#
# PROXY - Proxies request to server(s) given by REP:Target-Server. First
#	  strips realm from REQ:User-Name if REQ:strip-realm is true.
#
# Return value: always true.
# Side effects: adds a result set to RADIUS response code
# 		given by authentication server or RADIUS client, resp.
#

function PROXY (

  # strip realm before proxying if asked to

  strip-realm and REQ:User-Name := (User-Name afterfirst "/" or
				    User-Name beforelast "@" or
				    User-Name),

  # Proxy

  Trustedproxy, 
  result = del int
),


#
# COMMONAUTHEN - Authentication tail common for all types (PAP, CHAP, EAP);
#		 contains verification schemes that are independent of the
#		 authentication protocol.
#
#		 At this point it's proxy or reject.
#
# return value: always true
# side effects: one instance of result added containing Accept, Reject
#	        or a RADIUS client error code.
#

function COMMONAUTHEN (

  # All authentication schemes allow proxying

  rep:Target-Server exists and return PROXY,

  # We have no ways to verify the credentials we were given, so reject.

  # Uncomment if you want to log passwords
  rep:Log-Line := rep:Log-Line . " - insufficient data to authenticate user",

  result = RAD-Code::Access-Reject
),


#
# PAP - Verifies the last instance of REQ:User-Password based 
#	on attributes from the database. Supported are clear-password,
#	md5-hex-password and Target-Server. Other schemes may be added here as
#	well.
#
# Return value: always true.
# Side effects:	adds a result set to Access-Accept or -Reject.
#

function PAP (

  # Remove padding, if any

  User-Password := (User-Password beforefirst "\x00" or User-Password),

  # Uncomment if you want to log passwords
  #
  rep:Log-Line := rep:Log-Line . " [" . User-Password . "]",

  # PAP using stored cleartext

  rep:clear-password exists and (

    User-Password == rep:clear-password and (

      # Uncomment if you want to log passwords
      rep:Log-Line := rep:Log-Line . " - matches [" . rep:clear-password . "]",

      return (result = RAD-Code::Access-Accept)
    ),

    # Uncomment if you want to log passwords
    rep:Log-Line := rep:Log-Line . " - does not match [" . rep:clear-password . "]",

    return (result = RAD-Code::Access-Reject)
  ),

  # PAP using stored MD5 hash (salted)

  rep:md5-hex-password exists and (

    # Hash password with stored salt and compare to stored hash

    32 lastof rep:md5-hex-password == 
	hex md5 (User-Password . 4 firstof rep:md5-hex-password) and (

      # Uncomment if you want to log passwords
      rep:Log-Line := rep:Log-Line . " - matches MD5 password [" .
		      rep:md5-hex-password . "]",

      return (result = RAD-Code::Access-Accept)
    ),

    # Uncomment if you want to log passwords
    rep:Log-Line := rep:Log-Line . " - does not match MD5 password [" .
		    rep:md5-hex-password . "]",

    return (result = RAD-Code::Access-Reject)
  ),

  # Shared with other authentication types

  COMMONAUTHEN
),


#
# CHAP - Verifies the last instance of REQ:CHAP-Password using on 
#	 REQ:CHAP-Challenge or REQ:RAD-Authenticator and attributes from
#	 the database. Supported verifiers are clear-password and
#	 Target-Server. Other schemes may be added here as well.
#
# Return value: always true.
# Side effects:	adds a result set to Access-Accept or -Reject.
#

function CHAP (

  # Set challenge from authenticator if not given separately

  CHAP-Challenge or (REQ:CHAP-Challenge = RAD-Authenticator),

  # Uncomment if you want to log passwords
  #
  rep:Log-Line := rep:Log-Line . " response [" . hex CHAP-Password . 
			     "] to challenge [" . hex CHAP-Challenge . "]",

  # CHAP using cleartext password

  rep:clear-password exists and (

    # compare received hash to hash calculated from cleartext and challenge

    16 lastof CHAP-Password == md5 (1 firstof CHAP-Password . 
				    rep:clear-password . CHAP-Challenge) and (

      # Uncomment if you want to log passwords
      rep:Log-Line := rep:Log-Line . " - matches [" . rep:clear-password . "]",

      return (result = RAD-Code::Access-Accept)
    ),

    # Uncomment if you want to log passwords
    rep:Log-Line := rep:Log-Line . " - does not match [" . 
		    rep:clear-password . "]",

    return (result = RAD-Code::Access-Reject)
  ),

  # Shared with other authentication types

  COMMONAUTHEN
),

# vim:softtabstop=2:sw=2

