pre-2.2.2: a bug in module return code evaluation / 2013101601
Jan Rafaj
jr-freeradius at cedric.unob.cz
Wed Oct 16 14:23:20 CEST 2013
Hello,
I gave the current HEAD of the v2.x.x branch (commit 8925e16) a try.
In sites-enabled/default, in 'authenticate { }' I have:
    Auth-Type MS-CHAP {
        mschap {
            ok = return
            fail = 1
            reject = 1
            userlock = 1
            invalid = 1
        }
        if (fail || reject || userlock || invalid) {
            linelog.rejects.tunnelled
            reject
        }
    }
In 2.2.0, the corresponding debug output triggered by
radmin -e "debug file mydebug.log" \
-e "debug condition \"(User-Name =~ /testuser.*domain\.tld/)\""
was:
...
Tue Oct 15 22:55:03 2013 : Debug: [mschap] expand:
--nt-response=%{%{mschap:NT-Response}:-00} ->
--nt-response=e78a6a598e4b23bdb5f2feebf9ce5f6ab43851421b6387df
Tue Oct 15 22:55:03 2013 : Debug: [mschap] External script failed.
Tue Oct 15 22:55:03 2013 : Debug: [mschap] FAILED: MS-CHAP2-Response is
incorrect
Tue Oct 15 22:55:03 2013 : Debug: ++[mschap] returns reject
Tue Oct 15 22:55:03 2013 : Debug: ++? if (fail || reject || userlock ||
invalid)
Tue Oct 15 22:55:03 2013 : Debug: ? Evaluating (fail ) -> FALSE
Tue Oct 15 22:55:03 2013 : Debug: ? Evaluating (reject ) -> TRUE
Tue Oct 15 22:55:03 2013 : Debug: ? Skipping (userlock )
Tue Oct 15 22:55:03 2013 : Debug: ? Skipping (invalid)
Tue Oct 15 22:55:03 2013 : Debug: ++? if (fail || reject || userlock ||
invalid) -> TRUE
Tue Oct 15 22:55:03 2013 : Debug: ++- entering if (fail || reject ||
userlock || invalid) {...}
...
while in pre-2.2.2 HEAD, the output is:
...
Tue Oct 15 22:42:45 2013 : Debug: [mschap] expand:
--nt-response=%{%{mschap:NT-Response}:-00} ->
--nt-response=8c600892bca040638bfa1145278982c141b1bf9924ce5c1f
Tue Oct 15 22:42:45 2013 : Debug: [mschap] Exec: program returned: 1
Tue Oct 15 22:42:45 2013 : Debug: [mschap] External script failed.
Tue Oct 15 22:42:45 2013 : Debug: [mschap] FAILED: MS-CHAP2-Response is
incorrect
Tue Oct 15 22:42:45 2013 : Debug: ++[mschap] = reject
Tue Oct 15 22:42:45 2013 : Debug: ++? if (fail || reject || userlock ||
invalid)
Tue Oct 15 22:42:45 2013 : Debug: ? Evaluating (fail ) -> FALSE
Tue Oct 15 22:42:45 2013 : Debug: ? Evaluating (reject ) -> FALSE
Tue Oct 15 22:42:45 2013 : Debug: ? Evaluating (userlock ) -> FALSE
Tue Oct 15 22:42:45 2013 : Debug: ? Evaluating (invalid) -> FALSE
Tue Oct 15 22:42:45 2013 : Debug: ++? if (fail || reject || userlock ||
invalid) -> FALSE
Tue Oct 15 22:42:45 2013 : Debug: +} # group MS-CHAP = ok
...
As you can see, in pre-2.2.2, although the mschap module still
(correctly) returns 'reject', the condition evaluating 'reject'
incorrectly yields FALSE (it yields TRUE in 2.2.0). I think
this is a bug (and it has forced me to downgrade back to 2.2.0). Please
could you fix this?
Thanks a lot,
Jan
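
Added example, not part of the original post and not FreeRADIUS code: a small checker that scans debug output for the symptom reported above, a bare return-code test such as (reject) whose logged result disagrees with the return code the preceding module just logged. The function name and the sample strings are constructed (abridged from the two excerpts in the post), and it assumes each log entry sits on one unwrapped line.

```python
import re

# Constructed samples, abridged from the two debug excerpts quoted in the post.
SAMPLE_220 = """\
Tue Oct 15 22:55:03 2013 : Debug: ++[mschap] returns reject
Tue Oct 15 22:55:03 2013 : Debug: ? Evaluating (fail ) -> FALSE
Tue Oct 15 22:55:03 2013 : Debug: ? Evaluating (reject ) -> TRUE
"""
SAMPLE_HEAD = """\
Tue Oct 15 22:42:45 2013 : Debug: ++[mschap] = reject
Tue Oct 15 22:42:45 2013 : Debug: ? Evaluating (fail ) -> FALSE
Tue Oct 15 22:42:45 2013 : Debug: ? Evaluating (reject ) -> FALSE
Tue Oct 15 22:42:45 2013 : Debug: ? Evaluating (userlock ) -> FALSE
"""

# Module return codes that can appear as bare words in a condition.
RCODES = {"reject", "fail", "ok", "handled", "invalid",
          "userlock", "notfound", "noop", "updated"}

# Module result line: "++[mschap] returns reject" (2.2.0 excerpt)
# or "++[mschap] = reject" (pre-2.2.2 HEAD excerpt).
MODULE_RE = re.compile(
    r"Debug:\s+\++\[(\w[\w.-]*)\]\s+(?:returns|=)\s+(\w+)\s*$")
# Bare return-code test: "? Evaluating (reject ) -> FALSE".
EVAL_RE = re.compile(
    r"Debug:\s+\?\s+Evaluating\s+\(\s*(\w+)\s*\)\s+->\s+(TRUE|FALSE)\s*$")


def find_rcode_mismatches(log_text):
    """Return (module, rcode, tested_code, logged_result) for every bare
    return-code test whose logged result contradicts the last module result."""
    mismatches = []
    last = None  # (module, rcode) from the most recent module result line
    for line in log_text.splitlines():
        m = MODULE_RE.search(line)
        if m:
            last = (m.group(1), m.group(2))
            continue
        e = EVAL_RE.search(line)
        if e and last and e.group(1) in RCODES:
            # A bare rcode word should be TRUE only if it equals the last rcode.
            expected = "TRUE" if e.group(1) == last[1] else "FALSE"
            if e.group(2) != expected:
                mismatches.append((last[0], last[1], e.group(1), e.group(2)))
    return mismatches


if __name__ == "__main__":
    for name, text in (("2.2.0", SAMPLE_220), ("pre-2.2.2", SAMPLE_HEAD)):
        print(name, find_rcode_mismatches(text))
```

Running it over a debug log captured after an upgrade gives a quick regression check for policies that depend on testing a module's return code before logging or rejecting.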