Commit Graph

25 Commits

Author SHA1 Message Date
Ed Maste
a901f2af58 libradius: fix WITHOUT_OPENSSL build
int alen is used only with SSL.

Reported by:	Michael Dexter, Build Option Survey
MFC after:	3 days
Fixes:		8d5c781306 ("libradius: Fix input validation bugs")
Sponsored by:	The FreeBSD Foundation
2021-10-28 17:05:53 -04:00
Cy Schubert
48b11217bf libradius: fix no SSL build
int alen is only used with SSL.
2021-06-02 17:25:37 -07:00
Mark Johnston
6bb5699d2b libradius: Fix attribute length validation in rad_get_attr(3)
The length of the attribute header needs to be excluded when comparing
the attribute length against the length of the packet.  Otherwise,
validation may incorrectly fail when fetching the final attribute in a
message.

Fixes:		8d5c78130 ("libradius: Fix input validation bugs")
Reported by:	Peter Eriksson
Tested by:	Peter Eriksson
MFC after:	now
Sponsored by:	The FreeBSD Foundation
2021-05-28 12:58:29 -04:00
Mark Johnston
8d5c781306 libradius: Fix input validation bugs
Approved by:	so
Security:	FreeBSD-SA-21:12.libradius
Security:	CVE-2021-29629
MFC after:	now
Sponsored by:	The FreeBSD Foundation
2021-05-26 16:30:23 -04:00
Conrad Meyer
d449578f86 libradius: Rip out dubious use of srandomdev(3)+random(3)
These functions appear to intend to produce unpredictable results.  Just use
arc4random.

While here, use an explicit_bzero instead of memset where the intent is clearly
to zero out a secret (clear_passphrase).
2019-12-13 04:55:17 +00:00
Jung-uk Kim
328bbc11c9 Make libradius(3) buildable. 2018-09-19 07:06:20 +00:00
Pedro F. Giffuni
5e53a4f90f lib: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
2017-11-26 02:00:33 +00:00
Xin LI
c2654dc8fa Fix build: reflect the increased field number. 2012-12-07 01:36:53 +00:00
Sergey Matveychuk
bf5a1b6502 - Rewrite radius servers traversal algorithm.
- Add functions for working with IPv6 attributes.

Approved by:	ae
2012-12-06 19:00:37 +00:00
Alexander V. Chernikov
07d7b74b81 Add binding support to libradius(3).
Submitted by:    Sergey Matveychuk <sem33@yandex-team.ru>
Approved by:     ae (mentor)
MFC after:       2 weeks
2011-12-20 11:13:44 +00:00
Alexander Motin
21fc30e1a3 Fix bug where the RADIUS client gave up after a single sendto() error, not
trying backup servers.

PR:		kern/103764, misc/139214
2009-09-29 19:09:17 +00:00
Alexander Motin
3fc0b61c51 Add simple embedded RADIUS server support to libradius, by extending existing
API, keeping backward compatibility.

First consumer for this functionality is going to become forthcoming MPD-5.4,
supporting CoA and DR of RFC 3576: Dynamic Authorization Extensions to RADIUS.

MFC after:	1 month
2009-09-11 11:42:56 +00:00
Alexander Kabaev
c5384974d9 Use correct u_int and socklen_t types for parameters if function is
expecting them, not int.
2007-04-04 02:59:54 +00:00
Stefan Farfeleder
067a9d4cc7 Use %zu to print values with type size_t. 2004-06-14 20:55:30 +00:00
Ruslan Ermilov
b4b831ef39 - Added rad_demangle() for demangling user-passwords (needed for
MS-CHAPv1 MPPE-keys).
- Added rad_demangle_mppe_key() for demangling mppe-keys (needed
  for MPPE-keys).
- Added some typecasts for avoiding compiler warnings.
- Fix: better handle wrong usage of the lib (if the programmer
  has not called rad_create_request() but rad_put_*(), then a
  weird error message was returned).
- Added a new function for putting the Message-Authenticator.
- Verify the Message-Authenticator, if it was found inside a
  response packet and silently drop the packet, if the validation
  failed.
- Implicitly put the Message-Authenticator, if the EAP-Message
  attribute was added.
- Added some missing defines.

Submitted by:	Michael Bretterklieber
PR:		46555
2004-04-27 15:00:29 +00:00
Brian Somers
628e6cd45f Add the following functions:
  rad_request_authenticator()
    Returns the Request-Authenticator relevant to the most recently received
    RADIUS response.

  rad_server_secret()
    Returns the Shared Secret relevant to the most recently received
    RADIUS response.

Neither of these functions should be necessary, however, the
MS-MPPE-Recv-Key and MS-MPPE-Send-Key Microsoft Vendor Specific
attributes are supplied in a mangled (encrypted) format, requiring
this information to demangle.

It's not clear whether these functions should be replaced with a
rad_demangle() function or whether these attributes are one-offs.

Sponsored by: Monzoon
2002-06-12 00:21:07 +00:00
Brian Somers
fc3f62faaa Add rad_get_vendor_attr() for deciphering vendor attributes received
from the RADIUS server.
2002-05-10 02:40:23 +00:00
Brian Somers
b49a88f653 Add support for vendor specific RADIUS extensions.
Only the extensions from rfc2548 are specified for now.
2002-05-07 10:47:18 +00:00
Matthew Dillon
f8014c0927 Add __FBSDID()s to libradius 2001-09-30 22:12:36 +00:00
Eivind Eklund
62ac643d25 Fix password clearing bug which prevented challenge/response from working.
Reviewed by:	jdp
2000-11-08 18:36:56 +00:00
Andrey A. Chernov
c515991040 strtok -> strsep (no strtok allowed in libraries) 2000-08-29 21:49:11 +00:00
John Polstra
0981dfef84 Add support for RADIUS accounting. Note, this changes the format
of the /etc/radius.conf file.   But the code contains hacks for
backward compatibility, so old files will continue to work.

I updated the man pages and made a couple of minor changes, but
everything else was submitted by Oleg.

PR:		misc/14284
Submitted by:	Oleg Semyonov <os@altavista.net>
1999-10-31 04:47:59 +00:00
Brian Somers
48caee2acd Allow an alternate to rad_send_request() for programs that
don't wish to wait for the RADIUS server to respond.
Reviewed by: jdp
1999-02-05 11:23:44 +00:00
Brian Somers
d30ad2abf7 Install -C radlib.h
Don't insist that RAD_USER_PASSWORD is supplied before
calling rad_send_request().  Instead, insist on only one
of RAD_USER_PASSWORD and RAD_CHAP_PASSWORD.

Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-29 22:44:47 +00:00
John Polstra
082bfe6741 Initial import of RADIUS client library donated by Juniper Networks, Inc. 1998-11-13 00:53:01 +00:00