Every Incoming packets are sent to handler even if the hash is not valid #17

Open
tofgau opened this issue Nov 30, 2018 · 1 comment
tofgau commented Nov 30, 2018

Hello,
Based on my tests, it seems DecodePacket calls the handler even if the hash is insane.
I think the good behavior would be to silently drop malformed packets (perhaps notify, but NOT call the handler).

The following decode checks the hash correctly before calling the handler.
tofgau

```go
// Imports this function relies on. The package clause and the Packet, AVP,
// PacketCode, AttributeType and ErrMessageAuthenticatorCheckFail definitions
// come from the library itself.
import (
	"crypto"
	"crypto/hmac"
	_ "crypto/md5" // links MD5 in so crypto.Hash(crypto.MD5).New() does not panic
	"errors"
)

func DecodePacket(Secret string, buf []byte) (p *Packet, err error) {
	// fmt.Printf("\n\ndecEntr*%v", buf)
	if len(buf) < 20 {
		return nil, errors.New("invalid length")
	}
	p = &Packet{Secret: Secret}
	p.Code = PacketCode(buf[0])
	p.Identifier = buf[1]
	copy(p.Authenticator[:], buf[4:20])
	//read attributes
	b := buf[20:]
	for len(b) >= 2 {
		length := uint8(b[1])
		// The attribute length counts its own type and length octets, so a
		// value below 2 is malformed; without this check b[2:length] panics.
		if length < 2 || int(length) > len(b) {
			return nil, errors.New("invalid length")
		}
		attr := AVP{}
		attr.Type = AttributeType(b[0])
		attr.Value = append(attr.Value, b[2:length]...)
		p.AVPs = append(p.AVPs, attr)
		b = b[length:]
	}

	//Verify Message-Authenticator, and tested to verify the algorithm is correct here
	//	err = p.checkMessageAuthenticator()
	//Tofgau 201812 : this is not used anymore

	//tofau : Dump Original Buffer
	//fmt.Printf("\n\n****BUF0 %x", buf)
	oldAuth := p.Authenticator
	//fmt.Printf("\n****PKHASH %x", oldAuth)

	//Duplicate the buffer and white the hash part
	tmp := make([]byte, len(buf))
	copy(tmp, buf)
	var white [16]byte
	copy(tmp[4:20], white[:])

	//tofau : Calculate a hash on this new buffer concatenated with the secret
	hasher := crypto.Hash(crypto.MD5).New()
	hasher.Write(tmp)
	hasher.Write([]byte(p.Secret))

	calculatedHash := hasher.Sum(nil)

	//tofau :
	//fmt.Printf("\n****MYHASH %x", calculatedHash)

	if !hmac.Equal(calculatedHash, oldAuth[:]) {
		//fmt.Printf("\n\nINVALID PACKET")
		return p, ErrMessageAuthenticatorCheckFail
	} else {
		//fmt.Printf("\n\nVALID PACKET")
	}

	return p, nil

	/* suppressed by tofgau
	if err != nil {

		return p, err
	}

	return p, nil
	*/

}
```
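The check proposed in the post above, as a stand-alone added example (not code from the issue or from the library): it builds an Accounting-Request, verifies the authenticator, and calls the handler only when verification succeeds. It assumes the RFC 2866 Request Authenticator, MD5 over the packet with 16 zero octets in place of the authenticator followed by the shared secret; `buildAccountingRequest`, `verifyAuthenticator`, `dispatch`, `errBadAuthenticator` and the sample packet and secret are hypothetical names and constructed values.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

var errBadAuthenticator = errors.New("request authenticator mismatch")

// buildAccountingRequest returns a constructed Accounting-Request (code 4) with a valid authenticator.
func buildAccountingRequest(id byte, attrs []byte, secret string) []byte {
	buf := append([]byte{4, id, 19: 0}, attrs...) // 20-octet header, authenticator still zero
	binary.BigEndian.PutUint16(buf[2:4], uint16(len(buf)))
	sum := md5.Sum(append(append([]byte{}, buf...), secret...))
	copy(buf[4:20], sum[:])
	return buf
}

// verifyAuthenticator recomputes the hash over a copy of the packet with octets 4..19 zeroed.
func verifyAuthenticator(buf []byte, secret string) error {
	if len(buf) < 20 || int(binary.BigEndian.Uint16(buf[2:4])) != len(buf) {
		return errors.New("invalid length")
	}
	tmp := append([]byte{}, buf...)
	copy(tmp[4:20], make([]byte, 16))
	sum := md5.Sum(append(tmp, secret...))
	if subtle.ConstantTimeCompare(sum[:], buf[4:20]) != 1 {
		return errBadAuthenticator
	}
	return nil
}

// dispatch hands the packet to handler only after the authenticator verifies.
func dispatch(buf []byte, secret string, handler func([]byte)) error {
	if err := verifyAuthenticator(buf, secret); err != nil {
		return err // dropped: handler is never invoked
	}
	handler(buf)
	return nil
}

func main() {
	pkt := buildAccountingRequest(1, []byte{1, 5, 'b', 'o', 'b'}, "s3cret")
	pkt[len(pkt)-1] ^= 0xff // tamper with one attribute octet after signing
	fmt.Println(dispatch(pkt, "s3cret", func([]byte) { fmt.Println("handled") }))
}
```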

@bronze1man
Owner

Can you add a test and send a pull request?
Sorry, I do not have radius test environment right now.
