--- php-radius-1.2.5.orig/php-radius-1.2/radius_authentication.conf.template
+++ php-radius-1.2.5/php-radius-1.2/radius_authentication.conf.template
@@ -0,0 +1,27 @@
+#
+# $Id: radius_authentication.conf.template,v 1.1 2001/08/24 14:19:10 mavetju Exp $
+#
+# The IP address or hostname of the radius server
+#
+server a.b.c.d
+#
+# The port of the radius-server, if it is zero it will take the
+# one specified in /etc/services. 1645 is a well known one.
+#
+port 0
+#
+# Suffix for the userids (if no @ in the userid yet)
+#
+# This might be a little bit tricky to understand. Normally, you can
+# authenticate via "user" or "user@domain". To make it easier for
+# people, the "@domain" is often defaulted to a special domain. For
+# example, if the suffix is foo.bar, the users will be authenticated
+# as "user@foo.bar", while it is still possible for somebody else,
+# who is not in domain foo.bar to give "admin@foo2.bar" for his userid.
+#
+#
+suffix ""
+#
+# Shared secret for the server
+#
+secret sharedsecret
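Review bot: The template's `secret sharedsecret` and `server a.b.c.d` read like working values rather than markers, and the loader in radius_authentication.inc takes whatever follows the keyword verbatim, so an unedited copy would send the literal word `sharedsecret` to the server with no warning. A value that cannot pass for a real one, e.g. `secret CHANGE_ME_BEFORE_USE`, makes the omission visible at first use. The loader also looks for `radius_authentication.conf` in the current working directory before `/etc/php-radius`, so a comment such as `# Keep this file outside the web document root: it holds the shared secret.` would help deployers (the lookup order is taken from the .inc hunk in this diff; confirm against the packaging).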
--- php-radius-1.2.5.orig/php-radius-1.2/radius.php
+++ php-radius-1.2.5/php-radius-1.2/radius.php
@@ -0,0 +1,93 @@
+<?php
+
+ //
+ // $Id: radius.php,v 1.1 2002/01/20 11:52:59 mavetju Exp $
+ //
+
+ //
+ // This script is protected. Only people who are able to
+ // authenticate themselves against a Radius server will be
+ // allowed to watch this.
+ //
+
+ //
+ // To make sure that the radius-server isn't overflown by
+ // requests and that it still works if the Radius server
+ // is using a one-time-password, we keep a local cache
+ // of the already authenticated people. The cache is valid
+ // for 15 minutes, but refreshed everytime a user is
+ // requesting this page (within the 15 minutes of course).
+ //
+ // The name of the cache is /tmp/radiuscache
+ // The name of the cookie is radius_test
+ //
+ // To use dbm-files you should compile PHP with --with-ndbm --with-db
+
+ if ($PHP_AUTH_USER=="") {
+ header("HTTP/1.0 401 Unauthorized");
+ Header("WWW-Authenticate: Basic realm=\"PHP Radius test script\"");
+ echo "<html><head><title>401 Unauthorized access</title></head><body>";
+ echo "<h1>401 Unauthorized access</h1>";
+ echo "You must login using your username and password.</body></html>";
+ exit;
+ }
+
+ require "radius_authentication.inc";
+ function radius_authenticate($user,$password) {
+ global $HTTP_COOKIE_VARS;
+ global $REMOTE_ADDR;
+
+ if (($db=dba_open("/tmp/radiuscache","c","ndbm"))==FALSE) {
+ echo "Couldn't open /tmp/radiuscache<br>\n";
+ }
+
+ $cookie=$HTTP_COOKIE_VARS["radius_test"];
+ if ($cookie!="") {
+ $lastid=dba_fetch($cookie."_id",$db);
+ $laston=dba_fetch($cookie."_laston",$db);
+ $lasthost=dba_fetch($cookie."_fromip",$db);
+ $lastuserid=dba_fetch($cookie."_userid",$db);
+ }
+
+ //
+ // Sanity checking
+ //
+ if ($cookie=="" || $lastid=="" ||
+ $laston==0 || $laston<time()-15*60 ||
+ $lasthost!=$REMOTE_ADDR || $lastuserid!=$user) {
+
+ // 2 -> Access-Accept
+ // 3 -> Access-Reject
+ if (($retval=RADIUS_AUTHENTICATION($user,$password))==2) {
+ if ($cookie=="") $cookie=md5(uniqid(rand()));
+ setcookie("radius_test",$cookie);
+ dba_replace($cookie."_id",$cookie,$db);
+ dba_replace($cookie."_userid",$user,$db);
+ dba_replace($cookie."_fromip",$REMOTE_ADDR,$db);
+ dba_replace($cookie."_laston",time(),$db);
+ }
+ } else {
+ setcookie("radius_test",$cookie);
+ dba_replace($cookie."_laston",time(),$db);
+ $retval=2;
+ }
+
+ dba_close($db);
+ return $retval==2;
+ }
+
+ if (!radius_authenticate($PHP_AUTH_USER,$PHP_AUTH_PW)) {
+ header("HTTP/1.0 401 Unauthorized");
+ Header("WWW-Authenticate: Basic realm=\"PHP Radius test script\"");
+ echo "<html><head><title>401 Unauthorized access</title></head><body>";
+ echo "<h1>401 Unauthorized access</h1>";
+ echo "You must login using a valid username and password</body></html>";
+ echo "Used was '$PHP_AUTH_USER' '$PHP_AUTH_PW'<br>\n";
+ exit;
+ }
+
+ echo "<html><head><title>200 Welcome!</title></head><body>";
+ echo "<h1>200 Welcome</h1>";
+ echo "You logged in using a valid username and password</body></html>";
+
+?>
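Review bot: The line `echo "Used was '$PHP_AUTH_USER' '$PHP_AUTH_PW'<br>\n";` in the failure branch writes the submitted password and the raw user name into the 401 response body; the password should never be echoed and the name is unescaped HTML, so drop that line (or at most `echo "User '" . htmlspecialchars($PHP_AUTH_USER) . "' was rejected<br>\n";`). In radius_authenticate a failed `dba_open()` only prints a message and then every `dba_fetch`/`dba_replace` runs against a FALSE handle, so that branch should terminate: `{ echo "Couldn't open /tmp/radiuscache<br>\n"; exit; }`. The session token `md5(uniqid(rand()))` is derived from non-cryptographic sources; where the PHP version allows it, `bin2hex(random_bytes(16))` is the right generator. The fixed, host-wide cache path `/tmp/radiuscache` is what the header comment describes, but it is worth stating there that the file is shared by every process on the host and must not be world-writable.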
--- php-radius-1.2.5.orig/php-radius-1.2/README
+++ php-radius-1.2.5/php-radius-1.2/README
@@ -0,0 +1,8 @@
+$Id: README,v 1.3 2002/01/23 23:21:20 mavetju Exp $
+
+This script allows you to do authentication against Radius servers.
+It's updated for PHP 4.1.1, with new names for the sockets-functions.
+
+Edwin Groothuis
+edwin@mavetju.org
+http://www.mavetju.org/programming/php.php
--- php-radius-1.2.5.orig/php-radius-1.2/LICENSE
+++ php-radius-1.2.5/php-radius-1.2/LICENSE
@@ -0,0 +1,30 @@
+
+Copyright 2000, 2001, 2002 by Edwin Groothuis. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by Edwin Groothuis.
+4. Neither the name of Edwin Groothuis may be used to endorse or
+ promote products derived from this software without specific
+ prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
--- php-radius-1.2.5.orig/php-radius-1.2/CONTACT
+++ php-radius-1.2.5/php-radius-1.2/CONTACT
@@ -0,0 +1,15 @@
+$Id: CONTACT,v 1.1 2002/01/20 22:28:11 mavetju Exp $
+
+HOW TO CONTACT
+
+Via email: edwin@mavetju.org
+Via snail-mail: Edwin Groothuis
+ 7 Islington Crescent
+ Greenacre NSW2190
+ AUSTRALIA
+
+I have two mailing-lists:
+ announce@lists.mavetju.org <- low traffic announcements only
+ questions@lists.mavetju.org <- general questions
+
+See http://www.mavetju.org/contacts.php on how to subscribe to them.
--- php-radius-1.2.5.orig/php-radius-1.2/CHANGES
+++ php-radius-1.2.5/php-radius-1.2/CHANGES
@@ -0,0 +1,13 @@
+$Id: CHANGES,v 1.2 2002/01/23 23:21:20 mavetju Exp $
+
+v1.2
+ - Michael Long <mlong@infoave.net> suggested a select
+ timeout feature.
+
+v1.1
+ - PHP 4.1.1 is out, and the socket functions have been
+ renamed. Updated for this.
+ - Added sample script with caching
+
+v1.0
+ - Initial release
--- php-radius-1.2.5.orig/php-radius-1.2/radius_authentication.inc
+++ php-radius-1.2.5/php-radius-1.2/radius_authentication.inc
@@ -0,0 +1,190 @@
+<?
+ //
+ // $Id: radius_authentication.inc,v 1.3 2002/01/23 23:21:20 mavetju Exp $
+ //
+ // Roberto Lumbreras <rover@debian.org> Tue, 23 Mar 2004 00:34:01 +0100
+ // select fixes, error checks, more than one config file
+ //
+ // radius authentication v1.0 by Edwin Groothuis (edwin@mavetju.org)
+ //
+ // If you didn't get this file via http://www.mavetju.org, please
+ // check for the availability of newer versions.
+ //
+ // See LICENSE for distribution issues. If this file isn't in
+ // the distribution, please inform me about it.
+ //
+ // If you want to use this script, fill in the configuration in
+ // radius_authentication.conf and call the function
+ // RADIUS_AUTHENTICATION() with the username and password
+ // provided by the user. If it returns a 2, the authentication
+ // was successfull!
+
+ // If you want to use this, make sure that you have raw sockets
+ // enabled during compile-time: "./configure --enable-sockets".
+
+ function init_radiusconfig(&$server,&$port,&$sharedsecret,&$suffix) {
+ global $radius_server;
+ if (is_file("radius_authentication.conf")) {
+ $filename="radius_authentication.conf";
+ } else if (isset($radius_server) &&
+ is_file("/etc/php-radius/server-$radius_server.conf")) {
+ $filename="/etc/php-radius/server-$radius_server.conf";
+ } else if (is_file("/etc/php-radius/server.conf")){
+ $filename="/etc/php-radius/server.conf";
+ } else {
+ echo "Couldn't find any config file, exiting";
+ exit(0);
+ }
+ $file=fopen($filename,"r");
+ if ($file==0) {
+ echo "Couldn't open $filename, exiting";
+ exit(0);
+ }
+ while (!feof($file)) {
+ $s=fgets($file,1024);
+ $s=chop($s);
+ if ($s[0]=="#") continue;
+ if (strlen($s)==0) continue;
+ if (preg_match("/^([a-zA-Z]+) (.*)$/",$s,$a)) {
+ if ($a[1]=="port") { $port=$a[2];continue; }
+ if ($a[1]=="server") { $server=$a[2];continue; }
+ if ($a[1]=="secret") { $sharedsecret=$a[2];continue; }
+ if ($a[1]=="suffix") {
+ $suffix=$a[2];
+ if ($suffix=="\"\"") {
+ $suffix="";
+ }
+ continue;
+ }
+ }
+ echo "Unknown config-file option: $a[1] ($s)\n";
+ exit(0);
+ }
+ fclose($file);
+ }
+
+ function RADIUS_AUTHENTICATION($username,$password) {
+ global $debug;
+ $radiushost="";
+ $sharedsecret="";
+ $suffix="";
+
+ init_radiusconfig(&$radiushost,&$radiusport,&$sharedsecret,&$suffix);
+
+ // check your /etc/services. Some radius servers
+ // listen on port 1812, some on 1645.
+ if ($radiusport==0)
+ $radiusport=getservbyname("radius","udp");
+
+ $nasIP=explode(".",$_SERVER['SERVER_ADDR']);
+ $ip=gethostbyname($radiushost);
+
+ // 17 is UDP, formerly known as PROTO_UDP
+ $sock=socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
+ if ($sock==FALSE) {
+ echo "socket_create() failed: " . socket_strerror(socket_last_error()) . "\n";
+ exit(0);
+ }
+ $retval=socket_connect($sock,$ip,$radiusport);
+ if ($retval==FALSE) {
+ echo "socket_connect() failed: " . socket_strerror(socket_last_error()) . "\n";
+ exit(0);
+ }
+
+ if (!preg_match("/@/",$username))
+ $username.=$suffix;
+
+ if ($debug)
+ echo "<br>radius-port: $radiusport<br>radius-host: $radiushost<br>username: $username<br>suffix: $suffix<hr>\n";
+
+ $RA=pack("CCCCCCCCCCCCCCCC", // auth code
+ 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
+ 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
+ 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
+ 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255);
+
+ $encryptedpassword=Encrypt($password,$sharedsecret,$RA);
+
+ $length=4+ // header
+ 16+ // auth code
+ 6+ // service type
+ 2+strlen($username)+ // username
+ 2+strlen($encryptedpassword)+ // userpassword
+ 6+ // nasIP
+ 6; // nasPort
+
+ $thisidentifier=mt_rand()%256;
+ // v v v v v v v v
+ $data=pack("CCCCa*CCCCCCCCa*CCa*CCCCCCCCN",
+ 1,$thisidentifier,$length/256,$length%256, // header
+ $RA, // authcode
+ 6,6,0,0,0,1, // service type
+ 1,2+strlen($username),$username, // username
+ 2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword
+ 4,6,$nasIP[0],$nasIP[1],$nasIP[2],$nasIP[3], // nasIP
+ 5,6,$_SERVER['SERVER_PORT'] // nasPort
+ );
+
+ socket_write($sock,$data,$length);
+
+ if ($debug)
+ echo "<br>writing $length bytes<hr>\n";
+
+ //
+ // Wait at most five seconds for the answer. Thanks to
+ // Michael Long <mlong@infoave.net> for his remark about this.
+ //
+ $read = array($sock);
+ $num_sockets = socket_select($read, $write = NULL, $except = NULL, 60);
+ if ($num_sockets === FALSE) {
+ echo "socket_select() failed: " .
+ socket_strerror(socket_last_error()) . "\n";
+ socket_close($sock);
+ exit(0);
+ } elseif ($num_sockets == 0) {
+ echo "No answer from radius server, aborting\n";
+ socket_close($sock);
+ exit(0);
+ }
+ unset($read);
+
+ $readdata=socket_read($sock,2);
+ socket_close($sock);
+ if ($readdata===FALSE) {
+ echo "socket_read() failed: " .
+ socket_strerror(socket_last_error()) . "\n";
+ exit(0);
+ }
+ if (ord(substr($readdata, 1, 1)) != $thisidentifier) {
+ //echo "Wrong id received from radius server, aborting\n";
+ //exit(0);
+ return 3; // FIXME this is awfull
+ }
+
+ return ord($readdata);
+ // 2 -> Access-Accept
+ // 3 -> Access-Reject
+ // See RFC2138 for this.
+ }
+
+ function Encrypt($password,$key,$RA) {
+ global $debug;
+
+ $keyRA=$key.$RA;
+
+ if ($debug)
+ echo "<br>key: $key<br>password: $password<hr>\n";
+
+ $md5checksum=md5($keyRA);
+ $output="";
+
+ for ($i=0;$i<=15;$i++) {
+ if (2*$i>strlen($md5checksum)) $m=0; else $m=hexdec(substr($md5checksum,2*$i,2));
+ if ($i>strlen($keyRA)) $k=0; else $k=ord(substr($keyRA,$i,1));
+ if ($i>strlen($password)) $p=0; else $p=ord(substr($password,$i,1));
+ $c=$m^$p;
+ $output.=chr($c);
+ }
+ return $output;
+ }
+?>
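Review bot: The reply handling in RADIUS_AUTHENTICATION reads only two bytes (`socket_read($sock,2)`) and trusts the Code field on the strength of a matching one-byte identifier; the Response Authenticator (bytes 4–19) is never checked against MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret) as RFC 2865 section 3 requires, so the function cannot distinguish a genuine Access-Accept from any datagram carrying code 2 and the right id. The rewrite below reads the whole datagram, validates the Length field and verifies the authenticator with the shared secret before using the code (`hash_equals` needs PHP 5.6+; on older versions a plain `===` is still better than no check). Related weaknesses in the same function: the Request Authenticator is assembled from `mt_rand()` rather than a CSPRNG (`random_bytes(16)` on PHP 7+), `Encrypt()` hides only the first 16-byte block so passwords longer than 16 bytes are silently truncated instead of chained block by block as the RFC describes, and the `$debug` branches echo the shared secret and the clear-text password into HTML output. Separately, `init_radiusconfig(&$radiushost,&$radiusport,&$sharedsecret,&$suffix)` uses call-time pass-by-reference, a fatal error on PHP 5.4 and later; the parameters are already declared by reference, so the `&` at the call site should be dropped.
```php
    $readdata=socket_read($sock,4096);
    socket_close($sock);
    // … unchanged: socket_read() failure check …
    // Code(1) Identifier(1) Length(2) Authenticator(16) Attributes(...)
    if (strlen($readdata)<20 || ord($readdata[1])!=$thisidentifier) {
        return 3;
    }
    $pktlen=ord($readdata[2])*256+ord($readdata[3]);
    if ($pktlen<20 || $pktlen>strlen($readdata)) {
        return 3;
    }
    // RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    $expected=md5(substr($readdata,0,4).$RA.substr($readdata,20,$pktlen-20).$sharedsecret,true);
    if (!hash_equals($expected,substr($readdata,4,16))) {
        return 3;
    }

    return ord($readdata);
```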
--- php-radius-1.2.5.orig/php-radius-1.2/check_login_pass.php
+++ php-radius-1.2.5/php-radius-1.2/check_login_pass.php
@@ -0,0 +1,26 @@
+<?php
+/*
+ * Copyright (C) 2004 Roberto Lumbreras <rover@debian.org>
+ * License: public domain.
+ */
+function check_login_pass($username, $password) {
+ require("/usr/share/php-radius/radius_authentication.inc.php");
+
+ $retval = RADIUS_AUTHENTICATION($username, $password);
+ switch ($retval) {
+ case 2:
+ /* 2 -> Access-Accept */
+ return TRUE;
+ break;
+ case 3:
+ /* 3 -> Access-Reject */
+ echo "login incorrect";
+ break;
+ default:
+ echo "temporally failure or other error";
+ break;
+ }
+ return FALSE;
+}
+
+?>
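Review bot: `require("/usr/share/php-radius/radius_authentication.inc.php")` sits inside check_login_pass(), so a second call in the same request includes the file again and fails with a "cannot redeclare RADIUS_AUTHENTICATION" fatal error; use `require_once("/usr/share/php-radius/radius_authentication.inc.php");`. The included name ends in `.inc.php` while this diff adds `radius_authentication.inc` — presumably the packaging renames it at install time, but that is worth confirming. The `break;` after `return TRUE;` is unreachable and can go, and the helper mixes the decision with output (`echo "login incorrect"`, and `"temporally failure"` presumably means "temporary failure"), which a caller cannot suppress; returning the reason and letting the caller render it keeps the function reusable.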