Put the RADIUS message authenticator in the Access-Request and check

the message authenticators of any received messages from servers only if they include a message authenticator.
2025-01-03 06:45:37 -08:00 · 2024-02-26 08:47:28 +00:00 · 2024-02-26 08:47:28 +00:00 · 006a08d99c
commit 006a08d99c
parent 963e0d127e
5 changed files with 43 additions and 22 deletions
--- a/usr.sbin/npppd/npppd/chap.c
+++ b/usr.sbin/npppd/npppd/chap.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: chap.c,v 1.17 2021/03/29 03:54:39 yasuoka Exp $ */
+/*	$OpenBSD: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */

 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@ -36,7 +36,7 @@
 * </ul></p>
 */
 /* RFC 1994, 2433 */
-/* $Id: chap.c,v 1.17 2021/03/29 03:54:39 yasuoka Exp $ */
+/* $Id: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/time.h>
@ -862,6 +862,11 @@ chap_radius_response(void *context, RADIUS_PACKET *pkt, int flags,
 		reason="bad_authenticator";
 		goto auth_failed;
 	}
+	if ((flags & RADIUS_REQUEST_CHECK_MSG_AUTHENTICATOR_OK) == 0 &&
+	    (flags & RADIUS_REQUEST_CHECK_NO_MSG_AUTHENTICATOR) == 0) {
+		reason="bad_msg_authenticator";
+		goto auth_failed;
+	}
 	/*
 	 * Authentication OK
 	 */
--- a/usr.sbin/npppd/npppd/npppd_radius.c
+++ b/usr.sbin/npppd/npppd/npppd_radius.c
@ -1,4 +1,4 @@
-/* $Id: npppd_radius.c,v 1.8 2015/07/23 09:04:06 yasuoka Exp $ */
+/* $Id: npppd_radius.c,v 1.9 2024/02/26 08:47:28 yasuoka Exp $ */
 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
 * All rights reserved.
@ -301,9 +301,6 @@ radius_acct_request(npppd *pppd, npppd_ppp *ppp, int stop)
 		    ppp->obytes >> 32);
 	}

-	radius_set_accounting_request_authenticator(radpkt,
-	    radius_get_server_secret(radctx));
-
 	/* Send the request */
 	radius_request(radctx, radpkt);

--- a/usr.sbin/npppd/npppd/pap.c
+++ b/usr.sbin/npppd/npppd/pap.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: pap.c,v 1.12 2021/03/29 03:54:39 yasuoka Exp $ */
+/*	$OpenBSD: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */

 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
-/* $Id: pap.c,v 1.12 2021/03/29 03:54:39 yasuoka Exp $ */
+/* $Id: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */
 /**@file
 * This file provides Password Authentication Protocol (PAP) handlers.
 * @author Yasuoka Masahiko
@ -501,6 +501,11 @@ pap_radius_response(void *context, RADIUS_PACKET *pkt, int flags,
 		reason="bad_authenticator";
 		goto auth_failed;
 	}
+	if ((flags & RADIUS_REQUEST_CHECK_MSG_AUTHENTICATOR_OK) == 0 &&
+	    (flags & RADIUS_REQUEST_CHECK_NO_MSG_AUTHENTICATOR) == 0) {
+		reason="bad_authenticator";
+		goto auth_failed;
+	}
 	/* Authentication succeeded */
 	pap_response(_this, 1, DEFAULT_SUCCESS_MESSAGE);
 	ppp_process_radius_framed_ip(_this->ppp, pkt);
--- a/usr.sbin/npppd/npppd/radius_req.c
+++ b/usr.sbin/npppd/npppd/radius_req.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: radius_req.c,v 1.11 2015/12/05 18:43:36 mmcc Exp $ */
+/*	$OpenBSD: radius_req.c,v 1.12 2024/02/26 08:47:28 yasuoka Exp $ */

 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@ -28,7 +28,7 @@
 /**@file
 * This file provides functions for RADIUS request using radius(3) and event(3).
 * @author	Yasuoka Masahiko
- * $Id: radius_req.c,v 1.11 2015/12/05 18:43:36 mmcc Exp $
+ * $Id: radius_req.c,v 1.12 2024/02/26 08:47:28 yasuoka Exp $
 */
 #include <sys/types.h>
 #include <sys/time.h>
@ -68,7 +68,7 @@ struct overlapped {
 	radius_req_setting	*setting;
 };

-static int   radius_request0 (struct overlapped *, int);
+static int   radius_request0(struct overlapped *);
 static int   radius_prepare_socket(struct overlapped *);
 static void  radius_request_io_event (int, short, void *);
 static void  radius_on_response(RADIUS_REQUEST_CTX, RADIUS_PACKET *, int, int);
@ -107,7 +107,7 @@ radius_request(RADIUS_REQUEST_CTX ctx, RADIUS_PACKET *pkt)
 	if (radius_get_uint32_attr(pkt, RADIUS_TYPE_ACCT_DELAY_TIME, &ival)
 	    == 0)
 		lap->acct_delay_time = 1;
-	radius_request0(lap, 0);
+	radius_request0(lap);
 }

 /**
@ -207,7 +207,7 @@ radius_request_failover(RADIUS_REQUEST_CTX ctx)
 	if (radius_prepare_socket(lap) != 0)
 		return -1;

-	if (radius_request0(lap, 1) != 0)
+	if (radius_request0(lap) != 0)
 		return -1;

 	lap->failovers++;
@ -359,7 +359,7 @@ radius_get_server_address(RADIUS_REQUEST_CTX ctx)
 }

 static int
-radius_request0(struct overlapped *lap, int new_message)
+radius_request0(struct overlapped *lap)
 {
 	struct timeval tv0;

@ -378,16 +378,16 @@ radius_request0(struct overlapped *lap, int new_message)
 		else {
 			timespecsub(&curr, &lap->req_time, &delta);
 			if (radius_set_uint32_attr(lap->pkt,
-			    RADIUS_TYPE_ACCT_DELAY_TIME, delta.tv_sec) == 0) {
+			    RADIUS_TYPE_ACCT_DELAY_TIME, delta.tv_sec) == 0)
 				radius_update_id(lap->pkt);
-				new_message = 1;
-			}
 		}
 	}
-	if (new_message) {
+	if (radius_get_code(lap->pkt) == RADIUS_CODE_ACCOUNTING_REQUEST)
 		radius_set_accounting_request_authenticator(lap->pkt,
 		    radius_get_server_secret(lap));
-	}
+	else
+		radius_put_message_authenticator(lap->pkt,
+		    radius_get_server_secret(lap));

 	lap->ntry--;
 	if (radius_send(lap->socket, lap->pkt, 0) != 0) {
@ -440,12 +440,17 @@ radius_request_io_event(int fd, short evmask, void *context)
 			}
 			flags |= RADIUS_REQUEST_ERROR;
 		} else if (lap->secret[0] == '\0') {
-			flags |= RADIUS_REQUEST_CHECK_AUTHENTICATOR_NO_CHECK;
+			flags |= RADIUS_REQUEST_CHECK_AUTHENTICATOR_NO_CHECK
+			    | RADIUS_REQUEST_CHECK_MSG_AUTHENTICATOR_NO_CHECK;
 		} else {
 			radius_set_request_packet(respkt, lap->pkt);
 			if (!radius_check_response_authenticator(respkt,
 			    lap->secret))
 				flags |= RADIUS_REQUEST_CHECK_AUTHENTICATOR_OK;
+			if (!radius_has_attr(respkt, RADIUS_TYPE_MESSAGE_AUTHENTICATOR))
+				flags |= RADIUS_REQUEST_CHECK_NO_MSG_AUTHENTICATOR;
+			else if (radius_check_message_authenticator(respkt, lap->secret) == 0)
+				flags |= RADIUS_REQUEST_CHECK_MSG_AUTHENTICATOR_OK;
 		}
 		radius_on_response(lap, respkt, flags, 0);
 		radius_delete_packet(respkt);
@ -453,7 +458,7 @@ radius_request_io_event(int fd, short evmask, void *context)
 		if (lap->ntry > 0) {
 			RADIUS_REQ_DBG((LOG_DEBUG,
 			    "%s() timed out retry", __func__));
-			radius_request0(lap, 0);
+			radius_request0(lap);
 			return;
 		}
 		RADIUS_REQ_DBG((LOG_DEBUG, "%s() timed out", __func__));
--- a/usr.sbin/npppd/npppd/radius_req.h
+++ b/usr.sbin/npppd/npppd/radius_req.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: radius_req.h,v 1.7 2015/07/23 09:04:06 yasuoka Exp $ */
+/*	$OpenBSD: radius_req.h,v 1.8 2024/02/26 08:47:28 yasuoka Exp $ */

 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@ -51,6 +51,15 @@
 /** authenticator is not checked */
 #define	RADIUS_REQUEST_CHECK_AUTHENTICATOR_NO_CHECK	0x0020

+/** no message authenticator */
+#define	RADIUS_REQUEST_CHECK_NO_MSG_AUTHENTICATOR	0x0040
+
+/** has valid message authenticator */
+#define	RADIUS_REQUEST_CHECK_MSG_AUTHENTICATOR_OK	0x0080
+
+/** message authenticator is not checked*/
+#define	RADIUS_REQUEST_CHECK_MSG_AUTHENTICATOR_NO_CHECK	0x0100
+
 /** type for context to handle RADIUS request / response */
 typedef void * RADIUS_REQUEST_CTX;