Diffstat (limited to 'crypto/krb5/src/lib/krad')
-rw-r--r-- | crypto/krb5/src/lib/krad/attr.c | 17 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/attrset.c | 58 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/internal.h | 7 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/packet.c | 203 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/remote.c | 15 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/t_attr.c | 12 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/t_attrset.c | 14 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/t_client.c | 32 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/t_code.c | 2 | ||||
-rwxr-xr-x | crypto/krb5/src/lib/krad/t_daemon.py | 3 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/t_packet.c | 25 | ||||
-rw-r--r-- | crypto/krb5/src/lib/krad/t_remote.c | 16 |
12 files changed, 315 insertions, 89 deletions
diff --git a/crypto/krb5/src/lib/krad/attr.c b/crypto/krb5/src/lib/krad/attr.c index 9c13d9d75568..4ad32122a8ef 100644 --- a/crypto/krb5/src/lib/krad/attr.c +++ b/crypto/krb5/src/lib/krad/attr.c @@ -122,6 +122,23 @@ static const attribute_record attributes[UCHAR_MAX] = { {"NAS-Port-Type", 4, 4, NULL, NULL}, {"Port-Limit", 4, 4, NULL, NULL}, {"Login-LAT-Port", 1, MAX_ATTRSIZE, NULL, NULL}, + {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ + {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */ + {NULL, 0, 0, NULL, NULL}, /* Password-Retry */ + {NULL, 0, 0, NULL, NULL}, /* Prompt */ + {NULL, 0, 0, NULL, NULL}, /* Connect-Info */ + {NULL, 0, 0, NULL, NULL}, /* Configuration-Token */ + {NULL, 0, 0, NULL, NULL}, /* EAP-Message */ + {"Message-Authenticator", MD5_DIGEST_SIZE, MD5_DIGEST_SIZE, NULL, NULL}, }; /* Encode User-Password attribute. */ diff --git a/crypto/krb5/src/lib/krad/attrset.c b/crypto/krb5/src/lib/krad/attrset.c index f309f1581c1f..d52622ff94b7 100644 --- a/crypto/krb5/src/lib/krad/attrset.c +++ b/crypto/krb5/src/lib/krad/attrset.c 
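Review bot: The new `Message-Authenticator` row at the tail of `attributes[]` lands on attribute number 80 only because sixteen positional `{NULL, 0, 0, NULL, NULL}` fillers precede it, so a future insertion or a miscount shifts the entry — and its `MD5_DIGEST_SIZE` min/max bounds — onto a different attribute without any compile-time complaint. A designated initializer pins the slot independent of the fillers: `[KRAD_ATTR_MESSAGE_AUTHENTICATOR - 1] = {"Message-Authenticator", MD5_DIGEST_SIZE, MD5_DIGEST_SIZE, NULL, NULL},`. The `- 1` assumes the table is indexed by attribute number minus one, which this hunk does not show; use whatever offset the lookup code applies. The table definition starts before the hunk.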
@@ -164,14 +164,41 @@ krad_attrset_copy(const krad_attrset *set, krad_attrset **copy) return 0; } +/* Place an encoded attributes into outbuf at position *i. Increment *i by the + * length of the encoding. */ +static krb5_error_code +append_attr(krb5_context ctx, const char *secret, + const uint8_t *auth, krad_attr type, const krb5_data *data, + uint8_t outbuf[MAX_ATTRSETSIZE], size_t *i) +{ + uint8_t buffer[MAX_ATTRSIZE]; + size_t attrlen; + krb5_error_code retval; + + retval = kr_attr_encode(ctx, secret, auth, type, data, buffer, &attrlen); + if (retval) + return retval; + + if (attrlen > MAX_ATTRSETSIZE - *i - 2) + return EMSGSIZE; + + outbuf[(*i)++] = type; + outbuf[(*i)++] = attrlen + 2; + memcpy(outbuf + *i, buffer, attrlen); + *i += attrlen; + + return 0; +} + krb5_error_code kr_attrset_encode(const krad_attrset *set, const char *secret, - const unsigned char *auth, + const uint8_t *auth, krb5_boolean add_msgauth, unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen) { - unsigned char buffer[MAX_ATTRSIZE]; krb5_error_code retval; - size_t i = 0, attrlen; + const uint8_t zeroes[MD5_DIGEST_SIZE] = { 0 }; + krb5_data zerodata; + size_t i = 0; attr *a; if (set == NULL) { 
@@ -179,19 +206,22 @@ kr_attrset_encode(const krad_attrset *set, const char *secret, return 0; } - K5_TAILQ_FOREACH(a, &set->list, list) { - retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr, - buffer, &attrlen); - if (retval != 0) + if (add_msgauth) { + /* Encode Message-Authenticator as the first attribute, per + * draft-ietf-radext-deprecating-radius-03 section 5.2. */ + zerodata = make_data((uint8_t *)zeroes, MD5_DIGEST_SIZE); + retval = append_attr(set->ctx, secret, auth, + KRAD_ATTR_MESSAGE_AUTHENTICATOR, &zerodata, + outbuf, &i); + if (retval) return retval; + } - if (i + attrlen + 2 > MAX_ATTRSETSIZE) - return EMSGSIZE; - - outbuf[i++] = a->type; - outbuf[i++] = attrlen + 2; - memcpy(&outbuf[i], buffer, attrlen); - i += attrlen; + K5_TAILQ_FOREACH(a, &set->list, list) { + retval = append_attr(set->ctx, secret, auth, a->type, &a->attr, + outbuf, &i); + if (retval) + return retval; } *outlen = i; diff --git a/crypto/krb5/src/lib/krad/internal.h b/crypto/krb5/src/lib/krad/internal.h index 7619563fc56c..e2a16c77a64b 100644 --- a/crypto/krb5/src/lib/krad/internal.h +++ b/crypto/krb5/src/lib/krad/internal.h @@ -43,6 +43,8 @@ #define UCHAR_MAX 255 #endif +#define MD5_DIGEST_SIZE 16 + /* RFC 2865 */ #define MAX_ATTRSIZE (UCHAR_MAX - 2) #define MAX_ATTRSETSIZE (KRAD_PACKET_SIZE_MAX - 20) @@ -65,10 +67,11 @@ kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth, krad_attr type, const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen); -/* Encode the attributes into the buffer. */ +/* Encode set into outbuf. If add_msgauth is true, include a zeroed + * Message-Authenticator as the first attribute. */ krb5_error_code kr_attrset_encode(const krad_attrset *set, const char *secret, - const unsigned char *auth, + const uint8_t *auth, krb5_boolean add_msgauth, unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen); /* Decode attributes from a buffer. */ 
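Review bot: The bound check in `append_attr`, `if (attrlen > MAX_ATTRSETSIZE - *i - 2)`, is evaluated in `size_t` arithmetic and wraps once `*i` exceeds `MAX_ATTRSETSIZE - 2`; `*i` reaches exactly `MAX_ATTRSETSIZE` after an attribute that fills the remaining space precisely, at which point the subtraction yields a huge value, the check passes, and the type, length and payload bytes are written past the end of `outbuf`. The check this hunk removes from `kr_attrset_encode` had no such wrap; restore that shape: `if (*i + 2 + attrlen > MAX_ATTRSETSIZE) return EMSGSIZE;` (safe because `attrlen` comes out of a `MAX_ATTRSIZE` buffer and so cannot overflow the sum). Whether a caller-built set hits an exact fit in practice I cannot tell from here, but the encoder should not depend on it.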
diff --git a/crypto/krb5/src/lib/krad/packet.c b/crypto/krb5/src/lib/krad/packet.c index c597174b6576..ed19385f71a6 100644 --- a/crypto/krb5/src/lib/krad/packet.c +++ b/crypto/krb5/src/lib/krad/packet.c @@ -36,6 +36,7 @@ typedef unsigned char uchar; /* RFC 2865 */ +#define MSGAUTH_SIZE (2 + MD5_DIGEST_SIZE) #define OFFSET_CODE 0 #define OFFSET_ID 1 #define OFFSET_LENGTH 2 @@ -200,7 +201,7 @@ auth_generate_response(krb5_context ctx, const char *secret, /* Create a new packet. */ static krad_packet * -packet_new() +packet_new(void) { krad_packet *pkt; 
@@ -222,6 +223,101 @@ packet_set_attrset(krb5_context ctx, const char *secret, krad_packet *pkt) return kr_attrset_decode(ctx, &tmp, secret, pkt_auth(pkt), &pkt->attrset); } +/* Determine if a packet requires a Message-Authenticator attribute. */ +static inline krb5_boolean +requires_msgauth(const char *secret, krad_code code) +{ + /* If no secret is provided, assume that the transport is a UNIX socket. + * Message-Authenticator is required only on UDP and TCP connections. */ + if (*secret == '\0') + return FALSE; + + /* + * Per draft-ietf-radext-deprecating-radius-03 sections 5.2.1 and 5.2.4, + * Message-Authenticator is required in Access-Request packets and all + * potential responses when UDP or TCP transport is used. + */ + return code == KRAD_CODE_ACCESS_REQUEST || + code == KRAD_CODE_ACCESS_ACCEPT || code == KRAD_CODE_ACCESS_REJECT || + code == KRAD_CODE_ACCESS_CHALLENGE; +} + +/* Check if the packet has a Message-Authenticator attribute. */ +static inline krb5_boolean +has_pkt_msgauth(const krad_packet *pkt) +{ + return krad_attrset_get(pkt->attrset, KRAD_ATTR_MESSAGE_AUTHENTICATOR, + 0) != NULL; +} + +/* Return the beginning of the Message-Authenticator attribute in pkt, or NULL + * if no such attribute is present. */ +static const uint8_t * +lookup_msgauth_addr(const krad_packet *pkt) +{ + size_t i; + uint8_t *p; + + i = OFFSET_ATTR; + while (i + 2 < pkt->pkt.length) { + p = (uint8_t *)offset(&pkt->pkt, i); + if (*p == KRAD_ATTR_MESSAGE_AUTHENTICATOR) + return p; + i += p[1]; + } + + return NULL; +} + +/* + * Calculate the message authenticator MAC for pkt as specified in RFC 2869 + * section 5.14, placing the result in mac_out. Use the provided authenticator + * auth, which may be from pkt or from a corresponding request. 
+ */ +static krb5_error_code +calculate_mac(const char *secret, const krad_packet *pkt, + const uint8_t auth[AUTH_FIELD_SIZE], + uint8_t mac_out[MD5_DIGEST_SIZE]) +{ + const uint8_t *msgauth_attr, *msgauth_end, *pkt_end; + krb5_crypto_iov input[5]; + krb5_data ksecr, mac; + static const uint8_t zeroed_msgauth[MSGAUTH_SIZE] = { + KRAD_ATTR_MESSAGE_AUTHENTICATOR, MSGAUTH_SIZE + }; + + msgauth_attr = lookup_msgauth_addr(pkt); + if (msgauth_attr == NULL) + return EINVAL; + msgauth_end = msgauth_attr + MSGAUTH_SIZE; + pkt_end = (const uint8_t *)pkt->pkt.data + pkt->pkt.length; + + /* Read code, id, and length from the packet. */ + input[0].flags = KRB5_CRYPTO_TYPE_DATA; + input[0].data = make_data(pkt->pkt.data, OFFSET_AUTH); + + /* Read the provided authenticator. */ + input[1].flags = KRB5_CRYPTO_TYPE_DATA; + input[1].data = make_data((uint8_t *)auth, AUTH_FIELD_SIZE); + + /* Read any attributes before Message-Authenticator. */ + input[2].flags = KRB5_CRYPTO_TYPE_DATA; + input[2].data = make_data(pkt_attr(pkt), msgauth_attr - pkt_attr(pkt)); + + /* Read Message-Authenticator with the data bytes all set to zero, per RFC + * 2869 section 5.14. */ + input[3].flags = KRB5_CRYPTO_TYPE_DATA; + input[3].data = make_data((uint8_t *)zeroed_msgauth, MSGAUTH_SIZE); + + /* Read any attributes after Message-Authenticator. */ + input[4].flags = KRB5_CRYPTO_TYPE_DATA; + input[4].data = make_data((uint8_t *)msgauth_end, pkt_end - msgauth_end); + + mac = make_data(mac_out, MD5_DIGEST_SIZE); + ksecr = string2data((char *)secret); + return k5_hmac_md5(&ksecr, input, 5, &mac); +} + ssize_t krad_packet_bytes_needed(const krb5_data *buffer) { @@ -255,6 +351,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, krad_packet *pkt; uchar id; size_t attrset_len; + krb5_boolean msgauth_required; pkt = packet_new(); if (pkt == NULL) { 
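Review bot: `lookup_msgauth_addr` returns the first attribute whose type byte matches without checking that its length byte is `MSGAUTH_SIZE` or that the attribute fits inside `pkt->pkt.length`; `calculate_mac` then zeroes `MSGAUTH_SIZE` bytes at that address and takes `pkt_end - msgauth_end` as the trailing span, which goes negative (and becomes a huge `krb5_data.length`) for a truncated attribute, and the `i += p[1]` step never terminates on a length byte of 0. Packets built by `krad_packet_new_request`/`_response` have a known-good layout, and `kr_attrset_decode` may already reject such input on received packets — it is not visible here — but a raw byte walk over a received buffer should carry its own checks, especially since the `msgauth->length` test in `verify_msgauth` runs only after `calculate_mac` has already consumed the bytes. I would reject malformed lengths in the walk and return NULL for a Message-Authenticator of the wrong size:
```c
    i = OFFSET_ATTR;
    while (i + 2 < pkt->pkt.length) {
        p = (uint8_t *)offset(&pkt->pkt, i);
        /* A length below 2 is malformed and would stall the walk; an
         * attribute running past the packet end is equally unusable. */
        if (p[1] < 2 || i + p[1] > pkt->pkt.length)
            return NULL;
        if (*p == KRAD_ATTR_MESSAGE_AUTHENTICATOR)
            return (p[1] == MSGAUTH_SIZE) ? p : NULL;
        i += p[1];
    }
    /* … unchanged: return NULL … */
```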
@@ -274,9 +371,12 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, if (retval != 0) goto error; + /* Determine if Message-Authenticator is required. */ + msgauth_required = (*secret != '\0' && code == KRAD_CODE_ACCESS_REQUEST); + /* Encode the attributes. */ - retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt), - &attrset_len); + retval = kr_attrset_encode(set, secret, pkt_auth(pkt), msgauth_required, + pkt_attr(pkt), &attrset_len); if (retval != 0) goto error; @@ -285,6 +385,13 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code, pkt_code_set(pkt, code); pkt_len_set(pkt, pkt->pkt.length); + if (msgauth_required) { + /* Calculate and set the Message-Authenticator MAC. */ + retval = calculate_mac(secret, pkt, pkt_auth(pkt), pkt_attr(pkt) + 2); + if (retval != 0) + goto error; + } + /* Copy the attrset for future use. */ retval = packet_set_attrset(ctx, secret, pkt); if (retval != 0) @@ -307,14 +414,18 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, krb5_error_code retval; krad_packet *pkt; size_t attrset_len; + krb5_boolean msgauth_required; pkt = packet_new(); if (pkt == NULL) return ENOMEM; + /* Determine if Message-Authenticator is required. */ + msgauth_required = requires_msgauth(secret, code); + /* Encode the attributes. */ - retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt), - &attrset_len); + retval = kr_attrset_encode(set, secret, pkt_auth(request), + msgauth_required, pkt_attr(pkt), &attrset_len); if (retval != 0) goto error; 
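Review bot: Both `calculate_mac` calls write the MAC straight to `pkt_attr(pkt) + 2`, which is correct only because `kr_attrset_encode` emits the zeroed Message-Authenticator first when `add_msgauth` is true; nothing at either call site states or checks that coupling, and `lookup_msgauth_addr` inside `calculate_mac` would silently locate a caller-supplied Message-Authenticator somewhere else if the placement ever changed. I would put the dependency in writing next to each call: `/* kr_attrset_encode placed the zeroed Message-Authenticator first; its value begins 2 bytes into the attribute area. */`. The inline `msgauth_required` test in `krad_packet_new_request` also restates half of `requires_msgauth`; routing it through the helper keeps the transport policy in one place. Both functions start before and end after their hunks.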
@@ -330,6 +441,18 @@ krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code, if (retval != 0) goto error; + if (msgauth_required) { + /* + * Calculate and replace the Message-Authenticator MAC. Per RFC 2869 + * section 5.14, use the authenticator from the request, not from the + * response. + */ + retval = calculate_mac(secret, pkt, pkt_auth(request), + pkt_attr(pkt) + 2); + if (retval != 0) + goto error; + } + /* Copy the attrset for future use. */ retval = packet_set_attrset(ctx, secret, pkt); if (retval != 0) @@ -343,6 +466,36 @@ error: return retval; } +/* Verify the Message-Authenticator value in pkt, using the provided + * authenticator (which may be from pkt or from a corresponding request). */ +static krb5_error_code +verify_msgauth(const char *secret, const krad_packet *pkt, + const uint8_t auth[AUTH_FIELD_SIZE]) +{ + uint8_t mac[MD5_DIGEST_SIZE]; + const krb5_data *msgauth; + krb5_error_code retval; + + msgauth = krad_packet_get_attr(pkt, KRAD_ATTR_MESSAGE_AUTHENTICATOR, 0); +/* XXX ENODATA does not exist in FreeBSD. The closest thing we have to */ +/* XXX ENODATA is ENOATTR. We use that instead. */ +#define ENODATA ENOATTR + if (msgauth == NULL) + return ENODATA; + + retval = calculate_mac(secret, pkt, auth, mac); + if (retval) + return retval; + + if (msgauth->length != MD5_DIGEST_SIZE) + return EMSGSIZE; + + if (k5_bcmp(mac, msgauth->data, MD5_DIGEST_SIZE) != 0) + return EBADMSG; + + return 0; +} + /* Decode a packet. */ static krb5_error_code decode_packet(krb5_context ctx, const char *secret, const krb5_data *buffer, 
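Review bot: The `#define ENODATA ENOATTR` dropped into the body of `verify_msgauth` is unconditional, so it redefines the macro (a warning, or an error under -Werror) on any build whose `<errno.h>` already provides ENODATA, and it hides the function's error contract behind a local hack; guard it and hoist it to the file's include block or `internal.h`: `#ifndef ENODATA` / `#define ENODATA ENOATTR` / `#endif`. The `msgauth->length != MD5_DIGEST_SIZE` check would also be better placed before the `calculate_mac` call, so a wrong-sized attribute is rejected before its bytes feed the MAC. The `k5_bcmp` comparison of the computed and received MACs is the right choice here and should stay.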
@@ -394,21 +547,35 @@ krad_packet_decode_request(krb5_context ctx, const char *secret, krad_packet **reqpkt) { const krad_packet *tmp = NULL; + krad_packet *req; krb5_error_code retval; - retval = decode_packet(ctx, secret, buffer, reqpkt); - if (cb != NULL && retval == 0) { + retval = decode_packet(ctx, secret, buffer, &req); + if (retval) + return retval; + + /* Verify Message-Authenticator if present. */ + if (has_pkt_msgauth(req)) { + retval = verify_msgauth(secret, req, pkt_auth(req)); + if (retval) { + krad_packet_free(req); + return retval; + } + } + + if (cb != NULL) { for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) { if (pkt_id_get(*reqpkt) == pkt_id_get(tmp)) break; } - } - if (cb != NULL && (retval != 0 || tmp != NULL)) - (*cb)(data, TRUE); + if (tmp != NULL) + (*cb)(data, TRUE); + } + *reqpkt = req; *duppkt = tmp; - return retval; + return 0; } krb5_error_code @@ -435,9 +602,17 @@ krad_packet_decode_response(krb5_context ctx, const char *secret, break; } - /* If the authenticator matches, then the response is valid. */ - if (memcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) == 0) - break; + /* Verify the response authenticator. */ + if (k5_bcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) != 0) + continue; + + /* Verify Message-Authenticator if present. */ + if (has_pkt_msgauth(*rsppkt)) { + if (verify_msgauth(secret, *rsppkt, pkt_auth(tmp)) != 0) + continue; + } + + break; } } diff --git a/crypto/krb5/src/lib/krad/remote.c b/crypto/krb5/src/lib/krad/remote.c index 06ae751bc877..28f2e83d0d3a 100644 --- a/crypto/krb5/src/lib/krad/remote.c +++ b/crypto/krb5/src/lib/krad/remote.c 
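Review bot: The duplicate-detection loop in `krad_packet_decode_request` now compares `pkt_id_get(*reqpkt)`, but `*reqpkt` is not assigned until after the loop (`*reqpkt = req;`), so it reads whatever the caller left in the output slot; the removed code decoded directly into `reqpkt`, which is why the expression used to be valid. Use the freshly decoded packet: `if (pkt_id_get(req) == pkt_id_get(tmp))`. The early return on a failed `verify_msgauth` skips the cancelling `(*cb)(data, TRUE)` call, which is fine only because the iterator has not been started for that packet yet; a one-line comment saying so would save the next reader the same check.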
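Review bot: In `krad_packet_decode_response` the Message-Authenticator is verified only `if (has_pkt_msgauth(*rsppkt))`, so an Access-Accept/Reject/Challenge that omits the attribute is still accepted on the response-authenticator check alone — precisely the case `requires_msgauth` describes as mandatory on UDP/TCP, and the one that matters when the matching request (`tmp`) was sent with a Message-Authenticator. If leniency toward servers that do not yet emit the attribute is intended, say so in a comment here; otherwise `if (has_pkt_msgauth(*rsppkt) || requires_msgauth(secret, krad_packet_get_code(*rsppkt)))` makes a missing attribute fall into `verify_msgauth`'s ENODATA path and skip the response. The enclosing loop and function start before the hunk.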
@@ -76,15 +76,15 @@ on_timeout(verto_ctx *ctx, verto_ev *ev); /* Iterate over the set of outstanding packets. */ static const krad_packet * -iterator(request **out) +iterator(void *data, krb5_boolean cancel) { - request *tmp = *out; + request **rptr = data, *req = *rptr; - if (tmp == NULL) + if (cancel || req == NULL) return NULL; - *out = K5_TAILQ_NEXT(tmp, list); - return tmp->request; + *rptr = K5_TAILQ_NEXT(req, list); + return req->request; } /* Create a new request. */ @@ -349,8 +349,7 @@ on_io_read(krad_remote *rr) /* Decode the packet. */ tmp = K5_TAILQ_FIRST(&rr->list); retval = krad_packet_decode_response(rr->kctx, rr->secret, &rr->buffer, - (krad_packet_iter_cb)iterator, &tmp, - &req, &rsp); + iterator, &tmp, &req, &rsp); rr->buffer.length = 0; if (retval != 0) return; @@ -457,7 +456,7 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs, r = K5_TAILQ_FIRST(&rr->list); retval = krad_packet_new_request(rr->kctx, rr->secret, code, attrs, - (krad_packet_iter_cb)iterator, &r, &tmp); + iterator, &r, &tmp); if (retval != 0) goto error; diff --git a/crypto/krb5/src/lib/krad/t_attr.c b/crypto/krb5/src/lib/krad/t_attr.c index eb2a780c89a7..f8940862d63f 100644 --- a/crypto/krb5/src/lib/krad/t_attr.c +++ b/crypto/krb5/src/lib/krad/t_attr.c @@ -40,7 +40,7 @@ const static unsigned char auth[] = { }; int -main() +main(void) { unsigned char outbuf[MAX_ATTRSETSIZE]; const char *decoded = "accept"; 
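Review bot: The comment above `iterator` still reads `/* Iterate over the set of outstanding packets. */` and says nothing about the new `cancel` parameter, which the `krad_packet_iter_cb` users in this hunk now pass as TRUE to stop early. I would extend it: `/* Iterate over the outstanding requests via *data. A cancel call ends the iteration and returns NULL; *data is left where it was, so callers re-seed it before each send or decode. */`. The re-seeding is what `on_io_read` (`tmp = K5_TAILQ_FIRST(&rr->list)`) and `kr_remote_send` (`r = K5_TAILQ_FIRST(&rr->list)`) do, and it is why not rewinding on cancel is safe.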
@@ -63,16 +63,14 @@ main() /* Test decoding. */ in = make_data((void *)encoded, sizeof(encoded)); - noerror(kr_attr_decode(ctx, secret, auth, - krad_attr_name2num("User-Password"), + noerror(kr_attr_decode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD, &in, outbuf, &len)); insist(len == strlen(decoded)); insist(memcmp(outbuf, decoded, len) == 0); /* Test encoding. */ in = string2data((char *)decoded); - retval = kr_attr_encode(ctx, secret, auth, - krad_attr_name2num("User-Password"), + retval = kr_attr_encode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD, &in, outbuf, &len); insist(retval == 0); insist(len == sizeof(encoded)); @@ -80,9 +78,9 @@ main() /* Test constraint. */ in.length = 100; - insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) == 0); + insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) == 0); in.length = 200; - insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) != 0); + insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) != 0); krb5_free_context(ctx); return 0; diff --git a/crypto/krb5/src/lib/krad/t_attrset.c b/crypto/krb5/src/lib/krad/t_attrset.c index 7928335ca400..17a281f15fb4 100644 --- a/crypto/krb5/src/lib/krad/t_attrset.c +++ b/crypto/krb5/src/lib/krad/t_attrset.c @@ -40,7 +40,7 @@ const static unsigned char encpass[] = { }; int -main() +main(void) { unsigned char buffer[KRAD_PACKET_SIZE_MAX], encoded[MAX_ATTRSETSIZE]; const char *username = "testUser", *password = "accept"; 
@@ -55,24 +55,24 @@ main() /* Add username. */ tmp = string2data((char *)username); - noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp)); + noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp)); /* Add password. */ tmp = string2data((char *)password); - noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp)); + noerror(krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp)); /* Encode attrset. */ - noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len)); + noerror(kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len)); krad_attrset_free(set); /* Manually encode User-Name. */ - encoded[len + 0] = krad_attr_name2num("User-Name"); + encoded[len + 0] = KRAD_ATTR_USER_NAME; encoded[len + 1] = strlen(username) + 2; memcpy(encoded + len + 2, username, strlen(username)); len += encoded[len + 1]; /* Manually encode User-Password. */ - encoded[len + 0] = krad_attr_name2num("User-Password"); + encoded[len + 0] = KRAD_ATTR_USER_PASSWORD; encoded[len + 1] = sizeof(encpass) + 2; memcpy(encoded + len + 2, encpass, sizeof(encpass)); len += encoded[len + 1]; @@ -87,7 +87,7 @@ main() /* Test getting an attribute. */ tmp = string2data((char *)username); - tmpp = krad_attrset_get(set, krad_attr_name2num("User-Name"), 0); + tmpp = krad_attrset_get(set, KRAD_ATTR_USER_NAME, 0); insist(tmpp != NULL); insist(tmpp->length == tmp.length); insist(strncmp(tmpp->data, tmp.data, tmp.length) == 0); diff --git a/crypto/krb5/src/lib/krad/t_client.c b/crypto/krb5/src/lib/krad/t_client.c index 3d0fda93e984..9ba5b9efb243 100644 --- a/crypto/krb5/src/lib/krad/t_client.c +++ b/crypto/krb5/src/lib/krad/t_client.c 
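Review bot: The encode test only exercises `kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len)`, so the new `add_msgauth` path — a zeroed Message-Authenticator emitted ahead of the caller's attributes — gets no unit coverage here. A second call with TRUE could assert `buffer[0] == KRAD_ATTR_MESSAGE_AUTHENTICATOR`, `buffer[1] == 2 + MD5_DIGEST_SIZE`, that the sixteen value bytes are zero, and that the bytes after them match the FALSE encoding with `encode_len` larger by 18. That pins the placement `krad_packet_new_request` relies on when it overwrites `pkt_attr(pkt) + 2`.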
@@ -74,45 +74,41 @@ main(int argc, const char **argv) tmp = string2data("testUser"); noerror(krad_attrset_new(kctx, &attrs)); - noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Name"), &tmp)); + noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_NAME, &tmp)); /* Test accept. */ tmp = string2data("accept"); - noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"), - &tmp)); - noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs, - "localhost", "foo", 1000, 3, callback, NULL)); + noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp)); + noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost", + "foo", 1000, 3, callback, NULL)); verto_run(vctx); /* Test reject. */ tmp = string2data("reject"); - krad_attrset_del(attrs, krad_attr_name2num("User-Password"), 0); - noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"), - &tmp)); - noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs, - "localhost", "foo", 1000, 3, callback, NULL)); + krad_attrset_del(attrs, KRAD_ATTR_USER_PASSWORD, 0); + noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp)); + noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost", + "foo", 1000, 3, callback, NULL)); verto_run(vctx); /* Test timeout. */ daemon_stop(); - noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs, - "localhost", "foo", 1000, 3, callback, NULL)); + noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost", + "foo", 1000, 3, callback, NULL)); verto_run(vctx); /* Test outstanding packet freeing. */ - noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs, - "localhost", "foo", 1000, 3, callback, NULL)); + noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost", + "foo", 1000, 3, callback, NULL)); krad_client_free(rc); rc = NULL; /* Verify the results. 
*/ insist(record.count == EVENT_COUNT); insist(record.events[0].error == FALSE); - insist(record.events[0].result.code == - krad_code_name2num("Access-Accept")); + insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT); insist(record.events[1].error == FALSE); - insist(record.events[1].result.code == - krad_code_name2num("Access-Reject")); + insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT); insist(record.events[2].error == TRUE); insist(record.events[2].result.retval == ETIMEDOUT); insist(record.events[3].error == TRUE); diff --git a/crypto/krb5/src/lib/krad/t_code.c b/crypto/krb5/src/lib/krad/t_code.c index b245a7efc0f2..6cd522af55e1 100644 --- a/crypto/krb5/src/lib/krad/t_code.c +++ b/crypto/krb5/src/lib/krad/t_code.c @@ -30,7 +30,7 @@ #include "t_test.h" int -main() +main(void) { const char *tmp; diff --git a/crypto/krb5/src/lib/krad/t_daemon.py b/crypto/krb5/src/lib/krad/t_daemon.py index 4a3de079c7d3..647d4894eb82 100755 --- a/crypto/krb5/src/lib/krad/t_daemon.py +++ b/crypto/krb5/src/lib/krad/t_daemon.py @@ -40,6 +40,7 @@ DICTIONARY = """ ATTRIBUTE\tUser-Name\t1\tstring ATTRIBUTE\tUser-Password\t2\toctets ATTRIBUTE\tNAS-Identifier\t32\tstring +ATTRIBUTE\tMessage-Authenticator\t80\toctets """ class TestServer(server.Server): @@ -52,7 +53,7 @@ class TestServer(server.Server): if key == "User-Password": passwd = [pkt.PwDecrypt(x) for x in pkt[key]] - reply = self.CreateReplyPacket(pkt) + reply = self.CreateReplyPacket(pkt, message_authenticator=True) if passwd == ['accept']: reply.code = packet.AccessAccept else: diff --git a/crypto/krb5/src/lib/krad/t_packet.c b/crypto/krb5/src/lib/krad/t_packet.c index c22489144f4b..3bdabb5cb76a 100644 --- a/crypto/krb5/src/lib/krad/t_packet.c +++ b/crypto/krb5/src/lib/krad/t_packet.c 
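Review bot: The test daemon now advertises `Message-Authenticator` in its dictionary and replies with `message_authenticator=True`, but nothing in the hunk checks the attribute the client attached to the incoming Access-Request, so the MAC produced by `krad_packet_new_request` is never compared against an independent implementation; only the reply direction is cross-checked, through `verify_msgauth` on the client side. If the pyrad version in use can verify a request's Message-Authenticator, rejecting requests that fail it (or carry none) would close that gap; otherwise a comment noting the one-directional coverage would help the next reader.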
@@ -70,27 +70,25 @@ make_packet(krb5_context ctx, const krb5_data *username, if (retval != 0) goto out; - retval = krad_attrset_add(set, krad_attr_name2num("User-Name"), username); + retval = krad_attrset_add(set, KRAD_ATTR_USER_NAME, username); if (retval != 0) goto out; - retval = krad_attrset_add(set, krad_attr_name2num("User-Password"), + retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, password); if (retval != 0) goto out; - retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"), - &nas_id); + retval = krad_attrset_add(set, KRAD_ATTR_NAS_IDENTIFIER, &nas_id); if (retval != 0) goto out; - retval = krad_packet_new_request(ctx, "foo", - krad_code_name2num("Access-Request"), + retval = krad_packet_new_request(ctx, "foo", KRAD_CODE_ACCESS_REQUEST, set, iterator, &i, &tmp); if (retval != 0) goto out; - data = krad_packet_get_attr(tmp, krad_attr_name2num("User-Name"), 0); + data = krad_packet_get_attr(tmp, KRAD_ATTR_USER_NAME, 0); if (data == NULL) { retval = ENOENT; goto out; @@ -156,7 +154,7 @@ do_auth(krb5_context ctx, struct addrinfo *ai, const char *secret, goto out; } - *auth = krad_packet_get_code(rsp) == krad_code_name2num("Access-Accept"); + *auth = krad_packet_get_code(rsp) == KRAD_CODE_ACCESS_ACCEPT; out: krad_packet_free(rsp); @@ -172,6 +170,9 @@ main(int argc, const char **argv) krb5_data username, password; krb5_boolean auth = FALSE; krb5_context ctx; + const krad_packet *dupreq; + const krb5_data *encpkt; + krad_packet *decreq; username = string2data("testUser"); 
@@ -184,9 +185,17 @@ main(int argc, const char **argv) password = string2data("accept"); noerror(make_packet(ctx, &username, &password, &packets[ACCEPT_PACKET])); + encpkt = krad_packet_encode(packets[ACCEPT_PACKET]); + noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL, + &dupreq, &decreq)); + krad_packet_free(decreq); password = string2data("reject"); noerror(make_packet(ctx, &username, &password, &packets[REJECT_PACKET])); + encpkt = krad_packet_encode(packets[REJECT_PACKET]); + noerror(krad_packet_decode_request(ctx, "foo", encpkt, NULL, NULL, + &dupreq, &decreq)); + krad_packet_free(decreq); memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; diff --git a/crypto/krb5/src/lib/krad/t_remote.c b/crypto/krb5/src/lib/krad/t_remote.c index a521ecb7cd0b..d2877ad60c44 100644 --- a/crypto/krb5/src/lib/krad/t_remote.c +++ b/crypto/krb5/src/lib/krad/t_remote.c @@ -78,13 +78,13 @@ do_auth(const char *password, const krad_packet **pkt) krb5_error_code retval; krb5_data tmp = string2data((char *)password); - retval = krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp); + retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp); if (retval != 0) return retval; - retval = kr_remote_send(rr, krad_code_name2num("Access-Request"), set, - callback, NULL, 1000, 3, &tmppkt); - krad_attrset_del(set, krad_attr_name2num("User-Password"), 0); + retval = kr_remote_send(rr, KRAD_CODE_ACCESS_REQUEST, set, callback, NULL, + 1000, 3, &tmppkt); + krad_attrset_del(set, KRAD_ATTR_USER_PASSWORD, 0); if (retval != 0) return retval; @@ -122,7 +122,7 @@ main(int argc, const char **argv) /* Create attribute set. */ noerror(krad_attrset_new(kctx, &set)); tmp = string2data("testUser"); - noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp)); + noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp)); /* Send accept packet. */ noerror(do_auth("accept", NULL)); 
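Review bot: The added round trips feed `krad_packet_decode_request` packets freshly produced by `krad_packet_encode`, so they only show that a self-generated Message-Authenticator verifies; there is no case in which the check must fail. Flipping one byte in a copy of `encpkt` (the returned data presumably aliases the packet's own buffer) and asserting `krad_packet_decode_request` returns EBADMSG, plus a packet with the attribute stripped, would pin the rejection paths the library now depends on. `dupreq` is received but never examined; with a NULL callback it should be NULL, and asserting that costs one line.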
@@ -150,11 +150,9 @@ main(int argc, const char **argv) /* Verify the results. */ insist(record.count == EVENT_COUNT); insist(record.events[0].error == FALSE); - insist(record.events[0].result.code == - krad_code_name2num("Access-Accept")); + insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT); insist(record.events[1].error == FALSE); - insist(record.events[1].result.code == - krad_code_name2num("Access-Reject")); + insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT); insist(record.events[2].error == TRUE); insist(record.events[2].result.retval == ECANCELED); insist(record.events[3].error == TRUE); |