Commit 1a1774bf authored by Ray Bellis's avatar Ray Bellis

added response authentication to the client

parent 36f41849
......@@ -35,14 +35,15 @@ async function _request(client_state, code, attrs)
const server = client_state.servers[n];
const address = server.server;
const port = (code === Code.ACCOUNTING_REQUEST) ? server.acct : server.auth;
const secret = server.secret;
// server-specific packet content
const identifier = (server.id++ & 0xff);
const authenticator = RadiusPacket.randomAuthenticator();
const req = new RadiusPacket(code, identifier, authenticator, attrs);
const buffer = req.toWire(server.secret, response = false);
const buffer = req.toWire(secret, response = false);
state[n] = { code, identifier, authenticator, address, port, buffer };
state[n] = { code, identifier, authenticator, address, port, secret, buffer };
}
return state[n];
}
......@@ -50,29 +51,46 @@ async function _request(client_state, code, attrs)
return new Promise((resolve, reject) => {
const socket = dgram.createSocket('udp4');
let current = {};
socket.on('message', function(msg, rinfo) {
const s = state[attempt];
// check it came from the original target
if (rinfo.address !== s.address ||
rinfo.port !== s.port)
if (rinfo.address !== current.address ||
rinfo.port !== current.port)
{
console.log(`ignoring packet from ${rinfo.address}:${rinfo.port}`);
return;
}
// parse the response
const res = RadiusPacket.fromWire(msg);
// parse the response, ignoring any unparseable packets
let res = undefined;
try {
res = RadiusPacket.fromWire(msg);
} catch (e) {
return;
}
// ignore packets whose identifier doesn't match
if (res.identifier !== s.identifier) {
if (res.identifier !== current.identifier) {
return;
}
// FIXME: validate packet signature
// validate packet signature (dropping invalid packets)
const hash = crypto.createHash('md5');
hash.update(Buffer.from(msg.buffer, 0, 4));
hash.update(current.authenticator);
hash.update(Buffer.from(msg.buffer, 20));
hash.update(current.secret);
const authen = Buffer.from(msg.buffer, 4, 16);
const digest = hash.digest();
if (Buffer.compare(authen, digest) !== 0) {
console.log(`bad authenticator on packet from ${rinfo.address}:${rinfo.port}`);
return;
}
// examine the response code and determine the action to take
const req_code = code.toString();
const res_code = res.code.toString();
......@@ -113,7 +131,7 @@ async function _request(client_state, code, attrs)
// start sending packets
(function send() {
const n = attempt % slen;
const s = getState(n);
current = getState(n);
timer = setTimeout(() => {
timer = undefined;
......@@ -125,7 +143,7 @@ async function _request(client_state, code, attrs)
}
}, timeout);
socket.send(s.buffer, 0, s.buffer.length, s.port, s.address);
socket.send(current.buffer, 0, current.buffer.length, current.port, current.address);
})();
});
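Review bot: The new authenticator check hashes `Buffer.from(msg.buffer, 0, 4)` and `Buffer.from(msg.buffer, 20)`, i.e. absolute offsets into the backing ArrayBuffer, but Node does not guarantee that `buf.buffer` begins at the Buffer's first byte or ends at its last, so if the datagram Buffer is a view into a larger store the wrong bytes are hashed and every genuine response is dropped (and a datagram shorter than 20 bytes would make `Buffer.from(msg.buffer, 20)` throw inside the handler unless `fromWire` already rejected it). Slicing the Buffer itself with `msg.subarray(...)` bounds the hash to the received datagram; RFC 2865 additionally hashes only `Length` bytes, so if `fromWire` does not enforce `Length === msg.length` the slice should end at the parsed length rather than at the end of the datagram. While touching these lines, the 16-byte `Buffer.compare` should become `crypto.timingSafeEqual`, the idiomatic constant-time check for a MAC-like value. A response authenticator alone does not protect against the known MD5 chosen-prefix weakness in RADIUS over UDP, so verifying a Message-Authenticator attribute in responses that carry one would be a worthwhile follow-up, though out of scope for this commit. The `socket.on('message', …)` handler and the enclosing `_request` function both continue outside the hunk.
```javascript
// validate packet signature (dropping invalid packets)
const hash = crypto.createHash('md5');
hash.update(msg.subarray(0, 4));
hash.update(current.authenticator);
hash.update(msg.subarray(20));
hash.update(current.secret);
const authen = msg.subarray(4, 20);
const digest = hash.digest();
if (!crypto.timingSafeEqual(authen, digest)) {
    console.log(`bad authenticator on packet from ${rinfo.address}:${rinfo.port}`);
    return;
}
// … unchanged: response code handling …
```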