From cbcaa6a7c8f8a6704f6b4a68f260020957214a07 Mon Sep 17 00:00:00 2001
From: Linus Nordberg <linus@nordu.net>
Date: Mon, 7 Mar 2011 15:23:40 +0100
Subject: Move verification of response packets up to a level where it makes
 sense.

Replace the user_dispatch_flag on connections with
conn_user_dispatch_p().

Remove the 'original' member from packet and instead have an upper
layer verify.

Rename packet valid_flag --> received_flag to reflect that we don't
verify.

Move _close_conn() --> conn_close().

Move packet flags into a single unsigned int, for portability.

(_read_packet): Don't verify packet.

(rs_conn_receive_packet): Don't touch PKT_OUT if there isn't a packet.

(rs_conn_receive_packet): Verify packet using packet_verify_response().
---
 lib/packet.c | 39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

(limited to 'lib/packet.c')

diff --git a/lib/packet.c b/lib/packet.c
index 6ba9fd3..799234f 100644
--- a/lib/packet.c
+++ b/lib/packet.c
@@ -9,6 +9,7 @@
 #include <event2/bufferevent.h>
 #include <radsec/radsec.h>
 #include <radsec/radsec-impl.h>
+#include "conn.h"
 #include "debug.h"
 #include "packet.h"
 
@@ -18,15 +19,47 @@
 #include <event2/buffer.h>
 #endif
 
-/* Badly named helper function for preparing a RADIUS message and
-   queue it.  FIXME: Rename.  */
+int
+packet_verify_response (struct rs_connection *conn,
+			struct rs_packet *response,
+			struct rs_packet *request)
+{
+  assert (conn);
+  assert (conn->active_peer);
+  assert (conn->active_peer->secret);
+  assert (response);
+  assert (response->rpkt);
+  assert (request);
+  assert (request->rpkt);
+
+  /* Verify header and message authenticator.  */
+  if (rad_verify (response->rpkt, request->rpkt, conn->active_peer->secret))
+    {
+      conn_close (&conn);
+      return rs_err_conn_push_fl (conn, RSE_FR, __FILE__, __LINE__,
+				  "rad_verify: %s", fr_strerror ());
+    }
+
+  /* Decode and decrypt.  */
+  if (rad_decode (response->rpkt, request->rpkt, conn->active_peer->secret))
+    {
+      conn_close (&conn);
+      return rs_err_conn_push_fl (conn, RSE_FR, __FILE__, __LINE__,
+				  "rad_decode: %s", fr_strerror ());
+    }
+
+  return RSE_OK;
+}
+
+
+/* Badly named function for preparing a RADIUS message and queue it.
+   FIXME: Rename.  */
 int
 packet_do_send (struct rs_packet *pkt)
 {
   VALUE_PAIR *vp = NULL;
 
   assert (pkt->rpkt);
-  assert (!pkt->original);
 
   /* Add Message-Authenticator, RFC 2869.  */
   /* FIXME: Make Message-Authenticator optional?  */
-- 
cgit v1.1