int alen is used only with SSL.
Reported by: Michael Dexter, Build Option Survey
MFC after: 3 days
Fixes: 8d5c781306 ("libradius: Fix input validation bugs")
Sponsored by: The FreeBSD Foundation
The length of the attribute header needs to be excluded when comparing
the attribute length against the length of the packet. Otherwise,
validation may incorrectly fail when fetching the final attribute in a
message.
Fixes: 8d5c78130 ("libradius: Fix input validation bugs")
Reported by: Peter Eriksson
Tested by: Peter Eriksson
MFC after: now
Sponsored by: The FreeBSD Foundation
These functions appear to intend to produce unpredictable results. Just use
arc4random.
While here, use an explicit_bzero instead of memset where the intent is clearly
to zero out a secret (clear_passphrase).
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
API, keeping backward compatibility.
First consumer for this functionality is going to become forthcoming MPD-5.4,
supporting CoA and DR of RFC 3576: Dynamic Authorization Extensions to RADIUS.
MFC after: 1 month
MS-CHAPv1 MPPE-keys).
- Added rad_demangle_mppe_key() for demangling mppe-keys (needed
for MPPE-keys).
- Added some typecasts for avoiding compiler warnings.
- Fix: better handle wrong usage of the lib (if the programmer
has not called rad_create_request() but rad_put_*(), then a
weird error message was returned).
- Added a new function for putting the Message-Authenticator.
- Verify the Message-Authenticator, if it was found inside a
response packet and silently drop the packet, if the validation
failed.
- Implicitly put the Message-Authenticator, if the EAP-Message
attribute was added.
- Added some missing defines.
Submitted by: Michael Bretterklieber
PR: 46555
rad_request_authenticator()
Returns the Request-Authenticator relevant to the most recently received
RADIUS response.
rad_server_secret()
Returns the Shared Secret relevant to the most recently received
RADIUS response.
Neither of these functions should be necessary, however, the
MS-MPPE-Recv-Key and MS-MPPE-Send-Key Microsoft Vendor Specific
attributes are supplied in a mangled (encrypted) format, requiring
this information to demangle.
It's not clear whether these functions should be replaced with a
rad_demangle() function or whether these attributes are one-offs.
Sponsored by: Monzoon
of the /etc/radius.conf file. But the code contains hacks for
backward compatibility, so old files will continue to work.
I updated the man pages and made a couple of minor changes, but
everything else was submitted by Oleg.
PR: misc/14284
Submitted by: Oleg Semyonov <os@altavista.net>
Don't insist that RAD_USER_PASSWORD is supplied before
calling rad_send_request(). Instead, insist on only one
of RAD_USER_PASSWORD and RAD_CHAP_PASSWORD.
Sponsored by: Internet Business Solutions Ltd., Switzerland