if (decode(h, &reply, &code,
h, h->status_request, h->status_u, u->packet + RADIUS_AUTH_VECTOR_OFFSET,
- h->buffer, slen) != DECODE_FAIL_NONE) return;
+ h->buffer, slen) != FR_RADIUS_FAIL_NONE) return;
fr_pair_list_free(&reply); /* FIXME - Do something with these... */
* the logging destination of the module.
*/
if (!fr_radius_ok(data, size, h->ctx.inst->max_attributes, REQUIRE_MA(h), &failure)) {
- if (failure == DECODE_FAIL_UNKNOWN_PACKET_CODE) return FR_BIO_VERIFY_DISCARD;
+ if (failure == FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE) return FR_BIO_VERIFY_DISCARD;
PERROR("%s - Connection %s received bad packet", h->ctx.module_name, h->ctx.fd_info->name);
- if (failure == DECODE_FAIL_MA_MISSING) {
+ if (failure == FR_RADIUS_FAIL_MA_MISSING) {
if (h->ctx.inst->require_message_authenticator == FR_RADIUS_REQUIRE_MA_YES) {
ERROR("We are configured with 'require_message_authenticator = true'");
} else {
* @param[in] data to decode.
* @param[in] data_len Length of input data.
* @return
- * - DECODE_FAIL_NONE on success.
- * - DECODE_FAIL_* on failure.
+ * - FR_RADIUS_FAIL_NONE on success.
+ * - FR_RADIUS_FAIL_* on failure.
*/
static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
bio_handle_t *h, request_t *request, bio_request_t *u,
if (fr_radius_decode(ctx, reply, data, data_len, &decode_ctx) < 0) {
talloc_free(decode_ctx.tmp_ctx);
RPEDEBUG("Failed reading packet");
- return DECODE_FAIL_UNKNOWN;
+ return FR_RADIUS_FAIL_UNKNOWN;
}
talloc_free(decode_ctx.tmp_ctx);
*/
if (fr_time_gt(u->retry.start, h->mrs_time)) h->mrs_time = u->retry.start;
- return DECODE_FAIL_NONE;
+ return FR_RADIUS_FAIL_NONE;
}
static int encode(bio_handle_t *h, request_t *request, bio_request_t *u, uint8_t id)
* Decode the incoming packet.
*/
reason = decode(request->reply_ctx, &reply, &code, h, request, u, rr->vector, h->buffer, (size_t)slen);
- if (reason != DECODE_FAIL_NONE) continue;
+ if (reason != FR_RADIUS_FAIL_NONE) continue;
/*
* Only valid packets are processed
* Decode the incoming packet
*/
reason = decode(request->reply_ctx, &reply, &code, h, request, u, rr->vector, h->buffer, (size_t)slen);
- if (reason != DECODE_FAIL_NONE) continue;
+ if (reason != FR_RADIUS_FAIL_NONE) continue;
/*
* Only valid packets are processed
return 0;
}
-char const *fr_radius_decode_fail_reason[DECODE_FAIL_MAX + 1] = {
- [DECODE_FAIL_NONE] = "none",
- [DECODE_FAIL_MIN_LENGTH_PACKET] = "packet is smaller than the minimum packet length",
- [DECODE_FAIL_MAX_LENGTH_PACKET] = "packet is larger than the maximum packet length",
- [DECODE_FAIL_MIN_LENGTH_FIELD] = "header 'length' field has a value smaller than the minimum packet length",
- [DECODE_FAIL_MIN_LENGTH_MISMATCH] = "header 'length' field has a value larger than the received data",
- [DECODE_FAIL_UNKNOWN_PACKET_CODE] = "unknown packet code",
- [DECODE_FAIL_UNEXPECTED_REQUEST_CODE] = "unexpected request code",
- [DECODE_FAIL_UNEXPECTED_RESPONSE_CODE] = "unexpected response code",
- [DECODE_FAIL_TOO_MANY_ATTRIBUTES] = "packet contains too many attributes",
-
- [DECODE_FAIL_INVALID_ATTRIBUTE] = "attribute number 0 is invalid",
-
- [DECODE_FAIL_HEADER_OVERFLOW] = "attribute header overflows the packet",
- [DECODE_FAIL_ATTRIBUTE_TOO_SHORT] = "attribute 'length' field contains invalid value",
- [DECODE_FAIL_ATTRIBUTE_OVERFLOW] = "attribute 'length' field overflows the packet",
-
- [DECODE_FAIL_MA_INVALID_LENGTH] = "Message-Authenticate has invalid length",
- [DECODE_FAIL_MA_MISSING] = "Message-Authenticator is required for this packet, but it is missing",
- [DECODE_FAIL_MA_INVALID] = "Message-Authenticator fails verification (shared secret is incorrect)",
- [DECODE_FAIL_PROXY_STATE_MISSING] = "Proxy-State is required for this request, but it is missing",
-
- [DECODE_FAIL_VERIFY] = "packet fails verification (shared secret is incorrect)",
- [DECODE_FAIL_UNKNOWN] = "???",
- [DECODE_FAIL_MAX] = "???",
+char const *fr_radius_decode_fail_reason[FR_RADIUS_FAIL_MAX + 1] = {
+ [FR_RADIUS_FAIL_NONE] = "none",
+ [FR_RADIUS_FAIL_MIN_LENGTH_PACKET] = "packet is smaller than the minimum packet length",
+ [FR_RADIUS_FAIL_MAX_LENGTH_PACKET] = "packet is larger than the maximum packet length",
+ [FR_RADIUS_FAIL_MIN_LENGTH_FIELD] = "header 'length' field has a value smaller than the minimum packet length",
+ [FR_RADIUS_FAIL_MIN_LENGTH_MISMATCH] = "header 'length' field has a value larger than the received data",
+ [FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE] = "unknown packet code",
+ [FR_RADIUS_FAIL_UNEXPECTED_REQUEST_CODE] = "unexpected request code",
+ [FR_RADIUS_FAIL_UNEXPECTED_RESPONSE_CODE] = "unexpected response code",
+ [FR_RADIUS_FAIL_TOO_MANY_ATTRIBUTES] = "packet contains too many attributes",
+
+ [FR_RADIUS_FAIL_INVALID_ATTRIBUTE] = "attribute number 0 is invalid",
+
+ [FR_RADIUS_FAIL_HEADER_OVERFLOW] = "attribute header overflows the packet",
+ [FR_RADIUS_FAIL_ATTRIBUTE_TOO_SHORT] = "attribute 'length' field contains invalid value",
+ [FR_RADIUS_FAIL_ATTRIBUTE_OVERFLOW] = "attribute 'length' field overflows the packet",
+
+ [FR_RADIUS_FAIL_MA_INVALID_LENGTH] = "Message-Authenticate has invalid length",
+ [FR_RADIUS_FAIL_MA_MISSING] = "Message-Authenticator is required for this packet, but it is missing",
+ [FR_RADIUS_FAIL_MA_INVALID] = "Message-Authenticator fails verification (shared secret is incorrect)",
+ [FR_RADIUS_FAIL_PROXY_STATE_MISSING] = "Proxy-State is required for this request, but it is missing",
+
+ [FR_RADIUS_FAIL_VERIFY] = "packet fails verification (shared secret is incorrect)",
+ [FR_RADIUS_FAIL_UNKNOWN] = "???",
+ [FR_RADIUS_FAIL_MAX] = "???",
};
/** See if the data pointed to by PTR is a valid RADIUS packet.
size_t totallen;
bool seen_ma = false;
uint32_t num_attributes;
- fr_radius_decode_fail_t failure = DECODE_FAIL_NONE;
+ fr_radius_decode_fail_t failure = FR_RADIUS_FAIL_NONE;
size_t packet_len = *packet_len_p;
/*
* "The minimum length is 20 ..."
*/
if (packet_len < RADIUS_HEADER_LENGTH) {
- failure = DECODE_FAIL_MIN_LENGTH_PACKET;
+ failure = FR_RADIUS_FAIL_MIN_LENGTH_PACKET;
goto finish;
}
*/
if ((packet[0] == 0) ||
(packet[0] >= FR_RADIUS_CODE_MAX)) {
- failure = DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ failure = FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE;
goto finish;
}
* "The minimum length is 20 ..."
*/
if (totallen < RADIUS_HEADER_LENGTH) {
- failure = DECODE_FAIL_MIN_LENGTH_FIELD;
+ failure = FR_RADIUS_FAIL_MIN_LENGTH_FIELD;
goto finish;
}
* i.e. No response to the NAS.
*/
if (totallen > packet_len) {
- failure = DECODE_FAIL_MIN_LENGTH_MISMATCH;
+ failure = FR_RADIUS_FAIL_MIN_LENGTH_MISMATCH;
goto finish;
}
* attribute header.
*/
if ((end - attr) < 2) {
- failure = DECODE_FAIL_HEADER_OVERFLOW;
+ failure = FR_RADIUS_FAIL_HEADER_OVERFLOW;
goto finish;
}
* Attribute number zero is NOT defined.
*/
if (attr[0] == 0) {
- failure = DECODE_FAIL_INVALID_ATTRIBUTE;
+ failure = FR_RADIUS_FAIL_INVALID_ATTRIBUTE;
goto finish;
}
* fields. Anything shorter is an invalid attribute.
*/
if (attr[1] < 2) {
- failure = DECODE_FAIL_ATTRIBUTE_TOO_SHORT;
+ failure = FR_RADIUS_FAIL_ATTRIBUTE_TOO_SHORT;
goto finish;
}
* attribute, it's a bad packet.
*/
if ((attr + attr[1]) > end) {
- failure = DECODE_FAIL_ATTRIBUTE_OVERFLOW;
+ failure = FR_RADIUS_FAIL_ATTRIBUTE_OVERFLOW;
goto finish;
}
case FR_MESSAGE_AUTHENTICATOR:
if (attr[1] != 2 + RADIUS_AUTH_VECTOR_LENGTH) {
- failure = DECODE_FAIL_MA_INVALID_LENGTH;
+ failure = FR_RADIUS_FAIL_MA_INVALID_LENGTH;
goto finish;
}
seen_ma = true;
* then throw the packet away, as a possible DoS.
*/
if (num_attributes > max_attributes) {
- failure = DECODE_FAIL_TOO_MANY_ATTRIBUTES;
+ failure = FR_RADIUS_FAIL_TOO_MANY_ATTRIBUTES;
goto finish;
}
* Message-Authenticator attributes.
*/
if (require_message_authenticator && !seen_ma) {
- failure = DECODE_FAIL_MA_MISSING;
+ failure = FR_RADIUS_FAIL_MA_MISSING;
goto finish;
}
if (reason) *reason = failure;
- return (failure == DECODE_FAIL_NONE);
+ return (failure == FR_RADIUS_FAIL_NONE);
}
if (packet_len < RADIUS_HEADER_LENGTH) {
fr_strerror_printf("invalid packet length %zu", packet_len);
- return -DECODE_FAIL_MIN_LENGTH_PACKET;
+ return -FR_RADIUS_FAIL_MIN_LENGTH_PACKET;
}
code = packet[0];
if (!code || (code >= FR_RADIUS_CODE_MAX)) {
fr_strerror_printf("Unknown reply code %d", code);
- return -DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ return -FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE;
}
memcpy(request_authenticator, packet + 4, sizeof(request_authenticator));
if ((msg + msg[1]) > end) {
invalid_attribute:
fr_strerror_printf("invalid attribute at offset %zd", msg - packet);
- return -DECODE_FAIL_INVALID_ATTRIBUTE;
+ return -FR_RADIUS_FAIL_INVALID_ATTRIBUTE;
}
msg += msg[1];
continue;
if (msg[1] < 18) {
fr_strerror_const("too small Message-Authenticator");
- return -DECODE_FAIL_MA_INVALID_LENGTH;
+ return -FR_RADIUS_FAIL_MA_INVALID_LENGTH;
}
/*
if (packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST) {
if (limit_proxy_state && found_proxy_state && !found_message_authenticator) {
fr_strerror_const("Proxy-State is not allowed without Message-Authenticator");
- return -DECODE_FAIL_MA_MISSING;
+ return -FR_RADIUS_FAIL_MA_MISSING;
}
if (require_message_authenticator && !found_message_authenticator) {
fr_strerror_const("Access-Request is missing the required Message-Authenticator attribute");
- return -DECODE_FAIL_MA_MISSING;
+ return -FR_RADIUS_FAIL_MA_MISSING;
}
}
rcode = fr_radius_sign(packet, vector, secret, secret_len);
if (rcode < 0) {
fr_strerror_const_push("Failed calculating correct authenticator");
- return -DECODE_FAIL_VERIFY;
+ return -FR_RADIUS_FAIL_VERIFY;
}
/*
memcpy(packet + 4, request_authenticator, sizeof(request_authenticator));
fr_strerror_const("invalid Message-Authenticator (shared secret is incorrect)");
- return -DECODE_FAIL_MA_INVALID;
+ return -FR_RADIUS_FAIL_MA_INVALID;
}
/*
} else {
fr_strerror_const("invalid Request Authenticator (shared secret is incorrect)");
}
- return -DECODE_FAIL_VERIFY;
+ return -FR_RADIUS_FAIL_VERIFY;
}
return 0;
unsigned int code = packet[0];
if (code >= FR_RADIUS_CODE_MAX) {
- return -DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ return -FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE;
}
if (decode_ctx->request_code >= FR_RADIUS_CODE_MAX) {
- return -DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ return -FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE;
}
if (!allowed_replies[code]) {
fr_strerror_printf("%s packet received unknown reply code %s",
fr_radius_packet_name[decode_ctx->request_code], fr_radius_packet_name[code]);
- return -DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ return -FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE;
}
/*
(decode_ctx->request_code != FR_RADIUS_CODE_STATUS_SERVER)) {
fr_strerror_printf("%s packet received invalid reply code %s",
fr_radius_packet_name[decode_ctx->request_code], fr_radius_packet_name[code]);
- return -DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ return -FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE;
}
}
/** Failure reasons */
typedef enum {
- DECODE_FAIL_NONE = 0,
- DECODE_FAIL_MIN_LENGTH_PACKET,
- DECODE_FAIL_MAX_LENGTH_PACKET,
- DECODE_FAIL_MIN_LENGTH_FIELD,
- DECODE_FAIL_MIN_LENGTH_MISMATCH,
- DECODE_FAIL_UNKNOWN_PACKET_CODE,
- DECODE_FAIL_UNEXPECTED_REQUEST_CODE,
- DECODE_FAIL_UNEXPECTED_RESPONSE_CODE,
- DECODE_FAIL_TOO_MANY_ATTRIBUTES,
-
- DECODE_FAIL_INVALID_ATTRIBUTE,
-
- DECODE_FAIL_HEADER_OVERFLOW,
- DECODE_FAIL_ATTRIBUTE_TOO_SHORT,
- DECODE_FAIL_ATTRIBUTE_OVERFLOW,
-
- DECODE_FAIL_MA_INVALID_LENGTH,
- DECODE_FAIL_MA_MISSING,
- DECODE_FAIL_MA_INVALID,
- DECODE_FAIL_PROXY_STATE_MISSING,
-
- DECODE_FAIL_VERIFY,
- DECODE_FAIL_UNKNOWN,
- DECODE_FAIL_MAX
+ FR_RADIUS_FAIL_NONE = 0,
+ FR_RADIUS_FAIL_MIN_LENGTH_PACKET,
+ FR_RADIUS_FAIL_MAX_LENGTH_PACKET,
+ FR_RADIUS_FAIL_MIN_LENGTH_FIELD,
+ FR_RADIUS_FAIL_MIN_LENGTH_MISMATCH,
+ FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE,
+ FR_RADIUS_FAIL_UNEXPECTED_REQUEST_CODE,
+ FR_RADIUS_FAIL_UNEXPECTED_RESPONSE_CODE,
+ FR_RADIUS_FAIL_TOO_MANY_ATTRIBUTES,
+
+ FR_RADIUS_FAIL_INVALID_ATTRIBUTE,
+
+ FR_RADIUS_FAIL_HEADER_OVERFLOW,
+ FR_RADIUS_FAIL_ATTRIBUTE_TOO_SHORT,
+ FR_RADIUS_FAIL_ATTRIBUTE_OVERFLOW,
+
+ FR_RADIUS_FAIL_MA_INVALID_LENGTH,
+ FR_RADIUS_FAIL_MA_MISSING,
+ FR_RADIUS_FAIL_MA_INVALID,
+ FR_RADIUS_FAIL_PROXY_STATE_MISSING,
+
+ FR_RADIUS_FAIL_VERIFY,
+ FR_RADIUS_FAIL_UNKNOWN,
+ FR_RADIUS_FAIL_MAX
} fr_radius_decode_fail_t;
-extern char const *fr_radius_decode_fail_reason[DECODE_FAIL_MAX + 1];
+extern char const *fr_radius_decode_fail_reason[FR_RADIUS_FAIL_MAX + 1];
DIAG_OFF(unused-function)
/** Return RADIUS-specific flags for a given attribute
projects / thirdparty / freeradius-server.git / commitdiff
