changeset 361:fbe54f8d535e

Added some metadata to the RADIUS messages
author Sebastien Decugis <sdecugis@nict.go.jp>
date Thu, 21 May 2009 10:15:09 +0900
parents 2206c7f2945a
children 93e6eaf04b95
files extensions/radius_gw/radius_gw.h extensions/radius_gw/rgw_servers.c extensions/radius_gw/rgw_work.c
diffstat 3 files changed, 27 insertions(+), 19 deletions(-) [+]
--- a/extensions/radius_gw/radius_gw.h	Wed May 20 18:23:30 2009 +0900
+++ b/extensions/radius_gw/radius_gw.h	Thu May 21 10:15:09 2009 +0900
@@ -68,7 +68,10 @@
 struct rad_attr {
 	/* Meta data */
 	struct rg_list	chain;	/* link this attribute in a message */
-	int		handled; /* Has this attribute already been converted to Diameter? */
+	struct {
+		unsigned	handled : 1; /* Has this attribute already been converted to Diameter? */
+	} flags;
+	
 	
 	/* Data */
 	uint8_t		type;
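Review bot: Moving `handled` from an `int` member into the `flags` bitfield changes the access path from `attr->handled` to `attr->flags.handled`, so any existing reader or writer of the old member outside the three files in the diffstat would stop compiling; the diff touches none, which suggests there is no such user yet, but that is worth confirming before the bitfield lands. The added line between the new `flags` struct and the `/* Data */` comment is whitespace-only with a trailing tab, on top of the blank line that was already there; drop it. Since the bit is no longer an `int`, callers must allocate the attribute zeroed (calloc or explicit `memset`) for `handled` to start at 0, which this hunk cannot show.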
@@ -99,6 +102,10 @@
 typedef struct _rad_t {
 	/* Metadata */
 	struct rg_list	attributes;	/* The list of attributes */
+	struct {
+		unsigned serv_type 	: 2; /* The server (auth or acct) it was received on */
+		unsigned auth_ok 	: 1; /* The message has a valid message-authenticator ? */
+	} flags;
 		
 	/* Data */
 	uint8_t		code;
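Review bot: The two new bitfields carry no statement of their value set or default, and `auth_ok` is the security-relevant one: a reader has to know that 0 means "not authenticated" (attribute absent, or never checked), not merely "unknown". I would document them as `unsigned serv_type : 2; /* Kind of server (auth or acct) the message arrived on; set in rgw_servers.c, 0 until then */` and `unsigned auth_ok : 1; /* 1 only after work_auth_check() validated a Message-Authenticator; 0 means the message is NOT authenticated and must not be trusted for operations that need one */`. Both rely on the message being zero-initialised at allocation, which is not visible in this diff and should be stated next to the field.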
--- a/extensions/radius_gw/rgw_servers.c	Wed May 20 18:23:30 2009 +0900
+++ b/extensions/radius_gw/rgw_servers.c	Thu May 21 10:15:09 2009 +0900
@@ -148,6 +148,8 @@
 				continue; 
 			} );
 		
+		msg->flags.serv_type = me->port;
+		
 		if (TRACE_BOOL(FULL))
 			rg_msg_dump(FULL, msg);
 		
--- a/extensions/radius_gw/rgw_work.c	Wed May 20 18:23:30 2009 +0900
+++ b/extensions/radius_gw/rgw_work.c	Thu May 21 10:15:09 2009 +0900
@@ -74,10 +74,6 @@
 	
 	TRACE_ENTRY("%p %p", rad, cli);
 	
-	CHECK_FCT( rgw_clients_getkey(cli, &key, &key_len) );
-	
-	memset(buf, 0, sizeof(buf));
-	
 	/* Find the authenticator attribute */
 	for (attr_li = rad->attributes.next; attr_li != &rad->attributes; attr_li = attr_li->next) {
 		struct rad_attr * attr = (struct rad_attr *)attr_li;
@@ -90,42 +86,48 @@
 			msg_mac = attr;
 		}
 	}
-	
 	if (msg_mac == NULL) {
-		TRACE_DEBUG(INFO, "RADIUS message without Message-Authenticator attribute, invalid.");
-		return EINVAL;
+		TRACE_DEBUG(FULL, "RADIUS message without Message-Authenticator attribute.");
+		return 0;
 	}
-	
-	/* Save and clear the authenticator value */
 	if (msg_mac->length != (2 + sizeof(msg_mac_save))) {
 		TRACE_DEBUG(INFO, "Unexpected size of Message-Authenticator attribute, discarding.");
 		return EINVAL;
 	}
+	
+	/* Save and clear the authenticator value */
 	memcpy( &msg_mac_save[0], &msg_mac->data.buf[0], sizeof(msg_mac_save) );
 	memset( &msg_mac->data.buf[0], 0, sizeof(msg_mac_save) );
 	if (req_auth) {
-		/* compute the mac with the authenticator from the request */
+		/* compute the MAC with the authenticator from the request */
 		memcpy( &msg_auth_orig[0], &rad->authenticator[0], 16 );
 		memcpy( &rad->authenticator[0], req_auth, 16 );
 	}
 	
-	/* Recreate a false message to compute the md5 sum. This is very bad design! Optimization possible here... */
+	/* Recreate a false message to compute the md5 sum. This is very bad design, optimization possible here... */
+	memset(buf, 0, sizeof(buf));
 	CHECK_FCT( rgw_msg_gen(rad, (unsigned char **)&buf, &buflen) );
 	
-	/* Now compute the MAC with our known shared key */
+	/* Get the shared secret associated with this client */
+	CHECK_FCT( rgw_clients_getkey(cli, &key, &key_len) );
+	
+	/* Now compute the MAC with our shared key */
 	hmac_md5( key, key_len, &buf[0], buflen, &msg_mac_calc[0] );
 	
 	/* Restore the original msg */
 	memcpy( &msg_mac->data.buf[0], &msg_mac_save[0], sizeof(msg_mac_save) );
 	if (req_auth) {
-		/* compute the mac with the authenticator from the request */
+		/* also restore the authenticator */
 		memcpy( &rad->authenticator[0], &msg_auth_orig[0], 16 );
 	}
 	
 	/* Finally, check if the MAC is correct (validates the common shared secret) */
 	if (memcmp(&msg_mac_save[0], &msg_mac_calc[0], sizeof(msg_mac_save) )) {
-		TRACE_DEBUG(INFO, "Invalid Message-Authenticator attribute, discarding.");
+		TRACE_DEBUG(INFO, "Invalid Message-Authenticator attribute (bad shared secret?).");
 		return EINVAL;
+	} else {
+		rad->flags.auth_ok = 1;
+		TRACE_DEBUG(FULL, "Valid Message-Authenticator attribute found.");
 	}
 	
 	return 0;
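Review bot: The new `return 0;` on the "no Message-Authenticator" path reports success to the caller while leaving `rad->flags.auth_ok` untouched, so a message that simply omits the attribute now passes work_auth_check and its authenticated status depends entirely on the allocator having zeroed the struct (not visible here); set the bit explicitly on that path, `rad->flags.auth_ok = 0;` before the `return 0;`, and make every consumer that requires authentication (EAP-Message per RFC 3579 §3.2, for instance) test the flag rather than the return value. While here, the `memcmp()` on the 16-byte MAC exits on the first mismatching byte, which is a timing oracle for an attacker trying to forge the HMAC; compare with a constant-time loop (OR-accumulate the XOR of each byte) instead. work_auth_check begins before this hunk, so the declarations of `buf`, `key` and the MAC buffers are outside my view.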
@@ -180,15 +182,12 @@
 		/* Check authenticator */
 		CHECK_FCT_DO( work_auth_check(msg, cli, NULL),
 			{
-				/* Invalid authenticator, discard message */
-				TRACE_DEBUG(INFO, "Discarding message with invalid authenticator");
+				/* An error occurred, discard message */
 				rg_msg_free(msg);
 				rgw_clients_dispose(&cli);
 				continue;
 			}  );
 		
-		TRACE_DEBUG(FULL, "Message-Authenticator is valid");
-		
 		
 	}
 	
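Review bot: Nothing in this loop body inspects `msg->flags.auth_ok` after `work_auth_check()` returns, so with the new semantics a message lacking Message-Authenticator continues into the same processing as an authenticated one, and the only thing distinguishing them is a bit that later stages (outside this hunk) may or may not check. Removing the unconditional "Message-Authenticator is valid" trace is correct, but the replacement comment `/* An error occurred, discard message */` undersells the change; I would write `/* Malformed or forged Message-Authenticator: discard. A message WITHOUT the attribute passes here with flags.auth_ok == 0 and is NOT authenticated. */` so the next reader does not assume the check guarantees authenticity. The enclosing function starts before this hunk.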