From 8fc1bddddf4b783aa3684c86159a419d540c1b7c Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 4 Oct 2024 12:38:16 +0200
Subject: [PATCH] Fix Message-Authenticator verification for requests

---
 src/lib/krad/packet.c | 55 +++++++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 23 deletions(-)

diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index 0197027189..e5c9a75ea5 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -569,26 +569,32 @@ static krb5_error_code
 verify_msgauth(const char *secret, const krad_packet *req,
                const krad_packet *rsp)
 {
-    uint8_t signature[MD5_DIGEST_SIZE]; /* XXX rename */
+    uint8_t mac[MD5_DIGEST_SIZE];
     krad_attr msgauth_type = krad_attr_name2num("Message-Authenticator");
     const krb5_data *msgauth;
+    const krad_packet *pkt;
+    uint8_t *auth = NULL;
     krb5_error_code retval;
 
-    msgauth = krad_packet_get_attr(rsp, msgauth_type, 0);
+    if (rsp != NULL) {
+        pkt = rsp;
+        auth = pkt_auth(req);
+    } else {
+        pkt = req;
+    }
+
+    msgauth = krad_packet_get_attr(pkt, msgauth_type, 0);
     if (msgauth == NULL)
         return ENODATA;
 
-    if (rsp != NULL)
-        retval = calculate_msgauth(secret, rsp, pkt_auth(req), signature);
-    else
-        retval = calculate_msgauth(secret, req, NULL, signature);
+    retval = calculate_msgauth(secret, pkt, auth, mac);
     if (retval)
         return retval;
 
     if (msgauth->length != MD5_DIGEST_SIZE)
         return EMSGSIZE;
 
-    if (k5_bcmp(signature, msgauth->data, MD5_DIGEST_SIZE) != 0)
+    if (k5_bcmp(mac, msgauth->data, MD5_DIGEST_SIZE) != 0)
         return EBADMSG;
 
     return 0;
@@ -648,27 +654,30 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
     krb5_error_code retval;
 
     retval = decode_packet(ctx, secret, buffer, reqpkt);
-    if (cb != NULL && retval == 0) {
-        while ((tmp = (*cb)(data, FALSE)) != NULL) {
-            if (pkt_id_get(*reqpkt) != pkt_id_get(tmp))
-                continue;
+    if (retval != 0)
+        return retval;
 
-            /* Verify Message-Authenticator if present. */
-            if (has_pkt_msgauth(tmp))
-                retval = verify_msgauth(secret, tmp, NULL);
-            else if (requires_msgauth(secret, pkt_code_get(tmp)))
-                retval = ENODATA;
+    /* Verify Message-Authenticator if present. */
+    if (has_pkt_msgauth(*reqpkt)) {
+        retval = verify_msgauth(secret, *reqpkt, NULL);
+        if (retval != 0)
+            return retval;
+    } else if (requires_msgauth(secret, pkt_code_get(*reqpkt))) {
+        return ENODATA;
+    }
 
-            break;
+    if (cb != NULL) {
+        while ((tmp = (*cb)(data, FALSE)) != NULL) {
+            if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
+                break;
         }
-    }
 
-    if (cb != NULL && (retval != 0 || tmp != NULL))
-        (*cb)(data, TRUE);
+        if (tmp != NULL)
+            (*cb)(data, TRUE);
+    }
 
-    if (retval == 0)
-        *duppkt = tmp;
-    return retval;
+    *duppkt = tmp;
+    return 0;
 }
 
 krb5_error_code