* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_securid.c
* @copyright 2012 The FreeRADIUS server project
* @copyright 2012 Alan DeKok <aland@networkradius.com>
*/
-#include <freeradius-devel/ident.h>
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
#include <ctype.h>
RC_SECURID_AUTH_ACCESS_DENIED_FAILURE = -4,
RC_SECURID_AUTH_INVALID_SERVER_FAILURE = -5,
RC_SECURID_AUTH_CHALLENGE = -17
-}
- SECURID_AUTH_RC;
+} SECURID_AUTH_RC;
static const CONF_PARSER module_config[] = {
- { "timer_expire", PW_TYPE_INTEGER,
- offsetof(rlm_securid_t, timer_limit), NULL, "600"},
- { "max_sessions", PW_TYPE_INTEGER,
- offsetof(rlm_securid_t, max_sessions), NULL, "2048"},
- { "max_trips_per_session", PW_TYPE_INTEGER,
- offsetof(rlm_securid_t, max_trips_per_session), NULL, NULL},
- { "max_round_trips", PW_TYPE_INTEGER,
- offsetof(rlm_securid_t, max_trips_per_session), NULL, "6"},
+ { "timer_expire", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, timer_limit), "600" },
+ { "max_sessions", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, max_sessions), "2048" },
+ { "max_trips_per_session", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, max_trips_per_session), NULL },
+ { "max_round_trips", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, max_trips_per_session), "6" },
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
+static SD_CHAR empty_pin[] = "";
+
/* comparison function to find session in the tree */
-static int securid_session_cmp(const void *a, const void *b)
+static int securid_session_cmp(void const *a, void const *b)
{
int rcode;
- const SECURID_SESSION *one = a;
- const SECURID_SESSION *two = b;
+ SECURID_SESSION const *one = a;
+ SECURID_SESSION const *two = b;
rad_assert(one != NULL);
rad_assert(two != NULL);
static SECURID_AUTH_RC securidAuth(void *instance, REQUEST *request,
- const char* username,
- const char* passcode,
- char* replyMsgBuffer,int replyMsgBufferSize)
+ char const *username,
+ char const *passcode,
+ char *replyMsgBuffer, size_t replyMsgBufferSize)
{
rlm_securid_t *inst = (rlm_securid_t *) instance;
- int acmRet;
- SD_PIN pinParams;
- char newPin[10];
+ int acm_ret;
+ SD_PIN pin_params;
+ char new_pin[10];
char format[30];
- SECURID_SESSION *pSecurid_session=NULL;
- int rc=-1;
+ SECURID_SESSION *securid_session = NULL;
+ int rc = -1;
+
+ SD_CHAR *securid_user, *securid_pass;
if (!username) {
- radlog(L_ERR, "SecurID username is NULL");
- return RC_SECURID_AUTH_FAILURE;
+ ERROR("SecurID username is NULL");
+ return RC_SECURID_AUTH_FAILURE;
}
if (!passcode) {
- radlog(L_ERR, "SecurID passcode is NULL for %s user",username);
- return RC_SECURID_AUTH_FAILURE;
+ ERROR("SecurID passcode is NULL for %s user", username);
+ return RC_SECURID_AUTH_FAILURE;
}
+ memcpy(&securid_user, &username, sizeof(securid_user));
+ memcpy(&securid_pass, &passcode, sizeof(securid_pass));
+
*replyMsgBuffer = '\0';
- pSecurid_session = securid_sessionlist_find(inst,request);
- if (pSecurid_session == NULL) {
+ securid_session = securid_sessionlist_find(inst, request);
+ if (!securid_session) {
/* securid session not found */
- SDI_HANDLE sdiHandle = SDI_HANDLE_NONE;
+ SDI_HANDLE sdiHandle = SDI_HANDLE_NONE;
- acmRet = SD_Init(&sdiHandle);
- if (acmRet != ACM_OK) {
- radlog(L_ERR, "Cannot communicate with the ACE/Server");
+ acm_ret = SD_Init(&sdiHandle);
+ if (acm_ret != ACM_OK) {
+ ERROR("Cannot communicate with the ACE/Server");
return -1;
}
- acmRet = SD_Lock(sdiHandle, (SD_CHAR*)username);
- if (acmRet != ACM_OK) {
- radlog(L_ERR,"SecurID: Access denied. Name [%s] lock failed.",username);
+ acm_ret = SD_Lock(sdiHandle, securid_user);
+ if (acm_ret != ACM_OK) {
+ ERROR("SecurID: Access denied. Name [%s] lock failed", username);
return -2;
}
- acmRet = SD_Check(sdiHandle, (SD_CHAR*) passcode,
- (SD_CHAR*) username);
- switch (acmRet) {
+ acm_ret = SD_Check(sdiHandle, securid_pass, securid_user);
+ switch (acm_ret) {
case ACM_OK:
/* we are in now */
- RDEBUG("SecurID authentication successful for %s.",
- username);
+ RDEBUG("SecurID authentication successful for %s", username);
SD_Close(sdiHandle);
return RC_SECURID_AUTH_SUCCESS;
- case ACM_ACCESS_DENIED:
+ case ACM_ACCESS_DENIED:
/* not this time */
RDEBUG("SecurID Access denied for %s", username);
SD_Close(sdiHandle);
return RC_SECURID_AUTH_ACCESS_DENIED_FAILURE;
case ACM_INVALID_SERVER:
- radlog(L_ERR,"SecurID: Invalid ACE server.");
+ ERROR("SecurID: Invalid ACE server");
return RC_SECURID_AUTH_INVALID_SERVER_FAILURE;
case ACM_NEW_PIN_REQUIRED:
- RDEBUG2("SeecurID new pin required for %s",
- username);
+ RDEBUG2("SecurID new pin required for %s", username);
/* create a new session */
- pSecurid_session = securid_session_alloc();
- pSecurid_session->sdiHandle = sdiHandle; /* save ACE handle for future use */
- pSecurid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
- pSecurid_session->identity = strdup(username);
-
+ securid_session = securid_session_alloc();
+ securid_session->sdiHandle = sdiHandle; /* save ACE handle for future use */
+ securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
+ securid_session->identity = strdup(username);
+
/* Get PIN requirements */
- acmRet = AceGetPinParams(sdiHandle, &pinParams);
-
+ (void) AceGetPinParams(sdiHandle, &pin_params);
+
/* If a system-generated PIN is required */
- if (pinParams.Selectable == CANNOT_CHOOSE_PIN) {
+ if (pin_params.Selectable == CANNOT_CHOOSE_PIN) {
/* Prompt user to accept a system generated PIN */
snprintf(replyMsgBuffer, replyMsgBufferSize,
"\r\nAre you prepared to accept a new system-generated PIN [y/n]?");
- pSecurid_session->securidSessionState = NEW_PIN_SYSTEM_ACCEPT_STATE;
+ securid_session->securidSessionState = NEW_PIN_SYSTEM_ACCEPT_STATE;
- } else if (pinParams.Selectable == USER_SELECTABLE) { //may be returned by AM 6.x servers.
+ } else if (pin_params.Selectable == USER_SELECTABLE) { //may be returned by AM 6.x servers.
snprintf(replyMsgBuffer, replyMsgBufferSize,
"\r\nPress 'y' to generate a new PIN\r\nOR\r\n'n'to enter a new PIN yourself [y/n]");
- pSecurid_session->securidSessionState = NEW_PIN_USER_SELECT_STATE;
+ securid_session->securidSessionState = NEW_PIN_USER_SELECT_STATE;
} else {
- if (pinParams.Alphanumeric) {
+ if (pin_params.Alphanumeric) {
strcpy(format, "alphanumeric characters");
} else {
strcpy(format, "digits");
}
snprintf(replyMsgBuffer, replyMsgBufferSize,
- " \r\n Enter your new PIN of %d to %d %s,\r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
- pinParams.Min, pinParams.Max, format);
+ " \r\n Enter your new PIN of %d to %d %s, \r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
+ pin_params.Min, pin_params.Max, format);
}
/* insert new session in the session list */
- securid_sessionlist_add(inst,request,pSecurid_session);
-
+ securid_sessionlist_add(inst, request, securid_session);
+
return RC_SECURID_AUTH_CHALLENGE;
case ACM_NEXT_CODE_REQUIRED:
username);
/* create a new session */
- pSecurid_session = securid_session_alloc();
- pSecurid_session->sdiHandle = sdiHandle;
- pSecurid_session->securidSessionState = NEXT_CODE_REQUIRED_STATE;
- pSecurid_session->identity = strdup(username);
+ securid_session = securid_session_alloc();
+ securid_session->sdiHandle = sdiHandle;
+ securid_session->securidSessionState = NEXT_CODE_REQUIRED_STATE;
+ securid_session->identity = strdup(username);
/* insert new session in the session list */
- securid_sessionlist_add(inst,request,pSecurid_session);
-
+ securid_sessionlist_add(inst, request, securid_session);
+
strlcpy(replyMsgBuffer, "\r\nPlease Enter the Next Code from Your Token:", replyMsgBufferSize);
return RC_SECURID_AUTH_CHALLENGE;
+
default:
- radlog(L_ERR,"SecurID: Unexpected error from ACE/Agent API acmRet=%d",acmRet);
+ ERROR("SecurID: Unexpected error from ACE/Agent API acm_ret=%d", acm_ret);
+ securid_session_free(inst, request, securid_session);
return RC_SECURID_AUTH_FAILURE;
-
-
+
+
}
} else {
/* existing session found */
- RDEBUG("Continuing previous session found for user [%s]",username);
+ RDEBUG("Continuing previous session found for user [%s]", username);
/* continue previous session */
- switch (pSecurid_session->securidSessionState) {
+ switch (securid_session->securidSessionState) {
case NEXT_CODE_REQUIRED_STATE:
- DEBUG2("Securid NEXT_CODE_REQUIRED_STATE: User [%s]",username);
+ DEBUG2("Securid NEXT_CODE_REQUIRED_STATE: User [%s]", username);
/* next token code mode */
- acmRet = SD_Next(pSecurid_session->sdiHandle, (SD_CHAR*)passcode);
- if (acmRet == ACM_OK) {
- radlog(L_INFO,"Next SecurID token accepted for [%s].",pSecurid_session->identity);
+ acm_ret = SD_Next(securid_session->sdiHandle, securid_pass);
+ if (acm_ret == ACM_OK) {
+ INFO("Next SecurID token accepted for [%s].", securid_session->identity);
rc = RC_SECURID_AUTH_SUCCESS;
} else {
- radlog(L_INFO,"SecurID: Next token rejected for [%s].",pSecurid_session->identity);
+ INFO("SecurID: Next token rejected for [%s].", securid_session->identity);
rc = RC_SECURID_AUTH_FAILURE;
}
/* deallocate session */
- securid_session_free(inst,request,pSecurid_session);
+ securid_session_free(inst, request, securid_session);
return rc;
case NEW_PIN_REQUIRED_STATE:
username);
/* save the previous pin */
- if (pSecurid_session->pin) {
- free(pSecurid_session->pin);
- pSecurid_session->pin = NULL;
+ if (securid_session->pin) {
+ free(securid_session->pin);
+ securid_session->pin = NULL;
}
- pSecurid_session->pin = strdup(passcode);
+ securid_session->pin = strdup(passcode);
- strlcpy(replyMsgBuffer,"\r\n Please re-enter new PIN:", replyMsgBufferSize);
+ strlcpy(replyMsgBuffer, "\r\n Please re-enter new PIN:", replyMsgBufferSize);
/* set next state */
- pSecurid_session->securidSessionState = NEW_PIN_USER_CONFIRM_STATE;
+ securid_session->securidSessionState = NEW_PIN_USER_CONFIRM_STATE;
/* insert the updated session in the session list */
- securid_sessionlist_add(inst,request,pSecurid_session);
+ securid_sessionlist_add(inst, request, securid_session);
return RC_SECURID_AUTH_CHALLENGE;
-
+
case NEW_PIN_USER_CONFIRM_STATE:
- RDEBUG2("SecurID NEW_PIN_USER_CONFIRM_STATE: User [%s]",username);
+ RDEBUG2("SecurID NEW_PIN_USER_CONFIRM_STATE: User [%s]", username);
/* compare previous pin and current pin */
- if (!pSecurid_session->pin || strcmp(pSecurid_session->pin,passcode)) {
+ if (!securid_session->pin || strcmp(securid_session->pin, passcode)) {
RDEBUG2("Pin confirmation failed. Pins do not match [%s] and [%s]",
- SAFE_STR(pSecurid_session->pin),
- passcode);
+ SAFE_STR(securid_session->pin), securid_pass);
/* pins do not match */
/* challenge the user again */
- AceGetPinParams(pSecurid_session->sdiHandle, &pinParams);
- if (pinParams.Alphanumeric) {
+ AceGetPinParams(securid_session->sdiHandle, &pin_params);
+ if (pin_params.Alphanumeric) {
strcpy(format, "alphanumeric characters");
} else {
strcpy(format, "digits");
}
snprintf(replyMsgBuffer, replyMsgBufferSize,
- " \r\n Pins do not match--Please try again.\r\n Enter your new PIN of %d to %d %s,\r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
- pinParams.Min, pinParams.Max, format);
+ " \r\n Pins do not match--Please try again.\r\n Enter your new PIN of %d to %d %s, \r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
+ pin_params.Min, pin_params.Max, format);
- pSecurid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
+ securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
/* insert the updated session in the session list */
- securid_sessionlist_add(inst,request,pSecurid_session);
+ securid_sessionlist_add(inst, request, securid_session);
rc = RC_SECURID_AUTH_CHALLENGE;
} else {
/* pins match */
RDEBUG2("Pin confirmation succeeded. Pins match");
- acmRet = SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)passcode);
- if (acmRet == ACM_NEW_PIN_ACCEPTED) {
- RDEBUG("New SecurID pin accepted for %s.",pSecurid_session->identity);
+ acm_ret = SD_Pin(securid_session->sdiHandle, securid_pass);
+ if (acm_ret == ACM_NEW_PIN_ACCEPTED) {
+ RDEBUG("New SecurID pin accepted for %s.", securid_session->identity);
- pSecurid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
+ securid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
/* insert the updated session in the session list */
- securid_sessionlist_add(inst,request,pSecurid_session);
+ securid_sessionlist_add(inst, request, securid_session);
rc = RC_SECURID_AUTH_CHALLENGE;
- strlcpy(replyMsgBuffer," \r\n\r\nWait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
+ strlcpy(replyMsgBuffer, " \r\n\r\nWait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
} else {
- RDEBUG("SecurID: New SecurID pin rejected for %s.",pSecurid_session->identity);
- SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)""); /* cancel PIN */
-
+ RDEBUG("SecurID: New SecurID pin rejected for %s.", securid_session->identity);
+ SD_Pin(securid_session->sdiHandle, &empty_pin[0]); /* cancel PIN */
+
rc = RC_SECURID_AUTH_FAILURE;
/* deallocate session */
- securid_session_free(inst, request,
- pSecurid_session);
+ securid_session_free(inst, request, securid_session);
}
}
- return rc;
+ return rc;
case NEW_PIN_AUTH_VALIDATE_STATE:
- acmRet = SD_Check(pSecurid_session->sdiHandle, (SD_CHAR*)passcode, (SD_CHAR*)username);
- if (acmRet == ACM_OK) {
+ acm_ret = SD_Check(securid_session->sdiHandle, securid_pass, securid_user);
+ if (acm_ret == ACM_OK) {
RDEBUG("New SecurID passcode accepted for %s.",
- pSecurid_session->identity);
+ securid_session->identity);
rc = RC_SECURID_AUTH_SUCCESS;
} else {
- radlog(L_INFO,"SecurID: New passcode rejected for [%s].",pSecurid_session->identity);
+ INFO("SecurID: New passcode rejected for [%s].", securid_session->identity);
rc = RC_SECURID_AUTH_FAILURE;
}
/* deallocate session */
- securid_session_free(inst,request,pSecurid_session);
+ securid_session_free(inst, request, securid_session);
return rc;
case NEW_PIN_SYSTEM_ACCEPT_STATE:
if (!strcmp(passcode, "y")) {
- AceGetSystemPin(pSecurid_session->sdiHandle, newPin);
-
+ AceGetSystemPin(securid_session->sdiHandle, new_pin);
+
/* Save the PIN for the next session
* continuation */
- if (pSecurid_session->pin) {
- free(pSecurid_session->pin);
- pSecurid_session->pin = NULL;
+ if (securid_session->pin) {
+ free(securid_session->pin);
+ securid_session->pin = NULL;
}
- pSecurid_session->pin = strdup(newPin);
-
+ securid_session->pin = strdup(new_pin);
+
snprintf(replyMsgBuffer, replyMsgBufferSize,
"\r\nYour new PIN is: %s\r\nDo you accept this [y/n]?",
- newPin);
- pSecurid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
-
+ new_pin);
+ securid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
+
/* insert the updated session in the
* session list */
- securid_sessionlist_add(inst, request,
- pSecurid_session);
-
+ securid_sessionlist_add(inst, request, securid_session);
+
rc = RC_SECURID_AUTH_CHALLENGE;
} else {
- SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)""); //Cancel new PIN
-
+ SD_Pin(securid_session->sdiHandle, &empty_pin[0]); //Cancel new PIN
+
/* deallocate session */
securid_session_free(inst, request,
- pSecurid_session);
-
+ securid_session);
+
rc = RC_SECURID_AUTH_FAILURE;
}
-
- return rc;
-
+
+ return rc;
+
case NEW_PIN_SYSTEM_CONFIRM_STATE:
- acmRet = SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)pSecurid_session->pin);
- if (acmRet == ACM_NEW_PIN_ACCEPTED) {
- strlcpy(replyMsgBuffer," \r\n\r\nPin Accepted. Wait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:",replyMsgBufferSize);
- pSecurid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
+ acm_ret = SD_Pin(securid_session->sdiHandle, (SD_CHAR*)securid_session->pin);
+ if (acm_ret == ACM_NEW_PIN_ACCEPTED) {
+ strlcpy(replyMsgBuffer, " \r\n\r\nPin Accepted. Wait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
+ securid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
/* insert the updated session in the session list */
- securid_sessionlist_add(inst,request,pSecurid_session);
+ securid_sessionlist_add(inst, request, securid_session);
rc = RC_SECURID_AUTH_CHALLENGE;
} else {
- SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)""); //Cancel new PIN
- strlcpy(replyMsgBuffer," \r\n\r\nPin Rejected. Wait for the code on your card to change, then try again.\r\n\r\nEnter PASSCODE:",replyMsgBufferSize);
+ SD_Pin(securid_session->sdiHandle, &empty_pin[0]); //Cancel new PIN
+ strlcpy(replyMsgBuffer, " \r\n\r\nPin Rejected. Wait for the code on your card to change, then try again.\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
/* deallocate session */
securid_session_free(inst, request,
- pSecurid_session);
+ securid_session);
rc = RC_SECURID_AUTH_FAILURE;
}
-
+
return rc;
-
+
/* USER_SELECTABLE state should be implemented to preserve compatibility with AM 6.x servers, which can return this state */
case NEW_PIN_USER_SELECT_STATE:
if (!strcmp(passcode, "y")) {
/* User has opted for a system-generated PIN */
- AceGetSystemPin(pSecurid_session->sdiHandle, newPin);
+ AceGetSystemPin(securid_session->sdiHandle, new_pin);
snprintf(replyMsgBuffer, replyMsgBufferSize,
"\r\nYour new PIN is: %s\r\nDo you accept this [y/n]?",
- newPin);
- pSecurid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
-
+ new_pin);
+ securid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
+
/* insert the updated session in the session list */
securid_sessionlist_add(inst, request,
- pSecurid_session);
+ securid_session);
rc = RC_SECURID_AUTH_CHALLENGE;
} else {
/* User has opted for a user-defined PIN */
- AceGetPinParams(pSecurid_session->sdiHandle,
- &pinParams);
- if (pinParams.Alphanumeric) {
+ AceGetPinParams(securid_session->sdiHandle,
+ &pin_params);
+ if (pin_params.Alphanumeric) {
strcpy(format, "alphanumeric characters");
} else {
strcpy(format, "digits");
}
-
+
snprintf(replyMsgBuffer, replyMsgBufferSize,
- " \r\n Enter your new PIN of %d to %d %s,\r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
- pinParams.Min, pinParams.Max, format);
- pSecurid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
-
+ " \r\n Enter your new PIN of %d to %d %s, \r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
+ pin_params.Min, pin_params.Max, format);
+ securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
+
/* insert the updated session in the session list */
securid_sessionlist_add(inst, request,
- pSecurid_session);
+ securid_session);
rc = RC_SECURID_AUTH_CHALLENGE;
}
-
+
return rc;
-
+
default:
- radlog(L_ERR|L_CONS, "rlm_securid: Invalid session state %d for user [%s]",
- pSecurid_session->securidSessionState,
+ ERROR("rlm_securid: Invalid session state %d for user [%s]",
+ securid_session->securidSessionState,
username);
- break;
+ break;
}
}
-
+
return 0;
-
+
}
/******************************************/
-static int securid_detach(void *instance)
+static int mod_detach(void *instance)
{
rlm_securid_t *inst = (rlm_securid_t *) instance;
pthread_mutex_destroy(&(inst->session_mutex));
- free(inst);
return 0;
}
-static rlm_rcode_t securid_instantiate(CONF_SECTION *conf, void **instance)
+static int mod_instantiate(UNUSED CONF_SECTION *conf, void *instance)
{
- rlm_securid_t *inst;
-
- /* Set up a storage area for instance data */
- inst = rad_malloc(sizeof(*inst));
- if (!inst) return -1;
- memset(inst, 0, sizeof(*inst));
-
- /* If the configuration parameters can't be parsed, then fail. */
- if (cf_section_parse(conf, inst, module_config) < 0) {
- radlog(L_ERR|L_CONS, "rlm_securid: Unable to parse configuration section.");
- securid_detach(inst);
- return -1;
- }
+ rlm_securid_t *inst = instance;
/*
* Lookup sessions in the tree. We don't free them in
* the tree, as that's taken care of elsewhere...
*/
- inst->session_tree = rbtree_create(securid_session_cmp, NULL, 0);
+ inst->session_tree = rbtree_create(NULL, securid_session_cmp, NULL, 0);
if (!inst->session_tree) {
- radlog(L_ERR|L_CONS, "rlm_securid: Cannot initialize session tree.");
- securid_detach(inst);
+ ERROR("rlm_securid: Cannot initialize session tree");
return -1;
}
pthread_mutex_init(&(inst->session_mutex), NULL);
-
- *instance = inst;
- return 0;
+ return 0;
}
/*
* Authenticate the user via one of any well-known password.
*/
-static int securid_authenticate(void *instance, REQUEST *request)
+static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request)
{
int rcode;
rlm_securid_t *inst = instance;
- VALUE_PAIR *module_fmsg_vp;
- VALUE_PAIR *vp;
char buffer[MAX_STRING_LEN]="";
- const char *username=NULL, *password=NULL;
- char module_fmsg[MAX_STRING_LEN]="";
-
+ char const *username=NULL, *password=NULL;
+ VALUE_PAIR *vp;
+
/*
* We can only authenticate user requests which HAVE
* a User-Name attribute.
*/
if (!request->username) {
- radlog(L_AUTH, "rlm_securid: Attribute \"User-Name\" is required for authentication.");
+ AUTH("rlm_securid: Attribute \"User-Name\" is required for authentication");
return RLM_MODULE_INVALID;
}
if (!request->password) {
- radlog_request(L_AUTH, 0, request, "Attribute \"Password\" is required for authentication.");
+ RAUTH("Attribute \"Password\" is required for authentication");
return RLM_MODULE_INVALID;
}
* Clear-text passwords are the only ones we support.
*/
if (request->password->da->attr != PW_USER_PASSWORD) {
- radlog_request(L_AUTH, 0, request, "Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->da->name);
+ RAUTH("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->da->name);
return RLM_MODULE_INVALID;
}
* The user MUST supply a non-zero-length password.
*/
if (request->password->length == 0) {
- snprintf(module_fmsg,sizeof(module_fmsg),"rlm_securid: empty password supplied");
- module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
- pairadd(&request->packet->vps, module_fmsg_vp);
+ REDEBUG("Password should not be empty");
return RLM_MODULE_INVALID;
}
*/
username = request->username->vp_strvalue;
password = request->password->vp_strvalue;
-
- RDEBUG("User [%s] login attempt with password [%s]",
- username, password);
-
+
+ if (RDEBUG_ENABLED3) {
+ RDEBUG3("Login attempt with password \"%s\"", password);
+ } else {
+ RDEBUG("Login attempt with password");
+ }
+
rcode = securidAuth(inst, request, username, password,
buffer, sizeof(buffer));
-
+
switch (rcode) {
case RC_SECURID_AUTH_SUCCESS:
rcode = RLM_MODULE_OK;
/* reply with Access-challenge message code (11) */
/* Generate Prompt attribute */
- vp = paircreate(PW_PROMPT, 0, PW_TYPE_INTEGER);
-
+ vp = paircreate(request->reply, PW_PROMPT, 0);
+
rad_assert(vp != NULL);
vp->vp_integer = 0; /* no echo */
pairadd(&request->reply->vps, vp);
/* Mark the packet as a Acceess-Challenge Packet */
- request->reply->code = PW_ACCESS_CHALLENGE;
- RDEBUG("Sending Access-Challenge.");
+ request->reply->code = PW_CODE_ACCESS_CHALLENGE;
+ RDEBUG("Sending Access-Challenge");
rcode = RLM_MODULE_HANDLED;
break;
break;
}
- if (*buffer) {
- /* Generate Reply-Message attribute with reply message data */
- vp = pairmake("Reply-Message", buffer, T_OP_EQ);
-
- /* make sure message ends with '\0' */
- if (vp->length < (int) sizeof(vp->vp_strvalue)) {
- vp->vp_strvalue[vp->length] = '\0';
- vp->length++;
- }
- pairadd(&request->reply->vps,vp);
- }
+ if (*buffer) pairmake_reply("Reply-Message", buffer, T_OP_EQ);
+
return rcode;
}
module_t rlm_securid = {
RLM_MODULE_INIT,
"securid",
- RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE, /* type */
- securid_instantiate, /* instantiation */
- securid_detach, /* detach */
+ RLM_TYPE_HUP_SAFE, /* type */
+ sizeof(rlm_securid_t),
+ module_config,
+ mod_instantiate, /* instantiation */
+ mod_detach, /* detach */
{
- securid_authenticate, /* authentication */
- NULL, /* authorization */
- NULL, /* preaccounting */
- NULL, /* accounting */
- NULL, /* checksimul */
- NULL, /* pre-proxy */
- NULL, /* post-proxy */
+ mod_authenticate, /* authentication */
+ NULL, /* authorization */
+ NULL, /* preaccounting */
+ NULL, /* accounting */
+ NULL, /* checksimul */
+ NULL, /* pre-proxy */
+ NULL, /* post-proxy */
NULL /* post-auth */
},
};