summaryrefslogtreecommitdiff
path: root/lib/radius/radpkt.c
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2012-04-27 17:00:17 +0200
committerLinus Nordberg <linus@nordberg.se>2012-04-27 17:00:17 +0200
commit4b0ff99282a91bba93eec9db37831be73b8134e4 (patch)
tree087509c14291f207260d350c9fabf07c665a4f25 /lib/radius/radpkt.c
parentc562df4b073a288862dd3c4ceaba7d6439f33b45 (diff)
parentefb18a601811888127be69499cf10891aa3a4c37 (diff)
Merge libradsec-new-client.
Diffstat (limited to 'lib/radius/radpkt.c')
-rw-r--r--lib/radius/radpkt.c916
1 files changed, 916 insertions, 0 deletions
diff --git a/lib/radius/radpkt.c b/lib/radius/radpkt.c
new file mode 100644
index 0000000..bb8f75e
--- /dev/null
+++ b/lib/radius/radpkt.c
@@ -0,0 +1,916 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file packet.c
+ * \brief Encoding and decoding packets
+ */
+
+#include "client.h"
+
+#if RS_MAX_PACKET_LEN < 64
+#error RS_MAX_PACKET_LEN is too small. It should be at least 64.
+#endif
+
+#if RS_MAX_PACKET_LEN > 16384
+#error RS_MAX_PACKET_LEN is too large. It should be smaller than 16K.
+#endif
+
+const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1] = {
+ NULL,
+ "Access-Request",
+ "Access-Accept",
+ "Access-Reject",
+ "Accounting-Request",
+ "Accounting-Response",
+ NULL, NULL, NULL, NULL, NULL,
+ "Access-Challenge",
+ "Status-Server", /* 12 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */
+ "Disconnect-Request",
+ "Disconnect-ACK",
+ "Disconnect-NAK",
+ "CoA-Request",
+ "CoA-ACK",
+ "CoA-NAK"
+};
+
+
+static uint64_t allowed_responses[RS_MAX_PACKET_CODE + 1] = {
+ 0,
+ (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE),
+ 0, 0,
+ 1 << PW_ACCOUNTING_RESPONSE,
+ 0,
+ 0, 0, 0, 0, 0,
+ 0,
+ (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE),
+ 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */
+ (((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK),
+ 0,
+ 0,
+ (((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK),
+ 0,
+ 0
+};
+
+
+int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data)
+{
+ size_t packet_len;
+ const uint8_t *attr, *end;
+
+ if (!data || (sizeof_data < 20)) {
+ nr_debug_error("Invalid argument");
+ return -RSE_INVAL;
+ }
+
+ packet_len = (data[2] << 8) | data[3];
+ if (packet_len < 20) {
+ nr_debug_error("Packet length is too small");
+ return -RSE_PACKET_TOO_SMALL;
+ }
+
+ if (packet_len > sizeof_data) {
+ nr_debug_error("Packet length overflows received data");
+ return -RSE_PACKET_TOO_LARGE;
+ }
+
+ /*
+ * If we receive 100 bytes, and the header says it's 20 bytes,
+ * then it's 20 bytes.
+ */
+ end = data + packet_len;
+
+ for (attr = data + 20; attr < end; attr += attr[1]) {
+ if ((attr + 2) > end) {
+ nr_debug_error("Attribute overflows packet");
+ return -RSE_ATTR_OVERFLOW;
+ }
+
+ if (attr[1] < 2) {
+ nr_debug_error("Attribute length is too small");
+ return -RSE_ATTR_TOO_SMALL;
+ }
+
+ if ((attr + attr[1]) > end) {
+ nr_debug_error("Attribute length is too large");
+ return -RSE_ATTR_TOO_LARGE;
+ }
+ }
+
+ return 0;
+}
+
+int nr_packet_ok(RADIUS_PACKET *packet)
+{
+ int rcode;
+
+ if (!packet) return -RSE_INVAL;
+
+ if ((packet->flags & RS_PACKET_OK) != 0) return 0;
+
+ rcode = nr_packet_ok_raw(packet->data, packet->length);
+ if (rcode < 0) return rcode;
+
+ packet->flags |= RS_PACKET_OK;
+ return 0;
+}
+
+
+/*
+ * Comparison function that is time-independent. Using "memcmp"
+ * would satisfy the "comparison" part. However, it would also
+ * leak information about *which* bytes are wrong. Attackers
+ * could use that leak to create a "correct" RADIUS packet which
+ * will be accepted by the client and/or server.
+ */
+static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length)
+{
+ int result = 0;
+ size_t i;
+
+ for (i = 0; i < length; i++) {
+ result |= (a[i] ^ b[i]);
+ }
+
+ return result;
+}
+
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+static int msg_auth_ok(const RADIUS_PACKET *original,
+ uint8_t *ma,
+ uint8_t *data, size_t length)
+{
+ uint8_t packet_vector[sizeof(original->vector)];
+ uint8_t msg_auth_vector[sizeof(original->vector)];
+ uint8_t calc_auth_vector[sizeof(original->vector)];
+
+ if (ma[1] != 18) {
+ nr_debug_error("Message-Authenticator has invalid length");
+ return -RSE_MSG_AUTH_LEN;
+ }
+
+ memcpy(packet_vector, data + 4, sizeof(packet_vector));
+ memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector));
+ memset(ma + 2, 0, sizeof(msg_auth_vector));
+
+ switch (data[0]) {
+ default:
+ break;
+
+ case PW_ACCOUNTING_REQUEST:
+ case PW_ACCOUNTING_RESPONSE:
+ case PW_DISCONNECT_REQUEST:
+ case PW_DISCONNECT_ACK:
+ case PW_DISCONNECT_NAK:
+ case PW_COA_REQUEST:
+ case PW_COA_ACK:
+ case PW_COA_NAK:
+ memset(data + 4, 0, sizeof(packet_vector));
+ break;
+
+ case PW_ACCESS_ACCEPT:
+ case PW_ACCESS_REJECT:
+ case PW_ACCESS_CHALLENGE:
+ if (!original) {
+ nr_debug_error("Cannot validate response without request");
+ return -RSE_REQUEST_REQUIRED;
+ }
+ memcpy(data + 4, original->vector, sizeof(original->vector));
+ break;
+ }
+
+ nr_hmac_md5(data, length,
+ (const uint8_t *) original->secret, original->sizeof_secret,
+ calc_auth_vector);
+
+ memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector));
+ memcpy(data + 4, packet_vector, sizeof(packet_vector));
+
+ if (digest_cmp(calc_auth_vector, msg_auth_vector,
+ sizeof(calc_auth_vector)) != 0) {
+ nr_debug_error("Invalid Message-Authenticator");
+ return -RSE_MSG_AUTH_WRONG;
+ }
+
+ return 1;
+}
+#endif
+
+/*
+ * The caller ensures that the packet codes are as expected.
+ */
+static int packet_auth_ok(const RADIUS_PACKET *original,
+ uint8_t *data, size_t length)
+{
+ uint8_t packet_vector[sizeof(original->vector)];
+ uint8_t calc_digest[sizeof(original->vector)];
+ RS_MD5_CTX ctx;
+
+ if ((data[0] == PW_ACCESS_REQUEST) ||
+ (data[0] == PW_STATUS_SERVER)) return 1;
+
+ memcpy(packet_vector, data + 4, sizeof(packet_vector));
+
+ if (!original) {
+ memset(data + 4, 0, sizeof(packet_vector));
+ } else {
+ memcpy(data + 4, original->vector, sizeof(original->vector));
+ }
+
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, data, length);
+ RS_MD5Update(&ctx, (const unsigned char *)original->secret, original->sizeof_secret);
+ RS_MD5Final(calc_digest, &ctx);
+
+ memcpy(data + 4, packet_vector, sizeof(packet_vector));
+
+ if (digest_cmp(calc_digest, packet_vector,
+ sizeof(packet_vector)) != 0) {
+ nr_debug_error("Invalid authentication vector");
+ return -RSE_AUTH_VECTOR_WRONG;
+ }
+
+ return 0;
+}
+
+
+int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+ int rcode;
+ uint8_t *attr;
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ const uint8_t *end;
+#endif
+
+ if (!packet || !packet->data || !packet->secret) {
+ nr_debug_error("Invalid argument");
+ return -RSE_INVAL;
+ }
+
+ if ((packet->flags & RS_PACKET_VERIFIED) != 0) return 0;
+
+ /*
+ * Packet isn't well formed. Ignore it.
+ */
+ rcode = nr_packet_ok(packet);
+ if (rcode < 0) return rcode;
+
+ /*
+ * Get rid of improper packets as early as possible.
+ */
+ if (original) {
+ uint64_t mask;
+
+ if (original->code > RS_MAX_PACKET_CODE) {
+ nr_debug_error("Invalid original code %u",
+ original->code);
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+ if (packet->data[1] != original->id) {
+ nr_debug_error("Ignoring response with wrong ID %u",
+ packet->data[1]);
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+
+ mask = 1;
+ mask <<= packet->data[0];
+
+ if ((allowed_responses[original->code] & mask) == 0) {
+ nr_debug_error("Ignoring response with wrong code %u",
+ packet->data[0]);
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+
+ if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) &&
+ (evutil_sockaddr_cmp((struct sockaddr *)&packet->src, (struct sockaddr *)&original->dst, 1) != 0)) {
+ nr_debug_error("Ignoring response from wrong IP/port");
+ return -RSE_INVALID_RESPONSE_SRC;
+ }
+
+ } else if (allowed_responses[packet->data[0]] != 0) {
+ nr_debug_error("Ignoring response without original");
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ end = packet->data + packet->length;
+
+ /*
+ * Note that the packet MUST be well-formed here.
+ */
+ for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+ if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
+ rcode = msg_auth_ok(original, attr,
+ packet->data, packet->length);
+ if (rcode < 0) return rcode;
+ }
+ }
+#endif
+
+ /*
+ * Verify the packet authenticator.
+ */
+ rcode = packet_auth_ok(original, packet->data, packet->length);
+ if (rcode < 0) return rcode;
+
+ packet->flags |= RS_PACKET_VERIFIED;
+
+ return 0;
+}
+
+
+int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+ int rcode, num_attributes;
+ uint8_t *data, *attr;
+ const uint8_t *end;
+ VALUE_PAIR **tail, *vp;
+
+ if (!packet) return -RSE_INVAL;
+
+ if ((packet->flags & RS_PACKET_DECODED) != 0) return 0;
+
+ rcode = nr_packet_ok(packet);
+ if (rcode < 0) return rcode;
+
+ data = packet->data;
+ end = data + packet->length;
+ tail = &packet->vps;
+ num_attributes = 0;
+
+ /*
+ * Loop over the packet, converting attrs to VPs.
+ */
+ for (attr = data + 20; attr < end; attr += attr[1]) {
+ rcode = nr_attr2vp(packet, original,
+ attr, end - attr, &vp);
+ if (rcode < 0) {
+ nr_vp_free(&packet->vps);
+ return -rcode;
+ }
+
+ *tail = vp;
+ while (vp) {
+ num_attributes++;
+ tail = &(vp->next);
+ vp = vp->next;
+ }
+
+ if (num_attributes > RS_MAX_ATTRIBUTES) {
+ nr_debug_error("Too many attributes");
+ nr_vp_free(&packet->vps);
+ return -RSE_TOO_MANY_ATTRS;
+ }
+ }
+
+ packet->code = data[0];
+ packet->id = data[1];
+ memcpy(packet->vector, data + 4, sizeof(packet->vector));
+
+ packet->flags |= RS_PACKET_DECODED;
+
+ return 0;
+}
+
+
+int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ size_t ma = 0;
+ const uint8_t *attr, *end;
+#endif
+
+ if ((packet->flags & RS_PACKET_SIGNED) != 0) return 0;
+
+ if ((packet->flags & RS_PACKET_ENCODED) == 0) {
+ int rcode;
+
+ rcode = nr_packet_encode(packet, original);
+ if (rcode < 0) return rcode;
+ }
+
+ if ((packet->code == PW_ACCESS_ACCEPT) ||
+ (packet->code == PW_ACCESS_CHALLENGE) ||
+ (packet->code == PW_ACCESS_REJECT)) {
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ if (!original) {
+ nr_debug_error("Original packet is required to create the Message-Authenticator");
+ return -RSE_REQUEST_REQUIRED;
+ }
+#endif
+
+ memcpy(packet->data + 4, original->vector,
+ sizeof(original->vector));
+ } else {
+ memcpy(packet->data + 4, packet->vector,
+ sizeof(packet->vector));
+ }
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ end = packet->data + packet->length;
+
+ for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+ if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
+ ma = (attr - packet->data);
+ break;
+ }
+ }
+
+ /*
+ * Force all Access-Request packets to have a
+ * Message-Authenticator.
+ */
+ if (!ma && ((packet->length + 18) <= packet->sizeof_data) &&
+ ((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER))) {
+ ma = packet->length;
+
+ packet->data[ma]= PW_MESSAGE_AUTHENTICATOR;
+ packet->data[ma + 1] = 18;
+ memset(&packet->data[ma + 2], 0, 16);
+ packet->length += 18;
+ }
+
+ /*
+ * Reset the length.
+ */
+ packet->data[2] = (packet->length >> 8) & 0xff;
+ packet->data[3] = packet->length & 0xff;
+
+ /*
+ * Sign the Message-Authenticator && packet.
+ */
+ if (ma) {
+ nr_hmac_md5(packet->data, packet->length,
+ (const uint8_t *) packet->secret, packet->sizeof_secret,
+ packet->data + ma + 2);
+ }
+#endif
+
+ /*
+ * Calculate the signature.
+ */
+ if (!((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER))) {
+ RS_MD5_CTX ctx;
+
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, packet->data, packet->length);
+ RS_MD5Update(&ctx, (const unsigned char *)packet->secret, packet->sizeof_secret);
+ RS_MD5Final(packet->vector, &ctx);
+ }
+
+ memcpy(packet->data + 4, packet->vector, sizeof(packet->vector));
+
+ packet->attempts = 0;
+ packet->flags |= RS_PACKET_SIGNED;
+
+ return 0;
+}
+
+
+static int can_encode_packet(RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original)
+{
+ if ((packet->code == 0) ||
+ (packet->code > RS_MAX_PACKET_CODE) ||
+ (original && (original->code > RS_MAX_PACKET_CODE))) {
+ nr_debug_error("Cannot send unknown packet code");
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+ if (!nr_packet_codes[packet->code]) {
+ nr_debug_error("Cannot handle packet code %u",
+ packet->code);
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+#ifdef NR_NO_MALLOC
+ if (!packet->data) {
+ nr_debug_error("No place to put packet");
+ return -RSE_NO_PACKET_DATA;
+ }
+#endif
+
+ if (packet->sizeof_data < 20) {
+ nr_debug_error("The buffer is too small to encode the packet");
+ return -RSE_PACKET_TOO_SMALL;
+ }
+
+ /*
+ * Enforce request / response correlation.
+ */
+ if (original) {
+ uint64_t mask;
+
+ mask = 1;
+ mask <<= packet->code;
+
+ if ((allowed_responses[original->code] & mask) == 0) {
+ nr_debug_error("Cannot encode response %u to packet %u",
+ packet->code, original->code);
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+ packet->id = original->id;
+
+ } else if (allowed_responses[packet->code] == 0) {
+ nr_debug_error("Cannot encode response %u without original",
+ packet->code);
+ return -RSE_REQUEST_REQUIRED;
+ }
+
+ return 0;
+}
+
+static void encode_header(RADIUS_PACKET *packet)
+{
+ if ((packet->flags & RS_PACKET_HEADER) != 0) return;
+
+ memset(packet->data, 0, 20);
+ packet->data[0] = packet->code;
+ packet->data[1] = packet->id;
+ packet->data[2] = 0;
+ packet->data[3] = 20;
+ packet->length = 20;
+
+ /*
+ * Calculate a random authentication vector.
+ */
+ if ((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER)) {
+ nr_rand_bytes(packet->vector, sizeof(packet->vector));
+ } else {
+ memset(packet->vector, 0, sizeof(packet->vector));
+ }
+
+ memcpy(packet->data + 4, packet->vector, sizeof(packet->vector));
+
+ packet->flags |= RS_PACKET_HEADER;
+}
+
+int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ size_t ma = 0;
+#endif
+ int rcode;
+ ssize_t len;
+ const VALUE_PAIR *vp;
+ uint8_t *data, *end;
+
+ if ((packet->flags & RS_PACKET_ENCODED) != 0) return 0;
+
+ rcode = can_encode_packet(packet, original);
+ if (rcode < 0) return rcode;
+
+ data = packet->data;
+ end = data + packet->sizeof_data;
+
+ encode_header(packet);
+ data += 20;
+
+ /*
+ * Encode each VALUE_PAIR
+ */
+ vp = packet->vps;
+ while (vp) {
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) {
+ ma = (data - packet->data);
+ }
+#endif
+ len = nr_vp2attr(packet, original, &vp,
+ data, end - data);
+ if (len < 0) return len;
+
+ if (len == 0) break; /* insufficient room to encode it */
+
+ data += data[1];
+ }
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ /*
+ * Always send a Message-Authenticator.
+ *
+ * We do *not* recommend removing this code.
+ */
+ if (((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER)) &&
+ !ma &&
+ ((data + 18) <= end)) {
+ ma = (data - packet->data);
+ data[0] = PW_MESSAGE_AUTHENTICATOR;
+ data[1] = 18;
+ memset(data + 2, 0, 16);
+ data += data[1];
+ }
+#endif
+
+ packet->length = data - packet->data;
+
+ packet->data[2] = (packet->length >> 8) & 0xff;
+ packet->data[3] = packet->length & 0xff;
+
+ packet->flags |= RS_PACKET_ENCODED;
+
+ return packet->length;
+}
+
+
+/*
+ * Ensure that the nr_data2attr_t structure is filled in
+ * appropriately. This includes filling in a fake DICT_ATTR
+ * structure, if necessary.
+ */
+static int do_callback(void *ctx, nr_packet_walk_func_t callback,
+ int attr, int vendor,
+ const uint8_t *data, size_t sizeof_data)
+
+{
+ int rcode;
+ const DICT_ATTR *da;
+ DICT_ATTR myda;
+ char buffer[64];
+
+ da = nr_dict_attr_byvalue(attr, vendor);
+
+ /*
+ * The attribute is supposed to have a particular length,
+ * but does not. It is therefore malformed.
+ */
+ if (da && (da->flags.length != 0) &&
+ da->flags.length != sizeof_data) {
+ da = NULL;
+ }
+
+ if (!da) {
+ rcode = nr_dict_attr_2struct(&myda, attr, vendor,
+ buffer, sizeof(buffer));
+
+ if (rcode < 0) return rcode;
+ da = &myda;
+ }
+
+ rcode = callback(ctx, da, data, sizeof_data);
+ if (rcode < 0) return rcode;
+
+ return 0;
+}
+
+
+int nr_packet_walk(RADIUS_PACKET *packet, void *ctx,
+ nr_packet_walk_func_t callback)
+{
+ int rcode;
+ uint8_t *attr;
+ const uint8_t *end;
+
+ if (!packet || !callback) return -RSE_INVAL;
+
+ rcode = nr_packet_ok(packet);
+ if (rcode < 0) return rcode;
+
+ end = packet->data + packet->length;
+
+ for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+ int length, value;
+ int dv_type, dv_length;
+ uint32_t vendorpec;
+ const uint8_t *vsa;
+ const DICT_VENDOR *dv = NULL;
+
+ vendorpec = 0;
+ value = attr[0];
+
+ if (value != PW_VENDOR_SPECIFIC) {
+ raw:
+ rcode = do_callback(ctx, callback,
+ attr[0], 0,
+ attr + 2, attr[1] - 2);
+ if (rcode < 0) return rcode;
+ continue;
+ }
+
+ if (attr[1] < 6) goto raw;
+ memcpy(&vendorpec, attr + 2, 4);
+ vendorpec = ntohl(vendorpec);
+
+ if (dv && (dv->vendor != vendorpec)) dv = NULL;
+
+ if (!dv) dv = nr_dict_vendor_byvalue(vendorpec);
+
+ if (dv) {
+ dv_type = dv->type;
+ dv_length = dv->length;
+ } else {
+ dv_type = 1;
+ dv_length = 1;
+ }
+
+ /*
+ * Malformed: it's a raw attribute.
+ */
+ if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) {
+ goto raw;
+ }
+
+ for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) {
+ switch (dv_type) {
+ case 4:
+ value = (vsa[2] << 8) | vsa[3];
+ break;
+
+ case 2:
+ value = (vsa[0] << 8) | vsa[1];
+ break;
+
+ case 1:
+ value = vsa[0];
+ break;
+
+ default:
+ return -RSE_INTERNAL;
+ }
+
+ switch (dv_length) {
+ case 0:
+ length = attr[1] - 6 - dv_type;
+ break;
+
+ case 2:
+ case 1:
+ length = vsa[dv_type + dv_length - 1];
+ break;
+
+ default:
+ return -RSE_INTERNAL;
+ }
+
+ rcode = do_callback(ctx, callback,
+ value, vendorpec,
+ vsa + dv_type + dv_length,
+ length - dv_type - dv_length);
+ if (rcode < 0) return rcode;
+ }
+ }
+
+ return 0;
+}
+
+int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+ const char *secret, int code,
+ void *data, size_t sizeof_data)
+{
+ int rcode;
+
+ if ((code < 0) || (code > RS_MAX_PACKET_CODE)) {
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+ if (!data || (sizeof_data < 20)) return -RSE_INVAL;
+
+ memset(packet, 0, sizeof(*packet));
+ packet->secret = secret;
+ packet->sizeof_secret = secret ? strlen(secret) : 0;
+ packet->code = code;
+ packet->id = 0;
+ packet->data = data;
+ packet->sizeof_data = sizeof_data;
+
+ rcode = can_encode_packet(packet, original);
+ if (rcode < 0) return rcode;
+
+ encode_header(packet);
+
+ return 0;
+}
+
+
+static int pack_eap(RADIUS_PACKET *packet,
+ const void *data, size_t data_len)
+{
+ uint8_t *attr, *end;
+ const uint8_t *eap;
+ size_t left;
+
+ eap = data;
+ left = data_len;
+ attr = packet->data + packet->length;
+ end = attr + packet->sizeof_data;
+
+ while (left > 253) {
+ if ((attr + 255) > end) return -RSE_ATTR_OVERFLOW;
+
+ attr[0] = PW_EAP_MESSAGE;
+ attr[1] = 255;
+ memcpy(attr + 2, eap, 253);
+ attr += attr[1];
+ eap += 253;
+ left -= 253;
+ }
+
+ if ((attr + (2 + left)) > end) return -RSE_ATTR_OVERFLOW;
+
+ attr[0] = PW_EAP_MESSAGE;
+ attr[1] = 2 + left;
+ memcpy(attr + 2, eap, left);
+ attr += attr[1];
+ packet->length = attr - packet->data;
+
+ return 0;
+}
+
+ssize_t nr_packet_attr_append(RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const DICT_ATTR *da,
+ const void *data, size_t data_len)
+{
+ ssize_t rcode;
+ uint8_t *attr, *end;
+ VALUE_PAIR my_vp;
+ const VALUE_PAIR *vp;
+
+ if (!packet || !da || !data) {
+ return -RSE_INVAL;
+ }
+
+ if (data_len == 0) {
+ if (da->type != RS_TYPE_STRING) return -RSE_ATTR_TOO_SMALL;
+
+ data_len = strlen(data);
+ }
+
+ packet->flags |= RS_PACKET_ENCODED; /* ignore any VPs */
+
+ attr = packet->data + packet->length;
+ end = attr + packet->sizeof_data;
+
+ if ((attr + 2 + data_len) > end) {
+ return -RSE_ATTR_OVERFLOW;
+ }
+
+ if ((da->flags.length != 0) &&
+ (data_len != da->flags.length)) {
+ return -RSE_ATTR_VALUE_MALFORMED;
+ }
+
+#ifdef PW_EAP_MESSAGE
+ /*
+ * automatically split EAP-Message into multiple
+ * attributes.
+ */
+ if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) {
+ return pack_eap(packet, data, data_len);
+ }
+#endif
+
+ if (data_len > 253) return -RSE_ATTR_TOO_LARGE;
+
+ vp = nr_vp_init(&my_vp, da);
+ rcode = nr_vp_set_data(&my_vp, data, data_len);
+ if (rcode < 0) return rcode;
+
+ /*
+ * Note that this function packs VSAs each into their own
+ * Vendor-Specific attribute. If this isn't what you
+ * want, use the version of the library with full support
+ * for TLVs, WiMAX, and extended attributes.
+ */
+ rcode = nr_vp2attr(packet, original, &vp, attr, end - attr);
+ if (rcode <= 0) return rcode;
+
+ packet->length += rcode;
+
+ return rcode;
+}