-/*
+/*
Copyright (c) 1995-1998 by Cisco systems, Inc.
Permission to use, copy, modify, and distribute this software for
FITNESS FOR A PARTICULAR PURPOSE.
*/
+
#include "tac_plus.h"
+
+#include "choose_authen.h"
#include "expire.h"
+#include "enable.h"
+#include "report.h"
+#include "cfgfile.h"
+#include "default_fn.h"
+#include "default_v0_fn.h"
+#include "sendauth.h"
+#include "sendpass.h"
+#include "packet.h"
+#include "main.h"
+#include "do_author.h" /* for "struct identity" */
+
+#ifdef SKEY
+#include "skey_fn.h"
+#endif
-static int choose_login();
-static int choose_sendpass();
-static int choose_sendauth();
-int
+static int choose_sendpass TAC_ARGS((struct authen_data *data, struct authen_type *type));
+static int choose_sendauth TAC_ARGS((struct authen_data *data, struct authen_type *type));
+static int choose_login TAC_ARGS((struct authen_data *data, struct authen_type *type));
+
+
+#if 0 /* unused */
+static int
get_minor_version()
{
return(session.version & ~TAC_PLUS_MAJOR_VER_MASK);
}
+#endif /* unused */
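Review bot: The three static prototypes added at the top of the file (`choose_sendpass`, `choose_sendauth`, `choose_login`) are added a second time immediately before each definition further down, so every helper is now declared twice. One set is enough; keeping the block at the top and dropping the per-definition copies leaves a single place to update when a signature changes. The same may apply to the new `choose_authen` prototype if `choose_authen.h`, which this commit also starts including, already declares it; that is worth confirming, because the header declaration is the one that gives callers argument checking. `get_minor_version` is now fenced with `#if 0 /* unused */`, and deleting it outright would be cleaner than carrying dead code.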
-/*
+/*
* Choose an authentication function. Return CHOOSE_OK if chosen,
- * CHOOSE_GETUSER if we need a username, CHOOSE_FAILED on failure
+ * CHOOSE_GETUSER if we need a username, CHOOSE_FAILED on failure
*/
+int choose_authen TAC_ARGS((struct authen_data *data, struct authen_type *type));
+
int
choose_authen(data, type)
struct authen_data *data;
case TAC_PLUS_AUTHEN_LOGIN:
/* For enabling, enable_fn handles everything. Must be minor
- * version zero
+ * version zero
*/
if (data->service == TAC_PLUS_AUTHEN_SVC_ENABLE) {
if (session.version != TAC_PLUS_VER_0) {
/* never heard of this lot */
report(LOG_ERR, "%s: %s %s Illegal packet ver=%d action=%d type=%d",
- session.peer,
+ session.peer,
session.port,
name ? name : "<unknown>",
session.version,
return(CHOOSE_FAILED);
}
+static int choose_login TAC_ARGS((struct authen_data *data, struct authen_type *type));
+
/* Choose an authentication function for action == LOGIN, service != enable */
static int
choose_login(data, type)
struct authen_data *data;
struct authen_type *type;
{
- char *name = data->NAS_id->username;
- char *cfg_passwd;
+ const char *name = data->NAS_id->username;
+ const char *cfg_passwd;
switch(type->authen_type) {
case TAC_PLUS_AUTHEN_TYPE_ASCII:
cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE);
if (cfg_passwd && STREQ(cfg_passwd, "skey")) {
if (debug & DEBUG_PASSWD_FLAG)
- report(LOG_DEBUG, "%s %s: user %s requires skey",
+ report(LOG_DEBUG, "%s %s: user %s requires skey",
session.peer, session.port, name);
#ifdef SKEY
type->authen_func = skey_fn;
strcpy(type->authen_name, "skey_fn");
return (CHOOSE_OK);
#else /* SKEY */
- report(LOG_ERR,
+ report(LOG_ERR,
"%s %s: user %s s/key support has not been compiled in",
name ? name : "<unknown>",
session.peer, session.port);
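Review bot: The `LOG_ERR` call in the non-SKEY branch of `choose_login` passes its arguments in a different order from its format string. The format `"%s %s: user %s s/key support has not been compiled in"` expects peer, port, user, but the arguments are `name`, `session.peer`, `session.port`, so the audit line records the client-supplied username where the peer address belongs. The debug call just above uses the matching order, and the argument list should read `session.peer, session.port, name ? name : "<unknown>");`. This call also guards `name` against NULL, whereas `cfg_get_login_secret(name, ...)` and the debug `report` use it unguarded and a later hunk tests `name[0]`; if `username` can be NULL those need a check, otherwise the ternary is dead code. The body of `choose_login` continues outside this hunk.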
case TAC_PLUS_AUTHEN_TYPE_ARAP:
#ifndef ARAP_DES
- /*
+ /*
* If we have no des code we can't do ARAP via SENDAUTH. We'll
* have to do it via SENDPASS. Return a down-rev reply
* packet and hope the NAS is smart enough to deal with it.
#ifdef MSCHAP
case TAC_PLUS_AUTHEN_TYPE_MSCHAP:
#ifndef MSCHAP_DES
- /*
+ /*
* If we have no des code we can't do MSCHAP via LOGIN. We'll
* have to do it via SENDPASS. Return a down-rev reply
* packet and hope the NAS is smart enough to deal with it.
}
/* Version 1 login/[pap|chap|arap].
- * The username must in the initial START packet
+ * The username must in the initial START packet
*/
if (!name[0]) {
report(LOG_ERR, "%s %s: No user in START packet for PAP/CHAP/ARAP",
/* Illegal value combination */
report(LOG_ERR, "%s: %s %s Illegal packet ver=%d action=%d type=%d",
- session.peer,
+ session.peer,
session.port,
name ? name : "<unknown>",
session.version,
return(CHOOSE_FAILED);
}
+static int choose_sendauth TAC_ARGS((struct authen_data *data, struct authen_type *type));
+
static int
choose_sendauth(data, type)
struct authen_data *data;
#ifdef MSCHAP
case TAC_PLUS_AUTHEN_TYPE_MSCHAP:
#ifndef MSCHAP_DES
- /*
+ /*
* If we have no des code we can't do MSCHAP via SENDAUTH. We'll
* have to do it via SENDPASS. Return a down-rev reply
* packet and hope the NAS is smart enough to deal with it.
}
/* Illegal value combination */
report(LOG_ERR, "%s: %s %s Illegal packet ver=%d action=%d type=%d",
- session.peer,
+ session.peer,
session.port,
name ? name : "<unknown>",
session.version,
return(CHOOSE_FAILED);
}
+static int choose_sendpass TAC_ARGS((struct authen_data *data, struct authen_type *type));
+
/* Compatibility routine for (obsolete) minor version == 0 */
static int
choose_sendpass(data, type)
/* Illegal value combination */
report(LOG_ERR, "%s: %s %s Illegal packet ver=%d action=%d type=%d",
- session.peer,
+ session.peer,
session.port,
name ? name : "<unknown>",
- session.version,
+ session.version,
data->action,
type->authen_type);
return(CHOOSE_FAILED);
}
-