First working revision.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/RadiusAuthentication.php Wed Jan 06 02:57:23 2010 -0500
@@ -0,0 +1,418 @@
+<?php
+/**!info**
+{
+ "Plugin Name" : "RADIUS authentication",
+ "Plugin URI" : "http://enanocms.org/plugin/radiusauth",
+ "Description" : "Allows authentication to Enano via a RADIUS server.",
+ "Author" : "Dan Fuhry",
+ "Version" : "1.0",
+ "Author URI" : "http://enanocms.org/",
+ "Auth plugin" : true
+}
+**!*/
+
+/*
+ * RADIUS authentication plugin for Enano
+ * (C) 2010 Dan Fuhry
+ *
+ * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
+ *
+ * Please note: the back-end RADIUS library files, libradauth.php and libmschap.php, are under the BSD license.
+ */
+
+if ( getConfig('radius_enable', 0) == 1 )
+{
+ $plugins->attachHook('login_process_userdata_json', 'return radius_auth_hook($userinfo, $req["level"], $req["remember"]);');
+}
+
+function radius_auth_hook($userinfo, $level, $remember)
+{
+ global $db, $session, $paths, $template, $plugins; // Common objects
+
+ // First try to just authenticate the user in RADIUS
+ require_once(ENANO_ROOT . '/plugins/radiusauth/libradauth.php');
+
+ $server = getConfig('radius_server', false);
+ $port = getConfig('radius_port', 1812);
+ $secret = getConfig('radius_secret', '');
+ $method = getConfig('radius_method', 'pap');
+ if ( empty($server) )
+ // bad server? break out and continue the Enano auth chain
+ return null;
+
+ // We're ready to do a RADIUS auth attempt
+ try
+ {
+ $radius = new RadiusAuth($server, $secret, $port);
+ $auth_result = $radius->authenticate($userinfo['username'], $userinfo['password'], $method);
+ }
+ catch ( RadiusError $e )
+ {
+ return array(
+ 'mode' => 'error',
+ 'error' => "The RADIUS interface returned a technical error."
+ );
+ }
+
+ if ( $auth_result )
+ {
+ // RADIUS authentication was successful.
+ $username = $db->escape(strtolower($userinfo['username']));
+ $q = $db->sql_query("SELECT user_id, password FROM " . table_prefix . "users WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username';");
+ if ( !$q )
+ $db->_die();
+ if ( $db->numrows() < 1 )
+ {
+ // This user doesn't exist.
+ // Is creating it our job?
+ if ( getConfig('radius_disable_local_auth', 0) == 1 )
+ {
+ // Yep, register him
+ $email = strtolower($userinfo['username']) . '@' . getConfig('radius_email_domain', 'localhost');
+ $random_pass = md5(microtime() . mt_rand());
+ // load the language
+ $session->register_guest_session();
+ $reg_result = $session->create_user($userinfo['username'], $random_pass, $email);
+ if ( $reg_result != 'success' )
+ {
+ // o_O
+ // Registration failed.
+ return array(
+ 'mode' => 'error',
+ 'error' => 'Your username and password were valid, but there was a problem instanciating your local user account.'
+ );
+ }
+ // Get user ID
+ $q = $db->sql_query("SELECT user_id, password FROM " . table_prefix . "users WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username';");
+ if ( !$q )
+ $db->_die();
+ if ( $db->numrows() < 1 )
+ return array(
+ 'mode' => 'error',
+ 'error' => 'Your username and password were valid, but there was a problem getting your user ID.'
+ );
+ $row = $db->fetchrow();
+ $db->free_result();
+ // Quick - lock the account
+ $q = $db->sql_query('UPDATE ' . table_prefix . "users SET password = 'Locked by RADIUS plugin', password_salt = 'Locked by RADIUS plugin' WHERE user_id = {$row['user_id']};");
+ if ( !$q )
+ $db->_die();
+
+ $row['password'] = 'Locked by RADIUS plugin';
+ }
+ else
+ {
+ // Nope. Just let Enano fail it properly.
+ return null;
+ }
+ }
+ else
+ {
+ $row = $db->fetchrow();
+ $db->free_result();
+ }
+
+ $session->register_session($row['user_id'], $userinfo['username'], $row['password'], $level, $remember);
+ return true;
+ }
+ else
+ {
+ // RADIUS authentication failed.
+
+ // Are local logons allowed?
+ if ( getConfig('radius_disable_local_auth', 0) == 0 )
+ {
+ // Yes, allow auth to continue
+ return null;
+ }
+
+ // Block the login attempt unless the username is a local admin.
+ $username = $db->escape(strtolower($userinfo['username']));
+ $q = $db->sql_query("SELECT user_level FROM " . table_prefix . "users WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username';");
+ if ( !$q )
+ $db->_die();
+ if ( $db->numrows() > 0 )
+ {
+ // Well, the user exists...
+ list($ul) = $db->fetchrow_num();
+ $db->free_result();
+ if ( $ul >= USER_LEVEL_ADMIN )
+ {
+ // They're an admin, allow local logon
+ return null;
+ }
+ }
+ $db->free_result();
+
+ // User doesn't exist, or is not an admin, and users are not allowed to log on locally. Lock them out.
+ $q = $db->sql_query('INSERT INTO ' . table_prefix . "lockout(ipaddr, timestamp, action, username)\n"
+ . " VALUES('" . $db->escape($_SERVER['REMOTE_ADDR']) . "', " . time() . ", 'credential', '" . $db->escape($userinfo['username']) . "');");
+ if ( !$q )
+ $db->_die();
+
+ return array(
+ 'mode' => 'error',
+ 'error' => 'Invalid RADIUS authentication credentials.'
+ );
+ }
+}
+
+// Registration blocking hook
+if ( getConfig('radius_disable_local_auth', 0) == 1 )
+{
+ $plugins->attachHook('ucp_register_validate', 'radius_auth_reg_block($error);');
+}
+
+function radius_auth_reg_block(&$error)
+{
+ $error = 'Registration on this website is disabled because RADIUS authentication is configured. Please log in using a valid RADIUS username and password, and an account will be created for you automatically.';
+}
+
+//
+// ADMIN
+//
+
+$plugins->attachHook('session_started', 'radius_session_hook();');
+
+if ( getConfig('radius_disable_local_auth', 0) == 1 )
+{
+ $plugins->attachHook('common_post', 'radius_tou_hook();');
+}
+
+function radius_session_hook()
+{
+ global $db, $session, $paths, $template, $plugins; // Common objects
+
+ // Register the admin page
+ $paths->addAdminNode('adm_cat_security', 'RADIUS Authentication', 'RadiusConfig');
+
+ // Disable password change
+ if ( getConfig('radius_disable_local_auth', 0) == 1 && $session->user_level < USER_LEVEL_ADMIN )
+ {
+ $link_text = getConfig('radius_password_text', false);
+ if ( empty($link_text) )
+ $link_text = false;
+ $link_url = str_replace('%u', $session->username, getConfig('radius_password_url', ''));
+ if ( empty($link_url) )
+ $link_url = false;
+ $session->disable_password_change($link_url, $link_text);
+ }
+}
+
+function radius_tou_hook()
+{
+ global $db, $session, $paths, $template, $plugins; // Common objects
+
+ // Are we pending TOU acceptance?
+ if ( $session->user_logged_in && !$session->on_critical_page() && trim(getConfig('register_tou', '')) != '' )
+ {
+ $q = $db->sql_query('SELECT account_active FROM ' . table_prefix . "users WHERE user_id = $session->user_id;");
+ if ( !$q )
+ $db->_die();
+
+ list($active) = $db->fetchrow_num();
+ $db->free_result();
+ if ( $active == 1 )
+ {
+ // Pending TOU accept
+ // Basically, what we do here is force the user to accept the TOU and record it by setting account_active to 2 instead of a 1
+ // A bit of a hack, but hey, it works, at least in 1.1.8.
+ // In 1.1.7, it just breaks your whole account, and $session->on_critical_page() is broken in 1.1.7 so you won't even be able
+ // to go the admin CP and re-activate yourself. Good times... erhm, sorry.
+
+ if ( isset($_POST['tou_agreed']) && $_POST['tou_agreed'] === 'I accept the terms and conditions displayed on this site' )
+ {
+ // Accepted
+ $q = $db->sql_query('UPDATE ' . table_prefix . "users SET account_active = 2 WHERE user_id = $session->user_id;");
+ if ( !$q )
+ $db->_die();
+
+ return true;
+ }
+
+ global $output, $lang;
+ $output->set_title('Terms of Use');
+ $output->header();
+
+ ?>
+ <p>Please read and accept the following terms:</p>
+
+ <div style="border: 1px solid #000000; height: 300px; width: 60%; clip: rect(0px,auto,auto,0px); overflow: auto; background-color: #FFF; margin: 0 auto; padding: 4px;">
+ <?php
+ $terms = getConfig('register_tou', '');
+ echo RenderMan::render($terms);
+ ?>
+ </div>
+
+ <form method="post">
+ <p style="text-align: center;">
+ <label>
+ <input tabindex="7" type="checkbox" name="tou_agreed" value="I accept the terms and conditions displayed on this site" />
+ <b><?php echo $lang->get('user_reg_lbl_field_tou'); ?></b>
+ </label>
+ </p>
+ <p style="text-align: center;">
+ <input type="submit" value="Continue" />
+ </p>
+ </form>
+
+ <?php
+
+ $output->footer();
+
+ $db->close();
+ exit;
+ }
+ }
+}
+
+function page_Admin_RadiusConfig()
+{
+ // Security check
+ global $db, $session, $paths, $template, $plugins; // Common objects
+ if ( $session->auth_level < USER_LEVEL_ADMIN )
+ return false;
+
+ if ( isset($_POST['submit']) )
+ {
+ setConfig('radius_enable', isset($_POST['radius_enable']) ? '1' : '0');
+ setConfig('radius_server', $_POST['radius_server']);
+ setConfig('radius_port', intval($_POST['radius_port']) > 0 && intval($_POST['radius_port']) < 65535 ? intval($_POST['radius_port']) : 1812 );
+ setConfig('radius_secret', $_POST['radius_secret']);
+ setConfig('radius_disable_local_auth', isset($_POST['radius_disable_local_auth']) ? '1' : '0');
+ setConfig('radius_password_text', $_POST['radius_password_text']);
+ setConfig('radius_password_url', $_POST['radius_password_url']);
+ setConfig('radius_email_domain', $_POST['radius_email_domain']);
+ setConfig('radius_method', $_POST['radius_method']);
+
+ echo '<div class="info-box">Your changes have been saved.</div>';
+ }
+
+ acp_start_form();
+ ?>
+ <div class="tblholder">
+ <table border="0" cellspacing="1" cellpadding="4">
+ <tr>
+ <th colspan="2">
+ RADIUS Authentication Configuration
+ </th>
+ </tr>
+
+ <!-- RADIUS enable -->
+
+ <tr>
+ <td class="row2" style="width: 50%;">
+ Enable RADIUS authentication:
+ </td>
+ <td class="row1" style="width: 50%;">
+ <label>
+ <input type="checkbox" name="radius_enable" <?php if ( getConfig('radius_enable', 0) ) echo 'checked="checked" '; ?>/>
+ Enabled
+ </label>
+ </td>
+ </tr>
+
+ <!-- Server -->
+
+ <tr>
+ <td class="row2">
+ RADIUS server:
+ </td>
+ <td class="row1">
+ <input type="text" name="radius_server" value="<?php echo htmlspecialchars(getConfig('radius_server', '')); ?>" size="15" />
+ Port:
+ <input type="text" name="radius_port" value="<?php echo getConfig('radius_port', 1812); ?>" size="5" />
+ </td>
+ </tr>
+
+ <!-- Secret -->
+
+ <tr>
+ <td class="row2">
+ Shared secret:
+ </td>
+ <td class="row1">
+ <input type="text" name="radius_secret" value="<?php echo htmlspecialchars(getConfig('radius_secret', '')); ?>" size="30" />
+ </td>
+ </tr>
+
+ <!-- Auth method -->
+
+ <tr>
+ <td class="row2">
+ Authentication method:
+ </td>
+ <td class="row1">
+ <select name="radius_method">
+ <?php
+ $methods = array(
+ 'pap' => 'PAP',
+ 'chap' => 'CHAP',
+ 'mschap' => 'MS-CHAP v1',
+ 'mschapv2' => 'MS-CHAP v2'
+ );
+ foreach ( $methods as $method => $name )
+ {
+ $select = getConfig('radius_method', 'pap') == $method ? ' selected="selected"' : '';
+ echo "<option value=\"$method\"{$select}>$name</option>";
+ }
+ ?>
+ </select>
+ </td>
+ </tr>
+
+ <!-- Block local auth -->
+
+ <tr>
+ <td class="row2">
+ Enforce RADIUS for single-sign-on:<br />
+ <small>Use this option to force RADIUS passwords and accounts to be used, regardless of local accounts, except for administrators.</small>
+ </td>
+ <td class="row1">
+ <label>
+ <input type="checkbox" name="radius_disable_local_auth" <?php if ( getConfig('radius_disable_local_auth', 0) ) echo 'checked="checked" '; ?>/>
+ Enabled
+ </label>
+ </td>
+ </tr>
+
+ <!-- E-mail domain -->
+
+ <tr>
+ <td class="row2">
+ E-mail address domain for autoregistered users:<br />
+ <small>When a user is automatically registered, this domain will be used as the domain for their e-mail address. This way, activation e-mails will
+ (ideally) reach the user.</small>
+ </td>
+ <td class="row1">
+ <input type="text" name="radius_email_domain" value="<?php echo htmlspecialchars(getConfig('radius_email_domain', '')); ?>" size="30" />
+ </td>
+ </tr>
+
+ <!-- Site password change link -->
+
+ <tr>
+ <td class="row2">
+ External password management link:<br />
+ <small>Enter a URL here to link to from Enano's Change Password page. Leave blank to not display a link. The text "%u" will be replaced with the user's username.</small>
+ </td>
+ <td class="row1">
+ Link text: <input type="text" name="radius_password_text" value="<?php echo htmlspecialchars(getConfig('radius_password_text', '')); ?>" size="30" /><br />
+ Link URL: <input type="text" name="radius_password_url" value="<?php echo htmlspecialchars(getConfig('radius_password_url', '')); ?>" size="30" />
+ </td>
+ </tr>
+
+ <tr>
+ <th class="subhead" colspan="2">
+ <input type="submit" name="submit" value="Save changes" />
+ </th>
+ </tr>
+ </table>
+ </div>
+ <?php
+ echo '</form>';
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/radiusauth/libmschap.php Wed Jan 06 02:57:23 2010 -0500
@@ -0,0 +1,101 @@
+<?php
+
+/*
+Copyright (c) 2003, Michael Bretterklieber <michael@bretterklieber.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+3. The names of the authors may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The author of this file respectfully requests that you refrain from
+relicensing it under the GPL, although the BSD license permits you to do so.
+
+ $Id: mschap.php,v 1.5 2003/01/26 20:31:11 mbretter Exp $
+*/
+
+function des_encrypt_ecb($key, $clearText)
+{
+ return mcrypt_ecb (MCRYPT_DES, $key, $clearText, MCRYPT_ENCRYPT, str_pad("", 8, chr(0x00)));
+}
+
+function NtPasswordHash($plain)
+{
+ return mhash (MHASH_MD4, str2unicode($plain));
+}
+
+function str2unicode($str)
+{
+ $uni = '';
+ for ($i=0;$i<strlen($str);$i++) {
+ $a = ord($str{$i}) << 8;
+ $uni .= sprintf("%X",$a);
+ }
+ return pack('H*', $uni);
+}
+
+function GenerateChallenge($size = 8)
+{
+ $chall = '';
+ mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff);
+ for($i = 0; $i < $size; $i++) {
+ $chall .= pack('C', 1 + mt_rand() % 255);
+ }
+ return $chall;
+}
+
+function ChallengeResponse($challenge, $nthash)
+{
+ while (strlen($nthash) < 21)
+ $nthash .= "\0";
+
+ $resp1 = des_encrypt_ecb(substr($nthash, 0, 7), $challenge);
+ $resp2 = des_encrypt_ecb(substr($nthash, 7, 7), $challenge);
+ $resp3 = des_encrypt_ecb(substr($nthash, 14, 7), $challenge);
+
+ return $resp1 . $resp2 . $resp3;
+}
+
+// MS-CHAPv2
+
+function GeneratePeerChallenge()
+{
+ return GenerateChallenge(16);
+}
+
+function NtPasswordHashHash($hash)
+{
+ return mhash (MHASH_MD4, $hash);
+}
+
+function ChallengeHash($challenge, $peerChallenge, $username)
+{
+ return substr(mhash (MHASH_SHA1, $peerChallenge . $challenge . $username), 0, 8);
+}
+
+function GenerateNTResponse($challenge, $peerChallenge, $username, $password)
+{
+ $challengeHash = ChallengeHash($challenge, $peerChallenge, $username);
+ $pwhash = NtPasswordHash($password);
+ return ChallengeResponse($challengeHash, $pwhash);
+}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/radiusauth/libradauth.php Wed Jan 06 02:57:23 2010 -0500
@@ -0,0 +1,233 @@
+<?php
+
+/*
+Copyright (c) 2003, Michael Bretterklieber <michael@bretterklieber.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+3. The names of the authors may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The author of this file respectfully requests that you refrain from
+relicensing it under the GPL, although the BSD license permits you to do so.
+
+*/
+
+class RadiusAuth
+{
+ var $radius;
+
+ var $server = 'localhost';
+ var $secret = 's3cr35SHH';
+ var $port = 1812;
+
+ function __construct($server, $secret, $port = 1812)
+ {
+ $this->radius = radius_auth_open();
+ if ( !$this->radius )
+ {
+ throw new RadiusError("Could not get RADIUS resource");
+ }
+
+ $this->set_server_params($server, $secret, $port);
+ $this->create_request();
+ }
+
+ function set_server_params($server, $secret, $port = 1812)
+ {
+ $this->server = $server;
+ $this->secret = $secret;
+ $this->port = $port;
+ }
+
+ function create_request()
+ {
+ if ( !radius_add_server($this->radius, $this->server, $this->port, $this->secret, 3, 3) )
+ throw new RadiusError(radius_strerror($this->radius));
+
+ if ( !radius_create_request($this->radius, RADIUS_ACCESS_REQUEST) )
+ throw new RadiusError(radius_strerror($this->radius));
+
+ if (!radius_put_string($this->radius, RADIUS_NAS_IDENTIFIER, isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost'))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ /*
+ if (!radius_put_int($this->radius, RADIUS_SERVICE_TYPE, RADIUS_FRAMED))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ if (!radius_put_int($this->radius, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP))
+ throw new RadiusError(radius_strerror($this->radius));
+ */
+
+ if (!radius_put_string($this->radius, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1'))
+ throw new RadiusError(radius_strerror($this->radius));
+ }
+
+ function authenticate($username, $password, $method = 'pap')
+ {
+ //
+ // Send the username
+ //
+
+ if ( !radius_put_string($this->radius, RADIUS_USER_NAME, $username) )
+ throw new RadiusError("RADIUS_USER_NAME: " . radius_strerror($this->radius));
+
+ //
+ // Send the password, or complete the challenge process
+ //
+
+ switch ( $method )
+ {
+ case 'chap':
+
+ //
+ // CHAP
+ //
+
+ /* generate Challenge */
+ mt_srand(time() * mt_rand());
+ $chall = mt_rand();
+
+ // FYI: CHAP = md5(ident + plaintextpass + challenge)
+ $chapval = pack('H*', md5(pack('Ca*', 1, $password . $chall)));
+ // Radius wants the CHAP Ident in the first byte of the CHAP-Password
+ $pass_chap = pack('C', 1) . $chapval;
+
+ if (!radius_put_attr($this->radius, RADIUS_CHAP_PASSWORD, $pass_chap))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ if (!radius_put_attr($this->radius, RADIUS_CHAP_CHALLENGE, $chall))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ break;
+
+ case 'mschap':
+
+ //
+ // MS-CHAP v1
+ //
+
+ require_once(ENANO_ROOT . '/plugins/radiusauth/libradauth.php');
+
+ $challenge = GenerateChallenge();
+
+ if (!radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ $ntresp = ChallengeResponse($challenge, NtPasswordHash($password));
+ $lmresp = str_repeat ("\0", 24);
+
+ // Response: chapid, flags (1 = use NT Response), LM Response, NT Response
+ $resp = pack('CCa48',1 , 1, $lmresp . $ntresp);
+
+ if ( !radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_RESPONSE, $resp))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ break;
+
+ case 'mschapv2':
+
+ //
+ // MS-CHAP v2
+ //
+
+ require_once(ENANO_ROOT . '/plugins/radiusauth/libradauth.php');
+
+ $authChallenge = GenerateChallenge(16);
+
+ if (!radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $authChallenge))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ // we have no client, therefore we generate the Peer-Challenge
+ $peerChallenge = GeneratePeerChallenge();
+
+ $ntresp = GenerateNTResponse($authChallenge, $peerChallenge, $username, $password);
+ $reserved = str_repeat ("\0", 8);
+
+ // Response: chapid, flags (1 = use NT Response), Peer challenge, reserved, Response
+ $resp = pack('CCa16a8a24',1 , 1, $peerChallenge, $reserved, $ntresp);
+
+ if (!radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp))
+ throw new RadiusError(radius_strerror($this->radius));
+
+ break;
+
+ case 'pap':
+ default:
+
+ //
+ // PAP
+ //
+
+ if ( !radius_put_string($this->radius, RADIUS_USER_PASSWORD, $password) )
+ throw new RadiusError("RADIUS_USER_PASSWORD: " . radius_strerror($this->radius));
+
+ break;
+ }
+
+ $req = radius_send_request($this->radius);
+ if ( !$req )
+ throw new RadiusError(radius_strerror($this->radius));
+
+ switch($req)
+ {
+ case RADIUS_ACCESS_ACCEPT:
+ return true;
+
+ case RADIUS_ACCESS_REJECT:
+ return false;
+
+ default:
+ echo "Unexpected return value:$req\n<br>";
+ return false;
+ }
+ }
+
+ function get_attrs()
+ {
+ $attrs = array();
+ while ($resa = radius_get_attr($this->radius))
+ {
+ $attrs[ $resa['attr'] ] = $resa['data'];
+ }
+
+ return $attrs;
+ }
+
+ function get_authenticator()
+ {
+ if ( $authent = radius_request_authenticator($this->radius) )
+ return $authent;
+
+ throw new RadiusError(radius_strerror($this->radius));
+ }
+
+ function close()
+ {
+ radius_close($this->radius);
+ }
+}
+
+class RadiusError extends Exception
+{
+
+}