--- php-radius-1.2.5.orig/radius-1.2.5/radlib.c +++ php-radius-1.2.5/radius-1.2.5/radlib.c @@ -898,15 +898,24 @@ } int -rad_get_vendor_attr(u_int32_t *vendor, const void **data, size_t *len) +rad_get_vendor_attr(u_int32_t *vendor, unsigned char *type, const void **data, size_t *len, const void *raw, size_t raw_len) { struct vendor_attribute *attr; - attr = (struct vendor_attribute *)*data; + if (raw_len < sizeof(struct vendor_attribute)) { + return -1; + } + + attr = (struct vendor_attribute *) raw; *vendor = ntohl(attr->vendor_value); + *type = attr->attrib_type; *data = attr->attrib_data; *len = attr->attrib_len - 2; + if ((attr->attrib_len + 4) > raw_len) { + return -1; + } + return (attr->attrib_type); } --- php-radius-1.2.5.orig/radius-1.2.5/radlib_vs.h +++ php-radius-1.2.5/radius-1.2.5/radlib_vs.h @@ -74,7 +74,7 @@ struct rad_handle; -int rad_get_vendor_attr(u_int32_t *, const void **, size_t *); +int rad_get_vendor_attr(u_int32_t *, unsigned char *, const void **, size_t *, const void *, size_t); int rad_put_vendor_addr(struct rad_handle *, int, int, struct in_addr); int rad_put_vendor_attr(struct rad_handle *, int, int, const void *, size_t); --- php-radius-1.2.5.orig/radius-1.2.5/radius.c +++ php-radius-1.2.5/radius-1.2.5/radius.c @@ -62,7 +62,7 @@ * * Every user visible function must have an entry in radius_functions[]. */ -function_entry radius_functions[] = { +zend_function_entry radius_functions[] = { PHP_FE(radius_auth_open, NULL) PHP_FE(radius_acct_open, NULL) PHP_FE(radius_close, NULL) @@ -265,7 +265,7 @@ /* {{{ proto bool radius_create_request(desc, code) */ PHP_FUNCTION(radius_create_request) { - int code; + long code; radius_descriptor *raddesc; zval *z_radh; 
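Review bot: `*len = attr->attrib_len - 2;` in the new rad_get_vendor_attr() is not guarded against a length field below 2, so a value of 0 or 1 wraps to a very large number once stored in the `size_t`. The only later check, `(attr->attrib_len + 4) > raw_len`, passes for such small values, and the caller in radius.c hands that length to add_assoc_stringl(), so the over-read this patch targets stays reachable. I would validate before writing any out-parameter, e.g. `if (attr->attrib_len < 2 || (size_t)attr->attrib_len + 4 > raw_len) return -1;`, and only then assign `*vendor`, `*type`, `*data` and `*len`. struct vendor_attribute is declared outside this hunk, so it should be confirmed there whether `sizeof` includes padding that makes the first check reject a minimal but valid attribute.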
@@ -541,23 +541,24 @@ /* {{{ proto string radius_get_vendor_attr(data) */ PHP_FUNCTION(radius_get_vendor_attr) { - int res, vendor; - const void *data; + int vendor; + const void *data, *raw; size_t len; + unsigned char type; + size_t data_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &data, &len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &raw, &len) == FAILURE) { return; } - res = rad_get_vendor_attr(&vendor, &data, &len); - if (res == -1) { + if (rad_get_vendor_attr(&vendor, &type, &data, &data_len, raw, len) == -1) { RETURN_FALSE; } else { array_init(return_value); - add_assoc_long(return_value, "attr", res); + add_assoc_long(return_value, "attr", type); add_assoc_long(return_value, "vendor", vendor); - add_assoc_stringl(return_value, "data", (char *) data, len, 1); + add_assoc_stringl(return_value, "data", (char *) data, data_len, 1); return; } } --- php-radius-1.2.5.orig/debian/php5-radius.examples +++ php-radius-1.2.5/debian/php5-radius.examples @@ -0,0 +1 @@ +radius-*/examples/* --- php-radius-1.2.5.orig/debian/changelog.xsl +++ php-radius-1.2.5/debian/changelog.xsl @@ -0,0 +1,122 @@ + + + + + + + + + + + + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Version + + - + + + ( + + ) + + ---------------------------------------- Notes: + + + + + --- php-radius-1.2.5.orig/debian/php5-radius.docs +++ php-radius-1.2.5/debian/php5-radius.docs @@ -0,0 +1 @@ +radius-*/CREDITS --- php-radius-1.2.5.orig/debian/compat +++ php-radius-1.2.5/debian/compat @@ -0,0 +1 @@ +5 --- php-radius-1.2.5.orig/debian/watch +++ php-radius-1.2.5/debian/watch @@ -0,0 +1,3 @@ +version=3 +http://pecl.php.net/package/radius \ + /get/radius-([\d\.]*).tgz debian uupdate --- php-radius-1.2.5.orig/debian/php-radius-legacy.docs +++ php-radius-1.2.5/debian/php-radius-legacy.docs 
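Review bot: `len` stays declared as `size_t` although zend_parse_parameters() fills it through the "s" specifier, which on the PHP 5 API this package builds against (TSRMLS_CC, php5-dev) stores the string length through an `int *`. On 64-bit targets only part of `len` is then written, so the `raw_len` that the new bounds checks in rad_get_vendor_attr() rely on may carry uninitialised stack bytes. This is the same class of mismatch the `long code` hunk fixes for radius_create_request(). Declare `int len;` and pass `(size_t) len` in the call. `vendor` is likewise an `int` whose address goes to a `u_int32_t *` parameter; declaring it `u_int32_t` removes that pointer-type mismatch.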
@@ -0,0 +1,2 @@
+php-radius-*/CONTACT
+php-radius-*/README
--- php-radius-1.2.5.orig/debian/rules
+++ php-radius-1.2.5/debian/rules
@@ -0,0 +1,148 @@ +#!/usr/bin/make -f +# template debian/rules provided by dh-make-php. +# GNU copyright 2005 by Uwe Steinmann. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# This has to be exported to make some magic below work. +export DH_OPTIONS + +CFLAGS = -O2 -Wall +CFLAGS += -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 +ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) + CFLAGS += -g + DEBUG := --enable-debug +else + DEBUG := --disable-debug +endif + +TAR=tar +PECL_PKG_NAME=radius +PECL_PKG_REALNAME=radius +PECL_PKG_VERSION=1.2.5 +PACKAGE_NAME=php-radius +BIN_PACKAGE_NAME=php$*-radius +PHPIZE=/usr/bin/phpize +PHPCONFIG=/usr/bin/php-config +EXT_DIR=$(shell $(PHPCONFIG)$* --extension-dir) +SOURCE_DIR=$(shell ls -d $(PECL_PKG_REALNAME)-*) +BINARYTARGETS=binary-arch-v5 +BUILDTARGETS=build-v5 +CLEANTARGETS=clean-v5 + +# Sarge doesn't support --phpapi option (Bug #365667) +phpapiver4=$(shell /usr/bin/php-config4 --phpapi) +#phpapiver4=$(/usr/bin/php-config4 --extension-dir | xargs basename) +phpapiver5=$(shell /usr/bin/php-config5 --phpapi) + +configure-v4 configure-v5: configure-v%: configure-stamp-v% +configure-stamp-v4 configure-stamp-v5: configure-stamp-v%: + dh_testdir + # Add here commands to configure the package. + (cd $(SOURCE_DIR); \ + $(PHPIZE)$*; \ + ./configure --with-php-config=$(PHPCONFIG)$* --prefix=/usr) +# rm -f configure-stamp-v* + touch $@ + +build: $(BUILDTARGETS) + +build-v4 build-v5: build-v%: build-stamp-v% + +build-stamp: +# xsltproc --nonet --novalid debian/changelog.xsl package.xml > debian/Changelog + $(shell /usr/share/dh-make-php/phppkginfo . changelog > debian/Changelog) + touch build-stamp + +build-stamp-v4 build-stamp-v5: build-stamp-v%: build-stamp configure-stamp-v% + dh_testdir + + # Add here commands to compile the package. 
+ (cd $(SOURCE_DIR); $(MAKE); mkdir -p ../tmp/modules$*; cp modules/* ../tmp/modules$*; $(MAKE) clean) +# rm -f build-stamp-v* + touch $@ + +clean: $(CLEANTARGETS) + dh_clean + +clean-v4 clean-v5: clean-v%: + dh_testdir + dh_testroot + rm -f build-stamp* configure-stamp* + + # Add here commands to clean up after the build process. + (cd $(SOURCE_DIR); \ + $(MAKE) clean; \ + $(PHPIZE)$* --clean) + rm -rf tmp/modules$* + +install-v4 install-v5: install-v%: build-v% + dh_testdir + dh_testroot + # can't dh_clean here without specifically excluding the possibly existing installed dirs + # for other version. + #dh_clean -k + dh_installdirs +# dh_pecl + + # Add here commands to install the package into debian/$(PACKAGE_NAME). +# $(MAKE) INSTALL_ROOT=$(CURDIR)/debian/$(PACKAGE_NAME) install +# sh -c 'VERSION=`egrep "#define ZEND_MODULE_API_NO" \ +# /usr/include/php4/Zend/zend_modules.h \ +# | sed "s/#define ZEND_MODULE_API_NO //"`; \ +# chmod 644 debian/$(PACKAGE_NAME)/usr/lib/php4/$$VERSION/*.so' + mkdir -p debian/$(BIN_PACKAGE_NAME)/$(EXT_DIR) + install -m 644 -o root -g root tmp/modules$*/$(PECL_PKG_NAME).so debian/$(BIN_PACKAGE_NAME)/$(EXT_DIR)/$(PECL_PKG_NAME).so + if [ -f "debian/$(PECL_PKG_NAME).ini" ]; then \ + mkdir -p debian/$(BIN_PACKAGE_NAME)/etc/php$*/conf.d; \ + cp debian/$(PECL_PKG_NAME).ini debian/$(BIN_PACKAGE_NAME)/etc/php$*/conf.d; \ + fi + +# Build architecture-independent files here. 
+binary-indep: + dh_testdir + dh_testroot + dh_installdirs + dh_installchangelogs -i php-radius-*/CHANGES + dh_installdocs -i + dh_installexamples -i + cp php-radius-*/radius_authentication.inc debian/php-radius-legacy/usr/share/php-radius/radius_authentication.inc.php + cp php-radius-*/radius_authentication.conf.template debian/php-radius-legacy/usr/share/doc/php-radius-legacy/examples/server.conf + cp php-radius-*/CHANGES debian/php-radius-legacy/usr/share/doc/php-radius-legacy/changelog +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + dh_strip -i +endif + dh_compress -i + dh_fixperms -i + dh_installdeb -i + dh_shlibdeps -i + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +# Build architecture-dependent files here. + +binary-arch-v4 binary-arch-v5: binary-arch-v%: install-v% + echo "php:Depends=phpapi-$(phpapiver$*)" >> debian/$(BIN_PACKAGE_NAME).substvars + +binary-arch: $(BINARYTARGETS) + dh_testdir + dh_testroot + dh_installchangelogs -a debian/Changelog + dh_installdocs -a + dh_installexamples -a + dh_installdebconf -a +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + dh_strip -a +endif + dh_compress -a + dh_fixperms -a + dh_installdeb -a + dh_shlibdeps -a + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: build build-v4 build-v5 clean clean-v4 clean-v5 binary-indep binary-arch binary-arch-v4 binary-arch-v5 binary install-v4 install-v5 configure-v4 configure-v5 --- php-radius-1.2.5.orig/debian/control +++ php-radius-1.2.5/debian/control 
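Review bot: The `CFLAGS` assembled at the top of debian/rules is never exported or passed to `./configure` in the configure-stamp-v% recipe, so unless CFLAGS already arrives from the environment, neither `-g`, the large-file defines nor any hardening option reaches the compiler. For an extension that parses attributes received from the network I would take the flags from dpkg-buildflags and hand them over explicitly, e.g. `./configure CFLAGS="$(CFLAGS)" --with-php-config=$(PHPCONFIG)$* --prefix=/usr`. Separately, `SOURCE_DIR=$(shell ls -d $(PECL_PKG_REALNAME)-*)` expands to several words if a second radius-* directory is present, which breaks the `cd`; pinning it to `$(PECL_PKG_REALNAME)-$(PECL_PKG_VERSION)` avoids that.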
@@ -0,0 +1,24 @@
+Source: php-radius
+Section: web
+Priority: optional
+Maintainer: Roberto Lumbreras
+Build-Depends: debhelper (>= 5), po-debconf, php5-dev, dh-make-php
+Standards-Version: 3.7.3
+
+Package: php5-radius
+Architecture: any
+Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}
+Description: PECL radius module for PHP 5
+ This PECL provides full support for RADIUS authentication (RFC 2865)
+ and RADIUS accounting (RFC 2866),
+
+Package: php-radius-legacy
+Architecture: all
+Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5 | php5-cgi, apache | httpd-cgi
+Replaces: php-radius (<< 1.2.5)
+Provides: php-radius
+Conflicts: php-radius (<< 1.2.5)
+Description: Radius protocol implementation in PHP
+ Implementation of the Radius protocol in PHP, so you can use it to
+ authenticate against Radius servers in PHP scripts.
+
--- php-radius-1.2.5.orig/debian/php-radius-legacy.dirs
+++ php-radius-1.2.5/debian/php-radius-legacy.dirs
@@ -0,0 +1,3 @@
+usr/share/php-radius
+usr/share/doc/php-radius-legacy/examples
+etc/php-radius
--- php-radius-1.2.5.orig/debian/copyright
+++ php-radius-1.2.5/debian/copyright
@@ -0,0 +1,80 @@ +radius PECL module (php?-radius packages) + +This package was debianized by Roberto Lumbreras +using dh-make-pecl on Tue, 11 Mar 2008 12:43:37 +0100. + +It was downloaded from http://pecl.php.net/package/radius + +Upstream Author: Michael Bretterklieber + +Copyright (C) 2007 Michael Bretterklieber + +License: BSD + + Redistribution and use in source and binary forms, with or without + modification, are permitted under the terms of the BSD License. + + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +On Debian systems, the complete text of the BSD License can be +found in `/usr/share/common-licenses/BSD'. + +------------------------------------------------------------------------------- +old php-radius implementation (php-radius-legacy package): + +This package was debianized by Roberto Lumbreras on +Tue, 23 Mar 2004 00:13:41 +0100. + +It was downloaded from http://www.mavetju.org/programming/php.php + +Upstream Author: Edwin Groothuis + +Warning: the following license is NOT compatible with GNU GPL2, because +of the third clause. 
Please see /usr/share/common-licenses/GPL and the +following pages for more details: + + http://www.gnu.org/licenses/info/BSD_4Clause.html + http://www.gnu.org/philosophy/bsd.html + +I think that you can use php-radius with your GPL2 program, if you +put "with the exceptions needed so it can be used with BSD with +advertising clause". But I'm not a lawyer, so you check it first. + +Copyright 2000, 2001, 2002 by Edwin Groothuis. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by Edwin Groothuis. +4. Neither the name of Edwin Groothuis may be used to endorse or + promote products derived from this software without specific + prior written permission. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT +OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --- php-radius-1.2.5.orig/debian/php-radius-legacy.examples +++ php-radius-1.2.5/debian/php-radius-legacy.examples @@ -0,0 +1,2 @@ +php-radius-*/radius.php +php-radius-*/check_login_pass.php --- php-radius-1.2.5.orig/debian/radius.ini +++ php-radius-1.2.5/debian/radius.ini @@ -0,0 +1 @@ +extension=radius.so --- php-radius-1.2.5.orig/debian/Changelog +++ php-radius-1.2.5/debian/Changelog 
@@ -0,0 +1,61 @@ +Version 1.2.5 - 2007-03-18 (stable) +---------------------------------------- +Notes: + - amd64 arch fixes + +Version 0.9 - 2002-12-11 (beta) +---------------------------------------- +Notes: + - Well tested under Linux, FreeBSD and Windows + +Version 1.0 - 2002-12-17 (stable) +---------------------------------------- +Notes: + - Release 1.0 + +Version 1.1 - 2002-12-22 (stable) +---------------------------------------- +Notes: + - Release 1.1 - Fixed source code style - added examples directory - added + examples for MS-CHAPv1 and MS-CHAPv2 + +Version 1.2 - 2003-01-11 (stable) +---------------------------------------- +Notes: + - Release 1.2 - BugFix: a to short challenge was generated sometimes + (MS-CHAPv1, MS-CHAPv2) - New functions: radius_demangle: demangles radius + passwords and mppe MS-CHAPv1 Keys radius_demangle_mppe_key: demangles mppe + send- and recvkey (MS-CHAPv2) - Provide examples for radius-accounting - + Replaced mcrypt-functions with own des-ecb-encryption function - Some minor + changes in radius-auth.php - Added php-script for testing MS-CHAP functions + +Version 1.2.1 - 2003-05-02 (stable) +---------------------------------------- +Notes: + - Release 1.2.1 - Change License to BSD - BugFix: The MS-CHAPv2 + Authenticator-Challenge has 16 Bytes and not 8 Bytes - BugFix: build under + Solaris - Generate better challenges - Many source-code-style fixes - + Removed unneeded sources - Some cleanup's + +Version 1.2.2 - 2003-07-17 (stable) +---------------------------------------- +Notes: + - Release 1.2.2 - Changed role for example-files to doc - Removed + deprecated files - Added IPv6 related attributes defined in RFC3162 + +Version 1.2.3 - 2003-11-04 (stable) +---------------------------------------- +Notes: + - Release 1.2.3 - Fixed a typo in radius_init_const.h wich caused + RADIUS_ACCT_STATUS_TYPE to be undefined. 
- Re-added Makefile.in + +Version 1.2.4 - 2003-11-17 (stable) +---------------------------------------- +Notes: + - Release 1.2.4 - Forgot including updated radius_init_const.h + +Version 1.2.5 - 2007-03-18 (stable) +---------------------------------------- +Notes: + - Release 1.2.5 - amd64 arch fixes + --- php-radius-1.2.5.orig/debian/php5-radius.dirs +++ php-radius-1.2.5/debian/php5-radius.dirs @@ -0,0 +1 @@ +usr/lib/php5 --- php-radius-1.2.5.orig/debian/pecl +++ php-radius-1.2.5/debian/pecl @@ -0,0 +1 @@ +modules/radius.so --- php-radius-1.2.5.orig/debian/changelog +++ php-radius-1.2.5/debian/changelog 
@@ -0,0 +1,83 @@ +php-radius (1.2.5-2.4) unstable; urgency=high + + * Non-maintainer upload. + * Fix security issue in radius_get_vendor_attr() + (CVE-2013-2220, closes: #714362) + + -- Thijs Kinkhorst Thu, 25 Jul 2013 14:28:53 +0200 + +php-radius (1.2.5-2.3) unstable; urgency=high + + * Non-maintainer upload. + * Initialise type parameter to radius_create_request() as long, to avoid + segfaulting in zend_parse_parameters() (Closes: #702872). + + -- Thijs Kinkhorst Tue, 12 Mar 2013 15:04:53 +0100 + +php-radius (1.2.5-2.2) unstable; urgency=low + + * Non-maintainer upload. + * Update zoph to PHP 5.4: fix "Call-time pass-by-reference" error. + Affected file is php-radius-1.2/radius_authentication.inc + (Closes: #658956) + + -- Mònica Ramírez Arceda Sat, 28 Apr 2012 14:20:00 +0200 + +php-radius (1.2.5-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix build with PHP 5.4 (Closes: #656490) + * Replace dependency of xlstproc with dh-make-php to generate the changelog + + -- Lior Kaplan Sat, 21 Jan 2012 17:21:14 +0200 + +php-radius (1.2.5-2) unstable; urgency=low + + * Do not call clean-v4 target in clean (Closes: #472321). + + -- Roberto Lumbreras Sun, 23 Mar 2008 14:08:06 +0100 + +php-radius (1.2.5-1) unstable; urgency=low + + * Merge with radius PECL module (Closes: #458438). + * Rename php-radius binary package to php-radius-legacy. + + -- Roberto Lumbreras Mon, 17 Mar 2008 01:27:06 +0100 + +php-radius (1.2-4) unstable; urgency=low + + * Depend on php5 instead of php4 (Closes: #418303). + * debian/rules: switched to debhelper. + * debian/control: lintian & linda clean. + * Upgraded to standards 3.7.2 (no changes). + + -- Roberto Lumbreras Tue, 17 Apr 2007 16:56:29 +0200 + +php-radius (1.2-3) unstable; urgency=low + + * Fixed NAS-IP-Port length in the radius packet (Closes: #338152). + * Send $_SERVER['SERVER_PORT'] as the NAS-IP-Port, and + $_SERVER['SERVER_ADDR'] instead of $SERVER_ADDR as the NAS-IP-Address. + * Use SOL_UDP as protocol instead of 17. 
Increased socket_select timeout to + 60 seconds to be sure that the answer is received. Look at the id of the + answer and reject access if not the same as the request (this should be + done in a better way) + + -- Roberto Lumbreras Tue, 08 Nov 2005 20:47:01 +0100 + +php-radius (1.2-2) unstable; urgency=low + + * Depend on php4-cli instead of php4-cgi. (Closes: #337440) + * Upgraded to standards 3.6.2 (no changes). + + -- Roberto Lumbreras Fri, 04 Nov 2005 20:15:07 +0100 + +php-radius (1.2-1) unstable; urgency=low + + * New package. (closes: #239244) + * Fixed select calls (socket_fd_* no longer exist). + Added error checks to socket function calls. + Use mt_rand instead of rand, it is faster and better. + Added code so more than one config file can be used. + + -- Roberto Lumbreras Tue, 03 Aug 2004 15:24:26 +0200 --- php-radius-1.2.5.orig/php-radius-1.2/README +++ php-radius-1.2.5/php-radius-1.2/README @@ -0,0 +1,8 @@ +$Id: README,v 1.3 2002/01/23 23:21:20 mavetju Exp $ + +This script allows you to do authentication against Radius servers. +It's updated for PHP 4.1.1, with new names for the sockets-functions. + +Edwin Groothuis +edwin@mavetju.org +http://www.mavetju.org/programming/php.php --- php-radius-1.2.5.orig/php-radius-1.2/CHANGES +++ php-radius-1.2.5/php-radius-1.2/CHANGES @@ -0,0 +1,13 @@ +$Id: CHANGES,v 1.2 2002/01/23 23:21:20 mavetju Exp $ + +v1.2 + - Michael Long suggested a select + timeout feature. + +v1.1 + - PHP 4.1.1 is out, and the socket functions have been + renamed. Updated for this. + - Added sample script with caching + +v1.0 + - Initial release --- php-radius-1.2.5.orig/php-radius-1.2/LICENSE +++ php-radius-1.2.5/php-radius-1.2/LICENSE 
@@ -0,0 +1,30 @@ + +Copyright 2000, 2001, 2002 by Edwin Groothuis. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by Edwin Groothuis. +4. Neither the name of Edwin Groothuis may be used to endorse or + promote products derived from this software without specific + prior written permission. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT +OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + --- php-radius-1.2.5.orig/php-radius-1.2/radius.php +++ php-radius-1.2.5/php-radius-1.2/radius.php @@ -0,0 +1,93 @@ +401 Unauthorized access"; + echo "

401 Unauthorized access

"; + echo "You must login using your username and password."; + exit; + } + + require "radius_authentication.inc"; + function radius_authenticate($user,$password) { + global $HTTP_COOKIE_VARS; + global $REMOTE_ADDR; + + if (($db=dba_open("/tmp/radiuscache","c","ndbm"))==FALSE) { + echo "Couldn't open /tmp/radiuscache
\n"; + } + + $cookie=$HTTP_COOKIE_VARS["radius_test"]; + if ($cookie!="") { + $lastid=dba_fetch($cookie."_id",$db); + $laston=dba_fetch($cookie."_laston",$db); + $lasthost=dba_fetch($cookie."_fromip",$db); + $lastuserid=dba_fetch($cookie."_userid",$db); + } + + // + // Sanity checking + // + if ($cookie=="" || $lastid=="" || + $laston==0 || $laston Access-Accept + // 3 -> Access-Reject + if (($retval=RADIUS_AUTHENTICATION($user,$password))==2) { + if ($cookie=="") $cookie=md5(uniqid(rand())); + setcookie("radius_test",$cookie); + dba_replace($cookie."_id",$cookie,$db); + dba_replace($cookie."_userid",$user,$db); + dba_replace($cookie."_fromip",$REMOTE_ADDR,$db); + dba_replace($cookie."_laston",time(),$db); + } + } else { + setcookie("radius_test",$cookie); + dba_replace($cookie."_laston",time(),$db); + $retval=2; + } + + dba_close($db); + return $retval==2; + } + + if (!radius_authenticate($PHP_AUTH_USER,$PHP_AUTH_PW)) { + header("HTTP/1.0 401 Unauthorized"); + Header("WWW-Authenticate: Basic realm=\"PHP Radius test script\""); + echo "401 Unauthorized access"; + echo "

401 Unauthorized access

"; + echo "You must login using a valid username and password"; + echo "Used was '$PHP_AUTH_USER' '$PHP_AUTH_PW'
\n"; + exit; + } + + echo "200 Welcome!"; + echo "

200 Welcome

"; + echo "You logged in using a valid username and password"; + +?> --- php-radius-1.2.5.orig/php-radius-1.2/radius_authentication.inc +++ php-radius-1.2.5/php-radius-1.2/radius_authentication.inc 
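Review bot: The second 401 branch of radius.php echoes the submitted credentials back into the page (`'$PHP_AUTH_USER' '$PHP_AUTH_PW'`) without escaping, which discloses the password in the response body and lets markup in either field be rendered by the browser. Drop that line, or print at most `htmlspecialchars($PHP_AUTH_USER)` and never the password. The login cache is opened at the fixed path `/tmp/radiuscache`, and a failed dba_open() only prints a message before the handle is used; the file belongs in a directory writable only by the web server user, and radius_authenticate() should return false when the open fails. The cookie value from `md5(uniqid(rand()))` stands in for a successful RADIUS login and should come from a cryptographically secure random source instead.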
@@ -0,0 +1,190 @@ + Tue, 23 Mar 2004 00:34:01 +0100 + // select fixes, error checks, more than one config file + // + // radius authentication v1.0 by Edwin Groothuis (edwin@mavetju.org) + // + // If you didn't get this file via http://www.mavetju.org, please + // check for the availability of newer versions. + // + // See LICENSE for distribution issues. If this file isn't in + // the distribution, please inform me about it. + // + // If you want to use this script, fill in the configuration in + // radius_authentication.conf and call the function + // RADIUS_AUTHENTICATION() with the username and password + // provided by the user. If it returns a 2, the authentication + // was successfull! + + // If you want to use this, make sure that you have raw sockets + // enabled during compile-time: "./configure --enable-sockets". + + function init_radiusconfig(&$server,&$port,&$sharedsecret,&$suffix) { + global $radius_server; + if (is_file("radius_authentication.conf")) { + $filename="radius_authentication.conf"; + } else if (isset($radius_server) && + is_file("/etc/php-radius/server-$radius_server.conf")) { + $filename="/etc/php-radius/server-$radius_server.conf"; + } else if (is_file("/etc/php-radius/server.conf")){ + $filename="/etc/php-radius/server.conf"; + } else { + echo "Couldn't find any config file, exiting"; + exit(0); + } + $file=fopen($filename,"r"); + if ($file==0) { + echo "Couldn't open $filename, exiting"; + exit(0); + } + while (!feof($file)) { + $s=fgets($file,1024); + $s=chop($s); + if ($s[0]=="#") continue; + if (strlen($s)==0) continue; + if (preg_match("/^([a-zA-Z]+) (.*)$/",$s,$a)) { + if ($a[1]=="port") { $port=$a[2];continue; } + if ($a[1]=="server") { $server=$a[2];continue; } + if ($a[1]=="secret") { $sharedsecret=$a[2];continue; } + if ($a[1]=="suffix") { + $suffix=$a[2]; + if ($suffix=="\"\"") { + $suffix=""; + } + continue; + } + } + echo "Unknown config-file option: $a[1] ($s)\n"; + exit(0); + } + fclose($file); + } + + function 
RADIUS_AUTHENTICATION($username,$password) { + global $debug; + $radiushost=""; + $sharedsecret=""; + $suffix=""; + + init_radiusconfig($radiushost,$radiusport,$sharedsecret,$suffix); + + // check your /etc/services. Some radius servers + // listen on port 1812, some on 1645. + if ($radiusport==0) + $radiusport=getservbyname("radius","udp"); + + $nasIP=explode(".",$_SERVER['SERVER_ADDR']); + $ip=gethostbyname($radiushost); + + // 17 is UDP, formerly known as PROTO_UDP + $sock=socket_create(AF_INET, SOCK_DGRAM, SOL_UDP); + if ($sock==FALSE) { + echo "socket_create() failed: " . socket_strerror(socket_last_error()) . "\n"; + exit(0); + } + $retval=socket_connect($sock,$ip,$radiusport); + if ($retval==FALSE) { + echo "socket_connect() failed: " . socket_strerror(socket_last_error()) . "\n"; + exit(0); + } + + if (!preg_match("/@/",$username)) + $username.=$suffix; + + if ($debug) + echo "
radius-port: $radiusport
radius-host: $radiushost
username: $username
suffix: $suffix
\n"; + + $RA=pack("CCCCCCCCCCCCCCCC", // auth code + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255); + + $encryptedpassword=Encrypt($password,$sharedsecret,$RA); + + $length=4+ // header + 16+ // auth code + 6+ // service type + 2+strlen($username)+ // username + 2+strlen($encryptedpassword)+ // userpassword + 6+ // nasIP + 6; // nasPort + + $thisidentifier=mt_rand()%256; + // v v v v v v v v + $data=pack("CCCCa*CCCCCCCCa*CCa*CCCCCCCCN", + 1,$thisidentifier,$length/256,$length%256, // header + $RA, // authcode + 6,6,0,0,0,1, // service type + 1,2+strlen($username),$username, // username + 2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword + 4,6,$nasIP[0],$nasIP[1],$nasIP[2],$nasIP[3], // nasIP + 5,6,$_SERVER['SERVER_PORT'] // nasPort + ); + + socket_write($sock,$data,$length); + + if ($debug) + echo "
writing $length bytes
\n"; + + // + // Wait at most five seconds for the answer. Thanks to + // Michael Long for his remark about this. + // + $read = array($sock); + $num_sockets = socket_select($read, $write = NULL, $except = NULL, 60); + if ($num_sockets === FALSE) { + echo "socket_select() failed: " . + socket_strerror(socket_last_error()) . "\n"; + socket_close($sock); + exit(0); + } elseif ($num_sockets == 0) { + echo "No answer from radius server, aborting\n"; + socket_close($sock); + exit(0); + } + unset($read); + + $readdata=socket_read($sock,2); + socket_close($sock); + if ($readdata===FALSE) { + echo "socket_read() failed: " . + socket_strerror(socket_last_error()) . "\n"; + exit(0); + } + if (ord(substr($readdata, 1, 1)) != $thisidentifier) { + //echo "Wrong id received from radius server, aborting\n"; + //exit(0); + return 3; // FIXME this is awfull + } + + return ord($readdata); + // 2 -> Access-Accept + // 3 -> Access-Reject + // See RFC2138 for this. + } + + function Encrypt($password,$key,$RA) { + global $debug; + + $keyRA=$key.$RA; + + if ($debug) + echo "
key: $key
password: $password
\n"; + + $md5checksum=md5($keyRA); + $output=""; + + for ($i=0;$i<=15;$i++) { + if (2*$i>strlen($md5checksum)) $m=0; else $m=hexdec(substr($md5checksum,2*$i,2)); + if ($i>strlen($keyRA)) $k=0; else $k=ord(substr($keyRA,$i,1)); + if ($i>strlen($password)) $p=0; else $p=ord(substr($password,$i,1)); + $c=$m^$p; + $output.=chr($c); + } + return $output; + } +?> --- php-radius-1.2.5.orig/php-radius-1.2/check_login_pass.php +++ php-radius-1.2.5/php-radius-1.2/check_login_pass.php @@ -0,0 +1,26 @@ + + * License: public domain. + */ +function check_login_pass($username, $password) { + require("/usr/share/php-radius/radius_authentication.inc.php"); + + $retval = RADIUS_AUTHENTICATION($username, $password); + switch ($retval) { + case 2: + /* 2 -> Access-Accept */ + return TRUE; + break; + case 3: + /* 3 -> Access-Reject */ + echo "login incorrect"; + break; + default: + echo "temporally failure or other error"; + break; + } + return FALSE; +} + +?> --- php-radius-1.2.5.orig/php-radius-1.2/radius_authentication.conf.template +++ php-radius-1.2.5/php-radius-1.2/radius_authentication.conf.template 
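Review bot: RADIUS_AUTHENTICATION() trusts the server's verdict without authenticating the reply: it reads only two bytes with `socket_read($sock,2)`, compares the identifier and returns the code byte, and the Response Authenticator is never recomputed with the shared secret. Reply integrity therefore rests on the one-byte identifier and the UDP source address alone; the function should read the whole packet and verify the authenticator as RFC 2865 specifies before returning the code. Encrypt() also processes only the first 16 bytes of the password, so longer passwords are truncated rather than chained over further 16-byte blocks, and with `$debug` set both functions echo the shared secret and the cleartext password into the page. The comment above socket_select() says five seconds while the call passes 60.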
@@ -0,0 +1,27 @@ +# +# $Id: radius_authentication.conf.template,v 1.1 2001/08/24 14:19:10 mavetju Exp $ +# +# The IP address or hostname of the radius server +# +server a.b.c.d +# +# The port of the radius-server, if it is zero it will take the +# one specified in /etc/services. 1645 is a well known one. +# +port 0 +# +# Suffix for the userids (if no @ in the userid yet) +# +# This might be a little bit tricky to understand. Normally, you can +# authenticate via "user" or "user@domain". To make it easier for +# people, the "@domain" is often defaulted to a special domain. For +# example, if the suffix is foo.bar, the users will be authenticated +# as "user@foo.bar", while it is still possible for somebody else, +# who is not in domain foo.bar to give "admin@foo2.bar" for his userid. +# +# +suffix "" +# +# Shared secret for the server +# +secret sharedsecret --- php-radius-1.2.5.orig/php-radius-1.2/CONTACT +++ php-radius-1.2.5/php-radius-1.2/CONTACT @@ -0,0 +1,15 @@ +$Id: CONTACT,v 1.1 2002/01/20 22:28:11 mavetju Exp $ + +HOW TO CONTACT + +Via email: edwin@mavetju.org +Via snail-mail: Edwin Groothuis + 7 Islington Crescent + Greenacre NSW2190 + AUSTRALIA + +I have two mailing-lists: + announce@lists.mavetju.org <- low traffic announcements only + questions@lists.mavetju.org <- general questions + +See http://www.mavetju.org/contacts.php on how to subscribe to them.