From ed5c2b8b1b6b67b5f5c4900fdec4e80e8697c780 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Thu, 23 Apr 2020 14:59:33 -0400
Subject: [PATCH] it helps to sign the packets.

Note the the salted fields still don't have deterministic randomness. That will need to be fixed by passing packet_ctx to fr_radius_encode()
---
 src/protocols/radius/encode.c | 22 ++++++++++++++++++-
 .../unit/protocols/radius/packet_rfc3162.txt | 6 +++--
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/protocols/radius/encode.c b/src/protocols/radius/encode.c
index af889e2aa64b..f052d50ee7f0 100644
--- a/src/protocols/radius/encode.c
+++ b/src/protocols/radius/encode.c
@@ -1466,12 +1466,32 @@ static ssize_t fr_radius_encode_proto(UNUSED TALLOC_CTX *ctx, VALUE_PAIR *vps, u
 fr_radius_ctx_t *test_ctx = talloc_get_type_abort(proto_ctx, fr_radius_ctx_t);
 int packet_type = FR_CODE_ACCESS_REQUEST;
 VALUE_PAIR *vp;
+ ssize_t slen;
 
 vp = fr_pair_find_by_da(vps, attr_packet_type, TAG_ANY);
 if (vp) packet_type = vp->vp_uint32;
 
- return fr_radius_encode(data, data_len, NULL, test_ctx->secret, talloc_array_length(test_ctx->secret) - 1,
+ if ((packet_type == FR_CODE_ACCESS_REQUEST) || (packet_type == FR_CODE_STATUS_SERVER)) {
+ int i;
+
+ for (i = 0; i < RADIUS_AUTH_VECTOR_LENGTH; i++) {
+ data[4 + i] = fr_fast_rand(&test_ctx->rand_ctx);
+ }
+ }
+
+ /*
+ * @todo - pass in test_ctx to this function, so that we
+ * can leverage a consistent random number generator.
+ */
+ slen = fr_radius_encode(data, data_len, NULL, test_ctx->secret, talloc_array_length(test_ctx->secret) - 1,
 packet_type, 0, vps);
+ if (slen <= 0) return slen;
+
+ if (fr_radius_sign(data, NULL, (uint8_t const *) test_ctx->secret, talloc_array_length(test_ctx->secret) - 1) < 0) {
+ return -1;
+ }
+
+ return slen;
 }
 
 /*
diff --git a/src/tests/unit/protocols/radius/packet_rfc3162.txt b/src/tests/unit/protocols/radius/packet_rfc3162.txt
index 0d5605f7cd9f..ed55a69f398a 100644
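Review bot: The loop that fills `data[4 + i]` with the Request Authenticator runs before anything checks `data_len`, so a caller handing in a buffer shorter than the 20-byte RADIUS header gets an out-of-bounds write before `fr_radius_encode()` has a chance to reject the size; guard it with `if (data_len < 4 + RADIUS_AUTH_VECTOR_LENGTH) return -1;` ahead of the `if ((packet_type == FR_CODE_ACCESS_REQUEST) || ...)` block. `fr_fast_rand()` presumably returns a 32-bit value, so the store into a `uint8_t` element silently truncates; an explicit `(uint8_t)` cast would document that only the low byte is intended and keep `-Wconversion` quiet. `fr_radius_sign()` is called with `original == NULL`, which can only yield a correct authenticator for request-type codes (a Response Authenticator is computed over the request's authenticator per RFC 2865), so a comment such as `/* original == NULL: this test path can only sign request packets */` above the call would make the limitation explicit rather than leaving it to the caller to discover. The signature line of `fr_radius_encode_proto()` lies outside the hunk.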
--- a/src/tests/unit/protocols/radius/packet_rfc3162.txt
+++ b/src/tests/unit/protocols/radius/packet_rfc3162.txt
@@ -61,6 +61,8 @@ proto-dictionary radius
 decode-proto 01 f0 00 8d 2a fd b0 90 41 8a c6 36 52 98 fb bb 15 e0 fd 2e 01 05 62 6f 62 02 12 45 e8 d5 da ea d8 7e 40 15 e0 fc c0 ec 0f 08 a1 5f 12 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01 61 14 00 40 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 00 61 0c 00 40 20 01 0d b8 0a 0b 12 f0 61 04 00 00 61 03 00 61 15 00 40 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 00 00 61 14 00 81 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01
 match Packet-Type = Access-Request, Packet-Authentication-Vector = 0x2afdb090418ac6365298fbbb15e0fd2e, User-Name = "bob", User-Password = "\323\006\334\020\236%\004Z\005\246\373\344\354\033\212*", NAS-IPv6-Address = 2001:db8:a0b:12f0::1, Framed-IPv6-Prefix = 2001:db8:a0b:12f0::/64, Framed-IPv6-Prefix = 2001:db8:a0b:12f0::/64, Framed-IPv6-Prefix = ::/0, Attr-97 = 0x00, Attr-97 = 0x004020010db80a0b12f0000000000000000000, Attr-97 = 0x008120010db80a0b12f00000000000000001
-count
-match 4
+encode-proto -
+match 01 00 00 85 00 44 be 93 a9 c4 d0 90 66 04 bc 31 93 7a 49 51 01 05 62 6f 62 02 12 3b ab 4a 9a db 55 c5 f9 98 99 d7 09 e3 c0 9e 32 5f 12 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01 61 0c 00 40 20 01 0d b8 0a 0b 12 f0 61 0c 00 40 20 01 0d b8 0a 0b 12 f0 61 04 00 00 61 03 00 61 15 00 40 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 00 00 61 14 00 81 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01
+count
+match 6
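Review bot: The new `match` line pins an exact Request Authenticator (`00 44 be 93 a9 c4 …`), which only holds while the encoder's random bytes come from the seeded test-context generator; the commit message itself says salted fields are not yet deterministic, and this expectation stays stable only because none of the attributes in this packet is salted. A one-line comment above `encode-proto -`, such as `# expected bytes depend on the seeded test RNG for the Request Authenticator; do not add salted attributes here`, would stop the next person from extending the packet and getting a flaky match. Presumably the unit-test format accepts `#` comments, as most of these files do; verify against the other test files before adding one.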