← Back to branch summary

~ubuntu-branches/ubuntu/natty/freeradius/natty-updates

« back to all changes in this revision

Viewing changes to src/modules/rlm_pap/rlm_pap.c

  • Committer: Bazaar Package Importer
  • Author(s): Josip Rodin
  • Date: 2009-11-23 03:57:37 UTC
  • mfrom: (1.2.1 upstream)
  • mto: This revision was merged to the branch mainline in revision 28.
  • Revision ID: james.westby@ubuntu.com-20091123035737-zsgtzhfych8hir68
Tags: 2.1.7+dfsg-1
http://bugs.debian.org/536623
http://bugs.debian.org/513484
http://bugs.debian.org/526175
http://bugs.debian.org/533396
http://bugs.debian.org/550143
* Adopting the package, closes: #536623.
* New upstream version, closes: #513484.
  + Fixes the blooper in unlang evaluation logic, closes: #526175.
* Used quilt (and added README.source), and moved upstream file patching
  into debian/patches/. The source is no longer in collab-maint git
  (to make it simpler for me to finally get this out the door), but
  kept the .gitignore should we need that again.
* Dropped the dialup_admin/bin/backup_radacct patch (integrated upstream).
* Dropped the raddb/Makefile patch (problem no longer exists upstream).
* Dropped the lib/packet.c lib/radius.c main/listen.c patches (was from
  upstream 2.0.5 anyway).
* Dropped references to otp.conf, it no longer exists upstream.
  Keep removing the conffile statoverride in prerm.
* Dropped references to snmp.conf, it no longer exists upstream.
  Keep removing the conffile statoverride in prerm.
* Ship /etc/freeradius/modules/* in the freeradius package.
* Stop shipping sites-enabled symlinks in the package and instead create
  them only on initial install, thanks to Matej Vela, closes: #533396.
* Add export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" to the init script
  at the request of John Morrissey, closes: #550143.
* Stop installing /var/run/freeradius in the package to silence Lintian.
  The init script already recreates it at will.
* Remove executable bit from example.pl to silence Lintian.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/modules/rlm_pap/rlm_pap.c
1
1
/*
2
2
 * rlm_pap.c
3
3
 *
4
 
 * Version:  $Id: rlm_pap.c,v 1.63 2008/03/29 21:30:33 aland Exp $
 
4
 * Version:  $Id$
5
5
 *
6
6
 *   This program is free software; you can redistribute it and/or modify
7
7
 *   it under the terms of the GNU General Public License as published by
22
22
 */
23
23
 
24
24
#include <freeradius-devel/ident.h>
25
 
RCSID("$Id: rlm_pap.c,v 1.63 2008/03/29 21:30:33 aland Exp $")
 
25
RCSID("$Id$")
26
26
 
27
27
#include <freeradius-devel/radiusd.h>
28
28
#include <freeradius-devel/modules.h>
200
200
 
201
201
        dst[2] = (unsigned char)(x & 255); x >>= 8;
202
202
        dst[1] = (unsigned char)(x & 255); x >>= 8;
203
 
        dst[0] = (unsigned char)(x & 255); x >>= 8;
 
203
        dst[0] = (unsigned char)(x & 255);
204
204
 
205
205
        return 1;
206
206
}
240
240
/*
241
241
 *      Hex or base64 or bin auto-discovery.
242
242
 */
243
 
static void normify(VALUE_PAIR *vp, size_t min_length)
 
243
static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
244
244
{
245
245
        size_t decoded;
246
246
        uint8_t buffer[64];
253
253
        if (vp->length >= (2 * min_length)) {
254
254
                decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
255
255
                if (decoded == (vp->length >> 1)) {
256
 
                        DEBUG2("rlm_pap: Normalizing %s from hex encoding", vp->name);
 
256
                        RDEBUG2("Normalizing %s from hex encoding", vp->name);
257
257
                        memcpy(vp->vp_octets, buffer, decoded);
258
258
                        vp->length = decoded;
259
259
                        return;
267
267
        if ((vp->length * 3) >= ((min_length * 4))) {
268
268
                decoded = base64_decode(vp->vp_strvalue, buffer);
269
269
                if (decoded >= min_length) {
270
 
                        DEBUG2("rlm_pap: Normalizing %s from base64 encoding", vp->name);
 
270
                        RDEBUG2("Normalizing %s from base64 encoding", vp->name);
271
271
                        memcpy(vp->vp_octets, buffer, decoded);
272
272
                        vp->length = decoded;
273
273
                        return;
336
336
 
337
337
                        attr = fr_str2int(header_names, buffer, 0);
338
338
                        if (!attr) {
339
 
                                DEBUG2("rlm_pap: Found unknown header {%s}: Not doing anything", buffer);
 
339
                                RDEBUG2("Found unknown header {%s}: Not doing anything", buffer);
340
340
                                break;
341
341
                        }
342
342
 
366
366
                case PW_SMD5_PASSWORD:
367
367
                case PW_NT_PASSWORD:
368
368
                case PW_LM_PASSWORD:
369
 
                        normify(vp, 16); /* ensure it's in the right format */
 
369
                        normify(request, vp, 16); /* ensure it's in the right format */
370
370
                        found_pw = TRUE;
371
371
                        break;
372
372
 
373
373
                case PW_SHA_PASSWORD:
374
374
                case PW_SSHA_PASSWORD:
375
 
                        normify(vp, 20); /* ensure it's in the right format */
 
375
                        normify(request, vp, 20); /* ensure it's in the right format */
376
376
                        found_pw = TRUE;
377
377
                        break;
378
378
 
432
432
                        return RLM_MODULE_NOOP;
433
433
                }
434
434
 
435
 
                DEBUG("rlm_pap: WARNING! No \"known good\" password found for the user.  Authentication may fail because of this.");
 
435
                RDEBUG("WARNING! No \"known good\" password found for the user.  Authentication may fail because of this.");
436
436
                return RLM_MODULE_NOOP;
437
437
        }
438
438
 
440
440
         *      Don't touch existing Auth-Types.
441
441
         */
442
442
        if (auth_type) {
443
 
                DEBUG2("rlm_pap: Found existing Auth-Type, not changing it.");
 
443
                RDEBUG2("Found existing Auth-Type, not changing it.");
444
444
                return RLM_MODULE_NOOP;
445
445
        }
446
446
 
457
457
                        return RLM_MODULE_NOOP;
458
458
                }
459
459
 
460
 
                DEBUG2("rlm_pap: No clear-text password in the request.  Not performing PAP.");
 
460
                RDEBUG2("No clear-text password in the request.  Not performing PAP.");
461
461
                return RLM_MODULE_NOOP;
462
462
        }
463
463
 
488
488
        int scheme = PAP_ENC_INVALID;
489
489
 
490
490
        if (!request->password){
491
 
                radlog(L_AUTH, "rlm_pap: Attribute \"Password\" is required for authentication.");
 
491
                radlog_request(L_AUTH, 0, request, "Attribute \"Password\" is required for authentication.");
492
492
                return RLM_MODULE_INVALID;
493
493
        }
494
494
 
496
496
         *      Clear-text passwords are the only ones we support.
497
497
         */
498
498
        if (request->password->attribute != PW_USER_PASSWORD) {
499
 
                radlog(L_AUTH, "rlm_pap: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
 
499
                radlog_request(L_AUTH, 0, request, "Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
500
500
                return RLM_MODULE_INVALID;
501
501
        }
502
502
 
510
510
                return RLM_MODULE_INVALID;
511
511
        }
512
512
 
513
 
        DEBUG("rlm_pap: login attempt with password \"%s\"",
 
513
        RDEBUG("login attempt with password \"%s\"",
514
514
              request->password->vp_strvalue);
515
515
 
516
516
        /*
555
555
                }
556
556
 
557
557
        fail:
558
 
                DEBUG("rlm_pap: No password configured for the user.  Cannot do authentication");
 
558
                RDEBUG("No password configured for the user.  Cannot do authentication");
559
559
                return RLM_MODULE_FAIL;
560
560
 
561
561
        } else {
580
580
        switch (scheme) {
581
581
        case PAP_ENC_CLEAR:
582
582
        do_clear:
583
 
                DEBUG("rlm_pap: Using clear text password \"%s\"",
 
583
                RDEBUG("Using clear text password \"%s\"",
584
584
                      vp->vp_strvalue);
585
585
                if (strcmp((char *) vp->vp_strvalue,
586
586
                           (char *) request->password->vp_strvalue) != 0){
588
588
                        goto make_msg;
589
589
                }
590
590
        done:
591
 
                DEBUG("rlm_pap: User authenticated successfully");
 
591
                RDEBUG("User authenticated successfully");
592
592
                return RLM_MODULE_OK;
593
593
                break;
594
594
 
595
595
        case PAP_ENC_CRYPT:
596
596
        do_crypt:
597
 
                DEBUG("rlm_pap: Using CRYPT encryption.");
 
597
                RDEBUG("Using CRYPT encryption.");
598
598
                if (fr_crypt_check((char *) request->password->vp_strvalue,
599
599
                                     (char *) vp->vp_strvalue) != 0) {
600
600
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CRYPT password check failed");
605
605
 
606
606
        case PW_MD5_PASSWORD:
607
607
        do_md5:
608
 
                DEBUG("rlm_pap: Using MD5 encryption.");
 
608
                RDEBUG("Using MD5 encryption.");
609
609
 
610
 
                normify(vp, 16);
 
610
                normify(request, vp, 16);
611
611
                if (vp->length != 16) {
612
 
                DEBUG("rlm_pap: Configured MD5 password has incorrect length");
 
612
                RDEBUG("Configured MD5 password has incorrect length");
613
613
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured MD5 password has incorrect length");
614
614
                        goto make_msg;
615
615
                }
627
627
 
628
628
        case PW_SMD5_PASSWORD:
629
629
        do_smd5:
630
 
                DEBUG("rlm_pap: Using SMD5 encryption.");
 
630
                RDEBUG("Using SMD5 encryption.");
631
631
 
632
 
                normify(vp, 16);
 
632
                normify(request, vp, 16);
633
633
                if (vp->length <= 16) {
634
 
                        DEBUG("rlm_pap: Configured SMD5 password has incorrect length");
 
634
                        RDEBUG("Configured SMD5 password has incorrect length");
635
635
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SMD5 password has incorrect length");
636
636
                        goto make_msg;
637
637
                }
654
654
 
655
655
        case PW_SHA_PASSWORD:
656
656
        do_sha:
657
 
                DEBUG("rlm_pap: Using SHA1 encryption.");
 
657
                RDEBUG("Using SHA1 encryption.");
658
658
 
659
 
                normify(vp, 20);
 
659
                normify(request, vp, 20);
660
660
                if (vp->length != 20) {
661
 
                        DEBUG("rlm_pap: Configured SHA1 password has incorrect length");
 
661
                        RDEBUG("Configured SHA1 password has incorrect length");
662
662
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SHA1 password has incorrect length");
663
663
                        goto make_msg;
664
664
                }
676
676
 
677
677
        case PW_SSHA_PASSWORD:
678
678
        do_ssha:
679
 
                DEBUG("rlm_pap: Using SSHA encryption.");
 
679
                RDEBUG("Using SSHA encryption.");
680
680
 
681
 
                normify(vp, 20);
 
681
                normify(request, vp, 20);
682
682
                if (vp->length <= 20) {
683
 
                        DEBUG("rlm_pap: Configured SSHA password has incorrect length");
 
683
                        RDEBUG("Configured SSHA password has incorrect length");
684
684
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SHA password has incorrect length");
685
685
                        goto make_msg;
686
686
                }
700
700
 
701
701
        case PW_NT_PASSWORD:
702
702
        do_nt:
703
 
                DEBUG("rlm_pap: Using NT encryption.");
 
703
                RDEBUG("Using NT encryption.");
704
704
 
705
 
                normify(vp, 16);
 
705
                normify(request, vp, 16);
706
706
                if (vp->length != 16) {
707
 
                        DEBUG("rlm_pap: Configured NT-Password has incorrect length");
 
707
                        RDEBUG("Configured NT-Password has incorrect length");
708
708
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured NT-Password has incorrect length");
709
709
                        goto make_msg;
710
710
                }
712
712
                snprintf(buff2, sizeof(buff2), "%%{mschap:NT-Hash %s}",
713
713
                        request->password->vp_strvalue);
714
714
                if (!radius_xlat(digest, sizeof(digest),buff2,request,NULL)){
715
 
                        DEBUG("rlm_pap: mschap xlat failed");
 
715
                        RDEBUG("mschap xlat failed");
716
716
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
717
717
                        goto make_msg;
718
718
                }
726
726
 
727
727
        case PW_LM_PASSWORD:
728
728
        do_lm:
729
 
                DEBUG("rlm_pap: Using LM encryption.");
 
729
                RDEBUG("Using LM encryption.");
730
730
 
731
 
                normify(vp, 16);
 
731
                normify(request, vp, 16);
732
732
                if (vp->length != 16) {
733
 
                        DEBUG("rlm_pap: Configured LM-Password has incorrect length");
 
733
                        RDEBUG("Configured LM-Password has incorrect length");
734
734
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured LM-Password has incorrect length");
735
735
                        goto make_msg;
736
736
                }
737
737
                snprintf(buff2, sizeof(buff2), "%%{mschap:LM-Hash %s}",
738
738
                        request->password->vp_strvalue);
739
739
                if (!radius_xlat(digest,sizeof(digest),buff2,request,NULL)){
740
 
                        DEBUG("rlm_pap: mschap xlat failed");
 
740
                        RDEBUG("mschap xlat failed");
741
741
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
742
742
                        goto make_msg;
743
743
                }
745
745
                    (memcmp(digest, vp->vp_octets, vp->length) != 0)) {
746
746
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: LM password check failed");
747
747
                make_msg:
748
 
                        DEBUG("rlm_pap: Passwords don't match");
 
748
                        RDEBUG("Passwords don't match");
749
749
                        module_fmsg_vp = pairmake("Module-Failure-Message",
750
750
                                                  module_fmsg, T_OP_EQ);
751
751
                        pairadd(&request->packet->vps, module_fmsg_vp);
756
756
 
757
757
        case PAP_ENC_NS_MTA_MD5:
758
758
        do_ns_mta_md5:
759
 
                DEBUG("rlm_pap: Using NT-MTA-MD5 password");
 
759
                RDEBUG("Using NT-MTA-MD5 password");
760
760
 
761
761
                if (vp->length != 64) {
762
 
                        DEBUG("rlm_pap: Configured NS-MTA-MD5-Password has incorrect length");
 
762
                        RDEBUG("Configured NS-MTA-MD5-Password has incorrect length");
763
763
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured NS-MTA-MD5-Password has incorrect length");
764
764
                        goto make_msg;
765
765
                }
768
768
                 *      Sanity check the value of NS-MTA-MD5-Password
769
769
                 */
770
770
                if (fr_hex2bin(vp->vp_strvalue, buff, 32) != 16) {
771
 
                        DEBUG("rlm_pap: Configured NS-MTA-MD5-Password has invalid value");
 
771
                        RDEBUG("Configured NS-MTA-MD5-Password has invalid value");
772
772
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured NS-MTA-MD5-Password has invalid value");
773
773
                        goto make_msg;
774
774
                }
779
779
                 *      This really: sizeof(buff) - 2 - 2*32 - strlen(passwd)
780
780
                 */
781
781
                if (strlen(request->password->vp_strvalue) >= (sizeof(buff2) - 2 - 2 * 32)) {
782
 
                        DEBUG("rlm_pap: Configured password is too long");
 
782
                        RDEBUG("Configured password is too long");
783
783
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: password is too long");
784
784
                        goto make_msg;
785
785
                }
814
814
                break;
815
815
        }
816
816
 
817
 
        DEBUG("rlm_pap: No password configured for the user.  Cannot do authentication");
 
817
        RDEBUG("No password configured for the user.  Cannot do authentication");
818
818
        return RLM_MODULE_FAIL;
819
819
}
820
820