1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
/* Copyright (c) The Exim Maintainers 2020 */
/* Copyright (c) University of Cambridge 1995 - 2016 */
/* See the file NOTICE for conditions of use and distribution. */
/* This file was originally supplied by Ian Kirk. The libradius support came
from Alex Kiernan. */
/* ugly hack to work around redefinition of ENV by radiusclient.h and
* db.h: define _DB_H_ so the db.h include thinks it's already included,
* we can get away with it like this, since this file doesn't use any db
* functions. */
#ifndef _DB_H_
# define _DB_H_ 1
# define _DB_EXT_PROT_IN_ 1
# define DB void
#endif
#include "../exim.h"
/* This module contains functions that call the Radius authentication
mechanism.
We can't just compile this code and allow the library mechanism to omit the
functions if they are not wanted, because we need to have the Radius headers
available for compiling. Therefore, compile these functions only if
RADIUS_CONFIG_FILE is defined. However, some compilers don't like compiling
empty modules, so keep them happy with a dummy when skipping the rest. Make it
reference itself to stop picky compilers complaining that it is unused, and put
in a dummy argument to stop even pickier compilers complaining about infinite
loops. Then use a mutually-recursive pair as gcc is just getting stupid. */
#ifndef RADIUS_CONFIG_FILE
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
#else /* RADIUS_CONFIG_FILE */
/* Two different Radius libraries are supported. The default is radiusclient,
using its original API. At release 0.4.0 the API changed. */
#ifdef RADIUS_LIB_RADLIB
#include <radlib.h>
#else
#if !defined(RADIUS_LIB_RADIUSCLIENT) && !defined(RADIUS_LIB_RADIUSCLIENTNEW)
# define RADIUS_LIB_RADIUSCLIENT
#endif
#ifdef RADIUS_LIB_RADIUSCLIENTNEW
# include <freeradius-client.h>
#else
# include <radiusclient.h>
#endif
#endif
/*************************************************
* Perform RADIUS authentication *
*************************************************/
/* This function calls the Radius authentication mechanism, passing over one or
more data strings.
Arguments:
s a colon-separated list of strings
errptr where to point an error message
Returns: OK if authentication succeeded
FAIL if authentication failed
ERROR some other error condition
*/
int
auth_call_radius(const uschar *s, uschar **errptr)
{
uschar *user;
const uschar *radius_args = s;
int result;
int sep = 0;
#ifdef RADIUS_LIB_RADLIB
struct rad_handle *h;
#else
#ifdef RADIUS_LIB_RADIUSCLIENTNEW
rc_handle *h;
#endif
VALUE_PAIR *send = NULL;
VALUE_PAIR *received;
unsigned int service = PW_AUTHENTICATE_ONLY;
char msg[4096];
#endif
if (!(user = string_nextinlist(&radius_args, &sep, NULL, 0))) user = US"";
DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" "
"and \"%s\"\n", user, radius_args);
*errptr = NULL;
/* Authenticate using the radiusclient library */
#ifndef RADIUS_LIB_RADLIB
rc_openlog("exim");
#ifdef RADIUS_LIB_RADIUSCLIENT
if (rc_read_config(RADIUS_CONFIG_FILE) != 0)
*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0)
*errptr = US"RADIUS: can't read dictionary";
else if (!rc_avpair_add(&send, PW_USER_NAME, user, 0))
*errptr = US"RADIUS: add user name failed";
else if (!rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0))
*errptr = US"RADIUS: add password failed");
else if (!rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0))
*errptr = US"RADIUS: add service type failed";
#else /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */
if (!(h = rc_read_config(RADIUS_CONFIG_FILE)))
*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0)
*errptr = US"RADIUS: can't read dictionary";
else if (!rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0))
*errptr = US"RADIUS: add user name failed";
else if (!rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args,
Ustrlen(radius_args), 0))
*errptr = US"RADIUS: add password failed";
else if (!rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0))
*errptr = US"RADIUS: add service type failed";
#endif /* RADIUS_LIB_RADIUSCLIENT */
if (*errptr)
{
DEBUG(D_auth) debug_printf("%s\n", *errptr);
return ERROR;
}
#ifdef RADIUS_LIB_RADIUSCLIENT
result = rc_auth(0, send, &received, msg);
#else
result = rc_auth(h, 0, send, &received, msg);
#endif
DEBUG(D_auth) debug_printf("RADIUS code returned %d\n", result);
switch (result)
{
case OK_RC:
return OK;
case REJECT_RC:
case ERROR_RC:
return FAIL;
case TIMEOUT_RC:
*errptr = US"RADIUS: timed out";
return ERROR;
case BADRESP_RC:
default:
*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
return ERROR;
}
#else /* RADIUS_LIB_RADLIB is set */
/* Authenticate using the libradius library */
if (!(h = rad_auth_open()))
{
*errptr = string_sprintf("RADIUS: can't initialise libradius");
return ERROR;
}
if (rad_config(h, RADIUS_CONFIG_FILE) != 0 ||
rad_create_request(h, RAD_ACCESS_REQUEST) != 0 ||
rad_put_string(h, RAD_USER_NAME, CS user) != 0 ||
rad_put_string(h, RAD_USER_PASSWORD, CS radius_args) != 0 ||
rad_put_int(h, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) != 0 ||
rad_put_string(h, RAD_NAS_IDENTIFIER, CS primary_hostname) != 0)
{
*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
result = ERROR;
}
else
switch (result = rad_send_request(h))
{
case RAD_ACCESS_ACCEPT:
result = OK;
break;
case RAD_ACCESS_REJECT:
result = FAIL;
break;
case -1:
*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
result = ERROR;
break;
default:
*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
result= ERROR;
break;
}
if (*errptr) DEBUG(D_auth) debug_printf("%s\n", *errptr);
rad_close(h);
return result;
#endif /* RADIUS_LIB_RADLIB */
}
#endif /* RADIUS_CONFIG_FILE */
/* End of call_radius.c */
|