X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fchap-new.c;h=2714bff6478589412aeed098f77262e89a91349c;hp=e5fe16106d85ad80508d5ad070fe4c983dce8856;hb=afc4b130bbd6f5f5cd9baafdc7e836d8f6238deb;hpb=67e53ed830e2e6f881a52518c32f2fa628778018
diff --git a/pppd/chap-new.c b/pppd/chap-new.c
index e5fe161..2714bff 100644
--- a/pppd/chap-new.c
+++ b/pppd/chap-new.c
@@ -28,11 +28,12 @@
 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#define RCSID "$Id: chap-new.c,v 1.7 2005/07/10 07:31:26 paulus Exp $"
+#define RCSID "$Id: chap-new.c,v 1.9 2007/06/19 02:08:35 carlsonj Exp $"
 #include
 #include
 #include "pppd.h"
+#include "session.h"
 #include "chap-new.h"
 #include "chap-md5.h"
@@ -366,6 +367,22 @@ chap_handle_response(struct chap_server_state *ss, int id,
 if (ss->flags & CHALLENGE_VALID) {
 ss->flags &= ~CHALLENGE_VALID;
+ if (!(ss->flags & AUTH_DONE) && !(ss->flags & AUTH_FAILED)) {
+ /*
+ * Auth is OK, so now we need to check session restrictions
+ * to ensure everything is OK, but only if we used a
+ * plugin, and only if we're configured to check. This
+ * allows us to do PAM checks on PPP servers that
+ * authenticate against ActiveDirectory, and use AD for
+ * account info (like when using Winbind integrated with
+ * PAM).
+ */
+ if (session_mgmt &&
+ session_check(name, NULL, devnam, NULL) == 0) {
+ ss->flags |= AUTH_FAILED;
+ warn("Peer %q failed CHAP Session verification", name);
+ }
+ }
 if (ss->flags & AUTH_FAILED) {
 auth_peer_fail(0, PPP_CHAP);
 } else {
@@ -481,7 +498,7 @@ chap_handle_status(struct chap_client_state *cs, int code, int id,
 if (code == CHAP_SUCCESS) {
 /* used for MS-CHAP v2 mutual auth, yuck */
 if (cs->digest->check_success != NULL) {
- if (!(*cs->digest->check_success)(pkt, len, cs->priv))
+ if (!(*cs->digest->check_success)(id, pkt, len))
 code = CHAP_FAILURE;
 } else
 msg = "CHAP authentication succeeded";
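Review bot: In the chap_handle_response hunk, the new comment says the session check runs "only if we used a plugin", but the added condition tests only `session_mgmt`; nothing in the visible lines looks at how the response was verified, so either the comment or the condition should change. The outer guard `!(ss->flags & AUTH_DONE)` also means session_check() runs for the first successful response only, so account restrictions are not re-evaluated on later rechallenges; if that is intended, say so, e.g. `/* checked once per session; rechallenges do not repeat the account check */`. The last argument to session_check() is NULL, so if that parameter is the message out-pointer, the reason for a rejection is dropped and the warn() line carries only the peer name. The function continues outside the hunk; if the Success packet has already been sent by the time this block runs, the peer will see Success followed by link teardown, which is worth confirming.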
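Review bot: The check_success call in chap_handle_status now passes `(id, pkt, len)` and no longer hands `cs->priv` to the digest, but nothing at the call site says where the digest finds the state it compares the peer's success message against. A short comment would help, e.g. `/* id identifies the exchange; the digest no longer receives cs->priv here */`. The prototype in chap-new.h and the digest implementations are not part of this diff, so confirm that every digest that sets check_success was updated to the new argument order in the same change. The function starts and ends outside the hunk.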
@@ -501,6 +518,7 @@ chap_handle_status(struct chap_client_state *cs, int code, int id,
 auth_withpeer_success(0, PPP_CHAP, cs->digest->code);
 else {
 cs->flags |= AUTH_FAILED;
+ error("CHAP authentication failed");
 auth_withpeer_fail(0, PPP_CHAP);
 }
 }
@@ -552,6 +570,7 @@ chap_protrej(int unit)
 }
 if ((cs->flags & (AUTH_STARTED|AUTH_DONE)) == AUTH_STARTED) {
 cs->flags &= ~AUTH_STARTED;
+ error("CHAP authentication failed due to protocol-reject");
 auth_withpeer_fail(0, PPP_CHAP);
 }
 }
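Review bot: The added `error("CHAP authentication failed")` in chap_handle_status produces the same log line whether the peer sent a Failure packet or the local `check_success` test earlier in the function turned a Success into `CHAP_FAILURE`. The second case means the authenticator's success message did not verify during MS-CHAP v2 mutual authentication, which an operator would want to tell apart from a rejected password. Logging where `code = CHAP_FAILURE` is set, e.g. `error("CHAP: peer's success message failed verification");`, would keep the two apart. The code between that check and this branch is outside the hunk, so confirm no message is already printed there.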