RADIUS authentication: radiusauth/libradauth.php@7e0b422b1725 (annotated)

0 7e0b422b1725 First working revision. Dan parents: diff changeset	1	<?php
7e0b422b1725 First working revision. Dan parents: diff changeset	2
7e0b422b1725 First working revision. Dan parents: diff changeset	3	/*
7e0b422b1725 First working revision. Dan parents: diff changeset	4	Copyright (c) 2003, Michael Bretterklieber <michael@bretterklieber.com>
7e0b422b1725 First working revision. Dan parents: diff changeset	5	All rights reserved.
7e0b422b1725 First working revision. Dan parents: diff changeset	6
7e0b422b1725 First working revision. Dan parents: diff changeset	7	Redistribution and use in source and binary forms, with or without
7e0b422b1725 First working revision. Dan parents: diff changeset	8	modification, are permitted provided that the following conditions
7e0b422b1725 First working revision. Dan parents: diff changeset	9	are met:
7e0b422b1725 First working revision. Dan parents: diff changeset	10
7e0b422b1725 First working revision. Dan parents: diff changeset	11	1. Redistributions of source code must retain the above copyright
7e0b422b1725 First working revision. Dan parents: diff changeset	12	notice, this list of conditions and the following disclaimer.
7e0b422b1725 First working revision. Dan parents: diff changeset	13	2. Redistributions in binary form must reproduce the above copyright
7e0b422b1725 First working revision. Dan parents: diff changeset	14	notice, this list of conditions and the following disclaimer in the
7e0b422b1725 First working revision. Dan parents: diff changeset	15	documentation and/or other materials provided with the distribution.
7e0b422b1725 First working revision. Dan parents: diff changeset	16	3. The names of the authors may not be used to endorse or promote products
7e0b422b1725 First working revision. Dan parents: diff changeset	17	derived from this software without specific prior written permission.
7e0b422b1725 First working revision. Dan parents: diff changeset	18
7e0b422b1725 First working revision. Dan parents: diff changeset	19	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
7e0b422b1725 First working revision. Dan parents: diff changeset	20	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
7e0b422b1725 First working revision. Dan parents: diff changeset	21	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e0b422b1725 First working revision. Dan parents: diff changeset	22	IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
7e0b422b1725 First working revision. Dan parents: diff changeset	23	INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
7e0b422b1725 First working revision. Dan parents: diff changeset	24	BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e0b422b1725 First working revision. Dan parents: diff changeset	25	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
7e0b422b1725 First working revision. Dan parents: diff changeset	26	OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
7e0b422b1725 First working revision. Dan parents: diff changeset	27	NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
7e0b422b1725 First working revision. Dan parents: diff changeset	28	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e0b422b1725 First working revision. Dan parents: diff changeset	29
7e0b422b1725 First working revision. Dan parents: diff changeset	30	The author of this file respectfully requests that you refrain from
7e0b422b1725 First working revision. Dan parents: diff changeset	31	relicensing it under the GPL, although the BSD license permits you to do so.
7e0b422b1725 First working revision. Dan parents: diff changeset	32
7e0b422b1725 First working revision. Dan parents: diff changeset	33	*/
7e0b422b1725 First working revision. Dan parents: diff changeset	34
7e0b422b1725 First working revision. Dan parents: diff changeset	35	class RadiusAuth
7e0b422b1725 First working revision. Dan parents: diff changeset	36	{
7e0b422b1725 First working revision. Dan parents: diff changeset	37	var $radius;
7e0b422b1725 First working revision. Dan parents: diff changeset	38
7e0b422b1725 First working revision. Dan parents: diff changeset	39	var $server = 'localhost';
7e0b422b1725 First working revision. Dan parents: diff changeset	40	var $secret = 's3cr35SHH';
7e0b422b1725 First working revision. Dan parents: diff changeset	41	var $port = 1812;
7e0b422b1725 First working revision. Dan parents: diff changeset	42
7e0b422b1725 First working revision. Dan parents: diff changeset	43	function __construct($server, $secret, $port = 1812)
7e0b422b1725 First working revision. Dan parents: diff changeset	44	{
7e0b422b1725 First working revision. Dan parents: diff changeset	45	$this->radius = radius_auth_open();
7e0b422b1725 First working revision. Dan parents: diff changeset	46	if ( !$this->radius )
7e0b422b1725 First working revision. Dan parents: diff changeset	47	{
7e0b422b1725 First working revision. Dan parents: diff changeset	48	throw new RadiusError("Could not get RADIUS resource");
7e0b422b1725 First working revision. Dan parents: diff changeset	49	}
7e0b422b1725 First working revision. Dan parents: diff changeset	50
7e0b422b1725 First working revision. Dan parents: diff changeset	51	$this->set_server_params($server, $secret, $port);
7e0b422b1725 First working revision. Dan parents: diff changeset	52	$this->create_request();
7e0b422b1725 First working revision. Dan parents: diff changeset	53	}
7e0b422b1725 First working revision. Dan parents: diff changeset	54
7e0b422b1725 First working revision. Dan parents: diff changeset	55	function set_server_params($server, $secret, $port = 1812)
7e0b422b1725 First working revision. Dan parents: diff changeset	56	{
7e0b422b1725 First working revision. Dan parents: diff changeset	57	$this->server = $server;
7e0b422b1725 First working revision. Dan parents: diff changeset	58	$this->secret = $secret;
7e0b422b1725 First working revision. Dan parents: diff changeset	59	$this->port = $port;
7e0b422b1725 First working revision. Dan parents: diff changeset	60	}
7e0b422b1725 First working revision. Dan parents: diff changeset	61
7e0b422b1725 First working revision. Dan parents: diff changeset	62	function create_request()
7e0b422b1725 First working revision. Dan parents: diff changeset	63	{
7e0b422b1725 First working revision. Dan parents: diff changeset	64	if ( !radius_add_server($this->radius, $this->server, $this->port, $this->secret, 3, 3) )
7e0b422b1725 First working revision. Dan parents: diff changeset	65	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	66
7e0b422b1725 First working revision. Dan parents: diff changeset	67	if ( !radius_create_request($this->radius, RADIUS_ACCESS_REQUEST) )
7e0b422b1725 First working revision. Dan parents: diff changeset	68	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	69
7e0b422b1725 First working revision. Dan parents: diff changeset	70	if (!radius_put_string($this->radius, RADIUS_NAS_IDENTIFIER, isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost'))
7e0b422b1725 First working revision. Dan parents: diff changeset	71	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	72
7e0b422b1725 First working revision. Dan parents: diff changeset	73	/*
7e0b422b1725 First working revision. Dan parents: diff changeset	74	if (!radius_put_int($this->radius, RADIUS_SERVICE_TYPE, RADIUS_FRAMED))
7e0b422b1725 First working revision. Dan parents: diff changeset	75	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	76
7e0b422b1725 First working revision. Dan parents: diff changeset	77	if (!radius_put_int($this->radius, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP))
7e0b422b1725 First working revision. Dan parents: diff changeset	78	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	79	*/
7e0b422b1725 First working revision. Dan parents: diff changeset	80
7e0b422b1725 First working revision. Dan parents: diff changeset	81	if (!radius_put_string($this->radius, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1'))
7e0b422b1725 First working revision. Dan parents: diff changeset	82	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	83	}
7e0b422b1725 First working revision. Dan parents: diff changeset	84
7e0b422b1725 First working revision. Dan parents: diff changeset	85	function authenticate($username, $password, $method = 'pap')
7e0b422b1725 First working revision. Dan parents: diff changeset	86	{
7e0b422b1725 First working revision. Dan parents: diff changeset	87	//
7e0b422b1725 First working revision. Dan parents: diff changeset	88	// Send the username
7e0b422b1725 First working revision. Dan parents: diff changeset	89	//
7e0b422b1725 First working revision. Dan parents: diff changeset	90
7e0b422b1725 First working revision. Dan parents: diff changeset	91	if ( !radius_put_string($this->radius, RADIUS_USER_NAME, $username) )
7e0b422b1725 First working revision. Dan parents: diff changeset	92	throw new RadiusError("RADIUS_USER_NAME: " . radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	93
7e0b422b1725 First working revision. Dan parents: diff changeset	94	//
7e0b422b1725 First working revision. Dan parents: diff changeset	95	// Send the password, or complete the challenge process
7e0b422b1725 First working revision. Dan parents: diff changeset	96	//
7e0b422b1725 First working revision. Dan parents: diff changeset	97
7e0b422b1725 First working revision. Dan parents: diff changeset	98	switch ( $method )
7e0b422b1725 First working revision. Dan parents: diff changeset	99	{
7e0b422b1725 First working revision. Dan parents: diff changeset	100	case 'chap':
7e0b422b1725 First working revision. Dan parents: diff changeset	101
7e0b422b1725 First working revision. Dan parents: diff changeset	102	//
7e0b422b1725 First working revision. Dan parents: diff changeset	103	// CHAP
7e0b422b1725 First working revision. Dan parents: diff changeset	104	//
7e0b422b1725 First working revision. Dan parents: diff changeset	105
7e0b422b1725 First working revision. Dan parents: diff changeset	106	/* generate Challenge */
7e0b422b1725 First working revision. Dan parents: diff changeset	107	mt_srand(time() * mt_rand());
7e0b422b1725 First working revision. Dan parents: diff changeset	108	$chall = mt_rand();
7e0b422b1725 First working revision. Dan parents: diff changeset	109
7e0b422b1725 First working revision. Dan parents: diff changeset	110	// FYI: CHAP = md5(ident + plaintextpass + challenge)
7e0b422b1725 First working revision. Dan parents: diff changeset	111	$chapval = pack('H', md5(pack('Ca', 1, $password . $chall)));
7e0b422b1725 First working revision. Dan parents: diff changeset	112	// Radius wants the CHAP Ident in the first byte of the CHAP-Password
7e0b422b1725 First working revision. Dan parents: diff changeset	113	$pass_chap = pack('C', 1) . $chapval;
7e0b422b1725 First working revision. Dan parents: diff changeset	114
7e0b422b1725 First working revision. Dan parents: diff changeset	115	if (!radius_put_attr($this->radius, RADIUS_CHAP_PASSWORD, $pass_chap))
7e0b422b1725 First working revision. Dan parents: diff changeset	116	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	117
7e0b422b1725 First working revision. Dan parents: diff changeset	118	if (!radius_put_attr($this->radius, RADIUS_CHAP_CHALLENGE, $chall))
7e0b422b1725 First working revision. Dan parents: diff changeset	119	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	120
7e0b422b1725 First working revision. Dan parents: diff changeset	121	break;
7e0b422b1725 First working revision. Dan parents: diff changeset	122
7e0b422b1725 First working revision. Dan parents: diff changeset	123	case 'mschap':
7e0b422b1725 First working revision. Dan parents: diff changeset	124
7e0b422b1725 First working revision. Dan parents: diff changeset	125	//
7e0b422b1725 First working revision. Dan parents: diff changeset	126	// MS-CHAP v1
7e0b422b1725 First working revision. Dan parents: diff changeset	127	//
7e0b422b1725 First working revision. Dan parents: diff changeset	128
7e0b422b1725 First working revision. Dan parents: diff changeset	129	require_once(ENANO_ROOT . '/plugins/radiusauth/libradauth.php');
7e0b422b1725 First working revision. Dan parents: diff changeset	130
7e0b422b1725 First working revision. Dan parents: diff changeset	131	$challenge = GenerateChallenge();
7e0b422b1725 First working revision. Dan parents: diff changeset	132
7e0b422b1725 First working revision. Dan parents: diff changeset	133	if (!radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge))
7e0b422b1725 First working revision. Dan parents: diff changeset	134	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	135
7e0b422b1725 First working revision. Dan parents: diff changeset	136	$ntresp = ChallengeResponse($challenge, NtPasswordHash($password));
7e0b422b1725 First working revision. Dan parents: diff changeset	137	$lmresp = str_repeat ("\0", 24);
7e0b422b1725 First working revision. Dan parents: diff changeset	138
7e0b422b1725 First working revision. Dan parents: diff changeset	139	// Response: chapid, flags (1 = use NT Response), LM Response, NT Response
7e0b422b1725 First working revision. Dan parents: diff changeset	140	$resp = pack('CCa48',1 , 1, $lmresp . $ntresp);
7e0b422b1725 First working revision. Dan parents: diff changeset	141
7e0b422b1725 First working revision. Dan parents: diff changeset	142	if ( !radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_RESPONSE, $resp))
7e0b422b1725 First working revision. Dan parents: diff changeset	143	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	144
7e0b422b1725 First working revision. Dan parents: diff changeset	145	break;
7e0b422b1725 First working revision. Dan parents: diff changeset	146
7e0b422b1725 First working revision. Dan parents: diff changeset	147	case 'mschapv2':
7e0b422b1725 First working revision. Dan parents: diff changeset	148
7e0b422b1725 First working revision. Dan parents: diff changeset	149	//
7e0b422b1725 First working revision. Dan parents: diff changeset	150	// MS-CHAP v2
7e0b422b1725 First working revision. Dan parents: diff changeset	151	//
7e0b422b1725 First working revision. Dan parents: diff changeset	152
7e0b422b1725 First working revision. Dan parents: diff changeset	153	require_once(ENANO_ROOT . '/plugins/radiusauth/libradauth.php');
7e0b422b1725 First working revision. Dan parents: diff changeset	154
7e0b422b1725 First working revision. Dan parents: diff changeset	155	$authChallenge = GenerateChallenge(16);
7e0b422b1725 First working revision. Dan parents: diff changeset	156
7e0b422b1725 First working revision. Dan parents: diff changeset	157	if (!radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $authChallenge))
7e0b422b1725 First working revision. Dan parents: diff changeset	158	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	159
7e0b422b1725 First working revision. Dan parents: diff changeset	160	// we have no client, therefore we generate the Peer-Challenge
7e0b422b1725 First working revision. Dan parents: diff changeset	161	$peerChallenge = GeneratePeerChallenge();
7e0b422b1725 First working revision. Dan parents: diff changeset	162
7e0b422b1725 First working revision. Dan parents: diff changeset	163	$ntresp = GenerateNTResponse($authChallenge, $peerChallenge, $username, $password);
7e0b422b1725 First working revision. Dan parents: diff changeset	164	$reserved = str_repeat ("\0", 8);
7e0b422b1725 First working revision. Dan parents: diff changeset	165
7e0b422b1725 First working revision. Dan parents: diff changeset	166	// Response: chapid, flags (1 = use NT Response), Peer challenge, reserved, Response
7e0b422b1725 First working revision. Dan parents: diff changeset	167	$resp = pack('CCa16a8a24',1 , 1, $peerChallenge, $reserved, $ntresp);
7e0b422b1725 First working revision. Dan parents: diff changeset	168
7e0b422b1725 First working revision. Dan parents: diff changeset	169	if (!radius_put_vendor_attr($this->radius, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp))
7e0b422b1725 First working revision. Dan parents: diff changeset	170	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	171
7e0b422b1725 First working revision. Dan parents: diff changeset	172	break;
7e0b422b1725 First working revision. Dan parents: diff changeset	173
7e0b422b1725 First working revision. Dan parents: diff changeset	174	case 'pap':
7e0b422b1725 First working revision. Dan parents: diff changeset	175	default:
7e0b422b1725 First working revision. Dan parents: diff changeset	176
7e0b422b1725 First working revision. Dan parents: diff changeset	177	//
7e0b422b1725 First working revision. Dan parents: diff changeset	178	// PAP
7e0b422b1725 First working revision. Dan parents: diff changeset	179	//
7e0b422b1725 First working revision. Dan parents: diff changeset	180
7e0b422b1725 First working revision. Dan parents: diff changeset	181	if ( !radius_put_string($this->radius, RADIUS_USER_PASSWORD, $password) )
7e0b422b1725 First working revision. Dan parents: diff changeset	182	throw new RadiusError("RADIUS_USER_PASSWORD: " . radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	183
7e0b422b1725 First working revision. Dan parents: diff changeset	184	break;
7e0b422b1725 First working revision. Dan parents: diff changeset	185	}
7e0b422b1725 First working revision. Dan parents: diff changeset	186
7e0b422b1725 First working revision. Dan parents: diff changeset	187	$req = radius_send_request($this->radius);
7e0b422b1725 First working revision. Dan parents: diff changeset	188	if ( !$req )
7e0b422b1725 First working revision. Dan parents: diff changeset	189	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	190
7e0b422b1725 First working revision. Dan parents: diff changeset	191	switch($req)
7e0b422b1725 First working revision. Dan parents: diff changeset	192	{
7e0b422b1725 First working revision. Dan parents: diff changeset	193	case RADIUS_ACCESS_ACCEPT:
7e0b422b1725 First working revision. Dan parents: diff changeset	194	return true;
7e0b422b1725 First working revision. Dan parents: diff changeset	195
7e0b422b1725 First working revision. Dan parents: diff changeset	196	case RADIUS_ACCESS_REJECT:
7e0b422b1725 First working revision. Dan parents: diff changeset	197	return false;
7e0b422b1725 First working revision. Dan parents: diff changeset	198
7e0b422b1725 First working revision. Dan parents: diff changeset	199	default:
7e0b422b1725 First working revision. Dan parents: diff changeset	200	echo "Unexpected return value:$req\n<br>";
7e0b422b1725 First working revision. Dan parents: diff changeset	201	return false;
7e0b422b1725 First working revision. Dan parents: diff changeset	202	}
7e0b422b1725 First working revision. Dan parents: diff changeset	203	}
7e0b422b1725 First working revision. Dan parents: diff changeset	204
7e0b422b1725 First working revision. Dan parents: diff changeset	205	function get_attrs()
7e0b422b1725 First working revision. Dan parents: diff changeset	206	{
7e0b422b1725 First working revision. Dan parents: diff changeset	207	$attrs = array();
7e0b422b1725 First working revision. Dan parents: diff changeset	208	while ($resa = radius_get_attr($this->radius))
7e0b422b1725 First working revision. Dan parents: diff changeset	209	{
7e0b422b1725 First working revision. Dan parents: diff changeset	210	$attrs[ $resa['attr'] ] = $resa['data'];
7e0b422b1725 First working revision. Dan parents: diff changeset	211	}
7e0b422b1725 First working revision. Dan parents: diff changeset	212
7e0b422b1725 First working revision. Dan parents: diff changeset	213	return $attrs;
7e0b422b1725 First working revision. Dan parents: diff changeset	214	}
7e0b422b1725 First working revision. Dan parents: diff changeset	215
7e0b422b1725 First working revision. Dan parents: diff changeset	216	function get_authenticator()
7e0b422b1725 First working revision. Dan parents: diff changeset	217	{
7e0b422b1725 First working revision. Dan parents: diff changeset	218	if ( $authent = radius_request_authenticator($this->radius) )
7e0b422b1725 First working revision. Dan parents: diff changeset	219	return $authent;
7e0b422b1725 First working revision. Dan parents: diff changeset	220
7e0b422b1725 First working revision. Dan parents: diff changeset	221	throw new RadiusError(radius_strerror($this->radius));
7e0b422b1725 First working revision. Dan parents: diff changeset	222	}
7e0b422b1725 First working revision. Dan parents: diff changeset	223
7e0b422b1725 First working revision. Dan parents: diff changeset	224	function close()
7e0b422b1725 First working revision. Dan parents: diff changeset	225	{
7e0b422b1725 First working revision. Dan parents: diff changeset	226	radius_close($this->radius);
7e0b422b1725 First working revision. Dan parents: diff changeset	227	}
7e0b422b1725 First working revision. Dan parents: diff changeset	228	}
7e0b422b1725 First working revision. Dan parents: diff changeset	229
7e0b422b1725 First working revision. Dan parents: diff changeset	230	class RadiusError extends Exception
7e0b422b1725 First working revision. Dan parents: diff changeset	231	{
7e0b422b1725 First working revision. Dan parents: diff changeset	232
7e0b422b1725 First working revision. Dan parents: diff changeset	233	}

author	Dan
	Wed, 06 Jan 2010 02:57:23 -0500
changeset 0	7e0b422b1725
permissions	-rw-r--r--