projects / freeradius.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Rbtree shouldn't be allocated from inst
[freeradius.git] / src / modules / rlm_securid / rlm_securid.c
diff --git a/src/modules/rlm_securid/rlm_securid.c b/src/modules/rlm_securid/rlm_securid.c
index d9b6a9a..79a81b1 100644 (file)
--- a/src/modules/rlm_securid/rlm_securid.c
+++ b/src/modules/rlm_securid/rlm_securid.c
@@ -12,7 +12,7 @@
  *   along with this program; if not, write to the Free Software
  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  */
+
 /**
  * $Id$
  * @file rlm_securid.c
@@ -23,7 +23,6 @@
  * @copyright 2012  The FreeRADIUS server project
  * @copyright 2012  Alan DeKok <aland@networkradius.com>
  */
-#include <freeradius-devel/ident.h>
 #include <freeradius-devel/radiusd.h>
 #include <freeradius-devel/modules.h>
 #include <ctype.h>
@@ -40,24 +39,22 @@ typedef enum {
 
 
 static const CONF_PARSER module_config[] = {
-       { "timer_expire", PW_TYPE_INTEGER,
-         offsetof(rlm_securid_t, timer_limit), NULL, "600"},
-       { "max_sessions", PW_TYPE_INTEGER,
-         offsetof(rlm_securid_t, max_sessions), NULL, "2048"},
-       { "max_trips_per_session", PW_TYPE_INTEGER,
-         offsetof(rlm_securid_t, max_trips_per_session), NULL, NULL},
-       { "max_round_trips", PW_TYPE_INTEGER,
-         offsetof(rlm_securid_t, max_trips_per_session), NULL, "6"},
+       { "timer_expire", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, timer_limit), "600" },
+       { "max_sessions", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, max_sessions), "2048" },
+       { "max_trips_per_session", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, max_trips_per_session), NULL },
+       { "max_round_trips", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_securid_t, max_trips_per_session), "6" },
        { NULL, -1, 0, NULL, NULL }             /* end the list */
 };
 
 
+static SD_CHAR empty_pin[] = "";
+
 /* comparison function to find session in the tree */
-static int securid_session_cmp(const void *a, const void *b)
+static int securid_session_cmp(void const *a, void const *b)
 {
        int rcode;
-       const SECURID_SESSION *one = a;
-       const SECURID_SESSION *two = b;
+       SECURID_SESSION const *one = a;
+       SECURID_SESSION const *two = b;
 
        rad_assert(one != NULL);
        rad_assert(two != NULL);
@@ -70,107 +67,109 @@ static int securid_session_cmp(const void *a, const void *b)
 
 
 static SECURID_AUTH_RC securidAuth(void *instance, REQUEST *request,
-                                  const char* username, 
-                                  const char* passcode,
-                                  char* replyMsgBuffer,int replyMsgBufferSize)
+                                  char const *username,
+                                  char const *passcode,
+                                  char *replyMsgBuffer, size_t replyMsgBufferSize)
 {
        rlm_securid_t *inst = (rlm_securid_t *) instance;
-       int         acmRet;
-       SD_PIN pinParams;
-       char newPin[10];
+       int acm_ret;
+       SD_PIN pin_params;
+       char new_pin[10];
        char format[30];
-       SECURID_SESSION *pSecurid_session=NULL;
-       int rc=-1;
+       SECURID_SESSION *securid_session = NULL;
+       int rc = -1;
+
+       SD_CHAR *securid_user, *securid_pass;
 
        if (!username) {
-               radlog(L_ERR, "SecurID username is NULL");
-               return RC_SECURID_AUTH_FAILURE;         
+               ERROR("SecurID username is NULL");
+               return RC_SECURID_AUTH_FAILURE;
        }
 
        if (!passcode) {
-               radlog(L_ERR, "SecurID passcode is NULL for %s user",username);
-               return RC_SECURID_AUTH_FAILURE;         
+               ERROR("SecurID passcode is NULL for %s user", username);
+               return RC_SECURID_AUTH_FAILURE;
        }
 
+       memcpy(&securid_user, &username, sizeof(securid_user));
+       memcpy(&securid_pass, &passcode, sizeof(securid_pass));
+
        *replyMsgBuffer = '\0';
 
-       pSecurid_session = securid_sessionlist_find(inst,request);
-       if (pSecurid_session == NULL) {
+       securid_session = securid_sessionlist_find(inst, request);
+       if (!securid_session) {
                /* securid session not found */
-               SDI_HANDLE  sdiHandle = SDI_HANDLE_NONE;
+               SDI_HANDLE sdiHandle = SDI_HANDLE_NONE;
 
-               acmRet = SD_Init(&sdiHandle);
-               if (acmRet != ACM_OK) {
-                       radlog(L_ERR, "Cannot communicate with the ACE/Server");
+               acm_ret = SD_Init(&sdiHandle);
+               if (acm_ret != ACM_OK) {
+                       ERROR("Cannot communicate with the ACE/Server");
                        return -1;
                }
 
-               acmRet = SD_Lock(sdiHandle, (SD_CHAR*)username);
-               if (acmRet != ACM_OK) {
-                       radlog(L_ERR,"SecurID: Access denied. Name [%s] lock failed.",username);
+               acm_ret = SD_Lock(sdiHandle, securid_user);
+               if (acm_ret != ACM_OK) {
+                       ERROR("SecurID: Access denied. Name [%s] lock failed", username);
                        return -2;
                }
 
-               acmRet = SD_Check(sdiHandle, (SD_CHAR*) passcode,
-                                 (SD_CHAR*) username);
-               switch (acmRet) {
+               acm_ret = SD_Check(sdiHandle, securid_pass, securid_user);
+               switch (acm_ret) {
                case ACM_OK:
                        /* we are in now */
-                       RDEBUG("SecurID authentication successful for %s.",
-                              username);
+                       RDEBUG("SecurID authentication successful for %s", username);
                        SD_Close(sdiHandle);
 
                        return RC_SECURID_AUTH_SUCCESS;
 
-               case ACM_ACCESS_DENIED:         
+               case ACM_ACCESS_DENIED:
                        /* not this time */
                        RDEBUG("SecurID Access denied for %s", username);
                        SD_Close(sdiHandle);
                        return RC_SECURID_AUTH_ACCESS_DENIED_FAILURE;
 
                case ACM_INVALID_SERVER:
-                       radlog(L_ERR,"SecurID: Invalid ACE server.");
+                       ERROR("SecurID: Invalid ACE server");
                        return RC_SECURID_AUTH_INVALID_SERVER_FAILURE;
 
                case ACM_NEW_PIN_REQUIRED:
-                       RDEBUG2("SeecurID new pin required for %s",
-                               username);
+                       RDEBUG2("SecurID new pin required for %s", username);
 
                        /* create a new session */
-                       pSecurid_session = securid_session_alloc();
-                       pSecurid_session->sdiHandle = sdiHandle; /* save ACE handle for future use */
-                       pSecurid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
-                       pSecurid_session->identity = strdup(username);
-                        
+                       securid_session = securid_session_alloc();
+                       securid_session->sdiHandle = sdiHandle; /* save ACE handle for future use */
+                       securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
+                       securid_session->identity = strdup(username);
+
                        /* Get PIN requirements */
-                       acmRet = AceGetPinParams(sdiHandle, &pinParams);
-                        
+                       (void) AceGetPinParams(sdiHandle, &pin_params);
+
                        /* If a system-generated PIN is required */
-                       if (pinParams.Selectable == CANNOT_CHOOSE_PIN) {
+                       if (pin_params.Selectable == CANNOT_CHOOSE_PIN) {
                                /* Prompt user to accept a system generated PIN */
                                snprintf(replyMsgBuffer, replyMsgBufferSize,
                                         "\r\nAre you prepared to accept a new system-generated PIN [y/n]?");
-                               pSecurid_session->securidSessionState = NEW_PIN_SYSTEM_ACCEPT_STATE;
+                               securid_session->securidSessionState = NEW_PIN_SYSTEM_ACCEPT_STATE;
 
-                       } else if (pinParams.Selectable == USER_SELECTABLE) { //may be returned by AM 6.x servers.
+                       } else if (pin_params.Selectable == USER_SELECTABLE) { //may be returned by AM 6.x servers.
                                snprintf(replyMsgBuffer, replyMsgBufferSize,
                                         "\r\nPress 'y' to generate a new PIN\r\nOR\r\n'n'to enter a new PIN yourself [y/n]");
-                               pSecurid_session->securidSessionState = NEW_PIN_USER_SELECT_STATE;
+                               securid_session->securidSessionState = NEW_PIN_USER_SELECT_STATE;
 
                        } else {
-                               if (pinParams.Alphanumeric) {
+                               if (pin_params.Alphanumeric) {
                                        strcpy(format, "alphanumeric characters");
                                } else {
                                        strcpy(format, "digits");
                                }
                                snprintf(replyMsgBuffer, replyMsgBufferSize,
-                                        " \r\n   Enter your new PIN of %d to %d %s,\r\n                or\r\n   <Ctrl-D> to cancel the New PIN procedure:",
-                                        pinParams.Min, pinParams.Max, format);
+                                        " \r\n   Enter your new PIN of %d to %d %s, \r\n               or\r\n   <Ctrl-D> to cancel the New PIN procedure:",
+                                        pin_params.Min, pin_params.Max, format);
                        }
 
                        /* insert new session in the session list */
-                       securid_sessionlist_add(inst,request,pSecurid_session);
-                        
+                       securid_sessionlist_add(inst, request, securid_session);
+
                        return RC_SECURID_AUTH_CHALLENGE;
 
                case ACM_NEXT_CODE_REQUIRED:
@@ -178,44 +177,46 @@ static SECURID_AUTH_RC securidAuth(void *instance, REQUEST *request,
                                username);
 
                        /* create a new session */
-                       pSecurid_session = securid_session_alloc();
-                       pSecurid_session->sdiHandle = sdiHandle;
-                       pSecurid_session->securidSessionState = NEXT_CODE_REQUIRED_STATE;
-                       pSecurid_session->identity = strdup(username);
+                       securid_session = securid_session_alloc();
+                       securid_session->sdiHandle = sdiHandle;
+                       securid_session->securidSessionState = NEXT_CODE_REQUIRED_STATE;
+                       securid_session->identity = strdup(username);
 
                        /* insert new session in the session list */
-                       securid_sessionlist_add(inst,request,pSecurid_session);
-                    
+                       securid_sessionlist_add(inst, request, securid_session);
+
                        strlcpy(replyMsgBuffer, "\r\nPlease Enter the Next Code from Your Token:", replyMsgBufferSize);
                        return RC_SECURID_AUTH_CHALLENGE;
+
                default:
-                       radlog(L_ERR,"SecurID: Unexpected error from ACE/Agent API acmRet=%d",acmRet);
+                       ERROR("SecurID: Unexpected error from ACE/Agent API acm_ret=%d", acm_ret);
+                       securid_session_free(inst, request, securid_session);
                        return RC_SECURID_AUTH_FAILURE;
-  
-                       
+
+
                }
        } else {
                /* existing session found */
-               RDEBUG("Continuing previous session found for user [%s]",username);
+               RDEBUG("Continuing previous session found for user [%s]", username);
 
                /* continue previous session */
-               switch (pSecurid_session->securidSessionState) {
+               switch (securid_session->securidSessionState) {
                case NEXT_CODE_REQUIRED_STATE:
-                       DEBUG2("Securid NEXT_CODE_REQUIRED_STATE: User [%s]",username);
+                       DEBUG2("Securid NEXT_CODE_REQUIRED_STATE: User [%s]", username);
                        /* next token code mode */
 
-                       acmRet = SD_Next(pSecurid_session->sdiHandle, (SD_CHAR*)passcode);
-                       if (acmRet == ACM_OK) {
-                               radlog(L_INFO,"Next SecurID token accepted for [%s].",pSecurid_session->identity);
+                       acm_ret = SD_Next(securid_session->sdiHandle, securid_pass);
+                       if (acm_ret == ACM_OK) {
+                               INFO("Next SecurID token accepted for [%s].", securid_session->identity);
                                rc = RC_SECURID_AUTH_SUCCESS;
 
                        } else {
-                               radlog(L_INFO,"SecurID: Next token rejected for [%s].",pSecurid_session->identity);
+                               INFO("SecurID: Next token rejected for [%s].", securid_session->identity);
                                rc = RC_SECURID_AUTH_FAILURE;
                        }
 
                        /* deallocate session */
-                       securid_session_free(inst,request,pSecurid_session);
+                       securid_session_free(inst, request, securid_session);
                        return rc;
 
                case NEW_PIN_REQUIRED_STATE:
@@ -223,198 +224,195 @@ static SECURID_AUTH_RC securidAuth(void *instance, REQUEST *request,
                                username);
 
                        /* save the previous pin */
-                       if (pSecurid_session->pin) {
-                               free(pSecurid_session->pin);
-                               pSecurid_session->pin = NULL;
+                       if (securid_session->pin) {
+                               free(securid_session->pin);
+                               securid_session->pin = NULL;
                        }
-                       pSecurid_session->pin = strdup(passcode);
+                       securid_session->pin = strdup(passcode);
 
-                       strlcpy(replyMsgBuffer,"\r\n                 Please re-enter new PIN:", replyMsgBufferSize);
+                       strlcpy(replyMsgBuffer, "\r\n            Please re-enter new PIN:", replyMsgBufferSize);
 
                        /* set next state */
-                       pSecurid_session->securidSessionState = NEW_PIN_USER_CONFIRM_STATE;
+                       securid_session->securidSessionState = NEW_PIN_USER_CONFIRM_STATE;
 
                        /* insert the updated session in the session list */
-                       securid_sessionlist_add(inst,request,pSecurid_session);
+                       securid_sessionlist_add(inst, request, securid_session);
                        return RC_SECURID_AUTH_CHALLENGE;
-                         
+
                case NEW_PIN_USER_CONFIRM_STATE:
-                       RDEBUG2("SecurID NEW_PIN_USER_CONFIRM_STATE: User [%s]",username);
+                       RDEBUG2("SecurID NEW_PIN_USER_CONFIRM_STATE: User [%s]", username);
                        /* compare previous pin and current pin */
-                       if (!pSecurid_session->pin || strcmp(pSecurid_session->pin,passcode)) {
+                       if (!securid_session->pin || strcmp(securid_session->pin, passcode)) {
                                RDEBUG2("Pin confirmation failed. Pins do not match [%s] and [%s]",
-                                      SAFE_STR(pSecurid_session->pin),
-                                      passcode);
+                                      SAFE_STR(securid_session->pin), securid_pass);
                                /* pins do not match */
 
                                /* challenge the user again */
-                               AceGetPinParams(pSecurid_session->sdiHandle, &pinParams);
-                               if (pinParams.Alphanumeric) {
+                               AceGetPinParams(securid_session->sdiHandle, &pin_params);
+                               if (pin_params.Alphanumeric) {
                                        strcpy(format, "alphanumeric characters");
                                } else {
                                        strcpy(format, "digits");
                                }
                                snprintf(replyMsgBuffer, replyMsgBufferSize,
-                                        " \r\n   Pins do not match--Please try again.\r\n   Enter your new PIN of %d to %d %s,\r\n                or\r\n   <Ctrl-D> to cancel the New PIN procedure:",
-                                        pinParams.Min, pinParams.Max, format);
+                                        " \r\n   Pins do not match--Please try again.\r\n   Enter your new PIN of %d to %d %s, \r\n            or\r\n   <Ctrl-D> to cancel the New PIN procedure:",
+                                        pin_params.Min, pin_params.Max, format);
 
-                               pSecurid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
+                               securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
 
                                /* insert the updated session in the session list */
-                               securid_sessionlist_add(inst,request,pSecurid_session);
+                               securid_sessionlist_add(inst, request, securid_session);
                                rc = RC_SECURID_AUTH_CHALLENGE;
 
                        } else {
                                /* pins match */
                                RDEBUG2("Pin confirmation succeeded. Pins match");
-                               acmRet = SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)passcode);
-                               if (acmRet == ACM_NEW_PIN_ACCEPTED) {
-                                       RDEBUG("New SecurID pin accepted for %s.",pSecurid_session->identity);
+                               acm_ret = SD_Pin(securid_session->sdiHandle, securid_pass);
+                               if (acm_ret == ACM_NEW_PIN_ACCEPTED) {
+                                       RDEBUG("New SecurID pin accepted for %s.", securid_session->identity);
 
-                                       pSecurid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
+                                       securid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
 
                                        /* insert the updated session in the session list */
-                                       securid_sessionlist_add(inst,request,pSecurid_session);
+                                       securid_sessionlist_add(inst, request, securid_session);
 
                                        rc = RC_SECURID_AUTH_CHALLENGE;
-                                       strlcpy(replyMsgBuffer," \r\n\r\nWait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
+                                       strlcpy(replyMsgBuffer, " \r\n\r\nWait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
                                } else {
-                                       RDEBUG("SecurID: New SecurID pin rejected for %s.",pSecurid_session->identity);
-                                       SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)"");  /* cancel PIN */
-                                       
+                                       RDEBUG("SecurID: New SecurID pin rejected for %s.", securid_session->identity);
+                                       SD_Pin(securid_session->sdiHandle, &empty_pin[0]);  /* cancel PIN */
+
 
                                        rc = RC_SECURID_AUTH_FAILURE;
 
                                        /* deallocate session */
-                                       securid_session_free(inst, request,
-                                                            pSecurid_session);
+                                       securid_session_free(inst, request, securid_session);
                                }
                        }
-                       return rc;                
+                       return rc;
                case NEW_PIN_AUTH_VALIDATE_STATE:
-                       acmRet = SD_Check(pSecurid_session->sdiHandle, (SD_CHAR*)passcode, (SD_CHAR*)username);
-                       if (acmRet == ACM_OK) {
+                       acm_ret = SD_Check(securid_session->sdiHandle, securid_pass, securid_user);
+                       if (acm_ret == ACM_OK) {
                                RDEBUG("New SecurID passcode accepted for %s.",
-                                      pSecurid_session->identity);
+                                      securid_session->identity);
                                rc = RC_SECURID_AUTH_SUCCESS;
 
                        } else {
-                               radlog(L_INFO,"SecurID: New passcode rejected for [%s].",pSecurid_session->identity);
+                               INFO("SecurID: New passcode rejected for [%s].", securid_session->identity);
                                rc = RC_SECURID_AUTH_FAILURE;
                        }
 
                        /* deallocate session */
-                       securid_session_free(inst,request,pSecurid_session);
+                       securid_session_free(inst, request, securid_session);
 
                        return rc;
                case NEW_PIN_SYSTEM_ACCEPT_STATE:
                        if (!strcmp(passcode, "y")) {
-                               AceGetSystemPin(pSecurid_session->sdiHandle, newPin);
-                                       
+                               AceGetSystemPin(securid_session->sdiHandle, new_pin);
+
                                /* Save the PIN for the next session
                                 * continuation */
-                               if (pSecurid_session->pin) {
-                                       free(pSecurid_session->pin);
-                                       pSecurid_session->pin = NULL;
+                               if (securid_session->pin) {
+                                       free(securid_session->pin);
+                                       securid_session->pin = NULL;
                                }
-                               pSecurid_session->pin = strdup(newPin);
-                                       
+                               securid_session->pin = strdup(new_pin);
+
                                snprintf(replyMsgBuffer, replyMsgBufferSize,
                                         "\r\nYour new PIN is: %s\r\nDo you accept this [y/n]?",
-                                        newPin);
-                               pSecurid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
-                                       
+                                        new_pin);
+                               securid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
+
                                /* insert the updated session in the
                                 * session list */
-                               securid_sessionlist_add(inst, request,
-                                                       pSecurid_session);
-                                       
+                               securid_sessionlist_add(inst, request, securid_session);
+
                                rc = RC_SECURID_AUTH_CHALLENGE;
 
                        } else {
-                               SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)""); //Cancel new PIN
-                                       
+                               SD_Pin(securid_session->sdiHandle, &empty_pin[0]); //Cancel new PIN
+
                                /* deallocate session */
                                securid_session_free(inst, request,
-                                                    pSecurid_session);
-                                       
+                                                    securid_session);
+
                                rc = RC_SECURID_AUTH_FAILURE;
                        }
-                               
-                       return rc;                              
-                        
+
+                       return rc;
+
                case NEW_PIN_SYSTEM_CONFIRM_STATE:
-                       acmRet = SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)pSecurid_session->pin);
-                       if (acmRet == ACM_NEW_PIN_ACCEPTED) {
-                               strlcpy(replyMsgBuffer," \r\n\r\nPin Accepted. Wait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:",replyMsgBufferSize);
-                               pSecurid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
+                       acm_ret = SD_Pin(securid_session->sdiHandle, (SD_CHAR*)securid_session->pin);
+                       if (acm_ret == ACM_NEW_PIN_ACCEPTED) {
+                               strlcpy(replyMsgBuffer, " \r\n\r\nPin Accepted. Wait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
+                               securid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
                                /* insert the updated session in the session list */
-                               securid_sessionlist_add(inst,request,pSecurid_session);
+                               securid_sessionlist_add(inst, request, securid_session);
                                rc = RC_SECURID_AUTH_CHALLENGE;
 
                        } else {
-                               SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)""); //Cancel new PIN
-                               strlcpy(replyMsgBuffer," \r\n\r\nPin Rejected. Wait for the code on your card to change, then try again.\r\n\r\nEnter PASSCODE:",replyMsgBufferSize);
+                               SD_Pin(securid_session->sdiHandle, &empty_pin[0]); //Cancel new PIN
+                               strlcpy(replyMsgBuffer, " \r\n\r\nPin Rejected. Wait for the code on your card to change, then try again.\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
                                /* deallocate session */
                                securid_session_free(inst, request,
-                                                    pSecurid_session);
+                                                    securid_session);
                                rc = RC_SECURID_AUTH_FAILURE;
                        }
-                               
+
                        return rc;
-                        
+
                        /* USER_SELECTABLE state should be implemented to preserve compatibility with AM 6.x servers, which can return this state */
                case NEW_PIN_USER_SELECT_STATE:
                        if (!strcmp(passcode, "y")) {
                                /* User has opted for a system-generated PIN */
-                               AceGetSystemPin(pSecurid_session->sdiHandle, newPin);
+                               AceGetSystemPin(securid_session->sdiHandle, new_pin);
                                snprintf(replyMsgBuffer, replyMsgBufferSize,
                                         "\r\nYour new PIN is: %s\r\nDo you accept this [y/n]?",
-                                        newPin);
-                               pSecurid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
-                                       
+                                        new_pin);
+                               securid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
+
                                /* insert the updated session in the session list */
                                securid_sessionlist_add(inst, request,
-                                                       pSecurid_session);
+                                                       securid_session);
                                rc = RC_SECURID_AUTH_CHALLENGE;
 
                        } else {
                                /* User has opted for a user-defined PIN */
-                               AceGetPinParams(pSecurid_session->sdiHandle,
-                                               &pinParams);
-                               if (pinParams.Alphanumeric) {
+                               AceGetPinParams(securid_session->sdiHandle,
+                                               &pin_params);
+                               if (pin_params.Alphanumeric) {
                                        strcpy(format, "alphanumeric characters");
                                } else {
                                        strcpy(format, "digits");
                                }
-                                       
+
                                snprintf(replyMsgBuffer, replyMsgBufferSize,
-                                        " \r\n   Enter your new PIN of %d to %d %s,\r\n                or\r\n   <Ctrl-D> to cancel the New PIN procedure:",
-                                        pinParams.Min, pinParams.Max, format);
-                               pSecurid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
-                                       
+                                        " \r\n   Enter your new PIN of %d to %d %s, \r\n               or\r\n   <Ctrl-D> to cancel the New PIN procedure:",
+                                        pin_params.Min, pin_params.Max, format);
+                               securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
+
                                /* insert the updated session in the session list */
                                securid_sessionlist_add(inst, request,
-                                                       pSecurid_session);
+                                                       securid_session);
                                rc = RC_SECURID_AUTH_CHALLENGE;
                        }
-                               
+
                        return rc;
-                               
+
                default:
-                       radlog(L_ERR, "rlm_securid: Invalid session state %d for user [%s]",
-                              pSecurid_session->securidSessionState,
+                       ERROR("rlm_securid: Invalid session state %d for user [%s]",
+                              securid_session->securidSessionState,
                               username);
-                       break;  
+                       break;
                }
        }
-       
+
        return 0;
-               
+
 }
 
 /******************************************/
-static int securid_detach(void *instance)
+static int mod_detach(void *instance)
 {
        rlm_securid_t *inst = (rlm_securid_t *) instance;
 
@@ -430,59 +428,47 @@ static int securid_detach(void *instance)
 }
 
 
-static rlm_rcode_t securid_instantiate(CONF_SECTION *conf, void **instance)
+static int mod_instantiate(UNUSED CONF_SECTION *conf, void *instance)
 {
-       rlm_securid_t *inst;
-
-       /* Set up a storage area for instance data */
-       *instance = inst = talloc_zero(conf, rlm_securid_t);
-       if (!inst) return -1;
-
-        /* If the configuration parameters can't be parsed, then fail. */
-       if (cf_section_parse(conf, inst, module_config) < 0) {
-               radlog(L_ERR, "rlm_securid: Unable to parse configuration section.");
-               return -1;
-        }
+       rlm_securid_t *inst = instance;
 
        /*
         *      Lookup sessions in the tree.  We don't free them in
         *      the tree, as that's taken care of elsewhere...
         */
-       inst->session_tree = rbtree_create(securid_session_cmp, NULL, 0);
+       inst->session_tree = rbtree_create(NULL, securid_session_cmp, NULL, 0);
        if (!inst->session_tree) {
-               radlog(L_ERR, "rlm_securid: Cannot initialize session tree.");
+               ERROR("rlm_securid: Cannot initialize session tree");
                return -1;
        }
 
        pthread_mutex_init(&(inst->session_mutex), NULL);
-        return 0;
+       return 0;
 }
 
 
 /*
  *     Authenticate the user via one of any well-known password.
  */
-static int securid_authenticate(void *instance, REQUEST *request)
+static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request)
 {
        int rcode;
        rlm_securid_t *inst = instance;
-       VALUE_PAIR *module_fmsg_vp;
-       VALUE_PAIR *vp;
        char  buffer[MAX_STRING_LEN]="";
-       const char *username=NULL, *password=NULL;
-       char module_fmsg[MAX_STRING_LEN]="";
-       
+       char const *username=NULL, *password=NULL;
+       VALUE_PAIR *vp;
+
        /*
         *      We can only authenticate user requests which HAVE
         *      a User-Name attribute.
         */
        if (!request->username) {
-               radlog(L_AUTH, "rlm_securid: Attribute \"User-Name\" is required for authentication.");
+               AUTH("rlm_securid: Attribute \"User-Name\" is required for authentication");
                return RLM_MODULE_INVALID;
        }
 
        if (!request->password) {
-               radlog_request(L_AUTH, 0, request, "Attribute \"Password\" is required for authentication.");
+               RAUTH("Attribute \"Password\" is required for authentication");
                return RLM_MODULE_INVALID;
        }
 
@@ -490,7 +476,7 @@ static int securid_authenticate(void *instance, REQUEST *request)
         *      Clear-text passwords are the only ones we support.
         */
        if (request->password->da->attr != PW_USER_PASSWORD) {
-               radlog_request(L_AUTH, 0, request, "Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->da->name);
+               RAUTH("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->da->name);
                return RLM_MODULE_INVALID;
        }
 
@@ -498,9 +484,7 @@ static int securid_authenticate(void *instance, REQUEST *request)
         *      The user MUST supply a non-zero-length password.
         */
        if (request->password->length == 0) {
-               snprintf(module_fmsg,sizeof(module_fmsg),"rlm_securid: empty password supplied");
-               module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
-               pairadd(&request->packet->vps, module_fmsg_vp);
+               REDEBUG("Password should not be empty");
                return RLM_MODULE_INVALID;
        }
 
@@ -509,13 +493,16 @@ static int securid_authenticate(void *instance, REQUEST *request)
         */
        username = request->username->vp_strvalue;
        password = request->password->vp_strvalue;
-       
-       RDEBUG("User [%s] login attempt with password [%s]",
-              username, password);
-       
+
+       if (RDEBUG_ENABLED3) {
+               RDEBUG3("Login attempt with password \"%s\"", password);
+       } else {
+               RDEBUG("Login attempt with password");
+       }
+
        rcode = securidAuth(inst, request, username, password,
                            buffer, sizeof(buffer));
-       
+
        switch (rcode) {
        case RC_SECURID_AUTH_SUCCESS:
                rcode = RLM_MODULE_OK;
@@ -525,15 +512,15 @@ static int securid_authenticate(void *instance, REQUEST *request)
                /* reply with Access-challenge message code (11) */
 
                /* Generate Prompt attribute */
-               vp = paircreate(PW_PROMPT, 0);
-                               
+               vp = paircreate(request->reply, PW_PROMPT, 0);
+
                rad_assert(vp != NULL);
                vp->vp_integer = 0; /* no echo */
                pairadd(&request->reply->vps, vp);
 
                /* Mark the packet as a Acceess-Challenge Packet */
-               request->reply->code = PW_ACCESS_CHALLENGE;
-               RDEBUG("Sending Access-Challenge.");
+               request->reply->code = PW_CODE_ACCESS_CHALLENGE;
+               RDEBUG("Sending Access-Challenge");
                rcode = RLM_MODULE_HANDLED;
                break;
 
@@ -545,17 +532,8 @@ static int securid_authenticate(void *instance, REQUEST *request)
                break;
        }
 
-       if (*buffer) {
-               /* Generate Reply-Message attribute with reply message data */
-               vp = pairmake("Reply-Message", buffer, T_OP_EQ);
-               
-               /* make sure message ends with '\0' */
-               if (vp->length < (int) sizeof(vp->vp_strvalue)) {
-                       vp->vp_strvalue[vp->length] = '\0';
-                       vp->length++;
-               }
-               pairadd(&request->reply->vps,vp);
-       }
+       if (*buffer) pairmake_reply("Reply-Message", buffer, T_OP_EQ);
+
        return rcode;
 }
 
@@ -572,17 +550,19 @@ static int securid_authenticate(void *instance, REQUEST *request)
 module_t rlm_securid = {
        RLM_MODULE_INIT,
        "securid",
-       RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE,         /* type */
-       securid_instantiate,            /* instantiation */
-       securid_detach,                 /* detach */
+       RLM_TYPE_HUP_SAFE,      /* type */
+       sizeof(rlm_securid_t),
+       module_config,
+       mod_instantiate,                /* instantiation */
+       mod_detach,                     /* detach */
        {
-               securid_authenticate,   /* authentication */
-               NULL,                   /* authorization */
-               NULL,                   /* preaccounting */
-               NULL,                   /* accounting */
-               NULL,                   /* checksimul */
-               NULL,                   /* pre-proxy */
-               NULL,                   /* post-proxy */
+               mod_authenticate,       /* authentication */
+               NULL,                   /* authorization */
+               NULL,                   /* preaccounting */
+               NULL,                   /* accounting */
+               NULL,                   /* checksimul */
+               NULL,                   /* pre-proxy */
+               NULL,                   /* post-proxy */
                NULL                    /* post-auth */
        },
 };
Unnamed repository; edit this file 'description' to name the repository.