* Return a short string showing the terminal server, port
* and calling station ID.
*/
-char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
+char *auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli)
{
VALUE_PAIR *cli;
VALUE_PAIR *pair;
- int port = 0;
+ uint16_t port = 0;
char const *tls = "";
- if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL)
- do_cli = 0;
- if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL)
+ if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL) {
+ do_cli = false;
+ }
+
+ if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL) {
port = pair->vp_integer;
+ }
if (request->packet->dst_port == 0) {
if (pairfind(request->packet->vps, PW_FREERADIUS_PROXIED_TO, 0, TAG_ANY)) {
/*
* Get the correct username based on the configured value
*/
- if (log_stripped_names == 0) {
+ if (!log_stripped_names) {
username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
} else {
username = request->username;
} else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
strcpy(clean_password, "<CHAP-Password>");
} else {
- fr_print_string((char *)request->password->vp_strvalue,
+ fr_print_string(request->password->vp_strvalue,
request->password->length,
clean_password, sizeof(clean_password));
}
*
* NOTE: NOT the same as the RLM_ values !
*/
-static int rad_check_password(REQUEST *request)
+static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
{
+ vp_cursor_t cursor;
VALUE_PAIR *auth_type_pair;
- VALUE_PAIR *cur_config_item;
int auth_type = -1;
int result;
int auth_type_count = 0;
- result = 0;
/*
* Look for matching check items. We skip the whole lot
* if the authentication type is PW_AUTHTYPE_ACCEPT or
* PW_AUTHTYPE_REJECT.
*/
- cur_config_item = request->config_items;
- while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE, 0, TAG_ANY))) != NULL) {
+ fr_cursor_init(&cursor, &request->config_items);
+ while ((auth_type_pair = fr_cursor_next_by_num(&cursor, PW_AUTH_TYPE, 0, TAG_ANY))) {
auth_type = auth_type_pair->vp_integer;
auth_type_count++;
- RDEBUG2("Found Auth-Type = %s",
- dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
- cur_config_item = auth_type_pair->next;
-
+ RDEBUG2("Found Auth-Type = %s", dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
if (auth_type == PW_AUTHTYPE_REJECT) {
RDEBUG2("Auth-Type = Reject, rejecting user");
+
return -2;
}
}
* Warn if more than one Auth-Type was found, because only the last
* one found will actually be used.
*/
- if (( auth_type_count > 1) && (debug_flag)) {
+ if ((auth_type_count > 1) && (debug_flag)) {
RERROR("Warning: Found %d auth-types on request for user '%s'",
auth_type_count, request->username->vp_strvalue);
}
if (auth_type < 0) {
if (pairfind(request->config_items, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
- RWDEBUG2("Use the PAP module instead.");
+ RWDEBUG2("Use the PAP module instead");
}
else if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
- RWDEBUG2("Use the PAP or CHAP modules instead.");
+ RWDEBUG2("Use the PAP or CHAP modules instead");
}
/*
- * The admin hasn't told us how to
- * authenticate the user, so we reject them!
- *
- * This is fail-safe.
- */
+ * The admin hasn't told us how to
+ * authenticate the user, so we reject them!
+ *
+ * This is fail-safe.
+ */
REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
return -2;
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
result = RLM_MODULE_REJECT;
break;
/*
*/
int rad_authenticate(REQUEST *request)
{
- VALUE_PAIR *namepair;
#ifdef WITH_SESSION_MGMT
VALUE_PAIR *check_item;
#endif
- VALUE_PAIR *auth_item = NULL;
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
int result;
/*
* If this request got proxied to another server, we need
* to check whether it authenticated the request or not.
+ *
+ * request->proxy gets set only AFTER authorization, so
+ * it's safe to check it here. If it exists, it means
+ * we're doing a second pass through rad_authenticate().
*/
- if (request->proxy_reply) {
- switch (request->proxy_reply->code) {
+ if (request->proxy) {
+ int code = 0;
+
+ if (request->proxy_reply) code = request->proxy_reply->code;
+
+ switch (code) {
/*
* Reply of ACCEPT means accept, thus set Auth-Type
* accordingly.
*/
- case PW_AUTHENTICATION_ACK:
+ case PW_CODE_ACCESS_ACCEPT:
tmp = radius_paircreate(request,
&request->config_items,
PW_AUTH_TYPE, 0);
* Challenges are punted back to the NAS without any
* further processing.
*/
- case PW_ACCESS_CHALLENGE:
- request->reply->code = PW_ACCESS_CHALLENGE;
+ case PW_CODE_ACCESS_CHALLENGE:
+ request->reply->code = PW_CODE_ACCESS_CHALLENGE;
return RLM_MODULE_OK;
+
/*
* ALL other replies mean reject. (this is fail-safe)
*
* are being rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
- case PW_AUTHENTICATION_REJECT:
+ case PW_CODE_ACCESS_REJECT:
rad_authlog("Login incorrect (Home Server says so)",
request, 0);
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
return RLM_MODULE_REJECT;
default:
}
}
#endif
-
- /*
- * Get the username from the request.
- *
- * Note that namepair MAY be NULL, in which case there
- * is no User-Name attribute in the request.
- */
- namepair = request->username;
-
/*
* Look for, and cache, passwords.
*/
if (!request->password) {
request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
}
-
- /*
- * Discover which password we want to use.
- */
- auth_item = request->password;
- if (!auth_item) {
- auth_item = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
+ if (!request->password) {
+ request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
}
- request->password = auth_item;
/*
* Get the user's authorization information from the database
} else {
rad_authlog("Invalid user", request, 0);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
return result;
}
if (!autz_retry) {
#endif
/*
- * Perhaps there is a Stripped-User-Name now.
- */
- namepair = request->username;
-
- /*
* Validate the user
*/
do {
* wants to send back.
*/
if (result < 0) {
- RDEBUG2("Failed to authenticate the user.");
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ RDEBUG2("Failed to authenticate the user");
+ request->reply->code = PW_CODE_ACCESS_REJECT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+19];
rad_authlog("Login incorrect", request, 0);
}
- /* double check: maybe the secret is wrong? */
- if ((debug_flag > 1) && (auth_item != NULL) &&
- (auth_item->da->attr == PW_USER_PASSWORD)) {
- uint8_t const *p;
-
- p = (uint8_t const *) auth_item->vp_strvalue;
- while (*p) {
- int size;
-
- size = fr_utf8_char(p);
- if (!size) {
- RWDEBUG("Unprintable characters in the password. Double-check the shared secret on the server and the NAS!");
- break;
+ if (request->password) {
+ VERIFY_VP(request->password);
+ /* double check: maybe the secret is wrong? */
+ if ((debug_flag > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
+ uint8_t const *p;
+
+ p = (uint8_t const *) request->password->vp_strvalue;
+ while (*p) {
+ int size;
+
+ size = fr_utf8_char(p);
+ if (!size) {
+ RWDEBUG("Unprintable characters in the password. Double-check the "
+ "shared secret on the server and the NAS!");
+ break;
+ }
+ p += size;
}
- p += size;
}
}
}
int r, session_type = 0;
char logstr[1024];
char umsg[MAX_STRING_LEN + 1];
- char const *user_msg = NULL;
tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0, TAG_ANY);
if (tmp) {
* User authenticated O.K. Now we have to check
* for the Simultaneous-Use parameter.
*/
- if (namepair &&
+ if (request->username &&
(r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
char mpp_ok = 0;
}
if (!mpp_ok){
if (check_item->vp_integer > 1) {
- snprintf(umsg, sizeof(umsg),
- "\r\nYou are already logged in %d times - access denied\r\n\n",
- (int)check_item->vp_integer);
- user_msg = umsg;
+ snprintf(umsg, sizeof(umsg),
+ "\r\n%s (%d)\r\n\n",
+ main_config.denied_msg,
+ (int)check_item->vp_integer);
} else {
- user_msg = "\r\nYou are already logged in - access denied\r\n\n";
+ snprintf(umsg, sizeof(umsg),
+ "\r\n%s\r\n\n",
+ main_config.denied_msg);
}
- request->reply->code = PW_AUTHENTICATION_REJECT;
+ request->reply->code = PW_CODE_ACCESS_REJECT;
/*
* They're trying to log in too many times.
*/
pairfree(&request->reply->vps);
pairmake_reply("Reply-Message",
- user_msg, T_OP_SET);
+ umsg, T_OP_SET);
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->vp_integer,
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
- request->reply->code = PW_AUTHENTICATION_ACK;
+ request->reply->code = PW_CODE_ACCESS_ACCEPT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+12];
VALUE_PAIR *vp;
int result;
+ RDEBUG("server %s {", request->server);
+ RDEBUG(" Request:");
+ debug_pair_list(request->packet->vps);
+
/*
* We currently only handle AUTH packets here.
* This could be expanded to handle other packets as well if required.
*/
- rad_assert(request->packet->code == PW_AUTHENTICATION_REQUEST);
+ rad_assert(request->packet->code == PW_CODE_ACCESS_REQUEST);
result = rad_authenticate(request);
- if (request->reply->code == PW_AUTHENTICATION_REJECT) {
+ if (request->reply->code == PW_CODE_ACCESS_REJECT) {
pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
if (vp) rad_postauth(request);
}
- if (request->reply->code == PW_AUTHENTICATION_ACK) {
+ if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
rad_postauth(request);
}
+ RDEBUG(" Reply:");
+ debug_pair_list(request->reply->vps);
+ RDEBUG("} # server %s", request->server);
+
return result;
}
-