From 3ae2a32a1aaaf70bbc57e653c10d4dd5a75f04a2 Mon Sep 17 00:00:00 2001
From: yasuoka
Date: Wed, 17 Jul 2024 20:50:28 +0000
Subject: [PATCH] Add Message-Authenticator attriubte when sending Access-Request.
ok millert
---
 libexec/login_radius/Makefile | 6 +++---
 libexec/login_radius/raddauth.c | 21 +++++++++++++++++++--
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/libexec/login_radius/Makefile b/libexec/login_radius/Makefile
index fb9f330ec3a..4d350b2343c 100644
--- a/libexec/login_radius/Makefile
+++ b/libexec/login_radius/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.2 2002/11/21 22:26:32 millert Exp $
+# $OpenBSD: Makefile,v 1.3 2024/07/17 20:50:28 yasuoka Exp $
 PROG= login_radius
 SRCS= login_radius.c raddauth.c
 MAN= login_radius.8
-DPADD= ${LIBUTIL}
-LDADD= -lutil
+DPADD= ${LIBUTIL} ${LIBCRYPTO}
+LDADD= -lutil -lcrypto
 CFLAGS+=-Wall
 BINOWN= root
diff --git a/libexec/login_radius/raddauth.c b/libexec/login_radius/raddauth.c
index 3d3a679618b..7f55886251e 100644
--- a/libexec/login_radius/raddauth.c
+++ b/libexec/login_radius/raddauth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raddauth.c,v 1.31 2023/03/02 16:13:57 millert Exp $ */
+/* $OpenBSD: raddauth.c,v 1.32 2024/07/17 20:50:28 yasuoka Exp $ */
 /*-
 * Copyright (c) 1996, 1997 Berkeley Software Design, Inc. All rights reserved.
@@ -86,6 +86,7 @@
 #include
 #include
 #include
+#include
 #include "login_radius.h"
@@ -95,6 +96,7 @@
 #define AUTH_VECTOR_LEN 16
 #define AUTH_HDR_LEN 20
 #define AUTH_PASS_LEN (256 - 16)
+#define AUTH_MSGAUTH_LEN 16
 #define PW_AUTHENTICATION_REQUEST 1
 #define PW_AUTHENTICATION_ACK 2
 #define PW_AUTHENTICATION_REJECT 3
@@ -105,6 +107,7 @@
 #define PW_CLIENT_PORT_ID 5
 #define PW_PORT_MESSAGE 18
 #define PW_STATE 24
+#define PW_MSG_AUTH 80
 #ifndef RADIUS_DIR
 #define RADIUS_DIR "/etc/raddb"
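Review bot: `AUTH_MSGAUTH_LEN` is introduced in the `@@ -95,6 +96,7 @@` hunk but never used: the attribute-building code in raddauth.c's `@@ -359,6 +362,15 @@` hunk writes the literal `16` in `length = 16;` and `memset(ma, 0, 16);`, so the define is dead and the two sites can drift apart. Use the macro at both places, `length = AUTH_MSGAUTH_LEN;` and `memset(ma, 0, AUTH_MSGAUTH_LEN);`. A short comment on the define would also tell the reader why the value is fixed: `/* Message-Authenticator (RFC 2869, attribute 80) is an HMAC-MD5 digest: 16 octets */`.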
@@ -347,7 +350,7 @@ rad_request(u_char id, char *name, char *password, int port, char *vector,
 int i, len, secretlen, total_length, p;
 struct sockaddr_in sin;
 u_char md5buf[MAXSECRETLEN+AUTH_VECTOR_LEN], digest[AUTH_VECTOR_LEN],
- pass_buf[AUTH_PASS_LEN], *pw, *ptr;
+ pass_buf[AUTH_PASS_LEN], *pw, *ptr, *ma;
 u_int length;
 in_addr_t ipaddr;
 MD5_CTX context;
@@ -359,6 +362,15 @@ rad_request(u_char id, char *name, char *password, int port, char *vector,
 total_length = AUTH_HDR_LEN;
 ptr = auth.data;
+ /* Preserve space for msgauth */
+ *ptr++ = PW_MSG_AUTH;
+ length = 16;
+ *ptr++ = length + 2;
+ ma = ptr;
+ memset(ma, 0, 16);
+ ptr += length;
+ total_length += length + 2;
+
 /* User name */
 *ptr++ = PW_USER_NAME;
 length = strlen(name);
@@ -431,6 +443,11 @@ rad_request(u_char id, char *name, char *password, int port, char *vector,
 auth.length = htons(total_length);
+ /* Calc msgauth */
+ if (HMAC(EVP_md5(), auth_secret, secretlen, (unsigned char *)&auth,
+ total_length, ma, NULL) == NULL)
+ errx(1, "HMAC() failed");
+
 memset(&sin, 0, sizeof (sin));
 sin.sin_family = AF_INET;
 sin.sin_addr.s_addr = auth_server;
--
2.20.1
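Review bot: The new attribute adds 18 bytes at the front of `auth.data` before User-Name, User-Password and the remaining attributes are appended; `auth` is declared outside this hunk, so whether its data area still has headroom for the longest request the rest of rad_request() can build (an AUTH_PASS_LEN password plus name, state and port attributes) cannot be confirmed here and should be checked, particularly if the later `*ptr++` writes are not bounds-checked. Placing Message-Authenticator as the first attribute is fine — the HMAC covers the whole packet with this field zeroed, which `memset(ma, 0, 16)` provides — and appears to match recent guidance that it should lead an Access-Request. The comment would read better as `/* Reserve space for Message-Authenticator; filled in after the packet is built */`, since the value is only computed in the later `@@ -431,6 +443,11 @@` hunk. rad_request() starts and ends outside this hunk.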
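Review bot: The HMAC is computed over the finished request (`total_length` bytes from `&auth`, with the attribute zeroed earlier), which is the right input for an RFC 2869 Message-Authenticator, but nothing in this commit checks the Message-Authenticator of the Access-Accept/Access-Reject that comes back; the reply handling is outside these hunks, so if it still relies only on the MD5 Response Authenticator, the request-side HMAC does not by itself authenticate the reply. Consider verifying attribute 80 in the reply when present (HMAC-MD5 with the shared secret over the reply, using the request's authenticator and a zeroed attribute) and treating a mismatch as a failure. `secretlen` is an `int` passed as the key length; assuming the secret-loading code outside the hunk keeps it non-negative, the call is fine. A fuller comment would help here: `/* Message-Authenticator: HMAC-MD5 over the whole packet with the attribute zeroed (RFC 2869) */`.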