6 files changed, 2526 insertions, 0 deletions
diff --git a/src/config.h.in b/src/config.h.in
new file mode 100644
index 0000000..4780376
--- /dev/null
+++ b/src/config.h.in
@@ -0,0 +1,236 @@
+/* src/config.h.in.  Generated from configure.ac by autoheader.  */
+
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
+/* Define if your processor stores words with the most significant byte first
+   */
+#undef AC_BIG_ENDIAN
+
+/* Define if your processor stores words with the least significant byte first
+   */
+#undef AC_LITTLE_ENDIAN
+
+/* Define to 1 if you have the <ctype.h> header file. */
+#undef HAVE_CTYPE_H
+
+/* Define to 1 if you have the <errno.h> header file. */
+#undef HAVE_ERRNO_H
+
+/* Define to 1 if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H
+
+/* Define to 1 if you have the `inet_aton' function. */
+#undef HAVE_INET_ATON
+
+/* Define to 1 if you have the `inet_ntop' function. */
+#undef HAVE_INET_NTOP
+
+/* Define to 1 if you have the `inet_pton' function. */
+#undef HAVE_INET_PTON
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define to 1 if you have the `nsl' library (-lnsl). */
+#undef HAVE_LIBNSL
+
+/* Define to 1 if you have the `resolv' library (-lresolv). */
+#undef HAVE_LIBRESOLV
+
+/* Define to 1 if you have the <limits.h> header file. */
+#undef HAVE_LIMITS_H
+
+/* Define to 1 if you have the <malloc.h> header file. */
+#undef HAVE_MALLOC_H
+
+/* Define to 1 if you have the <memory.h> header file. */
+#undef HAVE_MEMORY_H
+
+/* Define to 1 if you have the <netdb.h> header file. */
+#undef HAVE_NETDB_H
+
+/* Define to 1 if you have the <netinet/in.h> header file. */
+#undef HAVE_NETINET_IN_H
+
+/* Define to 1 if you have the <net/if.h> header file. */
+#undef HAVE_NET_IF_H
+
+/* Define to 1 if you have the <pam/pam_appl.h> header file. */
+#undef HAVE_PAM_PAM_APPL_H
+
+/* Define to 1 if you have the <pam/pam_modules.h> header file. */
+#undef HAVE_PAM_PAM_MODULES_H
+
+/* Define to 1 if you have the <security/pam_appl.h> header file. */
+#undef HAVE_SECURITY_PAM_APPL_H
+
+/* Define to 1 if you have the <security/pam_modules.h> header file. */
+#undef HAVE_SECURITY_PAM_MODULES_H
+
+/* Define to 1 if you have the `snprintf' function. */
+#undef HAVE_SNPRINTF
+
+/* Define to 1 if you have the <stdarg.h> header file. */
+#undef HAVE_STDARG_H
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the <stdio.h> header file. */
+#undef HAVE_STDIO_H
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the <string.h> header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if you have the `strlcat' function. */
+#undef HAVE_STRLCAT
+
+/* Define to 1 if you have the `strlcpy' function. */
+#undef HAVE_STRLCPY
+
+/* IPv6 address structure */
+#undef HAVE_STRUCT_IN6_ADDR
+
+/* Define to 1 if you have the <syslog.h> header file. */
+#undef HAVE_SYSLOG_H
+
+/* Define to 1 if you have the <sys/param.h> header file. */
+#undef HAVE_SYS_PARAM_H
+
+/* Define to 1 if you have the <sys/resource.h> header file. */
+#undef HAVE_SYS_RESOURCE_H
+
+/* Define to 1 if you have the <sys/socket.h> header file. */
+#undef HAVE_SYS_SOCKET_H
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define to 1 if you have the <sys/time.h> header file. */
+#undef HAVE_SYS_TIME_H
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the <time.h> header file. */
+#undef HAVE_TIME_H
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* Define to 1 if you have the <utmp.h> header file. */
+#undef HAVE_UTMP_H
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* Version integer in format <ma><ma><mi><mi><in><in> */
+#undef PAM_RADIUS_VERSION
+
+/* Raw version string from VERSION file */
+#undef PAM_RADIUS_VERSION_STRING
+
+/* Define to 1 if you have the ANSI C header files. */
+#undef STDC_HEADERS
+
+/* Enable extensions on AIX 3, Interix.  */
+#ifndef _ALL_SOURCE
+# undef _ALL_SOURCE
+#endif
+/* Enable GNU extensions on systems that have them.  */
+#ifndef _GNU_SOURCE
+# undef _GNU_SOURCE
+#endif
+/* Enable threading extensions on Solaris.  */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# undef _POSIX_PTHREAD_SEMANTICS
+#endif
+/* Enable extensions on HP NonStop.  */
+#ifndef _TANDEM_SOURCE
+# undef _TANDEM_SOURCE
+#endif
+/* Enable general extensions on Solaris.  */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
+#endif
+
+
+/* define if pam_radius was built with -DNDEBUG */
+#undef WITH_NDEBUG
+
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+#  define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+#  undef WORDS_BIGENDIAN
+# endif
+#endif
+
+/* Define to 1 if on MINIX. */
+#undef _MINIX
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+   this defined. */
+#undef _POSIX_1_SOURCE
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+#undef _POSIX_SOURCE
+
+/* Define to empty if `const' does not conform to ANSI C. */
+#undef const
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef gid_t
+
+/* Define to `long int' if <sys/types.h> does not define. */
+#undef off_t
+
+/* Define to `int' if <sys/types.h> does not define. */
+#undef pid_t
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef size_t
+
+/* socklen_t is generally 'int' on systems which don't use it */
+#undef socklen_t
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef uid_t
+
+/* uint16_t should be the canonical '2 octets' for network traffic */
+#undef uint16_t
+
+/* uint32_t should be the canonical 'network integer' */
+#undef uint32_t
+
+/* uint64_t is required for larger counters */
+#undef uint64_t
+
+/* uint8_t should be the canonical 'octet' for network traffic */
+#undef uint8_t
diff --git a/src/md5.c b/src/md5.c
new file mode 100644
index 0000000..bb4546e
--- /dev/null
+++ b/src/md5.c
@@ -0,0 +1,278 @@
+/* $Id: md5.c,v 1.3 2007/03/26 04:21:07 fcusack Exp $
+ *
+ * This code implements the MD5 message-digest algorithm.
+ * The algorithm is due to Ron Rivest.  This code was
+ * written by Colin Plumb in 1993, no copyright is claimed.
+ * This code is in the public domain; do with it what you wish.
+ *
+ * Equivalent code is available from RSA Data Security, Inc.
+ * This code has been tested against that, and is equivalent,
+ * except that you don't need to include two pages of legalese
+ * with every copy.
+ *
+ * To compute the message digest of a chunk of bytes, declare an
+ * MD5Context structure, pass it to MD5Init, call MD5Update as
+ * needed on buffers full of bytes, and then call MD5Final, which
+ * will fill a supplied 16-byte array with the digest.
+ *
+ * $Log: md5.c,v $
+ * Revision 1.3  2007/03/26 04:21:07  fcusack
+ * 	use uint32_t (C99) not u_int32_t
+ *
+ * Revision 1.2  2002/06/28 06:29:21  fcusack
+ * 	change HIGHFIRST #ifdef from 'sun' to __sparc, and add __mips
+ *
+ * Revision 1.1.1.1  1999/08/19 13:13:26  aland
+ * 	Start of the pam_radius module
+ *
+ * Revision 1.2  1998/04/03 20:19:21  aland
+ * now builds cleanly on Solaris 2.6
+ *
+ * Revision 1.1  1998/04/03 19:36:59  aland
+ * oh yeah, do MD5 stuff, too
+ *
+ * Revision 1.1  1996/12/01 03:06:54  morgan
+ * Initial revision
+ *
+ * Revision 1.1  1996/09/05 06:43:31  morgan
+ * Initial revision
+ *
+ */
+
+#include <string.h>
+#include "md5.h"
+
+#ifdef LITTLE_ENDIAN
+#  define byteReverse(buf, len)	/* Nothing */
+#else
+void byteReverse(unsigned char *buf, unsigned longs);
+
+#ifndef ASM_MD5
+/*
+ * Note: this code is harmless on little-endian machines.
+ */
+void byteReverse(unsigned char *buf, unsigned longs)
+{
+	uint32_t t;
+	do {
+		t = (uint32_t) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
+				((unsigned) buf[1] << 8 | buf[0]);
+		*(uint32_t *) buf = t;
+		buf += 4;
+	} while (--longs);
+}
+#endif
+#endif
+
+/*
+ * Start MD5 accumulation.	Set bit count to 0 and buffer to mysterious
+ * initialization constants.
+ */
+void MD5Init(struct MD5Context *ctx)
+{
+		ctx->buf[0] = 0x67452301U;
+		ctx->buf[1] = 0xefcdab89U;
+		ctx->buf[2] = 0x98badcfeU;
+		ctx->buf[3] = 0x10325476U;
+
+		ctx->bits[0] = 0;
+		ctx->bits[1] = 0;
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void MD5Update(struct MD5Context *ctx, unsigned const char *buf, unsigned len)
+{
+	uint32_t t;
+
+	/* Update bitcount */
+
+	t = ctx->bits[0];
+	if ((ctx->bits[0] = t + ((uint32_t) len << 3)) < t) {
+		ctx->bits[1]++;		/* Carry from low to high */
+	}
+	ctx->bits[1] += len >> 29;
+
+	t = (t >> 3) & 0x3f;	/* Bytes already in shsInfo->data */
+
+	/* Handle any leading odd-sized chunks */
+
+	if (t) {
+		unsigned char *p = (unsigned char *) ctx->in + t;
+
+		t = 64 - t;
+		if (len < t) {
+			memcpy(p, buf, len);
+			return;
+		}
+		memcpy(p, buf, t);
+		byteReverse(ctx->in, 16);
+		MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+		buf += t;
+		len -= t;
+	}
+	/* Process data in 64-byte chunks */
+
+	while (len >= 64) {
+		memcpy(ctx->in, buf, 64);
+		byteReverse(ctx->in, 16);
+		MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+		buf += 64;
+		len -= 64;
+	}
+
+	/* Handle any remaining bytes of data. */
+
+	memcpy(ctx->in, buf, len);
+}
+
+/*
+ * Final wrapup - pad to 64-byte boundary with the bit pattern
+ * 1 0* (64-bit count of bits processed, MSB-first)
+ */
+void MD5Final(unsigned char digest[16], struct MD5Context *ctx)
+{
+	unsigned count;
+	unsigned char *p;
+
+	/* Compute number of bytes mod 64 */
+	count = (ctx->bits[0] >> 3) & 0x3F;
+
+	/* Set the first char of padding to 0x80. This is safe since there is always at least one byte free */
+	p = ctx->in + count;
+	*p++ = 0x80;
+
+	/* Bytes of padding needed to make 64 bytes */
+	count = 64 - 1 - count;
+
+	/* Pad out to 56 mod 64 */
+	if (count < 8) {
+		/* Two lots of padding:	Pad the first block to 64 bytes */
+		memset(p, 0, count);
+		byteReverse(ctx->in, 16);
+		MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+
+		/* Now fill the next block with 56 bytes */
+		memset(ctx->in, 0, 56);
+	} else {
+		/* Pad block to 56 bytes */
+		memset(p, 0, count - 8);
+	}
+
+	byteReverse(ctx->in, 14);
+
+	/* Append length in bits and transform */
+	((uint32_t *) ctx->in)[14] = ctx->bits[0];
+	((uint32_t *) ctx->in)[15] = ctx->bits[1];
+
+	MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+	byteReverse((unsigned char *) ctx->buf, 4);
+	memcpy(digest, ctx->buf, 16);
+	memset(ctx, 0, sizeof(*ctx));	/* In case it's sensitive */
+}
+
+#ifndef ASM_MD5
+
+/* The four core functions - F1 is optimized somewhat */
+
+/* #define F1(x, y, z) (x & y | ~x & z) */
+#define F1(x, y, z) (z ^ (x & (y ^ z)))
+#define F2(x, y, z) F1(z, x, y)
+#define F3(x, y, z) (x ^ y ^ z)
+#define F4(x, y, z) (y ^ (x | ~z))
+
+/* This is the central step in the MD5 algorithm. */
+#define MD5STEP(f, w, x, y, z, data, s) \
+	(w += f(x, y, z) + data, w = w<<s | w>>(32-s),	w += x)
+
+/*
+ * The core of the MD5 algorithm, this alters an existing MD5 hash to
+ * reflect the addition of 16 longwords of new data.	MD5Update blocks
+ * the data and converts bytes into longwords for this routine.
+ */
+void MD5Transform(uint32_t buf[4], uint32_t const in[16])
+{
+	register uint32_t a, b, c, d;
+
+	a = buf[0];
+	b = buf[1];
+	c = buf[2];
+	d = buf[3];
+
+	MD5STEP(F1, a, b, c, d,	in[0] + 0xd76aa478U,	7);
+	MD5STEP(F1, d, a, b, c,	in[1] + 0xe8c7b756U, 12);
+	MD5STEP(F1, c, d, a, b,	in[2] + 0x242070dbU, 17);
+	MD5STEP(F1, b, c, d, a,	in[3] + 0xc1bdceeeU, 22);
+	MD5STEP(F1, a, b, c, d,	in[4] + 0xf57c0fafU,	7);
+	MD5STEP(F1, d, a, b, c,	in[5] + 0x4787c62aU, 12);
+	MD5STEP(F1, c, d, a, b,	in[6] + 0xa8304613U, 17);
+	MD5STEP(F1, b, c, d, a,	in[7] + 0xfd469501U, 22);
+	MD5STEP(F1, a, b, c, d,	in[8] + 0x698098d8U,	7);
+	MD5STEP(F1, d, a, b, c,	in[9] + 0x8b44f7afU, 12);
+	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17);
+	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22);
+	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U,	7);
+	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12);
+	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17);
+	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22);
+
+	MD5STEP(F2, a, b, c, d,	in[1] + 0xf61e2562U,	5);
+	MD5STEP(F2, d, a, b, c,	in[6] + 0xc040b340U,	9);
+	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14);
+	MD5STEP(F2, b, c, d, a,	in[0] + 0xe9b6c7aaU, 20);
+	MD5STEP(F2, a, b, c, d,	in[5] + 0xd62f105dU,	5);
+	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U,	9);
+	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14);
+	MD5STEP(F2, b, c, d, a,	in[4] + 0xe7d3fbc8U, 20);
+	MD5STEP(F2, a, b, c, d,	in[9] + 0x21e1cde6U,	5);
+	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U,	9);
+	MD5STEP(F2, c, d, a, b,	in[3] + 0xf4d50d87U, 14);
+	MD5STEP(F2, b, c, d, a,	in[8] + 0x455a14edU, 20);
+	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U,	5);
+	MD5STEP(F2, d, a, b, c,	in[2] + 0xfcefa3f8U,	9);
+	MD5STEP(F2, c, d, a, b,	in[7] + 0x676f02d9U, 14);
+	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20);
+
+	MD5STEP(F3, a, b, c, d,	in[5] + 0xfffa3942U,	4);
+	MD5STEP(F3, d, a, b, c,	in[8] + 0x8771f681U, 11);
+	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16);
+	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23);
+	MD5STEP(F3, a, b, c, d,	in[1] + 0xa4beea44U,	4);
+	MD5STEP(F3, d, a, b, c,	in[4] + 0x4bdecfa9U, 11);
+	MD5STEP(F3, c, d, a, b,	in[7] + 0xf6bb4b60U, 16);
+	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23);
+	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U,	4);
+	MD5STEP(F3, d, a, b, c,	in[0] + 0xeaa127faU, 11);
+	MD5STEP(F3, c, d, a, b,	in[3] + 0xd4ef3085U, 16);
+	MD5STEP(F3, b, c, d, a,	in[6] + 0x04881d05U, 23);
+	MD5STEP(F3, a, b, c, d,	in[9] + 0xd9d4d039U,	4);
+	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11);
+	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16);
+	MD5STEP(F3, b, c, d, a,	in[2] + 0xc4ac5665U, 23);
+
+	MD5STEP(F4, a, b, c, d,	in[0] + 0xf4292244U,	6);
+	MD5STEP(F4, d, a, b, c,	in[7] + 0x432aff97U, 10);
+	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15);
+	MD5STEP(F4, b, c, d, a,	in[5] + 0xfc93a039U, 21);
+	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U,	6);
+	MD5STEP(F4, d, a, b, c,	in[3] + 0x8f0ccc92U, 10);
+	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15);
+	MD5STEP(F4, b, c, d, a,	in[1] + 0x85845dd1U, 21);
+	MD5STEP(F4, a, b, c, d,	in[8] + 0x6fa87e4fU,	6);
+	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10);
+	MD5STEP(F4, c, d, a, b,	in[6] + 0xa3014314U, 15);
+	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21);
+	MD5STEP(F4, a, b, c, d,	in[4] + 0xf7537e82U,	6);
+	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10);
+	MD5STEP(F4, c, d, a, b,	in[2] + 0x2ad7d2bbU, 15);
+	MD5STEP(F4, b, c, d, a,	in[9] + 0xeb86d391U, 21);
+
+	buf[0] += a;
+	buf[1] += b;
+	buf[2] += c;
+	buf[3] += d;
+}
+
+#endif
diff --git a/src/md5.h b/src/md5.h
new file mode 100644
index 0000000..ce0e350
--- /dev/null
+++ b/src/md5.h
@@ -0,0 +1,60 @@
+#ifndef MD5_H
+#define MD5_H
+#include "config.h"
+
+/*
+ *	Try and determine endianness of the target system.
+ *
+ *	Other projects seem to use endian.h and variants, but these are
+ *	in non standard locations, and may mess up cross compiling.
+ *
+ *	Here at least the endianess can be set explicitly with
+ *	-DLITTLE_ENDIAN or -DBIG_ENDIAN.
+ */
+#if !defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN)
+#  if defined(__LITTLE_ENDIAN__) || \
+      (defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)) || \
+      defined(AC_LITTLE_ENDIAN)
+#    define LITTLE_ENDIAN 1
+#  elif defined(__BIG_ENDIAN__) || \
+      (defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)) || \
+      defined(AC_BIG_ENDIAN)
+#    define BIG_ENDIAN 1
+#  else
+#    error Failed determining endianness of system
+#  endif
+#endif
+
+/*
+ *  Some operating systems MAY resolve the MD5* functions to
+ *  secret functions in one of their libraries.  These OS supplied
+ *  MD5 functions almost always blow up, and cause problems.
+ *  To get around the issue, we re-define the MD5 function names
+ *  so that we're sure that our module uses our tested and working
+ *  MD5 functions.
+ */
+#define MD5Init       pra_MD5Init
+#define MD5Update     pra_MD5Update
+#define MD5Final      pra_MD5Final
+#define MD5Transform  pra_MD5Transform
+
+#include <inttypes.h>
+
+struct MD5Context {
+	uint32_t buf[4];
+	uint32_t bits[2];
+	unsigned char in[64];
+};
+
+void MD5Init(struct MD5Context *);
+void MD5Update(struct MD5Context *, unsigned const char *, unsigned);
+void MD5Final(unsigned char digest[16], struct MD5Context *);
+void MD5Transform(uint32_t buf[4], uint32_t const in[16]);
+
+/*
+ * This is needed to make RSAREF happy on some MS-DOS compilers.
+ */
+
+typedef struct MD5Context MD5_CTX;
+
+#endif /* MD5_H */
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
new file mode 100644
index 0000000..887ee1e
--- /dev/null
+++ b/src/pam_radius_auth.c
@@ -0,0 +1,1596 @@
+/*
+ * $Id: pam_radius_auth.c,v 1.39 2007/03/26 05:35:31 fcusack Exp $
+ * pam_radius_auth
+ *      Authenticate a user via a RADIUS session
+ *
+ * 0.9.0 - Didn't compile quite right.
+ * 0.9.1 - Hands off passwords properly.  Solaris still isn't completely happy
+ * 0.9.2 - Solaris now does challenge-response.  Added configuration file
+ *         handling, and skip_passwd field
+ * 1.0.0 - Added handling of port name/number, and continue on select
+ * 1.1.0 - more options, password change requests work now, too.
+ * 1.1.1 - Added client_id=foo (NAS-Identifier), defaulting to PAM_SERVICE
+ * 1.1.2 - multi-server capability.
+ * 1.2.0 - ugly merger of pam_radius.c to get full RADIUS capability
+ * 1.3.0 - added my own accounting code.  Simple, clean, and neat.
+ * 1.3.1 - Supports accounting port (oops!), and do accounting authentication
+ * 1.3.2 - added support again for 'skip_passwd' control flag.
+ * 1.3.10 - ALWAYS add Password attribute, to make packets RFC compliant.
+ * 1.3.11 - Bug fixes by Jon Nelson <jnelson@securepipe.com>
+ * 1.3.12 - miscellanous bug fixes.  Don't add password to accounting
+ *          requests; log more errors; add NAS-Port and NAS-Port-Type
+ *          attributes to ALL packets.  Some patches based on input from
+ *          Grzegorz Paszka <Grzegorz.Paszka@pik-net.pl>
+ * 1.3.13 - Always update the configuration file, even if we're given
+ *          no options.  Patch from Jon Nelson <jnelson@securepipe.com>
+ * 1.3.14 - Don't use PATH_MAX, so it builds on GNU Hurd.
+ * 1.3.15 - Implement retry option, miscellanous bug fixes.
+ * 1.3.16 - Miscellaneous fixes (see CVS for history)
+ * 1.3.17 - Security fixes
+ *
+ *
+ *   This program is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation; either version 2 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, write to the Free Software
+ *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * The original pam_radius.c code is copyright (c) Cristian Gafton, 1996,
+ *                                             <gafton@redhat.com>
+ *
+ * Some challenge-response code is copyright (c) CRYPTOCard Inc, 1998.
+ *                                              All rights reserved.
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_PASSWORD
+#define PAM_SM_SESSION
+
+#include <limits.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#include "pam_radius_auth.h"
+
+#define DPRINT if (ctrl & PAM_DEBUG_ARG) _pam_log
+
+/* internal data */
+static CONST char *pam_module_name = "pam_radius_auth";
+static char conf_file[BUFFER_SIZE]; /* configuration file */
+
+/* we need to save these from open_session to close_session, since
+ * when close_session will be called we won't be root anymore and
+ * won't be able to access again the radius server configuration file
+ * -- cristiang */
+static radius_server_t *live_server = NULL;
+static time_t session_time;
+
+/* logging */
+static void _pam_log(int err, CONST char *format, ...)
+{
+	va_list args;
+	char buffer[BUFFER_SIZE];
+
+	va_start(args, format);
+	vsprintf(buffer, format, args);
+	/* don't do openlog or closelog, but put our name in to be friendly */
+	syslog(err, "%s: %s", pam_module_name, buffer);
+	va_end(args);
+}
+
+/* argument parsing */
+static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf)
+{
+	int ctrl=0;
+
+	memset(conf, 0, sizeof(radius_conf_t)); /* ensure it's initialized */
+
+	strcpy(conf_file, CONF_FILE);
+
+	/*
+	 *	If either is not there, then we can't parse anything.
+	 */
+	if ((argc == 0) || (argv == NULL)) {
+		return ctrl;
+	}
+
+	/* step through arguments */
+	for (ctrl=0; argc-- > 0; ++argv) {
+
+		/* generic options */
+		if (!strncmp(*argv,"conf=",5)) {
+			strcpy(conf_file,*argv+5);
+
+		} else if (!strcmp(*argv, "use_first_pass")) {
+			ctrl |= PAM_USE_FIRST_PASS;
+
+		} else if (!strcmp(*argv, "try_first_pass")) {
+			ctrl |= PAM_TRY_FIRST_PASS;
+
+		} else if (!strcmp(*argv, "skip_passwd")) {
+			ctrl |= PAM_SKIP_PASSWD;
+
+		} else if (!strncmp(*argv, "retry=", 6)) {
+			conf->retries = atoi(*argv+6);
+
+		} else if (!strcmp(*argv, "localifdown")) {
+			conf->localifdown = 1;
+
+		} else if (!strncmp(*argv, "client_id=", 10)) {
+			if (conf->client_id) {
+				_pam_log(LOG_WARNING, "ignoring duplicate '%s'", *argv);
+			} else {
+				conf->client_id = (char *) *argv+10; /* point to the client-id */
+			}
+		} else if (!strcmp(*argv, "accounting_bug")) {
+			conf->accounting_bug = TRUE;
+
+		} else if (!strcmp(*argv, "ruser")) {
+			ctrl |= PAM_RUSER_ARG;
+
+		} else if (!strcmp(*argv, "debug")) {
+			ctrl |= PAM_DEBUG_ARG;
+			conf->debug = 1;
+
+		} else {
+			_pam_log(LOG_WARNING, "unrecognized option '%s'", *argv);
+		}
+	}
+
+	return ctrl;
+}
+
+/* Callback function used to free the saved return value for pam_setcred. */
+void _int_free(pam_handle_t * pamh, void *x, int error_status)
+{
+		free(x);
+}
+
+/*************************************************************************
+ * SMALL HELPER FUNCTIONS
+ *************************************************************************/
+
+/*
+ * Return an IP address in host long notation from
+ * one supplied in standard dot notation.
+ */
+static uint32_t ipstr2long(char *ip_str) {
+	char	buf[6];
+	char	*ptr;
+	int	i;
+	int	count;
+	uint32_t	ipaddr;
+	int	cur_byte;
+
+	ipaddr = (uint32_t)0;
+
+	for(i = 0;i < 4;i++) {
+		ptr = buf;
+		count = 0;
+		*ptr = '\0';
+
+		while(*ip_str != '.' && *ip_str != '\0' && count < 4) {
+			if(!isdigit(*ip_str)) {
+				return((uint32_t)0);
+			}
+			*ptr++ = *ip_str++;
+			count++;
+		}
+
+		if(count >= 4 || count == 0) {
+			return((uint32_t)0);
+		}
+
+		*ptr = '\0';
+		cur_byte = atoi(buf);
+		if(cur_byte < 0 || cur_byte > 255) {
+			return ((uint32_t)0);
+		}
+
+		ip_str++;
+		ipaddr = ipaddr << 8 | (uint32_t)cur_byte;
+	}
+	return(ipaddr);
+}
+
+/*
+ * Check for valid IP address in standard dot notation.
+ */
+static int good_ipaddr(char *addr) {
+	int dot_count;
+	int digit_count;
+
+	dot_count = 0;
+	digit_count = 0;
+	while(*addr != '\0' && *addr != ' ') {
+		if(*addr == '.') {
+			dot_count++;
+			digit_count = 0;
+		} else if(!isdigit(*addr)) {
+			dot_count = 5;
+		} else {
+			digit_count++;
+			if(digit_count > 3) {
+				dot_count = 5;
+			}
+		}
+		addr++;
+	}
+	if(dot_count != 3) {
+		return(-1);
+	} else {
+		return(0);
+	}
+}
+
+/*
+ * Return an IP address in host long notation from a host
+ * name or address in dot notation.
+ */
+static uint32_t get_ipaddr(char *host) {
+	struct hostent *hp;
+
+	if(good_ipaddr(host) == 0) {
+		return(ipstr2long(host));
+	} else if((hp = gethostbyname(host)) == (struct hostent *)NULL) {
+		return((uint32_t)0);
+	}
+
+	return(ntohl(*(uint32_t *)hp->h_addr));
+}
+
+/*
+ * take server->hostname, and convert it to server->ip and server->port
+ */
+static int host2server(radius_server_t *server)
+{
+	char *p;
+	int ctrl = 1; /* for DPRINT */
+
+	if ((p = strchr(server->hostname, ':')) != NULL) {
+		*(p++) = '\0';		/* split the port off from the host name */
+	}
+
+	if ((server->ip.s_addr = get_ipaddr(server->hostname)) == ((uint32_t)0)) {
+		DPRINT(LOG_DEBUG, "DEBUG: get_ipaddr(%s) returned 0.\n", server->hostname);
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
+	/*
+	 *	If the server port hasn't already been defined, go get it.
+	 */
+	if (!server->port) {
+		if (p && isdigit(*p)) {	/* the port looks like it's a number */
+			unsigned int i = atoi(p) & 0xffff;
+
+			if (!server->accounting) {
+				server->port = htons((uint16_t) i);
+			} else {
+				server->port = htons((uint16_t) (i + 1));
+			}
+		} else {			/* the port looks like it's a name */
+			struct servent *svp;
+
+			if (p) {			/* maybe it's not "radius" */
+				svp = getservbyname (p, "udp");
+				/* quotes allow distinction from above, lest p be radius or radacct */
+				DPRINT(LOG_DEBUG, "DEBUG: getservbyname('%s', udp) returned %d.\n", p, svp);
+				*(--p) = ':';		/* be sure to put the delimiter back */
+			} else {
+				if (!server->accounting) {
+					svp = getservbyname ("radius", "udp");
+					DPRINT(LOG_DEBUG, "DEBUG: getservbyname(radius, udp) returned %d.\n", svp);
+				} else {
+					svp = getservbyname ("radacct", "udp");
+					DPRINT(LOG_DEBUG, "DEBUG: getservbyname(radacct, udp) returned %d.\n", svp);
+				}
+			}
+
+			if (svp == (struct servent *) 0) {
+				/* debugging above... */
+				return PAM_AUTHINFO_UNAVAIL;
+			}
+
+			server->port = svp->s_port;
+		}
+	}
+
+	return PAM_SUCCESS;
+}
+
+/*
+ * Do XOR of two buffers.
+ */
+static unsigned char * xor(unsigned char *p, unsigned char *q, int length)
+{
+	int i;
+	unsigned char *retval = p;
+
+	for (i = 0; i < length; i++) {
+		*(p++) ^= *(q++);
+	}
+	return retval;
+}
+
+/**************************************************************************
+ * MID-LEVEL RADIUS CODE
+ **************************************************************************/
+
+/*
+ * get a pseudo-random vector.
+ */
+static void get_random_vector(unsigned char *vector)
+{
+#ifdef linux
+	int fd = open("/dev/urandom",O_RDONLY); /* Linux: get *real* random numbers */
+	int total = 0;
+	if (fd >= 0) {
+		while (total < AUTH_VECTOR_LEN) {
+			int bytes = read(fd, vector + total, AUTH_VECTOR_LEN - total);
+			if (bytes <= 0)
+				break;			/* oops! Error */
+			total += bytes;
+		}
+		close(fd);
+	}
+
+	if (total != AUTH_VECTOR_LEN)
+#endif
+	{				/* do this *always* on other platforms */
+		MD5_CTX my_md5;
+		struct timeval tv;
+		struct timezone tz;
+		static unsigned int session = 0; /* make the number harder to guess */
+
+		/* Use the time of day with the best resolution the system can
+	 	   give us -- often close to microsecond accuracy. */
+		gettimeofday(&tv,&tz);
+
+		if (session == 0) {
+			session = getppid();	/* (possibly) hard to guess information */
+		}
+
+		tv.tv_sec ^= getpid() * session++;
+
+		/* Hash things to get maybe cryptographically strong pseudo-random numbers */
+		MD5Init(&my_md5);
+		MD5Update(&my_md5, (unsigned char *) &tv, sizeof(tv));
+		MD5Update(&my_md5, (unsigned char *) &tz, sizeof(tz));
+		MD5Final(vector, &my_md5);				/* set the final vector */
+	}
+}
+
+/*
+ * RFC 2139 says to do generate the accounting request vector this way.
+ * However, the Livingston 1.16 server doesn't check it.	The Cistron
+ * server (http://home.cistron.nl/~miquels/radius/) does, and this code
+ * seems to work with it.	It also works with Funk's Steel-Belted RADIUS.
+ */
+static void get_accounting_vector(AUTH_HDR *request, radius_server_t *server)
+{
+	MD5_CTX my_md5;
+	int secretlen = strlen(server->secret);
+	int len = ntohs(request->length);
+
+	memset(request->vector, 0, AUTH_VECTOR_LEN);
+	MD5Init(&my_md5);
+	memcpy(((char *)request) + len, server->secret, secretlen);
+
+	MD5Update(&my_md5, (unsigned char *)request, len + secretlen);
+	MD5Final(request->vector, &my_md5);			/* set the final vector */
+}
+
+/*
+ * Verify the response from the server
+ */
+static int verify_packet(char *secret, AUTH_HDR *response, AUTH_HDR *request)
+{
+	MD5_CTX my_md5;
+	unsigned char	calculated[AUTH_VECTOR_LEN];
+	unsigned char	reply[AUTH_VECTOR_LEN];
+
+	/*
+	 * We could dispense with the memcpy, and do MD5's of the packet
+	 * + vector piece by piece.	This is easier understand, and maybe faster.
+	 */
+	memcpy(reply, response->vector, AUTH_VECTOR_LEN); /* save the reply */
+	memcpy(response->vector, request->vector, AUTH_VECTOR_LEN); /* sent vector */
+
+	/* MD5(response packet header + vector + response packet data + secret) */
+	MD5Init(&my_md5);
+	MD5Update(&my_md5, (unsigned char *) response, ntohs(response->length));
+
+	/*
+	 * This next bit is necessary because of a bug in the original Livingston
+	 * RADIUS server.	The authentication vector is *supposed* to be MD5'd
+	 * with the old password (as the secret) for password changes.
+	 * However, the old password isn't used.	The "authentication" vector
+	 * for the server reply packet is simply the MD5 of the reply packet.
+	 * Odd, the code is 99% there, but the old password is never copied
+	 * to the secret!
+	 */
+	if (*secret) {
+		MD5Update(&my_md5, (unsigned char *) secret, strlen(secret));
+	}
+
+	MD5Final(calculated, &my_md5);			/* set the final vector */
+
+	/* Did he use the same random vector + shared secret? */
+	if (memcmp(calculated, reply, AUTH_VECTOR_LEN) != 0) {
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/*
+ * Find an attribute in a RADIUS packet.	Note that the packet length
+ * is *always* kept in network byte order.
+ */
+static attribute_t *find_attribute(AUTH_HDR *response, unsigned char type)
+{
+	attribute_t *attr = (attribute_t *) &response->data;
+
+	int len = ntohs(response->length) - AUTH_HDR_LEN;
+
+	while (attr->attribute != type) {
+		if ((len -= attr->length) <= 0) {
+			return NULL;		/* not found */
+		}
+		attr = (attribute_t *) ((char *) attr + attr->length);
+	}
+
+	return attr;
+}
+
+/*
+ * Add an attribute to a RADIUS packet.
+ */
+static void add_attribute(AUTH_HDR *request, unsigned char type, CONST unsigned char *data, int length)
+{
+	attribute_t *p;
+
+	p = (attribute_t *) ((unsigned char *)request + ntohs(request->length));
+	p->attribute = type;
+	p->length = length + 2;		/* the total size of the attribute */
+	request->length = htons(ntohs(request->length) + p->length);
+	memcpy(p->data, data, length);
+}
+
+/*
+ * Add an integer attribute to a RADIUS packet.
+ */
+static void add_int_attribute(AUTH_HDR *request, unsigned char type, int data)
+{
+	int value = htonl(data);
+
+	add_attribute(request, type, (unsigned char *) &value, sizeof(int));
+}
+
+/*
+ * Add a RADIUS password attribute to the packet.	Some magic is done here.
+ *
+ * If it's an PW_OLD_PASSWORD attribute, it's encrypted using the encrypted
+ * PW_PASSWORD attribute as the initialization vector.
+ *
+ * If the password attribute already exists, it's over-written.	This allows
+ * us to simply call add_password to update the password for different
+ * servers.
+ */
+static void add_password(AUTH_HDR *request, unsigned char type, CONST char *password, char *secret)
+{
+	MD5_CTX md5_secret, my_md5;
+	unsigned char misc[AUTH_VECTOR_LEN];
+	int i;
+	int length = strlen(password);
+	unsigned char hashed[256 + AUTH_PASS_LEN];	/* can't be longer than this */
+	unsigned char *vector;
+	attribute_t *attr;
+
+	if (length > MAXPASS) {				/* shorten the password for now */
+		length = MAXPASS;
+	}
+
+	if (length == 0) {
+		length = AUTH_PASS_LEN;			/* 0 maps to 16 */
+	} if ((length & (AUTH_PASS_LEN - 1)) != 0) {
+		length += (AUTH_PASS_LEN - 1);		/* round it up */
+		length &= ~(AUTH_PASS_LEN - 1);		/* chop it off */
+	}						/* 16*N maps to itself */
+
+	memset(hashed, 0, length);
+	memcpy(hashed, password, strlen(password));
+
+	attr = find_attribute(request, PW_PASSWORD);
+
+	if (type == PW_PASSWORD) {
+		vector = request->vector;
+	} else {
+		vector = attr->data;			/* attr CANNOT be NULL here. */
+	}
+
+	/* ************************************************************ */
+	/* encrypt the password */
+	/* password : e[0] = p[0] ^ MD5(secret + vector) */
+	MD5Init(&md5_secret);
+	MD5Update(&md5_secret, (unsigned char *) secret, strlen(secret));
+	my_md5 = md5_secret;				/* so we won't re-do the hash later */
+	MD5Update(&my_md5, vector, AUTH_VECTOR_LEN);
+	MD5Final(misc, &my_md5);			/* set the final vector */
+	xor(hashed, misc, AUTH_PASS_LEN);
+
+	/* For each step through, e[i] = p[i] ^ MD5(secret + e[i-1]) */
+	for (i = 1; i < (length >> 4); i++) {
+		my_md5 = md5_secret;			/* grab old value of the hash */
+		MD5Update(&my_md5, &hashed[(i-1) * AUTH_PASS_LEN], AUTH_PASS_LEN);
+		MD5Final(misc, &my_md5);			/* set the final vector */
+		xor(&hashed[i * AUTH_PASS_LEN], misc, AUTH_PASS_LEN);
+	}
+
+	if (type == PW_OLD_PASSWORD) {
+		attr = find_attribute(request, PW_OLD_PASSWORD);
+	}
+
+	if (!attr) {
+		add_attribute(request, type, hashed, length);
+	} else {
+		memcpy(attr->data, hashed, length); /* overwrite the packet */
+	}
+}
+
+static void cleanup(radius_server_t *server)
+{
+	radius_server_t *next;
+
+	while (server) {
+		next = server->next;
+		_pam_drop(server->hostname);
+		_pam_forget(server->secret);
+		_pam_drop(server);
+		server = next;
+	}
+}
+
+/*
+ * allocate and open a local port for communication with the RADIUS
+ * server
+ */
+static int initialize(radius_conf_t *conf, int accounting)
+{
+	struct sockaddr salocal;
+	uint16_t local_port;
+	char hostname[BUFFER_SIZE];
+	char secret[BUFFER_SIZE];
+
+	char buffer[BUFFER_SIZE];
+	char *p;
+	FILE *fserver;
+	radius_server_t *server = NULL;
+	struct sockaddr_in * s_in;
+	int timeout;
+	int line = 0;
+
+	/* the first time around, read the configuration file */
+	if ((fserver = fopen (conf_file, "r")) == (FILE*)NULL) {
+		_pam_log(LOG_ERR, "Could not open configuration file %s: %s\n",
+			conf_file, strerror(errno));
+		return PAM_ABORT;
+	}
+
+	while (!feof(fserver) && (fgets (buffer, sizeof(buffer), fserver) != (char*) NULL) && (!ferror(fserver))) {
+		line++;
+		p = buffer;
+
+		/*
+		 *	Skip blank lines and whitespace
+		 */
+		while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\r') || (*p == '\n'))) {
+			p++;
+		}
+
+		/*
+		 *	Nothing, or just a comment. Ignore the line.
+		 */
+		if ((!*p) || (*p == '#')) {
+			continue;
+		}
+
+		timeout = 3;
+		if (sscanf(p, "%s %s %d", hostname, secret, &timeout) < 2) {
+			_pam_log(LOG_ERR, "ERROR reading %s, line %d: Could not read hostname or secret\n",
+				 conf_file, line);
+			continue;			/* invalid line */
+		} else {				/* read it in and save the data */
+			radius_server_t *tmp;
+
+			tmp = malloc(sizeof(radius_server_t));
+			if (server) {
+				server->next = tmp;
+				server = server->next;
+			} else {
+				conf->server = tmp;
+				server= tmp;		/* first time */
+			}
+
+			/* sometime later do memory checks here */
+			server->hostname = strdup(hostname);
+			server->secret = strdup(secret);
+			server->accounting = accounting;
+			server->port = 0;
+
+			if ((timeout < 1) || (timeout > 60)) {
+				server->timeout = 3;
+			} else {
+				server->timeout = timeout;
+			}
+			server->next = NULL;
+		}
+	}
+	fclose(fserver);
+
+	if (!server) {		/* no server found, die a horrible death */
+		_pam_log(LOG_ERR, "No RADIUS server found in configuration file %s\n",
+			 conf_file);
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
+	/* open a socket.	Dies if it fails */
+	conf->sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+	if (conf->sockfd < 0) {
+		_pam_log(LOG_ERR, "Failed to open RADIUS socket: %s\n", strerror(errno));
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
+	/* set up the local end of the socket communications */
+	s_in = (struct sockaddr_in *) &salocal;
+	memset ((char *) s_in, '\0', sizeof(struct sockaddr));
+	s_in->sin_family = AF_INET;
+	s_in->sin_addr.s_addr = INADDR_ANY;
+
+	/*
+	 *	Use our process ID as a local port for RADIUS.
+	 */
+	local_port = (getpid() & 0x7fff) + 1024;
+	do {
+		local_port++;
+		s_in->sin_port = htons(local_port);
+	} while ((bind(conf->sockfd, &salocal, sizeof (struct sockaddr_in)) < 0) && (local_port < 64000));
+
+	if (local_port >= 64000) {
+		close(conf->sockfd);
+		_pam_log(LOG_ERR, "No open port we could bind to.");
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
+	return PAM_SUCCESS;
+}
+
+/*
+ * Helper function for building a radius packet.
+ * It initializes *some* of the header, and adds common attributes.
+ */
+static void build_radius_packet(AUTH_HDR *request, CONST char *user, CONST char *password, radius_conf_t *conf)
+{
+	char hostname[256];
+	uint32_t ipaddr;
+
+	hostname[0] = '\0';
+	gethostname(hostname, sizeof(hostname) - 1);
+
+	request->length = htons(AUTH_HDR_LEN);
+
+	if (password) {		/* make a random authentication req vector */
+		get_random_vector(request->vector);
+	}
+
+	add_attribute(request, PW_USER_NAME, (unsigned char *) user, strlen(user));
+
+	/*
+	 *	Add a password, if given.
+	 */
+	if (password) {
+		add_password(request, PW_PASSWORD, password, conf->server->secret);
+
+		/*
+		 *	Add a NULL password to non-accounting requests.
+		 */
+	} else if (request->code != PW_ACCOUNTING_REQUEST) {
+		add_password(request, PW_PASSWORD, "", conf->server->secret);
+	}
+
+	/* the packet is from localhost if on localhost, to make configs easier */
+	if ((conf->server->ip.s_addr == ntohl(0x7f000001)) || (!hostname[0])) {
+		ipaddr = 0x7f000001;
+	} else {
+		struct hostent *hp;
+
+		if ((hp = gethostbyname(hostname)) == (struct hostent *) NULL) {
+			ipaddr = 0x00000000;	/* no client IP address */
+		} else {
+			ipaddr = ntohl(*(uint32_t *) hp->h_addr); /* use the first one available */
+		}
+	}
+
+	/* If we can't find an IP address, then don't add one */
+	if (ipaddr) {
+		add_int_attribute(request, PW_NAS_IP_ADDRESS, ipaddr);
+	}
+
+	/* There's always a NAS identifier */
+	if (conf->client_id && *conf->client_id) {
+		add_attribute(request, PW_NAS_IDENTIFIER, (unsigned char *) conf->client_id, strlen(conf->client_id));
+	}
+
+	/*
+	 *	Add in the port (pid) and port type (virtual).
+	 *
+	 *	We might want to give the TTY name here, too.
+	 */
+	add_int_attribute(request, PW_NAS_PORT_ID, getpid());
+	add_int_attribute(request, PW_NAS_PORT_TYPE, PW_NAS_PORT_TYPE_VIRTUAL);
+}
+
+/*
+ * Talk RADIUS to a server.
+ * Send a packet and get the response
+ */
+static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *response,
+		       char *password, char *old_password, int tries)
+{
+	socklen_t salen;
+	int total_length;
+	fd_set set;
+	struct timeval tv;
+	time_t now, end;
+	int rcode;
+	struct sockaddr saremote;
+	struct sockaddr_in *s_in = (struct sockaddr_in *) &saremote;
+	radius_server_t *server = conf->server;
+	int ok;
+	int server_tries;
+	int retval;
+
+	/* ************************************************************ */
+	/* Now that we're done building the request, we can send it */
+
+	/*
+	 Hmm... on password change requests, all of the found server information
+	 could be saved with a pam_set_data(), which means even the radius_conf_t
+	 information will have to be malloc'd at some point
+
+	 On the other hand, we could just try all of the servers again in
+	 sequence, on the off chance that one may have ended up fixing itself.
+
+	 */
+
+	/* loop over all available servers */
+	while (server != NULL) {
+
+		/* only look up IP information as necessary */
+		if ((retval = host2server(server)) != PAM_SUCCESS) {
+			_pam_log(LOG_ERR,
+				 "Failed looking up IP address for RADIUS server %s (errcode=%d)",
+				 server->hostname, retval);
+			ok = FALSE;
+			goto next;		/* skip to the next server */
+		}
+
+		/* set up per-server IP && port configuration */
+		memset ((char *) s_in, '\0', sizeof(struct sockaddr));
+		s_in->sin_family = AF_INET;
+		s_in->sin_addr.s_addr = htonl(server->ip.s_addr);
+		s_in->sin_port = server->port;
+		total_length = ntohs(request->length);
+
+		if (!password) { 		/* make an RFC 2139 p6 request authenticator */
+			get_accounting_vector(request, server);
+		}
+
+		server_tries = tries;
+	send:
+		/* send the packet */
+		if (sendto(conf->sockfd, (char *) request, total_length, 0,
+			   &saremote, sizeof(struct sockaddr_in)) < 0) {
+			_pam_log(LOG_ERR, "Error sending RADIUS packet to server %s: %s",
+				 server->hostname, strerror(errno));
+			ok = FALSE;
+			goto next;		/* skip to the next server */
+		}
+
+		/* ************************************************************ */
+		/* Wait for the response, and verify it. */
+		salen = sizeof(struct sockaddr);
+		tv.tv_sec = server->timeout;	/* wait for the specified time */
+		tv.tv_usec = 0;
+		FD_ZERO(&set);			/* clear out the set */
+		FD_SET(conf->sockfd, &set);	/* wait only for the RADIUS UDP socket */
+
+		time(&now);
+		end = now + tv.tv_sec;
+
+		/* loop, waiting for the select to return data */
+		ok = TRUE;
+		while (ok) {
+			rcode = select(conf->sockfd + 1, &set, NULL, NULL, &tv);
+
+			/* select timed out */
+			if (rcode == 0) {
+				_pam_log(LOG_ERR, "RADIUS server %s failed to respond", server->hostname);
+				if (--server_tries) {
+					goto send;
+				}
+				ok = FALSE;
+				break;			/* exit from the select loop */
+			} else if (rcode < 0) {
+
+				/* select had an error */
+				if (errno == EINTR) {	/* we were interrupted */
+					time(&now);
+
+					if (now > end) {
+						_pam_log(LOG_ERR, "RADIUS server %s failed to respond",
+							 server->hostname);
+						if (--server_tries) goto send;
+						ok = FALSE;
+						break;		/* exit from the select loop */
+					}
+
+					tv.tv_sec = end - now;
+					if (tv.tv_sec == 0) {	/* keep waiting */
+						tv.tv_sec = 1;
+					}
+
+				} else {			/* not an interrupt, it was a real error */
+					_pam_log(LOG_ERR, "Error waiting for response from RADIUS server %s: %s",
+						 server->hostname, strerror(errno));
+					ok = FALSE;
+					break;
+				}
+
+			/* the select returned OK */
+			} else if (FD_ISSET(conf->sockfd, &set)) {
+
+				/* try to receive some data */
+				if ((total_length = recvfrom(conf->sockfd, (void *) response, BUFFER_SIZE,
+						     	     0, &saremote, &salen)) < 0) {
+					_pam_log(LOG_ERR, "error reading RADIUS packet from server %s: %s",
+					 	 server->hostname, strerror(errno));
+					ok = FALSE;
+					break;
+
+				/* there's data, see if it's valid */
+				} else {
+					char *p = server->secret;
+
+					if ((ntohs(response->length) != total_length) ||
+					    (ntohs(response->length) > BUFFER_SIZE)) {
+						_pam_log(LOG_ERR, "RADIUS packet from server %s is corrupted",
+						 	 server->hostname);
+						ok = FALSE;
+						break;
+					}
+
+					/* Check if we have the data OK. We should also check request->id */
+					if (password) {
+						if (old_password) {
+#ifdef LIVINGSTON_PASSWORD_VERIFY_BUG_FIXED
+							p = old_password;	/* what it should be */
+#else
+							p = "";			/* what it really is */
+#endif
+						}
+					/*
+					 * RFC 2139 p.6 says not do do this, but the Livingston 1.16
+					 * server disagrees.	If the user says he wants the bug, give in.
+					 */
+					} else {		/* authentication request */
+						if (conf->accounting_bug) {
+							p = "";
+						}
+					}
+
+					if (!verify_packet(p, response, request)) {
+						_pam_log(LOG_ERR, "packet from RADIUS server %s failed verification: "
+							 "The shared secret is probably incorrect.", server->hostname);
+						ok = FALSE;
+						break;
+					}
+
+					/*
+					 * Check that the response ID matches the request ID.
+					 */
+					if (response->id != request->id) {
+						_pam_log(LOG_WARNING, "Response packet ID %d does not match the "
+							 "request packet ID %d: verification of packet fails",
+							 response->id, request->id);
+						ok = FALSE;
+						break;
+					}
+				}
+
+				/*
+				 * Whew! The select is done. It hasn't timed out, or errored out.
+				 * It's our descriptor.	We've got some data. It's the right size.
+				 * The packet is valid.
+				 * NOW, we can skip out of the select loop, and process the packet
+				 */
+				break;
+			}
+			/* otherwise, we've got data on another descriptor, keep select'ing */
+		}
+
+			/* go to the next server if this one didn't respond */
+		next:
+		if (!ok) {
+			radius_server_t *old;	/* forget about this server */
+
+			old = server;
+			server = server->next;
+			conf->server = server;
+
+			_pam_forget(old->secret);
+			free(old->hostname);
+			free(old);
+
+			if (server) {		/* if there's more servers to check */
+				/* get a new authentication vector, and update the passwords */
+				get_random_vector(request->vector);
+				request->id = request->vector[0];
+
+				/* update passwords, as appropriate */
+				if (password) {
+					get_random_vector(request->vector);
+					if (old_password) {	/* password change request */
+						add_password(request, PW_PASSWORD, password, old_password);
+						add_password(request, PW_OLD_PASSWORD, old_password, old_password);
+					} else {		/* authentication request */
+						add_password(request, PW_PASSWORD, password, server->secret);
+					}
+				}
+			}
+			continue;
+
+		} else {
+			/* we've found one that does respond, forget about the other servers */
+			cleanup(server->next);
+			server->next = NULL;
+			live_server = server;	/* we've got a live one! */
+			break;
+		}
+	}
+
+	if (!server) {
+		_pam_log(LOG_ERR, "All RADIUS servers failed to respond.");
+		if (conf->localifdown)
+			retval = PAM_IGNORE;
+		else
+			retval = PAM_AUTHINFO_UNAVAIL;
+	} else {
+		retval = PAM_SUCCESS;
+	}
+
+	return retval;
+}
+
+/**************************************************************************
+ * MIDLEVEL PAM CODE
+ **************************************************************************/
+
+/* this is our front-end for module-application conversations */
+
+#undef PAM_FAIL_CHECK
+#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { return retval; }
+
+static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char **password)
+{
+	CONST struct pam_conv *conv;
+	struct pam_message resp_msg;
+	CONST struct pam_message *msg[1];
+	struct pam_response *resp = NULL;
+	int retval;
+
+	resp_msg.msg_style = msg_style;
+	resp_msg.msg = message;
+	msg[0] = &resp_msg;
+
+	/* grab the password */
+	retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv);
+	PAM_FAIL_CHECK;
+
+	retval = conv->conv(1, msg, &resp,conv->appdata_ptr);
+	PAM_FAIL_CHECK;
+
+	if (password) {		/* assume msg.type needs a response */
+		/* I'm not sure if this next bit is necessary on Linux */
+#ifdef sun
+		/* NULL response, fail authentication */
+		if ((resp == NULL) || (resp->resp == NULL)) {
+			return PAM_SYSTEM_ERR;
+		}
+#endif
+
+		*password = resp->resp;
+		free(resp);
+	}
+
+	return PAM_SUCCESS;
+}
+
+/**************************************************************************
+ * GENERAL CODE
+ **************************************************************************/
+
+#undef PAM_FAIL_CHECK
+#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { \
+	int *pret = malloc(sizeof(int)); \
+	*pret = retval;	\
+	pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free);	\
+	return retval; }
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST char **argv)
+{
+	CONST char *user;
+	CONST char *userinfo;
+	char *password = NULL;
+	CONST char *rhost;
+	char *resp2challenge = NULL;
+	int ctrl;
+	int retval = PAM_AUTH_ERR;
+
+	char recv_buffer[4096];
+	char send_buffer[4096];
+	AUTH_HDR *request = (AUTH_HDR *) send_buffer;
+	AUTH_HDR *response = (AUTH_HDR *) recv_buffer;
+	radius_conf_t config;
+
+	ctrl = _pam_parse(argc, argv, &config);
+
+	/* grab the user name */
+	retval = pam_get_user(pamh, &user, NULL);
+	PAM_FAIL_CHECK;
+
+	/* check that they've entered something, and not too long, either */
+	if ((user == NULL) || (strlen(user) > MAXPWNAM)) {
+		int *pret = malloc(sizeof(int));
+		*pret = PAM_USER_UNKNOWN;
+		pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free);
+
+		DPRINT(LOG_DEBUG, "User name was NULL, or too long");
+		return PAM_USER_UNKNOWN;
+	}
+	DPRINT(LOG_DEBUG, "Got user name %s", user);
+
+	if (ctrl & PAM_RUSER_ARG) {
+		retval = pam_get_item(pamh, PAM_RUSER, (CONST void **) &userinfo);
+		PAM_FAIL_CHECK;
+		DPRINT(LOG_DEBUG, "Got PAM_RUSER name %s", userinfo);
+
+		if (!strcmp("root", user)) {
+			user = userinfo;
+			DPRINT(LOG_DEBUG, "Username now %s from ruser", user);
+		} else {
+			DPRINT(LOG_DEBUG, "Skipping ruser for non-root auth");
+		};
+	};
+
+	/*
+	 * Get the IP address of the authentication server
+	 * Then, open a socket, and bind it to a port
+	 */
+	retval = initialize(&config, FALSE);
+	PAM_FAIL_CHECK;
+
+	/*
+	 * If there's no client id specified, use the service type, to help
+	 * keep track of which service is doing the authentication.
+	 */
+	if (!config.client_id) {
+		retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
+		PAM_FAIL_CHECK;
+	}
+
+	/* now we've got a socket open, so we've got to clean it up on error */
+#undef PAM_FAIL_CHECK
+#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {goto error; }
+
+	/* build and initialize the RADIUS packet */
+	request->code = PW_AUTHENTICATION_REQUEST;
+	get_random_vector(request->vector);
+	request->id = request->vector[0]; /* this should be evenly distributed */
+
+	/* grab the password (if any) from the previous authentication layer */
+	retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
+	PAM_FAIL_CHECK;
+
+	if(password) {
+		password = strdup(password);
+		DPRINT(LOG_DEBUG, "Got password %s", password);
+	}
+
+	/* no previous password: maybe get one from the user */
+	if (!password) {
+		if (ctrl & PAM_USE_FIRST_PASS) {
+			retval = PAM_AUTH_ERR;	/* use one pass only, stopping if it fails */
+			goto error;
+		}
+
+		/* check to see if we send a NULL password the first time around */
+		if (!(ctrl & PAM_SKIP_PASSWD)) {
+			retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password);
+			PAM_FAIL_CHECK;
+
+		}
+	} /* end of password == NULL */
+
+	build_radius_packet(request, user, password, &config);
+	/* not all servers understand this service type, but some do */
+	add_int_attribute(request, PW_USER_SERVICE_TYPE, PW_AUTHENTICATE_ONLY);
+
+	/*
+	 *	Tell the server which host the user is coming from.
+	 *
+	 *	Note that this is NOT the IP address of the machine running PAM!
+	 *	It's the IP address of the client.
+	 */
+	retval = pam_get_item(pamh, PAM_RHOST, (CONST void **) &rhost);
+	PAM_FAIL_CHECK;
+	if (rhost) {
+		add_attribute(request, PW_CALLING_STATION_ID, (unsigned char *) rhost,
+			strlen(rhost));
+	}
+
+	DPRINT(LOG_DEBUG, "Sending RADIUS request code %d", request->code);
+
+	retval = talk_radius(&config, request, response, password, NULL, config.retries + 1);
+	PAM_FAIL_CHECK;
+
+	DPRINT(LOG_DEBUG, "Got RADIUS response code %d", response->code);
+
+	/*
+	 *	If we get an authentication failure, and we sent a NULL password,
+	 *	ask the user for one and continue.
+	 *
+	 *	If we get an access challenge, then do a response, for as many
+	 *	challenges as we receive.
+	 */
+	while (response->code == PW_ACCESS_CHALLENGE) {
+		attribute_t *a_state, *a_reply;
+		char challenge[BUFFER_SIZE];
+
+		/* Now we do a bit more work: challenge the user, and get a response */
+		if (((a_state = find_attribute(response, PW_STATE)) == NULL) ||
+		    ((a_reply = find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) {
+			/* Actually, State isn't required. */
+			_pam_log(LOG_ERR, "RADIUS Access-Challenge received with State or Reply-Message missing");
+			retval = PAM_AUTHINFO_UNAVAIL;
+			goto error;
+		}
+
+		/*
+		 *	Security fixes.
+		 */
+		if ((a_state->length <= 2) || (a_reply->length <= 2)) {
+			_pam_log(LOG_ERR, "RADIUS Access-Challenge received with invalid State or Reply-Message");
+			retval = PAM_AUTHINFO_UNAVAIL;
+			goto error;
+		}
+
+		memcpy(challenge, a_reply->data, a_reply->length - 2);
+		challenge[a_reply->length - 2] = 0;
+
+		/* It's full challenge-response, we should have echo on */
+		retval = rad_converse(pamh, PAM_PROMPT_ECHO_ON, challenge, &resp2challenge);
+
+		/* now that we've got a response, build a new radius packet */
+		build_radius_packet(request, user, resp2challenge, &config);
+		/* request->code is already PW_AUTHENTICATION_REQUEST */
+		request->id++;		/* one up from the request */
+
+		/* copy the state over from the servers response */
+		add_attribute(request, PW_STATE, a_state->data, a_state->length - 2);
+
+		retval = talk_radius(&config, request, response, resp2challenge, NULL, 1);
+		PAM_FAIL_CHECK;
+
+		DPRINT(LOG_DEBUG, "Got response to challenge code %d", response->code);
+	}
+
+	/* Whew! Done the pasword checks, look for an authentication acknowledge */
+	if (response->code == PW_AUTHENTICATION_ACK) {
+		retval = PAM_SUCCESS;
+	} else {
+		retval = PAM_AUTH_ERR;	/* authentication failure */
+
+error:
+		/* If there was a password pass it to the next layer */
+		if (password && *password) {
+			pam_set_item(pamh, PAM_AUTHTOK, password);
+		}
+	}
+
+	if (ctrl & PAM_DEBUG_ARG) {
+		_pam_log(LOG_DEBUG, "authentication %s", retval==PAM_SUCCESS ? "succeeded":"failed");
+	}
+
+	close(config.sockfd);
+	cleanup(config.server);
+	_pam_forget(password);
+	_pam_forget(resp2challenge);
+	{
+		int *pret = malloc(sizeof(int));
+		*pret = retval;
+		pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free);
+	}
+	return retval;
+}
+
+/*
+ * Return a value matching the return value of pam_sm_authenticate, for
+ * greatest compatibility.
+ * (Always returning PAM_SUCCESS breaks other authentication modules;
+ * always returning PAM_IGNORE breaks PAM when we're the only module.)
+ */
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc,CONST char **argv)
+{
+	int retval, *pret;
+
+	retval = PAM_SUCCESS;
+	pret = &retval;
+	pam_get_data(pamh, "rad_setcred_return", (CONST void **) &pret);
+	return *pret;
+}
+
+#undef PAM_FAIL_CHECK
+#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { return PAM_SESSION_ERR; }
+
+static int pam_private_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv, int status)
+{
+	CONST char *user;
+	int ctrl;
+	int retval = PAM_AUTH_ERR;
+
+	char recv_buffer[4096];
+	char send_buffer[4096];
+	AUTH_HDR *request = (AUTH_HDR *) send_buffer;
+	AUTH_HDR *response = (AUTH_HDR *) recv_buffer;
+	radius_conf_t config;
+
+	ctrl = _pam_parse(argc, argv, &config);
+
+	/* grab the user name */
+	retval = pam_get_user(pamh, &user, NULL);
+	PAM_FAIL_CHECK;
+
+	/* check that they've entered something, and not too long, either */
+	if ((user == NULL) || (strlen(user) > MAXPWNAM)) {
+		return PAM_USER_UNKNOWN;
+	}
+
+	/*
+	 * Get the IP address of the authentication server
+	 * Then, open a socket, and bind it to a port
+	 */
+	retval = initialize(&config, TRUE);
+	PAM_FAIL_CHECK;
+
+	/*
+	 * If there's no client id specified, use the service type, to help
+	 * keep track of which service is doing the authentication.
+	 */
+	if (!config.client_id) {
+		retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
+		PAM_FAIL_CHECK;
+	}
+
+	/* now we've got a socket open, so we've got to clean it up on error */
+#undef PAM_FAIL_CHECK
+#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {goto error; }
+
+	/* build and initialize the RADIUS packet */
+	request->code = PW_ACCOUNTING_REQUEST;
+	get_random_vector(request->vector);
+	request->id = request->vector[0]; /* this should be evenly distributed */
+
+	build_radius_packet(request, user, NULL, &config);
+
+	add_int_attribute(request, PW_ACCT_STATUS_TYPE, status);
+
+	sprintf(recv_buffer, "%08d", (int) getpid());
+	add_attribute(request, PW_ACCT_SESSION_ID, (unsigned char *) recv_buffer, strlen(recv_buffer));
+
+	add_int_attribute(request, PW_ACCT_AUTHENTIC, PW_AUTH_RADIUS);
+
+	if (status == PW_STATUS_START) {
+		session_time = time(NULL);
+	} else {
+		add_int_attribute(request, PW_ACCT_SESSION_TIME, time(NULL) - session_time);
+	}
+
+	retval = talk_radius(&config, request, response, NULL, NULL, 1);
+	PAM_FAIL_CHECK;
+
+	/* oops! They don't have the right password.	Complain and die. */
+	if (response->code != PW_ACCOUNTING_RESPONSE) {
+		retval = PAM_PERM_DENIED;
+		goto error;
+	}
+
+	retval = PAM_SUCCESS;
+
+error:
+
+	close(config.sockfd);
+	cleanup(config.server);
+
+	return retval;
+}
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv)
+{
+	return pam_private_session(pamh, flags, argc, argv, PW_STATUS_START);
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv)
+{
+	return pam_private_session(pamh, flags, argc, argv, PW_STATUS_STOP);
+}
+
+#undef PAM_FAIL_CHECK
+#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {return retval; }
+#define MAX_PASSWD_TRIES 3
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST char **argv)
+{
+	CONST char *user;
+	char *password = NULL;
+	char *new_password = NULL;
+	char *check_password = NULL;
+	int ctrl;
+	int retval = PAM_AUTHTOK_ERR;
+	int attempts;
+
+	char recv_buffer[4096];
+	char send_buffer[4096];
+	AUTH_HDR *request = (AUTH_HDR *) send_buffer;
+	AUTH_HDR *response = (AUTH_HDR *) recv_buffer;
+	radius_conf_t config;
+
+	ctrl = _pam_parse(argc, argv, &config);
+
+	/* grab the user name */
+	retval = pam_get_user(pamh, &user, NULL);
+	PAM_FAIL_CHECK;
+
+	/* check that they've entered something, and not too long, either */
+	if ((user == NULL) || (strlen(user) > MAXPWNAM)) {
+		return PAM_USER_UNKNOWN;
+	}
+
+	/*
+	 * Get the IP address of the authentication server
+	 * Then, open a socket, and bind it to a port
+	 */
+	retval = initialize(&config, FALSE);
+	PAM_FAIL_CHECK;
+
+	/*
+	 * If there's no client id specified, use the service type, to help
+	 * keep track of which service is doing the authentication.
+	 */
+	if (!config.client_id) {
+		retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id);
+		PAM_FAIL_CHECK;
+	}
+
+	/* now we've got a socket open, so we've got to clean it up on error */
+#undef PAM_FAIL_CHECK
+#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {goto error; }
+
+	/* grab the old password (if any) from the previous password layer */
+	retval = pam_get_item(pamh, PAM_OLDAUTHTOK, (CONST void **) &password);
+	PAM_FAIL_CHECK;
+	if(password) password = strdup(password);
+
+	/* grab the new password (if any) from the previous password layer */
+	retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &new_password);
+	PAM_FAIL_CHECK;
+	if(new_password) new_password = strdup(new_password);
+
+	/* preliminary password change checks. */
+	if (flags & PAM_PRELIM_CHECK) {
+		if (!password) {		/* no previous password: ask for one */
+			retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password);
+			PAM_FAIL_CHECK;
+		}
+
+		/*
+		 * We now check the password to see if it's the right one.
+		 * If it isn't, we let the user try again.
+		 * Note that RADIUS doesn't have any concept of 'root'.	The only way
+		 * that root can change someone's password is to log into the RADIUS
+		 * server, and and change it there.
+		 */
+
+		/* build and initialize the access request RADIUS packet */
+		request->code = PW_AUTHENTICATION_REQUEST;
+		get_random_vector(request->vector);
+		request->id = request->vector[0]; /* this should be evenly distributed */
+
+		build_radius_packet(request, user, password, &config);
+		add_int_attribute(request, PW_USER_SERVICE_TYPE, PW_AUTHENTICATE_ONLY);
+
+		retval = talk_radius(&config, request, response, password, NULL, 1);
+		PAM_FAIL_CHECK;
+
+		/* oops! They don't have the right password.	Complain and die. */
+		if (response->code != PW_AUTHENTICATION_ACK) {
+			_pam_forget(password);
+			retval = PAM_PERM_DENIED;
+			goto error;
+		}
+
+		/*
+		 * We're now sure it's the right user.
+		 * Ask for their new password, if appropriate
+		 */
+
+		if (!new_password) {	/* not found yet: ask for it */
+			int new_attempts;
+			attempts = 0;
+
+			/* loop, trying to get matching new passwords */
+			while (attempts++ < 3) {
+
+				/* loop, trying to get a new password */
+				new_attempts = 0;
+				while (new_attempts++ < 3) {
+					retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF,
+							"New password: ", &new_password);
+					PAM_FAIL_CHECK;
+
+					/* the old password may be short.	Check it, first. */
+					if (strcmp(password, new_password) == 0) { /* are they the same? */
+						rad_converse(pamh, PAM_ERROR_MSG,
+						 "You must choose a new password.", NULL);
+						_pam_forget(new_password);
+						continue;
+					} else if (strlen(new_password) < 6) {
+						rad_converse(pamh, PAM_ERROR_MSG, "it's WAY too short", NULL);
+						_pam_forget(new_password);
+						continue;
+					}
+
+					/* insert crypt password checking here */
+
+					break;		/* the new password is OK */
+				}
+
+				if (new_attempts >= 3) { /* too many new password attempts: die */
+					retval = PAM_AUTHTOK_ERR;
+					goto error;
+				}
+
+				/* make sure of the password by asking for verification */
+				retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF,
+						      "New password (again): ", &check_password);
+				PAM_FAIL_CHECK;
+
+				retval = strcmp(new_password, check_password);
+				_pam_forget(check_password);
+
+				/* if they don't match, don't pass them to the next module */
+				if (retval != 0) {
+					_pam_forget(new_password);
+					rad_converse(pamh, PAM_ERROR_MSG,
+								 "You must enter the same password twice.", NULL);
+					retval = PAM_AUTHTOK_ERR;
+					goto error;		/* ??? maybe this should be a 'continue' ??? */
+				}
+
+				break;			/* everything's fine */
+			}	/* loop, trying to get matching new passwords */
+
+			if (attempts >= 3) { /* too many new password attempts: die */
+				retval = PAM_AUTHTOK_ERR;
+				goto error;
+			}
+		} /* now we have a new password which passes all of our tests */
+
+		/*
+		 * Solaris 2.6 calls pam_sm_chauthtok only ONCE, with PAM_PRELIM_CHECK
+		 * set.
+		 */
+#ifndef sun
+		/* If told to update the authentication token, do so. */
+	} else if (flags & PAM_UPDATE_AUTHTOK) {
+#endif
+
+		if (!password || !new_password) { /* ensure we've got passwords */
+			retval = PAM_AUTHTOK_ERR;
+			goto error;
+		}
+
+		/* build and initialize the password change request RADIUS packet */
+		request->code = PW_PASSWORD_REQUEST;
+		get_random_vector(request->vector);
+		request->id = request->vector[0]; /* this should be evenly distributed */
+
+		/* the secret here can not be know to the user, so it's the new password */
+		_pam_forget(config.server->secret);
+		config.server->secret = strdup(password); /* it's free'd later */
+
+		build_radius_packet(request, user, new_password, &config);
+		add_password(request, PW_OLD_PASSWORD, password, password);
+
+		retval = talk_radius(&config, request, response, new_password, password, 1);
+		PAM_FAIL_CHECK;
+
+		/* Whew! Done password changing, check for password acknowledge */
+		if (response->code != PW_PASSWORD_ACK) {
+			retval = PAM_AUTHTOK_ERR;
+			goto error;
+		}
+	}
+
+	/*
+	 * Send the passwords to the next stage if preliminary checks fail,
+	 * or if the password change request fails.
+	 */
+	if ((flags & PAM_PRELIM_CHECK) || (retval != PAM_SUCCESS)) {
+	error:
+
+		/* If there was a password pass it to the next layer */
+		if (password && *password) {
+			pam_set_item(pamh, PAM_OLDAUTHTOK, password);
+		}
+
+		if (new_password && *new_password) {
+			pam_set_item(pamh, PAM_AUTHTOK, new_password);
+		}
+	}
+
+	if (ctrl & PAM_DEBUG_ARG) {
+		_pam_log(LOG_DEBUG, "password change %s", retval==PAM_SUCCESS ? "succeeded" : "failed");
+	}
+
+	close(config.sockfd);
+	cleanup(config.server);
+
+	_pam_forget(password);
+	_pam_forget(new_password);
+	return retval;
+}
+
+/*
+ *	Do nothing for account management. This is apparently needed by
+ *	some programs.
+ */
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc,CONST char **argv)
+{
+	int retval;
+	retval = PAM_SUCCESS;
+	return retval;
+}
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_radius_modstruct = {
+	"pam_radius_auth",
+	pam_sm_authenticate,
+	pam_sm_setcred,
+	pam_sm_acct_mgmt,
+	pam_sm_open_session,
+	pam_sm_close_session,
+	pam_sm_chauthtok,
+};
+#endif
+
diff --git a/src/pam_radius_auth.h b/src/pam_radius_auth.h
new file mode 100644
index 0000000..7241117
--- /dev/null
+++ b/src/pam_radius_auth.h
@@ -0,0 +1,126 @@
+#ifndef PAM_RADIUS_H
+#define PAM_RADIUS_H
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/resource.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <utmp.h>
+#include <time.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <fcntl.h>
+
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#  include <security/pam_appl.h>
+#elif defined(HAVE_PAM_PAM_APPL_H)
+#  include <pam/pam_appl.h>
+#endif
+
+#if defined(HAVE_SECURITY_PAM_MODULES_H)
+#  include <security/pam_modules.h>
+#elif defined(HAVE_PAM_PAM_APPL_H)
+#  include <pam/pam_modules.h>
+#else
+#  error security/pam_modules.h or pam/pam_modules.h required
+#endif
+
+
+#include "radius.h"
+#include "md5.h"
+
+
+/*************************************************************************
+ * Additional RADIUS definitions
+ *************************************************************************/
+
+/* Per-attribute structure */
+typedef struct attribute_t {
+	unsigned char attribute;
+	unsigned char length;
+	unsigned char data[1];
+} attribute_t;
+
+typedef struct radius_server_t {
+	struct radius_server_t *next;
+	struct in_addr ip;
+	uint16_t port;
+	char *hostname;
+	char *secret;
+	int timeout;
+	int accounting;
+} radius_server_t;
+
+typedef struct radius_conf_t {
+	radius_server_t *server;
+	int retries;
+	int localifdown;
+	char *client_id;
+	int accounting_bug;
+	int sockfd;
+	int debug;
+} radius_conf_t;
+
+
+/*************************************************************************
+ * Platform specific defines
+ *************************************************************************/
+
+#ifdef sun
+#define PAM_EXTERN extern
+/*
+ *  On older versions of Solaris, you may have to change this to:
+ *  #define CONST
+ */
+#define CONST const
+#else
+#define CONST const
+#endif
+
+/*************************************************************************
+ * Useful macros and defines
+ *************************************************************************/
+
+#define _pam_forget(X) if (X) {memset(X, 0, strlen(X));free(X);X = NULL;}
+#ifndef _pam_drop
+#define _pam_drop(X) if (X) {free(X);X = NULL;}
+#endif
+
+#define PAM_DEBUG_ARG      1
+#define PAM_SKIP_PASSWD    2
+#define PAM_USE_FIRST_PASS 4
+#define PAM_TRY_FIRST_PASS 8
+#define PAM_RUSER_ARG      16
+
+
+/* Module defines */
+#ifndef BUFFER_SIZE
+#define BUFFER_SIZE      1024
+#endif /* BUFFER_SIZE */
+#define MAXPWNAM 253    /* maximum user name length. Server dependent,
+                         * this is the default value
+                         */
+#define MAXPASS 128     /* max password length. Again, depends on server
+                         * compiled in. This is the default.
+                         */
+#ifndef CONF_FILE       /* the configuration file holding the server secret */
+#define CONF_FILE       "/etc/raddb/server"
+#endif /* CONF_FILE */
+
+#ifndef FALSE
+#define FALSE 0
+#undef TRUE
+#define TRUE !FALSE
+#endif
+
+#endif /* PAM_RADIUS_H */
diff --git a/src/radius.h b/src/radius.h
new file mode 100644
index 0000000..bcfe547
--- /dev/null
+++ b/src/radius.h
@@ -0,0 +1,230 @@
+/*
+ *
+ *	RADIUS
+ *	Remote Authentication Dial In User Service
+ *
+ *
+ *	Livingston Enterprises, Inc.
+ *	6920 Koll Center Parkway
+ *	Pleasanton, CA   94566
+ *
+ *	Copyright 1992 Livingston Enterprises, Inc.
+ *
+ *	Permission to use, copy, modify, and distribute this software for any
+ *	purpose and without fee is hereby granted, provided that this
+ *	copyright and permission notice appear on all copies and supporting
+ *	documentation, the name of Livingston Enterprises, Inc. not be used
+ *	in advertising or publicity pertaining to distribution of the
+ *	program without specific prior permission, and notice be given
+ *	in supporting documentation that copying and distribution is by
+ *	permission of Livingston Enterprises, Inc.
+ *
+ *	Livingston Enterprises, Inc. makes no representations about
+ *	the suitability of this software for any purpose.  It is
+ *	provided "as is" without express or implied warranty.
+ *
+ */
+
+/*
+ *	@(#)radius.h	1.9 11/14/94
+ */
+#ifndef RADIUS_H
+#define RADIUS_H
+
+#define AUTH_VECTOR_LEN		16
+#define AUTH_PASS_LEN		16
+#define AUTH_STRING_LEN		128	/* maximum of 254 */
+
+typedef struct pw_auth_hdr {
+	uint8_t		code;
+	uint8_t		id;
+	uint16_t	length;
+	uint8_t		vector[AUTH_VECTOR_LEN];
+	uint8_t		data[2];
+} AUTH_HDR;
+
+#define AUTH_HDR_LEN			20
+#define CHAP_VALUE_LENGTH		16
+
+#define PW_AUTH_UDP_PORT		1645
+#define PW_ACCT_UDP_PORT		1646
+
+#define PW_TYPE_STRING			0
+#define PW_TYPE_INTEGER			1
+#define PW_TYPE_IPADDR			2
+#define PW_TYPE_DATE			3
+
+
+#define	PW_AUTHENTICATION_REQUEST	1
+#define	PW_AUTHENTICATION_ACK		2
+#define	PW_AUTHENTICATION_REJECT	3
+#define	PW_ACCOUNTING_REQUEST		4
+#define	PW_ACCOUNTING_RESPONSE		5
+#define	PW_ACCOUNTING_STATUS		6
+#define PW_PASSWORD_REQUEST		7
+#define PW_PASSWORD_ACK			8
+#define PW_PASSWORD_REJECT		9
+#define	PW_ACCOUNTING_MESSAGE		10
+#define PW_ACCESS_CHALLENGE		11
+
+#define	PW_USER_NAME			1
+#define	PW_PASSWORD			2
+#define	PW_CHAP_PASSWORD		3
+#define	PW_NAS_IP_ADDRESS	       	4
+#define	PW_NAS_PORT_ID			5
+#define	PW_USER_SERVICE_TYPE		6
+#define	PW_FRAMED_PROTOCOL		7
+#define	PW_FRAMED_ADDRESS		8
+#define	PW_FRAMED_NETMASK		9
+#define	PW_FRAMED_ROUTING		10
+#define	PW_FRAMED_FILTER_ID		11
+#define	PW_FRAMED_MTU			12
+#define	PW_FRAMED_COMPRESSION		13
+#define	PW_LOGIN_HOST			14
+#define	PW_LOGIN_SERVICE		15
+#define	PW_LOGIN_TCP_PORT		16
+#define PW_OLD_PASSWORD			17
+#define PW_REPLY_MESSAGE		18
+#define PW_CALLBACK_NUMBER     		19
+#define PW_CALLBACK_ID			20
+#define PW_EXPIRATION			21
+#define PW_FRAMED_ROUTE			22
+#define PW_FRAMED_IPXNET		23
+#define PW_STATE			24
+#define PW_CLASS                        25      /* string */
+#define PW_VENDOR_SPECIFIC              26      /* vendor */
+#define PW_SESSION_TIMEOUT              27      /* integer */
+#define PW_IDLE_TIMEOUT                 28      /* integer */
+#define PW_TERMINATION_ACTION           29      /* integer */
+#define PW_CALLED_STATION_ID            30      /* string */
+#define PW_CALLING_STATION_ID           31      /* string */
+#define PW_NAS_IDENTIFIER               32      /* string */
+#define PW_PROXY_STATE                  33      /* string */
+#define PW_LOGIN_LAT_SERVICE            34      /* string */
+#define PW_LOGIN_LAT_NODE               35      /* string */
+#define PW_LOGIN_LAT_GROUP              36      /* string */
+#define PW_FRAMED_APPLETALK_LINK        37      /* integer */
+#define PW_FRAMED_APPLETALK_NETWORK     38      /* integer */
+#define PW_FRAMED_APPLETALK_ZONE        39      /* string */
+
+#define PW_ACCT_STATUS_TYPE		40
+#define PW_ACCT_DELAY_TIME		41
+#define PW_ACCT_INPUT_OCTETS		42
+#define PW_ACCT_OUTPUT_OCTETS		43
+#define PW_ACCT_SESSION_ID		44
+#define PW_ACCT_AUTHENTIC		45
+#define PW_ACCT_SESSION_TIME		46
+
+#define PW_CHAP_CHALLENGE               60      /* string */
+#define PW_NAS_PORT_TYPE                61      /* integer */
+#define PW_PORT_LIMIT                   62      /* integer */
+#define PW_LOGIN_LAT_PORT               63      /* string */
+#define PW_PROMPT                       64      /* integer */
+
+/*
+ *	INTEGER TRANSLATIONS
+ */
+
+/*	USER TYPES	*/
+
+#define	PW_LOGIN_USER			1
+#define	PW_FRAMED_USER			2
+#define	PW_DIALBACK_LOGIN_USER	3
+#define	PW_DIALBACK_FRAMED_USER	4
+#define PW_OUTBOUND_USER		5
+#define PW_SHELL_USER			6
+
+/*	FRAMED PROTOCOLS	*/
+
+#define	PW_PPP				1
+#define	PW_SLIP				2
+
+/*	FRAMED ROUTING VALUES	*/
+
+#define	PW_NONE				0
+#define	PW_BROADCAST			1
+#define	PW_LISTEN			2
+#define	PW_BROADCAST_LISTEN		3
+
+/*	NAS PORT TYPES */
+#define PW_NAS_PORT_TYPE_VIRTUAL	5
+
+/*	FRAMED COMPRESSION TYPES	*/
+
+#define	PW_VAN_JACOBSEN_TCP_IP		1
+
+/*	LOGIN SERVICES	*/
+
+#define	PW_TELNET			0
+#define	PW_RLOGIN			1
+#define	PW_TCP_CLEAR			2
+#define	PW_PORTMASTER			3
+#define PW_AUTHENTICATE_ONLY            8
+
+/*	AUTHENTICATION LEVEL	*/
+
+#define PW_AUTH_NONE			0
+#define PW_AUTH_RADIUS			1
+#define PW_AUTH_LOCAL			2
+
+/*	STATUS TYPES	*/
+
+#define PW_STATUS_START			1
+#define PW_STATUS_STOP			2
+#define PW_STATUS_ALIVE			3
+
+/* Default Database File Names */
+
+#define RADIUS_DIR		"/etc/raddb"
+#define RADACCT_DIR		"/usr/adm/radacct"
+
+#define RADIUS_DICTIONARY	"dictionary"
+#define RADIUS_CLIENTS		"clients"
+#define RADIUS_USERS		"users"
+#define RADIUS_HOLD		"holdusers"
+#define RADIUS_LOG		"logfile"
+
+/* Server data structures */
+
+typedef struct dict_attr {
+	char			name[32];
+	int			value;
+	int			type;
+	struct dict_attr	*next;
+} DICT_ATTR;
+
+typedef struct dict_value {
+	char			attrname[32];
+	char			name[32];
+	int			value;
+	struct dict_value	*next;
+} DICT_VALUE;
+
+typedef struct value_pair {
+	char			name[32];
+	int			attribute;
+	int			type;
+	uint32_t		lvalue;
+	char			strvalue[AUTH_STRING_LEN];
+	struct value_pair	*next;
+} VALUE_PAIR;
+
+typedef struct auth_req {
+	uint32_t		ipaddr;
+	uint16_t		udp_port;
+	uint8_t			id;
+	uint8_t			code;
+	uint8_t			vector[16];
+	uint8_t			secret[16];
+	VALUE_PAIR		*request;
+	int			child_pid;	/* Process ID of child */
+	uint32_t		timestamp;
+	struct auth_req		*next;		/* Next active request */
+} AUTH_REQ;
+
+#define SECONDS_PER_DAY		86400
+#define MAX_REQUEST_TIME	30
+#define CLEANUP_DELAY		5
+#define MAX_REQUESTS		100
+
+#endif /* RADIUS_H */