X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmain%2Fauth.c;h=054511421610b5848edca5ab1a3737dd7d8027b1;hb=e4d2860552e745ba785ee8716b918b288b6194a6;hp=25ebfe3cf65573a45c00e63f7c81e0c018b15db4;hpb=d415281b27960d0145831b1d4d022bbb11462e2c;p=freeradius.git diff --git a/src/main/auth.c b/src/main/auth.c index 25ebfe3..0545114 100644 --- a/src/main/auth.c +++ b/src/main/auth.c @@ -41,9 +41,9 @@ char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli) VALUE_PAIR *pair; int port = 0; - if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) == NULL) + if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0)) == NULL) do_cli = 0; - if ((pair = pairfind(request->packet->vps, PW_NAS_PORT)) != NULL) + if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0)) != NULL) port = pair->vp_integer; snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s", @@ -60,11 +60,14 @@ char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli) * Make sure user/pass are clean * and then log them */ -static int rad_authlog(const char *msg, REQUEST *request, int goodpass) { - +static int rad_authlog(const char *msg, REQUEST *request, int goodpass) +{ + int logit; + const char *extra_msg = NULL; char clean_password[1024]; char clean_username[1024]; char buf[1024]; + char extra[1024]; VALUE_PAIR *username = NULL; if (!request->root->log_auth) { @@ -75,7 +78,7 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) { * Get the correct username based on the configured value */ if (log_stripped_names == 0) { - username = pairfind(request->packet->vps, PW_USER_NAME); + username = pairfind(request->packet->vps, PW_USER_NAME, 0); } else { username = request->username; } 
@@ -86,7 +89,7 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) { if (username == NULL) { strcpy(clean_username, ""); } else { - librad_safeprint((char *)username->vp_strvalue, + fr_print_string((char *)username->vp_strvalue, username->length, clean_username, sizeof(clean_username)); } @@ -99,7 +102,7 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) { VALUE_PAIR *auth_type; auth_type = pairfind(request->config_items, - PW_AUTH_TYPE); + PW_AUTH_TYPE, 0); if (auth_type && (auth_type->vp_strvalue[0] != '\0')) { snprintf(clean_password, sizeof(clean_password), "", 
@@ -107,31 +110,39 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) { } else { strcpy(clean_password, ""); } - } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD)) { + } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0)) { strcpy(clean_password, ""); } else { - librad_safeprint((char *)request->password->vp_strvalue, + fr_print_string((char *)request->password->vp_strvalue, request->password->length, clean_password, sizeof(clean_password)); } } if (goodpass) { - radlog(L_AUTH, "%s: [%s%s%s] (%s)", - msg, - clean_username, - request->root->log_auth_goodpass ? "/" : "", - request->root->log_auth_goodpass ? clean_password : "", - auth_name(buf, sizeof(buf), request, 1)); + logit = request->root->log_auth_goodpass; + extra_msg = request->root->auth_goodpass_msg; + } else { + logit = request->root->log_auth_badpass; + extra_msg = request->root->auth_badpass_msg; + } + + if (extra_msg) { + extra[0] = ' '; + radius_xlat(extra + 1, sizeof(extra) - 1, extra_msg, request, + NULL); } else { - radlog(L_AUTH, "%s: [%s%s%s] (%s)", - msg, - clean_username, - request->root->log_auth_badpass ? "/" : "", - request->root->log_auth_badpass ? clean_password : "", - auth_name(buf, sizeof(buf), request, 1)); + *extra = '\0'; } + radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)%s", + msg, + clean_username, + logit ? "/" : "", + logit ? clean_password : "", + auth_name(buf, sizeof(buf), request, 1), + extra); + return 0; } 
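Review bot: The return value of radius_xlat() is discarded in the `if (extra_msg)` branch, so if the expansion fails and the function does not write a terminator, `extra` is logged as `' '` followed by uninitialized stack bytes; `extra[0] = ' '; extra[1] = '\0';` before the call makes the buffer safe regardless of what radius_xlat does on error, and checking its result for 0 would also avoid a dangling trailing space in the log line. Unlike clean_username and clean_password, which go through fr_print_string(), the expanded text is appended to the auth log as-is; if the xlat does not escape control characters itself, attribute values referenced from the configured message could put raw newlines into the log, which is worth confirming. Passing `extra` through a `%s` argument rather than into the format string is correct as written.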
@@ -163,22 +174,25 @@ static int rad_check_password(REQUEST *request) * PW_AUTHTYPE_REJECT. */ cur_config_item = request->config_items; - while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) { + while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE, 0))) != NULL) { + DICT_VALUE *dv; auth_type = auth_type_pair->vp_integer; auth_type_count++; + dv = dict_valbyattr(auth_type_pair->attribute, + auth_type_pair->vp_integer, 0); - DEBUG2(" rad_check_password: Found Auth-Type %s", - auth_type_pair->vp_strvalue); + RDEBUG2("Found Auth-Type = %s", + (dv != NULL) ? dv->name : "?"); cur_config_item = auth_type_pair->next; if (auth_type == PW_AUTHTYPE_REJECT) { - DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user"); + RDEBUG2("Auth-Type = Reject, rejecting user"); return -2; } } if (( auth_type_count > 1) && (debug_flag)) { - radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'", + radlog_request(L_ERR, 0, request, "Warning: Found %d auth-types on request for user '%s'", auth_type_count, request->username->vp_strvalue); } 
@@ -188,31 +202,35 @@ static int rad_check_password(REQUEST *request) * that means it is accepted and we do no further * authentication */ - if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) { - DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user"); + if ((auth_type == PW_AUTHTYPE_ACCEPT) +#ifdef WITH_PROXY + || (request->proxy) +#endif + ) { + RDEBUG2("Auth-Type = Accept, accepting the user"); return 0; } - password_pair = pairfind(request->config_items, PW_USER_PASSWORD); + password_pair = pairfind(request->config_items, PW_USER_PASSWORD, 0); if (password_pair && - pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) { - pairdelete(&request->config_items, PW_USER_PASSWORD); + pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0)) { + pairdelete(&request->config_items, PW_USER_PASSWORD, 0); password_pair = NULL; } if (password_pair) { DICT_ATTR *da; - DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); - DEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!"); - DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); - DEBUG("!!! Please update your configuration so that the \"known good\" !!!"); - DEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!"); - DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); + RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); + RDEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!"); + RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); + RDEBUG("!!! Please update your configuration so that the \"known good\" !!!"); + RDEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. 
!!!"); + RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); password_pair->attribute = PW_CLEARTEXT_PASSWORD; - da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD); + da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD, 0); if (!da) { - radlog(L_ERR, "FATAL: You broke the dictionaries. Please use the default dictionaries!"); + radlog_request(L_ERR, 0, request, "FATAL: You broke the dictionaries. Please use the default dictionaries!"); _exit(1); } @@ -225,14 +243,14 @@ static int rad_check_password(REQUEST *request) * FIXME: We should get rid of these hacks, and replace * them with a module. */ - if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) { + if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD, 0)) != NULL) { /* * Re-write Auth-Type, but ONLY if it isn't already * set. */ if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT; } else { - password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD); + password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0); } if (auth_type < 0) { @@ -245,15 +263,16 @@ static int rad_check_password(REQUEST *request) * * This is fail-safe. */ - DEBUG2("auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user"); + RDEBUG2("ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user"); return -2; } } switch(auth_type) { - DICT_VALUE *dval; - case PW_AUTHTYPE_CRYPT: + RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'"); + RDEBUG2("WARNING: Use the PAP module instead."); + /* * Find the password sent by the user. It * SHOULD be there, if it's not 
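Review bot: Splitting the `if ((auth_type == PW_AUTHTYPE_ACCEPT) ... )` condition across `#ifdef WITH_PROXY` lines makes the expression hard to read and to format, and the same shape appears again at hunk @@ -585 in rad_authenticate. A small `REQUEST_IS_PROXIED(r)` macro defined once near the top of the file, expanding to `((r)->proxy != NULL)` under WITH_PROXY and to `0` otherwise, would let both conditions stay on one line with no preprocessor inside the expression. This hunk's `dict_attrbyvalue(PW_CLEARTEXT_PASSWORD, 0)` failure path still calls `_exit(1)` from inside request processing; that is unchanged by the commit but a comment stating why an immediate exit (rather than a reject) is the intended response to a broken dictionary would help the next reader. rad_check_password continues outside this hunk.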
@@ -261,13 +280,12 @@ static int rad_check_password(REQUEST *request) */ auth_item = request->password; if (auth_item == NULL) { - DEBUG2("auth: No User-Password or CHAP-Password attribute in the request"); + RDEBUG2("No User-Password or CHAP-Password attribute in the request"); return -1; } - DEBUG2("auth: type Crypt"); if (password_pair == NULL) { - DEBUG2("No Crypt-Password configured for the user"); + RDEBUG2("No Crypt-Password configured for the user"); rad_authlog("Login incorrect " "(No Crypt-Password configured for the user)", request, 0); return -1; @@ -283,7 +301,8 @@ static int rad_check_password(REQUEST *request) } break; case PW_AUTHTYPE_LOCAL: - DEBUG2("auth: type Local"); + RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Local'"); + RDEBUG2("WARNING: Use the PAP or CHAP modules instead."); /* * Find the password sent by the user. It @@ -293,9 +312,10 @@ static int rad_check_password(REQUEST *request) auth_item = request->password; if (!auth_item) auth_item = pairfind(request->packet->vps, - PW_CHAP_PASSWORD); + PW_CHAP_PASSWORD, 0); if (!auth_item) { - DEBUG2("auth: No User-Password or CHAP-Password attribute in the request"); + RDEBUG2("No User-Password or CHAP-Password attribute in the request."); + RDEBUG2("Cannot perform authentication."); return -1; } @@ -303,7 +323,8 @@ static int rad_check_password(REQUEST *request) * Plain text password. */ if (password_pair == NULL) { - DEBUG2("auth: No password configured for the user"); + RDEBUG2("No \"known good\" password was configured for the user."); + RDEBUG2("As a result, we cannot authenticate the user."); rad_authlog("Login incorrect " "(No password configured for the user)", request, 0); return -1; 
@@ -315,14 +336,14 @@ static int rad_check_password(REQUEST *request) if (auth_item->attribute == PW_USER_PASSWORD) { if (strcmp((char *)password_pair->vp_strvalue, (char *)auth_item->vp_strvalue) != 0) { - DEBUG2("auth: user supplied User-Password does NOT match local User-Password"); + RDEBUG2("User-Password in the request does NOT match \"known good\" password."); return -1; } - DEBUG2("auth: user supplied User-Password matches local User-Password"); + RDEBUG2("User-Password in the request is correct."); break; } else if (auth_item->attribute != PW_CHAP_PASSWORD) { - DEBUG2("The user did not supply a User-Password or a CHAP-Password attribute"); + RDEBUG2("The user did not supply a User-Password or a CHAP-Password attribute"); rad_authlog("Login incorrect " "(no User-Password or CHAP-Password attribute)", request, 0); return -1; @@ -336,19 +357,12 @@ static int rad_check_password(REQUEST *request) */ if (memcmp(my_chap + 1, auth_item->vp_strvalue + 1, CHAP_VALUE_LENGTH) != 0) { - DEBUG2("auth: user supplied CHAP-Password does NOT match local User-Password"); + RDEBUG2("CHAP-Password is incorrect."); return -1; } - DEBUG2("auth: user supplied CHAP-Password matches local User-Password"); + RDEBUG2("CHAP-Password is correct."); break; default: - dval = dict_valbyattr(PW_AUTH_TYPE, auth_type); - if (dval) { - DEBUG2("auth: type \"%s\"", dval->name); - } else { - DEBUG2("auth: type UNKNOWN-%d", auth_type); - } - /* * See if there is a module that handles * this type, and turn the RLM_ return @@ -400,9 +414,9 @@ int rad_postauth(REQUEST *request) /* * Do post-authentication calls. ignoring the return code. */ - vp = pairfind(request->config_items, PW_POST_AUTH_TYPE); + vp = pairfind(request->config_items, PW_POST_AUTH_TYPE, 0); if (vp) { - DEBUG2(" Found Post-Auth-Type %s", vp->vp_strvalue); + RDEBUG2("Using Post-Auth-Type %s", vp->vp_strvalue); postauth_type = vp->vp_integer; } result = module_post_auth(postauth_type, request); 
@@ -446,20 +460,20 @@ int rad_postauth(REQUEST *request) int rad_authenticate(REQUEST *request) { VALUE_PAIR *namepair; +#ifdef WITH_SESSION_MGMT VALUE_PAIR *check_item; - VALUE_PAIR *auth_item; +#endif + VALUE_PAIR *auth_item = NULL; VALUE_PAIR *module_msg; VALUE_PAIR *tmp = NULL; int result; - char umsg[MAX_STRING_LEN + 1]; - const char *user_msg = NULL; const char *password; - char logstr[1024]; char autz_retry = 0; int autz_type = 0; password = ""; +#ifdef WITH_PROXY /* * If this request got proxied to another server, we need * to check whether it authenticated the request or not. @@ -473,9 +487,10 @@ int rad_authenticate(REQUEST *request) case PW_AUTHENTICATION_ACK: tmp = radius_paircreate(request, &request->config_items, - PW_AUTH_TYPE, PW_TYPE_INTEGER); + PW_AUTH_TYPE, 0, PW_TYPE_INTEGER); if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT; - break; + goto authenticate; + /* * Challenges are punted back to the NAS without any * further processing. @@ -491,13 +506,18 @@ int rad_authenticate(REQUEST *request) * done by the server, by rejecting them here. */ case PW_AUTHENTICATION_REJECT: - default: rad_authlog("Login incorrect (Home Server says so)", request, 0); request->reply->code = PW_AUTHENTICATION_REJECT; return RLM_MODULE_REJECT; + + default: + rad_authlog("Login incorrect (Home Server failed to respond)", + request, 0); + return RLM_MODULE_REJECT; } } +#endif /* * Get the username from the request. @@ -512,7 +532,7 @@ int rad_authenticate(REQUEST *request) */ if (!request->password) { request->password = pairfind(request->packet->vps, - PW_USER_PASSWORD); + PW_USER_PASSWORD, 0); } /* @@ -527,7 +547,7 @@ int rad_authenticate(REQUEST *request) * Maybe there's a CHAP-Password? */ if ((auth_item = pairfind(request->packet->vps, - PW_CHAP_PASSWORD)) != NULL) { + PW_CHAP_PASSWORD, 0)) != NULL) { password = ""; } else { 
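Review bot: `goto authenticate;` replacing `break;` in the PW_AUTHENTICATION_ACK case means a home-server accept now bypasses the entire local authorization stage, including the Autz-Type retry loop, and the target label sits far away inside another `#ifdef WITH_PROXY`; nothing states that intent, so add `/* Home server accepted: skip local authorization, go straight to authentication */` above the goto. On the same path `if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;` tolerates a radius_paircreate() failure silently, so the request then continues with no Auth-Type; under WITH_PROXY the `request->proxy` test in rad_check_password (hunk @@ -188) appears to still accept it, but a RDEBUG line on the failure would make that visible. rad_authenticate continues outside the hunk.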
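Review bot: The new `default:` branch in the proxy-reply switch returns RLM_MODULE_REJECT without setting `request->reply->code`, whereas the PW_AUTHENTICATION_REJECT case directly above it sets `request->reply->code = PW_AUTHENTICATION_REJECT;`. If leaving the code at 0 is deliberate (no reply is sent when the home server never answered), a comment should say so, e.g. `/* No home server reply: leave reply->code at 0 so no packet is sent back */`; if it is not, the assignment should be copied into the new branch. I cannot tell from the hunk which is intended, and the caller that interprets reply->code is outside this view.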
@@ -558,7 +578,7 @@ autz_redo: case RLM_MODULE_USERLOCK: default: if ((module_msg = pairfind(request->packet->vps, - PW_MODULE_FAILURE_MESSAGE)) != NULL) { + PW_MODULE_FAILURE_MESSAGE, 0)) != NULL) { char msg[MAX_STRING_LEN + 16]; snprintf(msg, sizeof(msg), "Invalid user (%s)", module_msg->vp_strvalue); @@ -570,9 +590,9 @@ autz_redo: return result; } if (!autz_retry) { - tmp = pairfind(request->config_items, PW_AUTZ_TYPE); + tmp = pairfind(request->config_items, PW_AUTZ_TYPE, 0); if (tmp) { - DEBUG2(" Found Autz-Type %s", tmp->vp_strvalue); + RDEBUG2("Using Autz-Type %s", tmp->vp_strvalue); autz_type = tmp->vp_integer; autz_retry = 1; goto autz_redo; @@ -585,8 +605,11 @@ autz_redo: * modules has decided that a proxy should be used. If * so, get out of here and send the packet. */ - if ((request->proxy == NULL) && - ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) { + if ( +#ifdef WITH_PROXY + (request->proxy == NULL) && +#endif + ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0)) != NULL)) { REALM *realm; realm = realm_find2(tmp->vp_strvalue); @@ -605,14 +628,18 @@ autz_redo: * *the* LOCAL realm. */ if (realm &&(strcmp(realm->name, "LOCAL") != 0)) { - DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling invalid proxy request.", realm->name); + RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name); } if (!realm) { - DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue); + RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue); } } +#ifdef WITH_PROXY + authenticate: +#endif + /* * Perhaps there is a Stripped-User-Name now. */ 
@@ -637,10 +664,10 @@ autz_redo: * wants to send back. */ if (result < 0) { - DEBUG2("auth: Failed to validate the user."); + RDEBUG2("Failed to authenticate the user."); request->reply->code = PW_AUTHENTICATION_REJECT; - if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){ + if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE, 0)) != NULL){ char msg[MAX_STRING_LEN+19]; snprintf(msg, sizeof(msg), "Login incorrect (%s)", @@ -666,13 +693,17 @@ autz_redo: } } +#ifdef WITH_SESSION_MGMT if (result >= 0 && - (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) { + (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE, 0)) != NULL) { int r, session_type = 0; + char logstr[1024]; + char umsg[MAX_STRING_LEN + 1]; + const char *user_msg = NULL; - tmp = pairfind(request->config_items, PW_SESSION_TYPE); + tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0); if (tmp) { - DEBUG2(" Found Session-Type %s", tmp->vp_strvalue); + RDEBUG2("Using Session-Type %s", tmp->vp_strvalue); session_type = tmp->vp_integer; } @@ -688,9 +719,9 @@ autz_redo: /* Multilink attempt. Check if port-limit > simultaneous-use */ VALUE_PAIR *port_limit; - if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL && + if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT, 0)) != NULL && port_limit->vp_integer > check_item->vp_integer){ - DEBUG2("main auth: MPP is OK"); + RDEBUG2("MPP is OK"); mpp_ok = 1; } } @@ -724,6 +755,7 @@ autz_redo: } } } +#endif /* * Result should be >= 0 here - if not, it means the user 
@@ -734,20 +766,11 @@ autz_redo: } /* - * We might need this later. The 'password' string - * is NOT used anywhere below here, except for logging, - * so it should be safe... - */ - if ((auth_item != NULL) && (auth_item->attribute == PW_CHAP_PASSWORD)) { - password = "CHAP-Password"; - } - - /* * Add the port number to the Framed-IP-Address if * vp->addport is set. */ if (((tmp = pairfind(request->reply->vps, - PW_FRAMED_IP_ADDRESS)) != NULL) && + PW_FRAMED_IP_ADDRESS, 0)) != NULL) && (tmp->flags.addport != 0)) { VALUE_PAIR *vpPortId; @@ -755,14 +778,14 @@ autz_redo: * Find the NAS port ID. */ if ((vpPortId = pairfind(request->packet->vps, - PW_NAS_PORT)) != NULL) { + PW_NAS_PORT, 0)) != NULL) { unsigned long tvalue = ntohl(tmp->vp_integer); tmp->vp_integer = htonl(tvalue + vpPortId->vp_integer); tmp->flags.addport = 0; ip_ntoa(tmp->vp_strvalue, tmp->vp_integer); } else { - DEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n"); - pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS); + RDEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n"); + pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS, 0); } } @@ -773,7 +796,7 @@ autz_redo: if (request->reply->code == 0) request->reply->code = PW_AUTHENTICATION_ACK; - if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){ + if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE, 0)) != NULL){ char msg[MAX_STRING_LEN+12]; snprintf(msg, sizeof(msg), "Login OK (%s)",
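Review bot: Removing the `password = "CHAP-Password";` block leaves `password` (assigned `""` at the top of rad_authenticate and again in hunk @@ -527) possibly write-only; if nothing in the rest of the function reads it, drop `const char *password;` and both assignments, otherwise -Wunused-but-set-variable will warn. The same question applies to `auth_item`, which hunk @@ -446 now initializes to NULL and which, in the code visible here, is only ever assigned in hunk @@ -527 after this removal. rad_authenticate continues outside the hunk, so a reader of the whole function should confirm before deleting.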