26 RCSID(
"$Id: fafb415870354adf0fc1219f38ca2f4228b6897e $")
29 #include <freeradius-devel/server/base.h>
30 #include <freeradius-devel/server/module_rlm.h>
31 #include <freeradius-devel/server/password.h>
32 #include <freeradius-devel/tls/base.h>
33 #include <freeradius-devel/tls/log.h>
35 #include <freeradius-devel/util/base64.h>
36 #include <freeradius-devel/util/debug.h>
37 #include <freeradius-devel/util/base16.h>
38 #include <freeradius-devel/util/md5.h>
39 #include <freeradius-devel/util/sha1.h>
41 #include <freeradius-devel/unlang/call_env.h>
43 #include <freeradius-devel/protocol/freeradius/freeradius.internal.password.h>
52 #ifdef HAVE_OPENSSL_EVP_H
53 # include <freeradius-devel/tls/openssl_user_macros.h>
54 # include <openssl/evp.h>
92 .inst_type =
"pap_call_env_t",
118 #ifdef HAVE_OPENSSL_EVP_H
120 {
L(
"HMACSHA1"), FR_SSHA1 },
121 {
L(
"HMACSHA2+224"), FR_SSHA2_224 },
122 {
L(
"HMACSHA2+256"), FR_SSHA2_256 },
123 {
L(
"HMACSHA2+384"), FR_SSHA2_384 },
124 {
L(
"HMACSHA2+512"), FR_SSHA2_512 },
125 # if OPENSSL_VERSION_NUMBER >= 0x10101000L
126 {
L(
"HMACSHA3+224"), FR_SSHA3_224 },
127 {
L(
"HMACSHA3+256"), FR_SSHA3_256 },
128 {
L(
"HMACSHA3+384"), FR_SSHA3_384 },
129 {
L(
"HMACSHA3+512"), FR_SSHA3_512 },
132 static size_t pbkdf2_crypt_names_len =
NUM_ELEMENTS(pbkdf2_crypt_names);
135 {
L(
"sha1"), FR_SSHA1 },
136 {
L(
"sha256"), FR_SSHA2_256 },
137 {
L(
"sha512"), FR_SSHA2_512 }
139 static size_t pbkdf2_passlib_names_len =
NUM_ELEMENTS(pbkdf2_passlib_names);
156 RDEBUG3(
"Auth-Type is already set. Not setting 'Auth-Type := %s'", mctx->
inst->
name);
165 if (!
inst->auth_type) {
166 WARN(
"No 'authenticate %s {...}' section or 'Auth-Type = %s' set. Cannot setup PAP authentication.",
184 if ((known_good->vp_length != password->vb_length) ||
185 (
fr_digest_cmp(known_good->vp_octets, password->vb_octets, known_good->vp_length) != 0)) {
186 REDEBUG(
"Cleartext password does not match \"known good\" password");
187 REDEBUG3(
"Password : %pV", password);
188 REDEBUG3(
"Expected : %pV", &known_good->data);
203 struct crypt_data crypt_data = { .initialized = 0 };
205 crypt_out = crypt_r(password->vb_strvalue, known_good->vp_strvalue, &crypt_data);
206 if (crypt_out) cmp = strcmp(known_good->vp_strvalue, crypt_out);
212 crypt_out = crypt(password->vb_strvalue, known_good->vp_strvalue);
219 if (crypt_out) cmp = strcmp(known_good->vp_strvalue, crypt_out);
226 if (!crypt_out || (cmp != 0)) {
227 REDEBUG(
"Crypt digest does not match \"known good\" digest");
242 REDEBUG(
"\"known-good\" MD5 password has incorrect length, expected 16 got %zu", known_good->vp_length);
246 fr_md5_calc(digest, password->vb_octets, password->vb_length);
248 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
249 REDEBUG(
"MD5 digest does not match \"known good\" digest");
250 REDEBUG3(
"Password : %pV", password);
268 REDEBUG(
"\"known-good\" Password.SMD5 has incorrect length, expected 16 got %zu", known_good->vp_length);
273 fr_md5_update(md5_ctx, password->vb_octets, password->vb_length);
282 REDEBUG(
"SMD5 digest does not match \"known good\" digest");
283 REDEBUG3(
"Password : %pV", password);
300 REDEBUG(
"\"known-good\" Password.SHA1 has incorrect length, expected 20 got %zu", known_good->vp_length);
305 fr_sha1_update(&sha1_context, password->vb_octets, password->vb_length);
308 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
309 REDEBUG(
"SHA1 digest does not match \"known good\" digest");
310 REDEBUG3(
"Password : %pV", password);
327 REDEBUG(
"\"known-good\" Password.SSHA has incorrect length, expected > 20 got %zu", known_good->vp_length);
332 fr_sha1_update(&sha1_context, password->vb_octets, password->vb_length);
338 REDEBUG(
"SSHA digest does not match \"known good\" digest");
339 REDEBUG3(
"Password : %pV", password);
350 #ifdef HAVE_OPENSSL_EVP_H
354 char const *
name, EVP_MD
const *md)
357 uint8_t digest[EVP_MAX_MD_SIZE];
358 unsigned int digest_len;
360 ctx = EVP_MD_CTX_create();
361 EVP_DigestInit_ex(ctx, md, NULL);
362 EVP_DigestUpdate(ctx, password->vb_octets, password->vb_length);
363 EVP_DigestFinal_ex(ctx, digest, &digest_len);
364 EVP_MD_CTX_destroy(ctx);
366 fr_assert((
size_t) digest_len == known_good->vp_length);
368 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
369 REDEBUG(
"%s digest does not match \"known good\" digest",
name);
370 REDEBUG3(
"Password : %pV", password);
372 REDEBUG3(
"Expected : %pH", &known_good->data);
382 char const *
name, EVP_MD
const *md)
385 uint8_t digest[EVP_MAX_MD_SIZE];
386 unsigned int digest_len, min_len;
388 min_len = EVP_MD_size(md);
389 ctx = EVP_MD_CTX_create();
390 EVP_DigestInit_ex(ctx, md, NULL);
391 EVP_DigestUpdate(ctx, password->vb_octets, password->vb_length);
392 EVP_DigestUpdate(ctx, known_good->vp_octets + min_len, known_good->vp_length - min_len);
393 EVP_DigestFinal_ex(ctx, digest, &digest_len);
394 EVP_MD_CTX_destroy(ctx);
396 fr_assert((
size_t) digest_len == min_len);
401 if (
fr_digest_cmp(digest, known_good->vp_octets, (
size_t)digest_len) != 0) {
402 REDEBUG(
"%s digest does not match \"known good\" digest",
name);
403 REDEBUG3(
"Password : %pV", password);
405 fr_box_octets(known_good->vp_octets + digest_len, known_good->vp_length - digest_len));
417 #define PAP_AUTH_EVP_MD(_func, _new_func, _name, _md) \
418 static unlang_action_t CC_HINT(nonnull) _new_func(rlm_rcode_t *p_result, \
419 rlm_pap_t const *inst, request_t *request, \
420 fr_pair_t const *known_good, fr_value_box_t const *password) \
422 return _func(p_result, inst, request, known_good, password, _name, _md); \
425 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_224,
"SHA2-224", EVP_sha224())
426 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_256, "SHA2-256", EVP_sha256())
427 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_384, "SHA2-384", EVP_sha384())
428 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_512, "SHA2-512", EVP_sha512())
429 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_224, "SSHA2-224", EVP_sha224())
430 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_256, "SSHA2-256", EVP_sha256())
431 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_384, "SSHA2-384", EVP_sha384())
432 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_512, "SSHA2-512", EVP_sha512())
434 # if OPENSSL_VERSION_NUMBER >= 0x10101000L
435 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_224,
"SHA3-224", EVP_sha3_224())
436 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_256, "SHA3-256", EVP_sha3_256())
437 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_384, "SHA3-384", EVP_sha3_384())
438 PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_512, "SHA3-512", EVP_sha3_512())
439 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_224, "SSHA3-224", EVP_sha3_224())
440 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_256, "SSHA3-256", EVP_sha3_256())
441 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_384, "SSHA3-384", EVP_sha3_384())
442 PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_512, "SSHA3-512", EVP_sha3_512())
465 char scheme_sep,
char iter_sep,
char salt_sep,
473 EVP_MD
const *evp_md;
482 uint8_t digest[EVP_MAX_MD_SIZE];
484 RDEBUG2(
"Comparing with \"known-good\" Password.PBKDF2");
487 REDEBUG(
"Password.PBKDF2 is too short");
497 q = memchr(p, scheme_sep, end - p);
499 REDEBUG(
"Password.PBKDF2 has no component separators");
504 switch (digest_type) {
511 evp_md = EVP_sha224();
512 digest_len = SHA224_DIGEST_LENGTH;
516 evp_md = EVP_sha256();
517 digest_len = SHA256_DIGEST_LENGTH;
521 evp_md = EVP_sha384();
522 digest_len = SHA384_DIGEST_LENGTH;
526 evp_md = EVP_sha512();
527 digest_len = SHA512_DIGEST_LENGTH;
530 # if OPENSSL_VERSION_NUMBER >= 0x10101000L
532 evp_md = EVP_sha3_224();
533 digest_len = SHA224_DIGEST_LENGTH;
537 evp_md = EVP_sha3_256();
538 digest_len = SHA256_DIGEST_LENGTH;
542 evp_md = EVP_sha3_384();
543 digest_len = SHA384_DIGEST_LENGTH;
547 evp_md = EVP_sha3_512();
548 digest_len = SHA512_DIGEST_LENGTH;
553 REDEBUG(
"Unknown PBKDF2 hash method \"%.*s\"", (
int)(q - p), p);
559 if (((end - p) < 1) || !(q = memchr(p, iter_sep, end - p))) {
560 REDEBUG(
"Password.PBKDF2 missing iterations component");
565 REDEBUG(
"Password.PBKDF2 iterations component too short");
572 if (!iter_is_base64) {
573 char iterations_buff[
sizeof(
"4294967295") + 1];
576 strlcpy(iterations_buff, (
char const *)p, (q - p) + 1);
578 iterations = strtoul(iterations_buff, &qq, 10);
580 REMARKER(iterations_buff, qq - iterations_buff,
581 "Password.PBKDF2 iterations field contains an invalid character");
592 &
FR_SBUFF_IN((
char const *)p, (
char const *)q),
false,
false);
594 RPEDEBUG(
"Failed decoding Password.PBKDF2 iterations component (%.*s)", (
int)(q - p), p);
597 if (slen !=
sizeof(iterations)) {
598 REDEBUG(
"Decoded Password.PBKDF2 iterations component is wrong size");
601 iterations = ntohl(iterations);
609 if (iterations == 0) iterations = 1;
611 if (((end - p) < 1) || !(q = memchr(p, salt_sep, end - p))) {
612 REDEBUG(
"Password.PBKDF2 missing salt component");
617 REDEBUG(
"Password.PBKDF2 salt component too short");
623 &
FR_SBUFF_IN((
char const *) p, (
char const *)q),
false,
false);
625 RPEDEBUG(
"Failed decoding Password.PBKDF2 salt component");
633 REDEBUG(
"Password.PBKDF2 hash component too short");
638 &
FR_SBUFF_IN((
char const *)p, (
char const *)end),
false,
false);
640 RPEDEBUG(
"Failed decoding Password.PBKDF2 hash component");
644 if ((
size_t)slen != digest_len) {
645 REDEBUG(
"Password.PBKDF2 hash component length is incorrect for hash type, expected %zu, got %zd",
653 RDEBUG2(
"PBKDF2 %s: Iterations %u, salt length %zu, hash length %zd",
655 iterations, salt_len, slen);
660 if (PKCS5_PBKDF2_HMAC((
char const *)password->vb_octets, (
int)password->vb_length,
661 (
unsigned char const *)salt, (
int)salt_len,
664 (
int)digest_len, (
unsigned char *)digest) == 0) {
665 fr_tls_log(request,
"PBKDF2 digest failure");
670 REDEBUG(
"PBKDF2 digest does not match \"known good\" digest");
690 uint8_t const *p = known_good->vp_octets, *q, *end = p + known_good->vp_length;
693 REDEBUG(
"Password.PBKDF2 too short");
708 q = memchr(p,
'}', end - p);
711 return pap_auth_pbkdf2_parse(p_result, request, p, end - p,
712 pbkdf2_crypt_names, pbkdf2_crypt_names_len,
713 ':',
':',
':',
true, password);
721 if ((
size_t)(end - p) >=
sizeof(
"$PBKDF2$") && (memcmp(p,
"$PBKDF2$",
sizeof(
"$PBKDF2$") - 1) == 0)) {
722 p +=
sizeof(
"$PBKDF2$") - 1;
723 return pap_auth_pbkdf2_parse(p_result, request, p, end - p,
724 pbkdf2_crypt_names, pbkdf2_crypt_names_len,
725 ':',
':',
'$',
false, password);
735 if ((
size_t)(end - p) >=
sizeof(
"$pbkdf2-") && (memcmp(p,
"$pbkdf2-",
sizeof(
"$pbkdf2-") - 1) == 0)) {
736 p +=
sizeof(
"$pbkdf2-") - 1;
737 return pap_auth_pbkdf2_parse(p_result, request, p, end - p,
738 pbkdf2_passlib_names, pbkdf2_passlib_names_len,
739 '$',
'$',
'$',
false, password);
742 REDEBUG(
"Can't determine format of Password.PBKDF2");
756 RDEBUG2(
"Comparing with \"known-good\" Password.NT");
759 REDEBUG(
"\"known good\" Password.NT has incorrect length, expected 16 got %zu", known_good->vp_length);
764 password->vb_strvalue, password->vb_length);
766 REDEBUG(
"User-Password is not in UCS2 format");
772 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
773 REDEBUG(
"NT digest does not match \"known good\" digest");
775 REDEBUG3(
"Expected : %pH", &known_good->data);
791 RDEBUG2(
"Using Password.NT-MTA-MD5");
793 if (known_good->vp_length != 64) {
794 REDEBUG(
"\"known good\" Password.NS-MTA-MD5 has incorrect length, expected 64 got %zu",
795 known_good->vp_length);
803 &
FR_SBUFF_IN(known_good->vp_strvalue, known_good->vp_length),
false) != 16) {
804 REDEBUG(
"\"known good\" Password.NS-MTA-MD5 has invalid value");
813 if (password->vb_length >= (
sizeof(
buff) - 2 - 2 * 32)) {
814 REDEBUG(
"\"known good\" Password.NS-MTA-MD5 is too long");
824 memcpy(p, &known_good->vp_octets[32], 32);
827 memcpy(p, password->vb_strvalue, password->vb_length);
828 p += password->vb_length;
830 memcpy(p, &known_good->vp_octets[32], 32);
837 REDEBUG(
"NS-MTA-MD5 digest does not match \"known good\" digest");
863 [FR_CRYPT] = pap_auth_crypt,
871 #ifdef HAVE_OPENSSL_EVP_H
872 [FR_PBKDF2] = pap_auth_pbkdf2,
874 [FR_SHA2_224] = pap_auth_sha2_224,
875 [FR_SHA2_256] = pap_auth_sha2_256,
876 [FR_SHA2_384] = pap_auth_sha2_384,
877 [FR_SHA2_512] = pap_auth_sha2_512,
878 [FR_SSHA2_224] = pap_auth_ssha2_224,
879 [FR_SSHA2_256] = pap_auth_ssha2_256,
880 [FR_SSHA2_384] = pap_auth_ssha2_384,
881 [FR_SSHA2_512] = pap_auth_ssha2_512,
883 # if OPENSSL_VERSION_NUMBER >= 0x10101000L
885 [FR_SHA3_224] = pap_auth_sha3_224,
886 [FR_SHA3_256] = pap_auth_sha3_256,
887 [FR_SHA3_384] = pap_auth_sha3_384,
888 [FR_SHA3_512] = pap_auth_sha3_512,
889 [FR_SSHA3_224] = pap_auth_ssha3_224,
890 [FR_SSHA3_256] = pap_auth_ssha3_256,
891 [FR_SSHA3_384] = pap_auth_ssha3_384,
892 [FR_SSHA3_512] = pap_auth_ssha3_512,
910 REDEBUG(
"You set 'Auth-Type = PAP' for a request that does not contain a %s attribute!",
918 if (env_data->
password.vb_length == 0) {
919 REDEBUG(
"Password must not be empty");
927 RDEBUG2(
"Login attempt with password");
940 REDEBUG(
"No \"known good\" password found for user");
950 RDEBUG3(
"Comparing with \"known good\" %pP (%zu)", known_good, known_good->vp_length);
952 RDEBUG2(
"Comparing with \"known-good\" %s (%zu)", known_good->
da->name, known_good->vp_length);
958 auth_func(&rcode,
inst, request, known_good, &env_data->
password);
959 if (ephemeral) TALLOC_FREE(known_good);
966 RDEBUG2(
"User authenticated successfully");
981 if (!
inst->auth_type) {
982 WARN(
"Failed to find 'authenticate %s {...}' section. PAP will likely not work",
998 PERROR(
"%s", __FUNCTION__);
1002 PERROR(
"%s", __FUNCTION__);
1028 ERROR(
"Could not resolve password attribute %zu", i);
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
#define fr_base16_decode(_err, _out, _in, _no_trailing)
#define fr_base64_decode(_out, _in, _expect_padding, _no_trailing)
#define FR_BASE64_DEC_LENGTH(_inlen)
#define USES_APPLE_DEPRECATED_API
#define L(_str)
Helper for initialising arrays of string literals.
#define CALL_ENV_TERMINATOR
#define FR_CALL_ENV_PARSE_OFFSET(_name, _cast_type, _flags, _struct, _field, _parse_field)
Specify a call_env_parser_t which writes out runtime results and the result of the parsing phase to t...
size_t inst_size
Size of per call env.
@ CALL_ENV_FLAG_CONCAT
If the tmpl produced multiple boxes they should be concatenated.
@ CALL_ENV_FLAG_ATTRIBUTE
Tmpl must contain an attribute reference.
@ CALL_ENV_FLAG_REQUIRED
Associated conf pair or section is required.
@ CALL_ENV_FLAG_NULLABLE
Tmpl expansions are allowed to produce no output.
#define CONF_PARSER_TERMINATOR
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Defines a CONF_PAIR to C data type mapping.
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
#define fr_dict_autofree(_to_free)
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
fr_dict_enum_value_t * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
#define fr_dict_autoload(_to_load)
fr_dict_attr_t const * fr_dict_attr_child_by_num(fr_dict_attr_t const *parent, unsigned int attr)
Check if a child attribute exists in a parent using an attribute number.
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
Value of an enumerated attribute.
char const *_CONST name
Instance name.
void *_CONST data
Module instance's parsed configuration.
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
#define REDEBUG3(fmt,...)
#define REMARKER(_str, _marker_idx, _marker,...)
Output string with error marker, showing where format error occurred.
#define RPEDEBUG(fmt,...)
#define RHEXDUMP2(_data, _len, _fmt,...)
void fr_md4_calc(uint8_t out[static MD4_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Calculate the MD4 hash of the contents of a buffer.
#define MD4_DIGEST_LENGTH
fr_md5_update_t fr_md5_update
fr_md5_final_t fr_md5_final
void fr_md5_ctx_free_from_list(fr_md5_ctx_t **ctx)
fr_md5_ctx_t * fr_md5_ctx_alloc_from_list(void)
#define MD5_DIGEST_LENGTH
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
void fr_md5_calc(uint8_t out[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Perform a single digest operation on a single input buffer.
ssize_t fr_utf8_to_ucs2(uint8_t *out, size_t outlen, char const *in, size_t inlen)
Convert UTF8 string to UCS2 encoding.
int fr_digest_cmp(uint8_t const *a, uint8_t const *b, size_t length)
Do a comparison of two authentication digests by comparing the FULL data.
void * env_data
Per call environment data.
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Temporary structure to hold arguments for module calls.
Temporary structure to hold arguments for instantiation calls.
Specifies a module method identifier.
bool module_rlm_section_type_set(request_t *request, fr_dict_attr_t const *type_da, fr_dict_enum_value_t const *enumv)
Set the next section type if it's not already set.
module_t common
Common fields presented by all modules.
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
static ssize_t normify(normalise_t *action, uint8_t *buffer, size_t bufflen, char const *known_good, size_t len, size_t min_len)
fr_pair_t * password_find(bool *ephemeral, TALLOC_CTX *ctx, request_t *request, fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify)
Find a "known good" password in the control list of a request.
static const conf_parser_t config[]
#define RETURN_MODULE_REJECT
#define RETURN_MODULE_NOOP
#define RETURN_MODULE_RCODE(_rcode)
#define RETURN_MODULE_INVALID
#define RETURN_MODULE_UPDATED
rlm_rcode_t
Return codes indicating the result of the module call.
@ RLM_MODULE_INVALID
The module considers the request invalid.
@ RLM_MODULE_OK
The module is OK, continue.
@ RLM_MODULE_REJECT
Immediately reject the request.
static const pap_auth_func_t auth_func_table[]
Table of password types we can process.
static unlang_action_t pap_auth_dummy(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, UNUSED request_t *request, UNUSED fr_pair_t const *known_good, UNUSED fr_value_box_t const *password)
Auth func for password types that should have been normalised away.
static int mod_load(void)
static fr_dict_attr_autoload_t rlm_pap_dict_attr[]
fr_dict_enum_value_t * auth_type
static unlang_action_t pap_auth_md5(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t pap_auth_clear(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t pap_auth_smd5(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static fr_dict_t const * dict_freeradius
static const call_env_method_t pap_method_env
static unlang_action_t pap_auth_nt(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static fr_dict_autoload_t rlm_pap_dict[]
static unlang_action_t pap_auth_ns_mta_md5(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t mod_authenticate(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
static fr_dict_attr_t const * attr_auth_type
static unlang_action_t pap_auth_sha1(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static void mod_unload(void)
static unlang_action_t pap_auth_ssha1(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t mod_authorize(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
static fr_dict_attr_t const * attr_root
static fr_dict_attr_t const ** pap_alloweds
static USES_APPLE_DEPRECATED_API pthread_mutex_t fr_crypt_mutex
static const conf_parser_t module_config[]
unlang_action_t(* pap_auth_func_t)(rlm_rcode_t *p_result, rlm_pap_t const *inst, request_t *request, fr_pair_t const *, fr_value_box_t const *)
static int mod_instantiate(module_inst_ctx_t const *mctx)
static unsigned int hash(char const *username, unsigned int tablesize)
static int instantiate(module_inst_ctx_t const *mctx)
#define FR_SBUFF_IN(_start, _len_or_end)
#define MODULE_NAME_TERMINATOR
void fr_sha1_init(fr_sha1_ctx *context)
void fr_sha1_final(uint8_t digest[static SHA1_DIGEST_LENGTH], fr_sha1_ctx *context)
void fr_sha1_update(fr_sha1_ctx *context, uint8_t const *in, size_t len)
#define SHA1_DIGEST_LENGTH
static char buff[sizeof("18446744073709551615")+3]
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
eap_aka_sim_process_conf_t * inst
size_t strlcpy(char *dst, char const *src, size_t siz)
Stores an attribute, a value and various bits of other data.
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
#define fr_table_value_by_substr(_table, _name, _name_len, _def)
Convert a partial string to a value using an ordered or sorted table.
An element in a lexicographically sorted array of name to num mappings.
#define talloc_get_type_abort_const
void fr_strerror_clear(void)
Clears all pending messages from the talloc pools.
#define FR_MAX_STRING_LEN
#define fr_box_octets(_val, _len)