📄 radiusd.c
字号:
}
else {
send_pwack(authreq, activefd);
}
pairfree(authreq->request);
pairfree(user_check);
pairfree(user_reply);
memset(authreq, 0, sizeof(AUTH_REQ));
free(authreq);
return;
}
/*************************************************************************
*
* Function: rad_authenticate
*
* Purpose: Process and reply to an authentication request
*
*************************************************************************/
rad_authenticate(authreq, activefd)
AUTH_REQ *authreq;
int activefd;
{
VALUE_PAIR *namepair;
VALUE_PAIR *check_item;
VALUE_PAIR *auth_item;
VALUE_PAIR *user_check;
VALUE_PAIR *user_reply;
VALUE_PAIR *u_reply;
int result;
char pw_digest[16];
char string[128];
int i;
char msg[512];
char umsg[128];
char *user_msg;
char *ip_hostname();
int retval;
char *ptr;
char name_str[32];
char realm_suffix[64];
int realm_status;
char addr_str[32];
VALUE_PAIR *auth_type_pair;
int expire_status;
char *encrypt_pw;
char *enpw;
char *crypt();
USER_ONLINE *online;
long left_time;
long expire_date;
/* Get the username from the request */
namepair = authreq->request;
while(namepair != (VALUE_PAIR *)NULL) {
if(namepair->attribute == PW_USER_NAME) {
break;
}
namepair = namepair->next;
}
if((namepair == (VALUE_PAIR *)NULL) ||
(strlen(namepair->strvalue) <= 0)) {
sprintf(msg, "Authenticate: from %s - No User Name\n",
ip_hostname(authreq->ipaddr));
msg[127] = '\0';
log_err(msg);
pairfree(authreq->request);
memset(authreq, 0, sizeof(AUTH_REQ));
free(authreq);
return;
}
memcpy(authreq->user_name,namepair->strvalue,sizeof(namepair->strvalue));
/* Verify the client and Calculate the MD5 Password Digest */
if(calc_digest(pw_digest, authreq) != 0) {
/* We don't respond when this fails */
sprintf(msg, "Authenticate: from %s - Security Breach: %s\n",
ip_hostname(authreq->ipaddr), namepair->strvalue);
msg[127] = '\0';
log_err(msg);
pairfree(authreq->request);
memset(authreq, 0, sizeof(AUTH_REQ));
free(authreq);
return;
}
memcpy(authreq->digest, pw_digest, AUTH_PASS_LEN);
ipaddr2str(addr_str,authreq->ipaddr);
sprintf(msg,"Auth user: %s - From: %s\n",namepair->strvalue,addr_str);
msg[127]='\0';
log_err(msg);
/* Parse the user_name_string and find the radius server */
if(realm_status=realm_user(namepair->strvalue)){
memset(name_str,'\0',sizeof(name_str));
memset(realm_suffix,'\0',sizeof(realm_suffix));
if(parse_user(namepair->strvalue, name_str,realm_suffix) != 0) {
sprintf(msg, "Authenticate: from %s - Invalid User: %s\n", ip_hostname(authreq->ipaddr), namepair->strvalue);
msg[127] = '\0';
log_err(msg);
send_reject(authreq, (char *)NULL, activefd);
pairfree(authreq->request);
memset(authreq, 0, sizeof(AUTH_REQ));
free(authreq);
}
}else{
memcpy(name_str,namepair->strvalue,sizeof(namepair->strvalue));
}
/* Verify the realm and the radius host(remote/local) */
if(realm_find(authreq, realm_suffix) != 0) {
sprintf(msg, "Authenticate: from %s - Invalid Realm: %s\n", ip_hostname(authreq->ipaddr), realm_suffix);
msg[127] = '\0';
log_err(msg);
send_reject(authreq, (char *)NULL, activefd);
pairfree(authreq->request);
memset(authreq, 0, sizeof(AUTH_REQ));
free(authreq);
return;
}
/* Verify whether the local realm */
/* if not then forwarding the request */
/* else authentication at local */
if(authreq->proxy_state){
/* Log to the file */
ipaddr2str(addr_str,authreq->r_serv);
sprintf(msg,"Auth remote: %s - Realm: %s\n",addr_str,authreq->realm);
msg[127]='\0';
log_err(msg);
/* Forwarding the request to the remote server */
forwarding_request_reply(authreq,activefd);
/* Just for test */
/*-------------------
sprintf(msg, "Auth remote: reply from %s:%d\n", ip_hostname(authreq->r_serv),authreq->udp_port);
msg[127] = '\0';
log_err(msg);
-------------------*/
/* send_reject(authreq, (char *)NULL, activefd); */
/* pairfree(authreq->request); */
/* memset(authreq, 0, sizeof(AUTH_REQ)); */
/* free(authreq); */
return;
}else{
/* Log to the logfile */
ipaddr2str(addr_str,authreq->r_serv);
sprintf(msg,"Auth Local: %s - Realm: %s\n",addr_str,authreq->realm);
msg[127]='\0';
log_err(msg);
/* Chech result sign */
result = 0;
user_msg = (char *)NULL;
/*----------------------*/
/* Tempary add function */
/*----------------------*/
if(user_find(name_str, &user_check, &user_reply) != 0) {
sprintf(msg, "Authenticate: from %s - Invalid User: %s\n", ip_hostname(authreq->ipaddr), namepair->strvalue);
msg[127] = '\0';
log_err(msg);
send_reject(authreq, (char *)NULL, activefd);
pairfree(authreq->request);
memset(authreq, 0, sizeof(AUTH_REQ));
free(authreq);
return;
}
/* Validate the user */
/* Look for matching check items */
authreq->check_item = user_check;
authreq->reply_item = user_reply;
check_item = user_check;
auth_type_pair = (VALUE_PAIR *)NULL;
while(check_item != (VALUE_PAIR *)NULL) {
if(check_item->attribute == PW_AUTH_TYPE) {
auth_type_pair = check_item;
break;
}
check_item = check_item->next;
}
if(auth_type_pair != (VALUE_PAIR *)NULL) {
switch(auth_type_pair->lvalue) {
case PW_AUTH_LOCAL:
check_item = authreq->check_item;
while(result == 0 && check_item != (VALUE_PAIR *)NULL) {
/* Exclude the Auth-Type Attribute */
if(check_item->attribute == PW_AUTH_TYPE) {
check_item = check_item->next;
continue;
}
/* Check expiration */
if(check_item->attribute == PW_EXPIRATION) {
if(check_expiration(check_item) != 0) {
result = -1;
}
check_item = check_item->next;
continue;
}
/* Check simultaneous_use */
if(check_item->attribute == PW_SIMULTANEOUS_USE) {
check_item = check_item->next;
continue;
}
auth_item = authreq->request;
while(auth_item != (VALUE_PAIR *)NULL) {
if(check_item->attribute == auth_item->attribute) {
break;
}
auth_item = auth_item->next;
}
if(auth_item == (VALUE_PAIR *)NULL) {
result = -1;
continue;
}
/* Decrypt the password and check it */
if(check_item->attribute == PW_PASSWORD) {
memcpy(string, auth_item->strvalue,AUTH_PASS_LEN);
for(i=0; i<AUTH_PASS_LEN; i++) {
string[i] ^= pw_digest[i];
}
string[AUTH_PASS_LEN]='\0';
if(strcmp(check_item->strvalue, string) != 0) {
result = -1;
user_msg = (char *)NULL;
}
}else{
switch(check_item->type) {
case PW_TYPE_STRING:
if(strcmp(check_item->strvalue,auth_item->strvalue)!=0) {
result = -1;
}
break;
case PW_TYPE_IPADDR:
case PW_TYPE_INTEGER:
if(check_item->lvalue != auth_item->lvalue) {
result = -1;
}
break;
default:
result = -1;
break;
}
}
check_item = check_item->next;
} /* end of while(result==0) */
break;
case PW_AUTH_CRYPT_LOCAL:
check_item = authreq->check_item;
while(result == 0 && check_item != (VALUE_PAIR *)NULL) {
/* Exclude the Auth-Type Attribute */
if(check_item->attribute == PW_AUTH_TYPE) {
check_item = check_item->next;
continue;
}
/* Check expiration */
if(check_item->attribute == PW_EXPIRATION) {
if(check_expiration(check_item) != 0) {
result = -1;
/* Just for test */
/*------------------
sprintf(msg,"Auth: password expired - result: %d\n",result);
msg[127]='\0';
log_err(msg);
-----------------*/
}
check_item = check_item->next;
continue;
}
/* Check simultaneous_use */
if(check_item->attribute == PW_SIMULTANEOUS_USE) {
/* New function should be added */
check_item = check_item->next;
continue;
}
auth_item = authreq->request;
while(auth_item != (VALUE_PAIR *)NULL) {
if(check_item->attribute == auth_item->attribute) {
break;
}
if(check_item->attribute == PW_CRYPT_PASSWORD && auth_item->attribute == PW_PASSWORD) {
break;
}
auth_item = auth_item->next;
}
if(auth_item == (VALUE_PAIR *)NULL) {
result = -1;
/* Just for test */
/*-------------------
sprintf(msg,"Auth: auth attr is NULL - result: %d\n",result);
msg[127]='\0';
log_err(msg);
-------------------*/
continue;
}
/* Decrypt the password and check it */
if(check_item->attribute == PW_CRYPT_PASSWORD && auth_item->attribute == PW_PASSWORD) {
memcpy(string, auth_item->strvalue,AUTH_PASS_LEN);
for(i=0; i<AUTH_PASS_LEN; i++) {
string[i] ^= pw_digest[i];
}
string[AUTH_PASS_LEN]='\0';
encrypt_pw=check_item->strvalue;
enpw=crypt(string,encrypt_pw);
if(strcmp(enpw, encrypt_pw) != 0) {
result = -1;
user_msg = (char *)NULL;
}
/* Just for test */
/*-----------------
sprintf(msg,"Auth: encrypt-password: %s - %s, result: %d\n",encrypt_pw,enpw,result);
msg[127]='\0';
log_err(msg);
-----------------*/
}else{
switch(check_item->type) {
case PW_TYPE_STRING:
if(strcmp(check_item->strvalue,auth_item->strvalue)!=0) {
result = -1;
}
break;
case PW_TYPE_IPADDR:
case PW_TYPE_INTEGER:
if(check_item->lvalue != auth_item->lvalue) {
result = -1;
}
break;
default:
result = -1;
break;
}
}
check_item = check_item->next;
} /* end of while(result==0) */
/* Just for test */
/*----------------
sprintf(msg,"Auth: auth-type: %d - result: %d\n", auth_type_pair->lvalue, result);
msg[127]='\0';
log_err(msg);
-----------------*/
break;
case PW_AUTH_SYSTEM:
check_item = authreq->check_item;
while(result == 0 && check_item != (VALUE_PAIR *)NULL) {
/* Just for test */
/*----------------
sprintf(msg,"Auth: check attr: %d - result: %d\n",check_item->attribute,result);
msg[127]='\0';
log_err(msg);
----------------*/
/* Exclude the Auth-Type Attribute */
if(check_item->attribute == PW_AUTH_TYPE || check_item->attribute == PW_PASSWORD) {
check_item = check_item->next;
continue;
}
/* Check expiration */
if(check_item->attribute == PW_EXPIRATION) {
if(check_expiration(check_item)!=0){
result = -1;
/* Just for test */
/*---------------
sprintf(msg,"Auth: password expired - result: %d\n",result);
msg[127]='\0';
log_err(msg);
---------------*/
}
check_item = check_item->next;
continue;
}
/* Check simultaneous_use */
if(check_item->attribute == PW_SIMULTANEOUS_USE) {
/* New function need to add */
check_item = check_item->next;
continue;
}
auth_item = authreq->request;
while(auth_item != (VALUE_PAIR *)NULL) {
if(check_item->attribute == auth_item->attribute) {
break;
}
auth_item = auth_item->next;
}
if(auth_item == (VALUE_PAIR *)NULL) {
result = -1;
/* Just for test */
/*------------
sprintf(msg,"Auth: auth attr is NULL(1) - result: %d\n",result);
msg[127]='\0';
log_err(msg);
------------*/
continue;
}
switch(check_item->type) {
case PW_TYPE_STRING:
if(strcmp(check_item->strvalue,auth_item->strvalue)!=0) {
result = -1;
}
break;
case PW_TYPE_IPADDR:
case PW_TYPE_INTEGER:
if(check_item->lvalue != auth_item->lvalue) {
result = -1;
}
break;
default:
result = -1;
break;
}
check_item = check_item->next;
} /* end of while(result==0) */
auth_item = authreq->request;
while(result ==0 && auth_item != (VALUE_PAIR *)NULL) {
if(auth_item->attribute == PW_PASSWORD) {
/* Decrypt the password and check it */
memcpy(string, auth_item->strvalue,AUTH_PASS_LEN);
for(i=0; i<AUTH_PASS_LEN; i++) {
string[i] ^= pw_digest[i];
}
if(unix_pass(name_str,string,user_reply) != 0) {
result = -1;
user_msg = (char *)NULL;
}
/* Just for test */
/*---------------
sprintf(msg,"Auth: Unix decrypted password: %s - result: %d \n",string,result);
msg[127]='\0';
log_err(msg);
---------------*/
break;
}
auth_item = auth_item->next;
}
if(auth_item == (VALUE_PAIR *)NULL) {
result = -1;
user_msg = (char *)NULL;
/* Just for test */
/*-------------
sprintf(msg,"Auth: auth attr is NULL(2) - result: %d\n",result);
msg[127]='\0';
log_err(msg);
-------------*/
}
/* Just for test */
/*-------------
sprintf(msg,"Auth: auth-type: %d - result: %d\n", auth_type_pair->lvalue, result);
msg[127]='\0';
log_err(msg);
--------------*/
break;
case PW_AUTH_REJECT:
default:
result = -1;
user_msg = (char *)NULL;
break;
}
}else{
check_item = user_check;
while(result == 0 && check_item != (VALUE_PAIR *)NULL) {
/*
* Check expiration date if we are doing password aging.
*/
if(check_item->attribute == PW_EXPIRATION) {
/* Has this user's password expired */
retval = pw_expired(check_item->lvalue);
if(retval < 0) {
result = -1;
user_msg = "Password Has Expired\r\n";
}
else {
if(retval > 0) {
sprintf(umsg,
"Password Will Expire in %d Days\r\n",
retval);
user_msg = umsg;
}
check_item = check_item->next;
}
continue;
}
/*
* Look for the matching attribute in the request.
*/
auth_item = authreq->request;
while(auth_item != (VALUE_PAIR *)NULL) {
if(check_item->attribute == auth_item->attribute) {
break;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -