make it work with nested VPs

author Alan T. DeKok <aland@freeradius.org>

Thu, 8 Apr 2021 19:19:02 +0000 (15:19 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Thu, 8 Apr 2021 19:24:40 +0000 (15:24 -0400)
author Alan T. DeKok <aland@freeradius.org>
Thu, 8 Apr 2021 19:19:02 +0000 (15:19 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Thu, 8 Apr 2021 19:24:40 +0000 (15:24 -0400)
diff --git a/src/modules/rlm_digest/rlm_digest.c b/src/modules/rlm_digest/rlm_digest.c

index a45307fb3f2601e0b8120ebbd9b1eca4d6de3476..97974855a235d812c88994473aea4dde5fd86612 100644 (file)
--- a/src/modules/rlm_digest/rlm_digest.c
+++ b/src/modules/rlm_digest/rlm_digest.c
@@ -92,15 +92,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
         /*
          *      Find the first attribute which is parented by Digest-Attributes.
          */
-       for (vp = fr_pair_list_head(&request->request_pairs);
-            vp;
-            vp = fr_pair_list_next(&request->request_pairs, vp)) {
-               if (vp->da->parent == attr_digest_attributes) break;
-       }
-       /*
-        *      For simplicity, we allow the caller to omit things
-        *      that they don't care about.
-        */
+       vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_attributes);
         if (!vp) RETURN_MODULE_NOOP;
  
         if (!inst->auth_type) {
@@ -129,6 +121,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
         uint8_t hash[16];       /* MD5 output */
         fr_pair_t *vp, *passwd, *algo;
         fr_pair_t *qop, *nonce;
+       fr_pair_list_t *list;
  
         /*
          *      We require access to the plain-text password, or to the
@@ -148,10 +141,17 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                 RETURN_MODULE_INVALID;
         }
  
+       vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_attributes);
+       if (!vp) {
+               REDEBUG("Digest-Attributes is required for authentication");
+               RETURN_MODULE_INVALID;
+       }
+       list = &vp->vp_group;
+
         /*
          *      We require access to the Digest-Nonce-Value
          */
-       nonce = fr_pair_find_by_da(&request->request_pairs, attr_digest_nonce);
+       nonce = fr_pair_find_by_da(list, attr_digest_nonce);
         if (!nonce) {
                 REDEBUG("No Digest-Nonce: Cannot perform Digest authentication");
                 RETURN_MODULE_INVALID;
@@ -160,7 +160,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
         /*
          *      A1 = Digest-User-Name ":" Realm ":" Password
          */
-       vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_user_name);
+       vp = fr_pair_find_by_da(list, attr_digest_user_name);
         if (!vp) {
                 REDEBUG("No Digest-User-Name: Cannot perform Digest authentication");
                 RETURN_MODULE_INVALID;
@@ -171,7 +171,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
         a1[a1_len] = ':';
         a1_len++;
  
-       vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_realm);
+       vp = fr_pair_find_by_da(list, attr_digest_realm);
         if (!vp) {
                 REDEBUG("No Digest-Realm: Cannot perform Digest authentication");
                 RETURN_MODULE_INVALID;
@@ -197,7 +197,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
          *      See which variant we calculate.
          *      Assume MD5 if no Digest-Algorithm attribute received
          */
-       algo = fr_pair_find_by_da(&request->request_pairs, attr_digest_algorithm);
+       algo = fr_pair_find_by_da(list, attr_digest_algorithm);
         if ((!algo) ||
             (strcasecmp(algo->vp_strvalue, "MD5") == 0)) {
                 /*
@@ -242,7 +242,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                 a1[a1_len] = ':';
                 a1_len++;
  
-               vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_cnonce);
+               vp = fr_pair_find_by_da(list, attr_digest_cnonce);
                 if (!vp) {
                         REDEBUG("No Digest-CNonce: Cannot perform Digest authentication");
                         RETURN_MODULE_INVALID;
@@ -270,7 +270,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
         /*
          *      A2 = Digest-Method ":" Digest-URI
          */
-       vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_method);
+       vp = fr_pair_find_by_da(list, attr_digest_method);
         if (!vp) {
                 REDEBUG("No Digest-Method: Cannot perform Digest authentication");
                 RETURN_MODULE_INVALID;
@@ -281,7 +281,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
         a2[a2_len] = ':';
         a2_len++;
  
-       vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_uri);
+       vp = fr_pair_find_by_da(list, attr_digest_uri);
         if (!vp) {
                 REDEBUG("No Digest-URI: Cannot perform Digest authentication");
                 RETURN_MODULE_INVALID;
@@ -292,7 +292,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
         /*
          *  QOP is "auth-int", tack on ": Digest-Body-Digest"
          */
-       qop = fr_pair_find_by_da(&request->request_pairs, attr_digest_qop);
+       qop = fr_pair_find_by_da(list, attr_digest_qop);
         if (qop) {
                 if (strcasecmp(qop->vp_strvalue, "auth-int") == 0) {
                         fr_pair_t *body;
@@ -306,7 +306,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                         /*
                          *  Must be a hex representation of an MD5 digest.
                          */
-                       body = fr_pair_find_by_da(&request->request_pairs, attr_digest_body_digest);
+                       body = fr_pair_find_by_da(list, attr_digest_body_digest);
                         if (!body) {
                                 REDEBUG("No Digest-Body-Digest: Cannot perform Digest authentication");
                                 RETURN_MODULE_INVALID;
@@ -369,7 +369,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                 kd[kd_len] = ':';
                 kd_len++;
  
-               vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_nonce_count);
+               vp = fr_pair_find_by_da(list, attr_digest_nonce_count);
                 if (!vp) {
                         REDEBUG("No Digest-Nonce-Count: Cannot perform Digest authentication");
                         RETURN_MODULE_INVALID;
@@ -380,7 +380,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                 kd[kd_len] = ':';
                 kd_len++;
  
-               vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_cnonce);
+               vp = fr_pair_find_by_da(list, attr_digest_cnonce);
                 if (!vp) {
                         REDEBUG("No Digest-CNonce: Cannot perform Digest authentication");
                         RETURN_MODULE_INVALID;
@@ -420,7 +420,8 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
         memcpy(&kd[0], &hash[0], 16);
  
         /*
-        *      Get the binary value of Digest-Response
+        *      Get the binary value of Digest-Response.  This isn't
+        *      inside of the Digest-Attributes group.
          */
         vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_response);
         if (!vp) {
author	Alan T. DeKok <aland@freeradius.org>
	Thu, 8 Apr 2021 19:19:02 +0000 (15:19 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Thu, 8 Apr 2021 19:24:40 +0000 (15:24 -0400)