66
66
static int check_expiration(REQUEST *request)
69
VALUE_PAIR *check_item = request->config_items;
72
while (result == 0 && check_item != NULL) {
75
* Check expiration date if we are doing password aging.
77
if (check_item->attribute == PW_EXPIRATION) {
79
* Has this user's password expired?
81
* If so, remove ALL reply attributes,
82
* and add our own Reply-Message, saying
83
* why they're being rejected.
85
if (check_item->lvalue < (unsigned) time(NULL)) {
89
vp = pairmake("Reply-Message",
90
"Password Has Expired\r\n",
92
pairfree(&request->reply->vps);
93
request->reply->vps = vp;
97
check_item = check_item->next;
68
VALUE_PAIR *check_item;
71
check_item = pairfind(request->config_items, PW_EXPIRATION);
73
if (!check_item) return 0;
76
* Has this user's password expired?
78
* If so, remove ALL reply attributes,
79
* and add our own Reply-Message, saying
80
* why they're being rejected.
82
if (((time_t) check_item->lvalue) <= request->timestamp) {
83
vp = pairmake("Reply-Message",
84
"Password Has Expired\r\n",
86
pairfree(&request->reply->vps);
87
request->reply->vps = vp;
91
#define EXP_TIMEOUT ((uint32_t) (((time_t) check_item->lvalue) - request->timestamp))
93
* Otherwise, set the Session-Timeout based on expiration.
95
vp = pairfind(request->reply->vps, PW_SESSION_TIMEOUT);
97
vp = pairmake("Session-Timeout", "0", T_OP_SET);
98
if (!vp) return -1; /* out of memory */
100
vp->lvalue = EXP_TIMEOUT;
101
pairadd(&request->reply->vps, vp);
102
} else if (vp->lvalue > EXP_TIMEOUT) {
103
vp->lvalue = EXP_TIMEOUT;
104
} /* else Session-Timeout is smaller than Expiration, leave it alone */
342
351
DEBUG2("auth: user supplied CHAP-Password matches local User-Password");
345
DEBUG2("auth: type \"%s\"",
346
dict_valbyattr(PW_AUTH_TYPE, auth_type)->name);
354
dval = dict_valbyattr(PW_AUTH_TYPE, auth_type);
356
DEBUG2("auth: type \"%s\"", dval->name);
358
DEBUG2("auth: type UNKNOWN-%d", auth_type);
348
362
* See if there is a module that handles
349
363
* this type, and turn the RLM_ return
391
406
int postauth_type = 0;
392
VALUE_PAIR *postauth_type_item = NULL;
395
410
* Do post-authentication calls. ignoring the return code.
397
postauth_type_item = pairfind(request->config_items, PW_POST_AUTH_TYPE);
398
if (postauth_type_item)
399
postauth_type = postauth_type_item->lvalue;
412
vp = pairfind(request->config_items, PW_POST_AUTH_TYPE);
414
DEBUG2(" Found Post-Auth-Type %s", vp->strvalue);
415
postauth_type = vp->lvalue;
400
417
result = module_post_auth(postauth_type, request);
401
418
switch (result) {
406
* The module failed, or said to reject the user: Do so.
408
case RLM_MODULE_FAIL:
409
case RLM_MODULE_REJECT:
410
case RLM_MODULE_USERLOCK:
411
case RLM_MODULE_INVALID:
412
request->reply->code = PW_AUTHENTICATION_REJECT;
413
result = RLM_MODULE_REJECT;
417
* The module had a number of OK return codes.
419
case RLM_MODULE_NOTFOUND:
420
case RLM_MODULE_NOOP:
421
case RLM_MODULE_UPDATED:
423
case RLM_MODULE_HANDLED:
424
result = RLM_MODULE_OK;
420
* The module failed, or said to reject the user: Do so.
422
case RLM_MODULE_FAIL:
423
case RLM_MODULE_INVALID:
424
case RLM_MODULE_REJECT:
425
case RLM_MODULE_USERLOCK:
427
request->reply->code = PW_AUTHENTICATION_REJECT;
428
result = RLM_MODULE_REJECT;
431
* The module handled the request, cancel the reply.
433
case RLM_MODULE_HANDLED:
435
result = RLM_MODULE_OK;
438
* The module had a number of OK return codes.
440
case RLM_MODULE_NOOP:
441
case RLM_MODULE_NOTFOUND:
443
case RLM_MODULE_UPDATED:
444
result = RLM_MODULE_OK;
451
* Before sending an Access-Reject, call the modules in the
452
* Post-Auth-Type REJECT stanza.
454
static int rad_postauth_reject(REQUEST *request)
460
dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
462
/* Overwrite the Post-Auth-Type with the value REJECT */
463
pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
464
tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
465
tmp->lvalue = dval->value;
466
pairadd(&request->config_items, tmp);
467
result = rad_postauth(request);
469
/* No REJECT stanza */
470
result = RLM_MODULE_OK;
458
* If this request got proxied to another server,
459
* AND it was an authentication request, then we need
460
* to add an initial Auth-Type: Auth-Accept for success,
461
* Auth-Reject for fail. We also need to add the reply
462
* pairs from the server to the initial reply.
464
* Huh? If the request wasn't an authentication request,
465
* WTF are we doing here?
503
* If this request got proxied to another server, we need
504
* to check whether it authenticated the request or not.
467
if ((request->proxy_reply) &&
468
(request->packet->code == PW_AUTHENTICATION_REQUEST)) {
469
tmp = paircreate(PW_AUTH_TYPE, PW_TYPE_INTEGER);
471
radlog(L_ERR|L_CONS, "no memory");
476
* Challenges are punted back to the NAS
477
* without any further processing.
479
if (request->proxy_reply->code == PW_ACCESS_CHALLENGE) {
506
if (request->proxy_reply) {
507
switch (request->proxy_reply->code) {
509
* Reply of ACCEPT means accept, thus set Auth-Type
512
case PW_AUTHENTICATION_ACK:
513
tmp = paircreate(PW_AUTH_TYPE, PW_TYPE_INTEGER);
515
radlog(L_ERR|L_CONS, "Not enough memory");
518
tmp->lvalue = PW_AUTHTYPE_ACCEPT;
519
pairadd(&request->config_items, tmp);
522
* Challenges are punted back to the NAS without any
523
* further processing.
525
case PW_ACCESS_CHALLENGE:
480
526
request->reply->code = PW_ACCESS_CHALLENGE;
481
return RLM_MODULE_HANDLED;
485
* Reply of ACCEPT means accept, ALL other
486
* replies mean reject. This is fail-safe.
488
if (request->proxy_reply->code == PW_AUTHENTICATION_ACK)
489
tmp->lvalue = PW_AUTHTYPE_ACCEPT;
491
tmp->lvalue = PW_AUTHTYPE_REJECT;
492
pairadd(&request->config_items, tmp);
495
* If it's an Access-Reject, then do NOT do any
496
* authorization or authentication. They're being
497
* rejected, so we minimize the amount of work
527
return RLM_MODULE_OK;
529
* ALL other replies mean reject. (this is fail-safe)
531
* Do NOT do any authorization or authentication. They
532
* are being rejected, so we minimize the amount of work
498
533
* done by the server, by rejecting them here.
500
if ((request->proxy_reply->code != PW_AUTHENTICATION_ACK) &&
501
(request->proxy_reply->code != PW_ACCESS_CHALLENGE)) {
502
rad_authlog("Login incorrect (Home Server says so)", request, 0);
535
case PW_AUTHENTICATION_REJECT:
537
rad_authlog("Login incorrect (Home Server says so)",
503
539
request->reply->code = PW_AUTHENTICATION_REJECT;
540
rad_postauth_reject(request);
504
541
return RLM_MODULE_REJECT;
549
586
* Get the user's authorization information from the database
552
r = module_authorize(autz_type, request);
553
if (r != RLM_MODULE_NOTFOUND &&
554
r != RLM_MODULE_NOOP &&
555
r != RLM_MODULE_OK &&
556
r != RLM_MODULE_UPDATED) {
557
if (r != RLM_MODULE_FAIL && r != RLM_MODULE_HANDLED) {
589
result = module_authorize(autz_type, request);
591
case RLM_MODULE_NOOP:
592
case RLM_MODULE_NOTFOUND:
594
case RLM_MODULE_UPDATED:
596
case RLM_MODULE_FAIL:
597
case RLM_MODULE_HANDLED:
599
case RLM_MODULE_INVALID:
600
case RLM_MODULE_REJECT:
601
case RLM_MODULE_USERLOCK:
558
603
if ((module_msg = pairfind(request->packet->vps,
559
PW_MODULE_FAILURE_MESSAGE)) != NULL){
560
char msg[MAX_STRING_LEN+16];
604
PW_MODULE_FAILURE_MESSAGE)) != NULL) {
605
char msg[MAX_STRING_LEN + 16];
561
606
snprintf(msg, sizeof(msg), "Invalid user (%s)",
562
607
module_msg->strvalue);
563
608
rad_authlog(msg,request,0);
565
610
rad_authlog("Invalid user", request, 0);
567
612
request->reply->code = PW_AUTHENTICATION_REJECT;
572
VALUE_PAIR *autz_type_item = NULL;
573
autz_type_item = pairfind(request->config_items, PW_AUTZ_TYPE);
575
autz_type = autz_type_item->lvalue;
616
tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
618
DEBUG2(" Found Autz-Type %s", tmp->strvalue);
619
autz_type = tmp->lvalue;
662
706
if (result >= 0 &&
663
707
(check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
664
VALUE_PAIR *session_type;
708
int session_type = 0;
667
session_type = pairfind(request->config_items, PW_SESSION_TYPE);
669
sess_type = session_type->lvalue;
710
tmp = pairfind(request->config_items, PW_SESSION_TYPE);
712
DEBUG2(" Found Session-Type %s", tmp->strvalue);
713
session_type = tmp->lvalue;
672
717
* User authenticated O.K. Now we have to check
673
718
* for the Simultaneous-Use parameter.
676
(r = module_checksimul(sess_type,request, check_item->lvalue)) != 0) {
721
(r = module_checksimul(session_type, request, check_item->lvalue)) != 0) {
779
824
* Result should be >= 0 here - if not, it means the user
780
* is rejected, so we overwrite the Post-Auth-Type with
781
* the value REJECT and call the post-authentication
825
* is rejected, so we just process post-auth and return.
784
827
if (result < 0) {
787
dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
789
pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
790
tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
791
tmp->lvalue = dval->value;
792
pairadd(&request->config_items, tmp);
793
rad_postauth(request);
795
return RLM_MODULE_OK;
828
rad_postauth_reject(request);
829
return RLM_MODULE_REJECT;
880
914
pairmove(&request->reply->vps, &tmp);
885
919
* Error. radius_exec_program() returns -1 on
886
* fork/exec errors, or >0 if the exec'ed program
887
* had a non-zero exit status.
889
if (umsg[0] == '\0') {
890
user_msg = "\r\nAccess denied (external check failed).";
895
request->reply->code = PW_AUTHENTICATION_REJECT;
922
user_msg = "Access denied (external check failed)";
896
923
tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
898
924
pairadd(&request->reply->vps, tmp);
926
request->reply->code = PW_AUTHENTICATION_REJECT;
899
927
rad_authlog("Login incorrect (external check failed)",
929
rad_postauth_reject(request);
931
return RLM_MODULE_REJECT;
935
* Reject. radius_exec_program() returns >0
936
* if the exec'ed program had a non-zero
939
request->reply->code = PW_AUTHENTICATION_REJECT;
940
rad_authlog("Login incorrect (external check said so)",
942
rad_postauth_reject(request);
902
944
return RLM_MODULE_REJECT;