From: Alan T. DeKok Date: Wed, 13 Sep 2023 14:03:02 +0000 (-0400) Subject: make EAP decode nested pairs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=beedcfe9df1d97d2301a431bcd3e36921909678e;p=thirdparty%2Ffreeradius-server.git make EAP decode nested pairs --- diff --git a/src/lib/eap_aka_sim/decode.c b/src/lib/eap_aka_sim/decode.c index bea787222f0..5bf796dff65 100644 --- a/src/lib/eap_aka_sim/decode.c +++ b/src/lib/eap_aka_sim/decode.c @@ -176,7 +176,7 @@ static ssize_t sim_value_decrypt(TALLOC_CTX *ctx, uint8_t **out, if (unlikely(!packet_ctx->k_encr)) { fr_strerror_printf("%s: No k_encr set, cannot decrypt attributes", __FUNCTION__); - return PAIR_ENCODE_FATAL_ERROR; + return PAIR_DECODE_FATAL_ERROR; } evp_ctx = aka_sim_crypto_cipher_ctx(); @@ -374,15 +374,17 @@ static ssize_t sim_decode_tlv(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *decr = NULL; ssize_t decr_len; fr_dict_attr_t const *child; - fr_pair_list_t tlv_tmp; + fr_pair_t *tlv; ssize_t ret; - fr_pair_list_init(&tlv_tmp); if (data_len < 2) { fr_strerror_printf("%s: Insufficient data", __FUNCTION__); return -1; /* minimum attr size */ } + tlv = fr_pair_afrom_da(ctx, parent); + if (!tlv) return PAIR_DECODE_OOM; + /* * We have an AES-128-CBC encrypted attribute * @@ -412,6 +414,7 @@ static ssize_t sim_decode_tlv(TALLOC_CTX *ctx, fr_pair_list_t *out, while ((size_t)(end - p) >= sizeof(uint32_t)) { uint8_t sim_at = p[0]; size_t sim_at_len = ((size_t)p[1]) << 2; + fr_dict_attr_t const *unknown_child = NULL; if ((p + sim_at_len) > end) { fr_strerror_printf("%s: Malformed nested attribute %d: Length field (%zu bytes) value " @@ -420,7 +423,7 @@ static ssize_t sim_decode_tlv(TALLOC_CTX *ctx, fr_pair_list_t *out, error: talloc_free(decr); - fr_pair_list_free(&tlv_tmp); + talloc_free(tlv); return -1; } @@ -470,8 +473,6 @@ static ssize_t sim_decode_tlv(TALLOC_CTX *ctx, fr_pair_list_t *out, child = fr_dict_attr_child_by_num(parent, p[0]); if (!child) { - fr_dict_attr_t const *unknown_child; - FR_PROTO_TRACE("Failed to find child %u of TLV %s", p[0], parent->name); /* @@ -495,12 +496,14 @@ static ssize_t sim_decode_tlv(TALLOC_CTX *ctx, fr_pair_list_t *out, } FR_PROTO_TRACE("decode context changed %s -> %s", parent->name, child->name); - ret = sim_decode_pair_value(ctx, &tlv_tmp, child, p + 2, sim_at_len - 2, (end - p) - 2, - decode_ctx); + ret = sim_decode_pair_value(tlv, &tlv->vp_group, child, p + 2, sim_at_len - 2, (end - p) - 2, + decode_ctx); + fr_dict_unknown_free(&unknown_child); if (ret < 0) goto error; p += sim_at_len; } - fr_pair_list_append(out, &tlv_tmp); + fr_pair_append(out, tlv); + talloc_free(decr); return attr_len; diff --git a/src/tests/unit/protocols/eap/sim/decode.txt b/src/tests/unit/protocols/eap/sim/decode.txt index e6dfcc76a11..d7aa7e20386 100644 --- a/src/tests/unit/protocols/eap/sim/decode.txt +++ b/src/tests/unit/protocols/eap/sim/decode.txt @@ -76,18 +76,18 @@ match # Empty TLV decode-pair.sim_tp_decode 82 01 00 00 -match +match Encr-Data = { } # Non-encrypted skippable unknown attribute found inside AT_ENCR_DATA decode-pair.sim_tp_decode 82 05 00 00 e1 8b 0e ec 5a bf 10 ac 81 ac e3 f2 ae 71 cb ef -match raw.Encr-Data.255 = 0x0000000000000000000000000000 +match Encr-Data = { raw.255 = 0x0000000000000000000000000000 } # Mixture of known and than skippable unknown decode-pair.sim_tp_decode 82 05 00 00 47 bd f4 5e 3d c5 69 da e8 fa 73 2a 69 44 a8 78 -match Encr-Data.Counter = 0, raw.Encr-Data.255 = 0x00000000000000000000 +match Encr-Data = { Counter = 0, raw.255 = 0x00000000000000000000 } decode-pair.sim_tp_decode 82 05 00 00 b2 dd 1d a3 e1 fc 91 3d 94 6b 3f a1 ba 5d 73 e2 -match raw.Encr-Data.255 = 0x00000000000000000000, Encr-Data.Counter = 0 +match Encr-Data = { raw.255 = 0x00000000000000000000, Counter = 0 } # RFC4186 A.3. example decode-pair.sim_tp_decode_rfc4186 0f 02 00 02 00 01 00 00 @@ -99,7 +99,7 @@ match Nonce-MT = 0x0123456789abcdeffedcba9876543210, Selected-Version = 1 # RFC4186 A.5. example decode-pair.sim_tp_decode_rfc4186 01 0d 00 00 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 81 05 00 00 9e 18 b0 c2 9a 65 22 63 c0 6e fb 54 dd 00 a8 95 82 2d 00 00 55 f2 93 9b bd b1 b1 9e a1 b4 7f c0 b3 e0 be 4c ab 2c f7 37 2d 98 e3 02 3c 6b b9 24 15 72 3d 58 ba d6 6c e0 84 e1 01 b6 0f 53 58 35 4b d4 21 82 78 ae a7 bf 2c ba ce 33 10 6a ed dc 62 5b 0c 1d 5a a6 7a 41 73 9a e5 b5 79 50 97 3f c7 ff 83 01 07 3c 6f 95 31 50 fc 30 3e a1 52 d1 e1 0a 2d 1f 4f 52 26 da a1 ee 90 05 47 22 52 bd b3 b7 1d 6f 0c 3a 34 90 31 6c 46 92 98 71 bd 45 cd fd bc a6 11 2f 07 f8 be 71 79 90 d2 5f 6d d7 f2 b7 b3 20 bf 4d 5a 99 2e 88 03 31 d7 29 94 5a ec 75 ae 5d 43 c8 ed a5 fe 62 33 fc ac 49 4e e6 7a 0d 50 4d 0b 05 00 00 fe f3 24 ac 39 62 b5 9f 3b d7 82 53 ae 4d cb 6a -match RAND = 0x101112131415161718191a1b1c1d1e1f, RAND = 0x202122232425262728292a2b2c2d2e2f, RAND = 0x303132333435363738393a3b3c3d3e3f, IV = 0x9e18b0c29a652263c06efb54dd00a895, Encr-Data.Next-Pseudonym = "w8w49PexCazWJ&xCIARmxuMKht5S1sxRDqXSEFBEg3DcZP9cIxTe5J4OyIwNGVzxeJOU1G", Encr-Data.Next-Reauth-ID = "Y24fNSrz8BP274jOJaF17WfxI8YO7QX00pMXk9XMMVOw7broaNhTczuFq53aEpOkk3L0dm@eapsim.foo", MAC = 0xfef324ac3962b59f3bd78253ae4dcb6a +match RAND = 0x101112131415161718191a1b1c1d1e1f, RAND = 0x202122232425262728292a2b2c2d2e2f, RAND = 0x303132333435363738393a3b3c3d3e3f, IV = 0x9e18b0c29a652263c06efb54dd00a895, Encr-Data = { Next-Pseudonym = "w8w49PexCazWJ&xCIARmxuMKht5S1sxRDqXSEFBEg3DcZP9cIxTe5J4OyIwNGVzxeJOU1G", Next-Reauth-ID = "Y24fNSrz8BP274jOJaF17WfxI8YO7QX00pMXk9XMMVOw7broaNhTczuFq53aEpOkk3L0dm@eapsim.foo" }, MAC = 0xfef324ac3962b59f3bd78253ae4dcb6a # RFC4186 A.6. example decode-pair.sim_tp_decode_rfc4186 0b 05 00 00 f5 6d 64 33 e6 8e d2 97 6a c1 19 37 fc 3d 11 54 @@ -107,15 +107,15 @@ match MAC = 0xf56d6433e68ed2976ac11937fc3d1154 # RFC4186 A.9. example decode-pair.sim_tp_decode_rfc4186 81 05 00 00 d5 85 ac 77 86 b9 03 36 65 7c 77 b4 65 75 b9 c4 82 1d 00 00 68 62 91 a9 d2 ab c5 8c aa 32 94 b6 e8 5b 44 84 6c 44 e5 dc b2 de 8b 9e 80 d6 9d 49 85 8a 5d b8 4c dc 1c 9b c9 5c 01 b9 6b 6e ca 31 34 74 ae a6 d3 14 16 e1 9d aa 9d f7 0f 05 00 88 41 ca 80 14 96 4d 3b 30 a4 9b cf 43 e4 d3 f1 8e 86 29 5a 4a 2b 38 d9 6c 97 05 c2 bb b0 5c 4a ac e9 7d 5e af f5 64 04 6c 8b d3 0b c3 9b e5 e1 7a ce 2b 10 a6 0b 05 00 00 48 3a 17 99 b8 3d 7c d3 d0 a1 e4 01 d9 ee 47 70 -match IV = 0xd585ac7786b90336657c77b46575b9c4, Encr-Data.Counter = 1, Encr-Data.Nonce-S = 0x0123456789abcdeffedcba9876543210, Encr-Data.Next-Reauth-ID = "uta0M0iyIsMwWp5TTdSdnOLvg2XDVf21OYt1vnfiMcs5dnIDHOIFVavIRzMRyzW6vFzdHW@eapsim.foo", MAC = 0x483a1799b83d7cd3d0a1e401d9ee4770 +match IV = 0xd585ac7786b90336657c77b46575b9c4, Encr-Data = { Counter = 1, Nonce-S = 0x0123456789abcdeffedcba9876543210, Next-Reauth-ID = "uta0M0iyIsMwWp5TTdSdnOLvg2XDVf21OYt1vnfiMcs5dnIDHOIFVavIRzMRyzW6vFzdHW@eapsim.foo" }, MAC = 0x483a1799b83d7cd3d0a1e401d9ee4770 # RFC4186 A.10. example decode-pair.sim_tp_decode_rfc4186 81 05 00 00 cd f7 ff a6 5d e0 4c 02 6b 56 c8 6b 76 b1 02 ea 82 05 00 00 b6 ed d3 82 79 e2 a1 42 3c 1a fc 5c 45 5c 7d 56 0b 05 00 00 fa f7 6b 71 fb e2 d2 55 b9 6a 35 66 c9 15 c6 17 -match IV = 0xcdf7ffa65de04c026b56c86b76b102ea, Encr-Data.Counter = 1, MAC = 0xfaf76b71fbe2d255b96a3566c915c617 +match IV = 0xcdf7ffa65de04c026b56c86b76b102ea, Encr-Data = { Counter = 1 }, MAC = 0xfaf76b71fbe2d255b96a3566c915c617 # RFC4186 A.10. example - With IV at the end of the packet decode-pair.sim_tp_decode_rfc4186 82 05 00 00 b6 ed d3 82 79 e2 a1 42 3c 1a fc 5c 45 5c 7d 56 0b 05 00 00 fa f7 6b 71 fb e2 d2 55 b9 6a 35 66 c9 15 c6 17 81 05 00 00 cd f7 ff a6 5d e0 4c 02 6b 56 c8 6b 76 b1 02 ea -match Encr-Data.Counter = 1, MAC = 0xfaf76b71fbe2d255b96a3566c915c617, IV = 0xcdf7ffa65de04c026b56c86b76b102ea +match Encr-Data = { Counter = 1 }, MAC = 0xfaf76b71fbe2d255b96a3566c915c617, IV = 0xcdf7ffa65de04c026b56c86b76b102ea count match 56 diff --git a/src/tests/unit/protocols/eap/sim/encode.txt b/src/tests/unit/protocols/eap/sim/encode.txt index 45e1534391a..39b2ca6264e 100644 --- a/src/tests/unit/protocols/eap/sim/encode.txt +++ b/src/tests/unit/protocols/eap/sim/encode.txt @@ -68,21 +68,21 @@ encode-pair.sim_tp_encode Encr-Data.Next-Pseudonym = "testing123" match 82 05 00 00 3f b8 34 1f f8 26 e0 4d 4a f3 f9 61 3c a9 84 26 decode-pair.sim_tp_decode - -match Encr-Data.Next-Pseudonym = "testing123" +match Encr-Data = { Next-Pseudonym = "testing123" } # Encrypt attribute requiring padding encode-pair.sim_tp_encode Encr-Data.Counter-Too-Small = yes match 82 05 00 00 5a f8 99 3c 02 f5 6c 04 b8 6e bb 54 3a af 74 32 decode-pair.sim_tp_decode - -match Encr-Data.Counter-Too-Small = yes +match Encr-Data = { Counter-Too-Small = yes } # Two encrypted attributes, one bool to extend plaintext so it's not a multiple block of block length encode-pair.sim_tp_encode Encr-data.Next-Pseudonym = "testing123", Encr-Data.Counter-Too-Small = yes match 82 09 00 00 3f b8 34 1f f8 26 e0 4d 4a f3 f9 61 3c a9 84 26 0f 4a 53 ce 33 99 9e 4f 29 df a4 79 18 a9 57 dd decode-pair.sim_tp_decode - -match Encr-Data.Next-Pseudonym = "testing123", Encr-Data.Counter-Too-Small = yes +match Encr-Data = { Next-Pseudonym = "testing123", Counter-Too-Small = yes } pair Encr-Data.Next-Pseudonym = "testing123", Any-ID-Req = yes, Encr-Data.Counter-Too-Small = yes match Encr-Data = { Next-Pseudonym = "testing123", Counter-Too-Small = yes }, Any-ID-Req = yes @@ -97,7 +97,7 @@ match 82 09 00 00 3f b8 34 1f f8 26 e0 4d 4a f3 f9 61 3c a9 84 26 0f 4a 53 ce 33 #match 82 05 00 00 3f b8 34 1f f8 26 e0 4d 4a f3 f9 61 3c a9 84 26 0d 01 00 00 82 05 00 00 5a f8 99 3c 02 f5 6c 04 b8 6e bb 54 3a af 74 32 decode-pair.sim_tp_decode - -match Encr-Data.Next-Pseudonym = "testing123", Encr-Data.Counter-Too-Small = yes, Any-ID-Req = yes +match Encr-Data = { Next-Pseudonym = "testing123", Counter-Too-Small = yes }, Any-ID-Req = yes # Array (one element) encode-pair.sim_tp_encode Version-List = 1 diff --git a/src/tests/unit/protocols/eap/sim/encrypted.txt b/src/tests/unit/protocols/eap/sim/encrypted.txt index 350ccf2a261..b190d039fa4 100644 --- a/src/tests/unit/protocols/eap/sim/encrypted.txt +++ b/src/tests/unit/protocols/eap/sim/encrypted.txt @@ -14,4 +14,7 @@ encode-pair.sim_tp_encode_rfc4186 IV = 0xd585ac7786b90336657c77b46575b9c4, Encr- match 81 05 00 00 d5 85 ac 77 86 b9 03 36 65 7c 77 b4 65 75 b9 c4 82 11 00 00 6e a1 2b 5c d1 57 fa fc be a9 c9 7c ad 30 07 ff 72 dc cb c8 a9 96 b3 33 1f 71 aa 06 bb f0 1d 04 6b 51 9e fa 83 31 11 67 c6 93 1e 9c 06 5c 1f 2c 62 0d 1d 6d b0 b1 59 2f 91 f1 56 98 a9 e2 dc 3c decode-pair.sim_tp_decode_rfc4186 - -match IV = 0xd585ac7786b90336657c77b46575b9c4, Encr-Data.Next-Reauth-ID = "8osafwilQBCdof4", Encr-Data.Next-Pseudonym = "7QSzGAfgFKU8De9", Encr-Data.Nonce-S = 0xd61d1c6124106953f6f7283ae680a5ed, Encr-Data.Counter = 1 +match IV = 0xd585ac7786b90336657c77b46575b9c4, Encr-Data = { Next-Reauth-ID = "8osafwilQBCdof4", Next-Pseudonym = "7QSzGAfgFKU8De9", Nonce-S = 0xd61d1c6124106953f6f7283ae680a5ed, Counter = 1 } + +count +match 6