+++ /dev/null
-> From: radius@msg.net
->
-> One bug in the current implementation is that if no reply to a request is
-> received within the timeout interval, another request is sent with the SAME
-> request-id. The problem is, the new Livingston Radius server will reject
-> subsequent requests with duplicate IDs, giving false negatives.
->
->
-> The most important "fix" that seemed to clear up this problem was to change
-> line 554 of 'mod-radfuncs.c' from:
->
-> authtime.tv_usec = 0L;
->
-> To instead read:
->
-> authtime.tv_usec = 999L;
-
-FIXED and to be tested soon.
-
-allison@nas.nasa.gov
\ No newline at end of file
-This is a hardcoded internal authentication function for use with
-mod_auth_external or mod_authnz_external. It supports authenticating
-from a Radius server.
+Older versions of mod_auth_external included an example of a hard
+coded internal authentication function which was designed for
+authenticating from a Radius server.
-Author: Tyler Allison <allison@nas.nasa.gov>
+It is no longer included in the mod_auth_external distribution because
+its license did not appear to be a full open source license.
-This code is no longer being maintained.
+People interested in a radius authenticator, should probably look into
+mod_auth_radius.
+
+For the time being, the old contents of this directory will be available
+from http://unixpapa.com/software/mae_radius.tar.gz
+++ /dev/null
-/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
- */
-
-#include "md5-radius.h"
-
-md5_calc (output, input, inlen)
-unsigned char *output;
-unsigned char *input; /* input block */
-unsigned int inlen; /* length of input block */
-{
- MD5_CTX context;
-
- MD5Init (&context);
- MD5Update (&context, input, inlen);
- MD5Final (output, &context);
-}
-
-
-/* MD5 basic transformation. Transforms state based on block.
- */
-static void
-MD5Transform (state, block)
-UINT4 state[4];
-unsigned char block[64];
-{
- UINT4 a = state[0],
- b = state[1],
- c = state[2],
- d = state[3],
- x[16];
-
- Decode (x, block, 64);
-
- /* Round 1 */
- FF (a, b, c, d, x[0], S11, 0xd76aa478); /* 1 */
- FF (d, a, b, c, x[1], S12, 0xe8c7b756); /* 2 */
- FF (c, d, a, b, x[2], S13, 0x242070db); /* 3 */
- FF (b, c, d, a, x[3], S14, 0xc1bdceee); /* 4 */
- FF (a, b, c, d, x[4], S11, 0xf57c0faf); /* 5 */
- FF (d, a, b, c, x[5], S12, 0x4787c62a); /* 6 */
- FF (c, d, a, b, x[6], S13, 0xa8304613); /* 7 */
- FF (b, c, d, a, x[7], S14, 0xfd469501); /* 8 */
- FF (a, b, c, d, x[8], S11, 0x698098d8); /* 9 */
- FF (d, a, b, c, x[9], S12, 0x8b44f7af); /* 10 */
- FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
- FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
- FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
- FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
- FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
- FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
-
- /* Round 2 */
- GG (a, b, c, d, x[1], S21, 0xf61e2562); /* 17 */
- GG (d, a, b, c, x[6], S22, 0xc040b340); /* 18 */
- GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
- GG (b, c, d, a, x[0], S24, 0xe9b6c7aa); /* 20 */
- GG (a, b, c, d, x[5], S21, 0xd62f105d); /* 21 */
- GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
- GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
- GG (b, c, d, a, x[4], S24, 0xe7d3fbc8); /* 24 */
- GG (a, b, c, d, x[9], S21, 0x21e1cde6); /* 25 */
- GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
- GG (c, d, a, b, x[3], S23, 0xf4d50d87); /* 27 */
- GG (b, c, d, a, x[8], S24, 0x455a14ed); /* 28 */
- GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
- GG (d, a, b, c, x[2], S22, 0xfcefa3f8); /* 30 */
- GG (c, d, a, b, x[7], S23, 0x676f02d9); /* 31 */
- GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
-
- /* Round 3 */
- HH (a, b, c, d, x[5], S31, 0xfffa3942); /* 33 */
- HH (d, a, b, c, x[8], S32, 0x8771f681); /* 34 */
- HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
- HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
- HH (a, b, c, d, x[1], S31, 0xa4beea44); /* 37 */
- HH (d, a, b, c, x[4], S32, 0x4bdecfa9); /* 38 */
- HH (c, d, a, b, x[7], S33, 0xf6bb4b60); /* 39 */
- HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
- HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
- HH (d, a, b, c, x[0], S32, 0xeaa127fa); /* 42 */
- HH (c, d, a, b, x[3], S33, 0xd4ef3085); /* 43 */
- HH (b, c, d, a, x[6], S34, 0x4881d05); /* 44 */
- HH (a, b, c, d, x[9], S31, 0xd9d4d039); /* 45 */
- HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
- HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
- HH (b, c, d, a, x[2], S34, 0xc4ac5665); /* 48 */
-
- /* Round 4 */
- II (a, b, c, d, x[0], S41, 0xf4292244); /* 49 */
- II (d, a, b, c, x[7], S42, 0x432aff97); /* 50 */
- II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
- II (b, c, d, a, x[5], S44, 0xfc93a039); /* 52 */
- II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
- II (d, a, b, c, x[3], S42, 0x8f0ccc92); /* 54 */
- II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
- II (b, c, d, a, x[1], S44, 0x85845dd1); /* 56 */
- II (a, b, c, d, x[8], S41, 0x6fa87e4f); /* 57 */
- II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
- II (c, d, a, b, x[6], S43, 0xa3014314); /* 59 */
- II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
- II (a, b, c, d, x[4], S41, 0xf7537e82); /* 61 */
- II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
- II (c, d, a, b, x[2], S43, 0x2ad7d2bb); /* 63 */
- II (b, c, d, a, x[9], S44, 0xeb86d391); /* 64 */
-
- state[0] += a;
- state[1] += b;
- state[2] += c;
- state[3] += d;
-
- /*
- * Zeroize sensitive information.
- */
- MD5_memset ((POINTER) x, 0, sizeof (x));
-}
-
-/* Encodes input (UINT4) into output (unsigned char). Assumes len is
- a multiple of 4.
- */
-static void
-Encode (output, input, len)
-unsigned char *output;
-UINT4 *input;
-unsigned int len;
-{
- unsigned int i,
- j;
-
- for (i = 0, j = 0; j < len; i++, j += 4)
- {
- output[j] = (unsigned char) (input[i] & 0xff);
- output[j + 1] = (unsigned char) ((input[i] >> 8) & 0xff);
- output[j + 2] = (unsigned char) ((input[i] >> 16) & 0xff);
- output[j + 3] = (unsigned char) ((input[i] >> 24) & 0xff);
- }
-}
-
-/* Decodes input (unsigned char) into output (UINT4). Assumes len is
- a multiple of 4.
- */
-static void
-Decode (output, input, len)
-UINT4 *output;
-unsigned char *input;
-unsigned int len;
-{
- unsigned int i,
- j;
-
- for (i = 0, j = 0; j < len; i++, j += 4)
- output[i] = ((UINT4) input[j]) | (((UINT4) input[j + 1]) << 8) | (((UINT4) input[j + 2]) << 16) | (((UINT4) input[j + 3]) << 24);
-}
-
-/* Note: Replace "for loop" with standard memcpy if possible.
- */
-
-static void
-MD5_memcpy (output, input, len)
-POINTER output;
-POINTER input;
-unsigned int len;
-{
- unsigned int i;
-
- for (i = 0; i < len; i++)
- output[i] = input[i];
-}
-
-/* Note: Replace "for loop" with standard memset if possible.
- */
-static void
-MD5_memset (output, value, len)
-POINTER output;
-int value;
-unsigned int len;
-{
- unsigned int i;
-
- for (i = 0; i < len; i++)
- ((char *) output)[i] = (char) value;
-}
-
-/**************** END OF MD5 ************/
+++ /dev/null
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
- function argument prototyping.
- The following makes PROTOTYPES default to 0 if it has not already
- been defined with C compiler flags.
- */
-
-#ifndef PROTOTYPES
-#define PROTOTYPES 0
-#endif
-
-/* POINTER defines a generic pointer type */
-typedef unsigned char *POINTER;
-
-/* UINT2 defines a two byte word */
-typedef unsigned short int UINT2;
-
-/* UINT4 defines a four byte word */
-typedef unsigned int UINT4;
-
-/* MD5 context. */
-typedef struct {
- UINT4 state[4]; /* state (ABCD) */
- UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
- unsigned char buffer[64]; /* input buffer */
-} MD5_CTX;
-
-extern void MD5Init(MD5_CTX *context);
-extern void MD5Update(MD5_CTX *context, const unsigned char *input,
- unsigned int inputLen);
-extern void MD5Final(unsigned char digest[16], MD5_CTX *context);
-
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
- If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
- returns an empty list.
- */
-
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else
-#define PROTO_LIST(list) ()
-#endif
-
-
-/* Constants for MD5 routines
- */
-#define S11 7
-#define S12 12
-#define S13 17
-#define S14 22
-#define S21 5
-#define S22 9
-#define S23 14
-#define S24 20
-#define S31 4
-#define S32 11
-#define S33 16
-#define S34 23
-#define S41 6
-#define S42 10
-#define S43 15
-#define S44 21
-
-static void MD5Transform PROTO_LIST ((UINT4[4], unsigned char[64]));
-static void Encode PROTO_LIST
- ((unsigned char *, UINT4 *, unsigned int));
-static void Decode PROTO_LIST
- ((UINT4 *, unsigned char *, unsigned int));
-static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
-static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
-
-static unsigned char PADDING[64] = {
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/* F, G, H and I are basic MD5 functions.
- */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-#define I(x, y, z) ((y) ^ ((x) | (~z)))
-
-/* ROTATE_LEFT rotates x left n bits.
- */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
-
-/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
-Rotation is separate from addition to prevent recomputation.
- */
-#define FF(a, b, c, d, x, s, ac) { \
- (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define GG(a, b, c, d, x, s, ac) { \
- (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define HH(a, b, c, d, x, s, ac) { \
- (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define II(a, b, c, d, x, s, ac) { \
- (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-
-/* end For MD5 */
-
-
-
-
-
-
-
-
-
+++ /dev/null
-/*************************************************************************
- *
- * Function: get_ipaddr
- *
- * Purpose: Return an IP address in host long notation from a host
- * name or address in dot notation.
- *
- *************************************************************************/
-
-UINT4
-get_ipaddr (host)
-
-char *host;
-
-{
- struct hostent *hp;
-
- if (good_ipaddr (host) == 0)
- {
- return ntohl(inet_addr (host));
- }
- else if ((hp = gethostbyname (host)) == (struct hostent *) NULL)
- {
- return ((UINT4) 0);
- }
- return ntohl((*(UINT4 *) hp->h_addr));
-} /* end of get_ipaddr () */
-
-
-/*************************************************************************
- *
- * Function: good_ipaddr
- *
- * Purpose: Check for valid IP address in standard dot notation.
- *
- *************************************************************************/
-
-int
-good_ipaddr (addr)
-
-char *addr;
-
-{
- int dot_count;
- int digit_count;
-
- if (addr == (char *) NULL)
- {
- return (-1);
- }
-
- dot_count = 0;
- digit_count = 0;
-
- while (*addr != '\0' && *addr != ' ')
- {
- if (*addr == '.')
- {
- dot_count++;
- digit_count = 0;
- }
- else if (!isdigit (*addr))
- {
- dot_count = 5;
- }
- else
- {
- digit_count++;
- if (digit_count > 3)
- {
- dot_count = 5;
- }
- }
- addr++;
- }
- if (dot_count != 3)
- {
- return (-1);
- }
- else
- {
- return (0);
- }
-} /* end of good_ipaddr () */
-
-
-/*************************************************************************
-*
-* find_match - See if given IP address matches any address of hostname.
-*
-* Returns: 0 success
-* -1 failure
-*
-**************************************************************************/
-
-static int
-find_match (ip_addr, hostname)
-
-UINT4 *ip_addr;
-char *hostname;
-
-{
- UINT4 addr;
- char **paddr;
- struct hostent *hp;
-
- if (good_ipaddr (hostname) == 0)
- {
- if (*ip_addr == ntohl(inet_addr (hostname)))
- {
- return (0);
- }
- }
- else
- {
- if ((hp = gethostbyname (hostname)) == (struct hostent *) NULL)
- {
- return (-1);
- }
- if (hp->h_addr_list != (char **) NULL)
- {
- for (paddr = hp->h_addr_list; *paddr; paddr++)
- {
- addr = ** (UINT4 **) paddr;
- if (ntohl(addr) == *ip_addr)
- {
- return (0);
- }
- }
- }
- }
- return (-1);
-} /* end of find_match */
-
-
-/*************************************************************************
-*
-* find_server - Look up the given server name in the clients file.
-*
-* Returns: 0 success
-* -1 failure
-*
-**************************************************************************/
-
-static int
-find_server (server_name, ustype, ip_addr, secret, msg)
-
-char *server_name;
-int ustype;
-UINT4 *ip_addr;
-char *secret;
-char *msg;
-
-{
- static UINT4 myipaddr = 0;
- int len;
- int line_nbr = 0;
- int result;
- FILE *clientfd;
- char *h;
- char *s;
- char *host2;
- char buffer[128];
- char fname[MAXPATHLEN];
- char hostnm[AUTH_ID_LEN + 1];
-
- /* Get the IP address of the authentication server */
- if ((*ip_addr = get_ipaddr (server_name)) == (UINT4) 0)
- {
- return (-1);
- }
- sprintf (fname, "%s/%s", radius_dir, RADIUS_CLIENTS);
- if ((clientfd = fopen (fname, "r")) == (FILE *) NULL)
- {
- return (-1);
- }
- if (!myipaddr)
- {
- if ((myipaddr = get_ipaddr (ourhostname)) == 0)
- {
- fclose (clientfd);
- return (-1);
- }
- }
-
- result = 0;
- while (fgets (buffer, sizeof (buffer), clientfd) != (char *) NULL)
- {
- line_nbr++;
-
- if (*buffer == '#')
- {
- continue;
- }
-
- if ((h = strtok (buffer, " \t\n\r")) == NULL) /* 1st hostname */ {
- continue;
- }
-
- memset (hostnm, '\0', AUTH_ID_LEN);
- len = strlen (h);
- if (len > AUTH_ID_LEN)
- {
- len = AUTH_ID_LEN;
- }
- strncpy (hostnm, h, len);
- hostnm[AUTH_ID_LEN] = '\0';
-
- if ((s = strtok (NULL, " \t\n\r")) == NULL) /* & secret field */ {
- continue;
- }
-
- memset (secret, '\0', MAX_SECRET_LENGTH);
- len = strlen (s);
- if (len > MAX_SECRET_LENGTH)
- {
- len = MAX_SECRET_LENGTH;
- }
- strncpy (secret, s, len);
- secret[MAX_SECRET_LENGTH] = '\0';
-
- if (!strchr (hostnm, '/')) /* If single name form */
- {
- if (find_match (ip_addr, hostnm) == 0)
- {
- result++;
- break;
- }
- }
- else /* <name1>/<name2> "paired" form */
- {
- strtok (hostnm, "/"); /* replaces "/" with NULL char */
- host2 = strtok (NULL, " ");
- if (find_match (&myipaddr, hostnm) == 0)
- { /* If we're the 1st name, target is 2nd */
- if (find_match (ip_addr, host2) == 0)
- {
- result++;
- break;
- }
- }
- else /* Check to see if we are the second name */
- {
- if (find_match (&myipaddr, host2) == 0)
- { /* We are the 2nd name, target is 1st name */
- if (find_match (ip_addr, hostnm) == 0)
- {
- result++;
- break;
- }
- }
- }
- }
- }
- fclose (clientfd);
- if (result == 0)
- {
- memset (buffer, '\0', sizeof (buffer));
- memset (secret, '\0', sizeof (secret));
- return (-1);
- }
- return 0;
-} /* end of find_server () */
-
-
-/*************************************************************************
-*
-* random_vector - Generates a random vector of AUTH_VECTOR_LEN octets.
-*
-* Returns: the vector (call by reference)
-*
-**************************************************************************/
-
-void
-random_vector (vector)
-
-u_char *vector;
-
-{
- int randno;
- int i;
-
- srand (time (0));
- for (i = 0; i < AUTH_VECTOR_LEN;)
- {
- randno = rand ();
- memcpy ((char *) vector, (char *) &randno, sizeof (int));
- vector += sizeof (int);
- i += sizeof (int);
- }
- return;
-} /* end of random_vector () */
-
-
-
-
-
-/*************************************************************************
-*
-* send_server - Sends request to specified RADIUS server and waits
-* for response. Request is retransmitted every
-* "response_timeout" seconds a maximum of "retry_max"
-* times. Result is 0 if response was received, -1 if
-* a problem occurred, or +1 on no-response condition.
-* Returns request retransmit count in "retries" if
-* server does respond.
-*
-* Returns: -1 ERROR_RC -- on local error,
-* 0 OK_RC -- on valid response from server,
-* 1 TIMEOUT_RC -- after retries * resp_timeout seconds,
-* -2 BADRESP_RC -- if response from server had errors.
-*
-**************************************************************************/
-
-int
-send_server (data, retries, msg)
-
-SEND_DATA *data; /* Data structure built by clients */
-int *retries; /* Maximum num of times to retransmit request */
- /* Receives number of retries required, also */
-char *msg; /* Receives error or advisory message */
-
-{
- u_char seq_nbr; /* Sequence number to use in request */
- int fptype; /* Framed proto, ustype == PW_FRAMED */
- int i;
- int length;
- int result;
- int retry_max;
- int salen;
- int secretlen;
- int sockfd;
- int timeout; /* Number of secs. to wait for response */
- int total_length;
- int ustype; /* User service type for this user */
- UINT4 auth_ipaddr;
- UINT4 lvalue;
- UINT4 myipaddr;
- UINT4 port_num; /* Port number to use in request */
- AUTH_HDR *auth;
- VALUE_PAIR *check;
- char *passwd; /* User password (unencrypted) */
- u_char *ptr;
- VALUE_PAIR *reply;
- char *server_name; /* Name of server to query */
- struct sockaddr_in *sin;
- struct servent *svp;
- struct timeval authtime;
- fd_set readfds;
- struct sockaddr salocal;
- struct sockaddr saremote;
- u_char md5buf[256];
- u_char passbuf[AUTH_PASS_LEN];
- u_char send_buffer[1024];
- u_char recv_buffer[1024];
- u_char vector[AUTH_VECTOR_LEN];
- char file[MAXPATHLEN];
- char secret[MAX_SECRET_LENGTH + 1];
-
- server_name = data->server;
-
-
- if (server_name == (char *) NULL || server_name[0] == '\0')
- {
- server_name = DEFAULT_RADIUS_SERVER;
- }
-
- ustype = data->ustype;
-
- if (find_server (server_name, ustype, &auth_ipaddr, secret, msg) != 0)
- {
- return (ERROR_RC);
- }
-
- timeout = data->timeout;
- if (timeout == 0)
- {
- timeout++;
- }
-
- if (data->svc_port == 0)
- {
- if ((svp = getservbyname ("radius", "udp")) == NULL)
- {
- data->svc_port = PW_AUTH_UDP_PORT;
- }
- else
- {
- data->svc_port = ntohs (svp->s_port);
- }
- }
-
- if (!radsock)
- {
- sockfd = socket (AF_INET, SOCK_DGRAM, 0);
- if (sockfd < 0)
- {
- memset (secret, '\0', sizeof (secret));
- return (ERROR_RC);
- }
-
- length = sizeof (salocal);
- sin = (struct sockaddr_in *) & salocal;
- memset ((char *) sin, '\0', length);
- sin->sin_family = AF_INET;
- sin->sin_addr.s_addr = INADDR_ANY;
- sin->sin_port = htons (0);
- if (bind (sockfd, (struct sockaddr *) sin, length) < 0 ||
- getsockname (sockfd, (struct sockaddr *) sin,
- &length) < 0)
- {
- close (sockfd);
- memset (secret, '\0', sizeof (secret));
- return (ERROR_RC);
- }
- retry_max = *retries; /* Max. numbers to try for reply */
- *retries = 0; /* Init retry cnt for blocking call */
- }
- else
- {
- sockfd = radsock;
- retry_max = 0; /* No retries if non-blocking */
- }
-
- /* Build an authentication request */
- auth = (AUTH_HDR *) send_buffer;
- auth->code = data->code;
- random_vector (vector);
- seq_nbr = data->seq_nbr;
- auth->id = seq_nbr;
- memcpy ((char *) auth->vector, (char *) vector, AUTH_VECTOR_LEN);
- total_length = AUTH_HDR_LEN;
- ptr = auth->data;
-
- /* User Name */
- *ptr++ = PW_USER_NAME;
- length = strlen (data->user_name);
- if (length > AUTH_ID_LEN)
- {
- length = AUTH_ID_LEN;
- }
- *ptr++ = length + 2;
- memcpy ((char *) ptr, data->user_name, length);
- ptr += length;
- total_length += length + 2;
-
- passwd = data->password;
-
- if (auth->code != PW_ACCOUNTING_REQUEST)
- {
- /* User Password */
- *ptr++ = PW_USER_PASSWORD;
- *ptr++ = AUTH_PASS_LEN + 2;
-
- /* Encrypt the Password */
- length = strlen (passwd);
- if (length > AUTH_PASS_LEN)
- {
- length = AUTH_PASS_LEN;
- }
- memset ((char *) passbuf, '\0', AUTH_PASS_LEN);
- memcpy ((char *) passbuf, passwd, length);
-
- /* Calculate the MD5 Digest */
- secretlen = strlen (secret);
- strcpy ((char *) md5buf, secret);
- memcpy ((char *) md5buf + secretlen,
- (char *) auth->vector, AUTH_VECTOR_LEN);
- md5_calc (ptr, md5buf, secretlen + AUTH_VECTOR_LEN);
-
- /* Xor the password into the MD5 digest */
- for (i = 0; i < AUTH_PASS_LEN; i++)
- {
- *ptr++ ^= passbuf[i];
- }
- total_length += AUTH_PASS_LEN + 2;
-
- }
-
- /* Service Type */
- *ptr++ = PW_SERVICE_TYPE;
- *ptr++ = 2 + sizeof (UINT4);
- lvalue = htonl (ustype);
- memcpy ((char *) ptr, (char *) &lvalue, sizeof (UINT4));
- ptr = ptr + sizeof (UINT4);
- total_length += sizeof (UINT4) + 2;
-
- fptype = data->fptype;
- if (fptype > 0) /* if -t [slip | ppp] */
- {
- /* Framed Protocol Type */
- *ptr++ = PW_FRAMED_PROTOCOL;
- *ptr++ = 2 + sizeof (UINT4);
- lvalue = htonl (fptype);
- memcpy ((char *) ptr, (char *) &lvalue, sizeof (UINT4));
- ptr = ptr + sizeof (UINT4);
- total_length += sizeof (UINT4) + 2;
- }
-
- /* Client IP Address */
- *ptr++ = PW_NAS_IP_ADDRESS;
- *ptr++ = 2 + sizeof (UINT4);
- myipaddr = htonl(data->client_id);
- memcpy ((char *) ptr, (char *) &myipaddr, sizeof (UINT4));
- ptr = ptr + sizeof (UINT4);
- total_length += sizeof (UINT4) + 2;
-
- /* Client Port Number */
- *ptr++ = PW_NAS_PORT;
- *ptr++ = 2 + sizeof (UINT4);
- port_num = htonl((UINT4) data->port_num);
- memcpy ((char *) ptr, (char *) &port_num, sizeof (UINT4));
- ptr = ptr + sizeof (UINT4);
- total_length += sizeof (UINT4) + 2;
-
- if (data->user_file != (char *) NULL) /* add a/v pairs from user_file */ {
- /* We should never get here! but just in case */
- return(-77);
- }
-
- if (data->send_pairs != (VALUE_PAIR *) NULL) /* add more a/v pairs */
- {
- /* We should never get here! but just in case */
- return(-88);
-
- }
-
- auth->length = htons (total_length);
-
- sin = (struct sockaddr_in *) & saremote;
- memset ((char *) sin, '\0', sizeof (saremote));
- sin->sin_family = AF_INET;
- sin->sin_addr.s_addr = htonl (auth_ipaddr);
- sin->sin_port = htons (data->svc_port);
-
- for (;;)
- {
- sendto (sockfd, (char *) auth, (int) total_length, (int) 0,
- (struct sockaddr *) sin, sizeof (struct sockaddr_in));
-
- if (radsock)
- { /* If non-blocking */
-
- /*
- * Return stuff to be saved for evaluation of reply
- * when it comes in
- */
- strcpy (msg, secret);
- memcpy (msg + strlen (msg) + 1, (char *) vector,
- AUTH_VECTOR_LEN);
- memset (secret, '\0', sizeof (secret));
- return 1; /* Pos. return means no error */
- }
- /* according to radius@msg.com 0L causing problems with BSD */
- /* Changing it to 999L for a longer timeout interval */
- authtime.tv_usec = 999L;
- authtime.tv_sec = (long) timeout;
- FD_ZERO (&readfds);
- FD_SET (sockfd, &readfds);
- if (select (sockfd + 1, &readfds, NULL, NULL, &authtime) < 0)
- {
- if (errno == EINTR)
- continue;
- memset (secret, '\0', sizeof (secret));
- close (sockfd);
- return (ERROR_RC);
- }
- if (FD_ISSET (sockfd, &readfds))
- break;
-
- /*
- * Timed out waiting for response. Retry "retry_max" times
- * before giving up. If retry_max = 0, don't retry at all.
- */
- if (++(*retries) >= retry_max)
- {
- close (sockfd);
- memset (secret, '\0', sizeof (secret));
- return (TIMEOUT_RC);
- }
- }
- salen = sizeof (saremote);
- length = recvfrom (sockfd, (char *) recv_buffer,
- (int) sizeof (recv_buffer),
- (int) 0, &saremote, &salen);
-
- if (length <= 0)
- {
- close (sockfd);
- memset (secret, '\0', sizeof (secret));
- return (ERROR_RC);
- }
- result = check_radius_reply (recv_buffer, secret, vector,
- (u_int) seq_nbr, msg);
- close (sockfd);
- memset (secret, '\0', sizeof (secret));
- return (result);
-
-} /* end of send_server () */
-
-
-/*************************************************************************
-*
-* check_radius_reply - Verify items in returned packet.
-*
-* Returns: OK_RC -- upon success,
-* BADRESP_RC -- if anything looks funny.
-*
-* Public entry point necessary for MINOS/MNET daemon.
-*
-**************************************************************************/
-
-int
-check_radius_reply (buffer, secret, vector, seq_nbr, msg)
-
-u_char *buffer;
-char *secret;
-u_char vector[];
-u_int seq_nbr;
-char *msg;
-
-{
- u_char len;
- int result;
- int secretlen;
- int totallen;
- AUTH_HDR *auth;
- u_char *next;
- u_char *ptr;
- VALUE_PAIR *vp;
- u_char calc_digest[AUTH_VECTOR_LEN];
- u_char reply_digest[AUTH_VECTOR_LEN];
-
- auth = (AUTH_HDR *) buffer;
- totallen = ntohs (auth->length);
-
-
- /* Verify that id (seq. number) matches what we sent */
- if (auth->id != (u_char) seq_nbr)
- {
- return (BADRESP_RC);
- }
-
- /* Verify the reply digest */
- memcpy ((char *) reply_digest, (char *) auth->vector, AUTH_VECTOR_LEN);
- memcpy ((char *) auth->vector, (char *) vector, AUTH_VECTOR_LEN);
- secretlen = strlen (secret);
- memcpy ((char *) buffer + totallen, secret, secretlen);
- md5_calc (calc_digest, (char *) auth, totallen + secretlen);
-
- if (memcmp ((char *) reply_digest, (char *) calc_digest,
- AUTH_VECTOR_LEN) != 0)
- {
- return (BADRESP_RC);
- }
-
- msg[0] = '\0';
- ptr = (u_char *) auth->data;
- totallen -= AUTH_HDR_LEN;
- while (totallen > 0)
- {
- len = ptr[1];
- totallen -= len;
- next = ptr + len;
- if (*ptr == '\0')
- {
- return (BADRESP_RC);
- }
-
- if (*ptr == PW_REPLY_MESSAGE)
- {
- ptr++;
- ptr++;
- strncat (msg, (char *) ptr, len - 2);
- strcat (msg, "\n");
- }
- ptr = next;
- }
-
- if ((auth->code == PW_ACCESS_ACCEPT) ||
- (auth->code == PW_PASSWORD_ACK) ||
- (auth->code == PW_ACCOUNTING_RESPONSE))
- {
- result = OK_RC;
- }
- else
- {
- result = BADRESP_RC;
- }
-
- return (result);
-} /* end of check_radius_reply () */
-
-
+++ /dev/null
-#ifndef RADIUS_H
-#define RADIUS_H
-
-/*
- * RADIUS Remote Authentication Dial In User Service
- *
- * Livingston Enterprises, Inc.
- * 6920 Koll Center Parkway
- * Pleasanton, CA 94566
- *
- * Copyright 1992 Livingston Enterprises, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose and without fee is hereby granted, provided that this
- * copyright and permission notice appear on all copies and supporting
- * documentation, the name of Livingston Enterprises, Inc. not be used
- * in advertising or publicity pertaining to distribution of the
- * program without specific prior permission, and notice be given
- * in supporting documentation that copying and distribution is by
- * permission of Livingston Enterprises, Inc.
- *
- * Livingston Enterprises, Inc. makes no representations about
- * the suitability of this software for any purpose. It is
- * provided "as is" without express or implied warranty.
- *
- * [C] The Regents of the University of Michigan and Merit Network, Inc. 1992,
- * 1993, 1994, 1995, 1996 All Rights Reserved
- *
- * Permission to use, copy, modify, and distribute this software and its
- * documentation for any purpose and without fee is hereby granted, provided
- * that the above copyright notice and this permission notice appear in all
- * copies of the software and derivative works or modified versions thereof,
- * and that both the copyright notice and this permission and disclaimer
- * notice appear in supporting documentation.
- *
- * THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE
- * UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE
- * FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR
- * THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. The Regents of the
- * University of Michigan and Merit Network, Inc. shall not be liable for any
- * special, indirect, incidental or consequential damages with respect to any
- * claim by Licensee or any third party arising from use of the software.
- *
- * @(#)radius.h 1.3 1/20/93
- *
- * $Id: radius.h,v 2.64 1996/06/19 18:16:23 web Exp $
- */
-
-
-#define COMMENT '#' /* comment char for config files */
-
-#define AUTH_VECTOR_LEN 16
-#define AUTH_PASS_LEN 16
-#define AUTH_ID_LEN 64
-#define AUTH_STRING_LEN 128 /* maximum of 253 */
-
-#define FILTER_LEN 16
-#define NAME_LENGTH 32
-#define MAX_FSMID_LEN 20 /* Maximum length of %FSMID string */
-
-typedef struct pw_auth_hdr
-{
- u_char code;
- u_char id;
- u_short length;
- u_char vector[AUTH_VECTOR_LEN];
- u_char data[2];
-} AUTH_HDR;
-
-#define AUTH_HDR_LEN 20
-#define MAX_SECRET_LENGTH 16
-#define CHAP_VALUE_LENGTH 16
-
-#if !defined(PW_AUTH_UDP_PORT)
-#define PW_AUTH_UDP_PORT 1647
-#endif
-
-#if !defined(PW_ACCT_UDP_PORT)
-#define PW_ACCT_UDP_PORT 1648
-#endif
-
-#define PW_TYPE_STRING 0
-#define PW_TYPE_INTEGER 1
-#define PW_TYPE_IPADDR 2
-#define PW_TYPE_DATE 3
-#define PW_TYPE_OCTETS 4
-#define PW_TYPE_VENDOR 5
-
-/* standard RADIUS codes */
-
-#define PW_ACCESS_REQUEST 1
-#define PW_ACCESS_ACCEPT 2
-#define PW_ACCESS_REJECT 3
-#define PW_ACCOUNTING_REQUEST 4
-#define PW_ACCOUNTING_RESPONSE 5
-#define PW_ACCOUNTING_STATUS 6
-#define PW_PASSWORD_REQUEST 7
-#define PW_PASSWORD_ACK 8
-#define PW_PASSWORD_REJECT 9
-#define PW_ACCOUNTING_MESSAGE 10
-#define PW_ACCESS_CHALLENGE 11
-#define PW_STATUS_SERVER 12
-#define PW_STATUS_CLIENT 13
-#define PW_FORWARDING 216
-\f
-
-/* standard RADIUS attribute-value pairs */
-
-#define PW_USER_NAME 1 /* string */
-#define PW_USER_PASSWORD 2 /* string */
-#define PW_CHAP_PASSWORD 3 /* string */
-#define PW_NAS_IP_ADDRESS 4 /* ipaddr */
-#define PW_NAS_PORT 5 /* integer */
-#define PW_SERVICE_TYPE 6 /* integer */
-#define PW_FRAMED_PROTOCOL 7 /* integer */
-#define PW_FRAMED_IP_ADDRESS 8 /* ipaddr */
-#define PW_FRAMED_IP_NETMASK 9 /* ipaddr */
-#define PW_FRAMED_ROUTING 10 /* integer */
-#define PW_FILTER_ID 11 /* string */
-#define PW_FRAMED_MTU 12 /* integer */
-#define PW_FRAMED_COMPRESSION 13 /* integer */
-#define PW_LOGIN_IP_HOST 14 /* ipaddr */
-#define PW_LOGIN_SERVICE 15 /* integer */
-#define PW_LOGIN_PORT 16 /* integer */
-#define PW_OLD_PASSWORD 17 /* string */ /* deprecated */
-#define PW_REPLY_MESSAGE 18 /* string */
-#define PW_LOGIN_CALLBACK_NUMBER 19 /* string */
-#define PW_FRAMED_CALLBACK_ID 20 /* string */
-#define PW_EXPIRATION 21 /* date */ /* deprecated */
-#define PW_FRAMED_ROUTE 22 /* string */
-#define PW_FRAMED_IPX_NETWORK 23 /* integer */
-#define PW_STATE 24 /* string */
-#define PW_CLASS 25 /* string */
-#define PW_VENDOR_SPECIFIC 26 /* string */
-#define PW_SESSION_TIMEOUT 27 /* integer */
-#define PW_IDLE_TIMEOUT 28 /* integer */
-#define PW_TERMINATION_ACTION 29 /* integer */
-#define PW_CALLED_STATION_ID 30 /* string */
-#define PW_CALLING_STATION_ID 31 /* string */
-#define PW_NAS_IDENTIFIER 32 /* string */
-#define PW_PROXY_STATE 33 /* string */
-#define PW_LOGIN_LAT_SERVICE 34 /* string */
-#define PW_LOGIN_LAT_NODE 35 /* string */
-#define PW_LOGIN_LAT_GROUP 36 /* string */
-#define PW_FRAMED_APPLETALK_LINK 37 /* integer */
-#define PW_FRAMED_APPLETALK_NETWORK 38 /* integer */
-#define PW_FRAMED_APPLETALK_ZONE 39 /* string */
-#define PW_CHAP_CHALLENGE 60 /* string */
-#define PW_NAS_PORT_TYPE 61 /* integer */
-#define PW_PORT_LIMIT 62 /* integer */
-#define PW_LOGIN_LAT_PORT 63 /* string */
-
-/* Accounting */
-
-#define PW_ACCT_STATUS_TYPE 40 /* integer */
-#define PW_ACCT_DELAY_TIME 41 /* integer */
-#define PW_ACCT_INPUT_OCTETS 42 /* integer */
-#define PW_ACCT_OUTPUT_OCTETS 43 /* integer */
-#define PW_ACCT_SESSION_ID 44 /* string */
-#define PW_ACCT_AUTHENTIC 45 /* integer */
-#define PW_ACCT_SESSION_TIME 46 /* integer */
-#define PW_ACCT_INPUT_PACKETS 47 /* integer */
-#define PW_ACCT_OUTPUT_PACKETS 48 /* integer */
-#define PW_ACCT_TERMINATE_CAUSE 49 /* integer */
-#define PW_ACCT_MULTI_SESSION_ID 50 /* string */
-\f
-/* Merit Experimental Extensions */
-
-/* Temporary assignment for LOG AATV session logging */
-
-#define PW_LAS_START_TIME 145 /* integer */
-#define PW_LAS_CODE 146 /* integer */
-#define PW_LAS_DURATION 147 /* integer */
-#define PW_LOCAL_DURATION 148 /* integer */
-
-#define PW_SERVICE_CLASS 149 /* string */
-#define PW_PORT_ENTRY 150 /* string */
-#define PW_PROXY_ACTION 211 /* string */
-#define PW_TOKEN 213 /* string */
-#define PW_HUNTGROUP_NAME 221 /* string */
-#define PW_USER_ID 222 /* string */
-#define PW_USER_REALM 223 /* string */
-
-/* Configuration Only Attributes (for check-items) */
-
-#define CI_COMMENT 1024 /* string */
-#define CI_XVALUE 1025 /* integer */
-#define CI_XSTRING 1026 /* string */
-#define CI_AUTHENTICATION_TYPE 1027 /* integer */
-#define CI_PROHIBIT 1028 /* integer */
-#define CI_USER_CATEGORY 1029 /* string */
-#define CI_GROUP_NAME 1030 /* string */
-#define CI_ENCRYPTED_PASSWORD 1031 /* string */
-#define CI_EXPIRATION 1032 /* date */
-#define CI_USER_PASSWORD 1033 /* string */
-#define CI_SIMULTANEOUS_USE 1034 /* integer */
-#define CI_SERVER_NAME 1035 /* string */
-\f
-/* Integer Translations */
-
-/* SERVICE TYPES */
-
-#define PW_LOGIN 1
-#define PW_FRAMED 2
-#define PW_CALLBACK_LOGIN 3
-#define PW_CALLBACK_FRAMED 4
-#define PW_OUTBOUND_USER 5
-#define PW_ADMINISTRATIVE_USER 6
-#define PW_SHELL_USER 7
-#define PW_AUTHENTICATE_ONLY 8
-#define PW_CALLBACK_ADMIN_USER 9
-
-/* FRAMED PROTOCOLS */
-
-#define PW_PPP 1
-#define PW_SLIP 2
-#define PW_ARA 3
-#define PW_GANDALF 4
-
-/* FRAMED ROUTING VALUES */
-
-#define PW_NONE 0
-#define PW_BROADCAST 1
-#define PW_LISTEN 2
-#define PW_BROADCAST_LISTEN 3
-
-/* FRAMED COMPRESSION TYPES */
-
-#define PW_VAN_JACOBSON_TCP_IP 1
-#define PW_IPX_HEADER_COMPRESSION 2
-
-/* LOGIN SERVICES */
-
-#define PW_TELNET 0
-#define PW_RLOGIN 1
-#define PW_TCP_CLEAR 2
-#define PW_PORTMASTER 3
-#define PW_LAT 4
-
-/* TERMINATION ACTIONS */
-
-#define PW_DEFAULT 0
-#define PW_RADIUS_REQUEST 1
-\f
-/* AUTHENTICATION TYPES */
-
-#define AA_NONE 0 /* This is not a valid user id entry */
-#define AA_UNIX 1 /* Use local Unix password file */
-#define AA_AKRB 2 /* AFS Kerberos type authentication */
-#define AA_MKRB 3 /* MIT Kerberos type authentication */
-#define AA_RAD 4 /* Pass to remote RADIUS server */
-#define AA_MNET 5 /* Do Merit specific authentication */
-#define AA_KCHAP 6 /* Kerberos CHAP authentication */
-#define AA_TACACS 7 /* Encrypted TACACS authentication */
-#define AA_REALM 8 /* Find given realm in authfile */
-#define AA_LOCAL 9
-#define AA_FILE 10 /* ID/PW list in a file */
-
-#define PW_AUTH_MAX 10 /* Highest authentication type */
-
-/* PROHIBIT PROTOCOL */
-
-#define PW_DUMB 0 /* 1 and 2 are defined in FRAMED PROTOCOLS */
-#define PW_AUTH_ONLY 3
-#define PW_ALL 255
-
-/* ACCOUNTING STATUS TYPES */
-
-#define PW_STATUS_START 1
-#define PW_STATUS_STOP 2
-#define PW_STATUS_ALIVE 3
-#define PW_STATUS_MODEM_START 4
-#define PW_STATUS_MODEM_STOP 5
-#define PW_STATUS_CANCEL 6
-#define PW_ACCOUNTING_ON 7
-#define PW_ACCOUNTING_OFF 8
-
-/* ACCOUNTING TERMINATION CAUSES */
-
-#define PW_USER_REQUEST 1
-#define PW_LOST_CARRIER 2
-#define PW_LOST_SERVICE 3
-#define PW_ACCT_IDLE_TIMEOUT 4
-#define PW_ACCT_SESSION_TIMEOUT 5
-#define PW_ADMIN_RESET 6
-#define PW_ADMIN_REBOOT 7
-#define PW_PORT_ERROR 8
-#define PW_NAS_ERROR 9
-#define PW_NAS_REQUEST 10
-#define PW_NAS_REBOOT 11
-#define PW_PORT_UNNEEDED 12
-#define PW_PORT_PREEMPTED 13
-#define PW_PORT_SUSPENDED 14
-#define PW_SERVICE_UNAVAILABLE 15
-#define PW_CALLBACK 16
-#define PW_USER_ERROR 17
-#define PW_HOST_REQUEST 18
-
-/* NAS PORT TYPES */
-
-#define PW_ASYNC 0
-#define PW_SYNC 1
-#define PW_ISDN_SYNC 2
-#define PW_ISDN_SYNC_V120 3
-#define PW_ISDN_SYNC_V110 4
-\f
-/* Default Database File Names */
-
-#ifndef RADIUS_DIR
-#define RADIUS_DIR "/usr/private/etc/raddb"
-#endif
-
-#ifndef RADACCT_DIR
-#define RADACCT_DIR "/usr/private/etc/radacct"
-#endif
-
-/*
- * Note: To change where these files go, do not change the #defines
- * below, instead change the RADIUS_DIR #define above.
- */
-
-#define RADIUS_DICTIONARY "dictionary"
-#define RADIUS_CLIENTS "clients"
-#define RADIUS_USERS "users"
-#define RADIUS_HOLD "holdusers"
-#define RADIUS_LOG "logfile"
-#define RADIUS_AUTH "authfile"
-#define RADIUS_PID "radiusd.pid"
-#define RADIUS_FSM "radius.fsm"
-#define RADIUS_DEBUG "radius.debug"
-
-#ifndef RADIUS_COMPRESS
-#define RADIUS_COMPRESS "/usr/ucb/compress" /* might be gzip, etc. */
-#endif
-
-#ifndef RADIUS_LOCALSERVER
-#define RADIUS_LOCALSERVER "nimic.nas.nasa.gov"
-#endif
-
-#ifndef DEFAULT_REALM
-#define DEFAULT_REALM "DEFAULT"
-#endif
-
-#ifndef NULL_REALM
-#define NULL_REALM "NULL"
-#endif
-\f
-/* Server data structures */
-
-typedef struct dict_attr
-{
- char name[NAME_LENGTH + 1]; /* attribute name */
- int value; /* attribute index */
- int type; /* string, int, etc. */
- struct dict_attr *next;
-} DICT_ATTR;
-
-typedef struct dict_value
-{
- char attrname[NAME_LENGTH +1];
- char name[NAME_LENGTH + 1];
- int value;
- struct dict_value *next;
-} DICT_VALUE;
-
-typedef struct value_pair
-{
- char name[NAME_LENGTH + 1];
- int attribute;
- int type;
- UINT4 lvalue;
- char strvalue[AUTH_STRING_LEN + 1];
- struct value_pair *next;
-} VALUE_PAIR;
-
-typedef struct auth_req
-{
- UINT4 ipaddr; /* IP address of requestor */
- u_short udp_port; /* UDP reply socket of requestor */
- u_char id; /* Original request seq. number */
- u_char code; /* Type of RADIUS packet */
- u_char vector[AUTH_VECTOR_LEN];
- char *secret;
- char *file_pfx;
- char *realm_filter;
- u_char ttl; /* Global queue time-to-live secs */
- u_char timer; /* General utility timer */
- u_char reply_id; /* RADIUS-to-RADIUS seq. number */
- u_char retry_cnt; /* Counter for duplicate requests */
- u_char state; /* State of current request */
- u_char sws; /* Switches, flags, etc. */
- int result; /* Result of previous action */
- int cur_count; /* Original number request pairs */
- struct aatv *fsm_aatv; /* Pointer to current FSM action */
- struct aatv *direct_aatv; /* Pointer to actual action */
- struct event_ent *event_q; /* Pointer to active event queue */
- struct auth_req *next; /* Global request queue link */
- VALUE_PAIR *request; /* Original client a/v pairs */
- VALUE_PAIR *cur_request; /* Represents current a/v pairs */
- VALUE_PAIR *user_check; /* List of users file check items */
-} AUTH_REQ;
-\f
-typedef struct event_ent
-{
- struct event_ent *next;
- AUTH_REQ *auth_head; /* pointer back to the authreq structure */
- struct aatv *fsm_aatv; /* record action from FSM table */
- struct aatv *sub_aatv; /* record action when request was issued */
- u_char *packet; /* copy of request packet which was sent */
- int len; /* length of packet */
- pid_t pid; /* fork type: pid, socket type: == zero */
- struct sockaddr_in sin; /* socket info for packet re-sending */
- int evalue; /* AATV act_func integer argument */
- u_char state; /* state in which the request was issued */
- char action[NAME_LENGTH+1]; /* "cmd" arg to radius_send */
- char estring[AUTH_ID_LEN]; /* AATV act_func string arg */
-} EVENT_ENT;
-
-typedef struct user_ent
-{
- struct user_ent *next;
- char *name;
- VALUE_PAIR *check;
- VALUE_PAIR *reply;
-} USER_ENTRY;
-
-#ifdef MERIT_LAS
-typedef struct lasrealm_ent *LAS_REALM;
-#endif /* MERIT_LAS */
-
-typedef struct auth_ent
-{
- struct auth_ent *next;
- char *name;
- struct auth_ent *parent;
- int prot;
- int type;
- char *host;
- char *filter;
-#ifdef MERIT_LAS
- LAS_REALM las_realm;
-#endif /* MERIT_LAS */
-} AUTH_ENTRY;
-
-/* The following must match the beginning of the auth_ent structure */
-typedef struct auth_aent
-{
- struct auth_ent *next;
- char *name;
- struct auth_ent *parent;
-} AUTH_ALIAS_ENTRY;
-
-typedef struct linklist_entry
-{
- struct linklist_entry *next; /* pointer to next entry in list */
-} LINKLIST_ENT;
-
-#define numbof(X) (sizeof(X)/sizeof(X[0]))
-\f
-typedef struct name_list
-{
- struct name_list *next;
- char *name;
- u_char flag;
- u_short num;
-} NAME_LIST;
-
-/* Binary port entry structure used in Port-Entry attribute */
-
-#define PORT_ENTRY_VERSION 0 /* increase if change structure here */
-
-typedef struct bin_port_ent
-{
- u_char version; /* be sure to use PORT_ENTRY_VERSION */
- u_char port_source; /* zero => was HGAS, one => otherwise */
- time_t start_time; /* start time of session on this port */
- UINT4 port_nbr; /* port number of this session */
- UINT4 duration; /* session length (seconds) */
-} BIN_PORT_ENT;
-
-/*
- * Use the following to specify default "realm" names to use for
- * authentication-type entries of RADIUS or TACACS that may be
- * configured in the "users" file. May be configured globally
- * in the Makefile or changed in the authfile on a running server.
- */
-
-#ifndef DEFAULT_RADIUS_SERVER
-#define DEFAULT_RADIUS_SERVER "nimic.nas.nasa.gov"
-#endif
-
-#ifndef DEFAULT_TACACS_SERVER
-#define DEFAULT_TACACS_SERVER ""
-#endif
-
-/******************************************************************
- *
- * PW_PROTTYPE & PW_PROTTYPES - define authentication protocol allowed
- * for particular realm entry in authfile.
- *
- * The PW_PROTTYPE value is stored in the auth_ent.prot field.
- * The PW_PROTTYPE value corresponds to the order of PW_PROTTYPES.
- *
- *****************************************************************/
-
-#define PW_PROTTYPE_DFLT 0 /* Use this entry for any protocol */
-#define PW_PROTTYPE_CHAP 1 /* Entry is for CHAP style authent. */
-#define PW_PROTTYPE_PW 2 /* Entry is for id/pw style authent. */
-
-#define PW_PROTTYPES_DFLT "DEFAULT"
-#define PW_PROTTYPES_CHAP "CHAP"
-#define PW_PROTTYPES_PW "PW"
-\f
-typedef struct file_list
-{
- struct file_list *next;
- char *prefix;
- USER_ENTRY *user_list;
- AUTH_ENTRY *auth_list;
-} FILE_LIST;
-
-typedef struct ip_address
-{
- struct ip_address *next;
- struct in_addr ipaddr;
-} IP_ADDRESS;
-
-typedef struct dns_name
-{
- struct dns_name *next;
- u_char type; /* 0 = official name, 1 = alias */
- char name[1];
-} DNS_NAME;
-
-typedef struct client_ent
-{
- struct client_ent *next;
- IP_ADDRESS *addrs;
- char *secret;
- char *prefix;
- char *hostname;
- DNS_NAME *names;
- time_t expire_time;
- enum {CE_DNS, CE_NUMERIC, CE_OURADDR} type;
-} CLIENT_ENTRY;
-
-/* Define return codes from "SendServer" utility */
-
-#define BADRESP_RC -2
-#define ERROR_RC -1
-#define OK_RC 0
-#define TIMEOUT_RC 1
-
-typedef struct send_data /* Used to pass information to sendserver() function */
-{
- u_char code; /* RADIUS packet code */
- u_char seq_nbr; /* Packet sequence number */
- char *user_name;
- char *password; /* Cleartext user password */
- u_char ustype; /* Service-Type attribute */
- u_char fptype; /* Framed-Protocol attribute */
- char *server; /* Name/addrress of RADIUS server */
- int svc_port; /* RADIUS protocol destination port */
- int timeout; /* Session timeout in seconds */
- UINT4 client_id; /* IP address of client */
- int port_num; /* Port number on client */
- char *user_file; /* Users style file of a/v pairs */
- char *group;
- VALUE_PAIR *send_pairs; /* More a/v pairs to send */
- VALUE_PAIR **receive_pairs; /* Where to place received a/v pairs */
-} SEND_DATA;
-\f
-/*
- * Handle older syslog versions, too!
- */
-
-#ifndef LOG_CONS
-#define LOG_DAEMON 0
-#define LOG_AUTH 0
-#endif
-
-#define MGMT_POLL_SECRET "Hardlyasecret"
-#define MAX_REQUESTS 128
-#define MAX_REQUEST_TIME 30 /* Lifetime of a request */
-#define CLEANUP_DELAY 5 /* Hold onto old requests this long */
-#define DEFAULT_INETD_TIMEOUT 15 /* Fifteen minutes by default */
-#define DEFAULT_TIMER_VALUE 3 /* Three seconds by default */
-#define ADDRESS_AGING 60*60 /* One hour by default */
-#define DFLT_TACACS_UDP_PORT 49 /* Default TACACS server port */
-#define SESS_ID_LEN 8 /* session id length */
-#define SECONDS_PER_DAY 86400
-#define TRUNCATION_DAY 7 /* Sunday is zero (0), daily is seven (7) */
-#define DNS_SLEEP 100 /* Time which DNS sub-process sleeps. */
-
-typedef enum /* error code */
-{
- EC_OK, /* no error */
- EC_INTERNAL, /* internal error */
- EC_CONFIG, /* configuration error */
- EC_NO_MEMORY, /* out of memory */
- EC_CREATE_FILE, /* error creating file */
- EC_NO_TOKEN, /* no token available */
- EC_NO_PORTS, /* no ports available for guests */
- EC_TOO_MANY_SESSIONS, /* user has too many sessions */
- EC_ABS_FAILURE, /* ABS failed (with message) */
- EC_NO_BALANCE, /* error querying for balance */
- EC_BAD_BALANCE /* balance too low */
-} ERRORCODE;
-\f
-typedef enum /* accounting code */
-{
- AC_ERROR = -1, /* no accounting code */
- AC_NORMAL, /* normal disconnect */
- AC_REJECT, /* rejected by this server */
- AC_CANCEL, /* access rejected by someone */
- AC_NOCONFIRM, /* no confirmation */
- AC_OVERTIME, /* session over maximum time allowed */
- AC_UNKNOWN, /* session ended for unknown reason */
- AC_NOTOKEN, /* rejected because no token */
- AC_NOTLOCAL, /* session not local */
- AC_SUSPEND, /* session suspended */
- AC_FAILED, /* authentication failed */
- AC_AUTHORIZED, /* session authorized (for stats) */
- AC_NASREBOOT, /* released due to NAS reboot */
- AC_REMOTE, /* remote session, failed to forward */
- AC_NUMBOFCODE /* number of accounting code */
-} ACCTCODE;
-
-#ifndef PROTO
-#ifdef __STDC__
-#define PROTO(x) x
-#else
-#define PROTO(x) ()
-#define const
-#endif /* !__STDC__ */
-#endif /* !PROTO */
-
-union action_u
-{
- struct aatv *aatv; /* points to the id field of an AATV */
- char *proxy; /* pointer to a Proxy-Action string */
-} UACTION;
-
-/* Define event structure (for events generated by AATV recv functions */
-
-typedef struct ev
-{
- u_char state;
- union action_u a;
- int isproxy; /* set to one if action "a" is proxy */
- int value;
- char xstring[AUTH_ID_LEN];
-} EV;
-\f
-/* Define aatvfunc_type codes */
-
-#define AA_DIRECT 0 /* Function gives direct reply */
-#define AA_SOCKET 1 /* Deferred reply returned on socket */
-#define AA_FORK 2 /* Spawn a process to wait for reply */
-#define AA_FREPLY 3 /* Fork & get reply on server socket */
-
-typedef struct aatv
-{
- u_char id[NAME_LENGTH + 1];
- char authen_type; /* a -1 value indicates built-in AATV types */
- u_char aatvfunc_type;
- void (*init) PROTO((struct aatv *));
- int (*timer) PROTO((void));
- int (*act_func) PROTO((AUTH_REQ *, int, char *));
- AUTH_REQ * (*recv) PROTO((struct sockaddr_in *, UINT4, u_int, EV *));
- void (*cleanup) PROTO((void));
- UINT4 sockfd;
-} AATV, *AATVPTR;
-
-extern AATV *authtype_tv[];
-
-#ifdef MERIT_LAS
-extern AATVPTR rad_log_aatv; /* For logging (selector) */
-extern AATVPTR rad_log_all_aatv; /* For logging (debugging) */
-extern AATVPTR rad_log_brief_aatv; /* For logging (logging) */
-extern AATVPTR rad_log_old_aatv; /* For logging (logging) */
-extern AATVPTR rad_log_v1_0_aatv; /* For logging (logging) */
-extern AATVPTR rad_log_v1_1_aatv; /* For logging (logging) */
-extern AATVPTR rad_log_v2_0_aatv; /* For logging (logging) */
-extern AATVPTR rad_log_v2_1_aatv; /* For logging (logging) */
-#endif /* MERIT_LAS */
-
-/* Specify all authentication/authorization transfer vectors here. */
-
-extern AATVPTR rad_realm_aatv; /* Needed for authtype = realm */
-extern AATVPTR rad_2rad_aatv; /* Authtype = Radius */
-extern AATVPTR rad_tacs_aatv; /* Authtype = TACACS */
-extern AATVPTR rad_unix_aatv; /* Authtype = Unix-pw */
-extern AATVPTR rad_kchp_aatv; /* Authtype = KCHAP */
-extern AATVPTR rad_mnet_aatv; /* Authtype = mnet */
-extern AATVPTR rad_akrb_aatv; /* Authtype = akerb */
-extern AATVPTR rad_mkrb_aatv; /* Authtype = mkerb */
-#ifdef MERIT_LAS
-extern AATVPTR rad_file_aatv; /* Authtype = File */
-#endif /* MERIT_LAS */
-extern AATVPTR rad_authen_aatv; /* Authentication begins here */
-extern AATVPTR rad_passwd_aatv; /* Used for changing passwords */
-\f
-#ifdef MERIT_HUNTGROUP
-#include "huntgroup.h"
-#define EN_HGAS1 "HGAS1"
-#define EN_HGAS2 "HGAS2"
-#define EN_HGAS3 "HGAS3"
-#define EN_HGAS4 "HGAS4"
-#define EN_BACCT "BACCT"
-extern AATVPTR rad_hgas1_aatv; /* Hg Authorization begins here */
-extern AATVPTR rad_hgas2_aatv; /* Hg Authorization continues here */
-extern AATVPTR rad_hgas3_aatv; /* Hg Accounting begins here */
-extern AATVPTR rad_hgas4_aatv; /* Hg Accounting continues here */
-extern AATVPTR rad_hgasrmt_aatv; /* Hg forwarding to remote server */
-extern AATVPTR rad_hgacctrmt_aatv; /* Hg accounting origination */
-extern AATVPTR rad_hgaslog_aatv; /* Hg logging action (for HGAS1) */
-
-#ifdef MERIT_HUNTGROUP_DAC
-extern AATVPTR rad_hgdac1_aatv; /* Hg DAC policy begins here */
-extern AATVPTR rad_hgdac2_aatv; /* Hg DAC policy continues here */
-extern AATVPTR rad_hgdac3_aatv; /* Hg DAC accounting begins here */
-#define DACAATVS ,&rad_hgdac1_aatv,&rad_hgdac2_aatv,&rad_hgdac3_aatv
-#else /* MERIT_HUNTGROUP_DAC */
-#define DACAATVS
-#endif /* MERIT_HUNTGROUP_DAC */
-
-#ifdef MERIT_HUNTGROUP_SHP
-extern AATVPTR rad_hgshp1_aatv; /* Hg SHP policy begins here */
-extern AATVPTR rad_hgshp2_aatv; /* Hg SHP policy continues here */
-extern AATVPTR rad_hgshp3_aatv; /* Hg SHP accounting begins here */
-#define SHPAATVS ,&rad_hgshp1_aatv,&rad_hgshp2_aatv,&rad_hgshp3_aatv
-#else /* MERIT_HUNTGROUP_SHP */
-#define SHPAATVS
-#endif /* MERIT_HUNTGROUP_SHP */
-
-#define HGAATVS ,&rad_hgas1_aatv,&rad_hgas2_aatv,&rad_hgas3_aatv,&rad_hgas4_aatv,&rad_hgasrmt_aatv,&rad_hgaslog_aatv,&rad_hgacctrmt_aatv DACAATVS SHPAATVS
-#else /* MERIT_HUNTGROUP */
-#define HGAATVS
-#define EN_HGAS1 ""
-#define EN_HGAS2 ""
-#define EN_HGAS3 ""
-#define EN_HGAS4 ""
-#define EN_BACCT ""
-#endif /* MERIT_HUNTGROUP */
-\f
-#ifdef MERIT_ORGANIZATION
-#include "oas.h"
-#define EN_OAS "OAS"
-#define EN_OAS_ACCT "OAS_ACCT"
-extern AATVPTR rad_oas_aatv; /* Org Authorization begins here */
-extern AATVPTR rad_oasrem_aatv; /* Org Authorization remote stuff */
-extern AATVPTR rad_oasloc_aatv; /* Org Authorization local stuff */
-extern AATVPTR oas_acct_aatv; /* Org Accounting begins here */
-#define OASAATVS ,&rad_oas_aatv,&rad_oasrem_aatv,&rad_oasloc_aatv,&oas_acct_aatv
-#else /* MERIT_ORGANIZATION */
-#define OASAATVS
-#define EN_OAS ""
-#define EN_OAS_ACCT ""
-#endif /* MERIT_ORGANIZATION */
-
-#ifdef MERIT_LAS
-#include "las.h"
-#define EN_LAS "AUTHENTICATE"
-#define EN_LAS_ACCT "LAS_ACCT"
-extern AATVPTR rad_las_aatv; /* Local authorization */
-extern AATVPTR las_auth_subaatv; /* Generic LAS authorization */
-extern AATVPTR las_acct_subaatv; /* Generic LAS accounting */
-extern AATVPTR las_acct_aatv; /* LAS accounting */
-
-#ifdef LAS_NO_HGAS
-#define LASCPAATV
-#else /* LAS_NO_HGAS */
-extern AATVPTR lascp_aatv; /* LAS synchronizing */
-#define LASCPAATV ,&lascp_aatv
-#endif /* LAS_NO_HGAS */
-
-#ifdef UOFM_LAS
-#include "umlas.h"
-extern AATVPTR las_um_aatv; /* U of M LAS */
-#define LASAATVS ,&las_auth_subaatv,&las_acct_subaatv,&las_um_aatv, \
- &rad_las_aatv,&las_acct_aatv LASCPAATV
-#else /* UOFM_LAS */
-#define LASAATVS ,&las_auth_subaatv,&las_acct_subaatv, \
- &rad_las_aatv,&las_acct_aatv LASCPAATV
-#endif /* UOFM_LAS */
-#else /* MERIT_LAS */
-#define LASAATVS
-#define EN_LAS ""
-#define EN_LAS_ACCT ""
-#endif /* MERIT_LAS */
-
-#ifdef MERIT_LAS
-#define AUTHENAATVS &rad_realm_aatv, &rad_unix_aatv, &rad_2rad_aatv, \
- &rad_tacs_aatv, &rad_kchp_aatv, &rad_mnet_aatv, \
- &rad_akrb_aatv, &rad_mkrb_aatv, &rad_file_aatv, \
- &rad_authen_aatv, &rad_passwd_aatv
-#else /* MERIT_LAS */
-#define AUTHENAATVS &rad_realm_aatv, &rad_unix_aatv, &rad_2rad_aatv, \
- &rad_tacs_aatv, &rad_kchp_aatv, &rad_mnet_aatv, \
- &rad_akrb_aatv, &rad_mkrb_aatv, &rad_authen_aatv, \
- &rad_passwd_aatv
-#endif /* MERIT_LAS */
-
-
-#define AATVS AUTHENAATVS HGAATVS OASAATVS LASAATVS
-\f
-/*
- * Event names (EN_*) in RADIUS ### see the NOTE in enum_event()
- */
-
-#define EN_NAK "NAK"
-#define EN_ACK "ACK"
-#define EN_ERROR "ERROR"
-#define EN_WAIT "WAIT"
-#define EN_FATAL "FATAL"
-#define EN_DUP_REQ "DUP"
-#define EN_TIMER "TIMER"
-#define EN_TIMEOUT "TIMEOUT"
-#define EN_ABORT "ABORT"
-#define EN_NEW_AUTHEN "AUTHEN"
-#define EN_NEW_ACCT "ACCT"
-#define EN_NEW_PASSWD "PASSWD"
-#define EN_RE_ACCESS "REACCESS"
-#define EN_ACC_CHAL "ACC_CHAL"
-#define EN_MGT_POLL "MGT_POLL"
-#define EN_AUTH_ONLY "AUTH_ONLY"
-#define EN_ACCT_START "ACCT_START"
-#define EN_ACCT_STOP "ACCT_STOP"
-#define EN_ACCT_ALIVE "ACCT_ALIVE"
-#define EN_ACCT_MODEM_START "ACCT_MSTART"
-#define EN_ACCT_MODEM_STOP "ACCT_MSTOP"
-#define EN_ACCT_CANCEL "ACCT_CANCEL"
-#define EN_RC1 "RC1"
-#define EN_RC2 "RC2"
-#define EN_RC3 "RC3"
-#define EN_RC4 "RC4"
-#define EN_RC5 "RC5"
-#define EN_RC6 "RC6"
-#define EN_RC7 "RC7"
-#define EN_RC8 "RC8"
-#define EN_RC9 "RC9"
-#define EN_RC10 "RC10"
-#define EN_RC11 "RC11"
-#define EN_RC12 "RC12"
-#define EN_RC13 "RC13"
-#define EN_RC14 "RC14"
-#define EN_RC15 "RC15"
-#define EN_RC16 "RC16"
-#define EN_RC17 "RC17"
-#define EN_RC18 "RC18"
-#define EN_RC19 "RC19"
-#define EN_RC20 "RC20"
-#define EN_RC21 "RC21"
-\f
-/*
- * Event numbers in RADIUS ### see the NOTE in enum_event()
- */
-typedef enum
-{
- EV_NAK = -1,
- EV_ACK = 0,
- EV_ERROR = 1,
- EV_WAIT = 2,
- EV_FATAL = 3,
- EV_DUP_REQ = 4,
- EV_TIMER = 5,
- EV_TIMEOUT = 6,
- EV_ABORT = 7,
-
- /* arbitrary return codes from AATV action functions */
-
- EV_RC1 = 8,
- EV_RC2 = 9,
- EV_RC3 = 10,
- EV_RC4 = 11,
- EV_RC5 = 12,
- EV_RC6 = 13,
- EV_RC7 = 14,
- EV_RC8 = 15,
- EV_RC9 = 16,
- EV_RC10 = 17,
- EV_RC11 = 18,
- EV_RC12 = 19,
- EV_RC13 = 20,
- EV_RC14 = 21,
- EV_RC15 = 22,
- EV_RC16 = 23,
- EV_RC17 = 24,
- EV_RC18 = 25,
- EV_RC19 = 26,
- EV_RC20 = 27,
- EV_RC21 = 28
-} EVENT;
-\f
-/* Request type events */
-
-#define EV_NEW_AUTHEN EV_RC1
-#define EV_NEW_ACCT EV_RC2
-#define EV_NEW_PASSWD EV_RC3
-#define EV_RE_ACCESS EV_RC4
-#define EV_ACC_CHAL EV_RC5
-#define EV_MGT_POLL EV_RC6
-#define EV_AUTH_ONLY EV_RC7
-#ifdef MERIT_HUNTGROUP
-#define EV_HGAS1 EV_RC8
-#define EV_HGAS2 EV_RC9
-#define EV_HGAS3 EV_RC10
-#define EV_BACCT EV_RC11
-#else /* MERIT_HUNTGROUP */
-#define EV_HGAS1 EV_ACK
-#define EV_HGAS2 EV_ACK
-#define EV_HGAS3 EV_ACK
-#define EV_BACCT EV_ACK
-#endif /* MERIT_HUNTGROUP */
-#define EV_ACCT_START EV_RC12
-#define EV_ACCT_STOP EV_RC13
-#define EV_ACCT_ALIVE EV_RC14
-#define EV_ACCT_MODEM_START EV_RC15
-#define EV_ACCT_MODEM_STOP EV_RC16
-#define EV_ACCT_CANCEL EV_RC17
-#ifdef MERIT_ORGANIZATION
-#define EV_OAS EV_RC18
-#define EV_OAS_ACCT EV_RC19
-#else /* MERIT_ORGANIZATION */
-#define EV_OAS EV_ACK
-#define EV_OAS_ACCT EV_ACK
-#endif /* MERIT_ORGANIZATION */
-#ifdef MERIT_LAS
-#define EV_LAS EV_RC20
-#define EV_LAS_ACCT EV_RC21
-#else /* MERIT_LAS */
-#define EV_LAS EV_ACK
-#define EV_LAS_ACCT EV_ACK
-#endif /* MERIT_LAS */
-
-typedef enum /* Typedef for second add_string() argument */
-{
- ASIS = 0x0000, /* No conversion on string */
- ASLC = 0x0001, /* Store as lower case sting */
- FINDONLY = 0x0002 /* Find string only */
-} AS_CONVERT;
-\f
-/*
- * The finite state machine (FSM) table is laid out as follows:
- *
- * state0:
- * event01 aatv01 nextstate01
- * event02 aatv02 nextstate02
- * ...
- * state1:
- * event11 aatv11 nextstate11
- * ...
- */
-
-#define NUMSTATES 32 /* initial maximum number of states */
-
-#define ST_INIT 0 /* initial state */
-
-#define ST_RESERVED 240 /* beginning of reserved state range */
-#define ST_SEEN 241 /* flag for state seen before being defined */
-#define ST_DEFINED 242 /* flag for state definition */
-
-#define ST_RECV 251 /* to indicate state which receives requests */
-#define ST_HOLD 252 /* to indicate dead requests */
-#define ST_SAME 253 /* for default action table */
-#define ST_ANY 254 /* for default action table */
-#define ST_END 255 /* end of FSM table */
-
-typedef struct statelist /* list of all state names */
-{
- int maxst; /* capacity of this list */
- int nst; /* number of states already there */
- NAME_LIST *states; /* list of states found in the config file */
-} STATELIST;
-
-typedef struct fsm_entry /* The Finite State Machine an array of these */
-{
- struct fsm_entry *next; /* list of entries for this state */
- EV event; /* (state.action.event) 3-tuple */
- AATV *action; /* what AATV (action) to invoke */
- int xvalue; /* miscellaneous integer from FSM */
- char *xstring; /* miscellaneous string from FSM */
- u_char next_state; /* the next state to visit */
-} FSM_ENT;
-
-typedef struct prun_rule /* Pruning data structure (from RADIUS DRAFT RFC) */
-{
- int value; /* this is the attribute value */
- int flags; /* inclusive OR of PRUN_FLG values */
- int count; /* how many the RFC says to allow */
-} PRUN_RULE;
-
-typedef struct prun_list
-{
- char vendor[AUTH_ID_LEN + 1];
- PRUN_RULE *rules;
- struct prun_list *next;
-} PRUN_LIST;
-
-#define PRUN_FLG1 1 /* this attribute allowable in Access_Accept */
-#define PRUN_FLG2 2 /* this attribute allowable in Access_Reject */
-\f
-#define AR_NO_LOG 0x01 /* sws: Suppress logging flag */
-#define AR_FROM_PROXY 0x04 /* sws: authreq came from NAS */
-
-#define SAR_NO_LOG(authreq) (authreq->sws |= AR_NO_LOG) /* set flag */
-#define CAR_NO_LOG(authreq) (authreq->sws &= ~AR_NO_LOG) /* clear flag */
-#define TAR_NO_LOG(authreq) ((authreq->sws & AR_NO_LOG) != 0) /* test flag */
-
-#define SAR_FROM_PROXY(authreq) (authreq->sws |= AR_FROM_PROXY) /* set flag */
-#define CAR_FROM_PROXY(authreq) (authreq->sws &= ~AR_FROM_PROXY) /* clr flag */
-#define TAR_FROM_PROXY(authreq) ((authreq->sws & AR_FROM_PROXY) != 0) /* test */
-
-#define AVPAIR_VTOA_QUOTE 0x0001 /* Quote strings with "'" */
-#define AVPAIR_VTOA_NULL 0x0002 /* Print "" instead of NULL for missing item */
-#define AVPAIR_VTOA_MASK 0x00ff /* Reserve fourteen more bits. */
-
-#define LOG_VP_QUOTE 0x0001 /* Quote strings (same as AVPAIR_VTOA_QUOTE) */
-#define LOG_VP_NULL 0x0002 /* Use "" (incompatible with LOG_VP_NA) */
-#define LOG_VP_TAB 0x0100 /* Put tab after printing. */
-#define LOG_VP_NA 0x0200 /* fprintf ("NA") if no attr exists in list. */
-#define LOG_VP_LAST 0x0400 /* Log last value pair found. */
-#define LOG_VP_ALL 0x0800 /* Log all attributes found. */
-#define LOG_VP_MASK 0xFFFF /* Switches available. */
-\f
-/* dict.c */
-int dict_init PROTO((void));
-DICT_ATTR * dict_attrget PROTO((int));
-DICT_ATTR * dict_attrfind PROTO((char *));
-DICT_VALUE * dict_valfind PROTO((char *));
-DICT_VALUE * dict_valget PROTO((UINT4, char *));
-
-/* fsm.c */
-AATV * find_aatv PROTO((char *));
-int init_fsm PROTO((int, AATVPTR **, int, char *, FSM_ENT ***, FSM_ENT ***));
-
-/* funcs.c */
-char * add_string PROTO((char *, int));
-char * authtype_toa PROTO((int));
-VALUE_PAIR * avpair_add PROTO((VALUE_PAIR **, int, void *, int));
-int avpair_assign PROTO((VALUE_PAIR *, void *, int));
-int avpair_copy PROTO((VALUE_PAIR **, VALUE_PAIR *, int));
-int avpair_get PROTO((void *, VALUE_PAIR *, int));
-VALUE_PAIR * avpair_new PROTO((int, void *, int));
-char * avpair_vtoa PROTO((VALUE_PAIR *, int));
-void compress_file PROTO((FILE **, char *));
-void debug_list PROTO((FILE *, VALUE_PAIR *));
-void debug_pair PROTO((FILE *, VALUE_PAIR *));
-int dumpit PROTO((/* int, int, void *, int, int, char *, ...*/));
-void fprint_attr_val PROTO((FILE *, VALUE_PAIR *));
-VALUE_PAIR * gen_valpairs PROTO((AUTH_HDR *));
-char * get_errmsg PROTO((void));
-int get_passwd PROTO((AUTH_REQ *, char *, char *, char *));
-VALUE_PAIR * get_vp PROTO((VALUE_PAIR *, UINT4));
-VALUE_PAIR * get_last_vp PROTO((VALUE_PAIR *, UINT4));
-int hex_dump PROTO((char *, char *, int, int));
-void insert_vp PROTO((VALUE_PAIR **, VALUE_PAIR *, VALUE_PAIR *));
-int loghead PROTO(( /* va_alist */ ));
-
-void missing_attribute PROTO((AUTH_REQ *, char *, int, char *));
-VALUE_PAIR * parse_realm PROTO((AUTH_REQ *));
-int prune_pairs PROTO((AUTH_REQ *, PRUN_LIST *, int));
-#define reply_message(authreq, msgno, msg) _reply_message(authreq, msgno, msg,__FILE__, __LINE__)
-int _reply_message PROTO((AUTH_REQ *, ERRORCODE, char *, char *, int));
-int reply_sprintf PROTO(( /* int logsw, AUTHREQ *, char *format, ... */ ));
-int setupsock PROTO((struct sockaddr_in *, int));
-void trunc_logfile PROTO((FILE **, char *));
-char * type_string PROTO((AUTH_REQ *, VALUE_PAIR *));
-
-/* passchange.c */
-int pw_expired PROTO((UINT4));
-
-/* radiusd.c */
-AUTH_REQ * build_acct_req PROTO((AUTH_REQ *, int, char *, int, VALUE_PAIR *));
-int call_action PROTO((AATV *, AUTH_REQ *, int, char *));
-AUTH_REQ * rad_2rad_recv PROTO((struct sockaddr_in *, UINT4, u_int, EV *));
-AUTH_REQ * rad_recv PROTO((struct sockaddr_in *, UINT4, u_int, EV *));
-int radius_send PROTO((char *, u_int, char *, AUTH_REQ *, int));
-void start_fsm PROTO((AUTH_REQ *, int, char *, char *));
-
-/* sesslog.c */
-VALUE_PAIR *log_vp PROTO((FILE *, VALUE_PAIR *, int, int));
-int logfmt_brief PROTO((FILE *, VALUE_PAIR *));
-int logfmt_old PROTO((FILE *, VALUE_PAIR *, int));
-int logfmt_v1_0 PROTO((FILE *, VALUE_PAIR *));
-int logfmt_v1_1 PROTO((FILE *, VALUE_PAIR *));
-int logfmt_v2_0 PROTO((FILE *, VALUE_PAIR *, int, u_short *));
-int logfmt_v2_1 PROTO((FILE *, VALUE_PAIR *, int));
-
-/* users.c */
-int add_file_list PROTO((char *));
-void config_init PROTO((void));
-int config_files PROTO((int, int, int));
-void config_fini PROTO((void));
-void dns_recv PROTO((struct sockaddr_in *, UINT4, int));
-AUTH_ENTRY * find_auth_ent PROTO((char *, int, char*));
-int find_auth_type PROTO((char *, int, char *, int *, char **, char **, char **));
-int find_client PROTO((UINT4, char **, char **, char **));
-int find_client_by_name PROTO((UINT4 *, char *, char **, char **));
-int find_host_by_name PROTO((UINT4 *, char *));
-void free_user_ent PROTO((USER_ENTRY *));
-UINT4 get_our_addr PROTO((void));
-char * ip_hostname PROTO((UINT4));
-void list_cat PROTO((VALUE_PAIR **, VALUE_PAIR *));
-void list_copy PROTO((VALUE_PAIR **, VALUE_PAIR *));
-int pair_parse PROTO((char *, VALUE_PAIR **));
-FILE_LIST * return_file_list PROTO((void));
-int update_clients PROTO((void));
-int user_find PROTO((char *, char *, int, VALUE_PAIR **, VALUE_PAIR **, int));
-void user_gettime PROTO((char *, struct tm *));
-int user_update PROTO((char *, VALUE_PAIR *, VALUE_PAIR*));
-
-/* util.c */
-UINT4 get_ipaddr PROTO((char *));
-int good_ipaddr PROTO((char *));
-void list_free PROTO((VALUE_PAIR *));
-
-/* version.c */
-char * version PROTO((void));
-
-#endif /* RADIUS_H */
+++ /dev/null
-/*
- *
- * RADIUS -- Remote Authentication Dial In User Service
- *
- * COPYRIGHT (c) 1992, 1993, 1994, 1995, 1996
- * THE REGENTS OF THE UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INCORPORATED
- * ALL RIGHTS RESERVED
- *
- * PERMISSION IS GRANTED TO USE, COPY, CREATE DERIVATIVE WORKS AND REDISTRIBUTE
- * THIS SOFTWARE AND SUCH DERIVATIVE WORKS IN BINARY FORM ONLY FOR ANY PURPOSE,
- * SO LONG AS NO FEE IS CHARGED, AND SO LONG AS THE COPYRIGHT NOTICE ABOVE, THIS
- * GRANT OF PERMISSION, AND THE DISCLAIMER BELOW APPEAR IN ALL COPIES MADE; AND
- * SO LONG AS THE NAME OF THE UNIVERSITY OF MICHIGAN IS NOT USED IN ANY
- * ADVERTISING OR PUBLICITY PERTAINING TO THE USE OR DISTRIBUTION OF THIS
- * SOFTWARE WITHOUT SPECIFIC, WRITTEN PRIOR AUTHORIZATION.
- *
- * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY
- * OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE
- * UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
- * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE
- * LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
- * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- *
- * For a License to distribute source code or to charge a fee for the program
- * or a product containing the program, contact MERIT at the University of
- * Michigan:
- *
- * aaa-license@merit.edu
- *
- * [This version puts NO LIMITS on the use. It grants the right to create
- * DERIVATIVE WORKS. The user may copy and distribute the code in the form
- * received AND DERIVATIVE WORKS, so long as no fee is charged. If copies are
- * made, our copyright notice and the disclaimer must be included on them. USE
- * THIS VERSION WITH CARE. THIS VERSION VERY LIKELY WILL KILL ANY POTENTIAL
- * FOR LATER COMMERCIALIZATION OF THE SOFTWARE.]
- *****************************************************************************
- *
- * The code below is a derivative work based on the Merit Radius code found in
- * radpwtst.c v1.38 1996/05/18
- *
- * This code has ONLY been tested, compiled, and used on IRIX 6.2
- *
- * Your config file should look like this:
- * <server>:<port>
- * <server>:<port>
- * (eg: radius1.merit.edu:1645 )
- *
- * If you place more than one server in the config file the code will query
- * each server until the user has been authenticated or the last server has
- * been asked.
- *
- * - Tyler Allison
- * allison@nas.nasa.gov
- */
-
-/* You should only need to change the next couple defines */
-/* If your config file is setup correctly DEFAULT_* are never used */
-#define DEFAULT_RADIUS_SERVER "radius1.merit.edu"
-#define DEFAULT_RADIUS_PORT 1645
-#define RADIUS_DIR "/usr/local/etc/raddb"
-#define CONFIG_FILE "/usr/local/etc/raddb/rad_config"
-#define MAX_CONFIG_LINE 256
-#define RESPONSE_TIMEOUT 3
-#define MAX_RETRIES 0
-#define MAX_PASSWORD_LENGTH 8 /* Radius has a problem with users who */
- /* "think" they have passwords longer than is supported by the */
- /* system. So we need to truncate the password before sending. */
- /* For example: user thinks his password is 'foobarblaz' but we */
- /* all know that passwords can only be 8 characters (on standard) */
- /* so the system stores 'foobarbl' as his password. Now the system */
- /* knows that if the user types in 'foobarblaz' just to truncate */
- /* at the 8th character and move on...but Radius doesnt! */
-
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <sys/time.h>
-#include <sys/signal.h>
-#include <sys/termios.h>
-#include <netdb.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <unistd.h>
-#include <strings.h>
-#include <malloc.h>
-#include <pwd.h>
-#include <sys/fcntl.h>
-#include <sys/wait.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <errno.h>
-#include <dirent.h>
-#include <syslog.h>
-#include <varargs.h>
-
-#include "md5-radius.c" /* Has some md5 functions we need */
-#include "mod-radius.h"
-
-
-#define FIND_MODE_REPLY 1
-#define FIND_MODE_NAME 0
-#define MAX_HOSTNAME_BUFFERS 20
-#define PARSE_MODE_EQUAL 1
-#define PARSE_MODE_NAME 0
-#define PARSE_MODE_VALUE 2
-#define MAX_AVPAIR_VTOA 20
-#define LIST_COPY_LIMIT 256
-#define LOG_ERR 1
-#define LOG_DEBUG 4
-#define null ((void*)0) /* NULL is already defined but It wont catch everything */
-
-
-extern FILE *ddt;
-extern FILE *msgfd;
-extern char *radius_dir;
-extern AATVPTR rad_authen_aatv;
-extern time_t birthdate;
-extern char recv_buffer[4096];
-extern char send_buffer[4096];
-extern char ourhostname[MAXHOSTNAMELEN];
-
-
-static FILE_LIST *file_list = (FILE_LIST *) NULL;
-static UINT4 self_ip[11]; /* Used with multi-homed servers */
-static CLIENT_ENTRY *client_list = (CLIENT_ENTRY *) NULL;
-static CLIENT_ENTRY *old_clients;
-static DICT_ATTR *dictionary_attributes;
-static DICT_VALUE *dictionary_values;
-int dnspid = 0; /* PID of current DNS resolver process */
-int rad_ipc_port = 0;
-static char * months[] =
- {
- "Jan", "Feb", "Mar", "Apr", "May", "Jun",
- "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
- };
-
-/* Put radcheck decleration here so we can put the code later in the file */
-
-int radcheck (char *user_name,char *user_passwd,char *config_path);
-
-int radsock = 0; /* fd for radius socket, if non-blocking mode */
-
-char recv_buffer[4096];
-char send_buffer[4096];
-char ourhostname[MAXHOSTNAMELEN];
-char *progname;
-char *radius_dir;
-int dumpcore = 0;
-int authfile_cnt = 0;
-int clients_cnt = 0;
-int users_cnt = 0;
-time_t birthdate;
-AATVPTR rad_authen_aatv = (AATV *) NULL;
-AATVPTR rad_ipc_aatv = (AATV *) NULL;
-AATV *authtype_tv[PW_AUTH_MAX + 1];
-FILE *ddt = NULL;
-FILE *msgfd = stderr;
-
-typedef struct string_list_struct
-{
- struct string_list_struct *next;
- char *str;
-}string_list;
-
-#include "mod-radfuncs.c" /* These are the funcs we dont need to know about */
-
-
-
-int
-radcheck2 (char *user_name,char *user_passwd, char *host, int port)
-
-{
- int final_result;
- int retries;
- int new_old;
- int zero = 0;
- char *client_name = (char *) NULL;
- char msg[4096]; /* big enough to hold several messages */
- char passwd[AUTH_PASS_LEN + 1];
-
- SEND_DATA data;
- int send_server ();
-
-
- data.user_name=user_name;
- data.password=user_passwd;
-
- /* Set up some defaults */
-
- data.code = PW_ACCESS_REQUEST;
-
- data.svc_port = port;
- data.server = host;
-
- radius_dir = RADIUS_DIR; /* SendServer picks directory, if need be */
- data.timeout = RESPONSE_TIMEOUT;
- data.user_file = null;
- data.group = null;
- data.send_pairs = null;
-
- retries = MAX_RETRIES; /* Try for response this many times */
- new_old = 0; /* Assume old style */
- data.ustype = 0;
- data.fptype = 0; /* by default */
- data.port_num = 1; /* just default to port number one here */
-
-
- /* Plain authentication request ==> PW_AUTHENTICATE_ONLY */
- if (data.ustype == 0)
- {
- if (new_old == 1) /* new style */
- {
- data.ustype = PW_AUTHENTICATE_ONLY;
- }
- else /* old style */
- {
- data.ustype = PW_OUTBOUND_USER;
- }
- }
-
- srand (time (0)); /* Use random sequence number in request */
- data.seq_nbr = (u_char) rand ();
-
- if (gethostname (ourhostname, sizeof (ourhostname)) < 0)
- {
- perror ("gethostname");
- return (-2);
- }
-
-
- if (client_name == null)
- {
- if ((data.client_id = get_ipaddr (ourhostname)) == 0)
- {
- data.client_id = 0;
- return (-3);
- }
- }
-
-
- if ((data.user_file != null) && (data.group == null))
- {
- data.group = "DEFAULT";
- }
-
-
- if (send_server(&data, &retries, msg) == OK_RC)
- {
- final_result = 1;
- }
- else
- {
- final_result = 0;
- }
- return (final_result);
-} /* end of radcheck2 () */
-
-
-/****************************************************************************/
-/* This is the meat of the RADIUS authentication. It is called from */
-/* mod_auth_external.c */
-/* Pass it a username and password and returns: */
-/* 0 = Authenticated */
-/* 1 = Not Authenticated */
-/****************************************************************************/
-
-int
-radcheck (char *user_name,char *user_passwd,char *config_path)
-
-{
- int auth;
- char config_line[MAX_CONFIG_LINE];
- char *host; /* Pointer to the host we want to query */
- char *port; /* Pointer to the port we want to query */
- char *ptrunc; /* Pointer for truncating user_passwd */
-
- long rad_port;
-
- /* Okay lets get the config file */
-
- FILE *rad_config;
- auth = 1; /* Authentication assumed to be NO unless told otherwise */
-
- /* lets check the length of user_passwd and truncate as needed */
- if (strlen(user_passwd) > MAX_PASSWORD_LENGTH ) {
- /* argh! more pointers! */
- ptrunc = &user_passwd[MAX_PASSWORD_LENGTH+ 1];
- *ptrunc = '\0';
- }
-
- rad_config = fopen(config_path, "r"); /* open the file */
-
- if (rad_config == null) {
- /* Aww damn it! No config file let's use default!*/
- auth = radcheck2(user_name,user_passwd,DEFAULT_RADIUS_SERVER,DEFAULT_RADIUS_PORT);
- }
- else {
- /* Loop inside the config file testing each host */
- while(fgets(config_line,MAX_CONFIG_LINE,rad_config) != null) {
- config_line[strlen(config_line)-1] = '\0'; /* remove newline at end*/
- host = config_line; /* host is at the beginning of line */
- port = strchr(config_line, ':'); /* Find the colon seperator */
-
- /* Check for errors */
- if (port == null) {
-
- printf("Radius Error: Unable to parse Radius server file: %s\n",config_path);
- return(-9);
- }
- *port = '\0'; /* Put newline where the colon is */
- port++; /* Point to next character */
- rad_port = strtol(port,null,10); /* Port has to be an int so convert! */
- auth = radcheck2(user_name,user_passwd,host,rad_port);
- if (auth == 1) {
- return(0); /*This needs to change to 'auth' when new */
- /* mod_auth_external.c comes out*/
- }
- }
- }
- return(1); /* This needs to change to 'auth' when new */
- /* mod_auth_external.c comes out */
-}
-
-
-