krb5 commit: Add numeric constants to krad.h and use them
ghudson at mit.edu
ghudson at mit.edu
Sat Oct 26 19:51:19 EDT 2024
https://github.com/krb5/krb5/commit/ff4d99b1e4f7b652fc98330c21d1c92e01f14736
commit ff4d99b1e4f7b652fc98330c21d1c92e01f14736
Author: Greg Hudson <ghudson at mit.edu>
Date: Wed Oct 16 20:26:57 2024 -0400
Add numeric constants to krad.h and use them
ticket: 9147 (new)
src/include/krad.h | 12 ++++++++++++
src/lib/krad/attrset.c | 4 ++--
src/lib/krad/packet.c | 31 ++++++++++++-------------------
src/lib/krad/t_attr.c | 10 ++++------
src/lib/krad/t_attrset.c | 10 +++++-----
src/lib/krad/t_client.c | 32 ++++++++++++++------------------
src/lib/krad/t_packet.c | 14 ++++++--------
src/lib/krad/t_remote.c | 16 +++++++---------
src/plugins/preauth/otp/otp_state.c | 23 +++++++++--------------
9 files changed, 71 insertions(+), 81 deletions(-)
diff --git a/src/include/krad.h b/src/include/krad.h
index e4edb524c..c347df5aa 100644
--- a/src/include/krad.h
+++ b/src/include/krad.h
@@ -57,6 +57,18 @@
#define KRAD_SERVICE_TYPE_CALL_CHECK 10
#define KRAD_SERVICE_TYPE_CALLBACK_ADMINISTRATIVE 11
+#define KRAD_ATTR_USER_NAME 1
+#define KRAD_ATTR_USER_PASSWORD 2
+#define KRAD_ATTR_SERVICE_TYPE 6
+#define KRAD_ATTR_NAS_IDENTIFIER 32
+#define KRAD_ATTR_PROXY_STATE 33
+#define KRAD_ATTR_MESSAGE_AUTHENTICATOR 80
+
+#define KRAD_CODE_ACCESS_REQUEST 1
+#define KRAD_CODE_ACCESS_ACCEPT 2
+#define KRAD_CODE_ACCESS_REJECT 3
+#define KRAD_CODE_ACCESS_CHALLENGE 11
+
typedef struct krad_attrset_st krad_attrset;
typedef struct krad_packet_st krad_packet;
typedef struct krad_client_st krad_client;
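Review bot: The new KRAD_ATTR_* and KRAD_CODE_* defines carry no comment saying where their values come from, so a reader cannot check them without consulting the attribute and code name tables behind krad_attr_name2num()/krad_code_name2num(), which this diff does not show and which must now agree with these numbers. A one-line comment over the group would do: `/* Attribute types from RFC 2865 section 5 (Message-Authenticator from RFC 2869 section 5.14); packet codes from RFC 2865 section 4.1. */`. The values match those RFCs as far as I can check them. KRAD_ATTR_PROXY_STATE is defined but not used by any hunk in this commit, which is fine if it is intended for other callers.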
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
index 488bfce7b..d52622ff9 100644
--- a/src/lib/krad/attrset.c
+++ b/src/lib/krad/attrset.c
@@ -196,7 +196,6 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen)
{
krb5_error_code retval;
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
const uint8_t zeroes[MD5_DIGEST_SIZE] = { 0 };
krb5_data zerodata;
size_t i = 0;
@@ -211,7 +210,8 @@ kr_attrset_encode(const krad_attrset *set, const char *secret,
/* Encode Message-Authenticator as the first attribute, per
* draft-ietf-radext-deprecating-radius-03 section 5.2. */
zerodata = make_data((uint8_t *)zeroes, MD5_DIGEST_SIZE);
- retval = append_attr(set->ctx, secret, auth, msgauth_type, &zerodata,
+ retval = append_attr(set->ctx, secret, auth,
+ KRAD_ATTR_MESSAGE_AUTHENTICATOR, &zerodata,
outbuf, &i);
if (retval)
return retval;
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index 7e599ab39..d0a43431b 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -237,19 +237,17 @@ requires_msgauth(const char *secret, krad_code code)
* Message-Authenticator is required in Access-Request packets and all
* potential responses when UDP or TCP transport is used.
*/
- return code == krad_code_name2num("Access-Request") ||
- code == krad_code_name2num("Access-Reject") ||
- code == krad_code_name2num("Access-Accept") ||
- code == krad_code_name2num("Access-Challenge");
+ return code == KRAD_CODE_ACCESS_REQUEST ||
+ code == KRAD_CODE_ACCESS_ACCEPT || code == KRAD_CODE_ACCESS_REJECT ||
+ code == KRAD_CODE_ACCESS_CHALLENGE;
}
/* Check if the packet has a Message-Authenticator attribute. */
static inline krb5_boolean
has_pkt_msgauth(const krad_packet *pkt)
{
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
-
- return krad_attrset_get(pkt->attrset, msgauth_type, 0) != NULL;
+ return krad_attrset_get(pkt->attrset, KRAD_ATTR_MESSAGE_AUTHENTICATOR,
+ 0) != NULL;
}
/* Return the beginning of the Message-Authenticator attribute in pkt, or NULL
@@ -257,14 +255,13 @@ has_pkt_msgauth(const krad_packet *pkt)
static const uint8_t *
lookup_msgauth_addr(const krad_packet *pkt)
{
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
size_t i;
uint8_t *p;
i = OFFSET_ATTR;
while (i + 2 < pkt->pkt.length) {
p = (uint8_t *)offset(&pkt->pkt, i);
- if (msgauth_type == *p)
+ if (*p == KRAD_ATTR_MESSAGE_AUTHENTICATOR)
return p;
i += p[1];
}
@@ -282,11 +279,12 @@ calculate_mac(const char *secret, const krad_packet *pkt,
const uint8_t auth[AUTH_FIELD_SIZE],
uint8_t mac_out[MD5_DIGEST_SIZE])
{
- uint8_t zeroed_msgauth[MSGAUTH_SIZE];
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
const uint8_t *msgauth_attr, *msgauth_end, *pkt_end;
krb5_crypto_iov input[5];
krb5_data ksecr, mac;
+ static const uint8_t zeroed_msgauth[MSGAUTH_SIZE] = {
+ KRAD_ATTR_MESSAGE_AUTHENTICATOR, MSGAUTH_SIZE
+ };
msgauth_attr = lookup_msgauth_addr(pkt);
if (msgauth_attr == NULL)
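Review bot: The new static const zeroed_msgauth initializer in calculate_mac relies on two facts the code no longer states: that MSGAUTH_SIZE is exactly 2 + MD5_DIGEST_SIZE (the removed memset made that visible), and that the trailing elements are zero only because C zero-fills the rest of a partially initialized aggregate. The cast in the following hunk, `make_data((uint8_t *)zeroed_msgauth, MSGAUTH_SIZE)`, discards const on an object defined const, which is safe only because input[3] is a KRB5_CRYPTO_TYPE_DATA iov that the checksum computation reads without writing — presumably true, but worth stating. I would add above the initializer: `/* Type and length octets followed by MD5_DIGEST_SIZE implicitly zero-filled data octets; only ever read through the iov below. */`, and, if the build allows C11, a `_Static_assert(MSGAUTH_SIZE == 2 + MD5_DIGEST_SIZE, "msgauth size");`. calculate_mac's body continues past both hunks.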
@@ -308,11 +306,8 @@ calculate_mac(const char *secret, const krad_packet *pkt,
/* Read Message-Authenticator with the data bytes all set to zero, per RFC
* 2869 section 5.14. */
- zeroed_msgauth[0] = msgauth_type;
- zeroed_msgauth[1] = MSGAUTH_SIZE;
- memset(zeroed_msgauth + 2, 0, MD5_DIGEST_SIZE);
input[3].flags = KRB5_CRYPTO_TYPE_DATA;
- input[3].data = make_data(zeroed_msgauth, MSGAUTH_SIZE);
+ input[3].data = make_data((uint8_t *)zeroed_msgauth, MSGAUTH_SIZE);
/* Read any attributes after Message-Authenticator. */
input[4].flags = KRB5_CRYPTO_TYPE_DATA;
@@ -377,8 +372,7 @@ krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
goto error;
/* Determine if Message-Authenticator is required. */
- msgauth_required = (*secret != '\0' &&
- code == krad_code_name2num("Access-Request"));
+ msgauth_required = (*secret != '\0' && code == KRAD_CODE_ACCESS_REQUEST);
/* Encode the attributes. */
retval = kr_attrset_encode(set, secret, pkt_auth(pkt), msgauth_required,
@@ -479,11 +473,10 @@ verify_msgauth(const char *secret, const krad_packet *pkt,
const uint8_t auth[AUTH_FIELD_SIZE])
{
uint8_t mac[MD5_DIGEST_SIZE];
- krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
const krb5_data *msgauth;
krb5_error_code retval;
- msgauth = krad_packet_get_attr(pkt, msgauth_type, 0);
+ msgauth = krad_packet_get_attr(pkt, KRAD_ATTR_MESSAGE_AUTHENTICATOR, 0);
if (msgauth == NULL)
return ENODATA;
diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c
index 2bce7aa87..f8940862d 100644
--- a/src/lib/krad/t_attr.c
+++ b/src/lib/krad/t_attr.c
@@ -63,16 +63,14 @@ main(void)
/* Test decoding. */
in = make_data((void *)encoded, sizeof(encoded));
- noerror(kr_attr_decode(ctx, secret, auth,
- krad_attr_name2num("User-Password"),
+ noerror(kr_attr_decode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD,
&in, outbuf, &len));
insist(len == strlen(decoded));
insist(memcmp(outbuf, decoded, len) == 0);
/* Test encoding. */
in = string2data((char *)decoded);
- retval = kr_attr_encode(ctx, secret, auth,
- krad_attr_name2num("User-Password"),
+ retval = kr_attr_encode(ctx, secret, auth, KRAD_ATTR_USER_PASSWORD,
&in, outbuf, &len);
insist(retval == 0);
insist(len == sizeof(encoded));
@@ -80,9 +78,9 @@ main(void)
/* Test constraint. */
in.length = 100;
- insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) == 0);
+ insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) == 0);
in.length = 200;
- insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) != 0);
+ insist(kr_attr_valid(KRAD_ATTR_USER_PASSWORD, &in) != 0);
krb5_free_context(ctx);
return 0;
diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
index a520fe10e..17a281f15 100644
--- a/src/lib/krad/t_attrset.c
+++ b/src/lib/krad/t_attrset.c
@@ -55,24 +55,24 @@ main(void)
/* Add username. */
tmp = string2data((char *)username);
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp));
/* Add password. */
tmp = string2data((char *)password);
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp));
/* Encode attrset. */
noerror(kr_attrset_encode(set, "foo", auth, FALSE, buffer, &encode_len));
krad_attrset_free(set);
/* Manually encode User-Name. */
- encoded[len + 0] = krad_attr_name2num("User-Name");
+ encoded[len + 0] = KRAD_ATTR_USER_NAME;
encoded[len + 1] = strlen(username) + 2;
memcpy(encoded + len + 2, username, strlen(username));
len += encoded[len + 1];
/* Manually encode User-Password. */
- encoded[len + 0] = krad_attr_name2num("User-Password");
+ encoded[len + 0] = KRAD_ATTR_USER_PASSWORD;
encoded[len + 1] = sizeof(encpass) + 2;
memcpy(encoded + len + 2, encpass, sizeof(encpass));
len += encoded[len + 1];
@@ -87,7 +87,7 @@ main(void)
/* Test getting an attribute. */
tmp = string2data((char *)username);
- tmpp = krad_attrset_get(set, krad_attr_name2num("User-Name"), 0);
+ tmpp = krad_attrset_get(set, KRAD_ATTR_USER_NAME, 0);
insist(tmpp != NULL);
insist(tmpp->length == tmp.length);
insist(strncmp(tmpp->data, tmp.data, tmp.length) == 0);
diff --git a/src/lib/krad/t_client.c b/src/lib/krad/t_client.c
index 3d0fda93e..9ba5b9efb 100644
--- a/src/lib/krad/t_client.c
+++ b/src/lib/krad/t_client.c
@@ -74,45 +74,41 @@ main(int argc, const char **argv)
tmp = string2data("testUser");
noerror(krad_attrset_new(kctx, &attrs));
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_NAME, &tmp));
/* Test accept. */
tmp = string2data("accept");
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
- &tmp));
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
verto_run(vctx);
/* Test reject. */
tmp = string2data("reject");
- krad_attrset_del(attrs, krad_attr_name2num("User-Password"), 0);
- noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
- &tmp));
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ krad_attrset_del(attrs, KRAD_ATTR_USER_PASSWORD, 0);
+ noerror(krad_attrset_add(attrs, KRAD_ATTR_USER_PASSWORD, &tmp));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
verto_run(vctx);
/* Test timeout. */
daemon_stop();
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
verto_run(vctx);
/* Test outstanding packet freeing. */
- noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
- "localhost", "foo", 1000, 3, callback, NULL));
+ noerror(krad_client_send(rc, KRAD_CODE_ACCESS_REQUEST, attrs, "localhost",
+ "foo", 1000, 3, callback, NULL));
krad_client_free(rc);
rc = NULL;
/* Verify the results. */
insist(record.count == EVENT_COUNT);
insist(record.events[0].error == FALSE);
- insist(record.events[0].result.code ==
- krad_code_name2num("Access-Accept"));
+ insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT);
insist(record.events[1].error == FALSE);
- insist(record.events[1].result.code ==
- krad_code_name2num("Access-Reject"));
+ insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT);
insist(record.events[2].error == TRUE);
insist(record.events[2].result.retval == ETIMEDOUT);
insist(record.events[3].error == TRUE);
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
index 104b6507a..3bdabb5cb 100644
--- a/src/lib/krad/t_packet.c
+++ b/src/lib/krad/t_packet.c
@@ -70,27 +70,25 @@ make_packet(krb5_context ctx, const krb5_data *username,
if (retval != 0)
goto out;
- retval = krad_attrset_add(set, krad_attr_name2num("User-Name"), username);
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_NAME, username);
if (retval != 0)
goto out;
- retval = krad_attrset_add(set, krad_attr_name2num("User-Password"),
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD,
password);
if (retval != 0)
goto out;
- retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
- &nas_id);
+ retval = krad_attrset_add(set, KRAD_ATTR_NAS_IDENTIFIER, &nas_id);
if (retval != 0)
goto out;
- retval = krad_packet_new_request(ctx, "foo",
- krad_code_name2num("Access-Request"),
+ retval = krad_packet_new_request(ctx, "foo", KRAD_CODE_ACCESS_REQUEST,
set, iterator, &i, &tmp);
if (retval != 0)
goto out;
- data = krad_packet_get_attr(tmp, krad_attr_name2num("User-Name"), 0);
+ data = krad_packet_get_attr(tmp, KRAD_ATTR_USER_NAME, 0);
if (data == NULL) {
retval = ENOENT;
goto out;
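Review bot: In make_packet the User-Password call at `retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD,` still wraps `password);` onto its own line even though the joined statement fits within 79 columns, while the neighbouring User-Name and NAS-Identifier calls were collapsed to one line. For consistency I would write it as `retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, password);`. make_packet starts before this hunk and continues after it.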
@@ -156,7 +154,7 @@ do_auth(krb5_context ctx, struct addrinfo *ai, const char *secret,
goto out;
}
- *auth = krad_packet_get_code(rsp) == krad_code_name2num("Access-Accept");
+ *auth = krad_packet_get_code(rsp) == KRAD_CODE_ACCESS_ACCEPT;
out:
krad_packet_free(rsp);
diff --git a/src/lib/krad/t_remote.c b/src/lib/krad/t_remote.c
index a521ecb7c..d2877ad60 100644
--- a/src/lib/krad/t_remote.c
+++ b/src/lib/krad/t_remote.c
@@ -78,13 +78,13 @@ do_auth(const char *password, const krad_packet **pkt)
krb5_error_code retval;
krb5_data tmp = string2data((char *)password);
- retval = krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp);
+ retval = krad_attrset_add(set, KRAD_ATTR_USER_PASSWORD, &tmp);
if (retval != 0)
return retval;
- retval = kr_remote_send(rr, krad_code_name2num("Access-Request"), set,
- callback, NULL, 1000, 3, &tmppkt);
- krad_attrset_del(set, krad_attr_name2num("User-Password"), 0);
+ retval = kr_remote_send(rr, KRAD_CODE_ACCESS_REQUEST, set, callback, NULL,
+ 1000, 3, &tmppkt);
+ krad_attrset_del(set, KRAD_ATTR_USER_PASSWORD, 0);
if (retval != 0)
return retval;
@@ -122,7 +122,7 @@ main(int argc, const char **argv)
/* Create attribute set. */
noerror(krad_attrset_new(kctx, &set));
tmp = string2data("testUser");
- noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
+ noerror(krad_attrset_add(set, KRAD_ATTR_USER_NAME, &tmp));
/* Send accept packet. */
noerror(do_auth("accept", NULL));
@@ -150,11 +150,9 @@ main(int argc, const char **argv)
/* Verify the results. */
insist(record.count == EVENT_COUNT);
insist(record.events[0].error == FALSE);
- insist(record.events[0].result.code ==
- krad_code_name2num("Access-Accept"));
+ insist(record.events[0].result.code == KRAD_CODE_ACCESS_ACCEPT);
insist(record.events[1].error == FALSE);
- insist(record.events[1].result.code ==
- krad_code_name2num("Access-Reject"));
+ insist(record.events[1].result.code == KRAD_CODE_ACCESS_REJECT);
insist(record.events[2].error == TRUE);
insist(record.events[2].result.retval == ECANCELED);
insist(record.events[3].error == TRUE);
diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
index 20cd18abf..d259fe732 100644
--- a/src/plugins/preauth/otp/otp_state.c
+++ b/src/plugins/preauth/otp/otp_state.c
@@ -591,13 +591,11 @@ otp_state_new(krb5_context ctx, otp_state **out)
goto error;
hndata = make_data(hostname, strlen(hostname));
- retval = krad_attrset_add(self->attrs,
- krad_attr_name2num("NAS-Identifier"), &hndata);
+ retval = krad_attrset_add(self->attrs, KRAD_ATTR_NAS_IDENTIFIER, &hndata);
if (retval != 0)
goto error;
- retval = krad_attrset_add_number(self->attrs,
- krad_attr_name2num("Service-Type"),
+ retval = krad_attrset_add_number(self->attrs, KRAD_ATTR_SERVICE_TYPE,
KRAD_SERVICE_TYPE_AUTHENTICATE_ONLY);
if (retval != 0)
goto error;
@@ -637,8 +635,7 @@ callback(krb5_error_code retval, const krad_packet *rqst,
goto error;
/* If we received an accept packet, success! */
- if (krad_packet_get_code(resp) ==
- krad_code_name2num("Access-Accept")) {
+ if (krad_packet_get_code(resp) == KRAD_CODE_ACCESS_ACCEPT) {
indicators = tok->indicators;
if (indicators == NULL)
indicators = tok->type->indicators;
@@ -667,16 +664,14 @@ request_send(request *req)
token *tok = &req->tokens[req->index];
const token_type *t = tok->type;
- retval = krad_attrset_add(req->attrs, krad_attr_name2num("User-Name"),
- &tok->username);
+ retval = krad_attrset_add(req->attrs, KRAD_ATTR_USER_NAME, &tok->username);
if (retval != 0)
goto error;
- retval = krad_client_send(req->state->radius,
- krad_code_name2num("Access-Request"), req->attrs,
- t->server, t->secret, t->timeout, t->retries,
- callback, req);
- krad_attrset_del(req->attrs, krad_attr_name2num("User-Name"), 0);
+ retval = krad_client_send(req->state->radius, KRAD_CODE_ACCESS_REQUEST,
+ req->attrs, t->server, t->secret, t->timeout,
+ t->retries, callback, req);
+ krad_attrset_del(req->attrs, KRAD_ATTR_USER_NAME, 0);
if (retval != 0)
goto error;
@@ -715,7 +710,7 @@ otp_state_verify(otp_state *state, verto_ctx *ctx, krb5_const_principal princ,
if (retval != 0)
goto error;
- retval = krad_attrset_add(rqst->attrs, krad_attr_name2num("User-Password"),
+ retval = krad_attrset_add(rqst->attrs, KRAD_ATTR_USER_PASSWORD,
&req->otp_value);
if (retval != 0)
goto error;