-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VerifyReply broken when multiple instances of same attribute are not adjacent on reply #140
Comments
Hi, thanks for the detailed bug report! You're right this is indeed a problem.
I think the API itself is not good. I'll fix the function, but the function should have only taken a rawreply in the first place and return a Packet object on success, some Exception on failure. Just taking the raw reply would be also some kind of solution, but then you'd loose the relation between the created Packet object and the raw_reply. It is not too bad, but still an (unnecessary) point of failure. |
…e instances of an attribute do not appear sequentially in the attributes list
In
packet.py
, theVerifyReply
function incorrectly calculates the expected authenticator when multiple values for a single attribute type are present on the reply and those attributes are not "next to" each other. For example, if a reply has twoClass
attributes (which is valid per the RADIUS RFC) with aFramed-Protocol
attribute between them,VerifyReply
will returnFalse
even though the reply is valid.This bug was introduced by the change here to add support for the message authenticator: fbbfb74
Specifically, the change to use
reply._PktEncodeAttributes()
instead ofrawreply[20:]
is the cause of the bug._PktEncodeAttributes()
changes the order of the attributes, causing the verification of the reply to fail despite the reply being valid. The solution is to revert back to usingrawreply[20:]
.Here is a script that demonstrates this. It builds out a reply packet with two
Class
attributes that have aFramed-Protocol
attribute between them (this is done "by hand" since pyrad will keep theClass
attributes together).Against pyrad 2.2, the output of this script is the following (note that the call to
_PktEncodeAttributes
changed moved theclasstwo
attribute value to be adjacent to theclassone
attribute value):If in my script I change the ordering of
attribute_value_pairs
to not have theFramed-Protocol
attribute between them, then the existing pyrad 2.2. code works.Applications can and do send multiple instances of an attribute with attributes between them (e.g. Microsoft's Network Policy Server does this when acting as a RADIUS server), though, so that case needs to work.
If I revert
VerifyReply
to userawreply[20:]
instead, then the script outputs that the reply is valid, as expected.Additionally,
VerifyReply
has the following if-block:This is also problematic because
ReplyPacket()
makes use of_PktEncodeAttributes
. Therefore if someone callsVerifyReply
with arawreply=None
(the default), they will still encounter this bug, even after no longer calling_PktEncodeAttributes
directly fromVerifyReply
. I'm not sure if this is the best solution, but it seems to me thatVerifyReply
needs to be modified to only take in therawreply
.The text was updated successfully, but these errors were encountered: