/*
* Set the authentication vector to zero,
- * calculate the signature, and put it
+ * calculate the HMAC, and put it
* into the Message-Authenticator
* attribute.
*/
/*
* Validates the requesting client NAS. Calculates the
- * signature based on the clients private key.
+ * Request Authenticator based on the clients private key.
*/
static int calc_acctdigest(RADIUS_PACKET *packet, const char *secret)
{
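Review bot: The reworded comment above calc_acctdigest still says the authenticator is calculated from "the clients private key", but the function takes `const char *secret`, and RADIUS authenticators are keyed with the shared secret rather than a private key. Having corrected "signature", the line should also read `* Request Authenticator based on the shared secret.`. The same phrase remains in the comment above calc_replydigest in the next hunk. That comment's first sentence also still says it validates the requesting client NAS, although the visible call site reports replies from a home server. Both function bodies are outside these hunks, so this rests on the signatures and messages shown.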
/*
* Validates the requesting client NAS. Calculates the
- * signature based on the clients private key.
+ * Response Authenticator based on the clients private key.
*/
static int calc_replydigest(RADIUS_PACKET *packet, RADIUS_PACKET *original,
const char *secret)
/*
- * Verify the signature of a packet.
+ * Verify the Request/Response Authenticator
+ * (and Message-Authenticator if present) of a packet.
*/
int rad_verify(RADIUS_PACKET *packet, RADIUS_PACKET *original,
const char *secret)
} /* loop over the packet, sanity checking the attributes */
/*
- * It looks like a RADIUS packet, but we can't validate
- * the signature.
+ * It looks like a RADIUS packet, but we don't know what it is
+ * so can't validate the authenticators.
*/
if ((packet->code == 0) || (packet->code >= FR_MAX_PACKET_CODE)) {
char buffer[32];
fr_strerror_printf("Received Unknown packet code %d "
- "from client %s port %d: Cannot validate signature.",
+ "from client %s port %d: Cannot validate Request/Response Authenticator.",
packet->code,
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
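Review bot: `char buffer[32]` in the unknown-code branch is shorter than a full textual IPv6 address (INET6_ADDRSTRLEN is 46), and inet_ntop is called with `packet->src_ipaddr.af`, so the family is presumably not always AF_INET. If the size argument, which is outside this hunk, is `sizeof(buffer)`, inet_ntop returns NULL for a long address and that NULL is then formatted with `%s`. Consider `char buffer[INET6_ADDRSTRLEN];` so the log line for a rejected packet always carries its source address. The rest of the call and the end of the branch are not visible here.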
}
/*
- * Calculate and/or verify digest.
+ * Calculate and/or verify Request or Response Authenticator.
*/
switch(packet->code) {
int rcode;
case PW_ACCOUNTING_REQUEST:
if (calc_acctdigest(packet, secret) > 1) {
fr_strerror_printf("Received %s packet "
- "from client %s with invalid signature! (Shared secret is incorrect.)",
+ "from client %s with invalid Request Authenticator! (Shared secret is incorrect.)",
fr_packet_codes[packet->code],
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
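Review bot: The new message in the PW_ACCOUNTING_REQUEST case names the right field but still states "(Shared secret is incorrect.)" as fact. A Request Authenticator mismatch shows only that the packet was not produced with this secret, which is also how a corrupted or forged packet looks. Wording such as `"from client %s with invalid Request Authenticator! (Shared secret may be incorrect.)"` keeps operators from reading every failure as a configuration error. The home-server message in the next hunk has the same parenthetical, and unlike it this message has no `port %d`. The remaining arguments of the call are outside the hunk.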
rcode = calc_replydigest(packet, original, secret);
if (rcode > 1) {
fr_strerror_printf("Received %s packet "
- "from home server %s port %d with invalid signature! (Shared secret is incorrect.)",
+ "from home server %s port %d with invalid Response Authenticator! (Shared secret is incorrect.)",
fr_packet_codes[packet->code],
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
default:
fr_strerror_printf("Received Unknown packet code %d "
- "from client %s port %d: Cannot validate signature",
+ "from client %s port %d: Cannot validate Request/Response Authenticator",
packet->code,
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
/*
* Use Chap-Challenge pair if present,
- * Request-Authenticator otherwise.
+ * Request Authenticator otherwise.
*/
challenge = pairfind(packet->vps, PW_CHAP_CHALLENGE);
if (challenge) {
cprintf(listener, "\tdup\t\t%u\n", stats->total_dup_requests);
cprintf(listener, "\tinvalid\t\t%u\n", stats->total_invalid_requests);
cprintf(listener, "\tmalformed\t%u\n", stats->total_malformed_requests);
- cprintf(listener, "\tbad_signature\t%u\n", stats->total_bad_authenticators);
+ cprintf(listener, "\tbad_authenticator\t%u\n", stats->total_bad_authenticators);
cprintf(listener, "\tdropped\t\t%u\n", stats->total_packets_dropped);
cprintf(listener, "\tunknown_types\t%u\n", stats->total_unknown_types);
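Review bot: Renaming the printed key from `bad_signature` to `bad_authenticator` changes the text this listener emits, so any script or monitor that matches the old key stops seeing the counter for packets that failed authenticator checks. That deserves a line in the commit message or release notes. The longer name also runs past the tab stop the neighbouring rows rely on, so with 8-column tabs the value lands one stop to the right; if alignment matters, the other rows need an extra `\t`. A short comment above these calls, for example `/* output keys may be parsed by external tools */`, would record the constraint. The enclosing function starts and ends outside this hunk.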