1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1998-2021 The OpenLDAP Foundation.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15 
16 #include "portable.h"
17 
18 #include <stdio.h>
19 
20 #include <lber.h>
21 #include <lber_pvt.h>	/* BER_BVC definition */
22 #include "lutil.h"
23 #include <ldap_pvt_thread.h>
24 #include <ac/string.h>
25 #include <ac/unistd.h>
26 
27 #include <radlib.h>
28 
extern char *global_host;	/* from slapd: this server's host name, sent as NAS-Identifier by chk_radius() */
static LUTIL_PASSWD_CHK_FUNC chk_radius;	/* forward declaration of the {RADIUS} checker */
static const struct berval scheme = BER_BVC("{RADIUS}");	/* userPassword prefix handled by this module */
static char *config_filename;	/* libradius config path from "config=" at load time; NULL if not given */
static ldap_pvt_thread_mutex_t libradius_mutex;	/* serialises all libradius use; held across the whole RADIUS exchange in chk_radius() */
34 
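/*
 * Returns non-zero when bv holds a NUL-terminated string with no embedded
 * NUL bytes, i.e. when bv->bv_val can safely be handed to libradius's
 * rad_put_string().  Relies on the slapd convention that a berval's buffer
 * carries a terminating NUL at bv_val[bv_len] (the read at that index is
 * only valid under that convention).  A NULL berval or NULL buffer is
 * rejected rather than dereferenced.
 */
static int
bv_is_cstring( const struct berval *bv )
{
	size_t	i;

	if ( bv == NULL || bv->bv_val == NULL ) {
		return 0;
	}

	for ( i = 0; i < bv->bv_len; i++ ) {
		if ( bv->bv_val[ i ] == '\0' ) {
			return 0;	/* embedded NUL: would truncate the value */
		}
	}

	/* must behave like a C string: terminator right after the data */
	return bv->bv_val[ bv->bv_len ] == '\0';
}

/*
 * {RADIUS} password scheme checker registered via lutil_passwd_add().
 *
 * passwd is the value stored after the "{RADIUS}" prefix and is used as
 * the RADIUS User-Name; cred is the password presented at bind time and
 * is sent as User-Password.  Both go into an Access-Request built from
 * the libradius configuration in config_filename (NULL lets libradius
 * choose its own default).  sc (the scheme prefix) is unused and text is
 * never set.
 *
 * Returns LUTIL_PASSWD_OK only on Access-Accept.  Access-Reject,
 * Access-Challenge (challenge/response is not supported), a missing or
 * invalid response, libradius configuration or request-building errors,
 * and inputs that are not plain C strings all yield LUTIL_PASSWD_ERR, so
 * the check fails closed.
 *
 * libradius_mutex is held for the whole exchange, including the network
 * round trip, which serialises every {RADIUS} bind on this server.
 *
 * NOTE(review): the bind password leaves this process inside the RADIUS
 * User-Password attribute; the path to the RADIUS server is assumed to be
 * trusted — confirm for the deployment.
 */
static int
chk_radius(
	const struct berval	*sc,
	const struct berval	*passwd,
	const struct berval	*cred,
	const char		**text )
{
	int			rc = LUTIL_PASSWD_ERR;
	struct rad_handle	*h;

	/* libradius takes C strings: refuse anything with embedded NULs */
	if ( !bv_is_cstring( cred ) || !bv_is_cstring( passwd ) ) {
		return LUTIL_PASSWD_ERR;
	}

	ldap_pvt_thread_mutex_lock( &libradius_mutex );

	h = rad_auth_open();
	if ( h == NULL ) {
		goto unlock;
	}

	if ( rad_config( h, config_filename ) != 0 ) {
		goto done;
	}

	if ( rad_create_request( h, RAD_ACCESS_REQUEST ) != 0 ) {
		goto done;
	}

	/*
	 * Any attribute that cannot be added (e.g. an over-long value) aborts
	 * the request.  global_host is assumed non-NULL once slapd is running —
	 * TODO confirm; rad_put_string() would dereference it.
	 */
	if ( rad_put_string( h, RAD_USER_NAME, passwd->bv_val ) != 0
		|| rad_put_string( h, RAD_USER_PASSWORD, cred->bv_val ) != 0
		|| rad_put_string( h, RAD_NAS_IDENTIFIER, global_host ) != 0 )
	{
		goto done;
	}

	switch ( rad_send_request( h ) ) {
	case RAD_ACCESS_ACCEPT:
		rc = LUTIL_PASSWD_OK;
		break;

	case RAD_ACCESS_REJECT:
		rc = LUTIL_PASSWD_ERR;
		break;

	case RAD_ACCESS_CHALLENGE:
		/* no challenge/response support: a challenge is a failure */
		rc = LUTIL_PASSWD_ERR;
		break;

	case -1:
		/* no valid response received: fail closed */
		rc = LUTIL_PASSWD_ERR;
		break;

	default:
		/* anything unexpected from libradius is also a failure */
		rc = LUTIL_PASSWD_ERR;
		break;
	}

done:
	rad_close( h );
unlock:
	ldap_pvt_thread_mutex_unlock( &libradius_mutex );
	return rc;
}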
119 
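/*
 * Module teardown.  Destroys the libradius serialisation mutex and
 * releases the configuration file name duplicated by init_module(), so a
 * later init_module() starts from a clean slate and nothing is leaked on
 * unload.  Returns the ldap_pvt_thread_mutex_destroy() status.  Must not
 * run while a chk_radius() call may still hold the mutex.
 */
int
term_module()
{
	int	rc;

	rc = ldap_pvt_thread_mutex_destroy( &libradius_mutex );

	/* counterpart of the ber_strdup() in init_module() */
	if ( config_filename != NULL ) {
		ber_memfree( config_filename );
		config_filename = NULL;
	}

	return rc;
}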
125 
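/*
 * Module entry point invoked when slapd loads this module.  The only
 * accepted argument is "config=<path>", naming the libradius
 * configuration file chk_radius() will use; any other argument is
 * reported on stderr and rejects the load.  Without "config=",
 * config_filename stays NULL and libradius's own default applies.
 *
 * Initialises libradius_mutex and registers the {RADIUS} scheme with
 * lutil_passwd_add(), whose status is returned.  Returns 1 on an unknown
 * argument, on allocation failure, or if the mutex cannot be initialised.
 */
int
init_module( int argc, char *argv[] )
{
	int	i;

	for ( i = 0; i < argc; i++ ) {
		if ( strncasecmp( argv[ i ], "config=", STRLENOF( "config=" ) ) != 0 ) {
			fprintf( stderr, "init_module(radius): unknown arg#%d=\"%s\".\n",
				i, argv[ i ] );
			return 1;
		}

		/* FIXME: what if multiple loads of same module?
		 * does it make sense (e.g. override an existing one)?
		 * For now the first config= wins and later ones are ignored. */
		if ( config_filename == NULL ) {
			config_filename = ber_strdup( &argv[ i ][ STRLENOF( "config=" ) ] );
			if ( config_filename == NULL ) {
				/* don't silently fall back to libradius's default file */
				fprintf( stderr, "init_module(radius): out of memory.\n" );
				return 1;
			}
		}
	}

	if ( ldap_pvt_thread_mutex_init( &libradius_mutex ) != 0 ) {
		fprintf( stderr, "init_module(radius): mutex init failed.\n" );
		return 1;
	}

	/*
	 * lutil_passwd_add() takes a non-const berval, so the cast drops the
	 * const on a static const object; it is presumed to only store and
	 * read the pointer — writing through it would be undefined behaviour.
	 */
	return lutil_passwd_add( (struct berval *)&scheme, chk_radius, NULL );
}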
150