From: jan@unixpapa.com Date: Mon, 18 May 2009 05:13:31 +0000 (+0000) Subject: Remove radius code from distribution X-Git-Tag: mod_authnz_external-3.2.4~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=797d2651c3dbe43d471ad8c92bb21ea651cea839;p=apache-authnz-external Remove radius code from distribution --- diff --git a/mod_authnz_external/radius/CHANGES b/mod_authnz_external/radius/CHANGES deleted file mode 100644 index cc0ec58..0000000 --- a/mod_authnz_external/radius/CHANGES +++ /dev/null @@ -1,20 +0,0 @@ -> From: radius@msg.net -> -> One bug in the current implementation is that if no reply to a request is -> received within the timeout interval, another request is sent with the SAME -> request-id. The problem is, the new Livingston Radius server will reject -> subsequent requests with duplicate IDs, giving false negatives. -> -> -> The most important "fix" that seemed to clear up this problem was to change -> line 554 of 'mod-radfuncs.c' from: -> -> authtime.tv_usec = 0L; -> -> To instead read: -> -> authtime.tv_usec = 999L; - -FIXED and to be tested soon. - -allison@nas.nasa.gov \ No newline at end of file diff --git a/mod_authnz_external/radius/README b/mod_authnz_external/radius/README index c813d91..f8a9dd4 100644 --- a/mod_authnz_external/radius/README +++ b/mod_authnz_external/radius/README @@ -1,7 +1,12 @@ -This is a hardcoded internal authentication function for use with -mod_auth_external or mod_authnz_external. It supports authenticating -from a Radius server. +Older versions of mod_auth_external included an example of a hard +coded internal authentication function which was designed for +authenticating from a Radius server. -Author: Tyler Allison +It is no longer included in the mod_auth_external distribution because +its license did not appear to be a full open source license. -This code is no longer being maintained. +People interested in a radius authenticator, should probably look into +mod_auth_radius. + +For the time being, the old contents of this directory will be available +from http://unixpapa.com/software/mae_radius.tar.gz diff --git a/mod_authnz_external/radius/md5-radius.c b/mod_authnz_external/radius/md5-radius.c deleted file mode 100644 index d8d5953..0000000 --- a/mod_authnz_external/radius/md5-radius.c +++ /dev/null @@ -1,183 +0,0 @@ -/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm - */ - -#include "md5-radius.h" - -md5_calc (output, input, inlen) -unsigned char *output; -unsigned char *input; /* input block */ -unsigned int inlen; /* length of input block */ -{ - MD5_CTX context; - - MD5Init (&context); - MD5Update (&context, input, inlen); - MD5Final (output, &context); -} - - -/* MD5 basic transformation. Transforms state based on block. - */ -static void -MD5Transform (state, block) -UINT4 state[4]; -unsigned char block[64]; -{ - UINT4 a = state[0], - b = state[1], - c = state[2], - d = state[3], - x[16]; - - Decode (x, block, 64); - - /* Round 1 */ - FF (a, b, c, d, x[0], S11, 0xd76aa478); /* 1 */ - FF (d, a, b, c, x[1], S12, 0xe8c7b756); /* 2 */ - FF (c, d, a, b, x[2], S13, 0x242070db); /* 3 */ - FF (b, c, d, a, x[3], S14, 0xc1bdceee); /* 4 */ - FF (a, b, c, d, x[4], S11, 0xf57c0faf); /* 5 */ - FF (d, a, b, c, x[5], S12, 0x4787c62a); /* 6 */ - FF (c, d, a, b, x[6], S13, 0xa8304613); /* 7 */ - FF (b, c, d, a, x[7], S14, 0xfd469501); /* 8 */ - FF (a, b, c, d, x[8], S11, 0x698098d8); /* 9 */ - FF (d, a, b, c, x[9], S12, 0x8b44f7af); /* 10 */ - FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ - FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ - FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ - FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ - FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ - FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ - - /* Round 2 */ - GG (a, b, c, d, x[1], S21, 0xf61e2562); /* 17 */ - GG (d, a, b, c, x[6], S22, 0xc040b340); /* 18 */ - GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ - GG (b, c, d, a, x[0], S24, 0xe9b6c7aa); /* 20 */ - GG (a, b, c, d, x[5], S21, 0xd62f105d); /* 21 */ - GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ - GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ - GG (b, c, d, a, x[4], S24, 0xe7d3fbc8); /* 24 */ - GG (a, b, c, d, x[9], S21, 0x21e1cde6); /* 25 */ - GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ - GG (c, d, a, b, x[3], S23, 0xf4d50d87); /* 27 */ - GG (b, c, d, a, x[8], S24, 0x455a14ed); /* 28 */ - GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ - GG (d, a, b, c, x[2], S22, 0xfcefa3f8); /* 30 */ - GG (c, d, a, b, x[7], S23, 0x676f02d9); /* 31 */ - GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ - - /* Round 3 */ - HH (a, b, c, d, x[5], S31, 0xfffa3942); /* 33 */ - HH (d, a, b, c, x[8], S32, 0x8771f681); /* 34 */ - HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ - HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ - HH (a, b, c, d, x[1], S31, 0xa4beea44); /* 37 */ - HH (d, a, b, c, x[4], S32, 0x4bdecfa9); /* 38 */ - HH (c, d, a, b, x[7], S33, 0xf6bb4b60); /* 39 */ - HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ - HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ - HH (d, a, b, c, x[0], S32, 0xeaa127fa); /* 42 */ - HH (c, d, a, b, x[3], S33, 0xd4ef3085); /* 43 */ - HH (b, c, d, a, x[6], S34, 0x4881d05); /* 44 */ - HH (a, b, c, d, x[9], S31, 0xd9d4d039); /* 45 */ - HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ - HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ - HH (b, c, d, a, x[2], S34, 0xc4ac5665); /* 48 */ - - /* Round 4 */ - II (a, b, c, d, x[0], S41, 0xf4292244); /* 49 */ - II (d, a, b, c, x[7], S42, 0x432aff97); /* 50 */ - II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ - II (b, c, d, a, x[5], S44, 0xfc93a039); /* 52 */ - II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ - II (d, a, b, c, x[3], S42, 0x8f0ccc92); /* 54 */ - II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ - II (b, c, d, a, x[1], S44, 0x85845dd1); /* 56 */ - II (a, b, c, d, x[8], S41, 0x6fa87e4f); /* 57 */ - II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ - II (c, d, a, b, x[6], S43, 0xa3014314); /* 59 */ - II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ - II (a, b, c, d, x[4], S41, 0xf7537e82); /* 61 */ - II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ - II (c, d, a, b, x[2], S43, 0x2ad7d2bb); /* 63 */ - II (b, c, d, a, x[9], S44, 0xeb86d391); /* 64 */ - - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - - /* - * Zeroize sensitive information. - */ - MD5_memset ((POINTER) x, 0, sizeof (x)); -} - -/* Encodes input (UINT4) into output (unsigned char). Assumes len is - a multiple of 4. - */ -static void -Encode (output, input, len) -unsigned char *output; -UINT4 *input; -unsigned int len; -{ - unsigned int i, - j; - - for (i = 0, j = 0; j < len; i++, j += 4) - { - output[j] = (unsigned char) (input[i] & 0xff); - output[j + 1] = (unsigned char) ((input[i] >> 8) & 0xff); - output[j + 2] = (unsigned char) ((input[i] >> 16) & 0xff); - output[j + 3] = (unsigned char) ((input[i] >> 24) & 0xff); - } -} - -/* Decodes input (unsigned char) into output (UINT4). Assumes len is - a multiple of 4. - */ -static void -Decode (output, input, len) -UINT4 *output; -unsigned char *input; -unsigned int len; -{ - unsigned int i, - j; - - for (i = 0, j = 0; j < len; i++, j += 4) - output[i] = ((UINT4) input[j]) | (((UINT4) input[j + 1]) << 8) | (((UINT4) input[j + 2]) << 16) | (((UINT4) input[j + 3]) << 24); -} - -/* Note: Replace "for loop" with standard memcpy if possible. - */ - -static void -MD5_memcpy (output, input, len) -POINTER output; -POINTER input; -unsigned int len; -{ - unsigned int i; - - for (i = 0; i < len; i++) - output[i] = input[i]; -} - -/* Note: Replace "for loop" with standard memset if possible. - */ -static void -MD5_memset (output, value, len) -POINTER output; -int value; -unsigned int len; -{ - unsigned int i; - - for (i = 0; i < len; i++) - ((char *) output)[i] = (char) value; -} - -/**************** END OF MD5 ************/ diff --git a/mod_authnz_external/radius/md5-radius.h b/mod_authnz_external/radius/md5-radius.h deleted file mode 100644 index 9a5b757..0000000 --- a/mod_authnz_external/radius/md5-radius.h +++ /dev/null @@ -1,123 +0,0 @@ - -/* PROTOTYPES should be set to one if and only if the compiler supports - function argument prototyping. - The following makes PROTOTYPES default to 0 if it has not already - been defined with C compiler flags. - */ - -#ifndef PROTOTYPES -#define PROTOTYPES 0 -#endif - -/* POINTER defines a generic pointer type */ -typedef unsigned char *POINTER; - -/* UINT2 defines a two byte word */ -typedef unsigned short int UINT2; - -/* UINT4 defines a four byte word */ -typedef unsigned int UINT4; - -/* MD5 context. */ -typedef struct { - UINT4 state[4]; /* state (ABCD) */ - UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ - unsigned char buffer[64]; /* input buffer */ -} MD5_CTX; - -extern void MD5Init(MD5_CTX *context); -extern void MD5Update(MD5_CTX *context, const unsigned char *input, - unsigned int inputLen); -extern void MD5Final(unsigned char digest[16], MD5_CTX *context); - - -/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. - If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it - returns an empty list. - */ - -#if PROTOTYPES -#define PROTO_LIST(list) list -#else -#define PROTO_LIST(list) () -#endif - - -/* Constants for MD5 routines - */ -#define S11 7 -#define S12 12 -#define S13 17 -#define S14 22 -#define S21 5 -#define S22 9 -#define S23 14 -#define S24 20 -#define S31 4 -#define S32 11 -#define S33 16 -#define S34 23 -#define S41 6 -#define S42 10 -#define S43 15 -#define S44 21 - -static void MD5Transform PROTO_LIST ((UINT4[4], unsigned char[64])); -static void Encode PROTO_LIST - ((unsigned char *, UINT4 *, unsigned int)); -static void Decode PROTO_LIST - ((UINT4 *, unsigned char *, unsigned int)); -static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); -static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); - -static unsigned char PADDING[64] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; - -/* F, G, H and I are basic MD5 functions. - */ -#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) -#define G(x, y, z) (((x) & (z)) | ((y) & (~z))) -#define H(x, y, z) ((x) ^ (y) ^ (z)) -#define I(x, y, z) ((y) ^ ((x) | (~z))) - -/* ROTATE_LEFT rotates x left n bits. - */ -#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) - -/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. -Rotation is separate from addition to prevent recomputation. - */ -#define FF(a, b, c, d, x, s, ac) { \ - (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define GG(a, b, c, d, x, s, ac) { \ - (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define HH(a, b, c, d, x, s, ac) { \ - (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define II(a, b, c, d, x, s, ac) { \ - (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } - -/* end For MD5 */ - - - - - - - - - diff --git a/mod_authnz_external/radius/mod-radfuncs.c b/mod_authnz_external/radius/mod-radfuncs.c deleted file mode 100644 index 9098c7d..0000000 --- a/mod_authnz_external/radius/mod-radfuncs.c +++ /dev/null @@ -1,694 +0,0 @@ -/************************************************************************* - * - * Function: get_ipaddr - * - * Purpose: Return an IP address in host long notation from a host - * name or address in dot notation. - * - *************************************************************************/ - -UINT4 -get_ipaddr (host) - -char *host; - -{ - struct hostent *hp; - - if (good_ipaddr (host) == 0) - { - return ntohl(inet_addr (host)); - } - else if ((hp = gethostbyname (host)) == (struct hostent *) NULL) - { - return ((UINT4) 0); - } - return ntohl((*(UINT4 *) hp->h_addr)); -} /* end of get_ipaddr () */ - - -/************************************************************************* - * - * Function: good_ipaddr - * - * Purpose: Check for valid IP address in standard dot notation. - * - *************************************************************************/ - -int -good_ipaddr (addr) - -char *addr; - -{ - int dot_count; - int digit_count; - - if (addr == (char *) NULL) - { - return (-1); - } - - dot_count = 0; - digit_count = 0; - - while (*addr != '\0' && *addr != ' ') - { - if (*addr == '.') - { - dot_count++; - digit_count = 0; - } - else if (!isdigit (*addr)) - { - dot_count = 5; - } - else - { - digit_count++; - if (digit_count > 3) - { - dot_count = 5; - } - } - addr++; - } - if (dot_count != 3) - { - return (-1); - } - else - { - return (0); - } -} /* end of good_ipaddr () */ - - -/************************************************************************* -* -* find_match - See if given IP address matches any address of hostname. -* -* Returns: 0 success -* -1 failure -* -**************************************************************************/ - -static int -find_match (ip_addr, hostname) - -UINT4 *ip_addr; -char *hostname; - -{ - UINT4 addr; - char **paddr; - struct hostent *hp; - - if (good_ipaddr (hostname) == 0) - { - if (*ip_addr == ntohl(inet_addr (hostname))) - { - return (0); - } - } - else - { - if ((hp = gethostbyname (hostname)) == (struct hostent *) NULL) - { - return (-1); - } - if (hp->h_addr_list != (char **) NULL) - { - for (paddr = hp->h_addr_list; *paddr; paddr++) - { - addr = ** (UINT4 **) paddr; - if (ntohl(addr) == *ip_addr) - { - return (0); - } - } - } - } - return (-1); -} /* end of find_match */ - - -/************************************************************************* -* -* find_server - Look up the given server name in the clients file. -* -* Returns: 0 success -* -1 failure -* -**************************************************************************/ - -static int -find_server (server_name, ustype, ip_addr, secret, msg) - -char *server_name; -int ustype; -UINT4 *ip_addr; -char *secret; -char *msg; - -{ - static UINT4 myipaddr = 0; - int len; - int line_nbr = 0; - int result; - FILE *clientfd; - char *h; - char *s; - char *host2; - char buffer[128]; - char fname[MAXPATHLEN]; - char hostnm[AUTH_ID_LEN + 1]; - - /* Get the IP address of the authentication server */ - if ((*ip_addr = get_ipaddr (server_name)) == (UINT4) 0) - { - return (-1); - } - sprintf (fname, "%s/%s", radius_dir, RADIUS_CLIENTS); - if ((clientfd = fopen (fname, "r")) == (FILE *) NULL) - { - return (-1); - } - if (!myipaddr) - { - if ((myipaddr = get_ipaddr (ourhostname)) == 0) - { - fclose (clientfd); - return (-1); - } - } - - result = 0; - while (fgets (buffer, sizeof (buffer), clientfd) != (char *) NULL) - { - line_nbr++; - - if (*buffer == '#') - { - continue; - } - - if ((h = strtok (buffer, " \t\n\r")) == NULL) /* 1st hostname */ { - continue; - } - - memset (hostnm, '\0', AUTH_ID_LEN); - len = strlen (h); - if (len > AUTH_ID_LEN) - { - len = AUTH_ID_LEN; - } - strncpy (hostnm, h, len); - hostnm[AUTH_ID_LEN] = '\0'; - - if ((s = strtok (NULL, " \t\n\r")) == NULL) /* & secret field */ { - continue; - } - - memset (secret, '\0', MAX_SECRET_LENGTH); - len = strlen (s); - if (len > MAX_SECRET_LENGTH) - { - len = MAX_SECRET_LENGTH; - } - strncpy (secret, s, len); - secret[MAX_SECRET_LENGTH] = '\0'; - - if (!strchr (hostnm, '/')) /* If single name form */ - { - if (find_match (ip_addr, hostnm) == 0) - { - result++; - break; - } - } - else /* / "paired" form */ - { - strtok (hostnm, "/"); /* replaces "/" with NULL char */ - host2 = strtok (NULL, " "); - if (find_match (&myipaddr, hostnm) == 0) - { /* If we're the 1st name, target is 2nd */ - if (find_match (ip_addr, host2) == 0) - { - result++; - break; - } - } - else /* Check to see if we are the second name */ - { - if (find_match (&myipaddr, host2) == 0) - { /* We are the 2nd name, target is 1st name */ - if (find_match (ip_addr, hostnm) == 0) - { - result++; - break; - } - } - } - } - } - fclose (clientfd); - if (result == 0) - { - memset (buffer, '\0', sizeof (buffer)); - memset (secret, '\0', sizeof (secret)); - return (-1); - } - return 0; -} /* end of find_server () */ - - -/************************************************************************* -* -* random_vector - Generates a random vector of AUTH_VECTOR_LEN octets. -* -* Returns: the vector (call by reference) -* -**************************************************************************/ - -void -random_vector (vector) - -u_char *vector; - -{ - int randno; - int i; - - srand (time (0)); - for (i = 0; i < AUTH_VECTOR_LEN;) - { - randno = rand (); - memcpy ((char *) vector, (char *) &randno, sizeof (int)); - vector += sizeof (int); - i += sizeof (int); - } - return; -} /* end of random_vector () */ - - - - - -/************************************************************************* -* -* send_server - Sends request to specified RADIUS server and waits -* for response. Request is retransmitted every -* "response_timeout" seconds a maximum of "retry_max" -* times. Result is 0 if response was received, -1 if -* a problem occurred, or +1 on no-response condition. -* Returns request retransmit count in "retries" if -* server does respond. -* -* Returns: -1 ERROR_RC -- on local error, -* 0 OK_RC -- on valid response from server, -* 1 TIMEOUT_RC -- after retries * resp_timeout seconds, -* -2 BADRESP_RC -- if response from server had errors. -* -**************************************************************************/ - -int -send_server (data, retries, msg) - -SEND_DATA *data; /* Data structure built by clients */ -int *retries; /* Maximum num of times to retransmit request */ - /* Receives number of retries required, also */ -char *msg; /* Receives error or advisory message */ - -{ - u_char seq_nbr; /* Sequence number to use in request */ - int fptype; /* Framed proto, ustype == PW_FRAMED */ - int i; - int length; - int result; - int retry_max; - int salen; - int secretlen; - int sockfd; - int timeout; /* Number of secs. to wait for response */ - int total_length; - int ustype; /* User service type for this user */ - UINT4 auth_ipaddr; - UINT4 lvalue; - UINT4 myipaddr; - UINT4 port_num; /* Port number to use in request */ - AUTH_HDR *auth; - VALUE_PAIR *check; - char *passwd; /* User password (unencrypted) */ - u_char *ptr; - VALUE_PAIR *reply; - char *server_name; /* Name of server to query */ - struct sockaddr_in *sin; - struct servent *svp; - struct timeval authtime; - fd_set readfds; - struct sockaddr salocal; - struct sockaddr saremote; - u_char md5buf[256]; - u_char passbuf[AUTH_PASS_LEN]; - u_char send_buffer[1024]; - u_char recv_buffer[1024]; - u_char vector[AUTH_VECTOR_LEN]; - char file[MAXPATHLEN]; - char secret[MAX_SECRET_LENGTH + 1]; - - server_name = data->server; - - - if (server_name == (char *) NULL || server_name[0] == '\0') - { - server_name = DEFAULT_RADIUS_SERVER; - } - - ustype = data->ustype; - - if (find_server (server_name, ustype, &auth_ipaddr, secret, msg) != 0) - { - return (ERROR_RC); - } - - timeout = data->timeout; - if (timeout == 0) - { - timeout++; - } - - if (data->svc_port == 0) - { - if ((svp = getservbyname ("radius", "udp")) == NULL) - { - data->svc_port = PW_AUTH_UDP_PORT; - } - else - { - data->svc_port = ntohs (svp->s_port); - } - } - - if (!radsock) - { - sockfd = socket (AF_INET, SOCK_DGRAM, 0); - if (sockfd < 0) - { - memset (secret, '\0', sizeof (secret)); - return (ERROR_RC); - } - - length = sizeof (salocal); - sin = (struct sockaddr_in *) & salocal; - memset ((char *) sin, '\0', length); - sin->sin_family = AF_INET; - sin->sin_addr.s_addr = INADDR_ANY; - sin->sin_port = htons (0); - if (bind (sockfd, (struct sockaddr *) sin, length) < 0 || - getsockname (sockfd, (struct sockaddr *) sin, - &length) < 0) - { - close (sockfd); - memset (secret, '\0', sizeof (secret)); - return (ERROR_RC); - } - retry_max = *retries; /* Max. numbers to try for reply */ - *retries = 0; /* Init retry cnt for blocking call */ - } - else - { - sockfd = radsock; - retry_max = 0; /* No retries if non-blocking */ - } - - /* Build an authentication request */ - auth = (AUTH_HDR *) send_buffer; - auth->code = data->code; - random_vector (vector); - seq_nbr = data->seq_nbr; - auth->id = seq_nbr; - memcpy ((char *) auth->vector, (char *) vector, AUTH_VECTOR_LEN); - total_length = AUTH_HDR_LEN; - ptr = auth->data; - - /* User Name */ - *ptr++ = PW_USER_NAME; - length = strlen (data->user_name); - if (length > AUTH_ID_LEN) - { - length = AUTH_ID_LEN; - } - *ptr++ = length + 2; - memcpy ((char *) ptr, data->user_name, length); - ptr += length; - total_length += length + 2; - - passwd = data->password; - - if (auth->code != PW_ACCOUNTING_REQUEST) - { - /* User Password */ - *ptr++ = PW_USER_PASSWORD; - *ptr++ = AUTH_PASS_LEN + 2; - - /* Encrypt the Password */ - length = strlen (passwd); - if (length > AUTH_PASS_LEN) - { - length = AUTH_PASS_LEN; - } - memset ((char *) passbuf, '\0', AUTH_PASS_LEN); - memcpy ((char *) passbuf, passwd, length); - - /* Calculate the MD5 Digest */ - secretlen = strlen (secret); - strcpy ((char *) md5buf, secret); - memcpy ((char *) md5buf + secretlen, - (char *) auth->vector, AUTH_VECTOR_LEN); - md5_calc (ptr, md5buf, secretlen + AUTH_VECTOR_LEN); - - /* Xor the password into the MD5 digest */ - for (i = 0; i < AUTH_PASS_LEN; i++) - { - *ptr++ ^= passbuf[i]; - } - total_length += AUTH_PASS_LEN + 2; - - } - - /* Service Type */ - *ptr++ = PW_SERVICE_TYPE; - *ptr++ = 2 + sizeof (UINT4); - lvalue = htonl (ustype); - memcpy ((char *) ptr, (char *) &lvalue, sizeof (UINT4)); - ptr = ptr + sizeof (UINT4); - total_length += sizeof (UINT4) + 2; - - fptype = data->fptype; - if (fptype > 0) /* if -t [slip | ppp] */ - { - /* Framed Protocol Type */ - *ptr++ = PW_FRAMED_PROTOCOL; - *ptr++ = 2 + sizeof (UINT4); - lvalue = htonl (fptype); - memcpy ((char *) ptr, (char *) &lvalue, sizeof (UINT4)); - ptr = ptr + sizeof (UINT4); - total_length += sizeof (UINT4) + 2; - } - - /* Client IP Address */ - *ptr++ = PW_NAS_IP_ADDRESS; - *ptr++ = 2 + sizeof (UINT4); - myipaddr = htonl(data->client_id); - memcpy ((char *) ptr, (char *) &myipaddr, sizeof (UINT4)); - ptr = ptr + sizeof (UINT4); - total_length += sizeof (UINT4) + 2; - - /* Client Port Number */ - *ptr++ = PW_NAS_PORT; - *ptr++ = 2 + sizeof (UINT4); - port_num = htonl((UINT4) data->port_num); - memcpy ((char *) ptr, (char *) &port_num, sizeof (UINT4)); - ptr = ptr + sizeof (UINT4); - total_length += sizeof (UINT4) + 2; - - if (data->user_file != (char *) NULL) /* add a/v pairs from user_file */ { - /* We should never get here! but just in case */ - return(-77); - } - - if (data->send_pairs != (VALUE_PAIR *) NULL) /* add more a/v pairs */ - { - /* We should never get here! but just in case */ - return(-88); - - } - - auth->length = htons (total_length); - - sin = (struct sockaddr_in *) & saremote; - memset ((char *) sin, '\0', sizeof (saremote)); - sin->sin_family = AF_INET; - sin->sin_addr.s_addr = htonl (auth_ipaddr); - sin->sin_port = htons (data->svc_port); - - for (;;) - { - sendto (sockfd, (char *) auth, (int) total_length, (int) 0, - (struct sockaddr *) sin, sizeof (struct sockaddr_in)); - - if (radsock) - { /* If non-blocking */ - - /* - * Return stuff to be saved for evaluation of reply - * when it comes in - */ - strcpy (msg, secret); - memcpy (msg + strlen (msg) + 1, (char *) vector, - AUTH_VECTOR_LEN); - memset (secret, '\0', sizeof (secret)); - return 1; /* Pos. return means no error */ - } - /* according to radius@msg.com 0L causing problems with BSD */ - /* Changing it to 999L for a longer timeout interval */ - authtime.tv_usec = 999L; - authtime.tv_sec = (long) timeout; - FD_ZERO (&readfds); - FD_SET (sockfd, &readfds); - if (select (sockfd + 1, &readfds, NULL, NULL, &authtime) < 0) - { - if (errno == EINTR) - continue; - memset (secret, '\0', sizeof (secret)); - close (sockfd); - return (ERROR_RC); - } - if (FD_ISSET (sockfd, &readfds)) - break; - - /* - * Timed out waiting for response. Retry "retry_max" times - * before giving up. If retry_max = 0, don't retry at all. - */ - if (++(*retries) >= retry_max) - { - close (sockfd); - memset (secret, '\0', sizeof (secret)); - return (TIMEOUT_RC); - } - } - salen = sizeof (saremote); - length = recvfrom (sockfd, (char *) recv_buffer, - (int) sizeof (recv_buffer), - (int) 0, &saremote, &salen); - - if (length <= 0) - { - close (sockfd); - memset (secret, '\0', sizeof (secret)); - return (ERROR_RC); - } - result = check_radius_reply (recv_buffer, secret, vector, - (u_int) seq_nbr, msg); - close (sockfd); - memset (secret, '\0', sizeof (secret)); - return (result); - -} /* end of send_server () */ - - -/************************************************************************* -* -* check_radius_reply - Verify items in returned packet. -* -* Returns: OK_RC -- upon success, -* BADRESP_RC -- if anything looks funny. -* -* Public entry point necessary for MINOS/MNET daemon. -* -**************************************************************************/ - -int -check_radius_reply (buffer, secret, vector, seq_nbr, msg) - -u_char *buffer; -char *secret; -u_char vector[]; -u_int seq_nbr; -char *msg; - -{ - u_char len; - int result; - int secretlen; - int totallen; - AUTH_HDR *auth; - u_char *next; - u_char *ptr; - VALUE_PAIR *vp; - u_char calc_digest[AUTH_VECTOR_LEN]; - u_char reply_digest[AUTH_VECTOR_LEN]; - - auth = (AUTH_HDR *) buffer; - totallen = ntohs (auth->length); - - - /* Verify that id (seq. number) matches what we sent */ - if (auth->id != (u_char) seq_nbr) - { - return (BADRESP_RC); - } - - /* Verify the reply digest */ - memcpy ((char *) reply_digest, (char *) auth->vector, AUTH_VECTOR_LEN); - memcpy ((char *) auth->vector, (char *) vector, AUTH_VECTOR_LEN); - secretlen = strlen (secret); - memcpy ((char *) buffer + totallen, secret, secretlen); - md5_calc (calc_digest, (char *) auth, totallen + secretlen); - - if (memcmp ((char *) reply_digest, (char *) calc_digest, - AUTH_VECTOR_LEN) != 0) - { - return (BADRESP_RC); - } - - msg[0] = '\0'; - ptr = (u_char *) auth->data; - totallen -= AUTH_HDR_LEN; - while (totallen > 0) - { - len = ptr[1]; - totallen -= len; - next = ptr + len; - if (*ptr == '\0') - { - return (BADRESP_RC); - } - - if (*ptr == PW_REPLY_MESSAGE) - { - ptr++; - ptr++; - strncat (msg, (char *) ptr, len - 2); - strcat (msg, "\n"); - } - ptr = next; - } - - if ((auth->code == PW_ACCESS_ACCEPT) || - (auth->code == PW_PASSWORD_ACK) || - (auth->code == PW_ACCOUNTING_RESPONSE)) - { - result = OK_RC; - } - else - { - result = BADRESP_RC; - } - - return (result); -} /* end of check_radius_reply () */ - - diff --git a/mod_authnz_external/radius/mod-radius.h b/mod_authnz_external/radius/mod-radius.h deleted file mode 100644 index 34932e4..0000000 --- a/mod_authnz_external/radius/mod-radius.h +++ /dev/null @@ -1,1124 +0,0 @@ -#ifndef RADIUS_H -#define RADIUS_H - -/* - * RADIUS Remote Authentication Dial In User Service - * - * Livingston Enterprises, Inc. - * 6920 Koll Center Parkway - * Pleasanton, CA 94566 - * - * Copyright 1992 Livingston Enterprises, Inc. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose and without fee is hereby granted, provided that this - * copyright and permission notice appear on all copies and supporting - * documentation, the name of Livingston Enterprises, Inc. not be used - * in advertising or publicity pertaining to distribution of the - * program without specific prior permission, and notice be given - * in supporting documentation that copying and distribution is by - * permission of Livingston Enterprises, Inc. - * - * Livingston Enterprises, Inc. makes no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - * - * [C] The Regents of the University of Michigan and Merit Network, Inc. 1992, - * 1993, 1994, 1995, 1996 All Rights Reserved - * - * Permission to use, copy, modify, and distribute this software and its - * documentation for any purpose and without fee is hereby granted, provided - * that the above copyright notice and this permission notice appear in all - * copies of the software and derivative works or modified versions thereof, - * and that both the copyright notice and this permission and disclaimer - * notice appear in supporting documentation. - * - * THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF - * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE - * UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE - * FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR - * THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. The Regents of the - * University of Michigan and Merit Network, Inc. shall not be liable for any - * special, indirect, incidental or consequential damages with respect to any - * claim by Licensee or any third party arising from use of the software. - * - * @(#)radius.h 1.3 1/20/93 - * - * $Id: radius.h,v 2.64 1996/06/19 18:16:23 web Exp $ - */ - - -#define COMMENT '#' /* comment char for config files */ - -#define AUTH_VECTOR_LEN 16 -#define AUTH_PASS_LEN 16 -#define AUTH_ID_LEN 64 -#define AUTH_STRING_LEN 128 /* maximum of 253 */ - -#define FILTER_LEN 16 -#define NAME_LENGTH 32 -#define MAX_FSMID_LEN 20 /* Maximum length of %FSMID string */ - -typedef struct pw_auth_hdr -{ - u_char code; - u_char id; - u_short length; - u_char vector[AUTH_VECTOR_LEN]; - u_char data[2]; -} AUTH_HDR; - -#define AUTH_HDR_LEN 20 -#define MAX_SECRET_LENGTH 16 -#define CHAP_VALUE_LENGTH 16 - -#if !defined(PW_AUTH_UDP_PORT) -#define PW_AUTH_UDP_PORT 1647 -#endif - -#if !defined(PW_ACCT_UDP_PORT) -#define PW_ACCT_UDP_PORT 1648 -#endif - -#define PW_TYPE_STRING 0 -#define PW_TYPE_INTEGER 1 -#define PW_TYPE_IPADDR 2 -#define PW_TYPE_DATE 3 -#define PW_TYPE_OCTETS 4 -#define PW_TYPE_VENDOR 5 - -/* standard RADIUS codes */ - -#define PW_ACCESS_REQUEST 1 -#define PW_ACCESS_ACCEPT 2 -#define PW_ACCESS_REJECT 3 -#define PW_ACCOUNTING_REQUEST 4 -#define PW_ACCOUNTING_RESPONSE 5 -#define PW_ACCOUNTING_STATUS 6 -#define PW_PASSWORD_REQUEST 7 -#define PW_PASSWORD_ACK 8 -#define PW_PASSWORD_REJECT 9 -#define PW_ACCOUNTING_MESSAGE 10 -#define PW_ACCESS_CHALLENGE 11 -#define PW_STATUS_SERVER 12 -#define PW_STATUS_CLIENT 13 -#define PW_FORWARDING 216 - - -/* standard RADIUS attribute-value pairs */ - -#define PW_USER_NAME 1 /* string */ -#define PW_USER_PASSWORD 2 /* string */ -#define PW_CHAP_PASSWORD 3 /* string */ -#define PW_NAS_IP_ADDRESS 4 /* ipaddr */ -#define PW_NAS_PORT 5 /* integer */ -#define PW_SERVICE_TYPE 6 /* integer */ -#define PW_FRAMED_PROTOCOL 7 /* integer */ -#define PW_FRAMED_IP_ADDRESS 8 /* ipaddr */ -#define PW_FRAMED_IP_NETMASK 9 /* ipaddr */ -#define PW_FRAMED_ROUTING 10 /* integer */ -#define PW_FILTER_ID 11 /* string */ -#define PW_FRAMED_MTU 12 /* integer */ -#define PW_FRAMED_COMPRESSION 13 /* integer */ -#define PW_LOGIN_IP_HOST 14 /* ipaddr */ -#define PW_LOGIN_SERVICE 15 /* integer */ -#define PW_LOGIN_PORT 16 /* integer */ -#define PW_OLD_PASSWORD 17 /* string */ /* deprecated */ -#define PW_REPLY_MESSAGE 18 /* string */ -#define PW_LOGIN_CALLBACK_NUMBER 19 /* string */ -#define PW_FRAMED_CALLBACK_ID 20 /* string */ -#define PW_EXPIRATION 21 /* date */ /* deprecated */ -#define PW_FRAMED_ROUTE 22 /* string */ -#define PW_FRAMED_IPX_NETWORK 23 /* integer */ -#define PW_STATE 24 /* string */ -#define PW_CLASS 25 /* string */ -#define PW_VENDOR_SPECIFIC 26 /* string */ -#define PW_SESSION_TIMEOUT 27 /* integer */ -#define PW_IDLE_TIMEOUT 28 /* integer */ -#define PW_TERMINATION_ACTION 29 /* integer */ -#define PW_CALLED_STATION_ID 30 /* string */ -#define PW_CALLING_STATION_ID 31 /* string */ -#define PW_NAS_IDENTIFIER 32 /* string */ -#define PW_PROXY_STATE 33 /* string */ -#define PW_LOGIN_LAT_SERVICE 34 /* string */ -#define PW_LOGIN_LAT_NODE 35 /* string */ -#define PW_LOGIN_LAT_GROUP 36 /* string */ -#define PW_FRAMED_APPLETALK_LINK 37 /* integer */ -#define PW_FRAMED_APPLETALK_NETWORK 38 /* integer */ -#define PW_FRAMED_APPLETALK_ZONE 39 /* string */ -#define PW_CHAP_CHALLENGE 60 /* string */ -#define PW_NAS_PORT_TYPE 61 /* integer */ -#define PW_PORT_LIMIT 62 /* integer */ -#define PW_LOGIN_LAT_PORT 63 /* string */ - -/* Accounting */ - -#define PW_ACCT_STATUS_TYPE 40 /* integer */ -#define PW_ACCT_DELAY_TIME 41 /* integer */ -#define PW_ACCT_INPUT_OCTETS 42 /* integer */ -#define PW_ACCT_OUTPUT_OCTETS 43 /* integer */ -#define PW_ACCT_SESSION_ID 44 /* string */ -#define PW_ACCT_AUTHENTIC 45 /* integer */ -#define PW_ACCT_SESSION_TIME 46 /* integer */ -#define PW_ACCT_INPUT_PACKETS 47 /* integer */ -#define PW_ACCT_OUTPUT_PACKETS 48 /* integer */ -#define PW_ACCT_TERMINATE_CAUSE 49 /* integer */ -#define PW_ACCT_MULTI_SESSION_ID 50 /* string */ - -/* Merit Experimental Extensions */ - -/* Temporary assignment for LOG AATV session logging */ - -#define PW_LAS_START_TIME 145 /* integer */ -#define PW_LAS_CODE 146 /* integer */ -#define PW_LAS_DURATION 147 /* integer */ -#define PW_LOCAL_DURATION 148 /* integer */ - -#define PW_SERVICE_CLASS 149 /* string */ -#define PW_PORT_ENTRY 150 /* string */ -#define PW_PROXY_ACTION 211 /* string */ -#define PW_TOKEN 213 /* string */ -#define PW_HUNTGROUP_NAME 221 /* string */ -#define PW_USER_ID 222 /* string */ -#define PW_USER_REALM 223 /* string */ - -/* Configuration Only Attributes (for check-items) */ - -#define CI_COMMENT 1024 /* string */ -#define CI_XVALUE 1025 /* integer */ -#define CI_XSTRING 1026 /* string */ -#define CI_AUTHENTICATION_TYPE 1027 /* integer */ -#define CI_PROHIBIT 1028 /* integer */ -#define CI_USER_CATEGORY 1029 /* string */ -#define CI_GROUP_NAME 1030 /* string */ -#define CI_ENCRYPTED_PASSWORD 1031 /* string */ -#define CI_EXPIRATION 1032 /* date */ -#define CI_USER_PASSWORD 1033 /* string */ -#define CI_SIMULTANEOUS_USE 1034 /* integer */ -#define CI_SERVER_NAME 1035 /* string */ - -/* Integer Translations */ - -/* SERVICE TYPES */ - -#define PW_LOGIN 1 -#define PW_FRAMED 2 -#define PW_CALLBACK_LOGIN 3 -#define PW_CALLBACK_FRAMED 4 -#define PW_OUTBOUND_USER 5 -#define PW_ADMINISTRATIVE_USER 6 -#define PW_SHELL_USER 7 -#define PW_AUTHENTICATE_ONLY 8 -#define PW_CALLBACK_ADMIN_USER 9 - -/* FRAMED PROTOCOLS */ - -#define PW_PPP 1 -#define PW_SLIP 2 -#define PW_ARA 3 -#define PW_GANDALF 4 - -/* FRAMED ROUTING VALUES */ - -#define PW_NONE 0 -#define PW_BROADCAST 1 -#define PW_LISTEN 2 -#define PW_BROADCAST_LISTEN 3 - -/* FRAMED COMPRESSION TYPES */ - -#define PW_VAN_JACOBSON_TCP_IP 1 -#define PW_IPX_HEADER_COMPRESSION 2 - -/* LOGIN SERVICES */ - -#define PW_TELNET 0 -#define PW_RLOGIN 1 -#define PW_TCP_CLEAR 2 -#define PW_PORTMASTER 3 -#define PW_LAT 4 - -/* TERMINATION ACTIONS */ - -#define PW_DEFAULT 0 -#define PW_RADIUS_REQUEST 1 - -/* AUTHENTICATION TYPES */ - -#define AA_NONE 0 /* This is not a valid user id entry */ -#define AA_UNIX 1 /* Use local Unix password file */ -#define AA_AKRB 2 /* AFS Kerberos type authentication */ -#define AA_MKRB 3 /* MIT Kerberos type authentication */ -#define AA_RAD 4 /* Pass to remote RADIUS server */ -#define AA_MNET 5 /* Do Merit specific authentication */ -#define AA_KCHAP 6 /* Kerberos CHAP authentication */ -#define AA_TACACS 7 /* Encrypted TACACS authentication */ -#define AA_REALM 8 /* Find given realm in authfile */ -#define AA_LOCAL 9 -#define AA_FILE 10 /* ID/PW list in a file */ - -#define PW_AUTH_MAX 10 /* Highest authentication type */ - -/* PROHIBIT PROTOCOL */ - -#define PW_DUMB 0 /* 1 and 2 are defined in FRAMED PROTOCOLS */ -#define PW_AUTH_ONLY 3 -#define PW_ALL 255 - -/* ACCOUNTING STATUS TYPES */ - -#define PW_STATUS_START 1 -#define PW_STATUS_STOP 2 -#define PW_STATUS_ALIVE 3 -#define PW_STATUS_MODEM_START 4 -#define PW_STATUS_MODEM_STOP 5 -#define PW_STATUS_CANCEL 6 -#define PW_ACCOUNTING_ON 7 -#define PW_ACCOUNTING_OFF 8 - -/* ACCOUNTING TERMINATION CAUSES */ - -#define PW_USER_REQUEST 1 -#define PW_LOST_CARRIER 2 -#define PW_LOST_SERVICE 3 -#define PW_ACCT_IDLE_TIMEOUT 4 -#define PW_ACCT_SESSION_TIMEOUT 5 -#define PW_ADMIN_RESET 6 -#define PW_ADMIN_REBOOT 7 -#define PW_PORT_ERROR 8 -#define PW_NAS_ERROR 9 -#define PW_NAS_REQUEST 10 -#define PW_NAS_REBOOT 11 -#define PW_PORT_UNNEEDED 12 -#define PW_PORT_PREEMPTED 13 -#define PW_PORT_SUSPENDED 14 -#define PW_SERVICE_UNAVAILABLE 15 -#define PW_CALLBACK 16 -#define PW_USER_ERROR 17 -#define PW_HOST_REQUEST 18 - -/* NAS PORT TYPES */ - -#define PW_ASYNC 0 -#define PW_SYNC 1 -#define PW_ISDN_SYNC 2 -#define PW_ISDN_SYNC_V120 3 -#define PW_ISDN_SYNC_V110 4 - -/* Default Database File Names */ - -#ifndef RADIUS_DIR -#define RADIUS_DIR "/usr/private/etc/raddb" -#endif - -#ifndef RADACCT_DIR -#define RADACCT_DIR "/usr/private/etc/radacct" -#endif - -/* - * Note: To change where these files go, do not change the #defines - * below, instead change the RADIUS_DIR #define above. - */ - -#define RADIUS_DICTIONARY "dictionary" -#define RADIUS_CLIENTS "clients" -#define RADIUS_USERS "users" -#define RADIUS_HOLD "holdusers" -#define RADIUS_LOG "logfile" -#define RADIUS_AUTH "authfile" -#define RADIUS_PID "radiusd.pid" -#define RADIUS_FSM "radius.fsm" -#define RADIUS_DEBUG "radius.debug" - -#ifndef RADIUS_COMPRESS -#define RADIUS_COMPRESS "/usr/ucb/compress" /* might be gzip, etc. */ -#endif - -#ifndef RADIUS_LOCALSERVER -#define RADIUS_LOCALSERVER "nimic.nas.nasa.gov" -#endif - -#ifndef DEFAULT_REALM -#define DEFAULT_REALM "DEFAULT" -#endif - -#ifndef NULL_REALM -#define NULL_REALM "NULL" -#endif - -/* Server data structures */ - -typedef struct dict_attr -{ - char name[NAME_LENGTH + 1]; /* attribute name */ - int value; /* attribute index */ - int type; /* string, int, etc. */ - struct dict_attr *next; -} DICT_ATTR; - -typedef struct dict_value -{ - char attrname[NAME_LENGTH +1]; - char name[NAME_LENGTH + 1]; - int value; - struct dict_value *next; -} DICT_VALUE; - -typedef struct value_pair -{ - char name[NAME_LENGTH + 1]; - int attribute; - int type; - UINT4 lvalue; - char strvalue[AUTH_STRING_LEN + 1]; - struct value_pair *next; -} VALUE_PAIR; - -typedef struct auth_req -{ - UINT4 ipaddr; /* IP address of requestor */ - u_short udp_port; /* UDP reply socket of requestor */ - u_char id; /* Original request seq. number */ - u_char code; /* Type of RADIUS packet */ - u_char vector[AUTH_VECTOR_LEN]; - char *secret; - char *file_pfx; - char *realm_filter; - u_char ttl; /* Global queue time-to-live secs */ - u_char timer; /* General utility timer */ - u_char reply_id; /* RADIUS-to-RADIUS seq. number */ - u_char retry_cnt; /* Counter for duplicate requests */ - u_char state; /* State of current request */ - u_char sws; /* Switches, flags, etc. */ - int result; /* Result of previous action */ - int cur_count; /* Original number request pairs */ - struct aatv *fsm_aatv; /* Pointer to current FSM action */ - struct aatv *direct_aatv; /* Pointer to actual action */ - struct event_ent *event_q; /* Pointer to active event queue */ - struct auth_req *next; /* Global request queue link */ - VALUE_PAIR *request; /* Original client a/v pairs */ - VALUE_PAIR *cur_request; /* Represents current a/v pairs */ - VALUE_PAIR *user_check; /* List of users file check items */ -} AUTH_REQ; - -typedef struct event_ent -{ - struct event_ent *next; - AUTH_REQ *auth_head; /* pointer back to the authreq structure */ - struct aatv *fsm_aatv; /* record action from FSM table */ - struct aatv *sub_aatv; /* record action when request was issued */ - u_char *packet; /* copy of request packet which was sent */ - int len; /* length of packet */ - pid_t pid; /* fork type: pid, socket type: == zero */ - struct sockaddr_in sin; /* socket info for packet re-sending */ - int evalue; /* AATV act_func integer argument */ - u_char state; /* state in which the request was issued */ - char action[NAME_LENGTH+1]; /* "cmd" arg to radius_send */ - char estring[AUTH_ID_LEN]; /* AATV act_func string arg */ -} EVENT_ENT; - -typedef struct user_ent -{ - struct user_ent *next; - char *name; - VALUE_PAIR *check; - VALUE_PAIR *reply; -} USER_ENTRY; - -#ifdef MERIT_LAS -typedef struct lasrealm_ent *LAS_REALM; -#endif /* MERIT_LAS */ - -typedef struct auth_ent -{ - struct auth_ent *next; - char *name; - struct auth_ent *parent; - int prot; - int type; - char *host; - char *filter; -#ifdef MERIT_LAS - LAS_REALM las_realm; -#endif /* MERIT_LAS */ -} AUTH_ENTRY; - -/* The following must match the beginning of the auth_ent structure */ -typedef struct auth_aent -{ - struct auth_ent *next; - char *name; - struct auth_ent *parent; -} AUTH_ALIAS_ENTRY; - -typedef struct linklist_entry -{ - struct linklist_entry *next; /* pointer to next entry in list */ -} LINKLIST_ENT; - -#define numbof(X) (sizeof(X)/sizeof(X[0])) - -typedef struct name_list -{ - struct name_list *next; - char *name; - u_char flag; - u_short num; -} NAME_LIST; - -/* Binary port entry structure used in Port-Entry attribute */ - -#define PORT_ENTRY_VERSION 0 /* increase if change structure here */ - -typedef struct bin_port_ent -{ - u_char version; /* be sure to use PORT_ENTRY_VERSION */ - u_char port_source; /* zero => was HGAS, one => otherwise */ - time_t start_time; /* start time of session on this port */ - UINT4 port_nbr; /* port number of this session */ - UINT4 duration; /* session length (seconds) */ -} BIN_PORT_ENT; - -/* - * Use the following to specify default "realm" names to use for - * authentication-type entries of RADIUS or TACACS that may be - * configured in the "users" file. May be configured globally - * in the Makefile or changed in the authfile on a running server. - */ - -#ifndef DEFAULT_RADIUS_SERVER -#define DEFAULT_RADIUS_SERVER "nimic.nas.nasa.gov" -#endif - -#ifndef DEFAULT_TACACS_SERVER -#define DEFAULT_TACACS_SERVER "" -#endif - -/****************************************************************** - * - * PW_PROTTYPE & PW_PROTTYPES - define authentication protocol allowed - * for particular realm entry in authfile. - * - * The PW_PROTTYPE value is stored in the auth_ent.prot field. - * The PW_PROTTYPE value corresponds to the order of PW_PROTTYPES. - * - *****************************************************************/ - -#define PW_PROTTYPE_DFLT 0 /* Use this entry for any protocol */ -#define PW_PROTTYPE_CHAP 1 /* Entry is for CHAP style authent. */ -#define PW_PROTTYPE_PW 2 /* Entry is for id/pw style authent. */ - -#define PW_PROTTYPES_DFLT "DEFAULT" -#define PW_PROTTYPES_CHAP "CHAP" -#define PW_PROTTYPES_PW "PW" - -typedef struct file_list -{ - struct file_list *next; - char *prefix; - USER_ENTRY *user_list; - AUTH_ENTRY *auth_list; -} FILE_LIST; - -typedef struct ip_address -{ - struct ip_address *next; - struct in_addr ipaddr; -} IP_ADDRESS; - -typedef struct dns_name -{ - struct dns_name *next; - u_char type; /* 0 = official name, 1 = alias */ - char name[1]; -} DNS_NAME; - -typedef struct client_ent -{ - struct client_ent *next; - IP_ADDRESS *addrs; - char *secret; - char *prefix; - char *hostname; - DNS_NAME *names; - time_t expire_time; - enum {CE_DNS, CE_NUMERIC, CE_OURADDR} type; -} CLIENT_ENTRY; - -/* Define return codes from "SendServer" utility */ - -#define BADRESP_RC -2 -#define ERROR_RC -1 -#define OK_RC 0 -#define TIMEOUT_RC 1 - -typedef struct send_data /* Used to pass information to sendserver() function */ -{ - u_char code; /* RADIUS packet code */ - u_char seq_nbr; /* Packet sequence number */ - char *user_name; - char *password; /* Cleartext user password */ - u_char ustype; /* Service-Type attribute */ - u_char fptype; /* Framed-Protocol attribute */ - char *server; /* Name/addrress of RADIUS server */ - int svc_port; /* RADIUS protocol destination port */ - int timeout; /* Session timeout in seconds */ - UINT4 client_id; /* IP address of client */ - int port_num; /* Port number on client */ - char *user_file; /* Users style file of a/v pairs */ - char *group; - VALUE_PAIR *send_pairs; /* More a/v pairs to send */ - VALUE_PAIR **receive_pairs; /* Where to place received a/v pairs */ -} SEND_DATA; - -/* - * Handle older syslog versions, too! - */ - -#ifndef LOG_CONS -#define LOG_DAEMON 0 -#define LOG_AUTH 0 -#endif - -#define MGMT_POLL_SECRET "Hardlyasecret" -#define MAX_REQUESTS 128 -#define MAX_REQUEST_TIME 30 /* Lifetime of a request */ -#define CLEANUP_DELAY 5 /* Hold onto old requests this long */ -#define DEFAULT_INETD_TIMEOUT 15 /* Fifteen minutes by default */ -#define DEFAULT_TIMER_VALUE 3 /* Three seconds by default */ -#define ADDRESS_AGING 60*60 /* One hour by default */ -#define DFLT_TACACS_UDP_PORT 49 /* Default TACACS server port */ -#define SESS_ID_LEN 8 /* session id length */ -#define SECONDS_PER_DAY 86400 -#define TRUNCATION_DAY 7 /* Sunday is zero (0), daily is seven (7) */ -#define DNS_SLEEP 100 /* Time which DNS sub-process sleeps. */ - -typedef enum /* error code */ -{ - EC_OK, /* no error */ - EC_INTERNAL, /* internal error */ - EC_CONFIG, /* configuration error */ - EC_NO_MEMORY, /* out of memory */ - EC_CREATE_FILE, /* error creating file */ - EC_NO_TOKEN, /* no token available */ - EC_NO_PORTS, /* no ports available for guests */ - EC_TOO_MANY_SESSIONS, /* user has too many sessions */ - EC_ABS_FAILURE, /* ABS failed (with message) */ - EC_NO_BALANCE, /* error querying for balance */ - EC_BAD_BALANCE /* balance too low */ -} ERRORCODE; - -typedef enum /* accounting code */ -{ - AC_ERROR = -1, /* no accounting code */ - AC_NORMAL, /* normal disconnect */ - AC_REJECT, /* rejected by this server */ - AC_CANCEL, /* access rejected by someone */ - AC_NOCONFIRM, /* no confirmation */ - AC_OVERTIME, /* session over maximum time allowed */ - AC_UNKNOWN, /* session ended for unknown reason */ - AC_NOTOKEN, /* rejected because no token */ - AC_NOTLOCAL, /* session not local */ - AC_SUSPEND, /* session suspended */ - AC_FAILED, /* authentication failed */ - AC_AUTHORIZED, /* session authorized (for stats) */ - AC_NASREBOOT, /* released due to NAS reboot */ - AC_REMOTE, /* remote session, failed to forward */ - AC_NUMBOFCODE /* number of accounting code */ -} ACCTCODE; - -#ifndef PROTO -#ifdef __STDC__ -#define PROTO(x) x -#else -#define PROTO(x) () -#define const -#endif /* !__STDC__ */ -#endif /* !PROTO */ - -union action_u -{ - struct aatv *aatv; /* points to the id field of an AATV */ - char *proxy; /* pointer to a Proxy-Action string */ -} UACTION; - -/* Define event structure (for events generated by AATV recv functions */ - -typedef struct ev -{ - u_char state; - union action_u a; - int isproxy; /* set to one if action "a" is proxy */ - int value; - char xstring[AUTH_ID_LEN]; -} EV; - -/* Define aatvfunc_type codes */ - -#define AA_DIRECT 0 /* Function gives direct reply */ -#define AA_SOCKET 1 /* Deferred reply returned on socket */ -#define AA_FORK 2 /* Spawn a process to wait for reply */ -#define AA_FREPLY 3 /* Fork & get reply on server socket */ - -typedef struct aatv -{ - u_char id[NAME_LENGTH + 1]; - char authen_type; /* a -1 value indicates built-in AATV types */ - u_char aatvfunc_type; - void (*init) PROTO((struct aatv *)); - int (*timer) PROTO((void)); - int (*act_func) PROTO((AUTH_REQ *, int, char *)); - AUTH_REQ * (*recv) PROTO((struct sockaddr_in *, UINT4, u_int, EV *)); - void (*cleanup) PROTO((void)); - UINT4 sockfd; -} AATV, *AATVPTR; - -extern AATV *authtype_tv[]; - -#ifdef MERIT_LAS -extern AATVPTR rad_log_aatv; /* For logging (selector) */ -extern AATVPTR rad_log_all_aatv; /* For logging (debugging) */ -extern AATVPTR rad_log_brief_aatv; /* For logging (logging) */ -extern AATVPTR rad_log_old_aatv; /* For logging (logging) */ -extern AATVPTR rad_log_v1_0_aatv; /* For logging (logging) */ -extern AATVPTR rad_log_v1_1_aatv; /* For logging (logging) */ -extern AATVPTR rad_log_v2_0_aatv; /* For logging (logging) */ -extern AATVPTR rad_log_v2_1_aatv; /* For logging (logging) */ -#endif /* MERIT_LAS */ - -/* Specify all authentication/authorization transfer vectors here. */ - -extern AATVPTR rad_realm_aatv; /* Needed for authtype = realm */ -extern AATVPTR rad_2rad_aatv; /* Authtype = Radius */ -extern AATVPTR rad_tacs_aatv; /* Authtype = TACACS */ -extern AATVPTR rad_unix_aatv; /* Authtype = Unix-pw */ -extern AATVPTR rad_kchp_aatv; /* Authtype = KCHAP */ -extern AATVPTR rad_mnet_aatv; /* Authtype = mnet */ -extern AATVPTR rad_akrb_aatv; /* Authtype = akerb */ -extern AATVPTR rad_mkrb_aatv; /* Authtype = mkerb */ -#ifdef MERIT_LAS -extern AATVPTR rad_file_aatv; /* Authtype = File */ -#endif /* MERIT_LAS */ -extern AATVPTR rad_authen_aatv; /* Authentication begins here */ -extern AATVPTR rad_passwd_aatv; /* Used for changing passwords */ - -#ifdef MERIT_HUNTGROUP -#include "huntgroup.h" -#define EN_HGAS1 "HGAS1" -#define EN_HGAS2 "HGAS2" -#define EN_HGAS3 "HGAS3" -#define EN_HGAS4 "HGAS4" -#define EN_BACCT "BACCT" -extern AATVPTR rad_hgas1_aatv; /* Hg Authorization begins here */ -extern AATVPTR rad_hgas2_aatv; /* Hg Authorization continues here */ -extern AATVPTR rad_hgas3_aatv; /* Hg Accounting begins here */ -extern AATVPTR rad_hgas4_aatv; /* Hg Accounting continues here */ -extern AATVPTR rad_hgasrmt_aatv; /* Hg forwarding to remote server */ -extern AATVPTR rad_hgacctrmt_aatv; /* Hg accounting origination */ -extern AATVPTR rad_hgaslog_aatv; /* Hg logging action (for HGAS1) */ - -#ifdef MERIT_HUNTGROUP_DAC -extern AATVPTR rad_hgdac1_aatv; /* Hg DAC policy begins here */ -extern AATVPTR rad_hgdac2_aatv; /* Hg DAC policy continues here */ -extern AATVPTR rad_hgdac3_aatv; /* Hg DAC accounting begins here */ -#define DACAATVS ,&rad_hgdac1_aatv,&rad_hgdac2_aatv,&rad_hgdac3_aatv -#else /* MERIT_HUNTGROUP_DAC */ -#define DACAATVS -#endif /* MERIT_HUNTGROUP_DAC */ - -#ifdef MERIT_HUNTGROUP_SHP -extern AATVPTR rad_hgshp1_aatv; /* Hg SHP policy begins here */ -extern AATVPTR rad_hgshp2_aatv; /* Hg SHP policy continues here */ -extern AATVPTR rad_hgshp3_aatv; /* Hg SHP accounting begins here */ -#define SHPAATVS ,&rad_hgshp1_aatv,&rad_hgshp2_aatv,&rad_hgshp3_aatv -#else /* MERIT_HUNTGROUP_SHP */ -#define SHPAATVS -#endif /* MERIT_HUNTGROUP_SHP */ - -#define HGAATVS ,&rad_hgas1_aatv,&rad_hgas2_aatv,&rad_hgas3_aatv,&rad_hgas4_aatv,&rad_hgasrmt_aatv,&rad_hgaslog_aatv,&rad_hgacctrmt_aatv DACAATVS SHPAATVS -#else /* MERIT_HUNTGROUP */ -#define HGAATVS -#define EN_HGAS1 "" -#define EN_HGAS2 "" -#define EN_HGAS3 "" -#define EN_HGAS4 "" -#define EN_BACCT "" -#endif /* MERIT_HUNTGROUP */ - -#ifdef MERIT_ORGANIZATION -#include "oas.h" -#define EN_OAS "OAS" -#define EN_OAS_ACCT "OAS_ACCT" -extern AATVPTR rad_oas_aatv; /* Org Authorization begins here */ -extern AATVPTR rad_oasrem_aatv; /* Org Authorization remote stuff */ -extern AATVPTR rad_oasloc_aatv; /* Org Authorization local stuff */ -extern AATVPTR oas_acct_aatv; /* Org Accounting begins here */ -#define OASAATVS ,&rad_oas_aatv,&rad_oasrem_aatv,&rad_oasloc_aatv,&oas_acct_aatv -#else /* MERIT_ORGANIZATION */ -#define OASAATVS -#define EN_OAS "" -#define EN_OAS_ACCT "" -#endif /* MERIT_ORGANIZATION */ - -#ifdef MERIT_LAS -#include "las.h" -#define EN_LAS "AUTHENTICATE" -#define EN_LAS_ACCT "LAS_ACCT" -extern AATVPTR rad_las_aatv; /* Local authorization */ -extern AATVPTR las_auth_subaatv; /* Generic LAS authorization */ -extern AATVPTR las_acct_subaatv; /* Generic LAS accounting */ -extern AATVPTR las_acct_aatv; /* LAS accounting */ - -#ifdef LAS_NO_HGAS -#define LASCPAATV -#else /* LAS_NO_HGAS */ -extern AATVPTR lascp_aatv; /* LAS synchronizing */ -#define LASCPAATV ,&lascp_aatv -#endif /* LAS_NO_HGAS */ - -#ifdef UOFM_LAS -#include "umlas.h" -extern AATVPTR las_um_aatv; /* U of M LAS */ -#define LASAATVS ,&las_auth_subaatv,&las_acct_subaatv,&las_um_aatv, \ - &rad_las_aatv,&las_acct_aatv LASCPAATV -#else /* UOFM_LAS */ -#define LASAATVS ,&las_auth_subaatv,&las_acct_subaatv, \ - &rad_las_aatv,&las_acct_aatv LASCPAATV -#endif /* UOFM_LAS */ -#else /* MERIT_LAS */ -#define LASAATVS -#define EN_LAS "" -#define EN_LAS_ACCT "" -#endif /* MERIT_LAS */ - -#ifdef MERIT_LAS -#define AUTHENAATVS &rad_realm_aatv, &rad_unix_aatv, &rad_2rad_aatv, \ - &rad_tacs_aatv, &rad_kchp_aatv, &rad_mnet_aatv, \ - &rad_akrb_aatv, &rad_mkrb_aatv, &rad_file_aatv, \ - &rad_authen_aatv, &rad_passwd_aatv -#else /* MERIT_LAS */ -#define AUTHENAATVS &rad_realm_aatv, &rad_unix_aatv, &rad_2rad_aatv, \ - &rad_tacs_aatv, &rad_kchp_aatv, &rad_mnet_aatv, \ - &rad_akrb_aatv, &rad_mkrb_aatv, &rad_authen_aatv, \ - &rad_passwd_aatv -#endif /* MERIT_LAS */ - - -#define AATVS AUTHENAATVS HGAATVS OASAATVS LASAATVS - -/* - * Event names (EN_*) in RADIUS ### see the NOTE in enum_event() - */ - -#define EN_NAK "NAK" -#define EN_ACK "ACK" -#define EN_ERROR "ERROR" -#define EN_WAIT "WAIT" -#define EN_FATAL "FATAL" -#define EN_DUP_REQ "DUP" -#define EN_TIMER "TIMER" -#define EN_TIMEOUT "TIMEOUT" -#define EN_ABORT "ABORT" -#define EN_NEW_AUTHEN "AUTHEN" -#define EN_NEW_ACCT "ACCT" -#define EN_NEW_PASSWD "PASSWD" -#define EN_RE_ACCESS "REACCESS" -#define EN_ACC_CHAL "ACC_CHAL" -#define EN_MGT_POLL "MGT_POLL" -#define EN_AUTH_ONLY "AUTH_ONLY" -#define EN_ACCT_START "ACCT_START" -#define EN_ACCT_STOP "ACCT_STOP" -#define EN_ACCT_ALIVE "ACCT_ALIVE" -#define EN_ACCT_MODEM_START "ACCT_MSTART" -#define EN_ACCT_MODEM_STOP "ACCT_MSTOP" -#define EN_ACCT_CANCEL "ACCT_CANCEL" -#define EN_RC1 "RC1" -#define EN_RC2 "RC2" -#define EN_RC3 "RC3" -#define EN_RC4 "RC4" -#define EN_RC5 "RC5" -#define EN_RC6 "RC6" -#define EN_RC7 "RC7" -#define EN_RC8 "RC8" -#define EN_RC9 "RC9" -#define EN_RC10 "RC10" -#define EN_RC11 "RC11" -#define EN_RC12 "RC12" -#define EN_RC13 "RC13" -#define EN_RC14 "RC14" -#define EN_RC15 "RC15" -#define EN_RC16 "RC16" -#define EN_RC17 "RC17" -#define EN_RC18 "RC18" -#define EN_RC19 "RC19" -#define EN_RC20 "RC20" -#define EN_RC21 "RC21" - -/* - * Event numbers in RADIUS ### see the NOTE in enum_event() - */ -typedef enum -{ - EV_NAK = -1, - EV_ACK = 0, - EV_ERROR = 1, - EV_WAIT = 2, - EV_FATAL = 3, - EV_DUP_REQ = 4, - EV_TIMER = 5, - EV_TIMEOUT = 6, - EV_ABORT = 7, - - /* arbitrary return codes from AATV action functions */ - - EV_RC1 = 8, - EV_RC2 = 9, - EV_RC3 = 10, - EV_RC4 = 11, - EV_RC5 = 12, - EV_RC6 = 13, - EV_RC7 = 14, - EV_RC8 = 15, - EV_RC9 = 16, - EV_RC10 = 17, - EV_RC11 = 18, - EV_RC12 = 19, - EV_RC13 = 20, - EV_RC14 = 21, - EV_RC15 = 22, - EV_RC16 = 23, - EV_RC17 = 24, - EV_RC18 = 25, - EV_RC19 = 26, - EV_RC20 = 27, - EV_RC21 = 28 -} EVENT; - -/* Request type events */ - -#define EV_NEW_AUTHEN EV_RC1 -#define EV_NEW_ACCT EV_RC2 -#define EV_NEW_PASSWD EV_RC3 -#define EV_RE_ACCESS EV_RC4 -#define EV_ACC_CHAL EV_RC5 -#define EV_MGT_POLL EV_RC6 -#define EV_AUTH_ONLY EV_RC7 -#ifdef MERIT_HUNTGROUP -#define EV_HGAS1 EV_RC8 -#define EV_HGAS2 EV_RC9 -#define EV_HGAS3 EV_RC10 -#define EV_BACCT EV_RC11 -#else /* MERIT_HUNTGROUP */ -#define EV_HGAS1 EV_ACK -#define EV_HGAS2 EV_ACK -#define EV_HGAS3 EV_ACK -#define EV_BACCT EV_ACK -#endif /* MERIT_HUNTGROUP */ -#define EV_ACCT_START EV_RC12 -#define EV_ACCT_STOP EV_RC13 -#define EV_ACCT_ALIVE EV_RC14 -#define EV_ACCT_MODEM_START EV_RC15 -#define EV_ACCT_MODEM_STOP EV_RC16 -#define EV_ACCT_CANCEL EV_RC17 -#ifdef MERIT_ORGANIZATION -#define EV_OAS EV_RC18 -#define EV_OAS_ACCT EV_RC19 -#else /* MERIT_ORGANIZATION */ -#define EV_OAS EV_ACK -#define EV_OAS_ACCT EV_ACK -#endif /* MERIT_ORGANIZATION */ -#ifdef MERIT_LAS -#define EV_LAS EV_RC20 -#define EV_LAS_ACCT EV_RC21 -#else /* MERIT_LAS */ -#define EV_LAS EV_ACK -#define EV_LAS_ACCT EV_ACK -#endif /* MERIT_LAS */ - -typedef enum /* Typedef for second add_string() argument */ -{ - ASIS = 0x0000, /* No conversion on string */ - ASLC = 0x0001, /* Store as lower case sting */ - FINDONLY = 0x0002 /* Find string only */ -} AS_CONVERT; - -/* - * The finite state machine (FSM) table is laid out as follows: - * - * state0: - * event01 aatv01 nextstate01 - * event02 aatv02 nextstate02 - * ... - * state1: - * event11 aatv11 nextstate11 - * ... - */ - -#define NUMSTATES 32 /* initial maximum number of states */ - -#define ST_INIT 0 /* initial state */ - -#define ST_RESERVED 240 /* beginning of reserved state range */ -#define ST_SEEN 241 /* flag for state seen before being defined */ -#define ST_DEFINED 242 /* flag for state definition */ - -#define ST_RECV 251 /* to indicate state which receives requests */ -#define ST_HOLD 252 /* to indicate dead requests */ -#define ST_SAME 253 /* for default action table */ -#define ST_ANY 254 /* for default action table */ -#define ST_END 255 /* end of FSM table */ - -typedef struct statelist /* list of all state names */ -{ - int maxst; /* capacity of this list */ - int nst; /* number of states already there */ - NAME_LIST *states; /* list of states found in the config file */ -} STATELIST; - -typedef struct fsm_entry /* The Finite State Machine an array of these */ -{ - struct fsm_entry *next; /* list of entries for this state */ - EV event; /* (state.action.event) 3-tuple */ - AATV *action; /* what AATV (action) to invoke */ - int xvalue; /* miscellaneous integer from FSM */ - char *xstring; /* miscellaneous string from FSM */ - u_char next_state; /* the next state to visit */ -} FSM_ENT; - -typedef struct prun_rule /* Pruning data structure (from RADIUS DRAFT RFC) */ -{ - int value; /* this is the attribute value */ - int flags; /* inclusive OR of PRUN_FLG values */ - int count; /* how many the RFC says to allow */ -} PRUN_RULE; - -typedef struct prun_list -{ - char vendor[AUTH_ID_LEN + 1]; - PRUN_RULE *rules; - struct prun_list *next; -} PRUN_LIST; - -#define PRUN_FLG1 1 /* this attribute allowable in Access_Accept */ -#define PRUN_FLG2 2 /* this attribute allowable in Access_Reject */ - -#define AR_NO_LOG 0x01 /* sws: Suppress logging flag */ -#define AR_FROM_PROXY 0x04 /* sws: authreq came from NAS */ - -#define SAR_NO_LOG(authreq) (authreq->sws |= AR_NO_LOG) /* set flag */ -#define CAR_NO_LOG(authreq) (authreq->sws &= ~AR_NO_LOG) /* clear flag */ -#define TAR_NO_LOG(authreq) ((authreq->sws & AR_NO_LOG) != 0) /* test flag */ - -#define SAR_FROM_PROXY(authreq) (authreq->sws |= AR_FROM_PROXY) /* set flag */ -#define CAR_FROM_PROXY(authreq) (authreq->sws &= ~AR_FROM_PROXY) /* clr flag */ -#define TAR_FROM_PROXY(authreq) ((authreq->sws & AR_FROM_PROXY) != 0) /* test */ - -#define AVPAIR_VTOA_QUOTE 0x0001 /* Quote strings with "'" */ -#define AVPAIR_VTOA_NULL 0x0002 /* Print "" instead of NULL for missing item */ -#define AVPAIR_VTOA_MASK 0x00ff /* Reserve fourteen more bits. */ - -#define LOG_VP_QUOTE 0x0001 /* Quote strings (same as AVPAIR_VTOA_QUOTE) */ -#define LOG_VP_NULL 0x0002 /* Use "" (incompatible with LOG_VP_NA) */ -#define LOG_VP_TAB 0x0100 /* Put tab after printing. */ -#define LOG_VP_NA 0x0200 /* fprintf ("NA") if no attr exists in list. */ -#define LOG_VP_LAST 0x0400 /* Log last value pair found. */ -#define LOG_VP_ALL 0x0800 /* Log all attributes found. */ -#define LOG_VP_MASK 0xFFFF /* Switches available. */ - -/* dict.c */ -int dict_init PROTO((void)); -DICT_ATTR * dict_attrget PROTO((int)); -DICT_ATTR * dict_attrfind PROTO((char *)); -DICT_VALUE * dict_valfind PROTO((char *)); -DICT_VALUE * dict_valget PROTO((UINT4, char *)); - -/* fsm.c */ -AATV * find_aatv PROTO((char *)); -int init_fsm PROTO((int, AATVPTR **, int, char *, FSM_ENT ***, FSM_ENT ***)); - -/* funcs.c */ -char * add_string PROTO((char *, int)); -char * authtype_toa PROTO((int)); -VALUE_PAIR * avpair_add PROTO((VALUE_PAIR **, int, void *, int)); -int avpair_assign PROTO((VALUE_PAIR *, void *, int)); -int avpair_copy PROTO((VALUE_PAIR **, VALUE_PAIR *, int)); -int avpair_get PROTO((void *, VALUE_PAIR *, int)); -VALUE_PAIR * avpair_new PROTO((int, void *, int)); -char * avpair_vtoa PROTO((VALUE_PAIR *, int)); -void compress_file PROTO((FILE **, char *)); -void debug_list PROTO((FILE *, VALUE_PAIR *)); -void debug_pair PROTO((FILE *, VALUE_PAIR *)); -int dumpit PROTO((/* int, int, void *, int, int, char *, ...*/)); -void fprint_attr_val PROTO((FILE *, VALUE_PAIR *)); -VALUE_PAIR * gen_valpairs PROTO((AUTH_HDR *)); -char * get_errmsg PROTO((void)); -int get_passwd PROTO((AUTH_REQ *, char *, char *, char *)); -VALUE_PAIR * get_vp PROTO((VALUE_PAIR *, UINT4)); -VALUE_PAIR * get_last_vp PROTO((VALUE_PAIR *, UINT4)); -int hex_dump PROTO((char *, char *, int, int)); -void insert_vp PROTO((VALUE_PAIR **, VALUE_PAIR *, VALUE_PAIR *)); -int loghead PROTO(( /* va_alist */ )); - -void missing_attribute PROTO((AUTH_REQ *, char *, int, char *)); -VALUE_PAIR * parse_realm PROTO((AUTH_REQ *)); -int prune_pairs PROTO((AUTH_REQ *, PRUN_LIST *, int)); -#define reply_message(authreq, msgno, msg) _reply_message(authreq, msgno, msg,__FILE__, __LINE__) -int _reply_message PROTO((AUTH_REQ *, ERRORCODE, char *, char *, int)); -int reply_sprintf PROTO(( /* int logsw, AUTHREQ *, char *format, ... */ )); -int setupsock PROTO((struct sockaddr_in *, int)); -void trunc_logfile PROTO((FILE **, char *)); -char * type_string PROTO((AUTH_REQ *, VALUE_PAIR *)); - -/* passchange.c */ -int pw_expired PROTO((UINT4)); - -/* radiusd.c */ -AUTH_REQ * build_acct_req PROTO((AUTH_REQ *, int, char *, int, VALUE_PAIR *)); -int call_action PROTO((AATV *, AUTH_REQ *, int, char *)); -AUTH_REQ * rad_2rad_recv PROTO((struct sockaddr_in *, UINT4, u_int, EV *)); -AUTH_REQ * rad_recv PROTO((struct sockaddr_in *, UINT4, u_int, EV *)); -int radius_send PROTO((char *, u_int, char *, AUTH_REQ *, int)); -void start_fsm PROTO((AUTH_REQ *, int, char *, char *)); - -/* sesslog.c */ -VALUE_PAIR *log_vp PROTO((FILE *, VALUE_PAIR *, int, int)); -int logfmt_brief PROTO((FILE *, VALUE_PAIR *)); -int logfmt_old PROTO((FILE *, VALUE_PAIR *, int)); -int logfmt_v1_0 PROTO((FILE *, VALUE_PAIR *)); -int logfmt_v1_1 PROTO((FILE *, VALUE_PAIR *)); -int logfmt_v2_0 PROTO((FILE *, VALUE_PAIR *, int, u_short *)); -int logfmt_v2_1 PROTO((FILE *, VALUE_PAIR *, int)); - -/* users.c */ -int add_file_list PROTO((char *)); -void config_init PROTO((void)); -int config_files PROTO((int, int, int)); -void config_fini PROTO((void)); -void dns_recv PROTO((struct sockaddr_in *, UINT4, int)); -AUTH_ENTRY * find_auth_ent PROTO((char *, int, char*)); -int find_auth_type PROTO((char *, int, char *, int *, char **, char **, char **)); -int find_client PROTO((UINT4, char **, char **, char **)); -int find_client_by_name PROTO((UINT4 *, char *, char **, char **)); -int find_host_by_name PROTO((UINT4 *, char *)); -void free_user_ent PROTO((USER_ENTRY *)); -UINT4 get_our_addr PROTO((void)); -char * ip_hostname PROTO((UINT4)); -void list_cat PROTO((VALUE_PAIR **, VALUE_PAIR *)); -void list_copy PROTO((VALUE_PAIR **, VALUE_PAIR *)); -int pair_parse PROTO((char *, VALUE_PAIR **)); -FILE_LIST * return_file_list PROTO((void)); -int update_clients PROTO((void)); -int user_find PROTO((char *, char *, int, VALUE_PAIR **, VALUE_PAIR **, int)); -void user_gettime PROTO((char *, struct tm *)); -int user_update PROTO((char *, VALUE_PAIR *, VALUE_PAIR*)); - -/* util.c */ -UINT4 get_ipaddr PROTO((char *)); -int good_ipaddr PROTO((char *)); -void list_free PROTO((VALUE_PAIR *)); - -/* version.c */ -char * version PROTO((void)); - -#endif /* RADIUS_H */ diff --git a/mod_authnz_external/radius/mod_auth_external_radius.c b/mod_authnz_external/radius/mod_auth_external_radius.c deleted file mode 100644 index 8732b58..0000000 --- a/mod_authnz_external/radius/mod_auth_external_radius.c +++ /dev/null @@ -1,334 +0,0 @@ -/* - * - * RADIUS -- Remote Authentication Dial In User Service - * - * COPYRIGHT (c) 1992, 1993, 1994, 1995, 1996 - * THE REGENTS OF THE UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INCORPORATED - * ALL RIGHTS RESERVED - * - * PERMISSION IS GRANTED TO USE, COPY, CREATE DERIVATIVE WORKS AND REDISTRIBUTE - * THIS SOFTWARE AND SUCH DERIVATIVE WORKS IN BINARY FORM ONLY FOR ANY PURPOSE, - * SO LONG AS NO FEE IS CHARGED, AND SO LONG AS THE COPYRIGHT NOTICE ABOVE, THIS - * GRANT OF PERMISSION, AND THE DISCLAIMER BELOW APPEAR IN ALL COPIES MADE; AND - * SO LONG AS THE NAME OF THE UNIVERSITY OF MICHIGAN IS NOT USED IN ANY - * ADVERTISING OR PUBLICITY PERTAINING TO THE USE OR DISTRIBUTION OF THIS - * SOFTWARE WITHOUT SPECIFIC, WRITTEN PRIOR AUTHORIZATION. - * - * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY - * OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE - * UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING - * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE - * LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR - * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN - * CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - * - * For a License to distribute source code or to charge a fee for the program - * or a product containing the program, contact MERIT at the University of - * Michigan: - * - * aaa-license@merit.edu - * - * [This version puts NO LIMITS on the use. It grants the right to create - * DERIVATIVE WORKS. The user may copy and distribute the code in the form - * received AND DERIVATIVE WORKS, so long as no fee is charged. If copies are - * made, our copyright notice and the disclaimer must be included on them. USE - * THIS VERSION WITH CARE. THIS VERSION VERY LIKELY WILL KILL ANY POTENTIAL - * FOR LATER COMMERCIALIZATION OF THE SOFTWARE.] - ***************************************************************************** - * - * The code below is a derivative work based on the Merit Radius code found in - * radpwtst.c v1.38 1996/05/18 - * - * This code has ONLY been tested, compiled, and used on IRIX 6.2 - * - * Your config file should look like this: - * : - * : - * (eg: radius1.merit.edu:1645 ) - * - * If you place more than one server in the config file the code will query - * each server until the user has been authenticated or the last server has - * been asked. - * - * - Tyler Allison - * allison@nas.nasa.gov - */ - -/* You should only need to change the next couple defines */ -/* If your config file is setup correctly DEFAULT_* are never used */ -#define DEFAULT_RADIUS_SERVER "radius1.merit.edu" -#define DEFAULT_RADIUS_PORT 1645 -#define RADIUS_DIR "/usr/local/etc/raddb" -#define CONFIG_FILE "/usr/local/etc/raddb/rad_config" -#define MAX_CONFIG_LINE 256 -#define RESPONSE_TIMEOUT 3 -#define MAX_RETRIES 0 -#define MAX_PASSWORD_LENGTH 8 /* Radius has a problem with users who */ - /* "think" they have passwords longer than is supported by the */ - /* system. So we need to truncate the password before sending. */ - /* For example: user thinks his password is 'foobarblaz' but we */ - /* all know that passwords can only be 8 characters (on standard) */ - /* so the system stores 'foobarbl' as his password. Now the system */ - /* knows that if the user types in 'foobarblaz' just to truncate */ - /* at the 8th character and move on...but Radius doesnt! */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "md5-radius.c" /* Has some md5 functions we need */ -#include "mod-radius.h" - - -#define FIND_MODE_REPLY 1 -#define FIND_MODE_NAME 0 -#define MAX_HOSTNAME_BUFFERS 20 -#define PARSE_MODE_EQUAL 1 -#define PARSE_MODE_NAME 0 -#define PARSE_MODE_VALUE 2 -#define MAX_AVPAIR_VTOA 20 -#define LIST_COPY_LIMIT 256 -#define LOG_ERR 1 -#define LOG_DEBUG 4 -#define null ((void*)0) /* NULL is already defined but It wont catch everything */ - - -extern FILE *ddt; -extern FILE *msgfd; -extern char *radius_dir; -extern AATVPTR rad_authen_aatv; -extern time_t birthdate; -extern char recv_buffer[4096]; -extern char send_buffer[4096]; -extern char ourhostname[MAXHOSTNAMELEN]; - - -static FILE_LIST *file_list = (FILE_LIST *) NULL; -static UINT4 self_ip[11]; /* Used with multi-homed servers */ -static CLIENT_ENTRY *client_list = (CLIENT_ENTRY *) NULL; -static CLIENT_ENTRY *old_clients; -static DICT_ATTR *dictionary_attributes; -static DICT_VALUE *dictionary_values; -int dnspid = 0; /* PID of current DNS resolver process */ -int rad_ipc_port = 0; -static char * months[] = - { - "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" - }; - -/* Put radcheck decleration here so we can put the code later in the file */ - -int radcheck (char *user_name,char *user_passwd,char *config_path); - -int radsock = 0; /* fd for radius socket, if non-blocking mode */ - -char recv_buffer[4096]; -char send_buffer[4096]; -char ourhostname[MAXHOSTNAMELEN]; -char *progname; -char *radius_dir; -int dumpcore = 0; -int authfile_cnt = 0; -int clients_cnt = 0; -int users_cnt = 0; -time_t birthdate; -AATVPTR rad_authen_aatv = (AATV *) NULL; -AATVPTR rad_ipc_aatv = (AATV *) NULL; -AATV *authtype_tv[PW_AUTH_MAX + 1]; -FILE *ddt = NULL; -FILE *msgfd = stderr; - -typedef struct string_list_struct -{ - struct string_list_struct *next; - char *str; -}string_list; - -#include "mod-radfuncs.c" /* These are the funcs we dont need to know about */ - - - -int -radcheck2 (char *user_name,char *user_passwd, char *host, int port) - -{ - int final_result; - int retries; - int new_old; - int zero = 0; - char *client_name = (char *) NULL; - char msg[4096]; /* big enough to hold several messages */ - char passwd[AUTH_PASS_LEN + 1]; - - SEND_DATA data; - int send_server (); - - - data.user_name=user_name; - data.password=user_passwd; - - /* Set up some defaults */ - - data.code = PW_ACCESS_REQUEST; - - data.svc_port = port; - data.server = host; - - radius_dir = RADIUS_DIR; /* SendServer picks directory, if need be */ - data.timeout = RESPONSE_TIMEOUT; - data.user_file = null; - data.group = null; - data.send_pairs = null; - - retries = MAX_RETRIES; /* Try for response this many times */ - new_old = 0; /* Assume old style */ - data.ustype = 0; - data.fptype = 0; /* by default */ - data.port_num = 1; /* just default to port number one here */ - - - /* Plain authentication request ==> PW_AUTHENTICATE_ONLY */ - if (data.ustype == 0) - { - if (new_old == 1) /* new style */ - { - data.ustype = PW_AUTHENTICATE_ONLY; - } - else /* old style */ - { - data.ustype = PW_OUTBOUND_USER; - } - } - - srand (time (0)); /* Use random sequence number in request */ - data.seq_nbr = (u_char) rand (); - - if (gethostname (ourhostname, sizeof (ourhostname)) < 0) - { - perror ("gethostname"); - return (-2); - } - - - if (client_name == null) - { - if ((data.client_id = get_ipaddr (ourhostname)) == 0) - { - data.client_id = 0; - return (-3); - } - } - - - if ((data.user_file != null) && (data.group == null)) - { - data.group = "DEFAULT"; - } - - - if (send_server(&data, &retries, msg) == OK_RC) - { - final_result = 1; - } - else - { - final_result = 0; - } - return (final_result); -} /* end of radcheck2 () */ - - -/****************************************************************************/ -/* This is the meat of the RADIUS authentication. It is called from */ -/* mod_auth_external.c */ -/* Pass it a username and password and returns: */ -/* 0 = Authenticated */ -/* 1 = Not Authenticated */ -/****************************************************************************/ - -int -radcheck (char *user_name,char *user_passwd,char *config_path) - -{ - int auth; - char config_line[MAX_CONFIG_LINE]; - char *host; /* Pointer to the host we want to query */ - char *port; /* Pointer to the port we want to query */ - char *ptrunc; /* Pointer for truncating user_passwd */ - - long rad_port; - - /* Okay lets get the config file */ - - FILE *rad_config; - auth = 1; /* Authentication assumed to be NO unless told otherwise */ - - /* lets check the length of user_passwd and truncate as needed */ - if (strlen(user_passwd) > MAX_PASSWORD_LENGTH ) { - /* argh! more pointers! */ - ptrunc = &user_passwd[MAX_PASSWORD_LENGTH+ 1]; - *ptrunc = '\0'; - } - - rad_config = fopen(config_path, "r"); /* open the file */ - - if (rad_config == null) { - /* Aww damn it! No config file let's use default!*/ - auth = radcheck2(user_name,user_passwd,DEFAULT_RADIUS_SERVER,DEFAULT_RADIUS_PORT); - } - else { - /* Loop inside the config file testing each host */ - while(fgets(config_line,MAX_CONFIG_LINE,rad_config) != null) { - config_line[strlen(config_line)-1] = '\0'; /* remove newline at end*/ - host = config_line; /* host is at the beginning of line */ - port = strchr(config_line, ':'); /* Find the colon seperator */ - - /* Check for errors */ - if (port == null) { - - printf("Radius Error: Unable to parse Radius server file: %s\n",config_path); - return(-9); - } - *port = '\0'; /* Put newline where the colon is */ - port++; /* Point to next character */ - rad_port = strtol(port,null,10); /* Port has to be an int so convert! */ - auth = radcheck2(user_name,user_passwd,host,rad_port); - if (auth == 1) { - return(0); /*This needs to change to 'auth' when new */ - /* mod_auth_external.c comes out*/ - } - } - } - return(1); /* This needs to change to 'auth' when new */ - /* mod_auth_external.c comes out */ -} - - -