/* * Construct an access request, but don't send it. Returns 0 on success, * -1 on failure. */ static int build_access_request(struct rad_handle *radh, const char *user, const char *pass, const char *nas_id, const char *nas_ipaddr, const void *state, size_t state_len) { int error; char host[MAXHOSTNAMELEN]; struct sockaddr_in *haddr; struct addrinfo hints; struct addrinfo *res; if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) { syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh)); return (-1); } if (nas_id == NULL || (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)) { if (gethostname(host, sizeof host) != -1) { if (nas_id == NULL) nas_id = host; if (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0) nas_ipaddr = host; } } if ((user != NULL && rad_put_string(radh, RAD_USER_NAME, user) == -1) || (pass != NULL && rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) || (nas_id != NULL && rad_put_string(radh, RAD_NAS_IDENTIFIER, nas_id) == -1)) { syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh)); return (-1); } if (nas_ipaddr != NULL) { memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; if (getaddrinfo(nas_ipaddr, NULL, &hints, &res) == 0 && res != NULL && res->ai_family == AF_INET) { haddr = (struct sockaddr_in *)res->ai_addr; error = rad_put_addr(radh, RAD_NAS_IP_ADDRESS, haddr->sin_addr); freeaddrinfo(res); if (error == -1) { syslog(LOG_CRIT, "rad_put_addr: %s", rad_strerror(radh)); return (-1); } } } if (state != NULL && rad_put_attr(radh, RAD_STATE, state, state_len) == -1) { syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh)); return (-1); } if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) { syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh)); return (-1); } return (0); }
static int do_accept(pam_handle_t *pamh, struct rad_handle *radh) { int attrtype; const void *attrval; size_t attrlen; char *s; while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) { if (attrtype == RAD_USER_NAME) { s = rad_cvt_string(attrval, attrlen); if (s == NULL) { syslog(LOG_CRIT, "rad_cvt_string: out of memory"); return (-1); } pam_set_item(pamh, PAM_USER, s); free(s); } } if (attrtype == -1) { syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh)); return (-1); } return (0); }
int main() { struct rad_handle *rad_h = NULL; int srv_sock = -1; int opt = 1; struct sockaddr_in sin; fd_set readfds, conffds; struct timeval tv, tv_conf; signal(SIGINT, &sig_handler); if ((srv_sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { fprintf(stderr, "failed to create socket: %s\n", strerror(errno)); return -1; } if (setsockopt(srv_sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) < 0) { fprintf(stderr, "failed to set socket option SO_REUSEADDR: %s\n", strerror(errno)); close(srv_sock); return -1; } memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = htonl(INADDR_ANY); sin.sin_port = htons(RAD_SRV_SOCKET); if (bind(srv_sock, (const struct sockaddr *)&sin, sizeof(sin)) == -1) { fprintf(stderr, "failed to bind socket: %s\n", strerror(errno)); close(srv_sock); return -1; } if (!(rad_h = rad_server_open(srv_sock))) { fprintf(stderr, "failed to open server.\n"); close(srv_sock); return -1; } if (rad_add_server(rad_h, "127.0.0.1", 0, RAD_SRV_SECRET, 5, 5) < 0) { fprintf(stderr, "failed to add server: %s\n", rad_strerror(rad_h)); close(srv_sock); return -1; } tv_conf.tv_sec = 1; tv_conf.tv_usec = 0; FD_ZERO(&conffds); FD_SET(srv_sock, &conffds); printf("ctrl+c to terminate server\n"); srv_run = 1; while(srv_run) { tv = tv_conf; readfds = conffds; switch(select(srv_sock + 1, &readfds, NULL, NULL, &tv)) { case 0: break; case 1: if (rad_receive_request(rad_h) < 0) { fprintf(stderr, "invalid request received: %s\n", rad_strerror(rad_h)); } else { _dump_message(rad_h); } rad_create_response(rad_h, RAD_ACCOUNTING_RESPONSE); rad_send_response(rad_h); break; default: if (srv_run) { fprintf(stderr, "something bad happened: %s\n", strerror(errno)); close(srv_sock); return -1; } } } rad_close(rad_h); close(srv_sock); return 0; }
/* * rad_continue_send_request() has given us `got' (non-zero). Deal with it. */ static void radius_Process(struct radius *r, int got) { char *argv[MAXARGS], *nuke; struct bundle *bundle; int argc, addrs, res, width; size_t len; struct ncprange dest; struct ncpaddr gw; const void *data; const char *stype; u_int32_t ipaddr, vendor; struct in_addr ip; #ifndef NOINET6 uint8_t ipv6addr[INET6_ADDRSTRLEN]; struct in6_addr ip6; #endif r->cx.fd = -1; /* Stop select()ing */ stype = r->cx.auth ? "auth" : "acct"; switch (got) { case RAD_ACCESS_ACCEPT: log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "Radius(%s): ACCEPT received\n", stype); if (!r->cx.auth) { rad_close(r->cx.rad); return; } break; case RAD_ACCESS_REJECT: log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "Radius(%s): REJECT received\n", stype); if (!r->cx.auth) { rad_close(r->cx.rad); return; } break; case RAD_ACCESS_CHALLENGE: /* we can't deal with this (for now) ! */ log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "Radius: CHALLENGE received (can't handle yet)\n"); if (r->cx.auth) auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; case RAD_ACCOUNTING_RESPONSE: /* * It's probably not ideal to log this at PHASE level as we'll see * too much stuff going to the log when ``set rad_alive'' is used. * So we differ from older behaviour (ppp version 3.1 and before) * and just log accounting responses to LogRADIUS. */ log_Printf(LogRADIUS, "Radius(%s): Accounting response received\n", stype); if (r->cx.auth) auth_Failure(r->cx.auth); /* unexpected !!! */ /* No further processing for accounting requests, please */ rad_close(r->cx.rad); return; case -1: log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "radius(%s): %s\n", stype, rad_strerror(r->cx.rad)); if (r->cx.auth) auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; default: log_Printf(LogERROR, "rad_send_request(%s): Failed %d: %s\n", stype, got, rad_strerror(r->cx.rad)); if (r->cx.auth) auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } /* Let's see what we've got in our reply */ r->ip.s_addr = r->mask.s_addr = INADDR_NONE; r->mtu = 0; r->vj = 0; while ((res = rad_get_attr(r->cx.rad, &data, &len)) > 0) { switch (res) { case RAD_FRAMED_IP_ADDRESS: r->ip = rad_cvt_addr(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " IP %s\n", inet_ntoa(r->ip)); break; case RAD_FILTER_ID: free(r->filterid); if ((r->filterid = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Filter \"%s\"\n", r->filterid); break; case RAD_SESSION_TIMEOUT: r->sessiontime = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Session-Timeout %lu\n", r->sessiontime); break; case RAD_FRAMED_IP_NETMASK: r->mask = rad_cvt_addr(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Netmask %s\n", inet_ntoa(r->mask)); break; case RAD_FRAMED_MTU: r->mtu = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MTU %lu\n", r->mtu); break; case RAD_FRAMED_ROUTING: /* Disabled for now - should we automatically set up some filters ? */ /* rad_cvt_int(data); */ /* bit 1 = Send routing packets */ /* bit 2 = Receive routing packets */ break; case RAD_FRAMED_COMPRESSION: r->vj = rad_cvt_int(data) == 1 ? 1 : 0; log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " VJ %sabled\n", r->vj ? "en" : "dis"); break; case RAD_FRAMED_ROUTE: /* * We expect a string of the format ``dest[/bits] gw [metrics]'' * Any specified metrics are ignored. MYADDR and HISADDR are * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same * as ``HISADDR''. */ if ((nuke = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Route: %s\n", nuke); bundle = r->cx.auth->physical->dl->bundle; ip.s_addr = INADDR_ANY; ncpaddr_setip4(&gw, ip); ncprange_setip4host(&dest, ip); argc = command_Interpret(nuke, strlen(nuke), argv); if (argc < 0) log_Printf(LogWARN, "radius: %s: Syntax error\n", argc == 1 ? argv[0] : "\"\""); else if (argc < 2) log_Printf(LogWARN, "radius: %s: Invalid route\n", argc == 1 ? argv[0] : "\"\""); else if ((strcasecmp(argv[0], "default") != 0 && !ncprange_aton(&dest, &bundle->ncp, argv[0])) || !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) log_Printf(LogWARN, "radius: %s %s: Invalid route\n", argv[0], argv[1]); else { ncprange_getwidth(&dest, &width); if (width == 32 && strchr(argv[0], '/') == NULL) { /* No mask specified - use the natural mask */ ncprange_getip4addr(&dest, &ip); ncprange_setip4mask(&dest, addr2mask(ip)); } addrs = 0; if (!strncasecmp(argv[0], "HISADDR", 7)) addrs = ROUTE_DSTHISADDR; else if (!strncasecmp(argv[0], "MYADDR", 6)) addrs = ROUTE_DSTMYADDR; if (ncpaddr_getip4addr(&gw, &ipaddr) && ipaddr == INADDR_ANY) { addrs |= ROUTE_GWHISADDR; ncpaddr_setip4(&gw, bundle->ncp.ipcp.peer_ip); } else if (strcasecmp(argv[1], "HISADDR") == 0) addrs |= ROUTE_GWHISADDR; route_Add(&r->routes, addrs, &dest, &gw); } free(nuke); break; case RAD_REPLY_MESSAGE: free(r->repstr); if ((r->repstr = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Reply-Message \"%s\"\n", r->repstr); break; #ifndef NOINET6 case RAD_FRAMED_IPV6_PREFIX: free(r->ipv6prefix); if ((r->ipv6prefix = rad_cvt_ipv6prefix(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_ipv6prefix: %s\n", "Malformed attribute in response"); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } inet_ntop(AF_INET6, &r->ipv6prefix[2], ipv6addr, sizeof(ipv6addr)); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " IPv6 %s/%d\n", ipv6addr, r->ipv6prefix[1]); break; case RAD_FRAMED_IPV6_ROUTE: /* * We expect a string of the format ``dest[/bits] gw [metrics]'' * Any specified metrics are ignored. MYADDR6 and HISADDR6 are * understood for ``dest'' and ``gw'' and ``::'' is the same * as ``HISADDR6''. */ if ((nuke = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " IPv6 Route: %s\n", nuke); bundle = r->cx.auth->physical->dl->bundle; ncpaddr_setip6(&gw, &in6addr_any); ncprange_set(&dest, &gw, 0); argc = command_Interpret(nuke, strlen(nuke), argv); if (argc < 0) log_Printf(LogWARN, "radius: %s: Syntax error\n", argc == 1 ? argv[0] : "\"\""); else if (argc < 2) log_Printf(LogWARN, "radius: %s: Invalid route\n", argc == 1 ? argv[0] : "\"\""); else if ((strcasecmp(argv[0], "default") != 0 && !ncprange_aton(&dest, &bundle->ncp, argv[0])) || !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) log_Printf(LogWARN, "radius: %s %s: Invalid route\n", argv[0], argv[1]); else { addrs = 0; if (!strncasecmp(argv[0], "HISADDR6", 8)) addrs = ROUTE_DSTHISADDR6; else if (!strncasecmp(argv[0], "MYADDR6", 7)) addrs = ROUTE_DSTMYADDR6; if (ncpaddr_getip6(&gw, &ip6) && IN6_IS_ADDR_UNSPECIFIED(&ip6)) { addrs |= ROUTE_GWHISADDR6; ncpaddr_copy(&gw, &bundle->ncp.ipv6cp.hisaddr); } else if (strcasecmp(argv[1], "HISADDR6") == 0) addrs |= ROUTE_GWHISADDR6; route_Add(&r->ipv6routes, addrs, &dest, &gw); } free(nuke); break; #endif case RAD_VENDOR_SPECIFIC: if ((res = rad_get_vendor_attr(&vendor, &data, &len)) <= 0) { log_Printf(LogERROR, "rad_get_vendor_attr: %s (failing!)\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } switch (vendor) { case RAD_VENDOR_MICROSOFT: switch (res) { #ifndef NODES case RAD_MICROSOFT_MS_CHAP_ERROR: free(r->errstr); if (len == 0) r->errstr = NULL; else { if (len < 3 || ((const char *)data)[1] != '=') { /* * Only point at the String field if we don't think the * peer has misformatted the response. */ data = (const char *)data + 1; len--; } else log_Printf(LogWARN, "Warning: The MS-CHAP-Error " "attribute is mis-formatted. Compensating\n"); if ((r->errstr = rad_cvt_string((const char *)data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-CHAP-Error \"%s\"\n", r->errstr); } break; case RAD_MICROSOFT_MS_CHAP2_SUCCESS: free(r->msrepstr); if (len == 0) r->msrepstr = NULL; else { if (len < 3 || ((const char *)data)[1] != '=') { /* * Only point at the String field if we don't think the * peer has misformatted the response. */ data = (const char *)data + 1; len--; } else log_Printf(LogWARN, "Warning: The MS-CHAP2-Success " "attribute is mis-formatted. Compensating\n"); if ((r->msrepstr = rad_cvt_string((const char *)data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-CHAP2-Success \"%s\"\n", r->msrepstr); } break; case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY: r->mppe.policy = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Encryption-Policy %s\n", radius_policyname(r->mppe.policy)); break; case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES: r->mppe.types = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Encryption-Types %s\n", radius_typesname(r->mppe.types)); break; case RAD_MICROSOFT_MS_MPPE_RECV_KEY: free(r->mppe.recvkey); demangle(r, data, len, &r->mppe.recvkey, &r->mppe.recvkeylen); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Recv-Key ********\n"); break; case RAD_MICROSOFT_MS_MPPE_SEND_KEY: demangle(r, data, len, &r->mppe.sendkey, &r->mppe.sendkeylen); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Send-Key ********\n"); break; #endif default: log_Printf(LogDEBUG, "Dropping MICROSOFT vendor specific " "RADIUS attribute %d\n", res); break; } break; default: log_Printf(LogDEBUG, "Dropping vendor %lu RADIUS attribute %d\n", (unsigned long)vendor, res); break; } break; default: log_Printf(LogDEBUG, "Dropping RADIUS attribute %d\n", res); break; } } if (res == -1) { log_Printf(LogERROR, "rad_get_attr: %s (failing!)\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); } else if (got == RAD_ACCESS_REJECT) auth_Failure(r->cx.auth); else { r->valid = 1; auth_Success(r->cx.auth); } rad_close(r->cx.rad); }
static int do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user, const char *nas_id, const char *nas_ipaddr) { int retval; int attrtype; const void *attrval; size_t attrlen; const void *state; size_t statelen; struct pam_message msgs[MAX_CHALLENGE_MSGS]; const struct pam_message *msg_ptrs[MAX_CHALLENGE_MSGS]; struct pam_response *resp; int num_msgs; const void *item; const struct pam_conv *conv; state = NULL; statelen = 0; num_msgs = 0; while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) { switch (attrtype) { case RAD_STATE: state = attrval; statelen = attrlen; break; case RAD_REPLY_MESSAGE: if (num_msgs >= MAX_CHALLENGE_MSGS) { syslog(LOG_CRIT, "Too many RADIUS challenge messages"); return (PAM_SERVICE_ERR); } msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen); if (msgs[num_msgs].msg == NULL) { syslog(LOG_CRIT, "rad_cvt_string: out of memory"); return (PAM_SERVICE_ERR); } msgs[num_msgs].msg_style = PAM_TEXT_INFO; msg_ptrs[num_msgs] = &msgs[num_msgs]; num_msgs++; break; } } if (attrtype == -1) { syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh)); return (PAM_SERVICE_ERR); } if (num_msgs == 0) { msgs[num_msgs].msg = strdup("(null RADIUS challenge): "); if (msgs[num_msgs].msg == NULL) { syslog(LOG_CRIT, "Out of memory"); return (PAM_SERVICE_ERR); } msgs[num_msgs].msg_style = PAM_TEXT_INFO; msg_ptrs[num_msgs] = &msgs[num_msgs]; num_msgs++; } msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON; if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) { syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV"); return (retval); } conv = (const struct pam_conv *)item; if ((retval = conv->conv(num_msgs, msg_ptrs, &resp, conv->appdata_ptr)) != PAM_SUCCESS) return (retval); if (build_access_request(radh, user, resp[num_msgs-1].resp, nas_id, nas_ipaddr, state, statelen) == -1) return (PAM_SERVICE_ERR); memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp)); free(resp[num_msgs-1].resp); free(resp); while (num_msgs > 0) free(msgs[--num_msgs].msg); return (PAM_SUCCESS); }
int auth_call_radius(const uschar *s, uschar **errptr) { uschar *user; const uschar *radius_args = s; int result; int sep = 0; #ifdef RADIUS_LIB_RADLIB struct rad_handle *h; #else #ifdef RADIUS_LIB_RADIUSCLIENTNEW rc_handle *h; #endif VALUE_PAIR *send = NULL; VALUE_PAIR *received; unsigned int service = PW_AUTHENTICATE_ONLY; char msg[4096]; #endif user = string_nextinlist(&radius_args, &sep, big_buffer, big_buffer_size); if (user == NULL) user = US""; DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" " "and \"%s\"\n", user, radius_args); *errptr = NULL; /* Authenticate using the radiusclient library */ #ifndef RADIUS_LIB_RADLIB rc_openlog("exim"); #ifdef RADIUS_LIB_RADIUSCLIENT if (rc_read_config(RADIUS_CONFIG_FILE) != 0) *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE); else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0) *errptr = string_sprintf("RADIUS: can't read dictionary"); else if (rc_avpair_add(&send, PW_USER_NAME, user, 0) == NULL) *errptr = string_sprintf("RADIUS: add user name failed\n"); else if (rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0) == NULL) *errptr = string_sprintf("RADIUS: add password failed\n"); else if (rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0) == NULL) *errptr = string_sprintf("RADIUS: add service type failed\n"); #else /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */ if ((h = rc_read_config(RADIUS_CONFIG_FILE)) == NULL) *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE); else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0) *errptr = string_sprintf("RADIUS: can't read dictionary"); else if (rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0) == NULL) *errptr = string_sprintf("RADIUS: add user name failed\n"); else if (rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args, Ustrlen(radius_args), 0) == NULL) *errptr = string_sprintf("RADIUS: add password failed\n"); else if (rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0) == NULL) *errptr = string_sprintf("RADIUS: add service type failed\n"); #endif /* RADIUS_LIB_RADIUSCLIENT */ if (*errptr != NULL) { DEBUG(D_auth) debug_printf("%s\n", *errptr); return ERROR; } #ifdef RADIUS_LIB_RADIUSCLIENT result = rc_auth(0, send, &received, msg); #else result = rc_auth(h, 0, send, &received, msg); #endif DEBUG(D_auth) debug_printf("RADIUS code returned %d\n", result); switch (result) { case OK_RC: return OK; case REJECT_RC: case ERROR_RC: return FAIL; case TIMEOUT_RC: *errptr = US"RADIUS: timed out"; return ERROR; default: case BADRESP_RC: *errptr = string_sprintf("RADIUS: unexpected response (%d)", result); return ERROR; } #else /* RADIUS_LIB_RADLIB is set */ /* Authenticate using the libradius library */ h = rad_auth_open(); if (h == NULL) { *errptr = string_sprintf("RADIUS: can't initialise libradius"); return ERROR; } if (rad_config(h, RADIUS_CONFIG_FILE) != 0 || rad_create_request(h, RAD_ACCESS_REQUEST) != 0 || rad_put_string(h, RAD_USER_NAME, CS user) != 0 || rad_put_string(h, RAD_USER_PASSWORD, CS radius_args) != 0 || rad_put_int(h, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) != 0 || rad_put_string(h, RAD_NAS_IDENTIFIER, CS primary_hostname) != 0) { *errptr = string_sprintf("RADIUS: %s", rad_strerror(h)); result = ERROR; } else { result = rad_send_request(h); switch(result) { case RAD_ACCESS_ACCEPT: result = OK; break; case RAD_ACCESS_REJECT: result = FAIL; break; case -1: *errptr = string_sprintf("RADIUS: %s", rad_strerror(h)); result = ERROR; break; default: *errptr = string_sprintf("RADIUS: unexpected response (%d)", result); result= ERROR; break; } } if (*errptr != NULL) DEBUG(D_auth) debug_printf("%s\n", *errptr); rad_close(h); return result; #endif /* RADIUS_LIB_RADLIB */ }