radlib: fix a memory leak in `is_valid_request`

Call `HMAC_CTX_free` if returning early from `is_valid_request` when
processing `Message-Authenticator` tags.

Reported by: Coverity
MFC after: 1 week

radlib: fix a memory leak in `is_valid_request`

Call `HMAC_CTX_free` if returning early from `is_valid_request` when
processing `Message-Authenticator` tags.

Reported by: Coverity
MFC after: 1 week
Fixes: 8d5c7813061d ("libradius: Fix input validation bugs")
Differential Revision: https://reviews.freebsd.org/D45488

show more ...

lib: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remov

lib: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

show more ...

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

show more ...

libradius: fix WITHOUT_OPENSSL build

int alen is used only with SSL.

Reported by: Michael Dexter, Build Option Survey
MFC after: 3 days
Fixes: 8d5c7813061d ("libradius: Fix input validation bugs")

libradius: fix WITHOUT_OPENSSL build

int alen is used only with SSL.

Reported by: Michael Dexter, Build Option Survey
MFC after: 3 days
Fixes: 8d5c7813061d ("libradius: Fix input validation bugs")
Sponsored by: The FreeBSD Foundation

show more ...

libradius: fix no SSL build

int alen is only used with SSL.

libradius: Fix attribute length validation in rad_get_attr(3)

The length of the attribute header needs to be excluded when comparing
the attribute length against the length of the packet. Otherwise

libradius: Fix attribute length validation in rad_get_attr(3)

The length of the attribute header needs to be excluded when comparing
the attribute length against the length of the packet. Otherwise,
validation may incorrectly fail when fetching the final attribute in a
message.

Fixes: 8d5c78130 ("libradius: Fix input validation bugs")
Reported by: Peter Eriksson
Tested by: Peter Eriksson
MFC after: now
Sponsored by: The FreeBSD Foundation

show more ...

libradius: Fix input validation bugs

Approved by: so
Security: FreeBSD-SA-21:12.libradius
Security: CVE-2021-29629
MFC after: now
Sponsored by: The FreeBSD Foundation

libradius: Rip out dubious use of srandomdev(3)+random(3)

These functions appear to intend to produce unpredictable results. Just use
arc4random.

While here, use an explicit_bzero instead of memse

libradius: Rip out dubious use of srandomdev(3)+random(3)

These functions appear to intend to produce unpredictable results. Just use
arc4random.

While here, use an explicit_bzero instead of memset where the intent is clearly
to zero out a secret (clear_passphrase).

show more ...

Make libradius(3) buildable.

lib: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
pr

lib: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

show more ...

Fix build: reflect the increased field number.

- Rewrite radius servers traversal algorithm.
- Add functions for working with IPv6 attributes.

Approved by: ae

Add binding support to libradius(3).

Submitted by: Sergey Matveychuk <sem33@yandex-team.ru>
Approved by: ae (mentor)
MFC after: 2 weeks

Fix bug, when RADIUS client gave up after single sendto() error, do not
trying backup servers.

PR: kern/103764, misc/139214

Add simple embedded RADIUS server support to libradius, by extending existing
API, keeping backward compatibility.

First consumer for this functionality is going to become forthcoming MPD-5.4,
suppo

Add simple embedded RADIUS server support to libradius, by extending existing
API, keeping backward compatibility.

First consumer for this functionality is going to become forthcoming MPD-5.4,
supporting CoA and DR of RFC 3576: Dynamic Authorization Extensions to RADIUS.

MFC after: 1 month

show more ...

Use correct u_int and socklen_t types for parameters if function is
expecting them, not int.

Use %zu to print values with type size_t.

- Added rad_demangle() for demangling user-passwords (needed for
MS-CHAPv1 MPPE-keys).
- Added rad_demangle_mppe_key() for demangling mppe-keys (needed
for MPPE-keys).
- Added some typecasts for

- Added rad_demangle() for demangling user-passwords (needed for
MS-CHAPv1 MPPE-keys).
- Added rad_demangle_mppe_key() for demangling mppe-keys (needed
for MPPE-keys).
- Added some typecasts for avoiding compiler warnings.
- Fix: better handle wrong usage of the lib (if the programmer
has not called rad_create_request() but rad_put_*(), then a
weird error message was returned).
- Added a new function for putting the Message-Authenticator.
- Verify the Message-Authenticator, if it was found inside a
response packet and silently drop the packet, if the validation
failed.
- Implicitly put the Message-Authenticator, if the EAP-Message
attribute was added.
- Added some missing defines.

Submitted by: Michael Bretterklieber
PR: 46555

show more ...

Add the following functions:

rad_request_authenticator()
Returns the Request-Authenticator relevant to the most recently received
RADIUS response.

rad_server_secret()
Returns the Sh

Add the following functions:

rad_request_authenticator()
Returns the Request-Authenticator relevant to the most recently received
RADIUS response.

rad_server_secret()
Returns the Shared Secret relevant to the most recently received
RADIUS response.

Neither of these functions should be necessary, however, the
MS-MPPE-Recv-Key and MS-MPPE-Send-Key Microsoft Vendor Specific
attributes are supplied in a mangled (encrypted) format, requiring
this information to demangle.

It's not clear whether these functions should be replaced with a
rad_demangle() function or whether these attributes are one-offs.

Sponsored by: Monzoon

show more ...

Add rad_get_vendor_attr() for deciphering vendor attributes received
from the RADIUS server.

Add support for vendor specific RADIUS extensions.

Only the extensions from rfc2548 are specified for now.

Add __FBSDID()s to libradius

Fix password clearing bug which prevented challenge/response from working.

Reviewed by: jdp

strtok -> strsep (no strtok allowed in libraries)