X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/e105384b8046007fe07e66a115e7a1a45a8f7d5a..0f328b4aa16b0b47f05a85c440ce1d07719e3cac:/print-radius.c
diff --git a/print-radius.c b/print-radius.c
index 3bacab4c..fda7710c 100644
--- a/print-radius.c
+++ b/print-radius.c
@@ -53,9 +53,15 @@
 * RFC 4675:
 * "RADIUS Attributes for Virtual LAN and Priority Support"
 *
+ * RFC 4818:
+ * "RADIUS Delegated-IPv6-Prefix Attribute"
+ *
 * RFC 4849:
 * "RADIUS Filter Rule Attribute"
 *
+ * RFC 5090:
+ * "RADIUS Extension for Digest Authentication"
+ *
 * RFC 5176:
 * "Dynamic Authorization Extensions to RADIUS"
 *
@@ -542,7 +548,28 @@ static struct attrtype { { "Framed-IPv6-Route", NULL, 0, 0, print_attr_string }, { "Framed-IPv6-Pool", NULL, 0, 0, print_attr_string }, { "Error-Cause", NULL, 0, 0, print_attr_strange }, - { "EAP-Key-Name", NULL, 0, 0, NULL } + { "EAP-Key-Name", NULL, 0, 0, NULL }, + { "Digest-Response", NULL, 0, 0, print_attr_string }, + { "Digest-Realm", NULL, 0, 0, print_attr_string }, + { "Digest-Nonce", NULL, 0, 0, print_attr_string }, + { "Digest-Response-Auth", NULL, 0, 0, print_attr_string }, + { "Digest-Nextnonce", NULL, 0, 0, print_attr_string }, + { "Digest-Method", NULL, 0, 0, print_attr_string }, + { "Digest-URI", NULL, 0, 0, print_attr_string }, + { "Digest-Qop", NULL, 0, 0, print_attr_string }, + { "Digest-Algorithm", NULL, 0, 0, print_attr_string }, + { "Digest-Entity-Body-Hash", NULL, 0, 0, print_attr_string }, + { "Digest-CNonce", NULL, 0, 0, print_attr_string }, + { "Digest-Nonce-Count", NULL, 0, 0, print_attr_string }, + { "Digest-Username", NULL, 0, 0, print_attr_string }, + { "Digest-Opaque", NULL, 0, 0, print_attr_string }, + { "Digest-Auth-Param", NULL, 0, 0, print_attr_string }, + { "Digest-AKA-Auts", NULL, 0, 0, print_attr_string }, + { "Digest-Domain", NULL, 0, 0, print_attr_string }, + { "Digest-Stale", NULL, 0, 0, print_attr_string }, + { "Digest-HA1", NULL, 0, 0, print_attr_string }, + { "SIP-AOR", NULL, 0, 0, print_attr_string }, + { "Delegated-IPv6-Prefix", NULL, 0, 0, print_attr_netmask6 }, }; @@ -566,13 +593,13 @@ print_attr_string(netdissect_options *ndo, case TUNNEL_PASS: if (length < 3) goto trunc; - if (*data && (*data <=0x1F) ) - ND_PRINT((ndo, "Tag[%u] ", *data)); + if (EXTRACT_U_1(data) && (EXTRACT_U_1(data) <= 0x1F)) + ND_PRINT((ndo, "Tag[%u] ", EXTRACT_U_1(data))); else ND_PRINT((ndo, "Tag[Unused] ")); data++; length--; - ND_PRINT((ndo, "Salt %u ", EXTRACT_16BITS(data))); + ND_PRINT((ndo, "Salt %u ", EXTRACT_BE_U_2(data))); data+=2; length-=2; break; 
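Review bot: The twenty-one rows added to `attr_type` are purely positional, yet the table is indexed by attribute code elsewhere in this file (`attr_type[attr_code].siz_subtypes` in print_attr_num), so one missing or swapped row would silently mislabel every later attribute and hand it to the wrong printer. A trailing comment giving the attribute number on each new row, or at least on `Digest-Response` and `Delegated-IPv6-Prefix`, would let a reader check the alignment against RFC 5090 and RFC 4818. `Digest-HA1` is printed verbatim through `print_attr_string` and is credential-equivalent material, so a short comment on that row saying decoded output should be treated as sensitive would help operators. The start of the table and the code that indexes it are outside this hunk.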
@@ -582,12 +609,12 @@ print_attr_string(netdissect_options *ndo, case TUNNEL_ASSIGN_ID: case TUNNEL_CLIENT_AUTH: case TUNNEL_SERVER_AUTH: - if (*data <= 0x1F) + if (EXTRACT_U_1(data) <= 0x1F) { if (length < 1) goto trunc; - if (*data) - ND_PRINT((ndo, "Tag[%u] ", *data)); + if (EXTRACT_U_1(data)) + ND_PRINT((ndo, "Tag[%u] ", EXTRACT_U_1(data))); else ND_PRINT((ndo, "Tag[Unused] ")); data++; @@ -598,15 +625,15 @@ print_attr_string(netdissect_options *ndo, if (length < 1) goto trunc; ND_PRINT((ndo, "%s (0x%02x) ", - tok2str(rfc4675_tagged,"Unknown tag",*data), - *data)); + tok2str(rfc4675_tagged,"Unknown tag",EXTRACT_U_1(data)), + EXTRACT_U_1(data))); data++; length--; break; } - for (i=0; i < length && *data; i++, data++) - ND_PRINT((ndo, "%c", (*data < 32 || *data > 126) ? '.' : *data)); + for (i=0; i < length && EXTRACT_U_1(data); i++, data++) + ND_PRINT((ndo, "%c", ND_ISPRINT(EXTRACT_U_1(data)) ? EXTRACT_U_1(data) : '.')); return; @@ -628,8 +655,8 @@ print_vendor_attr(netdissect_options *ndo, if (length < 4) goto trunc; - ND_TCHECK2(*data, 4); - vendor_id = EXTRACT_32BITS(data); + ND_TCHECK_4(data); + vendor_id = EXTRACT_BE_U_4(data); data+=4; length-=4; @@ -638,10 +665,10 @@ print_vendor_attr(netdissect_options *ndo, vendor_id)); while (length >= 2) { - ND_TCHECK2(*data, 2); + ND_TCHECK_2(data); - vendor_type = *(data); - vendor_length = *(data+1); + vendor_type = EXTRACT_U_1(data); + vendor_length = EXTRACT_U_1(data + 1); if (vendor_length < 2) { @@ -666,7 +693,7 @@ print_vendor_attr(netdissect_options *ndo, vendor_type, vendor_length)); for (idx = 0; idx < vendor_length ; idx++, data++) - ND_PRINT((ndo, "%c", (*data < 32 || *data > 126) ? '.' : *data)); + ND_PRINT((ndo, "%c", ND_ISPRINT(EXTRACT_U_1(data)) ? EXTRACT_U_1(data) : '.')); length-=vendor_length; } return; @@ -694,7 +721,7 @@ print_attr_num(netdissect_options *ndo, return; } - ND_TCHECK2(data[0],4); + ND_TCHECK_4(data); /* This attribute has standard values */ if (attr_type[attr_code].siz_subtypes) { 
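Review bot: In the case group ending in TUNNEL_SERVER_AUTH the tag byte is read by `if (EXTRACT_U_1(data) <= 0x1F)` before the `if (length < 1) goto trunc;` test that sits inside that branch, so for a zero-length value one byte beyond the attribute is examined before the length is looked at. The length test should come first: `if (length < 1) goto trunc;` followed by `if (EXTRACT_U_1(data) <= 0x1F) {`. Whether a zero-length value can reach this point depends on checks at the top of print_attr_string and in its caller, both outside the hunk, so this may be a latent ordering problem rather than a reachable over-read.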
@@ -704,16 +731,16 @@ print_attr_num(netdissect_options *ndo, if ( (attr_code == TUNNEL_TYPE) || (attr_code == TUNNEL_MEDIUM) ) { - if (!*data) + if (!EXTRACT_U_1(data)) ND_PRINT((ndo, "Tag[Unused] ")); else - ND_PRINT((ndo, "Tag[%d] ", *data)); + ND_PRINT((ndo, "Tag[%d] ", EXTRACT_U_1(data))); data++; - data_value = EXTRACT_24BITS(data); + data_value = EXTRACT_BE_U_3(data); } else { - data_value = EXTRACT_32BITS(data); + data_value = EXTRACT_BE_U_4(data); } if ( data_value <= (uint32_t)(attr_type[attr_code].siz_subtypes - 1 + attr_type[attr_code].first_subtype) && @@ -727,10 +754,10 @@ print_attr_num(netdissect_options *ndo, switch(attr_code) /* Be aware of special cases... */ { case FRM_IPX: - if (EXTRACT_32BITS( data) == 0xFFFFFFFE ) + if (EXTRACT_BE_U_4(data) == 0xFFFFFFFE ) ND_PRINT((ndo, "NAS Select")); else - ND_PRINT((ndo, "%d", EXTRACT_32BITS(data))); + ND_PRINT((ndo, "%d", EXTRACT_BE_U_4(data))); break; case SESSION_TIMEOUT: @@ -738,7 +765,7 @@ print_attr_num(netdissect_options *ndo, case ACCT_DELAY: case ACCT_SESSION_TIME: case ACCT_INT_INTERVAL: - timeout = EXTRACT_32BITS( data); + timeout = EXTRACT_BE_U_4(data); if ( timeout < 60 ) ND_PRINT((ndo, "%02d secs", timeout)); else 
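Review bot: `ND_PRINT((ndo, "%d", EXTRACT_BE_U_4(data)))` in the FRM_IPX case formats an unsigned 32-bit extraction with a signed conversion, so any value of 0x80000000 or above is displayed as a negative number. `%u` matches the value: `ND_PRINT((ndo, "%u", EXTRACT_BE_U_4(data)));`. The same applies to the FRM_ATALK_LINK, FRM_ATALK_NETWORK and default cases in the `@@ -754,38 +781,38 @@` hunk; the `Tag[%d]` and 24-bit prints are unaffected because those values always fit in an int. The `%02d secs` print of `timeout` may need the same change, depending on the type of `timeout`, which is declared outside these hunks.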
@@ -754,38 +781,38 @@ print_attr_num(netdissect_options *ndo, break; case FRM_ATALK_LINK: - if (EXTRACT_32BITS(data) ) - ND_PRINT((ndo, "%d", EXTRACT_32BITS(data))); + if (EXTRACT_BE_U_4(data)) + ND_PRINT((ndo, "%d", EXTRACT_BE_U_4(data))); else ND_PRINT((ndo, "Unnumbered")); break; case FRM_ATALK_NETWORK: - if (EXTRACT_32BITS(data) ) - ND_PRINT((ndo, "%d", EXTRACT_32BITS(data))); + if (EXTRACT_BE_U_4(data)) + ND_PRINT((ndo, "%d", EXTRACT_BE_U_4(data))); else ND_PRINT((ndo, "NAS assigned")); break; case TUNNEL_PREFERENCE: - if (*data) - ND_PRINT((ndo, "Tag[%d] ", *data)); + if (EXTRACT_U_1(data)) + ND_PRINT((ndo, "Tag[%d] ", EXTRACT_U_1(data))); else ND_PRINT((ndo, "Tag[Unused] ")); data++; - ND_PRINT((ndo, "%d", EXTRACT_24BITS(data))); + ND_PRINT((ndo, "%d", EXTRACT_BE_U_3(data))); break; case EGRESS_VLAN_ID: ND_PRINT((ndo, "%s (0x%02x) ", - tok2str(rfc4675_tagged,"Unknown tag",*data), - *data)); + tok2str(rfc4675_tagged,"Unknown tag",EXTRACT_U_1(data)), + EXTRACT_U_1(data))); data++; - ND_PRINT((ndo, "%d", EXTRACT_24BITS(data))); + ND_PRINT((ndo, "%d", EXTRACT_BE_U_3(data))); break; default: - ND_PRINT((ndo, "%d", EXTRACT_32BITS(data))); + ND_PRINT((ndo, "%d", EXTRACT_BE_U_4(data))); break; } /* switch */ @@ -815,16 +842,16 @@ print_attr_address(netdissect_options *ndo, return; } - ND_TCHECK2(data[0],4); + ND_TCHECK_4(data); switch(attr_code) { case FRM_IPADDR: case LOG_IPHOST: - if (EXTRACT_32BITS(data) == 0xFFFFFFFF ) + if (EXTRACT_BE_U_4(data) == 0xFFFFFFFF ) ND_PRINT((ndo, "User Selected")); else - if (EXTRACT_32BITS(data) == 0xFFFFFFFE ) + if (EXTRACT_BE_U_4(data) == 0xFFFFFFFE ) ND_PRINT((ndo, "NAS Select")); else ND_PRINT((ndo, "%s",ipaddr_string(ndo, data))); @@ -858,7 +885,7 @@ print_attr_address6(netdissect_options *ndo, return; } - ND_TCHECK2(data[0], 16); + ND_TCHECK_16(data); ND_PRINT((ndo, "%s", ip6addr_string(ndo, data))); 
@@ -872,25 +899,28 @@ static void print_attr_netmask6(netdissect_options *ndo, register const u_char *data, u_int length, u_short attr_code _U_) { - u_char data2[18]; + u_char data2[16]; if (length < 2 || length > 18) { ND_PRINT((ndo, "ERROR: length %u not in range (2..18)", length)); return; } - else if (data[1] > 128) + ND_TCHECK2(data[0], length); + if (EXTRACT_U_1(data + 1) > 128) { - ND_PRINT((ndo, "ERROR: netmask %u not in range (0..128)", data[1])); + ND_PRINT((ndo, "ERROR: netmask %u not in range (0..128)", EXTRACT_U_1(data + 1))); return; } - ND_TCHECK2(data[0], length); memset(data2, 0, sizeof(data2)); if (length > 2) memcpy(data2, data+2, length-2); - ND_PRINT((ndo, "%s/%u", ip6addr_string(ndo, data2), data[1])); + ND_PRINT((ndo, "%s/%u", ip6addr_string(ndo, data2), EXTRACT_U_1(data + 1))); + + if (EXTRACT_U_1(data + 1) > 8 * (length - 2)) + ND_PRINT((ndo, " (inconsistent prefix length)")); return; @@ -919,9 +949,9 @@ print_attr_time(netdissect_options *ndo, return; } - ND_TCHECK2(data[0],4); + ND_TCHECK_4(data); - attr_time = EXTRACT_32BITS(data); + attr_time = EXTRACT_BE_U_4(data); strlcpy(string, ctime(&attr_time), sizeof(string)); /* Get rid of the newline */ string[24] = '\0'; @@ -955,11 +985,11 @@ print_attr_strange(netdissect_options *ndo, return; } ND_PRINT((ndo, "User_challenge (")); - ND_TCHECK2(data[0],8); + ND_TCHECK_8(data); len_data = 8; PRINT_HEX(len_data, data); ND_PRINT((ndo, ") User_resp(")); - ND_TCHECK2(data[0],8); + ND_TCHECK_8(data); len_data = 8; PRINT_HEX(len_data, data); ND_PRINT((ndo, ")")); 
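Review bot: The `memcpy(data2, data+2, length-2)` into the now 16-byte `data2` stays in bounds only because of the `length > 18` rejection several lines earlier, and nothing at the copy says so. I would add a comment at the copy such as `/* length is 2..18 here, so at most sizeof(data2) bytes are copied */`, so that a later change to the range check is not made without looking at the buffer size. `EXTRACT_U_1(data + 1)` is also evaluated four times; a local such as `u_int prefix_len = EXTRACT_U_1(data + 1);` placed right after the `ND_TCHECK2` would make the range test, the print and the consistency test read as one value. The function's trunc label is outside the hunk.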
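Review bot: `strlcpy(string, ctime(&attr_time), sizeof(string))` in print_attr_time passes the result of ctime() on unchecked, and ctime() may return NULL for a time it cannot represent; the value here comes straight from the packet. Checking the pointer first avoids a NULL dereference on platforms where that can happen: `const char *ts = ctime(&attr_time);` then `if (ts == NULL) { ND_PRINT((ndo, "(invalid time)")); return; }`. Whether NULL is reachable depends on the width of `time_t` and the type of `attr_time`, which is declared outside the hunk. The following `string[24] = '\0';` likewise assumes that `string`, also declared outside the hunk, holds at least 25 bytes.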
@@ -971,25 +1001,25 @@ print_attr_strange(netdissect_options *ndo, ND_PRINT((ndo, "ERROR: length %u != 14", length)); return; } - ND_TCHECK2(data[0],1); - if (*data) + ND_TCHECK_1(data); + if (EXTRACT_U_1(data)) ND_PRINT((ndo, "User can change password")); else ND_PRINT((ndo, "User cannot change password")); data++; - ND_TCHECK2(data[0],1); - ND_PRINT((ndo, ", Min password length: %d", *data)); + ND_TCHECK_1(data); + ND_PRINT((ndo, ", Min password length: %d", EXTRACT_U_1(data))); data++; ND_PRINT((ndo, ", created at: ")); - ND_TCHECK2(data[0],4); + ND_TCHECK_4(data); len_data = 4; PRINT_HEX(len_data, data); ND_PRINT((ndo, ", expires in: ")); - ND_TCHECK2(data[0],4); + ND_TCHECK_4(data); len_data = 4; PRINT_HEX(len_data, data); ND_PRINT((ndo, ", Current Time: ")); - ND_TCHECK2(data[0],4); + ND_TCHECK_4(data); len_data = 4; PRINT_HEX(len_data, data); break; @@ -1000,7 +1030,7 @@ print_attr_strange(netdissect_options *ndo, ND_PRINT((ndo, "ERROR: length %u != 8", length)); return; } - ND_TCHECK2(data[0],8); + ND_TCHECK_8(data); len_data = 8; PRINT_HEX(len_data, data); break; @@ -1011,9 +1041,9 @@ print_attr_strange(netdissect_options *ndo, ND_PRINT((ndo, "Error: length %u != 4", length)); return; } - ND_TCHECK2(data[0],4); + ND_TCHECK_4(data); - error_cause_value = EXTRACT_32BITS(data); + error_cause_value = EXTRACT_BE_U_4(data); ND_PRINT((ndo, "Error cause %u: %s", error_cause_value, tok2str(errorcausetype, "Error-Cause %u not known", error_cause_value))); break; } @@ -1093,7 +1123,7 @@ radius_print(netdissect_options *ndo, ND_TCHECK2(*dat, MIN_RADIUS_LEN); rad = (const struct radius_hdr *)dat; - len = EXTRACT_16BITS(&rad->len); + len = EXTRACT_BE_U_2(&rad->len); if (len < MIN_RADIUS_LEN) {