int
auth_call_radius(const uschar *s, uschar **errptr)
{
uschar *user;
const uschar *radius_args = s;
int result;
int sep = 0;
#ifdef RADIUS_LIB_RADLIB
struct rad_handle *h;
#else
#ifdef RADIUS_LIB_RADIUSCLIENTNEW
rc_handle *h;
#endif
VALUE_PAIR *send = NULL;
VALUE_PAIR *received;
unsigned int service = PW_AUTHENTICATE_ONLY;
char msg[4096];
#endif
user = string_nextinlist(&radius_args, &sep, big_buffer, big_buffer_size);
if (user == NULL) user = US"";
DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" "
"and \"%s\"\n", user, radius_args);
*errptr = NULL;
/* Authenticate using the radiusclient library */
#ifndef RADIUS_LIB_RADLIB
rc_openlog("exim");
#ifdef RADIUS_LIB_RADIUSCLIENT
if (rc_read_config(RADIUS_CONFIG_FILE) != 0)
*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0)
*errptr = string_sprintf("RADIUS: can't read dictionary");
else if (rc_avpair_add(&send, PW_USER_NAME, user, 0) == NULL)
*errptr = string_sprintf("RADIUS: add user name failed\n");
else if (rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0) == NULL)
*errptr = string_sprintf("RADIUS: add password failed\n");
else if (rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0) == NULL)
*errptr = string_sprintf("RADIUS: add service type failed\n");
#else /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */
if ((h = rc_read_config(RADIUS_CONFIG_FILE)) == NULL)
*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0)
*errptr = string_sprintf("RADIUS: can't read dictionary");
else if (rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0) == NULL)
*errptr = string_sprintf("RADIUS: add user name failed\n");
else if (rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args,
Ustrlen(radius_args), 0) == NULL)
*errptr = string_sprintf("RADIUS: add password failed\n");
else if (rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0) == NULL)
*errptr = string_sprintf("RADIUS: add service type failed\n");
#endif /* RADIUS_LIB_RADIUSCLIENT */
if (*errptr != NULL)
{
DEBUG(D_auth) debug_printf("%s\n", *errptr);
return ERROR;
}
#ifdef RADIUS_LIB_RADIUSCLIENT
result = rc_auth(0, send, &received, msg);
#else
result = rc_auth(h, 0, send, &received, msg);
#endif
DEBUG(D_auth) debug_printf("RADIUS code returned %d\n", result);
switch (result)
{
case OK_RC:
return OK;
case REJECT_RC:
case ERROR_RC:
return FAIL;
case TIMEOUT_RC:
*errptr = US"RADIUS: timed out";
return ERROR;
default:
case BADRESP_RC:
*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
return ERROR;
}
#else /* RADIUS_LIB_RADLIB is set */
/* Authenticate using the libradius library */
h = rad_auth_open();
if (h == NULL)
{
*errptr = string_sprintf("RADIUS: can't initialise libradius");
return ERROR;
}
if (rad_config(h, RADIUS_CONFIG_FILE) != 0 ||
rad_create_request(h, RAD_ACCESS_REQUEST) != 0 ||
rad_put_string(h, RAD_USER_NAME, CS user) != 0 ||
rad_put_string(h, RAD_USER_PASSWORD, CS radius_args) != 0 ||
rad_put_int(h, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) != 0 ||
rad_put_string(h, RAD_NAS_IDENTIFIER, CS primary_hostname) != 0)
{
*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
result = ERROR;
}
else
{
result = rad_send_request(h);
switch(result)
{
case RAD_ACCESS_ACCEPT:
result = OK;
break;
case RAD_ACCESS_REJECT:
result = FAIL;
break;
case -1:
*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
result = ERROR;
break;
default:
*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
result= ERROR;
break;
}
}
if (*errptr != NULL) DEBUG(D_auth) debug_printf("%s\n", *errptr);
rad_close(h);
return result;
#endif /* RADIUS_LIB_RADLIB */
}
static int
chk_radius(
const struct berval *sc,
const struct berval *passwd,
const struct berval *cred,
const char **text )
{
unsigned int i;
int rc = LUTIL_PASSWD_ERR;
struct rad_handle *h = NULL;
for ( i = 0; i < cred->bv_len; i++ ) {
if ( cred->bv_val[ i ] == '\0' ) {
return LUTIL_PASSWD_ERR; /* NUL character in cred */
}
}
if ( cred->bv_val[ i ] != '\0' ) {
return LUTIL_PASSWD_ERR; /* cred must behave like a string */
}
for ( i = 0; i < passwd->bv_len; i++ ) {
if ( passwd->bv_val[ i ] == '\0' ) {
return LUTIL_PASSWD_ERR; /* NUL character in password */
}
}
if ( passwd->bv_val[ i ] != '\0' ) {
return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
}
ldap_pvt_thread_mutex_lock( &libradius_mutex );
h = rad_auth_open();
if ( h == NULL ) {
ldap_pvt_thread_mutex_unlock( &libradius_mutex );
return LUTIL_PASSWD_ERR;
}
if ( rad_config( h, config_filename ) != 0 ) {
goto done;
}
if ( rad_create_request( h, RAD_ACCESS_REQUEST ) ) {
goto done;
}
if ( rad_put_string( h, RAD_USER_NAME, passwd->bv_val ) != 0 ) {
goto done;
}
if ( rad_put_string( h, RAD_USER_PASSWORD, cred->bv_val ) != 0 ) {
goto done;
}
if ( rad_put_string( h, RAD_NAS_IDENTIFIER, global_host ) != 0 ) {
goto done;
}
switch ( rad_send_request( h ) ) {
case RAD_ACCESS_ACCEPT:
rc = LUTIL_PASSWD_OK;
break;
case RAD_ACCESS_REJECT:
rc = LUTIL_PASSWD_ERR;
break;
case RAD_ACCESS_CHALLENGE:
rc = LUTIL_PASSWD_ERR;
break;
case -1:
/* no valid response is received */
break;
}
done:;
rad_close( h );
ldap_pvt_thread_mutex_unlock( &libradius_mutex );
return rc;
}