Send not only Access Request, but also Access Challenge with defined

NAS-Identifier and NAS-IP-Address.

Reviewed by:	bz
MFC after:	1 month

1 files changed, 7 insertions, 5 deletions

diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c
index 511baf3..306c4b7 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.c
+++ b/lib/libpam/modules/pam_radius/pam_radius.c
@@ -67,7 +67,7 @@ static int	 build_access_request(struct rad_handle *, const char *,
 		    size_t);
 static int	 do_accept(pam_handle_t *, struct rad_handle *);
 static int	 do_challenge(pam_handle_t *, struct rad_handle *,
-		    const char *);
+		    const char *, const char *, const char *);
 
 /*
  * Construct an access request, but don't send it.  Returns 0 on success,
@@ -162,7 +162,8 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
 }
 
 static int
-do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
+do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user,
+    const char *nas_id, const char *nas_ipaddr)
 {
 	int retval;
 	int attrtype;
@@ -229,8 +230,8 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
 	if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
 	    conv->appdata_ptr)) != PAM_SUCCESS)
 		return (retval);
-	if (build_access_request(radh, user, resp[num_msgs-1].resp, NULL,
-	    NULL, state, statelen) == -1)
+	if (build_access_request(radh, user, resp[num_msgs-1].resp, nas_id,
+	    nas_ipaddr, state, statelen) == -1)
 		return (PAM_SERVICE_ERR);
 	memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
 	free(resp[num_msgs-1].resp);
@@ -329,7 +330,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 			return (PAM_AUTH_ERR);
 
 		case RAD_ACCESS_CHALLENGE:
-			retval = do_challenge(pamh, radh, user);
+			retval = do_challenge(pamh, radh, user, nas_id,
+			    nas_ipaddr);
 			if (retval != PAM_SUCCESS) {
 				rad_close(radh);
 				return (retval);