Refactoring, mainly packet nomenclature

370440a8 · Robert Dubner · 0cdafb7e · 370440a8 · 370440a8 · 370440a8
Commit 370440a8 authored Sep 25, 2021 by Robert Dubner
--- a/contrib/slapd-modules/radiusov/radius.c
+++ b/contrib/slapd-modules/radiusov/radius.c
@@ -108,61 +108,26 @@ get_or_create_state_string(char *state_string, RADIUS_PACKET *request)
 #define DONT_INCLUDE_STATE 2

 static void
-build_response_postamble(   RADIUS_PACKET *response,
-                            RADIUS_PACKET *request,
-                            const char *state_string,
-                            const char *shared_secret,
-                            int include_state_attribute )
+server_postamble(   RADIUS_PACKET *response,
+                    RADIUS_PACKET *request,
+                    const char *shared_secret)
    {
-    // At this point, we set up the Message-Authenticator.
-    // For now we leave the 16-byte payload as zeroes; they'll get filled
-    // in by AdjustPacketForSending()
+    char state_string_[255];
+    char *state_string = NULL;
+    PACKET_CODES code = get_code(response);

-    uint8_t message_authenticator[MD5_DIGEST_LENGTH];
-    memset(message_authenticator, 0, MD5_DIGEST_LENGTH);
-    add_attribute_to_radius_packet( response,
-                                    RATV_Message_Authenticator,
-                                    MD5_DIGEST_LENGTH,
-                                    message_authenticator);
-
-    if( state_string )
+    if( code != PC_Access_Request
+        && code != PC_Access_Accept
+        && code != PC_Access_Reject)
        {
-        add_attribute_to_radius_packet( response,
-                                        RATV_State,
-                                        (uint8_t)strlen(state_string),
-                                        (uint8_t *)state_string);
+        get_or_create_state_string(state_string_, request);
+        state_string = state_string_;
        }

-    // We now know the length of the RADIUS packet:
-    set_length(response, response->build_loc);
-
-    // With the entire packet built, we can now polish it off by creating the
-    // MD5 hash and HMAC fields:
-    if( response )
-        {
-        // Since we are responding to something, we must be a server:
-        AdjustServerPacketForSending( response, request, shared_secret);
-        }
-    else
-        {
-        AdjustClientPacketForSending( response, shared_secret);
-        }
-    }
-
-static void
-server_postamble(   RADIUS_PACKET *response,
-                    RADIUS_PACKET *request,
-                    const char *shared_secret,
-                    int include_state_attribute )
-    {
-    char state_string[255];
-    get_or_create_state_string(state_string, request);
-
-    build_response_postamble(   response,
-                                request,
-                                state_string,
-                                shared_secret,
-                                include_state_attribute);
+    build_packet_postamble( response,
+                            request,
+                            state_string,
+                            shared_secret);
    }


@@ -173,7 +138,7 @@ build_md5_challenge(RADIUS_PACKET *response,
                    const char *shared_secret)
    {
    DENTER;
-    build_response_preamble(response, get_identifier(request));
+    build_packet_preamble(response, PC_Access_Challenge, get_identifier(request));
    // This brings us to the attributes portion of the RADIUS packet we are building.

    // The first attribute we are going to build is an EAP-MD5 challenge.
@@ -193,7 +158,7 @@ build_md5_challenge(RADIUS_PACKET *response,
                                    EAP_CHALLENGE_ATTRIBUTE_LENGTH,
                                    eap_message_data);

-    server_postamble(response, request, shared_secret, INCLUDE_STATE);
+    server_postamble(response, request, shared_secret);
    }

 static void
@@ -204,7 +169,7 @@ build_peap_challenge(   RADIUS_PACKET *response,
    {
    DENTER;

-    build_response_preamble(response, get_identifier(request));
+    build_packet_preamble(response, PC_Access_Challenge, get_identifier(request));
    // This brings us to the attributes portion of the RADIUS packet we are building.

    // The first attribute we are going to build is an EAP-PEAP challenge.
@@ -222,7 +187,7 @@ build_peap_challenge(   RADIUS_PACKET *response,
                                    EAP_CHALLENGE_ATTRIBUTE_LENGTH,
                                    eap_message_data);

-    server_postamble(response, request, shared_secret, INCLUDE_STATE);
+    server_postamble(response, request, shared_secret);
    }

 static void
@@ -232,7 +197,7 @@ build_ttls_challenge(   RADIUS_PACKET *response,
                        const char *shared_secret)
    {
    DENTER;
-    build_response_preamble(response, get_identifier(request));
+    build_packet_preamble(response, PC_Access_Challenge, get_identifier(request));
    // This brings us to the attributes portion of the RADIUS packet we are building.

    // The first attribute we are going to build is an EAP-TTLS challenge.
@@ -250,7 +215,7 @@ build_ttls_challenge(   RADIUS_PACKET *response,
                                    EAP_CHALLENGE_ATTRIBUTE_LENGTH,
                                    eap_message_data);

-    server_postamble(response, request, shared_secret, INCLUDE_STATE);
+    server_postamble(response, request, shared_secret);
    }

 static int
@@ -643,7 +608,7 @@ build_tls_response( RADIUS_PACKET *response,
    //      123 bytes of EAP-TLS data, to make up the 129 bytes

    int retval = NO_RESPONSE_NECESSARY;
-    build_response_preamble(response, get_identifier(volatiles->request));
+    build_packet_preamble(response, PC_Access_Challenge, get_identifier(volatiles->request));

    // Figure out how many EAP-TLS bytes we'll be transferring
    size_t remaining_packet_tls_bytes = state->mtu; //MAXIMUM_PEAP_BYTES_PER_RADIUS_PACKET;
@@ -774,7 +739,7 @@ build_tls_response( RADIUS_PACKET *response,
        }

    // With the PEAP messages out of the way, finish up the RADIUS packet:
-    server_postamble(response, volatiles->request, volatiles->shared_secret, INCLUDE_STATE);
+    server_postamble(response, volatiles->request, volatiles->shared_secret);

    Debug(  LDAP_DEBUG_ARGS,
            DPREFIX "Built eap_tls response with %d EAP-message attributes\n",
@@ -795,7 +760,7 @@ encrypt_and_send_response(  STATE *state,

    RADIUS_PACKET response_;
    RADIUS_PACKET *response = &response_;
-    build_response_preamble(response, get_identifier(volatiles->request));
+    build_packet_preamble(response, PC_Access_Challenge, get_identifier(volatiles->request));

    // It's now time to encrypt the data in cleartext_out
    SSL_write(  state->ssl,
@@ -861,8 +826,7 @@ encrypt_and_send_response(  STATE *state,
    // With the PEAP message out of the way, finish up the RADIUS packet:
    server_postamble(   response,
                        volatiles->request,
-                        volatiles->shared_secret,
-                        INCLUDE_STATE);
+                        volatiles->shared_secret);

    rc = SendThePacket( response,
                        volatiles->radius_info->udp_socket,
@@ -1570,10 +1534,7 @@ send_access_accept(STATE *state)
    RADIUS_PACKET response_;
    RADIUS_PACKET *response = &response_;

-    build_response_preamble(response, get_identifier(volatiles->request));
-
-    // Rather ham-handedly change the packet code::
-    response->packet_data[0] = PC_Access_Accept;
+    build_packet_preamble(response, PC_Access_Accept, get_identifier(volatiles->request));

    // This brings us to the attributes portion of the RADIUS packet we are building.

@@ -1613,8 +1574,7 @@ send_access_accept(STATE *state)

    server_postamble(   response,
                        volatiles->request,
-                        volatiles->shared_secret,
-                        DONT_INCLUDE_STATE);
+                        volatiles->shared_secret);

    return SendThePacket(   response,
                            volatiles->radius_info->udp_socket,
@@ -1634,10 +1594,7 @@ send_access_reject(STATE *state)
    RADIUS_PACKET response_;
    RADIUS_PACKET *response = &response_;

-    build_response_preamble(response, get_identifier(volatiles->request));
-
-    // Rather ham-handedly change the packet code::
-    response->packet_data[0] = PC_Access_Reject;
+    build_packet_preamble(response, PC_Access_Reject, get_identifier(volatiles->request));

    // This brings us to the attributes portion of the RADIUS packet we are building.

@@ -1656,8 +1613,7 @@ send_access_reject(STATE *state)

    server_postamble(   response,
                        volatiles->request,
-                        volatiles->shared_secret,
-                        DONT_INCLUDE_STATE);
+                        volatiles->shared_secret);

    return SendThePacket(   response,
                            volatiles->radius_info->udp_socket,

--- a/contrib/slapd-modules/radiusov/rpacket.c
+++ b/contrib/slapd-modules/radiusov/rpacket.c
@@ -593,12 +593,12 @@ debugging_display_of(RADIUS_PACKET *packet)
    }

 void
-build_response_preamble(RADIUS_PACKET *response, uint8_t packet_id)
+build_packet_preamble(RADIUS_PACKET *response, PACKET_CODES packet_code, uint8_t packet_id)
    {
    radius_packet_initialize(response);

-    // Indicate that we are a RADIUS access challenge:
-    response->packet_data[response->build_loc++] = PC_Access_Challenge;
+    // Establish the packet code:
+    response->packet_data[response->build_loc++] = packet_code;

    // Establish the RADIUS identifier:
    response->packet_data[response->build_loc++] = packet_id;
@@ -612,6 +612,47 @@ build_response_preamble(RADIUS_PACKET *response, uint8_t packet_id)
    response->build_loc += AUTHENTICATOR_LENGTH;
    }

+void
+build_packet_postamble( RADIUS_PACKET *response,
+                        RADIUS_PACKET *request,
+                        const char *state_string,
+                        const char *shared_secret )
+    {
+    // At this point, we set up the Message-Authenticator.
+    // For now we leave the 16-byte payload as zeroes; they'll get filled
+    // in by AdjustPacketForSending()
+
+    uint8_t message_authenticator[MD5_DIGEST_LENGTH];
+    memset(message_authenticator, 0, MD5_DIGEST_LENGTH);
+    add_attribute_to_radius_packet( response,
+                                    RATV_Message_Authenticator,
+                                    MD5_DIGEST_LENGTH,
+                                    message_authenticator);
+
+    if( state_string )
+        {
+        add_attribute_to_radius_packet( response,
+                                        RATV_State,
+                                        (uint8_t)strlen(state_string),
+                                        (uint8_t *)state_string);
+        }
+
+    // We now know the length of the RADIUS packet:
+    set_length(response, response->build_loc);
+
+    // With the entire packet built, we can now polish it off by creating the
+    // MD5 hash and HMAC fields:
+    if( request )
+        {
+        // Since we are responding to a request, we must be a server:
+        AdjustServerPacketForSending( response, request, shared_secret);
+        }
+    else
+        {
+        AdjustClientPacketForSending( response, shared_secret);
+        }
+    }
+
 void
 AdjustServerPacketForSending(   RADIUS_PACKET *response,
                                RADIUS_PACKET *request,

--- a/contrib/slapd-modules/radiusov/rpacket.h
+++ b/contrib/slapd-modules/radiusov/rpacket.h
@@ -294,16 +294,28 @@ void      set_length(RADIUS_PACKET *radius_packet, int length);
 uint8_t  *get_authenticator(RADIUS_PACKET *radius_packet);

 void debugging_display_of(RADIUS_PACKET *packet);
-char * radius_attribute_to_text(RADIUS_ATTRIBUTE *ra, char *buffer, size_t buf_len);
+char * radius_attribute_to_text(RADIUS_ATTRIBUTE *ra,
+                                char *buffer,
+                                size_t buf_len);

 void radius_packet_initialize( RADIUS_PACKET *radius_packet );
-void build_response_preamble(RADIUS_PACKET *response, uint8_t packet_idt);
-
+void build_packet_preamble(     RADIUS_PACKET *response,
+                                PACKET_CODES packet_code,
+                                uint8_t packet_idt);
+void build_packet_postamble(  RADIUS_PACKET *response,
+                                RADIUS_PACKET *request,
+                                const char *state_string,
+                                const char *shared_secret);
 int radiusov_get_packet_from_request(   RADIUS_PACKET *radius_packet,
                                        uint8_t *incoming_request,
                                        ssize_t recv_len);
-RADIUS_ATTRIBUTE *fetch_attribute_from_packet(RADIUS_PACKET *radius_packet, uint8_t Type);
-void add_attribute_to_radius_packet( RADIUS_PACKET *radius_packet, uint8_t Type, uint8_t DataLength, uint8_t *Data);
+RADIUS_ATTRIBUTE *fetch_attribute_from_packet(  RADIUS_PACKET
+        *radius_packet,
+        uint8_t Type);
+void add_attribute_to_radius_packet(RADIUS_PACKET *radius_packet,
+                                    uint8_t Type,
+                                    uint8_t DataLength,
+                                    uint8_t *Data);
 void AdjustServerPacketForSending(  RADIUS_PACKET *response,
                                    RADIUS_PACKET *request,
                                    const char *shared_secret);