All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
auth.c
Go to the documentation of this file.
1 /*
2  * auth.c User authentication.
3  *
4  * Version: $Id: 5038d7d9eeb105b4e0dcb2bf579191332178eb6b $
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2000,2006 The FreeRADIUS server project
21  * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22  * Copyright 2000 Jeff Carneal <jeff@apex.net>
23  */
24 RCSID("$Id: 5038d7d9eeb105b4e0dcb2bf579191332178eb6b $")
25 
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/state.h>
29 #include <freeradius-devel/rad_assert.h>
30 
31 #include <ctype.h>
32 
33 /*
34  * Return a short string showing the terminal server, port
35  * and calling station ID.
36  */
37 char *auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli)
38 {
39  VALUE_PAIR *cli;
40  VALUE_PAIR *pair;
41  uint32_t port = 0; /* RFC 2865 NAS-Port is 4 bytes */
42  char const *tls = "";
43 
44  if ((cli = fr_pair_find_by_num(request->packet->vps, 0, PW_CALLING_STATION_ID, TAG_ANY)) == NULL) {
45  do_cli = false;
46  }
47 
48  if ((pair = fr_pair_find_by_num(request->packet->vps, 0, PW_NAS_PORT, TAG_ANY)) != NULL) {
49  port = pair->vp_integer;
50  }
51 
52  if (request->packet->dst_port == 0) {
53  if (fr_pair_find_by_num(request->packet->vps, 0, PW_FREERADIUS_PROXIED_TO, TAG_ANY)) {
54  tls = " via TLS tunnel";
55  } else {
56  tls = " via proxy to virtual server";
57  }
58  }
59 
60  snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
61  request->client->shortname, port,
62  (do_cli ? " cli " : ""), (do_cli ? cli->vp_strvalue : ""),
63  tls);
64 
65  return buf;
66 }
67 
68 
69 
70 /*
71  * Make sure user/pass are clean
72  * and then log them
73  */
74 static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
75 {
76  int logit;
77  char const *extra_msg = NULL;
78  char clean_password[1024];
79  char clean_username[1024];
80  char buf[1024];
81  char extra[1024];
82  char *p;
83  VALUE_PAIR *username = NULL;
84 
85  if (!request->root->log_auth) {
86  return 0;
87  }
88 
89  /*
90  * Get the correct username based on the configured value
91  */
92  if (!log_stripped_names) {
93  username = fr_pair_find_by_num(request->packet->vps, 0, PW_USER_NAME, TAG_ANY);
94  } else {
95  username = request->username;
96  }
97 
98  /*
99  * Clean up the username
100  */
101  if (username == NULL) {
102  strcpy(clean_username, "<no User-Name attribute>");
103  } else {
104  fr_snprint(clean_username, sizeof(clean_username), username->vp_strvalue, username->vp_length, '\0');
105  }
106 
107  /*
108  * Clean up the password
109  */
110  if (request->root->log_auth_badpass || request->root->log_auth_goodpass) {
111  if (!request->password) {
112  VALUE_PAIR *auth_type;
113 
114  auth_type = fr_pair_find_by_num(request->config, 0, PW_AUTH_TYPE, TAG_ANY);
115  if (auth_type) {
116  snprintf(clean_password, sizeof(clean_password),
117  "<via Auth-Type = %s>",
118  fr_dict_enum_name_by_da(NULL, auth_type->da, auth_type->vp_integer));
119  } else {
120  strcpy(clean_password, "<no User-Password attribute>");
121  }
122  } else if (fr_pair_find_by_num(request->packet->vps, 0, PW_CHAP_PASSWORD, TAG_ANY)) {
123  strcpy(clean_password, "<CHAP-Password>");
124  } else {
125  fr_snprint(clean_password, sizeof(clean_password),
126  request->password->vp_strvalue, request->password->vp_length, '\0');
127  }
128  }
129 
130  if (goodpass) {
131  logit = request->root->log_auth_goodpass;
132  extra_msg = request->root->auth_goodpass_msg;
133  } else {
134  logit = request->root->log_auth_badpass;
135  extra_msg = request->root->auth_badpass_msg;
136  }
137 
138  if (extra_msg) {
139  extra[0] = ' ';
140  p = extra + 1;
141  if (radius_xlat(p, sizeof(extra) - 1, request, extra_msg, NULL, NULL) < 0) {
142  return -1;
143  }
144  } else {
145  *extra = '\0';
146  }
147 
148  RAUTH("%s: [%s%s%s] (%s)%s",
149  msg,
150  clean_username,
151  logit ? "/" : "",
152  logit ? clean_password : "",
153  auth_name(buf, sizeof(buf), request, 1),
154  extra);
155 
156  return 0;
157 }
158 
159 /*
160  * Check password.
161  *
162  * Returns: 0 OK
163  * -1 Password fail
164  * -2 Rejected (Auth-Type = Reject, send Port-Message back)
165  * 1 End check & return, don't reply
166  *
167  * NOTE: NOT the same as the RLM_ values !
168  */
169 static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
170 {
171  vp_cursor_t cursor;
172  VALUE_PAIR *auth_type_pair;
173  int auth_type = -1;
174  int result;
175  int auth_type_count = 0;
176 
177  /*
178  * Look for matching check items. We skip the whole lot
179  * if the authentication type is PW_AUTH_TYPE_ACCEPT or
180  * PW_AUTH_TYPE_REJECT.
181  */
182  fr_cursor_init(&cursor, &request->config);
183  while ((auth_type_pair = fr_cursor_next_by_num(&cursor, 0, PW_AUTH_TYPE, TAG_ANY))) {
184  auth_type = auth_type_pair->vp_integer;
185  auth_type_count++;
186 
187  RDEBUG2("Found Auth-Type = %s", fr_dict_enum_name_by_da(NULL, auth_type_pair->da, auth_type));
188  if (auth_type == PW_AUTH_TYPE_REJECT) {
189  RDEBUG2("Auth-Type = Reject, rejecting user");
190 
191  return -2;
192  }
193  }
194 
195  /*
196  * Warn if more than one Auth-Type was found, because only the last
197  * one found will actually be used.
198  */
199  if ((auth_type_count > 1) && (rad_debug_lvl)) {
200  RERROR("Warning: Found %d auth-types on request for user '%s'",
201  auth_type_count, request->username->vp_strvalue);
202  }
203 
204  /*
205  * This means we have a proxy reply or an accept and it wasn't
206  * rejected in the above loop. So that means it is accepted and we
207  * do no further authentication.
208  */
209  if ((auth_type == PW_AUTH_TYPE_ACCEPT)
210 #ifdef WITH_PROXY
211  || (request->proxy)
212 #endif
213  ) {
214  RDEBUG2("Auth-Type = Accept, accepting the user");
215  return 0;
216  }
217 
218  /*
219  * Check that Auth-Type has been set, and reject if not.
220  *
221  * Do quick checks to see if Cleartext-Password or Crypt-Password have
222  * been set, and complain if so.
223  */
224  if (auth_type < 0) {
225  if (fr_pair_find_by_num(request->config, 0, PW_CRYPT_PASSWORD, TAG_ANY) != NULL) {
226  RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
227  RWDEBUG2("Use the PAP module instead");
228  }
229  else if (fr_pair_find_by_num(request->config, 0, PW_CLEARTEXT_PASSWORD, TAG_ANY) != NULL) {
230  RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
231  RWDEBUG2("Use the PAP or CHAP modules instead");
232  }
233 
234  /*
235  * The admin hasn't told us how to
236  * authenticate the user, so we reject them!
237  *
238  * This is fail-safe.
239  */
240 
241  REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
242  return -2;
243  }
244 
245  /*
246  * See if there is a module that handles
247  * this Auth-Type, and turn the RLM_ return
248  * status into the values as defined at
249  * the top of this function.
250  */
251  result = process_authenticate(auth_type, request);
252  switch (result) {
253  /*
254  * An authentication module FAIL
255  * return code, or any return code that
256  * is not expected from authentication,
257  * is the same as an explicit REJECT!
258  */
259  case RLM_MODULE_FAIL:
260  case RLM_MODULE_INVALID:
261  case RLM_MODULE_NOOP:
262  case RLM_MODULE_NOTFOUND:
263  case RLM_MODULE_REJECT:
264  case RLM_MODULE_UPDATED:
265  case RLM_MODULE_USERLOCK:
266  default:
267  result = -1;
268  break;
269 
270  case RLM_MODULE_OK:
271  result = 0;
272  break;
273 
274  case RLM_MODULE_HANDLED:
275  result = 1;
276  break;
277  }
278 
279  return result;
280 }
281 
282 /*
283  * Post-authentication step processes the response before it is
284  * sent to the NAS. It can receive both Access-Accept and Access-Reject
285  * replies.
286  */
287 int rad_postauth(REQUEST *request)
288 {
289  int result;
290  int postauth_type = 0;
291  VALUE_PAIR *vp;
292 
293  /*
294  * Do post-authentication calls. ignoring the return code.
295  */
296  vp = fr_pair_find_by_num(request->config, 0, PW_POST_AUTH_TYPE, TAG_ANY);
297  if (vp) {
298  postauth_type = vp->vp_integer;
299  RDEBUG2("Using Post-Auth-Type %s",
300  fr_dict_enum_name_by_da(NULL, vp->da, postauth_type));
301  }
302  result = process_post_auth(postauth_type, request);
303  switch (result) {
304  /*
305  * The module failed, or said to reject the user: Do so.
306  */
307  case RLM_MODULE_FAIL:
308  case RLM_MODULE_INVALID:
309  case RLM_MODULE_REJECT:
310  case RLM_MODULE_USERLOCK:
311  default:
312  request->reply->code = PW_CODE_ACCESS_REJECT;
313  fr_state_discard(global_state, request, request->packet);
314  result = RLM_MODULE_REJECT;
315  break;
316  /*
317  * The module handled the request, cancel the reply.
318  */
319  case RLM_MODULE_HANDLED:
320  /* FIXME */
321  break;
322  /*
323  * The module had a number of OK return codes.
324  */
325  case RLM_MODULE_NOOP:
326  case RLM_MODULE_NOTFOUND:
327  case RLM_MODULE_OK:
328  case RLM_MODULE_UPDATED:
329  result = RLM_MODULE_OK;
330 
331  if (request->reply->code == PW_CODE_ACCESS_CHALLENGE) {
332  fr_request_to_state(global_state, request, request->packet, request->reply);
333 
334  } else {
335  fr_state_discard(global_state, request, request->packet);
336  }
337  break;
338  }
339  return result;
340 }
341 
342 /*
343  * Process and reply to an authentication request
344  *
345  * The return value of this function isn't actually used right now, so
346  * it's not entirely clear if it is returning the right things. --Pac.
347  */
349 {
350 #ifdef WITH_SESSION_MGMT
351  VALUE_PAIR *check_item;
352 #endif
353  VALUE_PAIR *module_msg;
354  VALUE_PAIR *tmp = NULL;
355  int result;
356  char autz_retry = 0;
357  int autz_type = 0;
358 
359 #ifdef WITH_PROXY
360  /*
361  * If this request got proxied to another server, we need
362  * to check whether it authenticated the request or not.
363  *
364  * request->proxy gets set only AFTER authorization, so
365  * it's safe to check it here. If it exists, it means
366  * we're doing a second pass through rad_authenticate().
367  */
368  if (request->proxy) {
369  int code = 0;
370 
371  if (request->proxy_reply) code = request->proxy_reply->code;
372 
373  switch (code) {
374  /*
375  * Reply of ACCEPT means accept, thus set Auth-Type
376  * accordingly.
377  */
379  tmp = radius_pair_create(request,
380  &request->config,
381  PW_AUTH_TYPE, 0);
382  if (tmp) tmp->vp_integer = PW_AUTH_TYPE_ACCEPT;
383  goto authenticate;
384 
385  /*
386  * Challenges are punted back to the NAS without any
387  * further processing.
388  */
390  request->reply->code = PW_CODE_ACCESS_CHALLENGE;
391  fr_request_to_state(global_state, request, request->packet, request->reply);
392  return RLM_MODULE_OK;
393 
394  /*
395  * ALL other replies mean reject. (this is fail-safe)
396  *
397  * Do NOT do any authorization or authentication. They
398  * are being rejected, so we minimize the amount of work
399  * done by the server, by rejecting them here.
400  */
402  rad_authlog("Login incorrect (Home Server says so)",
403  request, 0);
404  request->reply->code = PW_CODE_ACCESS_REJECT;
405  fr_state_discard(global_state, request, request->packet);
406  return RLM_MODULE_REJECT;
407 
408  default:
409  rad_authlog("Login incorrect (Home Server failed to respond)",
410  request, 0);
411  fr_state_discard(global_state, request, request->packet);
412  return RLM_MODULE_REJECT;
413  }
414  }
415 #endif
416  /*
417  * Look for, and cache, passwords.
418  */
419  if (!request->password) {
420  request->password = fr_pair_find_by_num(request->packet->vps, 0, PW_USER_PASSWORD, TAG_ANY);
421  }
422  if (!request->password) {
423  request->password = fr_pair_find_by_num(request->packet->vps, 0, PW_CHAP_PASSWORD, TAG_ANY);
424  }
425 
426  /*
427  * Grab the VPS and data associated with the State attribute.
428  */
429  fr_state_to_request(global_state, request, request->packet);
430 
431  /*
432  * Get the user's authorization information from the database
433  */
434 autz_redo:
435  result = process_authorize(autz_type, request);
436  switch (result) {
437  case RLM_MODULE_NOOP:
438  case RLM_MODULE_NOTFOUND:
439  case RLM_MODULE_OK:
440  case RLM_MODULE_UPDATED:
441  break;
442  case RLM_MODULE_HANDLED:
443  return result;
444  case RLM_MODULE_FAIL:
445  case RLM_MODULE_INVALID:
446  case RLM_MODULE_REJECT:
447  case RLM_MODULE_USERLOCK:
448  default:
449  if ((module_msg = fr_pair_find_by_num(request->packet->vps, 0, PW_MODULE_FAILURE_MESSAGE, TAG_ANY)) != NULL) {
450  char msg[MAX_STRING_LEN + 16];
451  snprintf(msg, sizeof(msg), "Invalid user (%s)",
452  module_msg->vp_strvalue);
453  rad_authlog(msg,request,0);
454  } else {
455  rad_authlog("Invalid user", request, 0);
456  }
457  request->reply->code = PW_CODE_ACCESS_REJECT;
458  return result;
459  }
460  if (!autz_retry) {
461  tmp = fr_pair_find_by_num(request->config, 0, PW_AUTZ_TYPE, TAG_ANY);
462  if (tmp) {
463  autz_type = tmp->vp_integer;
464  RDEBUG2("Using Autz-Type %s",
465  fr_dict_enum_name_by_da(NULL, tmp->da, autz_type));
466  autz_retry = 1;
467  goto autz_redo;
468  }
469  }
470 
471  /*
472  * If we haven't already proxied the packet, then check
473  * to see if we should. Maybe one of the authorize
474  * modules has decided that a proxy should be used. If
475  * so, get out of here and send the packet.
476  */
477  if (
478 #ifdef WITH_PROXY
479  (request->proxy == NULL) &&
480 #endif
481  ((tmp = fr_pair_find_by_num(request->config, 0, PW_PROXY_TO_REALM, TAG_ANY)) != NULL)) {
482  REALM *realm;
483 
484  realm = realm_find2(tmp->vp_strvalue);
485 
486  /*
487  * Don't authenticate, as the request is going to
488  * be proxied.
489  */
490  if (realm && realm->auth_pool) {
491  return RLM_MODULE_OK;
492  }
493 
494  /*
495  * Catch users who set Proxy-To-Realm to a LOCAL
496  * realm (sigh). But don't complain if it is
497  * *the* LOCAL realm.
498  */
499  if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
500  RWDEBUG2("You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
501  }
502 
503  if (!realm) {
504  RWDEBUG2("You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
505  }
506  }
507 
508 #ifdef WITH_PROXY
509 authenticate:
510 #endif
511 
512  /*
513  * Validate the user
514  */
515  do {
516  result = rad_check_password(request);
517  if (result > 0) {
518  return RLM_MODULE_HANDLED;
519  }
520 
521  } while(0);
522 
523  /*
524  * Failed to validate the user.
525  *
526  * We PRESUME that the code which failed will clean up
527  * request->reply->vps, to be ONLY the reply items it
528  * wants to send back.
529  */
530  if (result < 0) {
531  RDEBUG2("Failed to authenticate the user");
532  request->reply->code = PW_CODE_ACCESS_REJECT;
533 
534  if ((module_msg = fr_pair_find_by_num(request->packet->vps, 0, PW_MODULE_FAILURE_MESSAGE, TAG_ANY)) != NULL){
535  char msg[MAX_STRING_LEN+19];
536 
537  snprintf(msg, sizeof(msg), "Login incorrect (%s)",
538  module_msg->vp_strvalue);
539  rad_authlog(msg, request, 0);
540  } else {
541  rad_authlog("Login incorrect", request, 0);
542  }
543 
544  if (request->password) {
545  VERIFY_VP(request->password);
546  /* double check: maybe the secret is wrong? */
547  if ((rad_debug_lvl > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
548  uint8_t const *p;
549 
550  p = (uint8_t const *) request->password->vp_strvalue;
551  while (*p) {
552  int size;
553 
554  size = fr_utf8_char(p, -1);
555  if (!size) {
556  RWDEBUG("Unprintable characters in the password. Double-check the "
557  "shared secret on the server and the NAS!");
558  break;
559  }
560  p += size;
561  }
562  }
563  }
564  }
565 
566 #ifdef WITH_SESSION_MGMT
567  if (result >= 0 &&
568  (check_item = fr_pair_find_by_num(request->config, 0, PW_SIMULTANEOUS_USE, TAG_ANY)) != NULL) {
569  int r, session_type = 0;
570  char logstr[1024];
571  char umsg[MAX_STRING_LEN + 1];
572 
573  tmp = fr_pair_find_by_num(request->config, 0, PW_SESSION_TYPE, TAG_ANY);
574  if (tmp) {
575  session_type = tmp->vp_integer;
576  RDEBUG2("Using Session-Type %s",
577  fr_dict_enum_name_by_da(NULL, tmp->da, session_type));
578  }
579 
580  /*
581  * User authenticated O.K. Now we have to check
582  * for the Simultaneous-Use parameter.
583  */
584  if (request->username &&
585  (r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
586  char mpp_ok = 0;
587 
588  if (r == 2){
589  /* Multilink attempt. Check if port-limit > simultaneous-use */
590  VALUE_PAIR *port_limit;
591 
592  if ((port_limit = fr_pair_find_by_num(request->reply->vps, 0, PW_PORT_LIMIT,
593  TAG_ANY)) != NULL &&
594  port_limit->vp_integer > check_item->vp_integer){
595  RDEBUG2("MPP is OK");
596  mpp_ok = 1;
597  }
598  }
599  if (!mpp_ok){
600  if (check_item->vp_integer > 1) {
601  snprintf(umsg, sizeof(umsg), "%s (%u)", main_config.denied_msg,
602  check_item->vp_integer);
603  } else {
604  strlcpy(umsg, main_config.denied_msg, sizeof(umsg));
605  }
606 
607  request->reply->code = PW_CODE_ACCESS_REJECT;
608 
609  /*
610  * They're trying to log in too many times.
611  * Remove ALL reply attributes.
612  */
613  fr_pair_list_free(&request->reply->vps);
614  pair_make_reply("Reply-Message", umsg, T_OP_SET);
615 
616  snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
617  check_item->vp_integer,
618  r == 2 ? "[MPP attempt]" : "");
619  rad_authlog(logstr, request, 1);
620 
621  result = -1;
622  }
623  }
624  }
625 #endif
626 
627  /*
628  * Result should be >= 0 here - if not, it means the user
629  * is rejected, so we just process post-auth and return.
630  */
631  if (result < 0) {
632  return RLM_MODULE_REJECT;
633  }
634 
635  /*
636  * Set the reply to Access-Accept, if it hasn't already
637  * been set to something. (i.e. Access-Challenge)
638  */
639  if (request->reply->code == 0)
640  request->reply->code = PW_CODE_ACCESS_ACCEPT;
641 
642  if ((module_msg = fr_pair_find_by_num(request->packet->vps, 0, PW_MODULE_SUCCESS_MESSAGE, TAG_ANY)) != NULL){
643  char msg[MAX_STRING_LEN+12];
644 
645  snprintf(msg, sizeof(msg), "Login OK (%s)",
646  module_msg->vp_strvalue);
647  rad_authlog(msg, request, 1);
648  } else {
649  rad_authlog("Login OK", request, 1);
650  }
651 
652  return result;
653 }
654 
655 /*
656  * Run a virtual server auth and postauth
657  *
658  */
660 {
661  VALUE_PAIR *vp;
662  int result;
663 
664  RDEBUG("Virtual server %s received request", request->server);
665  rdebug_pair_list(L_DBG_LVL_1, request, request->packet->vps, NULL);
666 
667  RDEBUG("server %s {", request->server);
668  RINDENT();
669 
670  /*
671  * We currently only handle AUTH packets here.
672  * This could be expanded to handle other packets as well if required.
673  */
675 
676  result = rad_authenticate(request);
677 
678  if (request->reply->code == PW_CODE_ACCESS_REJECT) {
679  fr_pair_delete_by_num(&request->config, 0, PW_POST_AUTH_TYPE, TAG_ANY);
680  vp = pair_make_config("Post-Auth-Type", "Reject", T_OP_SET);
681  if (vp) rad_postauth(request);
682  }
683 
684  if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
685  rad_postauth(request);
686  }
687 
688  REXDENT();
689  RDEBUG("} # server %s", request->server);
690 
691  RDEBUG("Virtual server sending reply");
692  rdebug_pair_list(L_DBG_LVL_1, request, request->reply->vps, NULL);
693 
694  return result;
695 }
void fr_pair_list_free(VALUE_PAIR **)
Free memory used by a valuepair list.
Definition: pair.c:544
REALM * realm_find2(char const *name)
Definition: realms.c:2201
VALUE_PAIR * config
VALUE_PAIR (s) used to set per request parameters for modules and the server core at runtime...
Definition: radiusd.h:227
#define RINDENT()
Indent R* messages by one level.
Definition: log.h:265
#define RERROR(fmt,...)
Definition: log.h:207
rlm_rcode_t process_authorize(int type, REQUEST *request)
Definition: modules.c:2098
RFC2865 - Access-Challenge.
Definition: radius.h:102
Main server configuration.
Definition: radiusd.h:108
RADIUS_PACKET * proxy_reply
Incoming response from proxy server.
Definition: radiusd.h:238
The module is OK, continue.
Definition: radiusd.h:91
VALUE_PAIR * fr_cursor_next_by_num(vp_cursor_t *cursor, unsigned int vendor, unsigned int attr, int8_t tag)
Iterate over a collection of VALUE_PAIRs of a given type in the pairlist.
Definition: cursor.c:200
char const * auth_badpass_msg
Additional text to append to successful auth messages.
Definition: radiusd.h:115
rlm_rcode_t process_post_auth(int type, REQUEST *request)
Definition: modules.c:2178
VALUE_PAIR * radius_pair_create(TALLOC_CTX *ctx, VALUE_PAIR **vps, unsigned int attribute, unsigned int vendor)
Create a VALUE_PAIR and add it to a list of VALUE_PAIR s.
Definition: pair.c:704
VALUE_PAIR * username
Cached username VALUE_PAIR from request RADIUS_PACKET.
Definition: radiusd.h:222
#define VERIFY_VP(_x)
Definition: pair.h:44
#define REDEBUG2(fmt,...)
Definition: log.h:255
VALUE_PAIR * vps
Result of decoding the packet into VALUE_PAIRs.
Definition: libradius.h:162
VALUE_PAIR * fr_cursor_init(vp_cursor_t *cursor, VALUE_PAIR *const *node)
Setup a cursor to iterate over attribute pairs.
Definition: cursor.c:60
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition: snprintf.c:686
home_pool_t * auth_pool
Definition: realms.h:183
Definition: realms.h:178
char const * fr_dict_enum_name_by_da(fr_dict_t *dict, fr_dict_attr_t const *da, int value)
Lookup the name of an enum value in a fr_dict_attr_t.
Definition: dict.c:3688
VALUE_PAIR * password
Cached password VALUE_PAIR from request RADIUS_PACKET.
Definition: radiusd.h:223
The module considers the request invalid.
Definition: radiusd.h:93
uint16_t dst_port
DST Port of packet.
Definition: libradius.h:152
void fr_state_to_request(fr_state_tree_t *state, REQUEST *request, RADIUS_PACKET *packet)
Copy a pointer to the head of the list of state VALUE_PAIRs (and their ctx) into the request...
Definition: state.c:523
Abstraction to allow iterating over different configurations of VALUE_PAIRs.
Definition: pair.h:144
bool log_stripped_names
Definition: radiusd.c:61
size_t fr_snprint(char *out, size_t outlen, char const *in, ssize_t inlen, char quote)
Escape any non printable or non-UTF8 characters in the input string.
Definition: print.c:179
char * auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli)
Definition: auth.c:37
RADIUS_PACKET * proxy
Outgoing request to proxy server.
Definition: radiusd.h:237
RFC2865 - Access-Reject.
Definition: radius.h:94
main_config_t * root
Pointer to the main config hack to try and deal with hup.
Definition: radiusd.h:267
#define rad_assert(expr)
Definition: rad_assert.h:38
Reject the request (user is locked out).
Definition: radiusd.h:94
RFC2865 - Access-Request.
Definition: radius.h:92
static int CC_HINT(nonnull)
Definition: auth.c:169
void fr_state_discard(fr_state_tree_t *state, REQUEST *request, RADIUS_PACKET *original)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition: state.c:487
Highest priority debug messages (-x).
Definition: log.h:51
rlm_rcode_t process_authenticate(int type, REQUEST *request)
Definition: modules.c:2106
#define pair_make_config(_a, _b, _c)
Definition: radiusd.h:547
unsigned int attr
Attribute number.
Definition: dict.h:79
Immediately reject the request.
Definition: radiusd.h:89
unsigned int code
Packet code (type).
Definition: libradius.h:155
RFC2865 - Access-Accept.
Definition: radius.h:93
int rad_authenticate(REQUEST *request)
Definition: auth.c:348
Stores an attribute, a value and various bits of other data.
Definition: pair.h:112
int rad_postauth(REQUEST *request)
Definition: auth.c:287
bool log_auth_goodpass
Log failed authentications.
Definition: radiusd.h:114
RADIUS_PACKET * reply
Outgoing response.
Definition: radiusd.h:225
int rad_virtual_server(REQUEST *request)
Definition: auth.c:659
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition: log.h:272
bool log_auth
Log authentication attempts.
Definition: radiusd.h:112
Definition: token.h:45
ssize_t radius_xlat(char *out, size_t outlen, REQUEST *request, char const *fmt, xlat_escape_t escape, void *escape_ctx) CC_HINT(nonnull(1
#define RWDEBUG2(fmt,...)
Definition: log.h:252
void rdebug_pair_list(log_lvl_t level, REQUEST *, VALUE_PAIR *, char const *)
Print a list of VALUE_PAIRs.
Definition: pair.c:757
void fr_pair_delete_by_num(VALUE_PAIR **head, unsigned int vendor, unsigned int attr, int8_t tag)
Delete matching pairs.
Definition: pair.c:797
Module succeeded without doing anything.
Definition: radiusd.h:96
#define RDEBUG2(fmt,...)
Definition: log.h:244
Module failed, don't reply.
Definition: radiusd.h:90
#define TAG_ANY
Definition: pair.h:191
log_lvl_t rad_debug_lvl
Global debugging level.
Definition: log.c:49
bool fr_request_to_state(fr_state_tree_t *state, REQUEST *request, RADIUS_PACKET *original, RADIUS_PACKET *packet)
Transfer ownership of the state VALUE_PAIRs and ctx, back to a state entry.
Definition: state.c:579
char const * name
Definition: realms.h:179
int process_checksimul(int type, REQUEST *request, int maxsimul)
Definition: modules.c:2135
#define pair_make_reply(_a, _b, _c)
Definition: radiusd.h:546
RADIUS_PACKET * packet
Incoming request.
Definition: radiusd.h:221
#define RAUTH(fmt,...)
Definition: log.h:202
VALUE_PAIR * fr_pair_find_by_num(VALUE_PAIR *head, unsigned int vendor, unsigned int attr, int8_t tag)
Find the pair with the matching attribute.
Definition: pair.c:639
bool log_auth_badpass
Log successful authentications.
Definition: radiusd.h:113
size_t strlcpy(char *dst, char const *src, size_t siz)
Definition: strlcpy.c:38
fr_dict_attr_t const * da
Dictionary attribute defines the attribute.
Definition: pair.h:113
int fr_utf8_char(uint8_t const *str, ssize_t inlen)
Checks for utf-8, taken from http://www.w3.org/International/questions/qa-forms-utf-8.
Definition: print.c:34
#define MAX_STRING_LEN
Definition: libradius.h:120
#define RWDEBUG(fmt,...)
Definition: log.h:251
RADCLIENT * client
The client that originally sent us the request.
Definition: radiusd.h:219
User not found.
Definition: radiusd.h:95
#define RCSID(id)
Definition: build.h:135
static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
Definition: auth.c:74
static int r
Definition: rbmonkey.c:66
OK (pairs modified).
Definition: radiusd.h:97
The module handled the request, so stop.
Definition: radiusd.h:92
char const * auth_goodpass_msg
Additional text to append to failed auth messages.
Definition: radiusd.h:116
#define RDEBUG(fmt,...)
Definition: log.h:243
fr_state_tree_t * global_state
Definition: state.c:87
char const * server
Definition: radiusd.h:289
char const * shortname
Client nickname.
Definition: clients.h:41
char const * denied_msg
Additional text to append if the user is already logged in (simultaneous use check failed)...
Definition: radiusd.h:118