/usr/share/php-radius/radius_authentication.inc.php is in php-radius-legacy 1.2.5-2.4build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 | <?
//
// $Id: radius_authentication.inc,v 1.3 2002/01/23 23:21:20 mavetju Exp $
//
// Roberto Lumbreras <rover@debian.org> Tue, 23 Mar 2004 00:34:01 +0100
// select fixes, error checks, more than one config file
//
// radius authentication v1.0 by Edwin Groothuis (edwin@mavetju.org)
//
// If you didn't get this file via http://www.mavetju.org, please
// check for the availability of newer versions.
//
// See LICENSE for distribution issues. If this file isn't in
// the distribution, please inform me about it.
//
// If you want to use this script, fill in the configuration in
// radius_authentication.conf and call the function
// RADIUS_AUTHENTICATION() with the username and password
// provided by the user. If it returns a 2, the authentication
// was successfull!
// If you want to use this, make sure that you have raw sockets
// enabled during compile-time: "./configure --enable-sockets".
function init_radiusconfig(&$server,&$port,&$sharedsecret,&$suffix) {
global $radius_server;
if (is_file("radius_authentication.conf")) {
$filename="radius_authentication.conf";
} else if (isset($radius_server) &&
is_file("/etc/php-radius/server-$radius_server.conf")) {
$filename="/etc/php-radius/server-$radius_server.conf";
} else if (is_file("/etc/php-radius/server.conf")){
$filename="/etc/php-radius/server.conf";
} else {
echo "Couldn't find any config file, exiting";
exit(0);
}
$file=fopen($filename,"r");
if ($file==0) {
echo "Couldn't open $filename, exiting";
exit(0);
}
while (!feof($file)) {
$s=fgets($file,1024);
$s=chop($s);
if ($s[0]=="#") continue;
if (strlen($s)==0) continue;
if (preg_match("/^([a-zA-Z]+) (.*)$/",$s,$a)) {
if ($a[1]=="port") { $port=$a[2];continue; }
if ($a[1]=="server") { $server=$a[2];continue; }
if ($a[1]=="secret") { $sharedsecret=$a[2];continue; }
if ($a[1]=="suffix") {
$suffix=$a[2];
if ($suffix=="\"\"") {
$suffix="";
}
continue;
}
}
echo "Unknown config-file option: $a[1] ($s)\n";
exit(0);
}
fclose($file);
}
function RADIUS_AUTHENTICATION($username,$password) {
global $debug;
$radiushost="";
$sharedsecret="";
$suffix="";
init_radiusconfig($radiushost,$radiusport,$sharedsecret,$suffix);
// check your /etc/services. Some radius servers
// listen on port 1812, some on 1645.
if ($radiusport==0)
$radiusport=getservbyname("radius","udp");
$nasIP=explode(".",$_SERVER['SERVER_ADDR']);
$ip=gethostbyname($radiushost);
// 17 is UDP, formerly known as PROTO_UDP
$sock=socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($sock==FALSE) {
echo "socket_create() failed: " . socket_strerror(socket_last_error()) . "\n";
exit(0);
}
$retval=socket_connect($sock,$ip,$radiusport);
if ($retval==FALSE) {
echo "socket_connect() failed: " . socket_strerror(socket_last_error()) . "\n";
exit(0);
}
if (!preg_match("/@/",$username))
$username.=$suffix;
if ($debug)
echo "<br>radius-port: $radiusport<br>radius-host: $radiushost<br>username: $username<br>suffix: $suffix<hr>\n";
$RA=pack("CCCCCCCCCCCCCCCC", // auth code
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255);
$encryptedpassword=Encrypt($password,$sharedsecret,$RA);
$length=4+ // header
16+ // auth code
6+ // service type
2+strlen($username)+ // username
2+strlen($encryptedpassword)+ // userpassword
6+ // nasIP
6; // nasPort
$thisidentifier=mt_rand()%256;
// v v v v v v v v
$data=pack("CCCCa*CCCCCCCCa*CCa*CCCCCCCCN",
1,$thisidentifier,$length/256,$length%256, // header
$RA, // authcode
6,6,0,0,0,1, // service type
1,2+strlen($username),$username, // username
2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword
4,6,$nasIP[0],$nasIP[1],$nasIP[2],$nasIP[3], // nasIP
5,6,$_SERVER['SERVER_PORT'] // nasPort
);
socket_write($sock,$data,$length);
if ($debug)
echo "<br>writing $length bytes<hr>\n";
//
// Wait at most five seconds for the answer. Thanks to
// Michael Long <mlong@infoave.net> for his remark about this.
//
$read = array($sock);
$num_sockets = socket_select($read, $write = NULL, $except = NULL, 60);
if ($num_sockets === FALSE) {
echo "socket_select() failed: " .
socket_strerror(socket_last_error()) . "\n";
socket_close($sock);
exit(0);
} elseif ($num_sockets == 0) {
echo "No answer from radius server, aborting\n";
socket_close($sock);
exit(0);
}
unset($read);
$readdata=socket_read($sock,2);
socket_close($sock);
if ($readdata===FALSE) {
echo "socket_read() failed: " .
socket_strerror(socket_last_error()) . "\n";
exit(0);
}
if (ord(substr($readdata, 1, 1)) != $thisidentifier) {
//echo "Wrong id received from radius server, aborting\n";
//exit(0);
return 3; // FIXME this is awfull
}
return ord($readdata);
// 2 -> Access-Accept
// 3 -> Access-Reject
// See RFC2138 for this.
}
function Encrypt($password,$key,$RA) {
global $debug;
$keyRA=$key.$RA;
if ($debug)
echo "<br>key: $key<br>password: $password<hr>\n";
$md5checksum=md5($keyRA);
$output="";
for ($i=0;$i<=15;$i++) {
if (2*$i>strlen($md5checksum)) $m=0; else $m=hexdec(substr($md5checksum,2*$i,2));
if ($i>strlen($keyRA)) $k=0; else $k=ord(substr($keyRA,$i,1));
if ($i>strlen($password)) $p=0; else $p=ord(substr($password,$i,1));
$c=$m^$p;
$output.=chr($c);
}
return $output;
}
?>
|