start moving more code to centralized RADIUS library

author Alan T. DeKok <aland@freeradius.org>

Mon, 22 Jan 2024 21:35:38 +0000 (16:35 -0500)

committer Alan T. DeKok <aland@freeradius.org>

Mon, 22 Jan 2024 23:45:06 +0000 (18:45 -0500)
author Alan T. DeKok <aland@freeradius.org>
Mon, 22 Jan 2024 21:35:38 +0000 (16:35 -0500)
committer Alan T. DeKok <aland@freeradius.org>
Mon, 22 Jan 2024 23:45:06 +0000 (18:45 -0500)
diff --git a/src/modules/rlm_radius/rlm_radius_udp.c b/src/modules/rlm_radius/rlm_radius_udp.c

index 0477be3934e03af63a7a3271c4e37c3139a88c91..9fba7b860525536a19343791ba2335d1e7e5e5f9 100644 (file)
--- a/src/modules/rlm_radius/rlm_radius_udp.c
+++ b/src/modules/rlm_radius/rlm_radius_udp.c
@@ -1180,11 +1180,6 @@ static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *res
         }
  
         code = data[0];
-       if (!code || (code >= FR_RADIUS_CODE_MAX)) {
-               REDEBUG("Unknown reply code %d", code);
-               return DECODE_FAIL_UNKNOWN_PACKET_CODE;
-       }
-
         if (!allowed_replies[code]) {
                 REDEBUG("%s packet received invalid reply code %s",
                         fr_radius_packet_names[u->code], fr_radius_packet_names[code]);
diff --git a/src/protocols/radius/base.c b/src/protocols/radius/base.c

index 8eb25dbe65c4ce00f49d6649aafcbd354aa87805..6e8f7d0dc12c2631086c68b8c3e6079f739dec77 100644 (file)
--- a/src/protocols/radius/base.c
+++ b/src/protocols/radius/base.c
@@ -698,6 +698,7 @@ int fr_radius_verify(uint8_t *packet, uint8_t const *original,
  {
         bool found_ma;
         int rcode;
+       int code;
         uint8_t *msg, *end;
         size_t packet_len = fr_nbo_to_uint16(packet + 2);
         uint8_t request_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
@@ -708,6 +709,12 @@ int fr_radius_verify(uint8_t *packet, uint8_t const *original,
                 return -1;
         }
  
+       code = packet[0];
+       if (!code || (code >= FR_RADIUS_CODE_MAX)) {
+               fr_strerror_printf("Unknown reply code %d", code);
+               return -1;
+       }
+
         memcpy(request_authenticator, packet + 4, sizeof(request_authenticator));
  
         /*
@@ -833,6 +840,27 @@ ssize_t fr_radius_encode(uint8_t *packet, size_t packet_len, uint8_t const *orig
         return fr_radius_encode_dbuff(&FR_DBUFF_TMP(packet, packet_len), original, secret, secret_len, code, id, vps);
  }
  
+static const bool disallow_tunnel_passwords[FR_RADIUS_CODE_MAX] = {
+       [ FR_RADIUS_CODE_ACCESS_REQUEST ] = true,
+       // can be in Access-Accept
+       [ FR_RADIUS_CODE_ACCESS_REJECT ] = true,
+       [ FR_RADIUS_CODE_ACCESS_CHALLENGE ] = true,
+
+       [ FR_RADIUS_CODE_ACCOUNTING_REQUEST ] = true,
+       [ FR_RADIUS_CODE_ACCOUNTING_RESPONSE ] = true,
+
+       [ FR_RADIUS_CODE_STATUS_SERVER ] = true,
+
+       [ FR_RADIUS_CODE_COA_ACK ] = true,
+       [ FR_RADIUS_CODE_COA_NAK ] = true,
+
+       [ FR_RADIUS_CODE_DISCONNECT_REQUEST ] = true,
+       [ FR_RADIUS_CODE_DISCONNECT_ACK ] = true,
+       [ FR_RADIUS_CODE_DISCONNECT_NAK ] = true,
+
+       [ FR_RADIUS_CODE_PROTOCOL_ERROR ] = true,
+};
+
  ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original,
                          char const *secret, UNUSED size_t secret_len, int code, int id, fr_pair_list_t *vps)
  {
@@ -846,6 +874,7 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original,
         packet_ctx.secret = secret;
         packet_ctx.rand_ctx.a = fr_rand();
         packet_ctx.rand_ctx.b = fr_rand();
+       packet_ctx.disallow_tunnel_passwords = disallow_tunnel_passwords[code];
  
         /*
          *      The RADIUS header can't do more than 64K of data.
@@ -859,8 +888,6 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original,
         switch (code) {
         case FR_RADIUS_CODE_ACCESS_REQUEST:
         case FR_RADIUS_CODE_STATUS_SERVER:
-               packet_ctx.disallow_tunnel_passwords = true;
-
                 /*
                  *      Callers in these cases have preloaded the buffer with the authentication vector.
                  */
@@ -875,9 +902,6 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original,
         case FR_RADIUS_CODE_DISCONNECT_ACK:
         case FR_RADIUS_CODE_DISCONNECT_NAK:
         case FR_RADIUS_CODE_PROTOCOL_ERROR:
-               packet_ctx.disallow_tunnel_passwords = true;
-               FALL_THROUGH;
-
         case FR_RADIUS_CODE_ACCESS_ACCEPT:
                 if (!original) {
                         fr_strerror_const("Cannot encode response without request");
@@ -889,9 +913,6 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original,
  
         case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
         case FR_RADIUS_CODE_DISCONNECT_REQUEST:
-               packet_ctx.disallow_tunnel_passwords = true;
-               FALL_THROUGH;
-
                 /*
                  *      Tunnel-Password encoded attributes are allowed
                  *      in CoA-Request packets, by RFC 5176 Section
author	Alan T. DeKok <aland@freeradius.org>
	Mon, 22 Jan 2024 21:35:38 +0000 (16:35 -0500)
committer	Alan T. DeKok <aland@freeradius.org>
	Mon, 22 Jan 2024 23:45:06 +0000 (18:45 -0500)
src/modules/rlm_radius/rlm_radius_udp.c		patch \| blob \| blame \| history
src/protocols/radius/base.c		patch \| blob \| blame \| history