X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmain%2Fauth.c;h=054511421610b5848edca5ab1a3737dd7d8027b1;hb=e4d2860552e745ba785ee8716b918b288b6194a6;hp=c33eef6cd59f0d1c50d6eac454d300df349cc4b2;hpb=cabe0a0e04c141017b32d114418ab83d1d752c20;p=freeradius.git
diff --git a/src/main/auth.c b/src/main/auth.c
index c33eef6..0545114 100644
--- a/src/main/auth.c
+++ b/src/main/auth.c
@@ -41,9 +41,9 @@ char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
 VALUE_PAIR *pair;
 int port = 0;
- if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) == NULL)
+ if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0)) == NULL)
 do_cli = 0;
- if ((pair = pairfind(request->packet->vps, PW_NAS_PORT)) != NULL)
+ if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0)) != NULL)
 port = pair->vp_integer;
 snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
@@ -60,11 +60,14 @@ char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
 * Make sure user/pass are clean
 * and then log them
 */
-static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
-
+static int rad_authlog(const char *msg, REQUEST *request, int goodpass)
+{
+ int logit;
+ const char *extra_msg = NULL;
 char clean_password[1024];
 char clean_username[1024];
 char buf[1024];
+ char extra[1024];
 VALUE_PAIR *username = NULL;
 if (!request->root->log_auth) {
@@ -75,7 +78,7 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
 * Get the correct username based on the configured value
 */
 if (log_stripped_names == 0) {
- username = pairfind(request->packet->vps, PW_USER_NAME);
+ username = pairfind(request->packet->vps, PW_USER_NAME, 0);
 } else {
 username = request->username;
 }
@@ -86,7 +89,7 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
 if (username == NULL) {
 strcpy(clean_username, "");
 } else {
- librad_safeprint((char *)username->vp_strvalue,
+ fr_print_string((char *)username->vp_strvalue,
 username->length,
 clean_username, sizeof(clean_username));
 }
@@ -99,7 +102,7 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
 VALUE_PAIR *auth_type;
 auth_type = pairfind(request->config_items,
- PW_AUTH_TYPE);
+ PW_AUTH_TYPE, 0);
 if (auth_type && (auth_type->vp_strvalue[0] != '\0')) {
 snprintf(clean_password, sizeof(clean_password), "",
@@ -107,31 +110,39 @@ static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
 } else {
 strcpy(clean_password, "");
 }
- } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD)) {
+ } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0)) {
 strcpy(clean_password, "");
 } else {
- librad_safeprint((char *)request->password->vp_strvalue,
+ fr_print_string((char *)request->password->vp_strvalue,
 request->password->length,
 clean_password, sizeof(clean_password));
 }
 }
 if (goodpass) {
- radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)",
- msg,
- clean_username,
- request->root->log_auth_goodpass ? "/" : "",
- request->root->log_auth_goodpass ? clean_password : "",
- auth_name(buf, sizeof(buf), request, 1));
+ logit = request->root->log_auth_goodpass;
+ extra_msg = request->root->auth_goodpass_msg;
+ } else {
+ logit = request->root->log_auth_badpass;
+ extra_msg = request->root->auth_badpass_msg;
+ }
+
+ if (extra_msg) {
+ extra[0] = ' ';
+ radius_xlat(extra + 1, sizeof(extra) - 1, extra_msg, request,
+ NULL);
 } else {
- radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)",
- msg,
- clean_username,
- request->root->log_auth_badpass ? "/" : "",
- request->root->log_auth_badpass ? clean_password : "",
- auth_name(buf, sizeof(buf), request, 1));
+ *extra = '\0';
 }
+ radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)%s",
+ msg,
+ clean_username,
+ logit ? "/" : "",
+ logit ? clean_password : "",
+ auth_name(buf, sizeof(buf), request, 1),
+ extra);
+
 return 0;
 }
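Review bot: The text that `radius_xlat()` writes into `extra` goes into the auth log line through the trailing `%s` without the `fr_print_string()` treatment that `clean_username` and `clean_password` receive a few lines earlier, so whether request-controlled bytes in the expanded attributes (control characters, line breaks) can reach the log depends entirely on what escaping `radius_xlat()` applies when its escape callback is `NULL` — that is worth confirming, since keeping such bytes out of log lines is the reason the clean_* buffers exist. The length returned by `radius_xlat()` is also discarded, so a failed or truncated expansion is logged as whatever ended up in the buffer; if this version reports failure as a zero length, a minimal guard is `if (radius_xlat(extra + 1, sizeof(extra) - 1, extra_msg, request, NULL) == 0) *extra = '\0';`. `auth_goodpass_msg` and `auth_badpass_msg` are operator configuration, so the concern is the expansion result rather than the format string itself. As a matter of style, `extra[0] = ' '` and `*extra = '\0'` address the same byte two different ways; one form would read more evenly. The enclosing rad_authlog() starts before this hunk.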
@@ -163,11 +174,12 @@ static int rad_check_password(REQUEST *request)
 * PW_AUTHTYPE_REJECT.
 */
 cur_config_item = request->config_items;
- while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
+ while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE, 0))) != NULL) {
+ DICT_VALUE *dv;
 auth_type = auth_type_pair->vp_integer;
 auth_type_count++;
- DICT_VALUE *dv = dict_valbyattr(auth_type_pair->attribute,
- auth_type_pair->vp_integer);
+ dv = dict_valbyattr(auth_type_pair->attribute,
+ auth_type_pair->vp_integer, 0);
 RDEBUG2("Found Auth-Type = %s",
 (dv != NULL) ? dv->name : "?");
@@ -199,10 +211,10 @@ static int rad_check_password(REQUEST *request)
 return 0;
 }
- password_pair = pairfind(request->config_items, PW_USER_PASSWORD);
+ password_pair = pairfind(request->config_items, PW_USER_PASSWORD, 0);
 if (password_pair &&
- pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) {
- pairdelete(&request->config_items, PW_USER_PASSWORD);
+ pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0)) {
+ pairdelete(&request->config_items, PW_USER_PASSWORD, 0);
 password_pair = NULL;
 }
@@ -216,7 +228,7 @@ static int rad_check_password(REQUEST *request)
 RDEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
 RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
 password_pair->attribute = PW_CLEARTEXT_PASSWORD;
- da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD);
+ da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD, 0);
 if (!da) {
 radlog_request(L_ERR, 0, request, "FATAL: You broke the dictionaries. Please use the default dictionaries!");
 _exit(1);
@@ -231,14 +243,14 @@ static int rad_check_password(REQUEST *request)
 * FIXME: We should get rid of these hacks, and replace
 * them with a module.
 */
- if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) {
+ if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD, 0)) != NULL) {
 /*
 * Re-write Auth-Type, but ONLY if it isn't already
 * set.
 */
 if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
 } else {
- password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
+ password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0);
 }
 if (auth_type < 0) {
@@ -251,7 +263,7 @@ static int rad_check_password(REQUEST *request)
 *
 * This is fail-safe.
 */
- RDEBUG2("No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
+ RDEBUG2("ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user");
 return -2;
 }
 }
@@ -300,7 +312,7 @@ static int rad_check_password(REQUEST *request)
 auth_item = request->password;
 if (!auth_item) auth_item = pairfind(request->packet->vps,
- PW_CHAP_PASSWORD);
+ PW_CHAP_PASSWORD, 0);
 if (!auth_item) {
 RDEBUG2("No User-Password or CHAP-Password attribute in the request.");
 RDEBUG2("Cannot perform authentication.");
@@ -402,7 +414,7 @@ int rad_postauth(REQUEST *request)
 /*
 * Do post-authentication calls. ignoring the return code.
 */
- vp = pairfind(request->config_items, PW_POST_AUTH_TYPE);
+ vp = pairfind(request->config_items, PW_POST_AUTH_TYPE, 0);
 if (vp) {
 RDEBUG2("Using Post-Auth-Type %s", vp->vp_strvalue);
 postauth_type = vp->vp_integer;
@@ -475,7 +487,7 @@ int rad_authenticate(REQUEST *request)
 case PW_AUTHENTICATION_ACK:
 tmp = radius_paircreate(request, &request->config_items,
- PW_AUTH_TYPE, PW_TYPE_INTEGER);
+ PW_AUTH_TYPE, 0, PW_TYPE_INTEGER);
 if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
 goto authenticate;
@@ -494,11 +506,15 @@ int rad_authenticate(REQUEST *request)
 * done by the server, by rejecting them here.
 */
 case PW_AUTHENTICATION_REJECT:
- default:
 rad_authlog("Login incorrect (Home Server says so)", request, 0);
 request->reply->code = PW_AUTHENTICATION_REJECT;
 return RLM_MODULE_REJECT;
+
+ default:
+ rad_authlog("Login incorrect (Home Server failed to respond)",
+ request, 0);
+ return RLM_MODULE_REJECT;
 }
 }
 #endif
@@ -516,7 +532,7 @@ int rad_authenticate(REQUEST *request)
 */
 if (!request->password) {
 request->password = pairfind(request->packet->vps,
- PW_USER_PASSWORD);
+ PW_USER_PASSWORD, 0);
 }
 /*
@@ -531,7 +547,7 @@ int rad_authenticate(REQUEST *request)
 * Maybe there's a CHAP-Password?
 */
 if ((auth_item = pairfind(request->packet->vps,
- PW_CHAP_PASSWORD)) != NULL) {
+ PW_CHAP_PASSWORD, 0)) != NULL) {
 password = "";
 } else {
@@ -562,7 +578,7 @@ autz_redo:
 case RLM_MODULE_USERLOCK:
 default:
 if ((module_msg = pairfind(request->packet->vps,
- PW_MODULE_FAILURE_MESSAGE)) != NULL) {
+ PW_MODULE_FAILURE_MESSAGE, 0)) != NULL) {
 char msg[MAX_STRING_LEN + 16];
 snprintf(msg, sizeof(msg), "Invalid user (%s)",
 module_msg->vp_strvalue);
@@ -574,7 +590,7 @@ autz_redo:
 return result;
 }
 if (!autz_retry) {
- tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
+ tmp = pairfind(request->config_items, PW_AUTZ_TYPE, 0);
 if (tmp) {
 RDEBUG2("Using Autz-Type %s", tmp->vp_strvalue);
 autz_type = tmp->vp_integer;
@@ -593,7 +609,7 @@ autz_redo:
 #ifdef WITH_PROXY
 (request->proxy == NULL) &&
 #endif
- ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
+ ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0)) != NULL)) {
 REALM *realm;
 realm = realm_find2(tmp->vp_strvalue);
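Review bot: The new `default:` branch returns RLM_MODULE_REJECT without setting `request->reply->code`, whereas the PW_AUTHENTICATION_REJECT case directly above it sets PW_AUTHENTICATION_REJECT before returning; if leaving the code unset is deliberate (so that no reply is sent to the NAS for a home server that never answered), that intent deserves a comment such as `/* No reply code on purpose: do not answer for a home server that did not respond. */`, and if it is not deliberate the caller is handed a reject result with whatever reply code was already there. The `default:` label also catches every reply code the switch does not enumerate, not only the no-response case, so the literal `Home Server failed to respond` may be inaccurate for an unexpected-but-present reply; which codes are enumerated above cannot be seen from this hunk. The enclosing switch and rad_authenticate() both continue outside the hunk.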
@@ -651,7 +667,7 @@ autz_redo:
 RDEBUG2("Failed to authenticate the user.");
 request->reply->code = PW_AUTHENTICATION_REJECT;
- if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
+ if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE, 0)) != NULL){
 char msg[MAX_STRING_LEN+19];
 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
@@ -679,13 +695,13 @@ autz_redo:
 #ifdef WITH_SESSION_MGMT
 if (result >= 0 &&
- (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
+ (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE, 0)) != NULL) {
 int r, session_type = 0;
 char logstr[1024];
 char umsg[MAX_STRING_LEN + 1];
 const char *user_msg = NULL;
- tmp = pairfind(request->config_items, PW_SESSION_TYPE);
+ tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0);
 if (tmp) {
 RDEBUG2("Using Session-Type %s", tmp->vp_strvalue);
 session_type = tmp->vp_integer;
@@ -703,7 +719,7 @@ autz_redo:
 /* Multilink attempt. Check if port-limit > simultaneous-use */
 VALUE_PAIR *port_limit;
- if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL &&
+ if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT, 0)) != NULL &&
 port_limit->vp_integer > check_item->vp_integer){
 RDEBUG2("MPP is OK");
 mpp_ok = 1;
@@ -754,7 +770,7 @@ autz_redo:
 * vp->addport is set.
 */
 if (((tmp = pairfind(request->reply->vps,
- PW_FRAMED_IP_ADDRESS)) != NULL) &&
+ PW_FRAMED_IP_ADDRESS, 0)) != NULL) &&
 (tmp->flags.addport != 0)) {
 VALUE_PAIR *vpPortId;
@@ -762,14 +778,14 @@ autz_redo:
 * Find the NAS port ID.
 */
 if ((vpPortId = pairfind(request->packet->vps,
- PW_NAS_PORT)) != NULL) {
+ PW_NAS_PORT, 0)) != NULL) {
 unsigned long tvalue = ntohl(tmp->vp_integer);
 tmp->vp_integer = htonl(tvalue + vpPortId->vp_integer);
 tmp->flags.addport = 0;
 ip_ntoa(tmp->vp_strvalue, tmp->vp_integer);
 } else {
 RDEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
- pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
+ pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS, 0);
 }
 }
@@ -780,7 +796,7 @@ autz_redo:
 if (request->reply->code == 0)
 request->reply->code = PW_AUTHENTICATION_ACK;
- if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){
+ if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE, 0)) != NULL){
 char msg[MAX_STRING_LEN+12];
 snprintf(msg, sizeof(msg), "Login OK (%s)",