  1. #include "portable.h" /* need to ./configure openldap source to get this file */
  2. #include <stdio.h>
  3. #include <lber.h>
  4. #include <lber_pvt.h>   /* BER_BVC definition */
  5. #include "lutil.h"
  6. #include <ldap_pvt_thread.h>
  7. #include <ac/string.h>
  8. #include <ac/unistd.h>
  9. #include <freeradius-client.h>
  10.  
/* Password-check callback registered for the {RADIUS} scheme; defined below. */
static LUTIL_PASSWD_CHK_FUNC chk_radius;
/* Scheme prefix this module claims in userPassword values. */
static const struct berval scheme = BER_BVC("{RADIUS}");
/* Serialises every freeradius-client call made by chk_radius();
 * initialised in init_module(), destroyed in term_module(). */
static ldap_pvt_thread_mutex_t libradius_mutex;

/* these taken from freeradius 1.1.7 as they don't exist in 1.1.6 */
/* Path of the radiusclient configuration; chk_radius() re-reads it on every call. */
#define RC_CONFIG_FILE "/etc/radiusclient/radiusclient.conf"
/* this value was 4096 hard-coded for char msg[] below */
#define PW_MAX_MSG_SIZE 4096
  19.  
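/*
 * Wipe a buffer that held secret material. A plain memset() on a buffer
 * that is about to go out of scope may be optimised away; writing through
 * a volatile pointer keeps the stores.
 */
static void wipe_secret(void *buf, size_t len)
{
    volatile unsigned char *p = buf;

    while (len--) {
        *p++ = 0;
    }
}

/*
 * chk_radius: lutil password-check callback for the {RADIUS} scheme.
 *
 * passwd  - the stored userPassword value after the scheme prefix; it is
 *           sent as the RADIUS User-Name, with the client config's
 *           default_realm appended when the name carries no '@'.
 * cred    - the clear-text credential presented on bind; sent as
 *           User-Password.
 * sc/text - scheme berval and error-text slot required by the callback
 *           signature; neither is used here.
 *
 * Returns LUTIL_PASSWD_OK only when rc_auth() answered OK_RC, and
 * LUTIL_PASSWD_ERR on any other outcome (malformed or over-long input,
 * client library/config failure, reject, timeout).
 *
 * The whole exchange, including the network round-trip inside rc_auth(),
 * runs under libradius_mutex; the freeradius-client calls used here are
 * not assumed to be thread-safe, so binds against this scheme are
 * serialised.
 */
static int chk_radius (const struct berval *sc, const struct berval *passwd, const struct berval *cred, const char **text )
{
    int rc = LUTIL_PASSWD_ERR;      /* default to password error */
    int result = 0;
    unsigned int i;

    char username[128];
    char user_pass[AUTH_PASS_LEN + 1];
    char username_realm[256];
    char msg[PW_MAX_MSG_SIZE];

    VALUE_PAIR *send = NULL;
    VALUE_PAIR *receive = NULL;     /* rc_auth() may fail before it ever stores here */
    uint32_t service;
    char *default_realm;
    rc_handle *rh = NULL;

    (void)sc;
    (void)text;

    fprintf(stderr, "chk_radius(): start\n");

    /* Both values are handed to C-string APIs below, so an embedded NUL
     * must be rejected rather than silently shortening the value. */
    for ( i = 0; i < cred->bv_len; i++ ) {
        if ( cred->bv_val[ i ] == '\0' ) {
            return LUTIL_PASSWD_ERR;    /* NUL character in cred */
        }
    }
    if ( cred->bv_val[ i ] != '\0' ) {
        return LUTIL_PASSWD_ERR;        /* cred must behave like a string */
    }

    for ( i = 0; i < passwd->bv_len; i++ ) {
        if ( passwd->bv_val[ i ] == '\0' ) {
            return LUTIL_PASSWD_ERR;    /* NUL character in password */
        }
    }
    if ( passwd->bv_val[ i ] != '\0' ) {
        return LUTIL_PASSWD_ERR;        /* passwd must behave like a string */
    }

    /* Refuse values that would not fit the fixed buffers: the original
     * snprintf() truncation would send a shortened User-Name, which may
     * name a different account, or a shortened password. */
    if ( passwd->bv_len >= sizeof(username) || cred->bv_len >= sizeof(user_pass) ) {
        fprintf(stderr, "chk_radius(): username or credential too long\n");
        return LUTIL_PASSWD_ERR;
    }

    ldap_pvt_thread_mutex_lock( &libradius_mutex );

    if ((rh = rc_read_config(RC_CONFIG_FILE)) == NULL) {
        fprintf(stderr, "chk_radius(): RC_CONFIG_FILE error \n");
        goto out;
    }

    if (rc_read_dictionary(rh, rc_conf_str(rh, "dictionary")) != 0) {
        fprintf(stderr, "chk_radius(): dictionary error \n");
        goto out;
    }

    default_realm = rc_conf_str(rh, "default_realm");

    /* setup username and pass as sent from ldap (lengths checked above) */
    snprintf (username, sizeof(username), "%s", passwd->bv_val);
    snprintf (user_pass, sizeof(user_pass), "%s", cred->bv_val);

    /* The original additionally called an undeclared radtest(username,
     * user_pass) here and discarded its result; it is not part of the
     * freeradius-client API and has been dropped. Restore it with a
     * prototype if it is a real project helper. */

    /* Fill in User-Name, appending the default realm when none is given */
    snprintf (username_realm, sizeof(username_realm), "%s", username);
    if ((strchr(username_realm, '@') == NULL) && default_realm && (*default_realm != '\0')) {
        strncat(username_realm, "@", sizeof(username_realm)-strlen(username_realm)-1);
        strncat(username_realm, default_realm, sizeof(username_realm)-strlen(username_realm)-1);
    }

    if (rc_avpair_add(rh, &send, PW_USER_NAME, username_realm, -1, 0) == NULL) {
        fprintf(stderr, "chk_radius(): adding username failed (%s)\n", username);
        goto out;
    }

    /* Fill in User-Password */
    if (rc_avpair_add(rh, &send, PW_USER_PASSWORD, user_pass, -1, 0) == NULL) {
        fprintf(stderr, "chk_radius(): auth for %s failed\n", username);
        goto out;
    }

    /* Fill in Service-Type */
    service = PW_AUTHENTICATE_ONLY;
    if (rc_avpair_add(rh, &send, PW_SERVICE_TYPE, &service, -1, 0) == NULL) {
        fprintf(stderr, "chk_radius(): error setting PW_SERVICE_TYPE\n");
        goto out;
    }

    fprintf(stderr, "chk_radius(): calling rc_auth()\n");

    // 2016-02-01 - dak - seems to be bombing here occasionally
    result = rc_auth(rh, 0, send, &receive, msg);

    fprintf(stderr, "chk_radius(): rc_auth() completed\n");

    if (receive == NULL) {
        goto out;
    }
    rc_avpair_free(receive);
    receive = NULL;

    /* return OK if auth succes, otherwise fail */
    if (result == OK_RC) {
        fprintf(stderr, "chk_radius(): \"%s\" RADIUS Authentication OK\n", username);
        rc = LUTIL_PASSWD_OK;
    } else {
        fprintf(stderr, "chk_radius():\"%s\" RADIUS Authentication failure (RC=%i)\n", username, result);
    }

out:
    /* The send list carries the clear-text password and the handle is
     * allocated per call; the original released neither on any path. */
    if (send != NULL) {
        rc_avpair_free(send);
    }
    if (rh != NULL) {
        rc_destroy(rh);
    }
    wipe_secret(user_pass, sizeof(user_pass));
    ldap_pvt_thread_mutex_unlock( &libradius_mutex );
    return rc;
}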
  152.  
  153.  
/*
 * term_module: module unload hook. Destroys the mutex set up in
 * init_module() and passes the destroy call's status back unchanged.
 */
int term_module()
{
    int status;

    fputs("term_module(): pw-freeradiusclient\n", stderr);
    status = ldap_pvt_thread_mutex_destroy( &libradius_mutex );
    return status;
}
  159.  
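/*
 * init_module: module load hook called when slapd loads this module.
 *
 * argc/argv carry the moduleload arguments; this module takes none.
 * Returns non-zero when the mutex cannot be initialised, so the module is
 * not registered with a mutex that chk_radius() would later lock; otherwise
 * returns the lutil_passwd_add() status for the {RADIUS} scheme.
 */
int init_module( int argc, char *argv[] )
{
    (void)argc;
    (void)argv;

    fprintf(stderr, "init_module(): pw-freeradiusclient\n");

    /* The original ignored this status and registered the scheme regardless. */
    if ( ldap_pvt_thread_mutex_init( &libradius_mutex ) != 0 ) {
        fprintf(stderr, "init_module(): mutex init failed\n");
        return -1;
    }

    /* lutil_passwd_add() takes a non-const berval; scheme is never modified. */
    return lutil_passwd_add( (struct berval *)&scheme, chk_radius, NULL );
}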