--- php-radius-1.2.7.orig/debian/changelog
+++ php-radius-1.2.7/debian/changelog
@@ -0,0 +1,99 @@
+php-radius (1.2.7-2) unstable; urgency=medium
+
+ * Fix typo in git URL
+
+ -- Ondřej Surý Tue, 25 Aug 2015 14:02:58 +0200
+
+php-radius (1.2.7-1) unstable; urgency=medium
+
+ * New upstream version 1.2.7
+ * Move under Debian PHP PECL Maintainer umbrella
+ * Modernize packaging to use pkg-php-tools and dh-php5
+ * Drop php-radius-legacy package, that should have been a separate
+ source package (if needed at all)
+
+ -- Ondřej Surý Fri, 22 May 2015 22:51:50 +0200
+
+php-radius (1.2.5-2.4) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix security issue in radius_get_vendor_attr()
+ (CVE-2013-2220, closes: #714362)
+
+ -- Thijs Kinkhorst Thu, 25 Jul 2013 14:28:53 +0200
+
+php-radius (1.2.5-2.3) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Initialise type parameter to radius_create_request() as long, to avoid
+ segfaulting in zend_parse_parameters() (Closes: #702872).
+
+ -- Thijs Kinkhorst Tue, 12 Mar 2013 15:04:53 +0100
+
+php-radius (1.2.5-2.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Update zoph to PHP 5.4: fix "Call-time pass-by-reference" error.
+ Affected file is php-radius-1.2/radius_authentication.inc
+ (Closes: #658956)
+
+ -- Mònica Ramírez Arceda Sat, 28 Apr 2012 14:20:00 +0200
+
+php-radius (1.2.5-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix build with PHP 5.4 (Closes: #656490)
+ * Replace dependency of xlstproc with dh-make-php to generate the changelog
+
+ -- Lior Kaplan Sat, 21 Jan 2012 17:21:14 +0200
+
+php-radius (1.2.5-2) unstable; urgency=low
+
+ * Do not call clean-v4 target in clean (Closes: #472321).
+
+ -- Roberto Lumbreras Sun, 23 Mar 2008 14:08:06 +0100
+
+php-radius (1.2.5-1) unstable; urgency=low
+
+ * Merge with radius PECL module (Closes: #458438).
+ * Rename php-radius binary package to php-radius-legacy.
+
+ -- Roberto Lumbreras Mon, 17 Mar 2008 01:27:06 +0100
+
+php-radius (1.2-4) unstable; urgency=low
+
+ * Depend on php5 instead of php4 (Closes: #418303).
+ * debian/rules: switched to debhelper.
+ * debian/control: lintian & linda clean.
+ * Upgraded to standards 3.7.2 (no changes).
+
+ -- Roberto Lumbreras Tue, 17 Apr 2007 16:56:29 +0200
+
+php-radius (1.2-3) unstable; urgency=low
+
+ * Fixed NAS-IP-Port length in the radius packet (Closes: #338152).
+ * Send $_SERVER['SERVER_PORT'] as the NAS-IP-Port, and
+ $_SERVER['SERVER_ADDR'] instead of $SERVER_ADDR as the NAS-IP-Address.
+ * Use SOL_UDP as protocol instead of 17. Increased socket_select timeout to
+ 60 seconds to be sure that the answer is received. Look at the id of the
+ answer and reject access if not the same as the request (this should be
+ done in a better way)
+
+ -- Roberto Lumbreras Tue, 08 Nov 2005 20:47:01 +0100
+
+php-radius (1.2-2) unstable; urgency=low
+
+ * Depend on php4-cli instead of php4-cgi. (Closes: #337440)
+ * Upgraded to standards 3.6.2 (no changes).
+
+ -- Roberto Lumbreras Fri, 04 Nov 2005 20:15:07 +0100
+
+php-radius (1.2-1) unstable; urgency=low
+
+ * New package. (closes: #239244)
+ * Fixed select calls (socket_fd_* no longer exist).
+ Added error checks to socket function calls.
+ Use mt_rand instead of rand, it is faster and better.
+ Added code so more than one config file can be used.
+
+ -- Roberto Lumbreras Tue, 03 Aug 2004 15:24:26 +0200
--- php-radius-1.2.7.orig/debian/compat
+++ php-radius-1.2.7/debian/compat
@@ -0,0 +1 @@
+9
--- php-radius-1.2.7.orig/debian/control
+++ php-radius-1.2.7/debian/control
@@ -0,0 +1,26 @@
+Source: php-radius
+Section: web
+Priority: optional
+Maintainer: Debian PHP PECL Maintainers
+Uploaders: Ondřej Surý ,
+ Roberto Lumbreras
+Build-Depends: debhelper (>= 9),
+ dh-php5,
+ php5-dev,
+ pkg-php-tools (>= 1.5~),
+ po-debconf
+Standards-Version: 3.9.6
+Vcs-Git: git://anonscm.debian.org/pkg-php/php-radius.git
+Vcs-Browser: http://anonscm.debian.org/gitweb?p=pkg-php/php-radius.git;a=summary
+Homepage: http://pecl.php.net/package/radius
+
+Package: php5-radius
+Architecture: any
+Depends: ${misc:Depends},
+ ${php:Depends},
+ ${phppear:Debian-Depends},
+ ${shlibs:Depends}
+Recommends: ${phppear:Debian-Recommends}
+Breaks: ${phppear:Debian-Breaks}
+Description: ${phppear:summary}
+ ${phppear:description}
--- php-radius-1.2.7.orig/debian/copyright
+++ php-radius-1.2.7/debian/copyright
@@ -0,0 +1,58 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: radius
+Upstream-Contact: Michael Bretterklieber
+Source: http://pecl.php.net/package/radius
+
+Files: *
+Copyright: 1997-2009 Michael Bretterklieber
+License: BSD-2-clause
+
+Files: debian/*
+Copyright: 2015 Ondřej Surý
+License: Expat
+
+License: BSD-2-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+ WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- php-radius-1.2.7.orig/debian/pecl
+++ php-radius-1.2.7/debian/pecl
@@ -0,0 +1 @@
+modules/radius.so
--- php-radius-1.2.7.orig/debian/php5-radius.examples
+++ php-radius-1.2.7/debian/php5-radius.examples
@@ -0,0 +1 @@
+radius-*/examples/*
--- php-radius-1.2.7.orig/debian/php5-radius.php5
+++ php-radius-1.2.7/debian/php5-radius.php5
@@ -0,0 +1 @@
+mod debian/radius.ini
--- php-radius-1.2.7.orig/debian/radius.ini
+++ php-radius-1.2.7/debian/radius.ini
@@ -0,0 +1 @@
+extension=radius.so
--- php-radius-1.2.7.orig/debian/rules
+++ php-radius-1.2.7/debian/rules
@@ -0,0 +1,7 @@
+#!/usr/bin/make -f
+
+export DH_VERBOSE=1
+export NO_INTERACTION=1
+
+%:
+ dh $@ --buildsystem=phppear --with phppear --with php5
--- php-radius-1.2.7.orig/debian/watch
+++ php-radius-1.2.7/debian/watch
@@ -0,0 +1,3 @@
+version=3
+http://pecl.php.net/package/radius \
+ /get/radius-([\d\.]*).tgz debian uupdate
--- php-radius-1.2.7.orig/php-radius-1.2/CHANGES
+++ php-radius-1.2.7/php-radius-1.2/CHANGES
@@ -0,0 +1,13 @@
+$Id: CHANGES,v 1.2 2002/01/23 23:21:20 mavetju Exp $
+
+v1.2
+ - Michael Long suggested a select
+ timeout feature.
+
+v1.1
+ - PHP 4.1.1 is out, and the socket functions have been
+ renamed. Updated for this.
+ - Added sample script with caching
+
+v1.0
+ - Initial release
--- php-radius-1.2.7.orig/php-radius-1.2/CONTACT
+++ php-radius-1.2.7/php-radius-1.2/CONTACT
@@ -0,0 +1,15 @@
+$Id: CONTACT,v 1.1 2002/01/20 22:28:11 mavetju Exp $
+
+HOW TO CONTACT
+
+Via email: edwin@mavetju.org
+Via snail-mail: Edwin Groothuis
+ 7 Islington Crescent
+ Greenacre NSW2190
+ AUSTRALIA
+
+I have two mailing-lists:
+ announce@lists.mavetju.org <- low traffic announcements only
+ questions@lists.mavetju.org <- general questions
+
+See http://www.mavetju.org/contacts.php on how to subscribe to them.
--- php-radius-1.2.7.orig/php-radius-1.2/LICENSE
+++ php-radius-1.2.7/php-radius-1.2/LICENSE
@@ -0,0 +1,30 @@
+
+Copyright 2000, 2001, 2002 by Edwin Groothuis. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by Edwin Groothuis.
+4. Neither the name of Edwin Groothuis may be used to endorse or
+ promote products derived from this software without specific
+ prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
--- php-radius-1.2.7.orig/php-radius-1.2/README
+++ php-radius-1.2.7/php-radius-1.2/README
@@ -0,0 +1,8 @@ +$Id: README,v 1.3 2002/01/23 23:21:20 mavetju Exp $ + +This script allows you to do authentication against Radius servers. +It's updated for PHP 4.1.1, with new names for the sockets-functions. + +Edwin Groothuis +edwin@mavetju.org +http://www.mavetju.org/programming/php.php --- php-radius-1.2.7.orig/php-radius-1.2/check_login_pass.php +++ php-radius-1.2.7/php-radius-1.2/check_login_pass.php @@ -0,0 +1,26 @@ + + * License: public domain. + */ +function check_login_pass($username, $password) { + require("/usr/share/php-radius/radius_authentication.inc.php"); + + $retval = RADIUS_AUTHENTICATION($username, $password); + switch ($retval) { + case 2: + /* 2 -> Access-Accept */ + return TRUE; + break; + case 3: + /* 3 -> Access-Reject */ + echo "login incorrect"; + break; + default: + echo "temporally failure or other error"; + break; + } + return FALSE; +} + +?> --- php-radius-1.2.7.orig/php-radius-1.2/radius.php +++ php-radius-1.2.7/php-radius-1.2/radius.php @@ -0,0 +1,93 @@ +401 Unauthorized access"; + echo "
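Review bot: In check_login_pass.php the `require(...)` sits inside `check_login_pass()`, so a second call in the same request would load radius_authentication.inc.php again and, if that file declares functions the way radius_authentication.inc in this patch does, stop with a redeclaration fatal error; `require_once("/usr/share/php-radius/radius_authentication.inc.php");` avoids that. The function also echoes its failure text itself, which ties an authentication helper to page output; returning FALSE and letting the caller render the message keeps the two apart. The opening lines of this file are not fully visible here, so the header comment could not be reviewed.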

401 Unauthorized access

"; + echo "You must login using your username and password."; + exit; + } + + require "radius_authentication.inc"; + function radius_authenticate($user,$password) { + global $HTTP_COOKIE_VARS; + global $REMOTE_ADDR; + + if (($db=dba_open("/tmp/radiuscache","c","ndbm"))==FALSE) { + echo "Couldn't open /tmp/radiuscache
\n"; + } + + $cookie=$HTTP_COOKIE_VARS["radius_test"]; + if ($cookie!="") { + $lastid=dba_fetch($cookie."_id",$db); + $laston=dba_fetch($cookie."_laston",$db); + $lasthost=dba_fetch($cookie."_fromip",$db); + $lastuserid=dba_fetch($cookie."_userid",$db); + } + + // + // Sanity checking + // + if ($cookie=="" || $lastid=="" || + $laston==0 || $laston Access-Accept + // 3 -> Access-Reject + if (($retval=RADIUS_AUTHENTICATION($user,$password))==2) { + if ($cookie=="") $cookie=md5(uniqid(rand())); + setcookie("radius_test",$cookie); + dba_replace($cookie."_id",$cookie,$db); + dba_replace($cookie."_userid",$user,$db); + dba_replace($cookie."_fromip",$REMOTE_ADDR,$db); + dba_replace($cookie."_laston",time(),$db); + } + } else { + setcookie("radius_test",$cookie); + dba_replace($cookie."_laston",time(),$db); + $retval=2; + } + + dba_close($db); + return $retval==2; + } + + if (!radius_authenticate($PHP_AUTH_USER,$PHP_AUTH_PW)) { + header("HTTP/1.0 401 Unauthorized"); + Header("WWW-Authenticate: Basic realm=\"PHP Radius test script\""); + echo "401 Unauthorized access"; + echo "

401 Unauthorized access

"; + echo "You must login using a valid username and password"; + echo "Used was '$PHP_AUTH_USER' '$PHP_AUTH_PW'
\n"; + exit; + } + + echo "200 Welcome!"; + echo "

200 Welcome

"; + echo "You logged in using a valid username and password"; + +?> --- php-radius-1.2.7.orig/php-radius-1.2/radius_authentication.conf.template +++ php-radius-1.2.7/php-radius-1.2/radius_authentication.conf.template @@ -0,0 +1,27 @@ +# +# $Id: radius_authentication.conf.template,v 1.1 2001/08/24 14:19:10 mavetju Exp $ +# +# The IP address or hostname of the radius server +# +server a.b.c.d +# +# The port of the radius-server, if it is zero it will take the +# one specified in /etc/services. 1645 is a well known one. +# +port 0 +# +# Suffix for the userids (if no @ in the userid yet) +# +# This might be a little bit tricky to understand. Normally, you can +# authenticate via "user" or "user@domain". To make it easier for +# people, the "@domain" is often defaulted to a special domain. For +# example, if the suffix is foo.bar, the users will be authenticated +# as "user@foo.bar", while it is still possible for somebody else, +# who is not in domain foo.bar to give "admin@foo2.bar" for his userid. +# +# +suffix "" +# +# Shared secret for the server +# +secret sharedsecret --- php-radius-1.2.7.orig/php-radius-1.2/radius_authentication.inc +++ php-radius-1.2.7/php-radius-1.2/radius_authentication.inc 
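Review bot: In radius.php the `radius_test` cookie is accepted in place of a RADIUS check (the else branch sets `$retval=2` without calling RADIUS_AUTHENTICATION), yet its value comes from `md5(uniqid(rand()))`, which is derived from the clock and a non-cryptographic generator and is therefore guessable; on PHP 5 something like `$cookie=bin2hex(openssl_random_pseudo_bytes(16));` would be a safer source, assuming the openssl extension is available. The cache that backs the cookie is opened at the fixed path `/tmp/radiuscache` in a shared, world-writable directory, so a private directory owned by the web server user would be a better home for it. The final 401 branch prints `'$PHP_AUTH_USER' '$PHP_AUTH_PW'` into the page unescaped, which both reflects client-supplied markup and displays the submitted password, so that `echo "Used was ..."` line should be dropped. Part of the sanity-check condition is not visible in this hunk, so the host and age checks applied to the cookie could not be reviewed.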
@@ -0,0 +1,190 @@ + Tue, 23 Mar 2004 00:34:01 +0100 + // select fixes, error checks, more than one config file + // + // radius authentication v1.0 by Edwin Groothuis (edwin@mavetju.org) + // + // If you didn't get this file via http://www.mavetju.org, please + // check for the availability of newer versions. + // + // See LICENSE for distribution issues. If this file isn't in + // the distribution, please inform me about it. + // + // If you want to use this script, fill in the configuration in + // radius_authentication.conf and call the function + // RADIUS_AUTHENTICATION() with the username and password + // provided by the user. If it returns a 2, the authentication + // was successfull! + + // If you want to use this, make sure that you have raw sockets + // enabled during compile-time: "./configure --enable-sockets". + + function init_radiusconfig(&$server,&$port,&$sharedsecret,&$suffix) { + global $radius_server; + if (is_file("radius_authentication.conf")) { + $filename="radius_authentication.conf"; + } else if (isset($radius_server) && + is_file("/etc/php-radius/server-$radius_server.conf")) { + $filename="/etc/php-radius/server-$radius_server.conf"; + } else if (is_file("/etc/php-radius/server.conf")){ + $filename="/etc/php-radius/server.conf"; + } else { + echo "Couldn't find any config file, exiting"; + exit(0); + } + $file=fopen($filename,"r"); + if ($file==0) { + echo "Couldn't open $filename, exiting"; + exit(0); + } + while (!feof($file)) { + $s=fgets($file,1024); + $s=chop($s); + if ($s[0]=="#") continue; + if (strlen($s)==0) continue; + if (preg_match("/^([a-zA-Z]+) (.*)$/",$s,$a)) { + if ($a[1]=="port") { $port=$a[2];continue; } + if ($a[1]=="server") { $server=$a[2];continue; } + if ($a[1]=="secret") { $sharedsecret=$a[2];continue; } + if ($a[1]=="suffix") { + $suffix=$a[2]; + if ($suffix=="\"\"") { + $suffix=""; + } + continue; + } + } + echo "Unknown config-file option: $a[1] ($s)\n"; + exit(0); + } + fclose($file); + } + + function 
RADIUS_AUTHENTICATION($username,$password) { + global $debug; + $radiushost=""; + $sharedsecret=""; + $suffix=""; + + init_radiusconfig($radiushost,$radiusport,$sharedsecret,$suffix); + + // check your /etc/services. Some radius servers + // listen on port 1812, some on 1645. + if ($radiusport==0) + $radiusport=getservbyname("radius","udp"); + + $nasIP=explode(".",$_SERVER['SERVER_ADDR']); + $ip=gethostbyname($radiushost); + + // 17 is UDP, formerly known as PROTO_UDP + $sock=socket_create(AF_INET, SOCK_DGRAM, SOL_UDP); + if ($sock==FALSE) { + echo "socket_create() failed: " . socket_strerror(socket_last_error()) . "\n"; + exit(0); + } + $retval=socket_connect($sock,$ip,$radiusport); + if ($retval==FALSE) { + echo "socket_connect() failed: " . socket_strerror(socket_last_error()) . "\n"; + exit(0); + } + + if (!preg_match("/@/",$username)) + $username.=$suffix; + + if ($debug) + echo "
radius-port: $radiusport
radius-host: $radiushost
username: $username
suffix: $suffix
\n"; + + $RA=pack("CCCCCCCCCCCCCCCC", // auth code + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, + 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255); + + $encryptedpassword=Encrypt($password,$sharedsecret,$RA); + + $length=4+ // header + 16+ // auth code + 6+ // service type + 2+strlen($username)+ // username + 2+strlen($encryptedpassword)+ // userpassword + 6+ // nasIP + 6; // nasPort + + $thisidentifier=mt_rand()%256; + // v v v v v v v v + $data=pack("CCCCa*CCCCCCCCa*CCa*CCCCCCCCN", + 1,$thisidentifier,$length/256,$length%256, // header + $RA, // authcode + 6,6,0,0,0,1, // service type + 1,2+strlen($username),$username, // username + 2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword + 4,6,$nasIP[0],$nasIP[1],$nasIP[2],$nasIP[3], // nasIP + 5,6,$_SERVER['SERVER_PORT'] // nasPort + ); + + socket_write($sock,$data,$length); + + if ($debug) + echo "
writing $length bytes
\n"; + + // + // Wait at most five seconds for the answer. Thanks to + // Michael Long for his remark about this. + // + $read = array($sock); + $num_sockets = socket_select($read, $write = NULL, $except = NULL, 60); + if ($num_sockets === FALSE) { + echo "socket_select() failed: " . + socket_strerror(socket_last_error()) . "\n"; + socket_close($sock); + exit(0); + } elseif ($num_sockets == 0) { + echo "No answer from radius server, aborting\n"; + socket_close($sock); + exit(0); + } + unset($read); + + $readdata=socket_read($sock,2); + socket_close($sock); + if ($readdata===FALSE) { + echo "socket_read() failed: " . + socket_strerror(socket_last_error()) . "\n"; + exit(0); + } + if (ord(substr($readdata, 1, 1)) != $thisidentifier) { + //echo "Wrong id received from radius server, aborting\n"; + //exit(0); + return 3; // FIXME this is awfull + } + + return ord($readdata); + // 2 -> Access-Accept + // 3 -> Access-Reject + // See RFC2138 for this. + } + + function Encrypt($password,$key,$RA) { + global $debug; + + $keyRA=$key.$RA; + + if ($debug) + echo "
key: $key
password: $password
\n"; + + $md5checksum=md5($keyRA); + $output=""; + + for ($i=0;$i<=15;$i++) { + if (2*$i>strlen($md5checksum)) $m=0; else $m=hexdec(substr($md5checksum,2*$i,2)); + if ($i>strlen($keyRA)) $k=0; else $k=ord(substr($keyRA,$i,1)); + if ($i>strlen($password)) $p=0; else $p=ord(substr($password,$i,1)); + $c=$m^$p; + $output.=chr($c); + } + return $output; + } +?>