author | Dave Olson <olson@cumulusnetworks.com> | 2018-04-02 11:38:51 -0700 |
---|---|---|
committer | Dave Olson <olson@cumulusnetworks.com> | 2018-04-02 11:38:51 -0700 |
commit | 6b62b02e99bb0c338e5848206b9c0d0bf0a467f1 (patch) | |
tree | b23732e7f555ce7e9bcb5f1a49162b9ed13191da | |
parent | 8e021b7a98234a58ecb18c523a3fc22b8b055ecf (diff) | |
Cleaned up whitespace on my mods with indent -linux -l80
No actual code changes.
-rw-r--r-- | src/pam_radius_auth.c | 735 | ||||
-rw-r--r-- | src/pam_radius_auth.h | 59 |
2 files changed, 452 insertions, 342 deletions
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c index 04a547e..249a7b2 100644 --- a/src/pam_radius_auth.c +++ b/src/pam_radius_auth.c @@ -32,25 +32,24 @@ #define DPRINT if (debug) _pam_log - /* logging */ -static void _pam_log(pam_handle_t *pamh, int err, CONST char *format, ...) +static void _pam_log(pam_handle_t * pamh, int err, CONST char *format, ...) { va_list args; - va_start(args, format); + va_start(args, format); pam_vsyslog(pamh, err, format, args); - va_end(args); + va_end(args); } /* argument parsing */ -static int _pam_parse(pam_handle_t *pamh, int argc, CONST char **argv, - radius_conf_t *conf) +static int _pam_parse(pam_handle_t * pamh, int argc, CONST char **argv, + radius_conf_t * conf) { - int ctrl=0; + int ctrl = 0; - memset(conf, 0, sizeof(radius_conf_t)); /* ensure it's initialized */ + memset(conf, 0, sizeof(radius_conf_t)); /* ensure it's initialized */ conf->conf_file = CONF_FILE; @@ -58,18 +57,18 @@ static int _pam_parse(pam_handle_t *pamh, int argc, CONST char **argv, snprintf(conf->prompt, MAXPROMPT, "%s: ", DEFAULT_PROMPT); /* - * If either is not there, then we can't parse anything. + * If either is not there, then we can't parse anything. */ if ((argc == 0) || (argv == NULL)) { return ctrl; } /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { + for (ctrl = 0; argc-- > 0; ++argv) { /* generic options */ - if (!strncmp(*argv,"conf=",5)) { - conf->conf_file = *argv+5; + if (!strncmp(*argv, "conf=", 5)) { + conf->conf_file = *argv + 5; } else if (!strcmp(*argv, "use_first_pass")) { ctrl |= PAM_USE_FIRST_PASS; @@ -81,7 +80,7 @@ static int _pam_parse(pam_handle_t *pamh, int argc, CONST char **argv, ctrl |= PAM_SKIP_PASSWD; } else if (!strncmp(*argv, "retry=", 6)) { - conf->retries = atoi(*argv+6); + conf->retries = atoi(*argv + 6); } else if (!strcmp(*argv, "localifdown")) { conf->localifdown = 1; 
@@ -91,7 +90,7 @@ static int _pam_parse(pam_handle_t *pamh, int argc, CONST char **argv, _pam_log(pamh, LOG_WARNING, "ignoring duplicate" " '%s'", *argv); } else { - conf->client_id = (char *) *argv+10; /* point to the client-id */ + conf->client_id = (char *)*argv + 10; /* point to the client-id */ } } else if (!strcmp(*argv, "accounting_bug")) { conf->accounting_bug = TRUE; @@ -104,24 +103,28 @@ static int _pam_parse(pam_handle_t *pamh, int argc, CONST char **argv, conf->debug = TRUE; } else if (!strncmp(*argv, "prompt=", 7)) { - if (!strncmp(conf->prompt, (char*)*argv+7, MAXPROMPT)) { - _pam_log(pamh, LOG_WARNING, "ignoring duplicate" - " '%s'", *argv); + if (!strncmp + (conf->prompt, (char *)*argv + 7, MAXPROMPT)) { + _pam_log(pamh, LOG_WARNING, + "ignoring duplicate" " '%s'", *argv); } else { /* truncate excessive prompts to (MAXPROMPT - 3) length */ - if (strlen((char*)*argv+7) >= (MAXPROMPT - 3)) { - *((char*)*argv+7 + (MAXPROMPT - 3)) = 0; + if (strlen((char *)*argv + 7) >= + (MAXPROMPT - 3)) { + *((char *)*argv + 7 + (MAXPROMPT - 3)) = + 0; } /* set the new prompt */ memset(conf->prompt, 0, sizeof(conf->prompt)); - snprintf(conf->prompt, MAXPROMPT, "%s: ", (char*)*argv+7); + snprintf(conf->prompt, MAXPROMPT, "%s: ", + (char *)*argv + 7); } } else if (!strcmp(*argv, "force_prompt")) { - conf->force_prompt= TRUE; + conf->force_prompt = TRUE; } else if (!strncmp(*argv, "max_challenge=", 14)) { - conf->max_challenge = atoi(*argv+14); + conf->max_challenge = atoi(*argv + 14); } else { _pam_log(pamh, LOG_WARNING, "unrecognized option '%s'", @@ -135,7 +138,7 @@ static int _pam_parse(pam_handle_t *pamh, int argc, CONST char **argv, /* Callback function used to free the saved return value for pam_setcred. */ void _int_free(pam_handle_t * pamh, void *x, int error_status) { - free(x); + free(x); } /************************************************************************* 
@@ -145,14 +148,15 @@ void _int_free(pam_handle_t * pamh, void *x, int error_status) /* * A strerror_r() wrapper function to deal with its nuisances. */ -static void get_error_string(int errnum, char *buf, size_t buflen) { +static void get_error_string(int errnum, char *buf, size_t buflen) +{ #if !defined(__GLIBC__) || ((_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600) && ! _GNU_SOURCE) /* XSI version of strerror_r(). */ int retval = strerror_r(errnum, buf, buflen); /* POSIX does not state what will happen to the buffer if the function fails. * Put it into a known state rather than leave it possibly uninitialized. */ - if (retval != 0 && buflen > (size_t)0) { + if (retval != 0 && buflen > (size_t) 0) { buf[0] = '\0'; } #else @@ -167,7 +171,8 @@ static void get_error_string(int errnum, char *buf, size_t buflen) { /* * Return an IP address as a struct sockaddr *. */ -static int get_ipaddr(char *host, struct sockaddr *addr, char *port) { +static int get_ipaddr(char *host, struct sockaddr *addr, char *port) +{ struct addrinfo hints; struct addrinfo *results; int r; @@ -189,7 +194,7 @@ static int get_ipaddr(char *host, struct sockaddr *addr, char *port) { /* * take server->hostname, and convert it to server->ip */ -static int host2server(int debug, radius_server_t *server) +static int host2server(int debug, radius_server_t * server) { char hostbuffer[256]; char tmp[256]; @@ -233,7 +238,7 @@ static int host2server(int debug, radius_server_t *server) /* * Do XOR of two buffers. */ -static unsigned char * xor(unsigned char *p, unsigned char *q, int length) +static unsigned char *xor(unsigned char *p, unsigned char *q, int length) { int i; unsigned char *retval = p; 
@@ -254,13 +259,14 @@ static unsigned char * xor(unsigned char *p, unsigned char *q, int length) static void get_random_vector(unsigned char *vector) { #ifdef linux - int fd = open("/dev/urandom",O_RDONLY); /* Linux: get *real* random numbers */ + int fd = open("/dev/urandom", O_RDONLY); /* Linux: get *real* random numbers */ int total = 0; if (fd >= 0) { while (total < AUTH_VECTOR_LEN) { - int bytes = read(fd, vector + total, AUTH_VECTOR_LEN - total); + int bytes = + read(fd, vector + total, AUTH_VECTOR_LEN - total); if (bytes <= 0) - break; /* oops! Error */ + break; /* oops! Error */ total += bytes; } close(fd); @@ -268,15 +274,15 @@ static void get_random_vector(unsigned char *vector) if (total != AUTH_VECTOR_LEN) #endif - { /* do this *always* on other platforms */ + { /* do this *always* on other platforms */ MD5_CTX my_md5; struct timeval tv; struct timezone tz; - static unsigned int session = 0; /* make the number harder to guess */ + static unsigned int session = 0; /* make the number harder to guess */ /* Use the time of day with the best resolution the system can - give us -- often close to microsecond accuracy. */ - gettimeofday(&tv,&tz); + give us -- often close to microsecond accuracy. */ + gettimeofday(&tv, &tz); if (session == 0) { session = getppid(); /* (possibly) hard to guess information */ @@ -286,9 +292,9 @@ static void get_random_vector(unsigned char *vector) /* Hash things to get maybe cryptographically strong pseudo-random numbers */ MD5Init(&my_md5); - MD5Update(&my_md5, (unsigned char *) &tv, sizeof(tv)); - MD5Update(&my_md5, (unsigned char *) &tz, sizeof(tz)); - MD5Final(vector, &my_md5); /* set the final vector */ + MD5Update(&my_md5, (unsigned char *)&tv, sizeof(tv)); + MD5Update(&my_md5, (unsigned char *)&tz, sizeof(tz)); + MD5Final(vector, &my_md5); /* set the final vector */ } } 
@@ -298,7 +304,7 @@ static void get_random_vector(unsigned char *vector)
  * server (http://home.cistron.nl/~miquels/radius/) does, and this code
  * seems to work with it. It also works with Funk's Steel-Belted RADIUS.
  */
-static void get_accounting_vector(AUTH_HDR *request, radius_server_t *server)
+static void get_accounting_vector(AUTH_HDR * request, radius_server_t * server)
 {
  MD5_CTX my_md5;
  int secretlen = strlen(server->secret);
@@ -309,43 +315,43 @@ static void get_accounting_vector(AUTH_HDR *request, radius_server_t *server) memcpy(((char *)request) + len, server->secret, secretlen); MD5Update(&my_md5, (unsigned char *)request, len + secretlen); - MD5Final(request->vector, &my_md5); /* set the final vector */ + MD5Final(request->vector, &my_md5); /* set the final vector */ } /* * Verify the response from the server */ -static int verify_packet(char *secret, AUTH_HDR *response, AUTH_HDR *request) +static int verify_packet(char *secret, AUTH_HDR * response, AUTH_HDR * request) { MD5_CTX my_md5; - unsigned char calculated[AUTH_VECTOR_LEN]; - unsigned char reply[AUTH_VECTOR_LEN]; + unsigned char calculated[AUTH_VECTOR_LEN]; + unsigned char reply[AUTH_VECTOR_LEN]; /* * We could dispense with the memcpy, and do MD5's of the packet - * + vector piece by piece. This is easier understand, and maybe faster. + * + vector piece by piece. This is easier understand, and maybe faster. */ - memcpy(reply, response->vector, AUTH_VECTOR_LEN); /* save the reply */ - memcpy(response->vector, request->vector, AUTH_VECTOR_LEN); /* sent vector */ + memcpy(reply, response->vector, AUTH_VECTOR_LEN); /* save the reply */ + memcpy(response->vector, request->vector, AUTH_VECTOR_LEN); /* sent vector */ /* MD5(response packet header + vector + response packet data + secret) */ MD5Init(&my_md5); - MD5Update(&my_md5, (unsigned char *) response, ntohs(response->length)); + MD5Update(&my_md5, (unsigned char *)response, ntohs(response->length)); /* * This next bit is necessary because of a bug in the original Livingston - * RADIUS server. The authentication vector is *supposed* to be MD5'd + * RADIUS server. The authentication vector is *supposed* to be MD5'd * with the old password (as the secret) for password changes. - * However, the old password isn't used. The "authentication" vector + * However, the old password isn't used. 
The "authentication" vector * for the server reply packet is simply the MD5 of the reply packet. * Odd, the code is 99% there, but the old password is never copied * to the secret! */ if (*secret) { - MD5Update(&my_md5, (unsigned char *) secret, strlen(secret)); + MD5Update(&my_md5, (unsigned char *)secret, strlen(secret)); } - MD5Final(calculated, &my_md5); /* set the final vector */ + MD5Final(calculated, &my_md5); /* set the final vector */ /* Did he use the same random vector + shared secret? */ if (memcmp(calculated, reply, AUTH_VECTOR_LEN) != 0) { @@ -358,17 +364,17 @@ static int verify_packet(char *secret, AUTH_HDR *response, AUTH_HDR *request) * Find an attribute in a RADIUS packet. Note that the packet length * is *always* kept in network byte order. */ -static attribute_t *find_attribute(AUTH_HDR *response, unsigned char type) +static attribute_t *find_attribute(AUTH_HDR * response, unsigned char type) { - attribute_t *attr = (attribute_t *) &response->data; + attribute_t *attr = (attribute_t *) & response->data; int len = ntohs(response->length) - AUTH_HDR_LEN; while (attr->attribute != type) { if ((len -= attr->length) <= 0) { - return NULL; /* not found */ + return NULL; /* not found */ } - attr = (attribute_t *) ((char *) attr + attr->length); + attr = (attribute_t *) ((char *)attr + attr->length); } return attr; 
@@ -377,13 +383,14 @@ static attribute_t *find_attribute(AUTH_HDR *response, unsigned char type) /* * Add an attribute to a RADIUS packet. */ -static void add_attribute(AUTH_HDR *request, unsigned char type, CONST unsigned char *data, int length) +static void add_attribute(AUTH_HDR * request, unsigned char type, + CONST unsigned char *data, int length) { attribute_t *p; p = (attribute_t *) ((unsigned char *)request + ntohs(request->length)); p->attribute = type; - p->length = length + 2; /* the total size of the attribute */ + p->length = length + 2; /* the total size of the attribute */ request->length = htons(ntohs(request->length) + p->length); memcpy(p->data, data, length); } @@ -391,14 +398,15 @@ static void add_attribute(AUTH_HDR *request, unsigned char type, CONST unsigned /* * Add an integer attribute to a RADIUS packet. */ -static void add_int_attribute(AUTH_HDR *request, unsigned char type, int data) +static void add_int_attribute(AUTH_HDR * request, unsigned char type, int data) { int value = htonl(data); - add_attribute(request, type, (unsigned char *) &value, sizeof(int)); + add_attribute(request, type, (unsigned char *)&value, sizeof(int)); } -static void add_nas_ip_address(AUTH_HDR *request, char *hostname) { +static void add_nas_ip_address(AUTH_HDR * request, char *hostname) +{ struct addrinfo hints; struct addrinfo *ai; int v4seen = 0, v6seen = 0; 
@@ -416,13 +424,16 @@ static void add_nas_ip_address(AUTH_HDR *request, char *hostname) { while (ai != NULL) { if (!v4seen && ai->ai_family == AF_INET) { v4seen = 1; - r = ((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr; + r = ((struct sockaddr_in *)ai->ai_addr)->sin_addr. + s_addr; add_int_attribute(request, PW_NAS_IP_ADDRESS, ntohl(r)); } if (!v6seen && ai->ai_family == AF_INET6) { v6seen = 1; add_attribute(request, PW_NAS_IPV6_ADDRESS, - (unsigned char *) &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16); + (unsigned char *)&((struct sockaddr_in6 *) + ai->ai_addr)-> + sin6_addr, 16); } ai = ai->ai_next; } @@ -439,7 +450,8 @@ static void add_nas_ip_address(AUTH_HDR *request, char *hostname) { * us to simply call add_password to update the password for different * servers. */ -static void add_password(AUTH_HDR *request, unsigned char type, CONST char *password, char *secret) +static void add_password(AUTH_HDR * request, unsigned char type, + CONST char *password, char *secret) { MD5_CTX md5_secret, my_md5; unsigned char misc[AUTH_VECTOR_LEN]; @@ -449,7 +461,7 @@ static void add_password(AUTH_HDR *request, unsigned char type, CONST char *pass unsigned char *vector; attribute_t *attr; - if (length > MAXPASS) { /* shorten the password for now */ + if (length > MAXPASS) { /* shorten the password for now */ length = MAXPASS; } 
@@ -457,35 +469,37 @@ static void add_password(AUTH_HDR *request, unsigned char type, CONST char *pass memset(hashed + length, 0, sizeof(hashed) - length); if (length == 0) { - length = AUTH_PASS_LEN; /* 0 maps to 16 */ - } if ((length & (AUTH_PASS_LEN - 1)) != 0) { - length += (AUTH_PASS_LEN - 1); /* round it up */ - length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ - } /* 16*N maps to itself */ - + length = AUTH_PASS_LEN; /* 0 maps to 16 */ + } + if ((length & (AUTH_PASS_LEN - 1)) != 0) { + length += (AUTH_PASS_LEN - 1); /* round it up */ + length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ + } + /* 16*N maps to itself */ attr = find_attribute(request, PW_PASSWORD); if (type == PW_PASSWORD) { vector = request->vector; } else { - vector = attr->data; /* attr CANNOT be NULL here. */ + vector = attr->data; /* attr CANNOT be NULL here. */ } /* ************************************************************ */ /* encrypt the password */ /* password : e[0] = p[0] ^ MD5(secret + vector) */ MD5Init(&md5_secret); - MD5Update(&md5_secret, (unsigned char *) secret, strlen(secret)); - my_md5 = md5_secret; /* so we won't re-do the hash later */ + MD5Update(&md5_secret, (unsigned char *)secret, strlen(secret)); + my_md5 = md5_secret; /* so we won't re-do the hash later */ MD5Update(&my_md5, vector, AUTH_VECTOR_LEN); - MD5Final(misc, &my_md5); /* set the final vector */ + MD5Final(misc, &my_md5); /* set the final vector */ xor(hashed, misc, AUTH_PASS_LEN); /* For each step through, e[i] = p[i] ^ MD5(secret + e[i-1]) */ for (i = 1; i < (length >> 4); i++) { - my_md5 = md5_secret; /* grab old value of the hash */ - MD5Update(&my_md5, &hashed[(i-1) * AUTH_PASS_LEN], AUTH_PASS_LEN); - MD5Final(misc, &my_md5); /* set the final vector */ + my_md5 = md5_secret; /* grab old value of the hash */ + MD5Update(&my_md5, &hashed[(i - 1) * AUTH_PASS_LEN], + AUTH_PASS_LEN); + MD5Final(misc, &my_md5); /* set the final vector */ xor(&hashed[i * AUTH_PASS_LEN], misc, AUTH_PASS_LEN); } 
@@ -496,11 +510,11 @@ static void add_password(AUTH_HDR *request, unsigned char type, CONST char *pass if (!attr) { add_attribute(request, type, hashed, length); } else { - memcpy(attr->data, hashed, length); /* overwrite the packet */ + memcpy(attr->data, hashed, length); /* overwrite the packet */ } } -static void cleanup(radius_server_t *server) +static void cleanup(radius_server_t * server) { radius_server_t *next; @@ -517,7 +531,7 @@ static void cleanup(radius_server_t *server) * allocate and open a local port for communication with the RADIUS * server */ -static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) +static int initialize(pam_handle_t * pamh, radius_conf_t * conf, int accounting) { struct sockaddr_storage salocal; struct sockaddr_storage salocal4; @@ -541,7 +555,7 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) ((struct sockaddr *)&salocal6)->sa_family = AF_INET6; /* the first time around, read the configuration file */ - if ((fserver = fopen (conf->conf_file, "r")) == (FILE*)NULL) { + if ((fserver = fopen(conf->conf_file, "r")) == (FILE *) NULL) { char error_string[BUFFER_SIZE]; get_error_string(errno, error_string, sizeof(error_string)); _pam_log(pamh, LOG_ERR, "Could not open configuration file %s:" 
@@ -549,23 +563,27 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) return PAM_ABORT; } - vrfname[0] = '\0'; - while (!feof(fserver) && (fgets (buffer, sizeof(buffer), fserver) != (char*) NULL) && (!ferror(fserver))) { + vrfname[0] = '\0'; + while (!feof(fserver) + && (fgets(buffer, sizeof(buffer), fserver) != (char *)NULL) + && (!ferror(fserver))) { line++; p = buffer; /* - * Skip whitespace + * Skip whitespace */ - while ((*p == ' ') || (*p == '\t')) p++; + while ((*p == ' ') || (*p == '\t')) + p++; /* - * Skip blank lines and comments. + * Skip blank lines and comments. */ - if ((*p == '\r') || (*p == '\n') || (*p == '#')) continue; + if ((*p == '\r') || (*p == '\n') || (*p == '#')) + continue; /* - * Error out if the text is too long. + * Error out if the text is too long. */ if (!*p) { _pam_log(pamh, LOG_ERR, "ERROR reading %s, line %d:" 
@@ -573,27 +591,31 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) break; } - scancnt = sscanf(p, "%s %s %d %s", hostname, secret, &timeout, src_ip); + scancnt = + sscanf(p, "%s %s %d %s", hostname, secret, &timeout, + src_ip); /* is it the name of a vrf we should bind to? */ if (!strcmp(hostname, "vrf-name")) { if (scancnt < 2) - _pam_log(pamh, LOG_ERR, "ERROR reading %s, line %d:" - " only %d fields\n", conf->conf_file, line, - scancnt); + _pam_log(pamh, LOG_ERR, + "ERROR reading %s, line %d:" + " only %d fields\n", conf->conf_file, + line, scancnt); else - snprintf(vrfname, sizeof vrfname, "%s", secret); + snprintf(vrfname, sizeof vrfname, "%s", secret); continue; } - /* allow setting debug in config file as well */ + /* allow setting debug in config file as well */ if (!strcmp(hostname, "debug")) { if (scancnt < 1) - _pam_log(pamh, LOG_ERR, "ERROR reading %s, line %d:" - " only %d fields\n", conf->conf_file, line, - scancnt); + _pam_log(pamh, LOG_ERR, + "ERROR reading %s, line %d:" + " only %d fields\n", conf->conf_file, + line, scancnt); else - conf->debug = 1; + conf->debug = 1; continue; } @@ -601,12 +623,12 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) _pam_log(pamh, LOG_ERR, "ERROR reading %s, line %d:" " only %d fields\n", conf->conf_file, line, scancnt); - continue; /* invalid line */ + continue; /* invalid line */ } if (scancnt < 4) { src_ip[0] = 0; if (scancnt < 3) - timeout = 3; /* default timeout */ + timeout = 3; /* default timeout */ } /* read it in and save the data */ @@ -616,7 +638,7 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) server = server->next; } else { conf->server = tmp; - server= tmp; /* first time */ + server = tmp; /* first time */ } /* sometime later do memory checks here */ 
@@ -636,13 +658,13 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) memset(&salocal, 0, sizeof(salocal)); get_ipaddr(src_ip, (struct sockaddr *)&salocal, NULL); switch (salocal.ss_family) { - case AF_INET: - memcpy(&salocal4, &salocal, sizeof(salocal)); - break; - case AF_INET6: - seen_v6 = 1; - memcpy(&salocal6, &salocal, sizeof(salocal)); - break; + case AF_INET: + memcpy(&salocal4, &salocal, sizeof(salocal)); + break; + case AF_INET6: + seen_v6 = 1; + memcpy(&salocal6, &salocal, sizeof(salocal)); + break; } } } @@ -655,11 +677,11 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) } /* - * FIXME- we could have different source-ips for different servers, so - * sockfd should probably be in the server struct, not in the conf struct. + * FIXME- we could have different source-ips for different servers, so + * sockfd should probably be in the server struct, not in the conf struct. */ - /* open a socket. Dies if it fails */ + /* open a socket. Dies if it fails */ conf->sockfd = socket(AF_INET, SOCK_DGRAM, 0); if (conf->sockfd < 0) { char error_string[BUFFER_SIZE]; @@ -668,11 +690,10 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) error_string); return PAM_AUTHINFO_UNAVAIL; } - #ifndef HAVE_POLL_H if (conf->sockfd >= FD_SETSIZE) { _pam_log(pamh, LOG_ERR, "Unusable socket, FD is larger than" - " %d\n", FD_SETSIZE); + " %d\n", FD_SETSIZE); close(conf->sockfd); return PAM_AUTHINFO_UNAVAIL; } 
@@ -681,25 +702,28 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) if (vrfname[0]) { /* do not fail if the bind fails, connection may succeed */ if (setsockopt(conf->sockfd, SOL_SOCKET, SO_BINDTODEVICE, - vrfname, strlen(vrfname)+1) < 0) - _pam_log(pamh, LOG_WARNING, "Binding IPv4 socket to VRF %s" - " failed: %m", vrfname); - else if(conf->debug) - _pam_log(pamh, LOG_DEBUG, "Configured IPv4 vrf as: %s", - vrfname); + vrfname, strlen(vrfname) + 1) < 0) + _pam_log(pamh, LOG_WARNING, + "Binding IPv4 socket to VRF %s" " failed: %m", + vrfname); + else if (conf->debug) + _pam_log(pamh, LOG_DEBUG, "Configured IPv4 vrf as: %s", + vrfname); } /* set up the local end of the socket communications */ - if (bind(conf->sockfd, (struct sockaddr *)&salocal4, sizeof (struct sockaddr_in)) < 0) { + if (bind + (conf->sockfd, (struct sockaddr *)&salocal4, + sizeof(struct sockaddr_in)) < 0) { char error_string[BUFFER_SIZE]; get_error_string(errno, error_string, sizeof(error_string)); _pam_log(pamh, LOG_ERR, "Failed binding to port: %s", - error_string); + error_string); close(conf->sockfd); return PAM_AUTHINFO_UNAVAIL; } - /* open a IPv6 socket. Dies if it fails */ + /* open a IPv6 socket. Dies if it fails */ conf->sockfd6 = socket(AF_INET6, SOCK_DGRAM, 0); if (conf->sockfd6 < 0) { if (!seen_v6) @@ -707,14 +731,14 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) char error_string[BUFFER_SIZE]; get_error_string(errno, error_string, sizeof(error_string)); _pam_log(pamh, LOG_ERR, "Failed to open RADIUS IPv6 socket:" - " %s\n", error_string); + " %s\n", error_string); close(conf->sockfd); return PAM_AUTHINFO_UNAVAIL; } #ifndef HAVE_POLL_H if (conf->sockfd6 >= FD_SETSIZE) { _pam_log(pamh, LOG_ERR, "Unusable socket, FD is larger than" - " %d\n", FD_SETSIZE); + " %d\n", FD_SETSIZE); close(conf->sockfd); close(conf->sockfd6); return PAM_AUTHINFO_UNAVAIL; 
@@ -723,16 +747,19 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) if (vrfname[0]) { /* do not fail if the bind fails, connection may succeed */ if (setsockopt(conf->sockfd6, SOL_SOCKET, SO_BINDTODEVICE, - vrfname, strlen(vrfname)+1) < 0) - _pam_log(pamh, LOG_WARNING, "Binding IPv6 socket to VRF %s" - " failed: %m", vrfname); - else if(conf->debug) - _pam_log(pamh, LOG_DEBUG, "Configured IPv6 vrf as: %s", - vrfname); + vrfname, strlen(vrfname) + 1) < 0) + _pam_log(pamh, LOG_WARNING, + "Binding IPv6 socket to VRF %s" " failed: %m", + vrfname); + else if (conf->debug) + _pam_log(pamh, LOG_DEBUG, "Configured IPv6 vrf as: %s", + vrfname); } /* set up the local end of the socket communications */ - if (bind(conf->sockfd6, (struct sockaddr *)&salocal6, sizeof (struct sockaddr_in6)) < 0) { + if (bind + (conf->sockfd6, (struct sockaddr *)&salocal6, + sizeof(struct sockaddr_in6)) < 0) { char error_string[BUFFER_SIZE]; get_error_string(errno, error_string, sizeof(error_string)); _pam_log(pamh, LOG_ERR, "Failed binding to IPv6 port: %s", @@ -749,7 +776,8 @@ static int initialize(pam_handle_t *pamh, radius_conf_t *conf, int accounting) * Helper function for building a radius packet. * It initializes *some* of the header, and adds common attributes. */ -static void build_radius_packet(AUTH_HDR *request, CONST char *user, CONST char *password, radius_conf_t *conf) +static void build_radius_packet(AUTH_HDR * request, CONST char *user, + CONST char *password, radius_conf_t * conf) { char hostname[256]; 
@@ -762,16 +790,18 @@ static void build_radius_packet(AUTH_HDR *request, CONST char *user, CONST char get_random_vector(request->vector); } - add_attribute(request, PW_USER_NAME, (unsigned char *) user, strlen(user)); + add_attribute(request, PW_USER_NAME, (unsigned char *)user, + strlen(user)); /* - * Add a password, if given. + * Add a password, if given. */ if (password) { - add_password(request, PW_PASSWORD, password, conf->server->secret); + add_password(request, PW_PASSWORD, password, + conf->server->secret); /* - * Add a NULL password to non-accounting requests. + * Add a NULL password to non-accounting requests. */ } else if (request->code != PW_ACCOUNTING_REQUEST) { add_password(request, PW_PASSWORD, "", conf->server->secret); @@ -782,13 +812,15 @@ static void build_radius_packet(AUTH_HDR *request, CONST char *user, CONST char /* There's always a NAS identifier */ if (conf->client_id && *conf->client_id) { - add_attribute(request, PW_NAS_IDENTIFIER, (unsigned char *) conf->client_id, strlen(conf->client_id)); + add_attribute(request, PW_NAS_IDENTIFIER, + (unsigned char *)conf->client_id, + strlen(conf->client_id)); } /* - * Add in the port (pid) and port type (virtual). + * Add in the port (pid) and port type (virtual). * - * We might want to give the TTY name here, too. + * We might want to give the TTY name here, too. */ add_int_attribute(request, PW_NAS_PORT_ID, getpid()); add_int_attribute(request, PW_NAS_PORT_TYPE, PW_NAS_PORT_TYPE_VIRTUAL); @@ -798,8 +830,9 @@ static void build_radius_packet(AUTH_HDR *request, CONST char *user, CONST char * Talk RADIUS to a server. * Send a packet and get the response */ -static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *response, - char *password, char *old_password, int tries, pam_handle_t *pamh) +static int talk_radius(radius_conf_t * conf, AUTH_HDR * request, + AUTH_HDR * response, char *password, char *old_password, + int tries, pam_handle_t * pamh) { int total_length; #ifdef HAVE_POLL_H 
@@ -821,12 +854,12 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons /* Now that we're done building the request, we can send it */ /* - Hmm... on password change requests, all of the found server information - could be saved with a pam_set_data(), which means even the radius_conf_t - information will have to be malloc'd at some point + Hmm... on password change requests, all of the found server information + could be saved with a pam_set_data(), which means even the radius_conf_t + information will have to be malloc'd at some point - On the other hand, we could just try all of the servers again in - sequence, on the off chance that one may have ended up fixing itself. + On the other hand, we could just try all of the servers again in + sequence, on the off chance that one may have ended up fixing itself. */ 
@@ -842,50 +875,56 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons "Failed looking up IP address for RADIUS server %s (error=%s)", server->hostname, gai_strerror(retval)); ok = FALSE; - goto next; /* skip to the next server */ + goto next; /* skip to the next server */ } - if (!password) { /* make an RFC 2139 p6 request authenticator */ + if (!password) { /* make an RFC 2139 p6 request authenticator */ get_accounting_vector(request, server); } - sockfd = server->ip->sa_family == AF_INET ? conf->sockfd : conf->sockfd6; + sockfd = + server->ip->sa_family == + AF_INET ? conf->sockfd : conf->sockfd6; total_length = ntohs(request->length); server_tries = tries; - send: + send: /* send the packet */ - if (sendto(sockfd, (char *) request, total_length, 0, + if (sendto(sockfd, (char *)request, total_length, 0, server->ip, sizeof(struct sockaddr_storage)) < 0) { char error_string[BUFFER_SIZE]; - get_error_string(errno, error_string, sizeof(error_string)); - _pam_log(pamh, LOG_ERR, "Error sending RADIUS packet to" + get_error_string(errno, error_string, + sizeof(error_string)); + _pam_log(pamh, LOG_ERR, + "Error sending RADIUS packet to" " server %s: %s", server->hostname, error_string); ok = FALSE; - goto next; /* skip to the next server */ + goto next; /* skip to the next server */ } /* ************************************************************ */ /* Wait for the response, and verify it. 
*/ time(&now); - tv.tv_sec = server->timeout; /* wait for the specified time */ + tv.tv_sec = server->timeout; /* wait for the specified time */ tv.tv_usec = 0; end = now + tv.tv_sec; #ifdef HAVE_POLL_H - pollfds[0].fd = sockfd; /* wait only for the RADIUS UDP socket */ - pollfds[0].events = POLLIN; /* wait for data to read */ + pollfds[0].fd = sockfd; /* wait only for the RADIUS UDP socket */ + pollfds[0].events = POLLIN; /* wait for data to read */ #else - FD_ZERO(&set); /* clear out the set */ - FD_SET(sockfd, &set); /* wait only for the RADIUS UDP socket */ + FD_ZERO(&set); /* clear out the set */ + FD_SET(sockfd, &set); /* wait only for the RADIUS UDP socket */ #endif /* loop, waiting for the network to return data */ ok = TRUE; while (ok) { #ifdef HAVE_POLL_H - rcode = poll((struct pollfd *) &pollfds, 1, tv.tv_sec * 1000); + rcode = + poll((struct pollfd *)&pollfds, 1, + tv.tv_sec * 1000); #else rcode = select(sockfd + 1, &set, NULL, NULL, &tv); #endif @@ -893,12 +932,13 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons /* timed out */ if (rcode == 0) { _pam_log(pamh, LOG_ERR, "RADIUS server %s" - " failed to respond", server->hostname); + " failed to respond", + server->hostname); if (--server_tries) { goto send; } ok = FALSE; - break; /* exit from the loop */ + break; /* exit from the loop */ } else if (rcode < 0) { /* poll returned an error */ 
@@ -910,27 +950,31 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons "RADIUS server %s " "failed to respond", server->hostname); - if (--server_tries) goto send; + if (--server_tries) + goto send; ok = FALSE; - break; /* exit from the loop */ + break; /* exit from the loop */ } tv.tv_sec = end - now; - if (tv.tv_sec == 0) { /* keep waiting */ + if (tv.tv_sec == 0) { /* keep waiting */ tv.tv_sec = 1; } - } else { /* not an interrupt, it was a real error */ + } else { /* not an interrupt, it was a real error */ char error_string[BUFFER_SIZE]; - get_error_string(errno, error_string, sizeof(error_string)); - _pam_log(pamh, LOG_ERR, "Error waiting" + get_error_string(errno, error_string, + sizeof(error_string)); + _pam_log(pamh, LOG_ERR, + "Error waiting" " for response from RADIUS" " server %s: %s", - server->hostname, error_string); + server->hostname, + error_string); ok = FALSE; break; } - /* the call returned OK */ + /* the call returned OK */ #ifdef HAVE_POLL_H } else if (pollfds[0].revents & POLLIN) { #else 
@@ -938,28 +982,34 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons #endif /* try to receive some data */ - if ((total_length = recvfrom(sockfd, (void *) response, BUFFER_SIZE, - 0, NULL, NULL)) < 0) { + if ((total_length = + recvfrom(sockfd, (void *)response, + BUFFER_SIZE, 0, NULL, + NULL)) < 0) { char error_string[BUFFER_SIZE]; - get_error_string(errno, error_string, sizeof(error_string)); - _pam_log(pamh, LOG_ERR, "error reading" + get_error_string(errno, error_string, + sizeof(error_string)); + _pam_log(pamh, LOG_ERR, + "error reading" " RADIUS packet from server" " %s: %s", server->hostname, error_string); ok = FALSE; break; - /* there's data, see if it's valid */ + /* there's data, see if it's valid */ } else { char *p = server->secret; - if ((ntohs(response->length) != total_length) || - (ntohs(response->length) > BUFFER_SIZE)) { + if ((ntohs(response->length) != + total_length) + || (ntohs(response->length) > + BUFFER_SIZE)) { _pam_log(pamh, LOG_ERR, "RADIUS packet from " "server %s is " "corrupted", - server->hostname); + server->hostname); ok = FALSE; break; } 
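Review bot: The length check after recvfrom() reads `response->length` before confirming the datagram holds a full RADIUS header, so a runt packet of fewer than 4 bytes compares stale buffer contents against `total_length`; RFC 2865 §3 requires packets shorter than 20 octets to be silently discarded. Add the floor ahead of the existing test, e.g. `if (total_length < (int)sizeof(AUTH_HDR) || ntohs(response->length) != total_length)`, after which the `> BUFFER_SIZE` clause is redundant because `total_length` is already bounded by the recvfrom() size. Whether the socket is connected to the server address is not visible here; if it is not, the `NULL, NULL` recvfrom() accepts datagrams from any source and relies solely on the later verify_packet() check. talk_radius() begins and ends outside this hunk.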
@@ -970,21 +1020,23 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons #ifdef LIVINGSTON_PASSWORD_VERIFY_BUG_FIXED p = old_password; /* what it should be */ #else - p = ""; /* what it really is */ + p = ""; /* what it really is */ #endif } - /* - * RFC 2139 p.6 says not do do this, but the Livingston 1.16 - * server disagrees. If the user says he wants the bug, give in. - */ - } else { /* authentication request */ + /* + * RFC 2139 p.6 says not do do this, but the Livingston 1.16 + * server disagrees. If the user says he wants the bug, give in. + */ + } else { /* authentication request */ if (conf->accounting_bug) { p = ""; } } - if (!verify_packet(p, response, request)) { - _pam_log(pamh, LOG_ERR, "packet" + if (!verify_packet + (p, response, request)) { + _pam_log(pamh, LOG_ERR, + "packet" " from RADIUS server %s" " failed verification:" " The shared secret is" @@ -1004,7 +1056,8 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons " request packet ID" " %d: verification of" " packet fails", - response->id, request->id); + response->id, + request->id); ok = FALSE; break; } @@ -1012,7 +1065,7 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons /* * Whew! The poll is done. It hasn't timed out, or errored out. - * It's our descriptor. We've got some data. It's the right size. + * It's our descriptor. We've got some data. It's the right size. * The packet is valid. * NOW, we can skip out of the loop, and process the packet */ @@ -1021,8 +1074,8 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons /* otherwise, we've got data on another descriptor, keep checking the network */ } - /* go to the next server if this one didn't respond */ - next: + /* go to the next server if this one didn't respond */ + next: if (!ok) { radius_server_t *old; /* forget about this server */ 
@@ -1034,7 +1087,7 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons free(old->hostname); free(old); - if (server) { /* if there's more servers to check */ + if (server) { /* if there's more servers to check */ /* get a new authentication vector, and update the passwords */ get_random_vector(request->vector); request->id = request->vector[0]; @@ -1043,10 +1096,19 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons if (password) { get_random_vector(request->vector); if (old_password) { /* password change request */ - add_password(request, PW_PASSWORD, password, old_password); - add_password(request, PW_OLD_PASSWORD, old_password, old_password); - } else { /* authentication request */ - add_password(request, PW_PASSWORD, password, server->secret); + add_password(request, + PW_PASSWORD, + password, + old_password); + add_password(request, + PW_OLD_PASSWORD, + old_password, + old_password); + } else { /* authentication request */ + add_password(request, + PW_PASSWORD, + password, + server->secret); } } } @@ -1082,7 +1144,8 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons #undef PAM_FAIL_CHECK #define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { return retval; } -static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char **password) +static int rad_converse(pam_handle_t * pamh, int msg_style, char *message, + char **password) { CONST struct pam_conv *conv; struct pam_message resp_msg; @@ -1095,10 +1158,10 @@ static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char * msg[0] = &resp_msg; /* grab the password */ - retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv); + retval = pam_get_item(pamh, PAM_CONV, (CONST void **)&conv); PAM_FAIL_CHECK; - retval = conv->conv(1, msg, &resp,conv->appdata_ptr); + retval = conv->conv(1, msg, &resp, conv->appdata_ptr); PAM_FAIL_CHECK; if (password) { /* assume msg.type needs a response */ 
@@ -1128,7 +1191,8 @@ static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char * pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free); \ return retval; } -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST char **argv) +PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, + CONST char **argv) { CONST char *user; CONST char *userinfo; @@ -1157,7 +1221,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c if ((user == NULL) || (strlen(user) > MAXPWNAM)) { int *pret = malloc(sizeof(int)); *pret = PAM_USER_UNKNOWN; - pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free); + pam_set_data(pamh, "rad_setcred_return", (void *)pret, + _int_free); DPRINT(pamh, LOG_DEBUG, "User name was NULL, or too long"); return PAM_USER_UNKNOWN; @@ -1165,15 +1230,18 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c DPRINT(pamh, LOG_DEBUG, "Got user name %s", user); if (ctrl & PAM_RUSER_ARG) { - retval = pam_get_item(pamh, PAM_RUSER, (CONST void **) &userinfo); + retval = + pam_get_item(pamh, PAM_RUSER, (CONST void **)&userinfo); PAM_FAIL_CHECK; DPRINT(pamh, LOG_DEBUG, "Got PAM_RUSER name %s", userinfo); if (!strcmp("root", user)) { user = userinfo; - DPRINT(pamh, LOG_DEBUG, "Username now %s from ruser", user); + DPRINT(pamh, LOG_DEBUG, "Username now %s from ruser", + user); } else { - DPRINT(pamh, LOG_DEBUG, "Skipping ruser for non-root auth"); + DPRINT(pamh, LOG_DEBUG, + "Skipping ruser for non-root auth"); } } @@ -1189,7 +1257,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c * keep track of which service is doing the authentication. */ if (!config.client_id) { - retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id); + retval = + pam_get_item(pamh, PAM_SERVICE, + (CONST void **)&config.client_id); PAM_FAIL_CHECK; } 
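Review bot: In the `ctrl & PAM_RUSER_ARG` branch `userinfo` is never checked for NULL, yet pam_get_item() returns PAM_SUCCESS with a NULL item when PAM_RUSER was not set, so `user = userinfo` leaves `user` NULL for the `DPRINT("... %s", user)` and every later use. Guard the substitution, e.g. `if (userinfo && !strcmp("root", user))`, or fail with PAM_USER_UNKNOWN the way the earlier NULL/too-long check does; that `MAXPWNAM` bound ran on the original `user` before the swap, so the ruser value also bypasses it unless re-checked. PAM_RUSER is supplied by the calling application and is only as trustworthy as that application. pam_sm_authenticate() continues beyond this hunk.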
@@ -1200,14 +1270,15 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c /* build and initialize the RADIUS packet */ request->code = PW_AUTHENTICATION_REQUEST; get_random_vector(request->vector); - request->id = request->vector[0]; /* this should be evenly distributed */ + request->id = request->vector[0]; /* this should be evenly distributed */ /* grab the password (if any) from the previous authentication layer */ - if (!config.force_prompt) { - DPRINT(pamh, LOG_DEBUG, "ignore last_pass, force_prompt set"); - retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password); + if (!config.force_prompt) { + DPRINT(pamh, LOG_DEBUG, "ignore last_pass, force_prompt set"); + retval = + pam_get_item(pamh, PAM_AUTHTOK, (CONST void **)&password); PAM_FAIL_CHECK; - } + } if (password) { password = strdup(password); 
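Review bot: The debug message inside `if (!config.force_prompt)` says "ignore last_pass, force_prompt set", but that arm runs when force_prompt is NOT set and goes on to fetch PAM_AUTHTOK, so the log states the opposite of what happens. Move it to the other arm: `if (!config.force_prompt) { retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **)&password); PAM_FAIL_CHECK; } else { DPRINT(pamh, LOG_DEBUG, "ignore last_pass, force_prompt set"); }`. The `password = strdup(password)` that follows is unchecked; from the next hunk a NULL result appears to fall into the "prompt for a password" path rather than an error, which may be acceptable but deserves a comment. pam_sm_authenticate() continues outside this hunk.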
@@ -1223,32 +1294,35 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c /* check to see if we send a NULL password the first time around */ if (!(ctrl & PAM_SKIP_PASSWD)) { - retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, config.prompt, &password); + retval = + rad_converse(pamh, PAM_PROMPT_ECHO_OFF, + config.prompt, &password); PAM_FAIL_CHECK; } else { password = strdup(""); } - } /* end of password == NULL */ - + } + /* end of password == NULL */ build_radius_packet(request, user, password, &config); /* not all servers understand this service type, but some do */ add_int_attribute(request, PW_USER_SERVICE_TYPE, PW_AUTHENTICATE_ONLY); /* - * Tell the server which host the user is coming from. + * Tell the server which host the user is coming from. * - * Note that this is NOT the IP address of the machine running PAM! - * It's the IP address of the client. + * Note that this is NOT the IP address of the machine running PAM! + * It's the IP address of the client. */ - retval = pam_get_item(pamh, PAM_RHOST, (CONST void **) &rhost); + retval = pam_get_item(pamh, PAM_RHOST, (CONST void **)&rhost); PAM_FAIL_CHECK; if (rhost) { - add_attribute(request, PW_CALLING_STATION_ID, (unsigned char *) rhost, - strlen(rhost)); + add_attribute(request, PW_CALLING_STATION_ID, + (unsigned char *)rhost, strlen(rhost)); } - DPRINT(pamh, LOG_DEBUG, "Sending RADIUS request code %d", request->code); + DPRINT(pamh, LOG_DEBUG, "Sending RADIUS request code %d", + request->code); retval = talk_radius(&config, request, response, password, NULL, config.retries + 1, pamh); 
@@ -1257,11 +1331,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c DPRINT(pamh, LOG_DEBUG, "Got RADIUS response code %d", response->code); /* - * If we get an authentication failure, and we sent a NULL password, - * ask the user for one and continue. + * If we get an authentication failure, and we sent a NULL password, + * ask the user for one and continue. * - * If we get an access challenge, then do a response, for as many - * challenges as we receive. + * If we get an access challenge, then do a response, for as many + * challenges as we receive. */ while (response->code == PW_ACCESS_CHALLENGE) { attribute_t *a_state, *a_reply; @@ -1269,7 +1343,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c /* Now we do a bit more work: challenge the user, and get a response */ if (((a_state = find_attribute(response, PW_STATE)) == NULL) || - ((a_reply = find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) { + ((a_reply = + find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) { /* Actually, State isn't required. */ _pam_log(pamh, LOG_ERR, "RADIUS Access-Challenge" " received with State or Reply-Message" @@ -1279,7 +1354,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c } /* - * Security fixes. + * Security fixes. */ if ((a_state->length <= 2) || (a_reply->length <= 2)) { _pam_log(pamh, LOG_ERR, "RADIUS Access-Challenge" 
@@ -1293,38 +1368,44 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c challenge[a_reply->length - 2] = 0; /* It's full challenge-response, we should have echo on */ - retval = rad_converse(pamh, PAM_PROMPT_ECHO_ON, challenge, &resp2challenge); + retval = + rad_converse(pamh, PAM_PROMPT_ECHO_ON, challenge, + &resp2challenge); PAM_FAIL_CHECK; /* now that we've got a response, build a new radius packet */ build_radius_packet(request, user, resp2challenge, &config); /* request->code is already PW_AUTHENTICATION_REQUEST */ - request->id++; /* one up from the request */ + request->id++; /* one up from the request */ if (rhost) { - add_attribute(request, PW_CALLING_STATION_ID, (unsigned char *) rhost, - strlen(rhost)); + add_attribute(request, PW_CALLING_STATION_ID, + (unsigned char *)rhost, strlen(rhost)); } /* copy the state over from the servers response */ - add_attribute(request, PW_STATE, a_state->data, a_state->length - 2); + add_attribute(request, PW_STATE, a_state->data, + a_state->length - 2); - retval = talk_radius(&config, request, response, resp2challenge, NULL, - 1, pamh); + retval = + talk_radius(&config, request, response, resp2challenge, + NULL, 1, pamh); PAM_FAIL_CHECK; DPRINT(pamh, LOG_DEBUG, "Got response to challenge code %d", - response->code); + response->code); /* * max_challenge limits the # of challenges a server can issue * It's a workaround for buggy servers */ - if (config.max_challenge > 0 && response->code == PW_ACCESS_CHALLENGE) { + if (config.max_challenge > 0 + && response->code == PW_ACCESS_CHALLENGE) { num_challenge++; if (num_challenge >= config.max_challenge) { - DPRINT(pamh, LOG_DEBUG, "maximum number of challenges (%d)" - " reached, failing", num_challenge); + DPRINT(pamh, LOG_DEBUG, + "maximum number of challenges (%d)" + " reached, failing", num_challenge); break; } } 
@@ -1337,14 +1418,14 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c retval = PAM_AUTH_ERR; /* authentication failure */ } -do_next: + do_next: /* If there was a password pass it to the next layer */ if (password && *password) { pam_set_item(pamh, PAM_AUTHTOK, password); } DPRINT(pamh, LOG_DEBUG, "authentication %s", - retval==PAM_SUCCESS ? "succeeded":"failed"); + retval == PAM_SUCCESS ? "succeeded" : "failed"); close(config.sockfd); if (config.sockfd6 >= 0) @@ -1355,7 +1436,8 @@ do_next: { int *pret = malloc(sizeof(int)); *pret = retval; - pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free); + pam_set_data(pamh, "rad_setcred_return", (void *)pret, + _int_free); } return retval; } @@ -1366,20 +1448,22 @@ do_next: * (Always returning PAM_SUCCESS breaks other authentication modules; * always returning PAM_IGNORE breaks PAM when we're the only module.) */ -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc,CONST char **argv) +PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, + CONST char **argv) { int retval, *pret; retval = PAM_SUCCESS; pret = &retval; - pam_get_data(pamh, "rad_setcred_return", (CONST void **) &pret); + pam_get_data(pamh, "rad_setcred_return", (CONST void **)&pret); return *pret; } #undef PAM_FAIL_CHECK #define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { return PAM_SESSION_ERR; } -static int pam_private_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv, int status) +static int pam_private_session(pam_handle_t * pamh, int flags, int argc, + CONST char **argv, int status) { CONST char *user; CONST char *rhost; @@ -1391,7 +1475,7 @@ static int pam_private_session(pam_handle_t *pamh, int flags, int argc, CONST ch AUTH_HDR *response = (AUTH_HDR *) recv_buffer; radius_conf_t config; - (void) _pam_parse(pamh, argc, argv, &config); + (void)_pam_parse(pamh, argc, argv, &config); /* grab the user name */ retval = pam_get_user(pamh, &user, NULL); 
@@ -1414,7 +1498,9 @@ static int pam_private_session(pam_handle_t *pamh, int flags, int argc, CONST ch
  * keep track of which service is doing the authentication.
  */
 if (!config.client_id) {
- retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
+ retval =
+ pam_get_item(pamh, PAM_SERVICE,
+ (CONST void **)&config.client_id);
 PAM_FAIL_CHECK;
 }
@@ -1425,46 +1511,51 @@ static int pam_private_session(pam_handle_t *pamh, int flags, int argc, CONST ch /* build and initialize the RADIUS packet */ request->code = PW_ACCOUNTING_REQUEST; get_random_vector(request->vector); - request->id = request->vector[0]; /* this should be evenly distributed */ + request->id = request->vector[0]; /* this should be evenly distributed */ build_radius_packet(request, user, NULL, &config); add_int_attribute(request, PW_ACCT_STATUS_TYPE, status); - sprintf(recv_buffer, "%08d", (int) getpid()); - add_attribute(request, PW_ACCT_SESSION_ID, (unsigned char *) recv_buffer, strlen(recv_buffer)); + sprintf(recv_buffer, "%08d", (int)getpid()); + add_attribute(request, PW_ACCT_SESSION_ID, (unsigned char *)recv_buffer, + strlen(recv_buffer)); add_int_attribute(request, PW_ACCT_AUTHENTIC, PW_AUTH_RADIUS); if (status == PW_STATUS_START) { time_t *session_time = malloc(sizeof(time_t)); time(session_time); - pam_set_data(pamh, "rad_session_time", (void *) session_time, _int_free); + pam_set_data(pamh, "rad_session_time", (void *)session_time, + _int_free); } else { time_t *session_time; - retval = pam_get_data(pamh, "rad_session_time", (CONST void **) &session_time); + retval = + pam_get_data(pamh, "rad_session_time", + (CONST void **)&session_time); PAM_FAIL_CHECK; - add_int_attribute(request, PW_ACCT_SESSION_TIME, time(NULL) - *session_time); + add_int_attribute(request, PW_ACCT_SESSION_TIME, + time(NULL) - *session_time); } /* - * Tell the server which host the user is coming from. + * Tell the server which host the user is coming from. * - * Note that this is NOT the IP address of the machine running PAM! - * It's the IP address of the client. + * Note that this is NOT the IP address of the machine running PAM! + * It's the IP address of the client. 
*/ - retval = pam_get_item(pamh, PAM_RHOST, (CONST void **) &rhost); + retval = pam_get_item(pamh, PAM_RHOST, (CONST void **)&rhost); PAM_FAIL_CHECK; if (rhost) { - add_attribute(request, PW_CALLING_STATION_ID, (unsigned char *) rhost, - strlen(rhost)); + add_attribute(request, PW_CALLING_STATION_ID, + (unsigned char *)rhost, strlen(rhost)); } retval = talk_radius(&config, request, response, NULL, NULL, 1, pamh); PAM_FAIL_CHECK; - /* oops! They don't have the right password. Complain and die. */ + /* oops! They don't have the right password. Complain and die. */ if (response->code != PW_ACCOUNTING_RESPONSE) { retval = PAM_PERM_DENIED; goto error; @@ -1472,7 +1563,7 @@ static int pam_private_session(pam_handle_t *pamh, int flags, int argc, CONST ch retval = PAM_SUCCESS; -error: + error: close(config.sockfd); if (config.sockfd6 >= 0) @@ -1482,12 +1573,14 @@ error: return retval; } -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv) +PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc, + CONST char **argv) { return pam_private_session(pamh, flags, argc, argv, PW_STATUS_START); } -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv) +PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, int argc, + CONST char **argv) { return pam_private_session(pamh, flags, argc, argv, PW_STATUS_STOP); } @@ -1496,7 +1589,8 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, CON #define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {return retval; } #define MAX_PASSWD_TRIES 3 -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST char **argv) +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, + CONST char **argv) { CONST char *user; char *password = NULL; 
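Review bot: In the PW_STATUS_START branch the `malloc(sizeof(time_t))` result is used unchecked by `time(session_time)` and stored via pam_set_data(), so on allocation failure a NULL pointer is saved under "rad_session_time" and the Stop path dereferences it in `time(NULL) - *session_time`. Check the allocation, `if (!session_time) { retval = PAM_BUF_ERR; goto error; }`, and on the Stop side treat a NULL datum as an error before dereferencing. Separately, Acct-Session-Id is derived from `getpid()` alone (`sprintf(recv_buffer, "%08d", (int)getpid())`); pids are recycled, so an accounting server correlating Start/Stop by session id can see collisions across pid reuse or reboots, whereas RFC 2866 expects the id to be unique — combining the pid with the start time would avoid that. pam_private_session() begins before this hunk.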
@@ -1535,7 +1629,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c * keep track of which service is doing the authentication. */ if (!config.client_id) { - retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id); + retval = + pam_get_item(pamh, PAM_SERVICE, + (CONST void **)&config.client_id); PAM_FAIL_CHECK; } @@ -1544,26 +1640,30 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c #define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {goto error; } /* grab the old password (if any) from the previous password layer */ - retval = pam_get_item(pamh, PAM_OLDAUTHTOK, (CONST void **) &password); + retval = pam_get_item(pamh, PAM_OLDAUTHTOK, (CONST void **)&password); PAM_FAIL_CHECK; - if (password) password = strdup(password); + if (password) + password = strdup(password); /* grab the new password (if any) from the previous password layer */ - retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &new_password); + retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **)&new_password); PAM_FAIL_CHECK; - if (new_password) new_password = strdup(new_password); + if (new_password) + new_password = strdup(new_password); /* preliminary password change checks. */ if (flags & PAM_PRELIM_CHECK) { - if (!password) { /* no previous password: ask for one */ - retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, config.prompt, &password); + if (!password) { /* no previous password: ask for one */ + retval = + rad_converse(pamh, PAM_PROMPT_ECHO_OFF, + config.prompt, &password); PAM_FAIL_CHECK; } /* * We now check the password to see if it's the right one. * If it isn't, we let the user try again. - * Note that RADIUS doesn't have any concept of 'root'. The only way + * Note that RADIUS doesn't have any concept of 'root'. The only way * that root can change someone's password is to log into the RADIUS * server, and and change it there. */ 
@@ -1571,15 +1671,18 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c /* build and initialize the access request RADIUS packet */ request->code = PW_AUTHENTICATION_REQUEST; get_random_vector(request->vector); - request->id = request->vector[0]; /* this should be evenly distributed */ + request->id = request->vector[0]; /* this should be evenly distributed */ build_radius_packet(request, user, password, &config); - add_int_attribute(request, PW_USER_SERVICE_TYPE, PW_AUTHENTICATE_ONLY); + add_int_attribute(request, PW_USER_SERVICE_TYPE, + PW_AUTHENTICATE_ONLY); - retval = talk_radius(&config, request, response, password, NULL, 1, pamh); + retval = + talk_radius(&config, request, response, password, NULL, 1, + pamh); PAM_FAIL_CHECK; - /* oops! They don't have the right password. Complain and die. */ + /* oops! They don't have the right password. Complain and die. */ if (response->code != PW_AUTHENTICATION_ACK) { _pam_forget(password); retval = PAM_PERM_DENIED; 
@@ -1601,35 +1704,44 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c /* loop, trying to get a new password */ new_attempts = 0; while (new_attempts++ < 3) { - retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, - "New password: ", &new_password); + retval = + rad_converse(pamh, + PAM_PROMPT_ECHO_OFF, + "New password: ", + &new_password); PAM_FAIL_CHECK; - /* the old password may be short. Check it, first. */ - if (strcmp(password, new_password) == 0) { /* are they the same? */ - rad_converse(pamh, PAM_ERROR_MSG, - "You must choose a new password.", NULL); + /* the old password may be short. Check it, first. */ + if (strcmp(password, new_password) == 0) { /* are they the same? */ + rad_converse(pamh, + PAM_ERROR_MSG, + "You must choose a new password.", + NULL); _pam_forget(new_password); continue; } else if (strlen(new_password) < 6) { - rad_converse(pamh, PAM_ERROR_MSG, "it's WAY too short", NULL); + rad_converse(pamh, + PAM_ERROR_MSG, + "it's WAY too short", + NULL); _pam_forget(new_password); continue; } /* insert crypt password checking here */ - break; /* the new password is OK */ + break; /* the new password is OK */ } - if (new_attempts >= 3) { /* too many new password attempts: die */ + if (new_attempts >= 3) { /* too many new password attempts: die */ retval = PAM_AUTHTOK_ERR; goto error; } /* make sure of the password by asking for verification */ retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, - "New password (again): ", &check_password); + "New password (again): ", + &check_password); PAM_FAIL_CHECK; retval = strcmp(new_password, check_password); 
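Review bot: The new-password loop hard-codes the literal `3` in both `while (new_attempts++ < 3)` and `if (new_attempts >= 3)` even though `MAX_PASSWD_TRIES 3` is defined just above for this purpose; use the macro in both places so the limit lives in one spot. The `strlen(new_password) < 6` minimum is likewise a bare constant — give it a name such as `MIN_PASSWD_LEN`, and consider whether a client-side floor is wanted at all given that the RADIUS server is the authority on password policy. Also, `check_password` is compared with `new_password` but, unlike `new_password`, is not cleared with `_pam_forget()` on the mismatch path in the next hunk; confirm the `error:` cleanup wipes it. pam_sm_chauthtok() begins and ends outside this hunk.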
@@ -1639,20 +1751,22 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c if (retval != 0) { _pam_forget(new_password); rad_converse(pamh, PAM_ERROR_MSG, - "You must enter the same password twice.", NULL); + "You must enter the same password twice.", + NULL); retval = PAM_AUTHTOK_ERR; - goto error; /* ??? maybe this should be a 'continue' ??? */ + goto error; /* ??? maybe this should be a 'continue' ??? */ } - break; /* everything's fine */ + break; /* everything's fine */ } /* loop, trying to get matching new passwords */ - if (attempts >= 3) { /* too many new password attempts: die */ + if (attempts >= 3) { /* too many new password attempts: die */ retval = PAM_AUTHTOK_ERR; goto error; } - } /* now we have a new password which passes all of our tests */ + } + /* now we have a new password which passes all of our tests */ /* * Solaris 2.6 calls pam_sm_chauthtok only ONCE, with PAM_PRELIM_CHECK * set. @@ -1662,7 +1776,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c } else if (flags & PAM_UPDATE_AUTHTOK) { #endif - if (!password || !new_password) { /* ensure we've got passwords */ + if (!password || !new_password) { /* ensure we've got passwords */ retval = PAM_AUTHTOK_ERR; goto error; } 
@@ -1670,17 +1784,18 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c /* build and initialize the password change request RADIUS packet */ request->code = PW_PASSWORD_REQUEST; get_random_vector(request->vector); - request->id = request->vector[0]; /* this should be evenly distributed */ + request->id = request->vector[0]; /* this should be evenly distributed */ /* the secret here can not be know to the user, so it's the new password */ _pam_forget(config.server->secret); - config.server->secret = strdup(password); /* it's free'd later */ + config.server->secret = strdup(password); /* it's free'd later */ build_radius_packet(request, user, new_password, &config); add_password(request, PW_OLD_PASSWORD, password, password); - retval = talk_radius(&config, request, response, new_password, password, - 1, pamh); + retval = + talk_radius(&config, request, response, new_password, + password, 1, pamh); PAM_FAIL_CHECK; /* Whew! Done password changing, check for password acknowledge */ @@ -1695,7 +1810,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c * or if the password change request fails. */ if ((flags & PAM_PRELIM_CHECK) || (retval != PAM_SUCCESS)) { - error: + error: /* If there was a password pass it to the next layer */ if (password && *password) { @@ -1709,7 +1824,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c if (ctrl & PAM_DEBUG_ARG) { _pam_log(pamh, LOG_DEBUG, "password change %s", - retval==PAM_SUCCESS ? "succeeded" : "failed"); + retval == PAM_SUCCESS ? "succeeded" : "failed"); } close(config.sockfd); 
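Review bot: `config.server->secret = strdup(password)` is unchecked; a NULL result means the password-change request is built and sent with a NULL secret through `build_radius_packet()` and `talk_radius()`, which will dereference it while encoding the attributes. Check it and bail like the other failures in this function: `if (!config.server->secret) { retval = PAM_BUF_ERR; goto error; }`. The comment above it also has a typo, "can not be know to the user" should read "cannot be known to the user". pam_sm_chauthtok() continues outside this hunk.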
@@ -1726,13 +1841,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c
  * Do nothing for account management. This is apparently needed by
  * some programs.
  */
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc,CONST char **argv)
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
+ CONST char **argv)
 {
 int retval = PAM_SUCCESS;
 CONST char *user;
 radius_conf_t config;
- (void) _pam_parse(pamh, argc, argv, &config);
+ (void)_pam_parse(pamh, argc, argv, &config);
 /* grab the user name */
 retval = pam_get_user(pamh, &user, NULL);
@@ -1741,24 +1857,23 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc,CONST char } /* - * parse the config file. We don't make any connections here, so ignore - * any failures. For consistency only. - */ + * parse the config file. We don't make any connections here, so ignore + * any failures. For consistency only. + */ retval = initialize(pamh, &config, FALSE); /* - * set SUDO_PROMPT in env so that it prompts as the login user, not the mapped - * user, unless (unlikely) the prompt has already been set. - * It won't hurt to do this if the user wasn't mapped. - */ + * set SUDO_PROMPT in env so that it prompts as the login user, not the mapped + * user, unless (unlikely) the prompt has already been set. + * It won't hurt to do this if the user wasn't mapped. + */ if (!pam_getenv(pamh, "SUDO_PROMPT")) { - char nprompt[strlen("SUDO_PROMPT=[sudo] password for ") + - strlen(user) + 3]; /* + 3 for ": " and the \0 */ - snprintf(nprompt, sizeof nprompt, - "SUDO_PROMPT=[sudo] password for %s: ", user); - if (pam_putenv(pamh, nprompt) != PAM_SUCCESS) + char nprompt[strlen("SUDO_PROMPT=[sudo] password for ") + strlen(user) + 3]; /* + 3 for ": " and the \0 */ + snprintf(nprompt, sizeof nprompt, + "SUDO_PROMPT=[sudo] password for %s: ", user); + if (pam_putenv(pamh, nprompt) != PAM_SUCCESS) _pam_log(pamh, LOG_NOTICE, "failed to set PAM sudo" - " prompt (%s)", nprompt); + " prompt (%s)", nprompt); } return retval; diff --git a/src/pam_radius_auth.h b/src/pam_radius_auth.h index 8f389b5..5e69b37 100644 --- a/src/pam_radius_auth.h +++ b/src/pam_radius_auth.h 
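Review bot: The comment says config-file failures are ignored here, but `retval = initialize(pamh, &config, FALSE);` is the value the function finally returns, so whatever initialize() reports on failure (not visible in this hunk) becomes the account-management result; either the comment or the code is wrong. If ignoring is intended, write `(void)initialize(pamh, &config, FALSE);` and leave `retval` at PAM_SUCCESS, otherwise reword the comment. The `nprompt` VLA is sized from `strlen(user)` with no upper bound in this function (the `MAXPWNAM` check applied in pam_sm_authenticate() is absent here), and if sudo applies its `%`-escape expansion to SUDO_PROMPT as it does to `-p`, a user name containing `%` would be rewritten in the prompt; bounding the length and doubling any `%` would make it robust. pam_sm_acct_mgmt() begins before this hunk.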
@@ -31,52 +31,49 @@ #endif #if defined(HAVE_SECURITY_PAM_APPL_H) -# include <security/pam_appl.h> +#include <security/pam_appl.h> #elif defined(HAVE_PAM_PAM_APPL_H) -# include <pam/pam_appl.h> +#include <pam/pam_appl.h> #endif #if defined(HAVE_SECURITY_PAM_MODULES_H) -# include <security/pam_modules.h> +#include <security/pam_modules.h> #elif defined(HAVE_PAM_PAM_APPL_H) -# include <pam/pam_modules.h> +#include <pam/pam_modules.h> #else -# error security/pam_modules.h or pam/pam_modules.h required +#error security/pam_modules.h or pam/pam_modules.h required #endif - #include "radius.h" #include "md5.h" /* Defaults for the prompt option */ -#define MAXPROMPT 33 /* max prompt length, including '\0' */ -#define DEFAULT_PROMPT "Password" /* default prompt, without the ': ' */ - +#define MAXPROMPT 33 /* max prompt length, including '\0' */ +#define DEFAULT_PROMPT "Password" /* default prompt, without the ': ' */ /************************************************************************* * Platform specific defines *************************************************************************/ #ifndef CONST -# if defined(__sun) || defined(__linux__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__) +#if defined(__sun) || defined(__linux__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__) /* * On older versions of Solaris, you may have to change this to: * #define CONST */ -# define CONST const -# else -# define CONST -# endif +#define CONST const +#else +#define CONST +#endif #endif #ifndef PAM_EXTERN -# ifdef __sun -# define PAM_EXTERN extern -# else -# define PAM_EXTERN -# endif +#ifdef __sun +#define PAM_EXTERN extern +#else +#define PAM_EXTERN +#endif #endif - /************************************************************************* * Useful macros and defines 
@@ -93,23 +90,22 @@ #define PAM_TRY_FIRST_PASS 8 #define PAM_RUSER_ARG 16 - /* buffer size for IP address in string form */ #define MAX_IP_LEN 16 /* Module defines */ #ifndef BUFFER_SIZE #define BUFFER_SIZE 1024 -#endif /* BUFFER_SIZE */ -#define MAXPWNAM 253 /* maximum user name length. Server dependent, - * this is the default value - */ -#define MAXPASS 128 /* max password length. Again, depends on server - * compiled in. This is the default. - */ -#ifndef CONF_FILE /* the configuration file holding the server secret */ +#endif /* BUFFER_SIZE */ +#define MAXPWNAM 253 /* maximum user name length. Server dependent, + * this is the default value + */ +#define MAXPASS 128 /* max password length. Again, depends on server + * compiled in. This is the default. + */ +#ifndef CONF_FILE /* the configuration file holding the server secret */ #define CONF_FILE "/etc/raddb/server" -#endif /* CONF_FILE */ +#endif /* CONF_FILE */ #ifndef FALSE #define FALSE 0 @@ -117,7 +113,6 @@ #define TRUE !FALSE #endif - /************************************************************************* * Additional RADIUS definitions *************************************************************************/ @@ -154,4 +149,4 @@ typedef struct radius_conf_t { char prompt[MAXPROMPT]; } radius_conf_t; -#endif /* PAM_RADIUS_H */ +#endif /* PAM_RADIUS_H */ |