src - OpenBSD base system

diff options


context:
space:
mode:

author	Theo Buehler <tb@cvs.openbsd.org>	2021-12-16 17:32:52 +0000
committer	Theo Buehler <tb@cvs.openbsd.org>	2021-12-16 17:32:52 +0000
commit	8688a2857923fc0d7a5e715e93fabc21ea56d6c5 (patch)
tree	4058a68a32383a4d0d935d580dd912b4c9026d95 /lib
parent	eaaf46234a578539f9d1103aeff33b3cbf684ae6 (diff)

libradius: convert to HMAC_CTX on the heap

This is another fairly mechanical conversion to prepare the switch to opaque HMAC_CTX. It adds missing error checking for the HMAC API and uses HMAC_Init_ex() instead of the deprecated HMAC_Init(). ok jsing

Diffstat (limited to 'lib')

-rw-r--r--

lib/libradius/radius_msgauth.c

1 files changed, 38 insertions, 17 deletions

diff --git a/lib/libradius/radius_msgauth.c b/lib/libradius/radius_msgauth.c
index 68123f9e1a2..c17a8eed870 100644
--- a/lib/libradius/radius_msgauth.c
+++ b/lib/libradius/radius_msgauth.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: radius_msgauth.c,v 1.1 2015/07/20 23:52:29 yasuoka Exp $ */

+/* $OpenBSD: radius_msgauth.c,v 1.2 2021/12/16 17:32:51 tb Exp $ */

/*-

@@ -41,30 +41,38 @@

#include "radius_local.h"

-static void

+static int

radius_calc_message_authenticator(RADIUS_PACKET * packet, const char *secret,

void *ma)

{

const RADIUS_ATTRIBUTE *attr;

const RADIUS_ATTRIBUTE *end;

u_char zero16[16];

- HMAC_CTX ctx;

+ HMAC_CTX *ctx;

int mdlen;

+ int ret = -1;

memset(zero16, 0, sizeof(zero16));

- HMAC_Init(&ctx, secret, strlen(secret), EVP_md5());

+ if ((ctx = HMAC_CTX_new()) == NULL)

+ goto err;

+ if (!HMAC_Init_ex(ctx, secret, strlen(secret), EVP_md5(), NULL))

+ goto err;

* Traverse the radius packet.

if (packet->request != NULL) {

- HMAC_Update(&ctx, (const u_char *)packet->pdata, 4);

- HMAC_Update(&ctx, (unsigned char *)packet->request->pdata

- ->authenticator, 16);

+ if (!HMAC_Update(ctx, (const u_char *)packet->pdata, 4))

+ goto err;

+ if (!HMAC_Update(ctx, (unsigned char *)packet->request->pdata

+ ->authenticator, 16))

+ goto err;

} else {

- HMAC_Update(&ctx, (const u_char *)packet->pdata,

- sizeof(RADIUS_PACKET_DATA));

+ if (!HMAC_Update(ctx, (const u_char *)packet->pdata,

+ sizeof(RADIUS_PACKET_DATA)))

+ goto err;

}

attr = ATTRS_BEGIN(packet->pdata);

@@ -72,15 +80,26 @@ radius_calc_message_authenticator(RADIUS_PACKET * packet, const char *secret,

for (; attr < end; ATTRS_ADVANCE(attr)) {

if (attr->type == RADIUS_TYPE_MESSAGE_AUTHENTICATOR) {

- HMAC_Update(&ctx, (u_char *)attr, 2);

- HMAC_Update(&ctx, (u_char *)zero16, sizeof(zero16));

- } else

- HMAC_Update(&ctx, (u_char *)attr, (int) attr->length);

+ if (!HMAC_Update(ctx, (u_char *)attr, 2))

+ goto err;

+ if (!HMAC_Update(ctx, (u_char *)zero16, sizeof(zero16)))

+ goto err;

+ } else {

+ if (!HMAC_Update(ctx, (u_char *)attr,

+ (int)attr->length))

+ goto err;

+ }

}

- HMAC_Final(&ctx, (u_char *)ma, &mdlen);

+ if (!HMAC_Final(ctx, (u_char *)ma, &mdlen))

+ goto err;

+ ret = 0;

+ err:

+ HMAC_CTX_free(ctx);

- HMAC_cleanup(&ctx);

+ return (ret);

}

int

@@ -105,7 +124,8 @@ radius_set_message_authenticator(RADIUS_PACKET * packet, const char *secret)

{

u_char ma[16];

- radius_calc_message_authenticator(packet, secret, ma);

+ if (radius_calc_message_authenticator(packet, secret, ma) != 0)

+ return (-1);

return (radius_set_raw_attr(packet, RADIUS_TYPE_MESSAGE_AUTHENTICATOR,

ma, sizeof(ma)));

@@ -118,7 +138,8 @@ radius_check_message_authenticator(RADIUS_PACKET * packet, const char *secret)

size_t len;

u_char ma0[16], ma1[16];

- radius_calc_message_authenticator(packet, secret, ma0);

+ if (radius_calc_message_authenticator(packet, secret, ma0) != 0)

+ return (-1);

len = sizeof(ma1);

if ((rval = radius_get_raw_attr(packet,