/*
* Construct an access request, but don't send it. Returns 0 on success,
* -1 on failure.
*/
static int
build_access_request(struct rad_handle *radh, const char *user,
const char *pass, const char *nas_id, const char *nas_ipaddr,
const void *state, size_t state_len)
{
int error;
char host[MAXHOSTNAMELEN];
struct sockaddr_in *haddr;
struct addrinfo hints;
struct addrinfo *res;
if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) {
syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh));
return (-1);
}
if (nas_id == NULL ||
(nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)) {
if (gethostname(host, sizeof host) != -1) {
if (nas_id == NULL)
nas_id = host;
if (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)
nas_ipaddr = host;
}
}
if ((user != NULL &&
rad_put_string(radh, RAD_USER_NAME, user) == -1) ||
(pass != NULL &&
rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) ||
(nas_id != NULL &&
rad_put_string(radh, RAD_NAS_IDENTIFIER, nas_id) == -1)) {
syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
return (-1);
}
if (nas_ipaddr != NULL) {
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
if (getaddrinfo(nas_ipaddr, NULL, &hints, &res) == 0 &&
res != NULL && res->ai_family == AF_INET) {
haddr = (struct sockaddr_in *)res->ai_addr;
error = rad_put_addr(radh, RAD_NAS_IP_ADDRESS,
haddr->sin_addr);
freeaddrinfo(res);
if (error == -1) {
syslog(LOG_CRIT, "rad_put_addr: %s",
rad_strerror(radh));
return (-1);
}
}
}
if (state != NULL && rad_put_attr(radh, RAD_STATE, state,
state_len) == -1) {
syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
return (-1);
}
if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) {
syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh));
return (-1);
}
return (0);
}
int
auth_call_radius(const uschar *s, uschar **errptr)
{
uschar *user;
const uschar *radius_args = s;
int result;
int sep = 0;
#ifdef RADIUS_LIB_RADLIB
struct rad_handle *h;
#else
#ifdef RADIUS_LIB_RADIUSCLIENTNEW
rc_handle *h;
#endif
VALUE_PAIR *send = NULL;
VALUE_PAIR *received;
unsigned int service = PW_AUTHENTICATE_ONLY;
char msg[4096];
#endif
user = string_nextinlist(&radius_args, &sep, big_buffer, big_buffer_size);
if (user == NULL) user = US"";
DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" "
"and \"%s\"\n", user, radius_args);
*errptr = NULL;
/* Authenticate using the radiusclient library */
#ifndef RADIUS_LIB_RADLIB
rc_openlog("exim");
#ifdef RADIUS_LIB_RADIUSCLIENT
if (rc_read_config(RADIUS_CONFIG_FILE) != 0)
*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0)
*errptr = string_sprintf("RADIUS: can't read dictionary");
else if (rc_avpair_add(&send, PW_USER_NAME, user, 0) == NULL)
*errptr = string_sprintf("RADIUS: add user name failed\n");
else if (rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0) == NULL)
*errptr = string_sprintf("RADIUS: add password failed\n");
else if (rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0) == NULL)
*errptr = string_sprintf("RADIUS: add service type failed\n");
#else /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */
if ((h = rc_read_config(RADIUS_CONFIG_FILE)) == NULL)
*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0)
*errptr = string_sprintf("RADIUS: can't read dictionary");
else if (rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0) == NULL)
*errptr = string_sprintf("RADIUS: add user name failed\n");
else if (rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args,
Ustrlen(radius_args), 0) == NULL)
*errptr = string_sprintf("RADIUS: add password failed\n");
else if (rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0) == NULL)
*errptr = string_sprintf("RADIUS: add service type failed\n");
#endif /* RADIUS_LIB_RADIUSCLIENT */
if (*errptr != NULL)
{
DEBUG(D_auth) debug_printf("%s\n", *errptr);
return ERROR;
}
#ifdef RADIUS_LIB_RADIUSCLIENT
result = rc_auth(0, send, &received, msg);
#else
result = rc_auth(h, 0, send, &received, msg);
#endif
DEBUG(D_auth) debug_printf("RADIUS code returned %d\n", result);
switch (result)
{
case OK_RC:
return OK;
case REJECT_RC:
case ERROR_RC:
return FAIL;
case TIMEOUT_RC:
*errptr = US"RADIUS: timed out";
return ERROR;
default:
case BADRESP_RC:
*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
return ERROR;
}
#else /* RADIUS_LIB_RADLIB is set */
/* Authenticate using the libradius library */
h = rad_auth_open();
if (h == NULL)
{
*errptr = string_sprintf("RADIUS: can't initialise libradius");
return ERROR;
}
if (rad_config(h, RADIUS_CONFIG_FILE) != 0 ||
rad_create_request(h, RAD_ACCESS_REQUEST) != 0 ||
rad_put_string(h, RAD_USER_NAME, CS user) != 0 ||
rad_put_string(h, RAD_USER_PASSWORD, CS radius_args) != 0 ||
rad_put_int(h, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) != 0 ||
rad_put_string(h, RAD_NAS_IDENTIFIER, CS primary_hostname) != 0)
{
*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
result = ERROR;
}
else
{
result = rad_send_request(h);
switch(result)
{
case RAD_ACCESS_ACCEPT:
result = OK;
break;
case RAD_ACCESS_REJECT:
result = FAIL;
break;
case -1:
*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
result = ERROR;
break;
default:
*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
result= ERROR;
break;
}
}
if (*errptr != NULL) DEBUG(D_auth) debug_printf("%s\n", *errptr);
rad_close(h);
return result;
#endif /* RADIUS_LIB_RADLIB */
}