From: Alan T. DeKok Date: Thu, 8 Apr 2021 19:19:02 +0000 (-0400) Subject: make it work with nested VPs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85c2f097df7b27805fc055e8ac9958e2c6c1fd1f;p=thirdparty%2Ffreeradius-server.git make it work with nested VPs --- diff --git a/src/modules/rlm_digest/rlm_digest.c b/src/modules/rlm_digest/rlm_digest.c index a45307fb3f..97974855a2 100644 --- a/src/modules/rlm_digest/rlm_digest.c +++ b/src/modules/rlm_digest/rlm_digest.c @@ -92,15 +92,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod /* * Find the first attribute which is parented by Digest-Attributes. */ - for (vp = fr_pair_list_head(&request->request_pairs); - vp; - vp = fr_pair_list_next(&request->request_pairs, vp)) { - if (vp->da->parent == attr_digest_attributes) break; - } - /* - * For simplicity, we allow the caller to omit things - * that they don't care about. - */ + vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_attributes); if (!vp) RETURN_MODULE_NOOP; if (!inst->auth_type) { @@ -129,6 +121,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, uint8_t hash[16]; /* MD5 output */ fr_pair_t *vp, *passwd, *algo; fr_pair_t *qop, *nonce; + fr_pair_list_t *list; /* * We require access to the plain-text password, or to the @@ -148,10 +141,17 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, RETURN_MODULE_INVALID; } + vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_attributes); + if (!vp) { + REDEBUG("Digest-Attributes is required for authentication"); + RETURN_MODULE_INVALID; + } + list = &vp->vp_group; + /* * We require access to the Digest-Nonce-Value */ - nonce = fr_pair_find_by_da(&request->request_pairs, attr_digest_nonce); + nonce = fr_pair_find_by_da(list, attr_digest_nonce); if (!nonce) { REDEBUG("No Digest-Nonce: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -160,7 +160,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, /* * A1 = Digest-User-Name ":" Realm ":" Password */ - vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_user_name); + vp = fr_pair_find_by_da(list, attr_digest_user_name); if (!vp) { REDEBUG("No Digest-User-Name: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -171,7 +171,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, a1[a1_len] = ':'; a1_len++; - vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_realm); + vp = fr_pair_find_by_da(list, attr_digest_realm); if (!vp) { REDEBUG("No Digest-Realm: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -197,7 +197,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, * See which variant we calculate. * Assume MD5 if no Digest-Algorithm attribute received */ - algo = fr_pair_find_by_da(&request->request_pairs, attr_digest_algorithm); + algo = fr_pair_find_by_da(list, attr_digest_algorithm); if ((!algo) || (strcasecmp(algo->vp_strvalue, "MD5") == 0)) { /* @@ -242,7 +242,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, a1[a1_len] = ':'; a1_len++; - vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_cnonce); + vp = fr_pair_find_by_da(list, attr_digest_cnonce); if (!vp) { REDEBUG("No Digest-CNonce: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -270,7 +270,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, /* * A2 = Digest-Method ":" Digest-URI */ - vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_method); + vp = fr_pair_find_by_da(list, attr_digest_method); if (!vp) { REDEBUG("No Digest-Method: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -281,7 +281,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, a2[a2_len] = ':'; a2_len++; - vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_uri); + vp = fr_pair_find_by_da(list, attr_digest_uri); if (!vp) { REDEBUG("No Digest-URI: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -292,7 +292,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, /* * QOP is "auth-int", tack on ": Digest-Body-Digest" */ - qop = fr_pair_find_by_da(&request->request_pairs, attr_digest_qop); + qop = fr_pair_find_by_da(list, attr_digest_qop); if (qop) { if (strcasecmp(qop->vp_strvalue, "auth-int") == 0) { fr_pair_t *body; @@ -306,7 +306,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, /* * Must be a hex representation of an MD5 digest. */ - body = fr_pair_find_by_da(&request->request_pairs, attr_digest_body_digest); + body = fr_pair_find_by_da(list, attr_digest_body_digest); if (!body) { REDEBUG("No Digest-Body-Digest: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -369,7 +369,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, kd[kd_len] = ':'; kd_len++; - vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_nonce_count); + vp = fr_pair_find_by_da(list, attr_digest_nonce_count); if (!vp) { REDEBUG("No Digest-Nonce-Count: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -380,7 +380,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, kd[kd_len] = ':'; kd_len++; - vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_cnonce); + vp = fr_pair_find_by_da(list, attr_digest_cnonce); if (!vp) { REDEBUG("No Digest-CNonce: Cannot perform Digest authentication"); RETURN_MODULE_INVALID; @@ -420,7 +420,8 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, memcpy(&kd[0], &hash[0], 16); /* - * Get the binary value of Digest-Response + * Get the binary value of Digest-Response. This isn't + * inside of the Digest-Attributes group. */ vp = fr_pair_find_by_da(&request->request_pairs, attr_digest_response); if (!vp) {