X-Git-Url: http://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Fchap-new.c;h=2714bff6478589412aeed098f77262e89a91349c;hb=f8c05f21cc743132fb7c4b996568c09a374725b9;hp=cf54f57dd8568b8acc07e1bbae1401a29195b927;hpb=cf141d059db0db1419e99b99099389c4c2e0ca0f;p=ppp.git
diff --git a/pppd/chap-new.c b/pppd/chap-new.c
index cf54f57..2714bff 100644
--- a/pppd/chap-new.c
+++ b/pppd/chap-new.c
@@ -28,11 +28,12 @@
 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#define RCSID "$Id: chap-new.c,v 1.8 2005/07/13 10:41:58 paulus Exp $"
+#define RCSID "$Id: chap-new.c,v 1.9 2007/06/19 02:08:35 carlsonj Exp $"
 #include
 #include
 #include "pppd.h"
+#include "session.h"
 #include "chap-new.h"
 #include "chap-md5.h"
@@ -366,6 +367,22 @@ chap_handle_response(struct chap_server_state *ss, int id,
 if (ss->flags & CHALLENGE_VALID) {
 ss->flags &= ~CHALLENGE_VALID;
+ if (!(ss->flags & AUTH_DONE) && !(ss->flags & AUTH_FAILED)) {
+ /*
+ * Auth is OK, so now we need to check session restrictions
+ * to ensure everything is OK, but only if we used a
+ * plugin, and only if we're configured to check. This
+ * allows us to do PAM checks on PPP servers that
+ * authenticate against ActiveDirectory, and use AD for
+ * account info (like when using Winbind integrated with
+ * PAM).
+ */
+ if (session_mgmt &&
+ session_check(name, NULL, devnam, NULL) == 0) {
+ ss->flags |= AUTH_FAILED;
+ warn("Peer %q failed CHAP Session verification", name);
+ }
+ }
 if (ss->flags & AUTH_FAILED) {
 auth_peer_fail(0, PPP_CHAP);
 } else {
@@ -481,7 +498,7 @@ chap_handle_status(struct chap_client_state *cs, int code, int id,
 if (code == CHAP_SUCCESS) {
 /* used for MS-CHAP v2 mutual auth, yuck */
 if (cs->digest->check_success != NULL) {
- if (!(*cs->digest->check_success)(pkt, len, cs->priv))
+ if (!(*cs->digest->check_success)(id, pkt, len))
 code = CHAP_FAILURE;
 } else
 msg = "CHAP authentication succeeded";
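Review bot: The comment in the block added to chap_handle_response says the session check runs "only if we used a plugin", but the condition below it tests only `session_mgmt`, so with that option set every peer that passed the digest check is sent through `session_check()`. Either add the plugin test the comment describes or reword the comment to match, e.g. `/* Auth is OK; if session management is enabled, also apply the account/session restrictions. */`. The call passes NULL for its second and fourth arguments, so any reason the session layer gives for refusing (presumably returned through one of them) never reaches the `warn()`. Logging that reason would let an operator tell a locked or expired account from a wrong secret. The function starts and ends outside this hunk, so it is worth confirming that the CHAP Success/Failure reply is not sent before this block runs; if it is, a peer refused here is first told that authentication succeeded.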