changeset 361:fbe54f8d535e
Added some metadata in the radius messages
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Thu, 21 May 2009 10:15:09 +0900 |
parents | 2206c7f2945a |
children | 93e6eaf04b95 |
files | extensions/radius_gw/radius_gw.h extensions/radius_gw/rgw_servers.c extensions/radius_gw/rgw_work.c |
diffstat | 3 files changed, 27 insertions(+), 19 deletions(-) [+] |
--- a/extensions/radius_gw/radius_gw.h Wed May 20 18:23:30 2009 +0900 +++ b/extensions/radius_gw/radius_gw.h Thu May 21 10:15:09 2009 +0900 @@ -68,7 +68,10 @@ struct rad_attr { /* Meta data */ struct rg_list chain; /* link this attribute in a message */ - int handled; /* Has this attribute already been converted to Diameter? */ + struct { + unsigned handled : 1; /* Has this attribute already been converted to Diameter? */ + } flags; + /* Data */ uint8_t type; @@ -99,6 +102,10 @@ typedef struct _rad_t { /* Metadata */ struct rg_list attributes; /* The list of attributes */ + struct { + unsigned serv_type : 2; /* The server (auth or acct) it was received on */ + unsigned auth_ok : 1; /* The message has a valid message-authenticator ? */ + } flags; /* Data */ uint8_t code;
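Review bot: The new `flags` bit-fields in both structs carry no initializer in this hunk, so `auth_ok` is only reliably 0 if `rad_t` is zero-filled at allocation, which is not visible here; a message that was never passed through the authenticator check could otherwise report `auth_ok == 1`. Worth stating the contract on the field, e.g. `unsigned auth_ok : 1; /* set only by work_auth_check; struct must be zeroed on allocation */`, and clearing it at the start of the check. `unsigned serv_type : 2` holds only the values 0..3, while its comment says "(auth or acct)"; naming the allowed values in the comment would make the truncating assignment in rgw_servers.c (next hunk) reviewable. Both struct definitions continue outside the hunk.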
--- a/extensions/radius_gw/rgw_servers.c Wed May 20 18:23:30 2009 +0900 +++ b/extensions/radius_gw/rgw_servers.c Thu May 21 10:15:09 2009 +0900 @@ -148,6 +148,8 @@ continue; } ); + msg->flags.serv_type = me->port; + if (TRACE_BOOL(FULL)) rg_msg_dump(FULL, msg);
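Review bot: `msg->flags.serv_type = me->port;` stores into a 2-bit field, so if `me->port` is the UDP port the socket is bound to (as the name suggests) the value is silently reduced to its low two bits and the "auth or acct" distinction the header comment promises is lost; if `me->port` is already an auth/acct selector in 0..3, the name and a comment should say so. A one-line guard or a comment naming the allowed values before the assignment would make this explicit, e.g. `/* me->port is the auth/acct selector (0..3), not a port number */`. The enclosing loop starts and ends outside the hunk.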
--- a/extensions/radius_gw/rgw_work.c Wed May 20 18:23:30 2009 +0900 +++ b/extensions/radius_gw/rgw_work.c Thu May 21 10:15:09 2009 +0900 @@ -74,10 +74,6 @@ TRACE_ENTRY("%p %p", rad, cli); - CHECK_FCT( rgw_clients_getkey(cli, &key, &key_len) ); - - memset(buf, 0, sizeof(buf)); - /* Find the authenticator attribute */ for (attr_li = rad->attributes.next; attr_li != &rad->attributes; attr_li = attr_li->next) { struct rad_attr * attr = (struct rad_attr *)attr_li; 
@@ -90,42 +86,48 @@ msg_mac = attr; } } - if (msg_mac == NULL) { - TRACE_DEBUG(INFO, "RADIUS message without Message-Authenticator attribute, invalid."); - return EINVAL; + TRACE_DEBUG(FULL, "RADIUS message without Message-Authenticator attribute."); + return 0; } - - /* Save and clear the authenticator value */ if (msg_mac->length != (2 + sizeof(msg_mac_save))) { TRACE_DEBUG(INFO, "Unexpected size of Message-Authenticator attribute, discarding."); return EINVAL; } + + /* Save and clear the authenticator value */ memcpy( &msg_mac_save[0], &msg_mac->data.buf[0], sizeof(msg_mac_save) ); memset( &msg_mac->data.buf[0], 0, sizeof(msg_mac_save) ); if (req_auth) { - /* compute the mac with the authenticator from the request */ + /* compute the MAC with the authenticator from the request */ memcpy( &msg_auth_orig[0], &rad->authenticator[0], 16 ); memcpy( &rad->authenticator[0], req_auth, 16 ); } - /* Recreate a false message to compute the md5 sum. This is very bad design! Optimization possible here... */ + /* Recreate a false message to compute the md5 sum. This is very bad design, optimization possible here... 
*/ + memset(buf, 0, sizeof(buf)); CHECK_FCT( rgw_msg_gen(rad, (unsigned char **)&buf, &buflen) ); - /* Now compute the MAC with our known shared key */ + /* Get the shared secret associated with this client */ + CHECK_FCT( rgw_clients_getkey(cli, &key, &key_len) ); + + /* Now compute the MAC with our shared key */ hmac_md5( key, key_len, &buf[0], buflen, &msg_mac_calc[0] ); /* Restore the original msg */ memcpy( &msg_mac->data.buf[0], &msg_mac_save[0], sizeof(msg_mac_save) ); if (req_auth) { - /* compute the mac with the authenticator from the request */ + /* also restore the authenticator */ memcpy( &rad->authenticator[0], &msg_auth_orig[0], 16 ); } /* Finally, check if the MAC is correct (validates the common shared secret) */ if (memcmp(&msg_mac_save[0], &msg_mac_calc[0], sizeof(msg_mac_save) )) { - TRACE_DEBUG(INFO, "Invalid Message-Authenticator attribute, discarding."); + TRACE_DEBUG(INFO, "Invalid Message-Authenticator attribute (bad shared secret?)."); return EINVAL; + } else { + rad->flags.auth_ok = 1; + TRACE_DEBUG(FULL, "Valid Message-Authenticator attribute found."); } return 0; @@ -180,15 +182,12 @@ /* Check authenticator */ CHECK_FCT_DO( work_auth_check(msg, cli, NULL), { - /* Invalid authenticator, discard message */ - TRACE_DEBUG(INFO, "Discarding message with invalid authenticator"); + /* An error occurred, discard message */ rg_msg_free(msg); rgw_clients_dispose(&cli); continue; } ); - TRACE_DEBUG(FULL, "Message-Authenticator is valid"); - }
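Review bot: The early `return 0;` added when `msg_mac == NULL` turns a missing Message-Authenticator into a success, and the only caller in this commit (the third hunk, `CHECK_FCT_DO( work_auth_check(msg, cli, NULL), ... )`) still discards on error only, so nothing visible now requires a message to be verified before it is processed; `rad->flags.auth_ok` is set here but never read in this change. Unless a later consumer tests that flag, a datagram lacking the attribute is handled exactly like one whose MAC was validated against the shared secret. The function should also clear the flag on entry (`rad->flags.auth_ok = 0;`) so a stale or uninitialized bit cannot report success, and its header comment should state that callers must check `flags.auth_ok` before trusting the message. Minor: `memcmp` on the two MACs is not constant-time; a fixed-time comparison would be preferable for an authenticator check. work_auth_check's signature and buffer declarations lie outside the hunk.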