[exim.git] / src / src / auths / call_radius.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) The Exim Maintainers 2020 */
/* Copyright (c) University of Cambridge 1995 - 2016 */
/* See the file NOTICE for conditions of use and distribution. */

/* This file was originally supplied by Ian Kirk. The libradius support came
from Alex Kiernan. */

/* ugly hack to work around redefinition of ENV by radiusclient.h and
 * db.h: define _DB_H_ so the db.h include thinks it's already included,
 * we can get away with it like this, since this file doesn't use any db
 * functions. */
#ifndef _DB_H_
# define _DB_H_ 1
# define _DB_EXT_PROT_IN_ 1
# define DB void
#endif

#include "../exim.h"

/* This module contains functions that call the Radius authentication
mechanism.

We can't just compile this code and allow the library mechanism to omit the
functions if they are not wanted, because we need to have the Radius headers
available for compiling. Therefore, compile these functions only if
RADIUS_CONFIG_FILE is defined. However, some compilers don't like compiling
empty modules, so keep them happy with a dummy when skipping the rest. Make it
reference itself to stop picky compilers complaining that it is unused, and put
in a dummy argument to stop even pickier compilers complaining about infinite
loops. Then use a mutually-recursive pair as gcc is just getting stupid. */

#ifndef RADIUS_CONFIG_FILE
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
#else  /* RADIUS_CONFIG_FILE */


/* Two different Radius libraries are supported. The default is radiusclient,
using its original API. At release 0.4.0 the API changed. */

#ifdef RADIUS_LIB_RADLIB
  #include <radlib.h>
#else
  #if !defined(RADIUS_LIB_RADIUSCLIENT) && !defined(RADIUS_LIB_RADIUSCLIENTNEW)
  # define RADIUS_LIB_RADIUSCLIENT
  #endif

  #ifdef RADIUS_LIB_RADIUSCLIENTNEW
  # include <freeradius-client.h>
  #else
  # include <radiusclient.h>
  #endif
#endif


/*************************************************
*              Perform RADIUS authentication     *
*************************************************/

/* This function calls the Radius authentication mechanism, passing over one or
more data strings.

Arguments:
  s        a colon-separated list of strings
  errptr   where to point an error message

Returns:   OK if authentication succeeded
           FAIL if authentication failed
           ERROR some other error condition
*/

int
auth_call_radius(const uschar *s, uschar **errptr)
{
uschar *user;
const uschar *radius_args = s;
int result;
int sep = 0;

#ifdef RADIUS_LIB_RADLIB
  struct rad_handle *h;
#else
  #ifdef RADIUS_LIB_RADIUSCLIENTNEW
    rc_handle *h;
  #endif
  VALUE_PAIR *send = NULL;
  VALUE_PAIR *received;
  unsigned int service = PW_AUTHENTICATE_ONLY;
  char msg[4096];
#endif


user = string_nextinlist(&radius_args, &sep, big_buffer, big_buffer_size);
if (!user) user = US"";

DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" "
               "and \"%s\"\n", user, radius_args);

*errptr = NULL;


/* Authenticate using the radiusclient library */

#ifndef RADIUS_LIB_RADLIB

rc_openlog("exim");

#ifdef RADIUS_LIB_RADIUSCLIENT
if (rc_read_config(RADIUS_CONFIG_FILE) != 0)
  *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);

else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0)
  *errptr = US"RADIUS: can't read dictionary";

else if (!rc_avpair_add(&send, PW_USER_NAME, user, 0))
  *errptr = US"RADIUS: add user name failed";

else if (!rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0))
  *errptr = US"RADIUS: add password failed");

else if (!rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0))
  *errptr = US"RADIUS: add service type failed";

#else  /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */

if (!(h = rc_read_config(RADIUS_CONFIG_FILE)))
  *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);

else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0)
  *errptr = US"RADIUS: can't read dictionary";

else if (!rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0))
  *errptr = US"RADIUS: add user name failed";

else if (!rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args,
    Ustrlen(radius_args), 0))
  *errptr = US"RADIUS: add password failed";

else if (!rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0))
  *errptr = US"RADIUS: add service type failed";

#endif  /* RADIUS_LIB_RADIUSCLIENT */

if (*errptr)
  {
  DEBUG(D_auth) debug_printf("%s\n", *errptr);
  return ERROR;
  }

#ifdef RADIUS_LIB_RADIUSCLIENT
result = rc_auth(0, send, &received, msg);
#else
result = rc_auth(h, 0, send, &received, msg);
#endif

DEBUG(D_auth) debug_printf("RADIUS code returned %d\n", result);

switch (result)
  {
  case OK_RC:
    return OK;

  case REJECT_RC:
  case ERROR_RC:
    return FAIL;

  case TIMEOUT_RC:
    *errptr = US"RADIUS: timed out";
    return ERROR;

  case BADRESP_RC:
  default:
    *errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
    return ERROR;
  }

#else  /* RADIUS_LIB_RADLIB is set */

/* Authenticate using the libradius library */

if (!(h = rad_auth_open()))
  {
  *errptr = string_sprintf("RADIUS: can't initialise libradius");
  return ERROR;
  }
if (rad_config(h, RADIUS_CONFIG_FILE) != 0 ||
    rad_create_request(h, RAD_ACCESS_REQUEST) != 0 ||
    rad_put_string(h, RAD_USER_NAME, CS user) != 0 ||
    rad_put_string(h, RAD_USER_PASSWORD, CS radius_args) != 0 ||
    rad_put_int(h, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) != 0 ||
    rad_put_string(h, RAD_NAS_IDENTIFIER, CS primary_hostname) != 0)
  {
  *errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
  result = ERROR;
  }
else
  switch (result = rad_send_request(h))
    {
    case RAD_ACCESS_ACCEPT:
      result = OK;
      break;

    case RAD_ACCESS_REJECT:
      result = FAIL;
      break;

    case -1:
      *errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
      result = ERROR;
      break;

    default:
      *errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
      result= ERROR;
      break;
    }

if (*errptr) DEBUG(D_auth) debug_printf("%s\n", *errptr);
rad_close(h);
return result;

#endif  /* RADIUS_LIB_RADLIB */
}

#endif  /* RADIUS_CONFIG_FILE */

/* End of call_radius.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
8ca559c8	5	/* Copyright (c) The Exim Maintainers 2020 */
80fea873	6	/* Copyright (c) University of Cambridge 1995 - 2016 */
0756eb3c PH	7	/* See the file NOTICE for conditions of use and distribution. */
	8
	9	/* This file was originally supplied by Ian Kirk. The libradius support came
	10	from Alex Kiernan. */
	11
27d93664 JH	12	/* ugly hack to work around redefinition of ENV by radiusclient.h and
	13	* db.h: define _DB_H_ so the db.h include thinks it's already included,
	14	* we can get away with it like this, since this file doesn't use any db
	15	* functions. */
	16	#ifndef _DB_H_
	17	# define _DB_H_ 1
	18	# define _DB_EXT_PROT_IN_ 1
	19	# define DB void
	20	#endif
	21
0756eb3c PH	22	#include "../exim.h"
	23
	24	/* This module contains functions that call the Radius authentication
	25	mechanism.
	26
	27	We can't just compile this code and allow the library mechanism to omit the
	28	functions if they are not wanted, because we need to have the Radius headers
	29	available for compiling. Therefore, compile these functions only if
	30	RADIUS_CONFIG_FILE is defined. However, some compilers don't like compiling
	31	empty modules, so keep them happy with a dummy when skipping the rest. Make it
	32	reference itself to stop picky compilers complaining that it is unused, and put
	33	in a dummy argument to stop even pickier compilers complaining about infinite
e1d15f5e	34	loops. Then use a mutually-recursive pair as gcc is just getting stupid. */
0756eb3c PH	35
0756eb3c PH	36	#ifndef RADIUS_CONFIG_FILE
e1d15f5e JH	37	static void dummy(int x);
	38	static void dummy2(int x) { dummy(x-1); }
	39	static void dummy(int x) { dummy2(x-1); }
0756eb3c PH	40	#else /* RADIUS_CONFIG_FILE */
	41
	42
7766a4f0 PH	43	/* Two different Radius libraries are supported. The default is radiusclient,
7766a4f0 PH	44	using its original API. At release 0.4.0 the API changed. */
0756eb3c PH	45
	46	#ifdef RADIUS_LIB_RADLIB
	47	#include <radlib.h>
	48	#else
7766a4f0	49	#if !defined(RADIUS_LIB_RADIUSCLIENT) && !defined(RADIUS_LIB_RADIUSCLIENTNEW)
27d93664 JH	50	# define RADIUS_LIB_RADIUSCLIENT
	51	#endif
	52
	53	#ifdef RADIUS_LIB_RADIUSCLIENTNEW
	54	# include <freeradius-client.h>
	55	#else
	56	# include <radiusclient.h>
0756eb3c	57	#endif
0756eb3c PH	58	#endif
	59
	60
	61
	62	/*************************************************
	63	* Perform RADIUS authentication *
	64	*************************************************/
	65
	66	/* This function calls the Radius authentication mechanism, passing over one or
	67	more data strings.
	68
	69	Arguments:
	70	s a colon-separated list of strings
	71	errptr where to point an error message
	72
	73	Returns: OK if authentication succeeded
	74	FAIL if authentication failed
	75	ERROR some other error condition
	76	*/
	77
	78	int
1b2adaee	79	auth_call_radius(const uschar s, uschar *errptr)
0756eb3c PH	80	{
0756eb3c PH	81	uschar *user;
1b2adaee	82	const uschar *radius_args = s;
0756eb3c PH	83	int result;
	84	int sep = 0;
	85
	86	#ifdef RADIUS_LIB_RADLIB
7766a4f0	87	struct rad_handle *h;
0756eb3c	88	#else
7766a4f0 PH	89	#ifdef RADIUS_LIB_RADIUSCLIENTNEW
	90	rc_handle *h;
	91	#endif
	92	VALUE_PAIR *send = NULL;
	93	VALUE_PAIR *received;
	94	unsigned int service = PW_AUTHENTICATE_ONLY;
	95	char msg[4096];
0756eb3c PH	96	#endif
	97
	98
	99	user = string_nextinlist(&radius_args, &sep, big_buffer, big_buffer_size);
8ca559c8	100	if (!user) user = US"";
0756eb3c PH	101
	102	DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" "
	103	"and \"%s\"\n", user, radius_args);
	104
	105	*errptr = NULL;
	106
	107
	108	/* Authenticate using the radiusclient library */
	109
7766a4f0	110	#ifndef RADIUS_LIB_RADLIB
0756eb3c PH	111
	112	rc_openlog("exim");
	113
7766a4f0	114	#ifdef RADIUS_LIB_RADIUSCLIENT
0756eb3c PH	115	if (rc_read_config(RADIUS_CONFIG_FILE) != 0)
	116	*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
	117
	118	else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0)
8ca559c8	119	*errptr = US"RADIUS: can't read dictionary";
0756eb3c	120
8ca559c8 FG	121	else if (!rc_avpair_add(&send, PW_USER_NAME, user, 0))
8ca559c8 FG	122	*errptr = US"RADIUS: add user name failed";
0756eb3c	123
8ca559c8 FG	124	else if (!rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0))
8ca559c8 FG	125	*errptr = US"RADIUS: add password failed");
0756eb3c	126
8ca559c8 FG	127	else if (!rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0))
8ca559c8 FG	128	*errptr = US"RADIUS: add service type failed";
0756eb3c	129
7766a4f0 PH	130	#else /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */
7766a4f0 PH	131
8ca559c8	132	if (!(h = rc_read_config(RADIUS_CONFIG_FILE)))
7766a4f0 PH	133	*errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
	134
	135	else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0)
8ca559c8	136	*errptr = US"RADIUS: can't read dictionary";
7766a4f0	137
8ca559c8 FG	138	else if (!rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0))
8ca559c8 FG	139	*errptr = US"RADIUS: add user name failed";
7766a4f0	140
8ca559c8 FG	141	else if (!rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args,
	142	Ustrlen(radius_args), 0))
	143	*errptr = US"RADIUS: add password failed";
7766a4f0	144
8ca559c8 FG	145	else if (!rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0))
8ca559c8 FG	146	*errptr = US"RADIUS: add service type failed";
7766a4f0 PH	147
	148	#endif /* RADIUS_LIB_RADIUSCLIENT */
	149
8ca559c8	150	if (*errptr)
0756eb3c PH	151	{
	152	DEBUG(D_auth) debug_printf("%s\n", *errptr);
	153	return ERROR;
	154	}
	155
7766a4f0	156	#ifdef RADIUS_LIB_RADIUSCLIENT
0756eb3c	157	result = rc_auth(0, send, &received, msg);
7766a4f0 PH	158	#else
	159	result = rc_auth(h, 0, send, &received, msg);
	160	#endif
	161
0756eb3c PH	162	DEBUG(D_auth) debug_printf("RADIUS code returned %d\n", result);
	163
	164	switch (result)
	165	{
	166	case OK_RC:
8ca559c8	167	return OK;
0756eb3c	168
860cdda2	169	case REJECT_RC:
0756eb3c	170	case ERROR_RC:
8ca559c8	171	return FAIL;
0756eb3c PH	172
0756eb3c PH	173	case TIMEOUT_RC:
8ca559c8 FG	174	*errptr = US"RADIUS: timed out";
8ca559c8 FG	175	return ERROR;
0756eb3c	176
0756eb3c	177	case BADRESP_RC:
8ca559c8 FG	178	default:
	179	*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
	180	return ERROR;
0756eb3c PH	181	}
0756eb3c PH	182
7766a4f0	183	#else /* RADIUS_LIB_RADLIB is set */
0756eb3c PH	184
	185	/* Authenticate using the libradius library */
	186
8ca559c8	187	if (!(h = rad_auth_open()))
0756eb3c PH	188	{
	189	*errptr = string_sprintf("RADIUS: can't initialise libradius");
	190	return ERROR;
	191	}
	192	if (rad_config(h, RADIUS_CONFIG_FILE) != 0 \|\|
	193	rad_create_request(h, RAD_ACCESS_REQUEST) != 0 \|\|
	194	rad_put_string(h, RAD_USER_NAME, CS user) != 0 \|\|
	195	rad_put_string(h, RAD_USER_PASSWORD, CS radius_args) != 0 \|\|
b4a9bda2 PH	196	rad_put_int(h, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) != 0 \|\|
b4a9bda2 PH	197	rad_put_string(h, RAD_NAS_IDENTIFIER, CS primary_hostname) != 0)
0756eb3c PH	198	{
	199	*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
	200	result = ERROR;
	201	}
	202	else
8ca559c8	203	switch (result = rad_send_request(h))
0756eb3c PH	204	{
0756eb3c PH	205	case RAD_ACCESS_ACCEPT:
8ca559c8 FG	206	result = OK;
8ca559c8 FG	207	break;
0756eb3c PH	208
0756eb3c PH	209	case RAD_ACCESS_REJECT:
8ca559c8 FG	210	result = FAIL;
8ca559c8 FG	211	break;
0756eb3c PH	212
0756eb3c PH	213	case -1:
8ca559c8 FG	214	*errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
	215	result = ERROR;
	216	break;
0756eb3c PH	217
0756eb3c PH	218	default:
8ca559c8 FG	219	*errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
	220	result= ERROR;
	221	break;
0756eb3c	222	}
0756eb3c	223
8ca559c8	224	if (errptr) DEBUG(D_auth) debug_printf("%s\n", errptr);
0756eb3c PH	225	rad_close(h);
	226	return result;
	227
	228	#endif /* RADIUS_LIB_RADLIB */
	229	}
	230
	231	#endif /* RADIUS_CONFIG_FILE */
	232
	233	/* End of call_radius.c */