Steal patch from CVS Head 1.140 for post-auth REJECT processing.
authorphampson <phampson>
Wed, 29 Dec 2004 23:08:42 +0000 (23:08 +0000)
committerphampson <phampson>
Wed, 29 Dec 2004 23:08:42 +0000 (23:08 +0000)
Thanks to Nicolas Baradakis for the patch.

doc/ChangeLog
src/main/auth.c

index 2e9534c..6e498d6 100644 (file)
@@ -1,5 +1,5 @@
 FreeRADIUS 1.0.2 ; $Date$, urgency=medium
-    * Don't declare zero-length arrays in rlm_passwd
+       * Don't declare zero-length arrays in rlm_passwd
        * Bug fix to make udpfromto code work
        * radrelay shouldn't dump core if it can't read a VP from the
          detail file.
@@ -10,6 +10,8 @@ FreeRADIUS 1.0.2 ; $Date$, urgency=medium
        * Treat Quintium VSAs like Cisco VSAs
        * Locking fixes in threading code
        * rlm_krb5 includes /usr/include/et for Fedora Core
+       * Fix post-auth REJECT stanza processing for rejections from external
+         processes or home RADIUS servers
 
 FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03 , urgency=high
        Denial-of-Service Security Fix
index 3a48ee3..58c92db 100644 (file)
@@ -428,6 +428,31 @@ int rad_postauth(REQUEST *request)
 }
 
 /*
+ *     Before sending an Access-Reject, call the modules in the
+ *     Post-Auth-Type REJECT stanza.
+ */
+static int rad_postauth_reject(REQUEST *request)
+{
+       int             result;
+       VALUE_PAIR      *tmp;
+       DICT_VALUE      *dval;
+
+       dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
+       if (dval) {
+               /* Overwrite the Post-Auth-Type with the value REJECT */
+               pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
+               tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
+               tmp->lvalue = dval->value;
+               pairadd(&request->config_items, tmp);
+               result = rad_postauth(request);
+       } else {
+               /* No REJECT stanza */
+               result = RLM_MODULE_OK;
+       }
+       return result;
+}
+
+/*
  *     Process and reply to an authentication request
  *
  *     The return value of this function isn't actually used right now, so
@@ -501,6 +526,7 @@ int rad_authenticate(REQUEST *request)
                    (request->proxy_reply->code != PW_ACCESS_CHALLENGE)) {
                        rad_authlog("Login incorrect (Home Server says so)", request, 0);
                        request->reply->code = PW_AUTHENTICATION_REJECT;
+                       rad_postauth_reject(request);
                        return RLM_MODULE_REJECT;
                }
        }
@@ -777,22 +803,11 @@ autz_redo:
 
        /*
         *      Result should be >= 0 here - if not, it means the user
-        *      is rejected, so we overwrite the Post-Auth-Type with
-        *      the value REJECT and call the post-authentication
-        *      step.
+        *      is rejected, so we just process post-auth and return.
         */
        if (result < 0) {
-               DICT_VALUE *dval;
-
-               dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
-               if (dval) {
-                       pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
-                       tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
-                       tmp->lvalue = dval->value;
-                       pairadd(&request->config_items, tmp);
-                       rad_postauth(request);
-               }
-               return RLM_MODULE_OK;
+               rad_postauth_reject(request);
+               return RLM_MODULE_REJECT;
        }
 
        /*
@@ -899,6 +914,8 @@ autz_redo:
                        rad_authlog("Login incorrect (external check failed)",
                                        request, 0);
 
+                       rad_postauth_reject(request);
+
                        return RLM_MODULE_REJECT;
                }
        }
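Review bot: The value returned by the new rad_postauth_reject (defined in the first auth.c hunk) is discarded at all three new call sites in rad_authenticate (the home-server reject, the `result < 0` path, and the external-check failure), so the `result` it builds from rad_postauth is dead code: either make it `static void rad_postauth_reject(REQUEST *request)` and drop the local, or say in its header comment that the return is advisory, e.g. `/* Return value is advisory; callers have already set reply->code to PW_AUTHENTICATION_REJECT and return RLM_MODULE_REJECT regardless. */`. Within that function `tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);` is dereferenced on the next line with no NULL check; unless paircreate is known to abort rather than return NULL on allocation failure (not visible here), `if (!tmp) return RLM_MODULE_FAIL;` before `tmp->lvalue = dval->value;` keeps a reject from turning into a crash. The removal of the inline block in the third hunk also leaves rad_authenticate's `tmp` possibly unused if that was its only use; rad_authenticate's body lies almost entirely outside these hunks, so that should be checked against the full function.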