{
VALUE_PAIR *cli;
VALUE_PAIR *pair;
- int port = 0;
+ uint16_t port = 0;
char const *tls = "";
if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL) {
*
* NOTE: NOT the same as the RLM_ values !
*/
-static int rad_check_password(REQUEST *request)
+static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
{
vp_cursor_t cursor;
VALUE_PAIR *auth_type_pair;
int result;
int auth_type_count = 0;
- rad_assert(request != NULL);
-
/*
* Look for matching check items. We skip the whole lot
* if the authentication type is PW_AUTHTYPE_ACCEPT or
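Review bot: Replacing `rad_assert(request != NULL)` with `CC_HINT(nonnull)` on rad_check_password removes the only runtime check on this pointer in the password-checking path. The macro presumably expands to a compiler nonnull attribute, which flags only arguments the compiler can prove are NULL and otherwise lets it assume the pointer is valid, so a NULL arriving at runtime is no longer caught in assert-enabled builds. The contract should be written into the comment block above the function, for example `* request must be non-NULL; every caller is responsible for guaranteeing this.`, and each caller confirmed against it. The function body continues past the end of this hunk.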
if (auth_type < 0) {
if (pairfind(request->config_items, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
- RWDEBUG2("Use the PAP module instead.");
+ RWDEBUG2("Use the PAP module instead");
}
else if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
- RWDEBUG2("Use the PAP or CHAP modules instead.");
+ RWDEBUG2("Use the PAP or CHAP modules instead");
}
/*
- * The admin hasn't told us how to
- * authenticate the user, so we reject them!
- *
- * This is fail-safe.
- */
+ * The admin hasn't told us how to
+ * authenticate the user, so we reject them!
+ *
+ * This is fail-safe.
+ */
REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
return -2;
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
result = RLM_MODULE_REJECT;
break;
/*
/*
* If this request got proxied to another server, we need
* to check whether it authenticated the request or not.
+ *
+ * request->proxy gets set only AFTER authorization, so
+ * it's safe to check it here. If it exists, it means
+ * we're doing a second pass through rad_authenticate().
*/
- if (request->proxy_reply) {
- switch (request->proxy_reply->code) {
+ if (request->proxy) {
+ int code = 0;
+
+ if (request->proxy_reply) code = request->proxy_reply->code;
+
+ switch (code) {
/*
* Reply of ACCEPT means accept, thus set Auth-Type
* accordingly.
*/
- case PW_AUTHENTICATION_ACK:
+ case PW_CODE_ACCESS_ACCEPT:
tmp = radius_paircreate(request,
&request->config_items,
PW_AUTH_TYPE, 0);
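Review bot: The new `int code = 0;` sentinel for a proxied request with no `proxy_reply` depends on the switch's `default:` arm to reject, and nothing at the initialiser says so. The body of `default:` lies outside this hunk, so it should be confirmed that it sets `PW_CODE_ACCESS_REJECT` and returns before any local Auth-Type processing; otherwise a home server that never answered would be treated as if the request had not been proxied. A comment on the initialiser would make the fail-closed intent explicit: `int code = 0; /* 0 = no reply from the home server; falls to default: and is rejected */`. A log message on that path distinct from the explicit-reject case would also let operators tell a missing reply from a real reject, if the default arm does not already provide one.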
* Challenges are punted back to the NAS without any
* further processing.
*/
- case PW_ACCESS_CHALLENGE:
- request->reply->code = PW_ACCESS_CHALLENGE;
+ case PW_CODE_ACCESS_CHALLENGE:
+ request->reply->code = PW_CODE_ACCESS_CHALLENGE;
return RLM_MODULE_OK;
+
/*
* ALL other replies mean reject. (this is fail-safe)
*
* are being rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
- case PW_AUTHENTICATION_REJECT:
+ case PW_CODE_ACCESS_REJECT:
rad_authlog("Login incorrect (Home Server says so)",
request, 0);
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
return RLM_MODULE_REJECT;
default:
} else {
rad_authlog("Invalid user", request, 0);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
return result;
}
if (!autz_retry) {
* wants to send back.
*/
if (result < 0) {
- RDEBUG2("Failed to authenticate the user.");
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ RDEBUG2("Failed to authenticate the user");
+ request->reply->code = PW_CODE_ACCESS_REJECT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+19];
if (check_item->vp_integer > 1) {
snprintf(umsg, sizeof(umsg),
"\r\n%s (%d)\r\n\n",
- mainconfig.denied_msg,
+ main_config.denied_msg,
(int)check_item->vp_integer);
} else {
snprintf(umsg, sizeof(umsg),
"\r\n%s\r\n\n",
- mainconfig.denied_msg);
+ main_config.denied_msg);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
/*
* They're trying to log in too many times.
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
- request->reply->code = PW_AUTHENTICATION_ACK;
+ request->reply->code = PW_CODE_ACCESS_ACCEPT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+12];
VALUE_PAIR *vp;
int result;
+ RDEBUG("server %s {", request->server);
+ RDEBUG(" Request:");
+ debug_pair_list(request->packet->vps);
+
/*
* We currently only handle AUTH packets here.
* This could be expanded to handle other packets as well if required.
*/
- rad_assert(request->packet->code == PW_AUTHENTICATION_REQUEST);
+ rad_assert(request->packet->code == PW_CODE_ACCESS_REQUEST);
result = rad_authenticate(request);
- if (request->reply->code == PW_AUTHENTICATION_REJECT) {
+ if (request->reply->code == PW_CODE_ACCESS_REJECT) {
pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
if (vp) rad_postauth(request);
}
- if (request->reply->code == PW_AUTHENTICATION_ACK) {
+ if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
rad_postauth(request);
}
+ RDEBUG(" Reply:");
+ debug_pair_list(request->reply->vps);
+ RDEBUG("} # server %s", request->server);
+
return result;
}
-
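Review bot: The added `debug_pair_list(request->packet->vps);` call writes the whole request attribute list to debug output, and for an Access-Request that list can include `User-Password` and other credential attributes. Whether debug_pair_list masks secrets or is gated on the debug level is not visible in this hunk; if it does neither, debug logs for virtual-server requests would hold cleartext credentials. Both dumps should be confirmed to follow the same gating as the neighbouring `RDEBUG` lines, with a comment recording it, for example `/* dumps all request attributes, may include credentials; emitted only at debug level */`. The function's signature is above the start of this hunk.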