libkrad: add krad_packet_decode_response_unsafe()

jrisc · Sep 9, 2024 · 41a5966 · 41a5966
1 parent 5fb1c76
commit 41a5966
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 6 deletions.
diff --git a/src/include/krad.h b/src/include/krad.h
@@ -211,6 +211,20 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
                             void *data, const krad_packet **reqpkt,
                             krad_packet **rsppkt);
 
+/*
+ * Decode a response radius packet from krb5_data.
+ *
+ * Identical to krad_packet_decode_response(), but does not require
+ * Message-Authenticator attribute to be present in Access-Request,
+ * Access-Accept, Access-Reject, Access-Challenge, and Protocol-Error.
+ */
+krb5_error_code
+krad_packet_decode_response_unsafe(krb5_context ctx, const char *secret,
+                                   const krb5_data *buffer,
+                                   krad_packet_iter_cb cb,
+                                   void *data, const krad_packet **reqpkt,
+                                   krad_packet **rsppkt);
+
 /* Encode packet. */
 const krb5_data *
 krad_packet_encode(const krad_packet *pkt);

diff --git a/src/lib/krad/libkrad.exports b/src/lib/krad/libkrad.exports
@@ -15,6 +15,7 @@ krad_packet_new_request
 krad_packet_new_response
 krad_packet_decode_request
 krad_packet_decode_response
+krad_packet_decode_response_unsafe
 krad_packet_encode
 krad_packet_get_code
 krad_packet_get_attr

diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
@@ -686,11 +686,10 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
     return retval;
 }
 
-krb5_error_code
-krad_packet_decode_response(krb5_context ctx, const char *secret,
-                            const krb5_data *buffer, krad_packet_iter_cb cb,
-                            void *data, const krad_packet **reqpkt,
-                            krad_packet **rsppkt)
+static krb5_error_code
+decode_response(krb5_context ctx, const char *secret, const krb5_data *buffer,
+                krad_packet_iter_cb cb, void *data, const krad_packet **reqpkt,
+                krad_packet **rsppkt, krb5_boolean msgauth_enforced)
 {
     uchar auth[AUTH_FIELD_SIZE];
     const krad_packet *req = NULL;
@@ -721,7 +720,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
                 retval = verify_msgauth(secret, req, rsp);
                 if (retval != 0)
                     goto cleanup;
-            } else if (requires_msgauth(secret, pkt_code_get(rsp))) {
+            } else if (msgauth_enforced
+                       && requires_msgauth(secret, pkt_code_get(rsp))) {
                 retval = ENODATA;
                 goto cleanup;
             }
@@ -742,6 +742,26 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
     return retval;
 }
 
+krb5_error_code
+krad_packet_decode_response(krb5_context ctx, const char *secret,
+                            const krb5_data *buffer, krad_packet_iter_cb cb,
+                            void *data, const krad_packet **reqpkt,
+                            krad_packet **rsppkt)
+{
+    return decode_response(ctx, secret, buffer, cb, data, reqpkt, rsppkt, TRUE);
+}
+
+krb5_error_code
+krad_packet_decode_response_unsafe(krb5_context ctx, const char *secret,
+                                   const krb5_data *buffer,
+                                   krad_packet_iter_cb cb,
+                                   void *data, const krad_packet **reqpkt,
+                                   krad_packet **rsppkt)
+{
+    return decode_response(ctx, secret, buffer, cb, data, reqpkt, rsppkt,
+                           FALSE);
+}
+
 const krb5_data *
 krad_packet_encode(const krad_packet *pkt)
 {