Commit b94fe52e authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 1.4.0~b1

parent bfb4a3a4
$Id: CHANGES,v 1.2 2002/01/23 23:21:20 mavetju Exp $
v1.2
- Michael Long <mlong@infoave.net> suggested a select
timeout feature.
v1.1
- PHP 4.1.1 is out, and the socket functions have been
renamed. Updated for this.
- Added sample script with caching
v1.0
- Initial release
$Id: CONTACT,v 1.1 2002/01/20 22:28:11 mavetju Exp $
HOW TO CONTACT
Via email: edwin@mavetju.org
Via snail-mail: Edwin Groothuis
7 Islington Crescent
Greenacre NSW2190
AUSTRALIA
I have two mailing-lists:
announce@lists.mavetju.org <- low traffic announcements only
questions@lists.mavetju.org <- general questions
See http://www.mavetju.org/contacts.php on how to subscribe to them.
Copyright 2000, 2001, 2002 by Edwin Groothuis. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Edwin Groothuis.
4. Neither the name of Edwin Groothuis may be used to endorse or
promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$Id: README,v 1.3 2002/01/23 23:21:20 mavetju Exp $
This script allows you to do authentication against Radius servers.
It's updated for PHP 4.1.1, with new names for the sockets-functions.
Edwin Groothuis
edwin@mavetju.org
http://www.mavetju.org/programming/php.php
<?php
/*
* Copyright (C) 2004 Roberto Lumbreras <rover@debian.org>
* License: public domain.
*/
function check_login_pass($username, $password) {
require("/usr/share/php-radius/radius_authentication.inc.php");
$retval = RADIUS_AUTHENTICATION($username, $password);
switch ($retval) {
case 2:
/* 2 -> Access-Accept */
return TRUE;
break;
case 3:
/* 3 -> Access-Reject */
echo "login incorrect";
break;
default:
echo "temporally failure or other error";
break;
}
return FALSE;
}
?>
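Review bot: The `require(...)` inside check_login_pass() runs on every call, so a second call in the same request would include the file again. If that file is the radius_authentication.inc added in this commit, it defines init_radiusconfig(), RADIUS_AUTHENTICATION() and Encrypt(), and PHP stops with a redeclaration error on the second include. `require_once("/usr/share/php-radius/radius_authentication.inc.php");` avoids that. The function also echoes its failure text straight into the response; returning FALSE and letting the caller decide what to show would keep output in one place.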
<?php
//
// $Id: radius.php,v 1.1 2002/01/20 11:52:59 mavetju Exp $
//
//
// This script is protected. Only people who are able to
// authenticate themselves against a Radius server will be
// allowed to watch this.
//
//
// To make sure that the radius-server isn't overflown by
// requests and that it still works if the Radius server
// is using a one-time-password, we keep a local cache
// of the already authenticated people. The cache is valid
// for 15 minutes, but refreshed everytime a user is
// requesting this page (within the 15 minutes of course).
//
// The name of the cache is /tmp/radiuscache
// The name of the cookie is radius_test
//
// To use dbm-files you should compile PHP with --with-ndbm --with-db
if ($PHP_AUTH_USER=="") {
header("HTTP/1.0 401 Unauthorized");
Header("WWW-Authenticate: Basic realm=\"PHP Radius test script\"");
echo "<html><head><title>401 Unauthorized access</title></head><body>";
echo "<h1>401 Unauthorized access</h1>";
echo "You must login using your username and password.</body></html>";
exit;
}
require "radius_authentication.inc";
function radius_authenticate($user,$password) {
global $HTTP_COOKIE_VARS;
global $REMOTE_ADDR;
if (($db=dba_open("/tmp/radiuscache","c","ndbm"))==FALSE) {
echo "Couldn't open /tmp/radiuscache<br>\n";
}
$cookie=$HTTP_COOKIE_VARS["radius_test"];
if ($cookie!="") {
$lastid=dba_fetch($cookie."_id",$db);
$laston=dba_fetch($cookie."_laston",$db);
$lasthost=dba_fetch($cookie."_fromip",$db);
$lastuserid=dba_fetch($cookie."_userid",$db);
}
//
// Sanity checking
//
if ($cookie=="" || $lastid=="" ||
$laston==0 || $laston<time()-15*60 ||
$lasthost!=$REMOTE_ADDR || $lastuserid!=$user) {
// 2 -> Access-Accept
// 3 -> Access-Reject
if (($retval=RADIUS_AUTHENTICATION($user,$password))==2) {
if ($cookie=="") $cookie=md5(uniqid(rand()));
setcookie("radius_test",$cookie);
dba_replace($cookie."_id",$cookie,$db);
dba_replace($cookie."_userid",$user,$db);
dba_replace($cookie."_fromip",$REMOTE_ADDR,$db);
dba_replace($cookie."_laston",time(),$db);
}
} else {
setcookie("radius_test",$cookie);
dba_replace($cookie."_laston",time(),$db);
$retval=2;
}
dba_close($db);
return $retval==2;
}
if (!radius_authenticate($PHP_AUTH_USER,$PHP_AUTH_PW)) {
header("HTTP/1.0 401 Unauthorized");
Header("WWW-Authenticate: Basic realm=\"PHP Radius test script\"");
echo "<html><head><title>401 Unauthorized access</title></head><body>";
echo "<h1>401 Unauthorized access</h1>";
echo "You must login using a valid username and password</body></html>";
echo "Used was '$PHP_AUTH_USER' '$PHP_AUTH_PW'<br>\n";
exit;
}
echo "<html><head><title>200 Welcome!</title></head><body>";
echo "<h1>200 Welcome</h1>";
echo "You logged in using a valid username and password</body></html>";
?>
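Review bot: The final 401 page prints the submitted credentials back into the HTML unescaped (`echo "Used was '$PHP_AUTH_USER' '$PHP_AUTH_PW'<br>\n";`), which puts the password in the response body and lets markup in either field render in the page. That line should be dropped, or replaced by a server-side log entry of the username only. In radius_authenticate(), a cookie value sent by the client is kept as the session key after a successful check (`if ($cookie=="") $cookie=md5(uniqid(rand()));` only generates one when none was sent), and the generated value comes from `rand()`/`uniqid()`, which are not unpredictable sources. Issuing a fresh token from a cryptographic random source on every successful RADIUS check would be safer, as would keeping the cache outside the fixed, shared path `/tmp/radiuscache`. A failed `dba_open()` is only reported, and the later dba_* calls still run with `$db` set to FALSE.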
#
# $Id: radius_authentication.conf.template,v 1.1 2001/08/24 14:19:10 mavetju Exp $
#
# The IP address or hostname of the radius server
#
server a.b.c.d
#
# The port of the radius-server, if it is zero it will take the
# one specified in /etc/services. 1645 is a well known one.
#
port 0
#
# Suffix for the userids (if no @ in the userid yet)
#
# This might be a little bit tricky to understand. Normally, you can
# authenticate via "user" or "user@domain". To make it easier for
# people, the "@domain" is often defaulted to a special domain. For
# example, if the suffix is foo.bar, the users will be authenticated
# as "user@foo.bar", while it is still possible for somebody else,
# who is not in domain foo.bar to give "admin@foo2.bar" for his userid.
#
#
suffix ""
#
# Shared secret for the server
#
secret sharedsecret
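Review bot: The template stores the RADIUS shared secret in clear text but says nothing about how the file must be protected. init_radiusconfig() in radius_authentication.inc looks for `radius_authentication.conf` in the current directory before the /etc/php-radius locations, and that directory may be one the web server also serves. I would add a comment above the `secret` line such as `# Keep this file outside the document root and readable only by the web server user.`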
<?
//
// $Id: radius_authentication.inc,v 1.3 2002/01/23 23:21:20 mavetju Exp $
//
// Roberto Lumbreras <rover@debian.org> Tue, 23 Mar 2004 00:34:01 +0100
// select fixes, error checks, more than one config file
//
// radius authentication v1.0 by Edwin Groothuis (edwin@mavetju.org)
//
// If you didn't get this file via http://www.mavetju.org, please
// check for the availability of newer versions.
//
// See LICENSE for distribution issues. If this file isn't in
// the distribution, please inform me about it.
//
// If you want to use this script, fill in the configuration in
// radius_authentication.conf and call the function
// RADIUS_AUTHENTICATION() with the username and password
// provided by the user. If it returns a 2, the authentication
// was successfull!
// If you want to use this, make sure that you have raw sockets
// enabled during compile-time: "./configure --enable-sockets".
function init_radiusconfig(&$server,&$port,&$sharedsecret,&$suffix) {
global $radius_server;
if (is_file("radius_authentication.conf")) {
$filename="radius_authentication.conf";
} else if (isset($radius_server) &&
is_file("/etc/php-radius/server-$radius_server.conf")) {
$filename="/etc/php-radius/server-$radius_server.conf";
} else if (is_file("/etc/php-radius/server.conf")){
$filename="/etc/php-radius/server.conf";
} else {
echo "Couldn't find any config file, exiting";
exit(0);
}
$file=fopen($filename,"r");
if ($file==0) {
echo "Couldn't open $filename, exiting";
exit(0);
}
while (!feof($file)) {
$s=fgets($file,1024);
$s=chop($s);
if ($s[0]=="#") continue;
if (strlen($s)==0) continue;
if (preg_match("/^([a-zA-Z]+) (.*)$/",$s,$a)) {
if ($a[1]=="port") { $port=$a[2];continue; }
if ($a[1]=="server") { $server=$a[2];continue; }
if ($a[1]=="secret") { $sharedsecret=$a[2];continue; }
if ($a[1]=="suffix") {
$suffix=$a[2];
if ($suffix=="\"\"") {
$suffix="";
}
continue;
}
}
echo "Unknown config-file option: $a[1] ($s)\n";
exit(0);
}
fclose($file);
}
function RADIUS_AUTHENTICATION($username,$password) {
global $debug;
$radiushost="";
$sharedsecret="";
$suffix="";
init_radiusconfig($radiushost,$radiusport,$sharedsecret,$suffix);
// check your /etc/services. Some radius servers
// listen on port 1812, some on 1645.
if ($radiusport==0)
$radiusport=getservbyname("radius","udp");
$nasIP=explode(".",$_SERVER['SERVER_ADDR']);
$ip=gethostbyname($radiushost);
// 17 is UDP, formerly known as PROTO_UDP
$sock=socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($sock==FALSE) {
echo "socket_create() failed: " . socket_strerror(socket_last_error()) . "\n";
exit(0);
}
$retval=socket_connect($sock,$ip,$radiusport);
if ($retval==FALSE) {
echo "socket_connect() failed: " . socket_strerror(socket_last_error()) . "\n";
exit(0);
}
if (!preg_match("/@/",$username))
$username.=$suffix;
if ($debug)
echo "<br>radius-port: $radiusport<br>radius-host: $radiushost<br>username: $username<br>suffix: $suffix<hr>\n";
$RA=pack("CCCCCCCCCCCCCCCC", // auth code
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255,
1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255, 1+mt_rand()%255);
$encryptedpassword=Encrypt($password,$sharedsecret,$RA);
$length=4+ // header
16+ // auth code
6+ // service type
2+strlen($username)+ // username
2+strlen($encryptedpassword)+ // userpassword
6+ // nasIP
6; // nasPort
$thisidentifier=mt_rand()%256;
// v v v v v v v v
$data=pack("CCCCa*CCCCCCCCa*CCa*CCCCCCCCN",
1,$thisidentifier,$length/256,$length%256, // header
$RA, // authcode
6,6,0,0,0,1, // service type
1,2+strlen($username),$username, // username
2,2+strlen($encryptedpassword),$encryptedpassword, // userpassword
4,6,$nasIP[0],$nasIP[1],$nasIP[2],$nasIP[3], // nasIP
5,6,$_SERVER['SERVER_PORT'] // nasPort
);
socket_write($sock,$data,$length);
if ($debug)
echo "<br>writing $length bytes<hr>\n";
//
// Wait at most five seconds for the answer. Thanks to
// Michael Long <mlong@infoave.net> for his remark about this.
//
$read = array($sock);
$num_sockets = socket_select($read, $write = NULL, $except = NULL, 60);
if ($num_sockets === FALSE) {
echo "socket_select() failed: " .
socket_strerror(socket_last_error()) . "\n";
socket_close($sock);
exit(0);
} elseif ($num_sockets == 0) {
echo "No answer from radius server, aborting\n";
socket_close($sock);
exit(0);
}
unset($read);
$readdata=socket_read($sock,2);
socket_close($sock);
if ($readdata===FALSE) {
echo "socket_read() failed: " .
socket_strerror(socket_last_error()) . "\n";
exit(0);
}
if (ord(substr($readdata, 1, 1)) != $thisidentifier) {
//echo "Wrong id received from radius server, aborting\n";
//exit(0);
return 3; // FIXME this is awfull
}
return ord($readdata);
// 2 -> Access-Accept
// 3 -> Access-Reject
// See RFC2138 for this.
}
function Encrypt($password,$key,$RA) {
global $debug;
$keyRA=$key.$RA;
if ($debug)
echo "<br>key: $key<br>password: $password<hr>\n";
$md5checksum=md5($keyRA);
$output="";
for ($i=0;$i<=15;$i++) {
if (2*$i>strlen($md5checksum)) $m=0; else $m=hexdec(substr($md5checksum,2*$i,2));
if ($i>strlen($keyRA)) $k=0; else $k=ord(substr($keyRA,$i,1));
if ($i>strlen($password)) $p=0; else $p=ord(substr($password,$i,1));
$c=$m^$p;
$output.=chr($c);
}
return $output;
}
?>
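Review bot: RADIUS_AUTHENTICATION() accepts the reply on its first two octets alone: it reads 2 bytes, compares the identifier and returns the code, so the Response Authenticator is never checked against the shared secret. Any datagram that reaches the socket with the right identifier and code 2 is therefore returned as Access-Accept. The reply should be read in full, bounded by its own length field, and octets 4–19 compared with MD5 over code, identifier, length, the request authenticator `$RA`, the attributes and `$sharedsecret`, as the RFC 2138 cited in the file describes. The fence sketches this and assumes PHP 5.6 or later for `hash_equals`. Separately, `$RA` and `$thisidentifier` come from `mt_rand()`, which is not an unpredictable source, Encrypt() covers only the first 16 octets of the password, and under `$debug` it echoes the shared secret and the password into the page.
```php
$readdata=socket_read($sock,4096);
socket_close($sock);
// … unchanged: socket_read() failure check …
if (strlen($readdata)<20) return 3;
$resplen=ord($readdata[2])*256+ord($readdata[3]);
if ($resplen<20 || $resplen>strlen($readdata)) return 3;
$readdata=substr($readdata,0,$resplen);
$expected=md5(substr($readdata,0,4).$RA.substr($readdata,20).$sharedsecret,true);
if (!hash_equals($expected,substr($readdata,4,16))) return 3;
// … unchanged: identifier comparison and return ord($readdata) …
```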
RADIUS
Michael Bretterklieber, The FreeBSD Project http://www.freebsd.org
\ No newline at end of file
Michael Bretterklieber, The FreeBSD Project http://www.freebsd.org
RFC3576 support
Gabriel Blanchard <gabe@teksavvy.com>
Copyright (c) 2003, Michael Bretterklieber <michael@bretterklieber.com>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The names of the authors may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// $Id$
// vim:ft=javascript
ARG_WITH("radius", "Radius Support", "no");
if (PHP_RADIUS == "yes") {
EXTENSION("radius", "radius.c radlib.c radlib_compat.c");
AC_DEFINE('HAVE_RADIUS', 1, 'Have Radius support', false);
}
/*
+----------------------------------------------------------------------+
| Compatibility macros for different PHP versions |
+----------------------------------------------------------------------+
| Copyright (c) 2015 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
| available through the world-wide-web at the following url: |
| http://www.php.net/license/3_01.txt. |
| If you did not receive a copy of the PHP license and are unable to |
| obtain it through the world-wide-web, please send a note to |
| license@php.net so we can mail you a copy immediately. |
+----------------------------------------------------------------------+
| Author: Francois Laupretre <francois@tekwire.net> |
+----------------------------------------------------------------------+
*/
#ifndef _COMPAT_H
#define _COMPAT_H
#define PECL_COMPAT_VERSION 1.2
#include <stdio.h>
#include <assert.h>
#include <fcntl.h>
#include "php.h"
#include "zend.h"
#include "zend_extensions.h"
#include "zend_API.h"
#define PHP_5_0_X_API_NO 220040412
#define PHP_5_1_X_API_NO 220051025
#define PHP_5_2_X_API_NO 220060519
#define PHP_5_3_X_API_NO 220090626
#define PHP_5_4_X_API_NO 220100525
#define PHP_5_5_X_API_NO 220121212
#define PHP_5_6_X_API_NO 220131226
#if PHP_MAJOR_VERSION >= 7
# define PHP_7
#endif
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#if HAVE_STRING_H
# include <string.h>
#endif
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef PHP_WIN32
# include "win32/time.h"
#elif defined(NETWARE)
# include <sys/timeval.h>
# include <sys/time.h>
#else
# include <sys/time.h>
#endif
#ifdef HAVE_SYS_RESOURCE_H
# include <sys/resource.h>
#endif
#ifdef HAVE_STDARG_H
#include <stdarg.h>
#endif
#ifdef HAVE_STDLIB_H
# include <stdlib.h>
#endif
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
#ifdef PHP_WIN32
#include <win32/php_stdint.h>
#else
#include <inttypes.h>
#endif
#if ZEND_EXTENSION_API_NO >= PHP_5_6_X_API_NO
#include "zend_virtual_cwd.h"
#else
#include "TSRM/tsrm_virtual_cwd.h"
#endif
#ifdef PHP_7
#include "Zend/zend_portability.h"
#endif
/*-- Include submodules */
#include "src/misc.h"
#include "src/zend_string.h"
#include "src/zend_hash.h"
#include "src/zend_API.h"
#include "src/zend_resource.h"
#endif /* _COMPAT_H */
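Review bot: The include guard `_COMPAT_H` is a reserved identifier (leading underscore followed by an uppercase letter) and generic enough that another header could use the same name, in which case whichever is included second is silently skipped. A project-specific guard such as `PECL_COMPAT_H` avoids both problems. The feature tests also mix `#if HAVE_STRING_H` with `#ifdef HAVE_..._H` for the other headers; using `#ifdef` throughout would keep the block consistent.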
/*
+----------------------------------------------------------------------+
| Compatibility between PHP versions |
+----------------------------------------------------------------------+
| Copyright (c) 2015 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
| available through the world-wide-web at the following url: |
| http://www.php.net/license/3_01.txt. |
| If you did not receive a copy of the PHP license and are unable to |
| obtain it through the world-wide-web, please send a note to |
| license@php.net so we can mail you a copy immediately. |
+----------------------------------------------------------------------+
| Author: Francois Laupretre <francois@tekwire.net> |
+----------------------------------------------------------------------+
*/
#ifndef __PECL_COMPAT_MISC_H
#define __PECL_COMPAT_MISC_H 1
#ifdef PHP_7
/*============================================================================*/
typedef zend_string * OPENED_PATH_PTR; /* Type of stream opened_path argument */
typedef size_t COMPAT_ARG_SIZE_T; /* Size of string arguments */
typedef zend_long COMPAT_ARG_LONG_T; /* Type of long (integer) arguments */
#define compat_zval_ptr_dtor(zp) zval_ptr_dtor(zp)
#else
/*== PHP 5 ===================================================================*/
typedef char * OPENED_PATH_PTR;
typedef off_t zend_off_t;
typedef int COMPAT_ARG_SIZE_T;
typedef long COMPAT_ARG_LONG_T;
typedef long zend_long;
#define compat_zval_ptr_dtor(zp) zval_dtor(zp)
#endif
/*============================================================================*/
#ifndef MIN
# define MIN(a,b) (((a) < (b)) ? (a) : (b))
#endif
#ifndef MAX
# define MAX(a,b) (((a) > (b)) ? (a) : (b))
#endif
/*---------------------------------------------------------------*/
/* (Taken from pcre/pcrelib/internal.h) */
/* To cope with SunOS4 and other systems that lack memmove() but have bcopy(),
define a macro for memmove() if HAVE_MEMMOVE is false, provided that HAVE_BCOPY
is set. Otherwise, include an emulating function for those systems that have
neither (there are some non-Unix environments where this is the case). This
assumes that all calls to memmove are moving strings upwards in store,
which is the case in this extension. */
#if ! HAVE_MEMMOVE
# ifdef memmove
# undef memmove /* some systems may have a macro */
# endif
# if HAVE_BCOPY
# define memmove(a, b, c) bcopy(b, a, c)
# else
static void *my_memmove(unsigned char *dest, const unsigned char *src,
size_t n)
{
int i;
dest += n;
src += n;
for (i = 0; i < n; ++i)
*(--dest) = *(--src);
}
# define memmove(a, b, c) my_memmove(a, b, c)
# endif /* not HAVE_BCOPY */
#endif /* not HAVE_MEMMOVE */
#ifdef _AIX
# undef PHP_SHLIB_SUFFIX
# define PHP_SHLIB_SUFFIX "a"
#endif
#ifndef ZVAL_IS_ARRAY
#define ZVAL_IS_ARRAY(zp) (Z_TYPE_P((zp))==IS_ARRAY)
#endif
#ifndef ZVAL_IS_STRING
#define ZVAL_IS_STRING(zp) (Z_TYPE_P((zp))==IS_STRING)
#endif
#ifndef ZVAL_IS_LONG
#define ZVAL_IS_LONG(zp) (Z_TYPE_P((zp))==IS_LONG)
#endif
#ifndef ZVAL_IS_BOOL
#define ZVAL_IS_BOOL(zp) (Z_TYPE_P((zp))==IS_BOOL)
#endif
#ifndef INIT_ZVAL
#define INIT_ZVAL(z) memset(&z, 0, sizeof(z))
#endif
#ifndef ZVAL_UNDEF
#define ZVAL_UNDEF(z) INIT_ZVAL(*(z))
#endif
#ifndef MAKE_STD_ZVAL
#define MAKE_STD_ZVAL(zp) { zp = emalloc(sizeof(zval)); INIT_ZVAL(*zp); }
#endif
#ifndef ALLOC_INIT_ZVAL
#define ALLOC_INIT_ZVAL(zp) MAKE_STD_ZVAL(zp)
#endif
#ifndef ZEND_ASSUME
#if defined(ZEND_WIN32) && !defined(__clang__)
# define ZEND_ASSUME(c) __assume(c)
#else
# define ZEND_ASSUME(c)
#endif
#endif
#ifndef ZEND_ASSERT
#if ZEND_DEBUG
# define ZEND_ASSERT(c) assert(c)
#else
# define ZEND_ASSERT(c) ZEND_ASSUME(c)
#endif