/*
* Process and reply to an authentication request
*
* The return value of this function isn't actually used right now, so
* it's not entirely clear if it is returning the right things. --Pac.
*/
int rad_authenticate(REQUEST *request)
{
VALUE_PAIR *namepair;
#ifdef WITH_SESSION_MGMT
VALUE_PAIR *check_item;
#endif
VALUE_PAIR *auth_item = NULL;
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
int result;
const char *password;
char autz_retry = 0;
int autz_type = 0;
password = "";
#ifdef WITH_PROXY
/*
* If this request got proxied to another server, we need
* to check whether it authenticated the request or not.
*/
if (request->proxy_reply) {
switch (request->proxy_reply->code) {
/*
* Reply of ACCEPT means accept, thus set Auth-Type
* accordingly.
*/
case PW_AUTHENTICATION_ACK:
tmp = radius_paircreate(request,
&request->config_items,
PW_AUTH_TYPE, PW_TYPE_INTEGER);
if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
#ifdef WITH_POST_PROXY_AUTHORIZE
if (mainconfig.post_proxy_authorize) break;
#endif
goto authenticate;
/*
* Challenges are punted back to the NAS without any
* further processing.
*/
case PW_ACCESS_CHALLENGE:
request->reply->code = PW_ACCESS_CHALLENGE;
return RLM_MODULE_OK;
/*
* ALL other replies mean reject. (this is fail-safe)
*
* Do NOT do any authorization or authentication. They
* are being rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
case PW_AUTHENTICATION_REJECT:
rad_authlog("Login incorrect (Home Server says so)",
request, 0);
request->reply->code = PW_AUTHENTICATION_REJECT;
return RLM_MODULE_REJECT;
default:
rad_authlog("Login incorrect (Home Server failed to respond)",
request, 0);
return RLM_MODULE_REJECT;
}
}
#endif
/*
* Get the username from the request.
*
* Note that namepair MAY be NULL, in which case there
* is no User-Name attribute in the request.
*/
namepair = request->username;
/*
* Look for, and cache, passwords.
*/
if (!request->password) {
request->password = pairfind(request->packet->vps,
PW_USER_PASSWORD);
}
/*
* Discover which password we want to use.
*/
auth_item = request->password;
if (auth_item) {
password = (const char *)auth_item->vp_strvalue;
} else {
/*
* Maybe there's a CHAP-Password?
*/
if ((auth_item = pairfind(request->packet->vps,
PW_CHAP_PASSWORD)) != NULL) {
password = "******";
} else {
/*
* No password we recognize.
*/
password = "******";
}
}
request->password = auth_item;
/*
* Get the user's authorization information from the database
*/
autz_redo:
result = module_authorize(autz_type, request);
switch (result) {
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_OK:
case RLM_MODULE_UPDATED:
break;
case RLM_MODULE_HANDLED:
return result;
case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
if ((module_msg = pairfind(request->packet->vps,
PW_MODULE_FAILURE_MESSAGE)) != NULL) {
char msg[MAX_STRING_LEN + 16];
snprintf(msg, sizeof(msg), "Invalid user (%s)",
module_msg->vp_strvalue);
rad_authlog(msg,request,0);
} else {
rad_authlog("Invalid user", request, 0);
}
request->reply->code = PW_AUTHENTICATION_REJECT;
return result;
}
if (!autz_retry) {
tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
if (tmp) {
autz_type = tmp->vp_integer;
RDEBUG2("Using Autz-Type %s",
dict_valnamebyattr(PW_AUTZ_TYPE, autz_type));
autz_retry = 1;
goto autz_redo;
}
}
/*
* If we haven't already proxied the packet, then check
* to see if we should. Maybe one of the authorize
* modules has decided that a proxy should be used. If
* so, get out of here and send the packet.
*/
if (
#ifdef WITH_PROXY
(request->proxy == NULL) &&
#endif
((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
REALM *realm;
realm = realm_find2(tmp->vp_strvalue);
/*
* Don't authenticate, as the request is going to
* be proxied.
*/
if (realm && realm->auth_pool) {
return RLM_MODULE_OK;
}
/*
* Catch users who set Proxy-To-Realm to a LOCAL
* realm (sigh). But don't complain if it is
* *the* LOCAL realm.
*/
if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
}
if (!realm) {
RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
}
}
#ifdef WITH_PROXY
authenticate:
#endif
/*
* Perhaps there is a Stripped-User-Name now.
*/
namepair = request->username;
/*
* Validate the user
*/
do {
result = rad_check_password(request);
if (result > 0) {
/* don't reply! */
return RLM_MODULE_HANDLED;
}
} while(0);
/*
* Failed to validate the user.
*
* We PRESUME that the code which failed will clean up
* request->reply->vps, to be ONLY the reply items it
* wants to send back.
*/
if (result < 0) {
RDEBUG2("Failed to authenticate the user.");
request->reply->code = PW_AUTHENTICATION_REJECT;
if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
char msg[MAX_STRING_LEN+19];
snprintf(msg, sizeof(msg), "Login incorrect (%s)",
module_msg->vp_strvalue);
rad_authlog(msg, request, 0);
} else {
rad_authlog("Login incorrect", request, 0);
}
/* double check: maybe the secret is wrong? */
if ((debug_flag > 1) && (auth_item != NULL) &&
(auth_item->attribute == PW_USER_PASSWORD)) {
uint8_t *p;
p = (uint8_t *) auth_item->vp_strvalue;
while (*p) {
int size;
size = fr_utf8_char(p);
if (!size) {
log_debug(" WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!");
break;
}
p += size;
}
}
}
#ifdef WITH_SESSION_MGMT
if (result >= 0 &&
(check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
int r, session_type = 0;
char logstr[1024];
char umsg[MAX_STRING_LEN + 1];
const char *user_msg = NULL;
tmp = pairfind(request->config_items, PW_SESSION_TYPE);
if (tmp) {
session_type = tmp->vp_integer;
RDEBUG2("Using Session-Type %s",
dict_valnamebyattr(PW_SESSION_TYPE, session_type));
}
/*
* User authenticated O.K. Now we have to check
* for the Simultaneous-Use parameter.
*/
if (namepair &&
(r = module_checksimul(session_type, request, check_item->vp_integer)) != 0) {
char mpp_ok = 0;
if (r == 2){
/* Multilink attempt. Check if port-limit > simultaneous-use */
VALUE_PAIR *port_limit;
if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL &&
port_limit->vp_integer > check_item->vp_integer){
RDEBUG2("MPP is OK");
mpp_ok = 1;
}
}
if (!mpp_ok){
if (check_item->vp_integer > 1) {
snprintf(umsg, sizeof(umsg),
"\r\nYou are already logged in %d times - access denied\r\n\n",
(int)check_item->vp_integer);
user_msg = umsg;
} else {
user_msg = "\r\nYou are already logged in - access denied\r\n\n";
}
request->reply->code = PW_AUTHENTICATION_REJECT;
/*
* They're trying to log in too many times.
* Remove ALL reply attributes.
*/
pairfree(&request->reply->vps);
radius_pairmake(request, &request->reply->vps,
"Reply-Message",
user_msg, T_OP_SET);
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->vp_integer,
r == 2 ? "[MPP attempt]" : "");
rad_authlog(logstr, request, 1);
result = -1;
}
}
}
#endif
/*
* Result should be >= 0 here - if not, it means the user
* is rejected, so we just process post-auth and return.
*/
if (result < 0) {
return RLM_MODULE_REJECT;
}
/*
* Add the port number to the Framed-IP-Address if
* vp->addport is set.
*/
if (((tmp = pairfind(request->reply->vps,
PW_FRAMED_IP_ADDRESS)) != NULL) &&
(tmp->flags.addport != 0)) {
VALUE_PAIR *vpPortId;
/*
* Find the NAS port ID.
*/
if ((vpPortId = pairfind(request->packet->vps,
PW_NAS_PORT)) != NULL) {
unsigned long tvalue = ntohl(tmp->vp_integer);
tmp->vp_integer = htonl(tvalue + vpPortId->vp_integer);
tmp->flags.addport = 0;
ip_ntoa(tmp->vp_strvalue, tmp->vp_integer);
} else {
RDEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
}
}
/*
* Set the reply to Access-Accept, if it hasn't already
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
request->reply->code = PW_AUTHENTICATION_ACK;
if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){
char msg[MAX_STRING_LEN+12];
snprintf(msg, sizeof(msg), "Login OK (%s)",
module_msg->vp_strvalue);
rad_authlog(msg, request, 1);
} else {
rad_authlog("Login OK", request, 1);
}
/*
* Run the modules in the 'post-auth' section.
*/
result = rad_postauth(request);
return result;
}
/*
* Process and reply to an authentication request
*
* The return value of this function isn't actually used right now, so
* it's not entirely clear if it is returning the right things. --Pac.
*/
int rad_authenticate(REQUEST *request)
{
VALUE_PAIR *namepair;
VALUE_PAIR *check_item;
VALUE_PAIR *auth_item;
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
int result, r;
char umsg[MAX_STRING_LEN + 1];
const char *user_msg = NULL;
const char *password;
char logstr[1024];
char autz_retry = 0;
int autz_type = 0;
password = "";
/*
* If this request got proxied to another server,
* AND it was an authentication request, then we need
* to add an initial Auth-Type: Auth-Accept for success,
* Auth-Reject for fail. We also need to add the reply
* pairs from the server to the initial reply.
*
* Huh? If the request wasn't an authentication request,
* WTF are we doing here?
*/
if ((request->proxy_reply) &&
(request->packet->code == PW_AUTHENTICATION_REQUEST)) {
tmp = paircreate(PW_AUTH_TYPE, PW_TYPE_INTEGER);
if (tmp == NULL) {
radlog(L_ERR|L_CONS, "no memory");
exit(1);
}
/*
* Challenges are punted back to the NAS
* without any further processing.
*/
if (request->proxy_reply->code == PW_ACCESS_CHALLENGE) {
request->reply->code = PW_ACCESS_CHALLENGE;
return RLM_MODULE_HANDLED;
}
/*
* Reply of ACCEPT means accept, ALL other
* replies mean reject. This is fail-safe.
*/
if (request->proxy_reply->code == PW_AUTHENTICATION_ACK)
tmp->lvalue = PW_AUTHTYPE_ACCEPT;
else
tmp->lvalue = PW_AUTHTYPE_REJECT;
pairadd(&request->config_items, tmp);
/*
* If it's an Access-Reject, then do NOT do any
* authorization or authentication. They're being
* rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
if ((request->proxy_reply->code != PW_AUTHENTICATION_ACK) &&
(request->proxy_reply->code != PW_ACCESS_CHALLENGE)) {
rad_authlog("Login incorrect (Home Server says so)", request, 0);
request->reply->code = PW_AUTHENTICATION_REJECT;
rad_postauth_reject(request);
return RLM_MODULE_REJECT;
}
}
/*
* Get the username from the request.
*
* Note that namepair MAY be NULL, in which case there
* is no User-Name attribute in the request.
*/
namepair = request->username;
/*
* Look for, and cache, passwords.
*/
if (!request->password) {
request->password = pairfind(request->packet->vps,
PW_PASSWORD);
}
/*
* Discover which password we want to use.
*/
auth_item = request->password;
if (auth_item) {
password = (const char *)auth_item->strvalue;
} else {
/*
* Maybe there's a CHAP-Password?
*/
if ((auth_item = pairfind(request->packet->vps,
PW_CHAP_PASSWORD)) != NULL) {
password = "******";
} else {
/*
* No password we recognize.
*/
password = "******";
}
}
request->password = auth_item;
/*
* Get the user's authorization information from the database
*/
autz_redo:
r = module_authorize(autz_type, request);
if (r != RLM_MODULE_NOTFOUND &&
r != RLM_MODULE_NOOP &&
r != RLM_MODULE_OK &&
r != RLM_MODULE_UPDATED) {
if (r != RLM_MODULE_FAIL && r != RLM_MODULE_HANDLED) {
if ((module_msg = pairfind(request->packet->vps,
PW_MODULE_FAILURE_MESSAGE)) != NULL){
char msg[MAX_STRING_LEN+16];
snprintf(msg, sizeof(msg), "Invalid user (%s)",
module_msg->strvalue);
rad_authlog(msg,request,0);
} else {
rad_authlog("Invalid user", request, 0);
}
request->reply->code = PW_AUTHENTICATION_REJECT;
}
return r;
}
if (!autz_retry){
VALUE_PAIR *autz_type_item = NULL;
autz_type_item = pairfind(request->config_items, PW_AUTZ_TYPE);
if (autz_type_item){
autz_type = autz_type_item->lvalue;
autz_retry = 1;
goto autz_redo;
}
}
/*
* If we haven't already proxied the packet, then check
* to see if we should. Maybe one of the authorize
* modules has decided that a proxy should be used. If
* so, get out of here and send the packet.
*/
if ((request->proxy == NULL) &&
((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
REALM *realm;
/*
* Catch users who set Proxy-To-Realm to a LOCAL
* realm (sigh).
*/
realm = realm_find(tmp->strvalue, 0);
rad_assert((realm == NULL) || (realm->ipaddr.af == AF_INET));
if (realm && (realm->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_NONE))) {
DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling invalid proxy request.", realm->realm);
} else {
/*
* Don't authenticate, as the request is
* proxied.
*/
return RLM_MODULE_OK;
}
}
/*
* Perhaps there is a Stripped-User-Name now.
*/
namepair = request->username;
/*
* Validate the user
*/
do {
result = rad_check_password(request);
if (result > 0) {
/* don't reply! */
return RLM_MODULE_HANDLED;
}
} while(0);
/*
* Failed to validate the user.
*
* We PRESUME that the code which failed will clean up
* request->reply->vps, to be ONLY the reply items it
* wants to send back.
*/
if (result < 0) {
DEBUG2("auth: Failed to validate the user.");
request->reply->code = PW_AUTHENTICATION_REJECT;
if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
char msg[MAX_STRING_LEN+19];
snprintf(msg, sizeof(msg), "Login incorrect (%s)",
module_msg->strvalue);
rad_authlog(msg, request, 0);
} else {
rad_authlog("Login incorrect", request, 0);
}
/* double check: maybe the secret is wrong? */
if ((debug_flag > 1) && (auth_item != NULL) &&
(auth_item->attribute == PW_PASSWORD)) {
u_char *p;
p = auth_item->strvalue;
while (*p != '\0') {
if (!isprint((int) *p)) {
log_debug(" WARNING: Unprintable characters in the password.\n\t Double-check the shared secret on the server and the NAS!");
break;
}
p++;
}
}
}
if (result >= 0 &&
(check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
VALUE_PAIR *session_type;
int sess_type = 0;
session_type = pairfind(request->config_items, PW_SESSION_TYPE);
if (session_type)
sess_type = session_type->lvalue;
/*
* User authenticated O.K. Now we have to check
* for the Simultaneous-Use parameter.
*/
if (namepair &&
(r = module_checksimul(sess_type,request, check_item->lvalue)) != 0) {
char mpp_ok = 0;
if (r == 2){
/* Multilink attempt. Check if port-limit > simultaneous-use */
VALUE_PAIR *port_limit;
if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL &&
port_limit->lvalue > check_item->lvalue){
DEBUG2("main auth: MPP is OK");
mpp_ok = 1;
}
}
if (!mpp_ok){
if (check_item->lvalue > 1) {
snprintf(umsg, sizeof(umsg),
"\r\nYou are already logged in %d times - access denied\r\n\n",
(int)check_item->lvalue);
user_msg = umsg;
} else {
user_msg = "\r\nYou are already logged in - access denied\r\n\n";
}
request->reply->code = PW_AUTHENTICATION_REJECT;
/*
* They're trying to log in too many times.
* Remove ALL reply attributes.
*/
pairfree(&request->reply->vps);
tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
request->reply->vps = tmp;
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->lvalue,
r == 2 ? "[MPP attempt]" : "");
rad_authlog(logstr, request, 1);
result = -1;
}
}
}
/*
* Result should be >= 0 here - if not, it means the user
* is rejected, so we just process post-auth and return.
*/
if (result < 0) {
rad_postauth_reject(request);
return RLM_MODULE_REJECT;
}
/*
* We might need this later. The 'password' string
* is NOT used anywhere below here, except for logging,
* so it should be safe...
*/
if ((auth_item != NULL) && (auth_item->attribute == PW_CHAP_PASSWORD)) {
password = "******";
}
/*
* Add the port number to the Framed-IP-Address if
* vp->addport is set.
*/
if (((tmp = pairfind(request->reply->vps,
PW_FRAMED_IP_ADDRESS)) != NULL) &&
(tmp->flags.addport != 0)) {
VALUE_PAIR *vpPortId;
/*
* Find the NAS port ID.
*/
if ((vpPortId = pairfind(request->packet->vps,
PW_NAS_PORT)) != NULL) {
unsigned long tvalue = ntohl(tmp->lvalue);
tmp->lvalue = htonl(tvalue + vpPortId->lvalue);
tmp->flags.addport = 0;
ip_ntoa(tmp->strvalue, tmp->lvalue);
} else {
DEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
}
}
/*
* Set the reply to Access-Accept, if it hasn't already
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
request->reply->code = PW_AUTHENTICATION_ACK;
if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){
char msg[MAX_STRING_LEN+12];
snprintf(msg, sizeof(msg), "Login OK (%s)",
module_msg->strvalue);
rad_authlog(msg, request, 1);
} else {
rad_authlog("Login OK", request, 1);
}
/*
* Run the modules in the 'post-auth' section.
*/
result = rad_postauth(request);
return result;
}
