#define KRAD_SERVICE_TYPE_CALL_CHECK 10
#define KRAD_SERVICE_TYPE_CALLBACK_ADMINISTRATIVE 11
+#define KRAD_ATTR_USER_NAME 1
+#define KRAD_ATTR_USER_PASSWORD 2
+#define KRAD_ATTR_SERVICE_TYPE 6
+#define KRAD_ATTR_NAS_IDENTIFIER 32
+#define KRAD_ATTR_PROXY_STATE 33
+#define KRAD_ATTR_MESSAGE_AUTHENTICATOR 80
+
+#define KRAD_CODE_ACCESS_REQUEST 1
+#define KRAD_CODE_ACCESS_ACCEPT 2
+#define KRAD_CODE_ACCESS_REJECT 3
+#define KRAD_CODE_ACCESS_CHALLENGE 11
+
typedef struct krad_attrset_st krad_attrset;
typedef struct krad_packet_st krad_packet;
typedef struct krad_client_st krad_client;
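Review bot: The new KRAD_ATTR_* and KRAD_CODE_* macros are public wire constants, yet nothing in the header says where the values come from, so a mistyped number would only be caught by a test that happens to exercise it. The values do match the specifications (User-Name 1, User-Password 2, Service-Type 6, NAS-Identifier 32, Proxy-State 33 in RFC 2865; Message-Authenticator 80 in RFC 2869; codes 1, 2, 3, 11 in RFC 2865 section 3), and a one-line comment above each group would make that checkable, e.g. `/* RADIUS attribute types, RFC 2865 section 5; Message-Authenticator is RFC 2869 section 5.14. */` before KRAD_ATTR_USER_NAME and `/* RADIUS packet codes, RFC 2865 section 3. */` before KRAD_CODE_ACCESS_REQUEST. KRAD_ATTR_PROXY_STATE is defined here but no use of it appears in this diff, so it presumably serves code outside these hunks.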
unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen)
{
krb5_error_code retval;
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
const uint8_t zeroes[MD5_DIGEST_SIZE] = { 0 };
krb5_data zerodata;
size_t i = 0;
/* Encode Message-Authenticator as the first attribute, per
* draft-ietf-radext-deprecating-radius-03 section 5.2. */
zerodata = make_data((uint8_t *)zeroes, MD5_DIGEST_SIZE);
- retval = append_attr(set->ctx, secret, auth, msgauth_type, &zerodata,
+ retval = append_attr(set->ctx, secret, auth,
+ KRAD_ATTR_MESSAGE_AUTHENTICATOR, &zerodata,
outbuf, &i);
if (retval)
return retval;
* Message-Authenticator is required in Access-Request packets and all
* potential responses when UDP or TCP transport is used.
*/
- return code == krad_code_name2num("Access-Request") ||
- code == krad_code_name2num("Access-Reject") ||
- code == krad_code_name2num("Access-Accept") ||
- code == krad_code_name2num("Access-Challenge");
+ return code == KRAD_CODE_ACCESS_REQUEST ||
+ code == KRAD_CODE_ACCESS_ACCEPT || code == KRAD_CODE_ACCESS_REJECT ||
+ code == KRAD_CODE_ACCESS_CHALLENGE;
}
/* Check if the packet has a Message-Authenticator attribute. */
static inline krb5_boolean
has_pkt_msgauth(const krad_packet *pkt)
{
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
-
- return krad_attrset_get(pkt->attrset, msgauth_type, 0) != NULL;
+ return krad_attrset_get(pkt->attrset, KRAD_ATTR_MESSAGE_AUTHENTICATOR,
+ 0) != NULL;
}
/* Return the beginning of the Message-Authenticator attribute in pkt, or NULL
static const uint8_t *
lookup_msgauth_addr(const krad_packet *pkt)
{
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
size_t i;
uint8_t *p;
i = OFFSET_ATTR;
while (i + 2 < pkt->pkt.length) {
p = (uint8_t *)offset(&pkt->pkt, i);
- if (msgauth_type == *p)
+ if (*p == KRAD_ATTR_MESSAGE_AUTHENTICATOR)
return p;
i += p[1];
}
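Review bot: The rewritten comparison `if (*p == KRAD_ATTR_MESSAGE_AUTHENTICATOR)` lives in a loop whose only progress step is `i += p[1];`, so a length octet of 0 leaves i unchanged and the loop never terminates; nothing in this hunk rejects that case. If lookup_msgauth_addr is only reached with packets that already passed the attribute decoder's length checks, that invariant should be stated above the loop, e.g. `/* pkt was validated by the decoder, so every length octet is at least 2. */`; if that cannot be assumed, `if (p[1] < 2) return NULL;` before the increment closes the gap. The function's return after the loop is outside the hunk.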
const uint8_t auth[AUTH_FIELD_SIZE],
uint8_t mac_out[MD5_DIGEST_SIZE])
{
- uint8_t zeroed_msgauth[MSGAUTH_SIZE];
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
const uint8_t *msgauth_attr, *msgauth_end, *pkt_end;
krb5_crypto_iov input[5];
krb5_data ksecr, mac;
+ static const uint8_t zeroed_msgauth[MSGAUTH_SIZE] = {
+ KRAD_ATTR_MESSAGE_AUTHENTICATOR, MSGAUTH_SIZE
+ };
msgauth_attr = lookup_msgauth_addr(pkt);
if (msgauth_attr == NULL)
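Review bot: The new static const zeroed_msgauth initializer lists only the type and length octets and relies on implicit zero fill for the remaining MD5_DIGEST_SIZE bytes, where the removed memset made that explicit; the initializer is correct, but a comment keeps the intent visible, e.g. `/* Trailing bytes are implicitly zero, as RFC 2869 section 5.14 requires for the digest input. */`. In the next hunk, `make_data((uint8_t *)zeroed_msgauth, MSGAUTH_SIZE)` now casts away const on an object in read-only storage, which is only safe because input[3] is consumed as an input iov and never written; a comment at that cast such as `/* const cast: input iov, never written through */` would stop a later change from turning it into a fault. The enclosing function's signature begins, and its body continues, outside this hunk.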
/* Read Message-Authenticator with the data bytes all set to zero, per RFC
* 2869 section 5.14. */
- zeroed_msgauth[0] = msgauth_type;
- zeroed_msgauth[1] = MSGAUTH_SIZE;
- memset(zeroed_msgauth + 2, 0, MD5_DIGEST_SIZE);
input[3].flags = KRB5_CRYPTO_TYPE_DATA;
- input[3].data = make_data(zeroed_msgauth, MSGAUTH_SIZE);
+ input[3].data = make_data((uint8_t *)zeroed_msgauth, MSGAUTH_SIZE);
/* Read any attributes after Message-Authenticator. */
input[4].flags = KRB5_CRYPTO_TYPE_DATA;
goto error;
/* Determine if Message-Authenticator is required. */
- msgauth_required = (*secret != '\0' &&
- code == krad_code_name2num("Access-Request"));
+ msgauth_required = (*secret != '\0' && code == KRAD_CODE_ACCESS_REQUEST);
/* Encode the attributes. */
retval = kr_attrset_encode(set, secret, pkt_auth(pkt), msgauth_required,
const uint8_t auth[AUTH_FIELD_SIZE])
{
uint8_t mac[MD5_DIGEST_SIZE];
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
const krb5_data *msgauth;
krb5_error_code retval;
- msgauth = krad_packet_get_attr(pkt, msgauth_type, 0);
+ msgauth = krad_packet_get_attr(pkt, KRAD_ATTR_MESSAGE_AUTHENTICATOR, 0);
if (msgauth == NULL)
return ENODATA;
/* Test decoding. */
in = make_data((void *)encoded, sizeof(encoded));
- noerror(kr_attr_decode(ctx, secret, auth,
- krad_attr_name2num("User-Password"),
+ noerror(kr_attr_decode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD,
&in, outbuf, &len));
insist(len == strlen(decoded));
insist(memcmp(outbuf, decoded, len) == 0);
/* Test encoding. */
in = string2data((char *)decoded);
- retval = kr_attr_encode(ctx, secret, auth,
- krad_attr_name2num("User-Password"),
+ retval = kr_attr_encode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD,
&in, outbuf, &len);
insist(retval == 0);
insist(len == sizeof(encoded));
/* Test constraint. */
in.length = 100;
- insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) == 0);
+ insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) == 0);
in.length = 200;
- insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) != 0);
+ insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) != 0);
krb5_free_context(ctx);
return 0;
/* Add username. */
tmp = string2data((char *)username);
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp));
/* Add password. */
tmp = string2data((char *)password);
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp));
/* Encode attrset. */
noerror(kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len));
krad_attrset_free(set);
/* Manually encode User-Name. */
- encoded[len + 0] = krad_attr_name2num("User-Name");
+ encoded[len + 0] = KRAD_ATTR_USER_NAME;
encoded[len + 1] = strlen(username) + 2;
memcpy(encoded + len + 2, username, strlen(username));
len += encoded[len + 1];
/* Manually encode User-Password. */
- encoded[len + 0] = krad_attr_name2num("User-Password");
+ encoded[len + 0] = KRAD_ATTR_USER_PASSWORD;
encoded[len + 1] = sizeof(encpass) + 2;
memcpy(encoded + len + 2, encpass, sizeof(encpass));
len += encoded[len + 1];
/* Test getting an attribute. */
tmp = string2data((char *)username);
- tmpp = krad_attrset_get(set, krad_attr_name2num("User-Name"), 0);
+ tmpp = krad_attrset_get(set, KRAD_ATTR_USER_NAME, 0);
insist(tmpp != NULL);
insist(tmpp->length == tmp.length);
insist(strncmp(tmpp->data, tmp.data, tmp.length) == 0);
tmp = string2data("testUser");
noerror(krad_attrset_new(kctx, &attrs));
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_NAME, &tmp));
/* Test accept. */
tmp = string2data("accept");
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
- &tmp));
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
verto_run(vctx);
/* Test reject. */
tmp = string2data("reject");
- krad_attrset_del(attrs, krad_attr_name2num("User-Password"), 0);
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
- &tmp));
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ krad_attrset_del(attrs, KRAD_ATTR_USER_PASSWORD, 0);
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
verto_run(vctx);
/* Test timeout. */
daemon_stop();
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
verto_run(vctx);
/* Test outstanding packet freeing. */
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
krad_client_free(rc);
rc = NULL;
/* Verify the results. */
insist(record.count == EVENT_COUNT);
insist(record.events[0].error == FALSE);
- insist(record.events[0].result.code ==
- krad_code_name2num("Access-Accept"));
+ insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT);
insist(record.events[1].error == FALSE);
- insist(record.events[1].result.code ==
- krad_code_name2num("Access-Reject"));
+ insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT);
insist(record.events[2].error == TRUE);
insist(record.events[2].result.retval == ETIMEDOUT);
insist(record.events[3].error == TRUE);
if (retval != 0)
goto out;
- retval = krad_attrset_add(set, krad_attr_name2num("User-Name"), username);
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_NAME, username);
if (retval != 0)
goto out;
- retval = krad_attrset_add(set, krad_attr_name2num("User-Password"),
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD,
password);
if (retval != 0)
goto out;
- retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
- &nas_id);
+ retval = krad_attrset_add(set, KRAD_ATTR_NAS_IDENTIFIER, &nas_id);
if (retval != 0)
goto out;
- retval = krad_packet_new_request(ctx, "foo",
- krad_code_name2num("Access-Request"),
+ retval = krad_packet_new_request(ctx, "foo", KRAD_CODE_ACCESS_REQUEST,
set, iterator, &i, &tmp);
if (retval != 0)
goto out;
- data = krad_packet_get_attr(tmp, krad_attr_name2num("User-Name"), 0);
+ data = krad_packet_get_attr(tmp, KRAD_ATTR_USER_NAME, 0);
if (data == NULL) {
retval = ENOENT;
goto out;
goto out;
}
- *auth = krad_packet_get_code(rsp) == krad_code_name2num("Access-Accept");
+ *auth = krad_packet_get_code(rsp) == KRAD_CODE_ACCESS_ACCEPT;
out:
krad_packet_free(rsp);
krb5_error_code retval;
krb5_data tmp = string2data((char *)password);
- retval = krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp);
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp);
if (retval != 0)
return retval;
- retval = kr_remote_send(rr, krad_code_name2num("Access-Request"), set,
- callback, NULL, 1000, 3, &tmppkt);
- krad_attrset_del(set, krad_attr_name2num("User-Password"), 0);
+ retval = kr_remote_send(rr, KRAD_CODE_ACCESS_REQUEST, set, callback, NULL,
+ 1000, 3, &tmppkt);
+ krad_attrset_del(set, KRAD_ATTR_USER_PASSWORD, 0);
if (retval != 0)
return retval;
/* Create attribute set. */
noerror(krad_attrset_new(kctx, &set));
tmp = string2data("testUser");
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp));
/* Send accept packet. */
noerror(do_auth("accept", NULL));
/* Verify the results. */
insist(record.count == EVENT_COUNT);
insist(record.events[0].error == FALSE);
- insist(record.events[0].result.code ==
- krad_code_name2num("Access-Accept"));
+ insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT);
insist(record.events[1].error == FALSE);
- insist(record.events[1].result.code ==
- krad_code_name2num("Access-Reject"));
+ insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT);
insist(record.events[2].error == TRUE);
insist(record.events[2].result.retval == ECANCELED);
insist(record.events[3].error == TRUE);
goto error;
hndata = make_data(hostname, strlen(hostname));
- retval = krad_attrset_add(self->attrs,
- krad_attr_name2num("NAS-Identifier"), &hndata);
+ retval = krad_attrset_add(self->attrs, KRAD_ATTR_NAS_IDENTIFIER, &hndata);
if (retval != 0)
goto error;
- retval = krad_attrset_add_number(self->attrs,
- krad_attr_name2num("Service-Type"),
+ retval = krad_attrset_add_number(self->attrs, KRAD_ATTR_SERVICE_TYPE,
KRAD_SERVICE_TYPE_AUTHENTICATE_ONLY);
if (retval != 0)
goto error;
goto error;
/* If we received an accept packet, success! */
- if (krad_packet_get_code(resp) ==
- krad_code_name2num("Access-Accept")) {
+ if (krad_packet_get_code(resp) == KRAD_CODE_ACCESS_ACCEPT) {
indicators = tok->indicators;
if (indicators == NULL)
indicators = tok->type->indicators;
token *tok = &req->tokens[req->index];
const token_type *t = tok->type;
- retval = krad_attrset_add(req->attrs, krad_attr_name2num("User-Name"),
- &tok->username);
+ retval = krad_attrset_add(req->attrs, KRAD_ATTR_USER_NAME, &tok->username);
if (retval != 0)
goto error;
- retval = krad_client_send(req->state->radius,
- krad_code_name2num("Access-Request"), req->attrs,
- t->server, t->secret, t->timeout, t->retries,
- callback, req);
- krad_attrset_del(req->attrs, krad_attr_name2num("User-Name"), 0);
+ retval = krad_client_send(req->state->radius, KRAD_CODE_ACCESS_REQUEST,
+ req->attrs, t->server, t->secret, t->timeout,
+ t->retries, callback, req);
+ krad_attrset_del(req->attrs, KRAD_ATTR_USER_NAME, 0);
if (retval != 0)
goto error;
if (retval != 0)
goto error;
- retval = krad_attrset_add(rqst->attrs, krad_attr_name2num("User-Password"),
+ retval = krad_attrset_add(rqst->attrs, KRAD_ATTR_USER_PASSWORD,
&req->otp_value);
if (retval != 0)
goto error;