FreeRADIUS 1.0.2 ; $Date$, urgency=medium
- * Don't declare zero-length arrays in rlm_passwd
+ * Don't declare zero-length arrays in rlm_passwd
* Bug fix to make udpfromto code work
* radrelay shouldn't dump core if it can't read a VP from the
detail file.
* Treat Quintium VSAs like Cisco VSAs
* Locking fixes in threading code
* rlm_krb5 includes /usr/include/et for Fedora Core
+ * Fix post-auth REJECT stanza processing for rejections from external
+ processes or home RADIUS servers
FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03 , urgency=high
Denial-of-Service Security Fix
}
/*
+ * Before sending an Access-Reject, call the modules in the
+ * Post-Auth-Type REJECT stanza.
+ */
+static int rad_postauth_reject(REQUEST *request)
+{
+ int result;
+ VALUE_PAIR *tmp;
+ DICT_VALUE *dval;
+
+ dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
+ if (dval) {
+ /* Overwrite the Post-Auth-Type with the value REJECT */
+ pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
+ tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
+ tmp->lvalue = dval->value;
+ pairadd(&request->config_items, tmp);
+ result = rad_postauth(request);
+ } else {
+ /* No REJECT stanza */
+ result = RLM_MODULE_OK;
+ }
+ return result;
+}
+
+/*
* Process and reply to an authentication request
*
* The return value of this function isn't actually used right now, so
(request->proxy_reply->code != PW_ACCESS_CHALLENGE)) {
rad_authlog("Login incorrect (Home Server says so)", request, 0);
request->reply->code = PW_AUTHENTICATION_REJECT;
+ rad_postauth_reject(request);
return RLM_MODULE_REJECT;
}
}
/*
* Result should be >= 0 here - if not, it means the user
- * is rejected, so we overwrite the Post-Auth-Type with
- * the value REJECT and call the post-authentication
- * step.
+ * is rejected, so we just process post-auth and return.
*/
if (result < 0) {
- DICT_VALUE *dval;
-
- dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
- if (dval) {
- pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
- tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
- tmp->lvalue = dval->value;
- pairadd(&request->config_items, tmp);
- rad_postauth(request);
- }
- return RLM_MODULE_OK;
+ rad_postauth_reject(request);
+ return RLM_MODULE_REJECT;
}
/*
rad_authlog("Login incorrect (external check failed)",
request, 0);
+ rad_postauth_reject(request);
+
return RLM_MODULE_REJECT;
}
}