}
if (pairfind(request->config_items, PW_AUTHTYPE) != NULL) {
- DEBUG2(" rlm_chap: WARNING: Auth-Type already set. Not setting to CHAP");
+ RDEBUG2("WARNING: Auth-Type already set. Not setting to CHAP");
return RLM_MODULE_NOOP;
}
- DEBUG(" rlm_chap: Setting 'Auth-Type := CHAP'");
+ RDEBUG("Setting 'Auth-Type := CHAP'");
pairadd(&request->config_items,
pairmake("Auth-Type", "CHAP", T_OP_EQ));
return RLM_MODULE_OK;
request = request;
if (!request->username) {
- radlog(L_AUTH, "rlm_chap: Attribute \"User-Name\" is required for authentication.\n");
+ radlog_request(L_AUTH, 0, request, "rlm_chap: Attribute \"User-Name\" is required for authentication.\n");
return RLM_MODULE_INVALID;
}
chap = pairfind(request->packet->vps, PW_CHAP_PASSWORD);
if (!chap) {
- radlog(L_AUTH, "rlm_chap: Attribute \"CHAP-Password\" is required for authentication.");
+ radlog_request(L_AUTH, 0, request, "rlm_chap: Attribute \"CHAP-Password\" is required for authentication.");
return RLM_MODULE_INVALID;
}
if (chap->length == 0) {
- radlog(L_ERR, "rlm_chap: empty password supplied");
+ radlog_request(L_ERR, 0, request, "rlm_chap: empty password supplied");
return RLM_MODULE_INVALID;
}
if (chap->length != CHAP_VALUE_LENGTH + 1) {
- radlog(L_ERR, "rlm_chap: password supplied has wrong length");
+ radlog_request(L_ERR, 0, request, "rlm_chap: password supplied has wrong length");
return RLM_MODULE_INVALID;
}
/*
* Don't print out the CHAP password here. It's binary crap.
*/
- DEBUG(" rlm_chap: login attempt by \"%s\" with CHAP password",
+ RDEBUG("login attempt by \"%s\" with CHAP password",
request->username->vp_strvalue);
if ((passwd_item = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) == NULL){
- DEBUG(" rlm_chap: Cleartext-Password is required for authentication");
+ RDEBUG("Cleartext-Password is required for authentication");
snprintf(module_fmsg, sizeof(module_fmsg),
"rlm_chap: Clear text password not available");
module_fmsg_vp = pairmake("Module-Failure-Message",
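Review bot: The `radlog_request(...)` calls in this hunk keep the `rlm_chap: ` text inside the format string, while the `RDEBUG` conversions next to them drop it. The rlm_mschap and rlm_pap hunks later in this patch drop it from their `radlog_request` messages as well (`"MS-CHAP-Response has the wrong format."`, `"Attribute \"Password\" is required for authentication."`). These are L_AUTH/L_ERR lines that log-monitoring rules commonly match on, so the wording should change in one consistent way across the three modules. If `radlog_request` does not add the module name itself (not visible here), keep the prefix everywhere, e.g. `radlog_request(L_AUTH, 0, request, "rlm_mschap: MS-CHAP-Response has the wrong format.");`; otherwise drop it here too. The enclosing function starts and ends outside this hunk.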
return RLM_MODULE_INVALID;
}
- DEBUG(" rlm_chap: Using clear text password \"%s\" for user %s authentication.",
+ RDEBUG("Using clear text password \"%s\" for user %s authentication.",
passwd_item->vp_strvalue, request->username->vp_strvalue);
rad_chap_encode(request->packet,pass_str,
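Review bot: The converted `RDEBUG("Using clear text password \"%s\" for user %s authentication.", ...)` still writes the user's Cleartext-Password into the debug log, and the request-scoped macro presumably makes that credential easier to tie to a specific request. The same applies to the rlm_pap messages `"login attempt with password \"%s\""` and `"Using clear text password \"%s\""`, and to the rlm_mschap `NT-Hash`/`LM-Hash` expansions, which print both the input string and the resulting hash. Debug output is routinely captured to files or pasted into bug reports, so I would log only that a password was found: `RDEBUG("Using Cleartext-Password for user %s authentication.", request->username->vp_strvalue);`. The enclosing function continues outside this hunk.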
if (memcmp(pass_str + 1, chap->vp_octets + 1,
CHAP_VALUE_LENGTH) != 0){
- DEBUG(" rlm_chap: Password check failed");
+ RDEBUG("Password check failed");
snprintf(module_fmsg, sizeof(module_fmsg),
"rlm_chap: Wrong user password");
module_fmsg_vp = pairmake("Module-Failure-Message",
return RLM_MODULE_REJECT;
}
- DEBUG(" rlm_chap: chap user %s authenticated succesfully",
+ RDEBUG("chap user %s authenticated succesfully",
request->username->vp_strvalue);
return RLM_MODULE_OK;
chap_challenge = pairfind(request->packet->vps,
PW_MSCHAP_CHALLENGE);
if (!chap_challenge) {
- DEBUG2(" rlm_mschap: No MS-CHAP-Challenge in the request.");
+ RDEBUG2("No MS-CHAP-Challenge in the request.");
return 0;
}
* for MS-CHAPv2
*/
if (chap_challenge->length == 8) {
- DEBUG2(" mschap1: %02x",
+ RDEBUG2(" mschap1: %02x",
chap_challenge->vp_octets[0]);
data = chap_challenge->vp_octets;
data_len = 8;
} else if (chap_challenge->length == 16) {
char *username_string;
- DEBUG2(" mschap2: %02x", chap_challenge->vp_octets[0]);
+ RDEBUG2(" mschap2: %02x", chap_challenge->vp_octets[0]);
response = pairfind(request->packet->vps,
PW_MSCHAP2_RESPONSE);
if (!response) {
- DEBUG2(" rlm_mschap: MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge.");
+ RDEBUG2("MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge.");
return 0;
}
* Responses are 50 octets.
*/
if (response->length < 50) {
- radlog(L_AUTH, "rlm_mschap: MS-CHAP-Response has the wrong format.");
+ radlog_request(L_AUTH, 0, request, "MS-CHAP-Response has the wrong format.");
return 0;
}
user_name = pairfind(request->packet->vps,
PW_USER_NAME);
if (!user_name) {
- DEBUG2(" rlm_mschap: User-Name is required to calculateMS-CHAPv1 Challenge.");
+ RDEBUG2("User-Name is required to calculateMS-CHAPv1 Challenge.");
return 0;
}
if (inst->with_ntdomain_hack) {
username_string++;
} else {
- DEBUG2(" rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
+ RDEBUG2("NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
username_string = user_name->vp_strvalue;
}
} else {
data = buffer;
data_len = 8;
} else {
- DEBUG2(" rlm_mschap: Invalid MS-CHAP challenge length");
+ RDEBUG2("Invalid MS-CHAP challenge length");
return 0;
}
if (!response) response = pairfind(request->packet->vps,
PW_MSCHAP2_RESPONSE);
if (!response) {
- DEBUG2(" rlm_mschap: No MS-CHAP-Response or MS-CHAP2-Response was found in the request.");
+ RDEBUG2("No MS-CHAP-Response or MS-CHAP2-Response was found in the request.");
return 0;
}
*/
if ((response->attribute == PW_MSCHAP_RESPONSE) &&
((response->vp_octets[1] & 0x01) == 0)) {
- DEBUG2(" rlm_mschap: No NT-Response in MS-CHAP-Response");
+ RDEBUG2("No NT-Response in MS-CHAP-Response");
return 0;
}
response = pairfind(request->packet->vps,
PW_MSCHAP_RESPONSE);
if (!response) {
- DEBUG2(" rlm_mschap: No MS-CHAP-Response was found in the request.");
+ RDEBUG2("No MS-CHAP-Response was found in the request.");
return 0;
}
* if the second octet says so.
*/
if ((response->vp_octets[1] & 0x01) != 0) {
- DEBUG2(" rlm_mschap: No LM-Response in MS-CHAP-Response");
+ RDEBUG2("No LM-Response in MS-CHAP-Response");
return 0;
}
data = response->vp_octets + 2;
user_name = pairfind(request->packet->vps, PW_USER_NAME);
if (!user_name) {
- DEBUG2(" rlm_mschap: No User-Name was found in the request.");
+ RDEBUG2("No User-Name was found in the request.");
return 0;
}
*/
p = strchr(user_name->vp_strvalue, '.');
if (!p) {
- DEBUG2(" rlm_mschap: setting NT-Domain to same as machine name");
+ RDEBUG2("setting NT-Domain to same as machine name");
strlcpy(out, user_name->vp_strvalue + 5, outlen);
} else {
p++; /* skip the period */
} else {
p = strchr(user_name->vp_strvalue, '\\');
if (!p) {
- DEBUG2(" rlm_mschap: No NT-Domain was found in the User-Name.");
+ RDEBUG2("No NT-Domain was found in the User-Name.");
return 0;
}
user_name = pairfind(request->packet->vps, PW_USER_NAME);
if (!user_name) {
- DEBUG2(" rlm_mschap: No User-Name was found in the request.");
+ RDEBUG2("No User-Name was found in the request.");
return 0;
}
p = fmt + 8; /* 7 is the length of 'NT-Hash' */
if ((p == '\0') || (outlen <= 32))
return 0;
- DEBUG("rlm_mschap: NT-Hash: %s",p);
+ RDEBUG("rlm_mschap: NT-Hash: %s",p);
ntpwdhash(buffer,p);
fr_bin2hex(buffer, out, 16);
out[32] = '\0';
- DEBUG("rlm_mschap: NT-Hash: Result: %s",out);
+ RDEBUG("rlm_mschap: NT-Hash: Result: %s",out);
return 32;
/*
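Review bot: The guard `if ((p == '\0') || (outlen <= 32))` compares the pointer `p` with zero rather than the character it points at, so the empty-argument check never fires because `p = fmt + 8` is not null. It should read `if ((*p == '\0') || (outlen <= 32))`, and the LM-Hash branch in the next hunk has the same test. Whether `fmt + 8` always stays inside the string depends on the prefix match above this hunk, which is not visible. The two `RDEBUG` lines here also keep the `rlm_mschap: ` prefix that the rest of the patch removes.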
if ((p == '\0') || (outlen <= 32))
return 0;
- DEBUG("rlm_mschap: LM-Hash: %s",p);
+ RDEBUG("rlm_mschap: LM-Hash: %s",p);
smbdes_lmpwdhash(p, buffer);
fr_bin2hex(buffer, out, 16);
out[32] = '\0';
- DEBUG("rlm_mschap: LM-Hash: Result: %s",out);
+ RDEBUG("rlm_mschap: LM-Hash: Result: %s",out);
return 32;
} else {
- DEBUG2(" rlm_mschap: Unknown expansion string \"%s\"",
+ RDEBUG2("Unknown expansion string \"%s\"",
fmt);
return 0;
}
* Didn't set anything: this is bad.
*/
if (!data) {
- DEBUG2(" rlm_mschap: Failed to do anything intelligent");
+ RDEBUG2("Failed to do anything intelligent");
return 0;
}
* add_reply() adds either MS-CHAP2-Success or MS-CHAP-Error
* attribute to reply packet
*/
-void mschap_add_reply(VALUE_PAIR** vp, unsigned char ident,
+void mschap_add_reply(REQUEST *request, VALUE_PAIR** vp, unsigned char ident,
const char* name, const char* value, int len)
{
VALUE_PAIR *reply_attr;
reply_attr = pairmake(name, "", T_OP_EQ);
if (!reply_attr) {
- DEBUG(" rlm_mschap: Failed to create attribute %s: %s\n", name, librad_errstr);
+ RDEBUG("Failed to create attribute %s: %s\n", name, librad_errstr);
return;
}
VALUE_PAIR *vp;
vp = radius_pairmake(request, &request->reply->vps, name, "", T_OP_EQ);
if (!vp) {
- DEBUG("rlm_mschap: mppe_add_reply failed to create attribute %s: %s\n", name, librad_errstr);
+ RDEBUG("rlm_mschap: mppe_add_reply failed to create attribute %s: %s\n", name, librad_errstr);
return;
}
* know what to do...
*/
if (!inst->ntlm_auth && do_ntlm_auth) {
- DEBUG2(" rlm_mschap: Asked to use ntlm_auth, but it was not configured in the mschap{} section.");
+ RDEBUG2("Asked to use ntlm_auth, but it was not configured in the mschap{} section.");
return -1;
}
* No password: can't do authentication.
*/
if (!password) {
- DEBUG2(" rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.");
+ RDEBUG2("FAILED: No NT/LM-Password. Cannot perform authentication.");
return -1;
}
buffer, sizeof(buffer),
NULL, NULL, 1);
if (result != 0) {
- DEBUG2(" rlm_mschap: External script failed.");
+ RDEBUG2("External script failed.");
return -1;
}
* NT_KEY: 000102030405060708090a0b0c0d0e0f
*/
if (memcmp(buffer, "NT_KEY: ", 8) != 0) {
- DEBUG2(" rlm_mschap: Invalid output from ntlm_auth: expecting NT_KEY");
+ RDEBUG2("Invalid output from ntlm_auth: expecting NT_KEY");
return -1;
}
* with an LF at the end.
*/
if (strlen(buffer + 8) < 32) {
- DEBUG2(" rlm_mschap: Invalid output from ntlm_auth: NT_KEY has unexpected length");
+ RDEBUG2("Invalid output from ntlm_auth: NT_KEY has unexpected length");
return -1;
}
* Update the NT hash hash, from the NT key.
*/
if (fr_hex2bin(buffer + 8, nthashhash, 16) != 16) {
- DEBUG2(" rlm_mschap: Invalid output from ntlm_auth: NT_KEY has non-hex values");
+ RDEBUG2("Invalid output from ntlm_auth: NT_KEY has non-hex values");
return -1;
}
}
* Nothing we recognize. Don't do anything.
*/
if (!response) {
- DEBUG2(" rlm_mschap: Found MS-CHAP-Challenge, but no MS-CHAP-Response.");
+ RDEBUG2("Found MS-CHAP-Challenge, but no MS-CHAP-Response.");
return RLM_MODULE_NOOP;
}
if (pairfind(request->config_items, PW_AUTH_TYPE)) {
- DEBUG2(" rlm_mschap: Found existing Auth-Type. Not changing it.");
+ RDEBUG2("Found existing Auth-Type. Not changing it.");
return RLM_MODULE_NOOP;
}
- DEBUG2(" rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = %s'", inst->xlat_name);
+ RDEBUG2("Found MS-CHAP attributes. Setting 'Auth-Type = %s'", inst->xlat_name);
/*
* Set Auth-Type to MS-CHAP. The authentication code
* Password is not required.
*/
if ((smb_ctrl->vp_integer & ACB_PWNOTREQ) != 0) {
- DEBUG2(" rlm_mschap: SMB-Account-Ctrl says no password is required.");
+ RDEBUG2("SMB-Account-Ctrl says no password is required.");
return RLM_MODULE_OK;
}
}
((lm_password->length == 32) &&
(fr_hex2bin(lm_password->vp_strvalue,
lm_password->vp_octets, 16) == 16))) {
- DEBUG2(" rlm_mschap: Found LM-Password");
+ RDEBUG2("Found LM-Password");
lm_password->length = 16;
} else {
- radlog(L_ERR, "rlm_mschap: Invalid LM-Password");
+ radlog_request(L_ERR, 0, request, "Invalid LM-Password");
lm_password = NULL;
}
} else if (!password) {
- DEBUG2(" rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.");
+ RDEBUG2("No Cleartext-Password configured. Cannot create LM-Password.");
} else { /* there is a configured Cleartext-Password */
lm_password = radius_pairmake(request, &request->config_items,
"LM-Password", "", T_OP_EQ);
if (!lm_password) {
- radlog(L_ERR, "No memory");
+ radlog_request(L_ERR, 0, request, "No memory");
} else {
smbdes_lmpwdhash(password->vp_strvalue,
lm_password->vp_octets);
((nt_password->length == 32) &&
(fr_hex2bin(nt_password->vp_strvalue,
nt_password->vp_octets, 16) == 16))) {
- DEBUG2(" rlm_mschap: Found NT-Password");
+ RDEBUG2("Found NT-Password");
nt_password->length = 16;
} else {
- radlog(L_ERR, "rlm_mschap: Invalid NT-Password");
+ radlog_request(L_ERR, 0, request, "Invalid NT-Password");
nt_password = NULL;
}
} else if (!password) {
- DEBUG2(" rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.");
+ RDEBUG2("No Cleartext-Password configured. Cannot create NT-Password.");
} else { /* there is a configured Cleartext-Password */
nt_password = radius_pairmake(request, &request->config_items,
"NT-Password", "", T_OP_EQ);
if (!nt_password) {
- radlog(L_ERR, "No memory");
+ radlog_request(L_ERR, 0, request, "No memory");
return RLM_MODULE_FAIL;
} else {
ntpwdhash(nt_password->vp_octets,
challenge = pairfind(request->packet->vps, PW_MSCHAP_CHALLENGE);
if (!challenge) {
- DEBUG2(" rlm_mschap: No MS-CHAP-Challenge in the request");
+ RDEBUG2("No MS-CHAP-Challenge in the request");
return RLM_MODULE_REJECT;
}
* MS-CHAPv1 challenges are 8 octets.
*/
if (challenge->length < 8) {
- radlog(L_AUTH, "rlm_mschap: MS-CHAP-Challenge has the wrong format.");
+ radlog_request(L_AUTH, 0, request, "MS-CHAP-Challenge has the wrong format.");
return RLM_MODULE_INVALID;
}
* Responses are 50 octets.
*/
if (response->length < 50) {
- radlog(L_AUTH, "rlm_mschap: MS-CHAP-Response has the wrong format.");
+ radlog_request(L_AUTH, 0, request, "MS-CHAP-Response has the wrong format.");
return RLM_MODULE_INVALID;
}
* response
*/
if (response->vp_octets[1] & 0x01) {
- DEBUG2(" rlm_mschap: Told to do MS-CHAPv1 with NT-Password");
+ RDEBUG2("Told to do MS-CHAPv1 with NT-Password");
password = nt_password;
offset = 26;
} else {
- DEBUG2(" rlm_mschap: Told to do MS-CHAPv1 with LM-Password");
+ RDEBUG2("Told to do MS-CHAPv1 with LM-Password");
password = lm_password;
offset = 2;
}
*/
if (do_mschap(inst, request, password, challenge->vp_octets,
response->vp_octets + offset, nthashhash) < 0) {
- DEBUG2(" rlm_mschap: MS-CHAP-Response is incorrect.");
- mschap_add_reply(&request->reply->vps,
+ RDEBUG2("MS-CHAP-Response is incorrect.");
+ mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
"MS-CHAP-Error", "E=691 R=1", 9);
return RLM_MODULE_REJECT;
* MS-CHAPv2 challenges are 16 octets.
*/
if (challenge->length < 16) {
- radlog(L_AUTH, "rlm_mschap: MS-CHAP-Challenge has the wrong format.");
+ radlog_request(L_AUTH, 0, request, "MS-CHAP-Challenge has the wrong format.");
return RLM_MODULE_INVALID;
}
* Responses are 50 octets.
*/
if (response->length < 50) {
- radlog(L_AUTH, "rlm_mschap: MS-CHAP-Response has the wrong format.");
+ radlog_request(L_AUTH, 0, request, "MS-CHAP-Response has the wrong format.");
return RLM_MODULE_INVALID;
}
*/
username = pairfind(request->packet->vps, PW_USER_NAME);
if (!username) {
- radlog(L_AUTH, "rlm_mschap: We require a User-Name for MS-CHAPv2");
+ radlog_request(L_AUTH, 0, request, "We require a User-Name for MS-CHAPv2");
return RLM_MODULE_INVALID;
}
if (inst->with_ntdomain_hack) {
username_string++;
} else {
- DEBUG2(" rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
+ RDEBUG2(" NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
username_string = username->vp_strvalue;
}
} else {
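Review bot: `RDEBUG2(" NT Domain delimeter found, ...")` keeps a leading space that the identical message in the earlier challenge-expansion hunk dropped, as do `RDEBUG2(" mschap1: %02x", ...)` and `RDEBUG2(" mschap2: %02x", ...)`. The old indent was part of the hand-written prefix, so the converted strings should start at the first word: `RDEBUG2("NT Domain delimeter found, should we have enabled with_ntdomain_hack?");`. The enclosing block starts and ends outside this hunk.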
* OpenDirectory authentication.
*/
if (!nt_password && inst->open_directory) {
- DEBUG2(" rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.");
+ RDEBUG2("No NT-Password configured. Trying DirectoryService Authentication.");
return od_mschap_auth(request, challenge, username);
}
#endif
username_string, /* user name */
mschapv1_challenge); /* resulting challenge */
- DEBUG2(" rlm_mschap: Told to do MS-CHAPv2 for %s with NT-Password",
+ RDEBUG2("Told to do MS-CHAPv2 for %s with NT-Password",
username_string);
if (do_mschap(inst, request, nt_password, mschapv1_challenge,
response->vp_octets + 26, nthashhash) < 0) {
- DEBUG2(" rlm_mschap: FAILED: MS-CHAP2-Response is incorrect");
- mschap_add_reply(&request->reply->vps,
+ RDEBUG2("FAILED: MS-CHAP2-Response is incorrect");
+ mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
"MS-CHAP-Error", "E=691 R=1", 9);
return RLM_MODULE_REJECT;
response->vp_octets + 2, /* peer challenge */
challenge->vp_octets, /* our challenge */
msch2resp); /* calculated MPPE key */
- mschap_add_reply(&request->reply->vps, *response->vp_octets,
+ mschap_add_reply(request, &request->reply->vps, *response->vp_octets,
"MS-CHAP2-Success", msch2resp, 42);
chap = 2;
} else { /* Neither CHAPv1 or CHAPv2 response: die */
- radlog(L_AUTH, "rlm_mschap: No MS-CHAP response found");
+ radlog_request(L_AUTH, 0, request, "No MS-CHAP response found");
return RLM_MODULE_INVALID;
}
*/
if (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) ||
((smb_ctrl->vp_integer & ACB_NORMAL) == 0)) {
- DEBUG2(" rlm_mschap: SMB-Account-Ctrl says that the account is disabled, or is not a normal account.");
- mschap_add_reply( &request->reply->vps,
+ RDEBUG2("SMB-Account-Ctrl says that the account is disabled, or is not a normal account.");
+ mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
"MS-CHAP-Error", "E=691 R=1", 9);
return RLM_MODULE_NOTFOUND;
* User is locked out.
*/
if ((smb_ctrl->vp_integer & ACB_AUTOLOCK) != 0) {
- DEBUG2(" rlm_mschap: SMB-Account-Ctrl says that the account is locked out.");
- mschap_add_reply( &request->reply->vps,
+ RDEBUG2("SMB-Account-Ctrl says that the account is locked out.");
+ mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
"MS-CHAP-Error", "E=647 R=0", 9);
return RLM_MODULE_USERLOCK;
uint8_t mppe_recvkey[34];
if (chap == 1){
- DEBUG2("rlm_mschap: adding MS-CHAPv1 MPPE keys");
+ RDEBUG2("adding MS-CHAPv1 MPPE keys");
memset(mppe_sendkey, 0, 32);
if (lm_password) {
memcpy(mppe_sendkey, lm_password->vp_octets, 8);
"MS-CHAP-MPPE-Keys",
mppe_sendkey, 32);
} else if (chap == 2) {
- DEBUG2("rlm_mschap: adding MS-CHAPv2 MPPE keys");
+ RDEBUG2("adding MS-CHAPv2 MPPE keys");
mppe_chap2_gen_keys128(nthashhash,
response->vp_octets + 26,
mppe_sendkey, mppe_recvkey);
/*
* Hex or base64 or bin auto-discovery.
*/
-static void normify(VALUE_PAIR *vp, size_t min_length)
+static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
{
size_t decoded;
uint8_t buffer[64];
if (vp->length >= (2 * min_length)) {
decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
if (decoded == (vp->length >> 1)) {
- DEBUG2("rlm_pap: Normalizing %s from hex encoding", vp->name);
+ RDEBUG2("Normalizing %s from hex encoding", vp->name);
memcpy(vp->vp_octets, buffer, decoded);
vp->length = decoded;
return;
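Review bot: `normify()` decodes into `uint8_t buffer[64]` but asks `fr_hex2bin` for `vp->length >> 1` bytes, so a hex value longer than 128 characters would write past the buffer if attribute values can be that long (the limit on `vp->length` is not visible here). The base64 branch in the next hunk passes `buffer` to `base64_decode` with no size argument at all. Since this function processes configured password hashes, bound the hex case with `if ((vp->length >= (2 * min_length)) && ((vp->length >> 1) <= sizeof(buffer))) {` and apply an equivalent length check before the base64 call. The function body continues outside this hunk.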
if ((vp->length * 3) >= ((min_length * 4))) {
decoded = base64_decode(vp->vp_strvalue, buffer);
if (decoded >= min_length) {
- DEBUG2("rlm_pap: Normalizing %s from base64 encoding", vp->name);
+ RDEBUG2("Normalizing %s from base64 encoding", vp->name);
memcpy(vp->vp_octets, buffer, decoded);
vp->length = decoded;
return;
attr = fr_str2int(header_names, buffer, 0);
if (!attr) {
- DEBUG2("rlm_pap: Found unknown header {%s}: Not doing anything", buffer);
+ RDEBUG2("Found unknown header {%s}: Not doing anything", buffer);
break;
}
case PW_SMD5_PASSWORD:
case PW_NT_PASSWORD:
case PW_LM_PASSWORD:
- normify(vp, 16); /* ensure it's in the right format */
+ normify(request, vp, 16); /* ensure it's in the right format */
found_pw = TRUE;
break;
case PW_SHA_PASSWORD:
case PW_SSHA_PASSWORD:
- normify(vp, 20); /* ensure it's in the right format */
+ normify(request, vp, 20); /* ensure it's in the right format */
found_pw = TRUE;
break;
return RLM_MODULE_NOOP;
}
- DEBUG("rlm_pap: WARNING! No \"known good\" password found for the user. Authentication may fail because of this.");
+ RDEBUG("WARNING! No \"known good\" password found for the user. Authentication may fail because of this.");
return RLM_MODULE_NOOP;
}
* Don't touch existing Auth-Types.
*/
if (auth_type) {
- DEBUG2("rlm_pap: Found existing Auth-Type, not changing it.");
+ RDEBUG2("Found existing Auth-Type, not changing it.");
return RLM_MODULE_NOOP;
}
return RLM_MODULE_NOOP;
}
- DEBUG2("rlm_pap: No clear-text password in the request. Not performing PAP.");
+ RDEBUG2("No clear-text password in the request. Not performing PAP.");
return RLM_MODULE_NOOP;
}
int scheme = PAP_ENC_INVALID;
if (!request->password){
- radlog(L_AUTH, "rlm_pap: Attribute \"Password\" is required for authentication.");
+ radlog_request(L_AUTH, 0, request, "Attribute \"Password\" is required for authentication.");
return RLM_MODULE_INVALID;
}
* Clear-text passwords are the only ones we support.
*/
if (request->password->attribute != PW_USER_PASSWORD) {
- radlog(L_AUTH, "rlm_pap: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
+ radlog_request(L_AUTH, 0, request, "Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
return RLM_MODULE_INVALID;
}
return RLM_MODULE_INVALID;
}
- DEBUG("rlm_pap: login attempt with password \"%s\"",
+ RDEBUG("login attempt with password \"%s\"",
request->password->vp_strvalue);
/*
}
fail:
- DEBUG("rlm_pap: No password configured for the user. Cannot do authentication");
+ RDEBUG("No password configured for the user. Cannot do authentication");
return RLM_MODULE_FAIL;
} else {
switch (scheme) {
case PAP_ENC_CLEAR:
do_clear:
- DEBUG("rlm_pap: Using clear text password \"%s\"",
+ RDEBUG("Using clear text password \"%s\"",
vp->vp_strvalue);
if (strcmp((char *) vp->vp_strvalue,
(char *) request->password->vp_strvalue) != 0){
goto make_msg;
}
done:
- DEBUG("rlm_pap: User authenticated successfully");
+ RDEBUG("User authenticated successfully");
return RLM_MODULE_OK;
break;
case PAP_ENC_CRYPT:
do_crypt:
- DEBUG("rlm_pap: Using CRYPT encryption.");
+ RDEBUG("Using CRYPT encryption.");
if (fr_crypt_check((char *) request->password->vp_strvalue,
(char *) vp->vp_strvalue) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CRYPT password check failed");
case PW_MD5_PASSWORD:
do_md5:
- DEBUG("rlm_pap: Using MD5 encryption.");
+ RDEBUG("Using MD5 encryption.");
- normify(vp, 16);
+ normify(request, vp, 16);
if (vp->length != 16) {
- DEBUG("rlm_pap: Configured MD5 password has incorrect length");
+ RDEBUG("Configured MD5 password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured MD5 password has incorrect length");
goto make_msg;
}
case PW_SMD5_PASSWORD:
do_smd5:
- DEBUG("rlm_pap: Using SMD5 encryption.");
+ RDEBUG("Using SMD5 encryption.");
- normify(vp, 16);
+ normify(request, vp, 16);
if (vp->length <= 16) {
- DEBUG("rlm_pap: Configured SMD5 password has incorrect length");
+ RDEBUG("Configured SMD5 password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SMD5 password has incorrect length");
goto make_msg;
}
case PW_SHA_PASSWORD:
do_sha:
- DEBUG("rlm_pap: Using SHA1 encryption.");
+ RDEBUG("Using SHA1 encryption.");
- normify(vp, 20);
+ normify(request, vp, 20);
if (vp->length != 20) {
- DEBUG("rlm_pap: Configured SHA1 password has incorrect length");
+ RDEBUG("Configured SHA1 password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SHA1 password has incorrect length");
goto make_msg;
}
case PW_SSHA_PASSWORD:
do_ssha:
- DEBUG("rlm_pap: Using SSHA encryption.");
+ RDEBUG("Using SSHA encryption.");
- normify(vp, 20);
+ normify(request, vp, 20);
if (vp->length <= 20) {
- DEBUG("rlm_pap: Configured SSHA password has incorrect length");
+ RDEBUG("Configured SSHA password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SHA password has incorrect length");
goto make_msg;
}
case PW_NT_PASSWORD:
do_nt:
- DEBUG("rlm_pap: Using NT encryption.");
+ RDEBUG("Using NT encryption.");
- normify(vp, 16);
+ normify(request, vp, 16);
if (vp->length != 16) {
- DEBUG("rlm_pap: Configured NT-Password has incorrect length");
+ RDEBUG("Configured NT-Password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured NT-Password has incorrect length");
goto make_msg;
}
snprintf(buff2, sizeof(buff2), "%%{mschap:NT-Hash %s}",
request->password->vp_strvalue);
if (!radius_xlat(digest, sizeof(digest),buff2,request,NULL)){
- DEBUG("rlm_pap: mschap xlat failed");
+ RDEBUG("mschap xlat failed");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
goto make_msg;
}
case PW_LM_PASSWORD:
do_lm:
- DEBUG("rlm_pap: Using LM encryption.");
+ RDEBUG("Using LM encryption.");
- normify(vp, 16);
+ normify(request, vp, 16);
if (vp->length != 16) {
- DEBUG("rlm_pap: Configured LM-Password has incorrect length");
+ RDEBUG("Configured LM-Password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured LM-Password has incorrect length");
goto make_msg;
}
snprintf(buff2, sizeof(buff2), "%%{mschap:LM-Hash %s}",
request->password->vp_strvalue);
if (!radius_xlat(digest,sizeof(digest),buff2,request,NULL)){
- DEBUG("rlm_pap: mschap xlat failed");
+ RDEBUG("mschap xlat failed");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
goto make_msg;
}
(memcmp(digest, vp->vp_octets, vp->length) != 0)) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: LM password check failed");
make_msg:
- DEBUG("rlm_pap: Passwords don't match");
+ RDEBUG("Passwords don't match");
module_fmsg_vp = pairmake("Module-Failure-Message",
module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
case PAP_ENC_NS_MTA_MD5:
do_ns_mta_md5:
- DEBUG("rlm_pap: Using NT-MTA-MD5 password");
+ RDEBUG("Using NT-MTA-MD5 password");
if (vp->length != 64) {
- DEBUG("rlm_pap: Configured NS-MTA-MD5-Password has incorrect length");
+ RDEBUG("Configured NS-MTA-MD5-Password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured NS-MTA-MD5-Password has incorrect length");
goto make_msg;
}
* Sanity check the value of NS-MTA-MD5-Password
*/
if (fr_hex2bin(vp->vp_strvalue, buff, 32) != 16) {
- DEBUG("rlm_pap: Configured NS-MTA-MD5-Password has invalid value");
+ RDEBUG("Configured NS-MTA-MD5-Password has invalid value");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured NS-MTA-MD5-Password has invalid value");
goto make_msg;
}
* This really: sizeof(buff) - 2 - 2*32 - strlen(passwd)
*/
if (strlen(request->password->vp_strvalue) >= (sizeof(buff2) - 2 - 2 * 32)) {
- DEBUG("rlm_pap: Configured password is too long");
+ RDEBUG("Configured password is too long");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: password is too long");
goto make_msg;
}
break;
}
- DEBUG("rlm_pap: No password configured for the user. Cannot do authentication");
+ RDEBUG("No password configured for the user. Cannot do authentication");
return RLM_MODULE_FAIL;
}