From: Greg Hudson
Date: Thu, 17 Oct 2024 00:26:57 +0000 (-0400)
Subject: Add numeric constants to krad.h and use them
X-Git-Tag: krb5-1.22-beta1~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1381%2Fhead;p=thirdparty%2Fkrb5.git

Add numeric constants to krad.h and use them

ticket: 9147 (new)
---

diff --git a/src/include/krad.h b/src/include/krad.h
index e4edb524ca..c347df5aa2 100644
--- a/src/include/krad.h
+++ b/src/include/krad.h
@@ -57,6 +57,18 @@
 #define KRAD_SERVICE_TYPE_CALL_CHECK 10
 #define KRAD_SERVICE_TYPE_CALLBACK_ADMINISTRATIVE 11
 
+#define KRAD_ATTR_USER_NAME 1
+#define KRAD_ATTR_USER_PASSWORD 2
+#define KRAD_ATTR_SERVICE_TYPE 6
+#define KRAD_ATTR_NAS_IDENTIFIER 32
+#define KRAD_ATTR_PROXY_STATE 33
+#define KRAD_ATTR_MESSAGE_AUTHENTICATOR 80
+
+#define KRAD_CODE_ACCESS_REQUEST 1
+#define KRAD_CODE_ACCESS_ACCEPT 2
+#define KRAD_CODE_ACCESS_REJECT 3
+#define KRAD_CODE_ACCESS_CHALLENGE 11
+
 typedef struct krad_attrset_st krad_attrset;
 typedef struct krad_packet_st krad_packet;
 typedef struct krad_client_st krad_client;
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
index 488bfce7bb..d52622ff94 100644
--- a/src/lib/krad/attrset.c
+++ b/src/lib/krad/attrset.c
@@ -196,7 +196,6 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
 unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen)
 {
 krb5_error_code retval;
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
 const uint8_t zeroes[MD5_DIGEST_SIZE] = { 0 };
 krb5_data zerodata;
 size_t i = 0;
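Review bot: The new KRAD_ATTR_* and KRAD_CODE_* groups in krad.h give the numbers without saying which registry they come from, so a reader cannot verify them without leaving the header. I would put `/* RADIUS attribute types; see RFC 2865 section 5 and, for Message-Authenticator, RFC 2869 section 5.14. */` above the first group and `/* RADIUS packet codes; see RFC 2865 section 3. */` above the second. Because the rest of the commit replaces krad_attr_name2num() and krad_code_name2num() lookups with these macros, the header values and the name tables can now drift apart silently; one assertion in t_attr.c such as `insist(krad_attr_name2num("Message-Authenticator") == KRAD_ATTR_MESSAGE_AUTHENTICATOR);` (and a matching one for a code) would pin them together.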
@@ -211,7 +210,8 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
 /* Encode Message-Authenticator as the first attribute, per
 * draft-ietf-radext-deprecating-radius-03 section 5.2. */
 zerodata = make_data((uint8_t *)zeroes, MD5_DIGEST_SIZE);
- retval = append_attr(set->ctx, secret, auth, msgauth_type, &zerodata,
+ retval = append_attr(set->ctx, secret, auth,
+ KRAD_ATTR_MESSAGE_AUTHENTICATOR, &zerodata,
 outbuf, &i);
 if (retval)
 return retval;
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index 7e599ab39b..d0a43431be 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -237,19 +237,17 @@ requires_msgauth(const char *secret, krad_code code)
 * Message-Authenticator is required in Access-Request packets and all
 * potential responses when UDP or TCP transport is used.
 */
- return code == krad_code_name2num("Access-Request") ||
- code == krad_code_name2num("Access-Reject") ||
- code == krad_code_name2num("Access-Accept") ||
- code == krad_code_name2num("Access-Challenge");
+ return code == KRAD_CODE_ACCESS_REQUEST ||
+ code == KRAD_CODE_ACCESS_ACCEPT || code == KRAD_CODE_ACCESS_REJECT ||
+ code == KRAD_CODE_ACCESS_CHALLENGE;
 }
 
 /* Check if the packet has a Message-Authenticator attribute. */
 static inline krb5_boolean
 has_pkt_msgauth(const krad_packet *pkt)
 {
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
-
- return krad_attrset_get(pkt->attrset, msgauth_type, 0) != NULL;
+ return krad_attrset_get(pkt->attrset, KRAD_ATTR_MESSAGE_AUTHENTICATOR,
+ 0) != NULL;
 }
 
 /* Return the beginning of the Message-Authenticator attribute in pkt, or NULL
@@ -257,14 +255,13 @@ has_pkt_msgauth(const krad_packet *pkt)
 static const uint8_t *
 lookup_msgauth_addr(const krad_packet *pkt)
 {
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
 size_t i;
 uint8_t *p;
 
 i = OFFSET_ATTR;
 while (i + 2 < pkt->pkt.length) {
 p = (uint8_t *)offset(&pkt->pkt, i);
- if (msgauth_type == *p)
+ if (*p == KRAD_ATTR_MESSAGE_AUTHENTICATOR)
 return p;
 i += p[1];
 }
@@ -282,11 +279,12 @@ calculate_mac(const char *secret, const krad_packet *pkt,
 const uint8_t auth[AUTH_FIELD_SIZE],
 uint8_t mac_out[MD5_DIGEST_SIZE])
 {
- uint8_t zeroed_msgauth[MSGAUTH_SIZE];
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
 const uint8_t *msgauth_attr, *msgauth_end, *pkt_end;
 krb5_crypto_iov input[5];
 krb5_data ksecr, mac;
+ static const uint8_t zeroed_msgauth[MSGAUTH_SIZE] = {
+ KRAD_ATTR_MESSAGE_AUTHENTICATOR, MSGAUTH_SIZE
+ };
 
 msgauth_attr = lookup_msgauth_addr(pkt);
 if (msgauth_attr == NULL)
@@ -308,11 +306,8 @@ calculate_mac(const char *secret, const krad_packet *pkt,
 
 /* Read Message-Authenticator with the data bytes all set to zero, per RFC
 * 2869 section 5.14. */
- zeroed_msgauth[0] = msgauth_type;
- zeroed_msgauth[1] = MSGAUTH_SIZE;
- memset(zeroed_msgauth + 2, 0, MD5_DIGEST_SIZE);
 input[3].flags = KRB5_CRYPTO_TYPE_DATA;
- input[3].data = make_data(zeroed_msgauth, MSGAUTH_SIZE);
+ input[3].data = make_data((uint8_t *)zeroed_msgauth, MSGAUTH_SIZE);
 
 /* Read any attributes after Message-Authenticator. */
 input[4].flags = KRB5_CRYPTO_TYPE_DATA;
@@ -377,8 +372,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
 goto error;
 
 /* Determine if Message-Authenticator is required. */
- msgauth_required = (*secret != '\0' &&
- code == krad_code_name2num("Access-Request"));
+ msgauth_required = (*secret != '\0' && code == KRAD_CODE_ACCESS_REQUEST);
 
 /* Encode the attributes. */
 retval = kr_attrset_encode(set, secret, pkt_auth(pkt), msgauth_required,
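Review bot: In lookup_msgauth_addr the advance `i += p[1];` just after the changed comparison only makes progress if every attribute length byte is at least 2; a length byte of 0 leaves i unchanged and the loop never ends. Presumably the packet's attributes were already validated by kr_attrset_decode before this runs — I cannot confirm that from the hunk — so a precondition comment on the loop would let a reader see why no bound check is needed here, e.g. `/* Attribute lengths were validated when pkt was decoded, so p[1] >= 2. */`. If that validation does not precede every caller, the loop needs its own `if (p[1] < 2) return NULL;`. The function's trailing return is outside the hunk.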
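Review bot: The new static initializer of zeroed_msgauth in calculate_mac (hunk at -282) sets only the first two bytes explicitly and relies on C's implicit zero fill of the remaining MD5_DIGEST_SIZE elements, which is exactly what the comment in the -308 hunk ("data bytes all set to zero") depends on; a comment at the definition would make that visible where the array lives: `/* Type and length, then MD5_DIGEST_SIZE zero bytes from implicit zero fill. */`. The companion change `make_data((uint8_t *)zeroed_msgauth, MSGAUTH_SIZE)` now casts const away from an object that really is const; that is fine while input[3] is only read as KRB5_CRYPTO_TYPE_DATA, but a later write through the iov would be undefined behaviour, which deserves a one-line comment at the cast.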
@@ -479,11 +473,10 @@ verify_msgauth(const char *secret, const krad_packet *pkt,
 const uint8_t auth[AUTH_FIELD_SIZE])
 {
 uint8_t mac[MD5_DIGEST_SIZE];
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
 const krb5_data *msgauth;
 krb5_error_code retval;
 
- msgauth = krad_packet_get_attr(pkt, msgauth_type, 0);
+ msgauth = krad_packet_get_attr(pkt, KRAD_ATTR_MESSAGE_AUTHENTICATOR, 0);
 if (msgauth == NULL)
 return ENODATA;
 
diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c
index 2bce7aa87a..f8940862d6 100644
--- a/src/lib/krad/t_attr.c
+++ b/src/lib/krad/t_attr.c
@@ -63,16 +63,14 @@ main(void)
 
 /* Test decoding. */
 in = make_data((void *)encoded, sizeof(encoded));
- noerror(kr_attr_decode(ctx, secret, auth,
- krad_attr_name2num("User-Password"),
+ noerror(kr_attr_decode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD,
 &in, outbuf, &len));
 insist(len == strlen(decoded));
 insist(memcmp(outbuf, decoded, len) == 0);
 
 /* Test encoding. */
 in = string2data((char *)decoded);
- retval = kr_attr_encode(ctx, secret, auth,
- krad_attr_name2num("User-Password"),
+ retval = kr_attr_encode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD,
 &in, outbuf, &len);
 insist(retval == 0);
 insist(len == sizeof(encoded));
@@ -80,9 +78,9 @@ main(void)
 
 /* Test constraint. */
 in.length = 100;
- insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) == 0);
+ insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) == 0);
 in.length = 200;
- insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) != 0);
+ insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) != 0);
 
 krb5_free_context(ctx);
 return 0;
diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
index a520fe10eb..17a281f15f 100644
--- a/src/lib/krad/t_attrset.c
+++ b/src/lib/krad/t_attrset.c
@@ -55,24 +55,24 @@ main(void)
 
 /* Add username. */
 tmp = string2data((char *)username);
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp));
 
 /* Add password. */
 tmp = string2data((char *)password);
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp));
 
 /* Encode attrset. */
 noerror(kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len));
 krad_attrset_free(set);
 
 /* Manually encode User-Name. */
- encoded[len + 0] = krad_attr_name2num("User-Name");
+ encoded[len + 0] = KRAD_ATTR_USER_NAME;
 encoded[len + 1] = strlen(username) + 2;
 memcpy(encoded + len + 2, username, strlen(username));
 len += encoded[len + 1];
 
 /* Manually encode User-Password. */
- encoded[len + 0] = krad_attr_name2num("User-Password");
+ encoded[len + 0] = KRAD_ATTR_USER_PASSWORD;
 encoded[len + 1] = sizeof(encpass) + 2;
 memcpy(encoded + len + 2, encpass, sizeof(encpass));
 len += encoded[len + 1];
@@ -87,7 +87,7 @@ main(void)
 
 /* Test getting an attribute. */
 tmp = string2data((char *)username);
- tmpp = krad_attrset_get(set, krad_attr_name2num("User-Name"), 0);
+ tmpp = krad_attrset_get(set, KRAD_ATTR_USER_NAME, 0);
 insist(tmpp != NULL);
 insist(tmpp->length == tmp.length);
 insist(strncmp(tmpp->data, tmp.data, tmp.length) == 0);
diff --git a/src/lib/krad/t_client.c b/src/lib/krad/t_client.c
index 3d0fda93e9..9ba5b9efb2 100644
--- a/src/lib/krad/t_client.c
+++ b/src/lib/krad/t_client.c
@@ -74,45 +74,41 @@ main(int argc, const char **argv)
 
 tmp = string2data("testUser");
 noerror(krad_attrset_new(kctx, &attrs));
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_NAME, &tmp));
 
 /* Test accept. */
 tmp = string2data("accept");
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
- &tmp));
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
 verto_run(vctx);
 
 /* Test reject. */
 tmp = string2data("reject");
- krad_attrset_del(attrs, krad_attr_name2num("User-Password"), 0);
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
- &tmp));
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ krad_attrset_del(attrs, KRAD_ATTR_USER_PASSWORD, 0);
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
 verto_run(vctx);
 
 /* Test timeout. */
 daemon_stop();
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
 verto_run(vctx);
 
 /* Test outstanding packet freeing. */
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
 krad_client_free(rc);
 rc = NULL;
 
 /* Verify the results. */
 insist(record.count == EVENT_COUNT);
 insist(record.events[0].error == FALSE);
- insist(record.events[0].result.code ==
- krad_code_name2num("Access-Accept"));
+ insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT);
 insist(record.events[1].error == FALSE);
- insist(record.events[1].result.code ==
- krad_code_name2num("Access-Reject"));
+ insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT);
 insist(record.events[2].error == TRUE);
 insist(record.events[2].result.retval == ETIMEDOUT);
 insist(record.events[3].error == TRUE);
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
index 104b6507a2..3bdabb5cb7 100644
--- a/src/lib/krad/t_packet.c
+++ b/src/lib/krad/t_packet.c
@@ -70,27 +70,25 @@ make_packet(krb5_context ctx, const krb5_data *username,
 if (retval != 0)
 goto out;
 
- retval = krad_attrset_add(set, krad_attr_name2num("User-Name"), username);
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_NAME, username);
 if (retval != 0)
 goto out;
 
- retval = krad_attrset_add(set, krad_attr_name2num("User-Password"),
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD,
 password);
 if (retval != 0)
 goto out;
 
- retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
- &nas_id);
+ retval = krad_attrset_add(set, KRAD_ATTR_NAS_IDENTIFIER, &nas_id);
 if (retval != 0)
 goto out;
 
- retval = krad_packet_new_request(ctx, "foo",
- krad_code_name2num("Access-Request"),
+ retval = krad_packet_new_request(ctx, "foo", KRAD_CODE_ACCESS_REQUEST,
 set, iterator, &i, &tmp);
 if (retval != 0)
 goto out;
 
- data = krad_packet_get_attr(tmp, krad_attr_name2num("User-Name"), 0);
+ data = krad_packet_get_attr(tmp, KRAD_ATTR_USER_NAME, 0);
 if (data == NULL) {
 retval = ENOENT;
 goto out;
@@ -156,7 +154,7 @@ do_auth(krb5_context ctx, struct addrinfo *ai, const char *secret,
 goto out;
 }
 
- *auth = krad_packet_get_code(rsp) == krad_code_name2num("Access-Accept");
+ *auth = krad_packet_get_code(rsp) == KRAD_CODE_ACCESS_ACCEPT;
 
 out:
 krad_packet_free(rsp);
diff --git a/src/lib/krad/t_remote.c b/src/lib/krad/t_remote.c
index a521ecb7cd..d2877ad60c 100644
--- a/src/lib/krad/t_remote.c
+++ b/src/lib/krad/t_remote.c
@@ -78,13 +78,13 @@ do_auth(const char *password, const krad_packet **pkt)
 krb5_error_code retval;
 krb5_data tmp = string2data((char *)password);
 
- retval = krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp);
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp);
 if (retval != 0)
 return retval;
 
- retval = kr_remote_send(rr, krad_code_name2num("Access-Request"), set,
- callback, NULL, 1000, 3, &tmppkt);
- krad_attrset_del(set, krad_attr_name2num("User-Password"), 0);
+ retval = kr_remote_send(rr, KRAD_CODE_ACCESS_REQUEST, set, callback, NULL,
+ 1000, 3, &tmppkt);
+ krad_attrset_del(set, KRAD_ATTR_USER_PASSWORD, 0);
 if (retval != 0)
 return retval;
 
@@ -122,7 +122,7 @@ main(int argc, const char **argv)
 /* Create attribute set. */
 noerror(krad_attrset_new(kctx, &set));
 tmp = string2data("testUser");
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp));
 
 /* Send accept packet. */
 noerror(do_auth("accept", NULL));
@@ -150,11 +150,9 @@ main(int argc, const char **argv)
 /* Verify the results. */
 insist(record.count == EVENT_COUNT);
 insist(record.events[0].error == FALSE);
- insist(record.events[0].result.code ==
- krad_code_name2num("Access-Accept"));
+ insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT);
 insist(record.events[1].error == FALSE);
- insist(record.events[1].result.code ==
- krad_code_name2num("Access-Reject"));
+ insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT);
 insist(record.events[2].error == TRUE);
 insist(record.events[2].result.retval == ECANCELED);
 insist(record.events[3].error == TRUE);
diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
index 20cd18abfd..d259fe7320 100644
--- a/src/plugins/preauth/otp/otp_state.c
+++ b/src/plugins/preauth/otp/otp_state.c
@@ -591,13 +591,11 @@ otp_state_new(krb5_context ctx, otp_state **out)
 goto error;
 
 hndata = make_data(hostname, strlen(hostname));
- retval = krad_attrset_add(self->attrs,
- krad_attr_name2num("NAS-Identifier"), &hndata);
+ retval = krad_attrset_add(self->attrs, KRAD_ATTR_NAS_IDENTIFIER, &hndata);
 if (retval != 0)
 goto error;
 
- retval = krad_attrset_add_number(self->attrs,
- krad_attr_name2num("Service-Type"),
+ retval = krad_attrset_add_number(self->attrs, KRAD_ATTR_SERVICE_TYPE,
 KRAD_SERVICE_TYPE_AUTHENTICATE_ONLY);
 if (retval != 0)
 goto error;
@@ -637,8 +635,7 @@ callback(krb5_error_code retval, const krad_packet *rqst,
 goto error;
 
 /* If we received an accept packet, success! */
- if (krad_packet_get_code(resp) ==
- krad_code_name2num("Access-Accept")) {
+ if (krad_packet_get_code(resp) == KRAD_CODE_ACCESS_ACCEPT) {
 indicators = tok->indicators;
 if (indicators == NULL)
 indicators = tok->type->indicators;
@@ -667,16 +664,14 @@ request_send(request *req)
 token *tok = &req->tokens[req->index];
 const token_type *t = tok->type;
 
- retval = krad_attrset_add(req->attrs, krad_attr_name2num("User-Name"),
- &tok->username);
+ retval = krad_attrset_add(req->attrs, KRAD_ATTR_USER_NAME, &tok->username);
 if (retval != 0)
 goto error;
 
- retval = krad_client_send(req->state->radius,
- krad_code_name2num("Access-Request"), req->attrs,
- t->server, t->secret, t->timeout, t->retries,
- callback, req);
- krad_attrset_del(req->attrs, krad_attr_name2num("User-Name"), 0);
+ retval = krad_client_send(req->state->radius, KRAD_CODE_ACCESS_REQUEST,
+ req->attrs, t->server, t->secret, t->timeout,
+ t->retries, callback, req);
+ krad_attrset_del(req->attrs, KRAD_ATTR_USER_NAME, 0);
 if (retval != 0)
 goto error;
 
@@ -715,7 +710,7 @@ otp_state_verify(otp_state *state, verto_ctx *ctx, krb5_const_principal princ,
 if (retval != 0)
 goto error;
 
- retval = krad_attrset_add(rqst->attrs, krad_attr_name2num("User-Password"),
+ retval = krad_attrset_add(rqst->attrs, KRAD_ATTR_USER_PASSWORD,
 &req->otp_value);
 if (retval != 0)
 goto error;