psiphon-tunnel-core/vendor/github.com/google/gopacket/layers/radius.go

// Copyright 2020 The GoPacket Authors. All rights reserved.
//
// Use of this source code is governed by a BSD-style license that can be found
// in the LICENSE file in the root of the source tree.

package layers

import (
	"encoding/binary"
	"fmt"

	"github.com/google/gopacket"
)

const (
	// RFC 2865 3.  Packet Format
	// `The minimum length is 20 and maximum length is 4096.`
	radiusMinimumRecordSizeInBytes int = 20
	radiusMaximumRecordSizeInBytes int = 4096

	// RFC 2865 5.  Attributes
	// `The Length field is one octet, and indicates the length of this Attribute including the Type, Length and Value fields.`
	// `The Value field is zero or more octets and contains information specific to the Attribute.`
	radiusAttributesMinimumRecordSizeInBytes int = 2
)

// RADIUS represents a Remote Authentication Dial In User Service layer.
type RADIUS struct {
	BaseLayer

	Code          RADIUSCode
	Identifier    RADIUSIdentifier
	Length        RADIUSLength
	Authenticator RADIUSAuthenticator
	Attributes    []RADIUSAttribute
}

// RADIUSCode represents packet type.
type RADIUSCode uint8

// constants that define RADIUSCode.
const (
	RADIUSCodeAccessRequest      RADIUSCode = 1   // RFC2865 3.  Packet Format
	RADIUSCodeAccessAccept       RADIUSCode = 2   // RFC2865 3.  Packet Format
	RADIUSCodeAccessReject       RADIUSCode = 3   // RFC2865 3.  Packet Format
	RADIUSCodeAccountingRequest  RADIUSCode = 4   // RFC2865 3.  Packet Format
	RADIUSCodeAccountingResponse RADIUSCode = 5   // RFC2865 3.  Packet Format
	RADIUSCodeAccessChallenge    RADIUSCode = 11  // RFC2865 3.  Packet Format
	RADIUSCodeStatusServer       RADIUSCode = 12  // RFC2865 3.  Packet Format (experimental)
	RADIUSCodeStatusClient       RADIUSCode = 13  // RFC2865 3.  Packet Format (experimental)
	RADIUSCodeReserved           RADIUSCode = 255 // RFC2865 3.  Packet Format
)

// String returns a string version of a RADIUSCode.
func (t RADIUSCode) String() (s string) {
	switch t {
	case RADIUSCodeAccessRequest:
		s = "Access-Request"
	case RADIUSCodeAccessAccept:
		s = "Access-Accept"
	case RADIUSCodeAccessReject:
		s = "Access-Reject"
	case RADIUSCodeAccountingRequest:
		s = "Accounting-Request"
	case RADIUSCodeAccountingResponse:
		s = "Accounting-Response"
	case RADIUSCodeAccessChallenge:
		s = "Access-Challenge"
	case RADIUSCodeStatusServer:
		s = "Status-Server"
	case RADIUSCodeStatusClient:
		s = "Status-Client"
	case RADIUSCodeReserved:
		s = "Reserved"
	default:
		s = fmt.Sprintf("Unknown(%d)", t)
	}
	return
}

// RADIUSIdentifier represents packet identifier.
type RADIUSIdentifier uint8

// RADIUSLength represents packet length.
type RADIUSLength uint16

// RADIUSAuthenticator represents authenticator.
type RADIUSAuthenticator [16]byte

// RADIUSAttribute represents attributes.
type RADIUSAttribute struct {
	Type   RADIUSAttributeType
	Length RADIUSAttributeLength
	Value  RADIUSAttributeValue
}

// RADIUSAttributeType represents attribute type.
type RADIUSAttributeType uint8

// constants that define RADIUSAttributeType.
const (
	RADIUSAttributeTypeUserName               RADIUSAttributeType = 1  // RFC2865  5.1.  User-Name
	RADIUSAttributeTypeUserPassword           RADIUSAttributeType = 2  // RFC2865  5.2.  User-Password
	RADIUSAttributeTypeCHAPPassword           RADIUSAttributeType = 3  // RFC2865  5.3.  CHAP-Password
	RADIUSAttributeTypeNASIPAddress           RADIUSAttributeType = 4  // RFC2865  5.4.  NAS-IP-Address
	RADIUSAttributeTypeNASPort                RADIUSAttributeType = 5  // RFC2865  5.5.  NAS-Port
	RADIUSAttributeTypeServiceType            RADIUSAttributeType = 6  // RFC2865  5.6.  Service-Type
	RADIUSAttributeTypeFramedProtocol         RADIUSAttributeType = 7  // RFC2865  5.7.  Framed-Protocol
	RADIUSAttributeTypeFramedIPAddress        RADIUSAttributeType = 8  // RFC2865  5.8.  Framed-IP-Address
	RADIUSAttributeTypeFramedIPNetmask        RADIUSAttributeType = 9  // RFC2865  5.9.  Framed-IP-Netmask
	RADIUSAttributeTypeFramedRouting          RADIUSAttributeType = 10 // RFC2865 5.10.  Framed-Routing
	RADIUSAttributeTypeFilterId               RADIUSAttributeType = 11 // RFC2865 5.11.  Filter-Id
	RADIUSAttributeTypeFramedMTU              RADIUSAttributeType = 12 // RFC2865 5.12.  Framed-MTU
	RADIUSAttributeTypeFramedCompression      RADIUSAttributeType = 13 // RFC2865 5.13.  Framed-Compression
	RADIUSAttributeTypeLoginIPHost            RADIUSAttributeType = 14 // RFC2865 5.14.  Login-IP-Host
	RADIUSAttributeTypeLoginService           RADIUSAttributeType = 15 // RFC2865 5.15.  Login-Service
	RADIUSAttributeTypeLoginTCPPort           RADIUSAttributeType = 16 // RFC2865 5.16.  Login-TCP-Port
	RADIUSAttributeTypeReplyMessage           RADIUSAttributeType = 18 // RFC2865 5.18.  Reply-Message
	RADIUSAttributeTypeCallbackNumber         RADIUSAttributeType = 19 // RFC2865 5.19.  Callback-Number
	RADIUSAttributeTypeCallbackId             RADIUSAttributeType = 20 // RFC2865 5.20.  Callback-Id
	RADIUSAttributeTypeFramedRoute            RADIUSAttributeType = 22 // RFC2865 5.22.  Framed-Route
	RADIUSAttributeTypeFramedIPXNetwork       RADIUSAttributeType = 23 // RFC2865 5.23.  Framed-IPX-Network
	RADIUSAttributeTypeState                  RADIUSAttributeType = 24 // RFC2865 5.24.  State
	RADIUSAttributeTypeClass                  RADIUSAttributeType = 25 // RFC2865 5.25.  Class
	RADIUSAttributeTypeVendorSpecific         RADIUSAttributeType = 26 // RFC2865 5.26.  Vendor-Specific
	RADIUSAttributeTypeSessionTimeout         RADIUSAttributeType = 27 // RFC2865 5.27.  Session-Timeout
	RADIUSAttributeTypeIdleTimeout            RADIUSAttributeType = 28 // RFC2865 5.28.  Idle-Timeout
	RADIUSAttributeTypeTerminationAction      RADIUSAttributeType = 29 // RFC2865 5.29.  Termination-Action
	RADIUSAttributeTypeCalledStationId        RADIUSAttributeType = 30 // RFC2865 5.30.  Called-Station-Id
	RADIUSAttributeTypeCallingStationId       RADIUSAttributeType = 31 // RFC2865 5.31.  Calling-Station-Id
	RADIUSAttributeTypeNASIdentifier          RADIUSAttributeType = 32 // RFC2865 5.32.  NAS-Identifier
	RADIUSAttributeTypeProxyState             RADIUSAttributeType = 33 // RFC2865 5.33.  Proxy-State
	RADIUSAttributeTypeLoginLATService        RADIUSAttributeType = 34 // RFC2865 5.34.  Login-LAT-Service
	RADIUSAttributeTypeLoginLATNode           RADIUSAttributeType = 35 // RFC2865 5.35.  Login-LAT-Node
	RADIUSAttributeTypeLoginLATGroup          RADIUSAttributeType = 36 // RFC2865 5.36.  Login-LAT-Group
	RADIUSAttributeTypeFramedAppleTalkLink    RADIUSAttributeType = 37 // RFC2865 5.37.  Framed-AppleTalk-Link
	RADIUSAttributeTypeFramedAppleTalkNetwork RADIUSAttributeType = 38 // RFC2865 5.38.  Framed-AppleTalk-Network
	RADIUSAttributeTypeFramedAppleTalkZone    RADIUSAttributeType = 39 // RFC2865 5.39.  Framed-AppleTalk-Zone
	RADIUSAttributeTypeAcctStatusType         RADIUSAttributeType = 40 // RFC2866  5.1.  Acct-Status-Type
	RADIUSAttributeTypeAcctDelayTime          RADIUSAttributeType = 41 // RFC2866  5.2.  Acct-Delay-Time
	RADIUSAttributeTypeAcctInputOctets        RADIUSAttributeType = 42 // RFC2866  5.3.  Acct-Input-Octets
	RADIUSAttributeTypeAcctOutputOctets       RADIUSAttributeType = 43 // RFC2866  5.4.  Acct-Output-Octets
	RADIUSAttributeTypeAcctSessionId          RADIUSAttributeType = 44 // RFC2866  5.5.  Acct-Session-Id
	RADIUSAttributeTypeAcctAuthentic          RADIUSAttributeType = 45 // RFC2866  5.6.  Acct-Authentic
	RADIUSAttributeTypeAcctSessionTime        RADIUSAttributeType = 46 // RFC2866  5.7.  Acct-Session-Time
	RADIUSAttributeTypeAcctInputPackets       RADIUSAttributeType = 47 // RFC2866  5.8.  Acct-Input-Packets
	RADIUSAttributeTypeAcctOutputPackets      RADIUSAttributeType = 48 // RFC2866  5.9.  Acct-Output-Packets
	RADIUSAttributeTypeAcctTerminateCause     RADIUSAttributeType = 49 // RFC2866 5.10.  Acct-Terminate-Cause
	RADIUSAttributeTypeAcctMultiSessionId     RADIUSAttributeType = 50 // RFC2866 5.11.  Acct-Multi-Session-Id
	RADIUSAttributeTypeAcctLinkCount          RADIUSAttributeType = 51 // RFC2866 5.12.  Acct-Link-Count
	RADIUSAttributeTypeAcctInputGigawords     RADIUSAttributeType = 52 // RFC2869  5.1.  Acct-Input-Gigawords
	RADIUSAttributeTypeAcctOutputGigawords    RADIUSAttributeType = 53 // RFC2869  5.2.  Acct-Output-Gigawords
	RADIUSAttributeTypeEventTimestamp         RADIUSAttributeType = 55 // RFC2869  5.3.  Event-Timestamp
	RADIUSAttributeTypeCHAPChallenge          RADIUSAttributeType = 60 // RFC2865 5.40.  CHAP-Challenge
	RADIUSAttributeTypeNASPortType            RADIUSAttributeType = 61 // RFC2865 5.41.  NAS-Port-Type
	RADIUSAttributeTypePortLimit              RADIUSAttributeType = 62 // RFC2865 5.42.  Port-Limit
	RADIUSAttributeTypeLoginLATPort           RADIUSAttributeType = 63 // RFC2865 5.43.  Login-LAT-Port
	RADIUSAttributeTypeTunnelType             RADIUSAttributeType = 64 // RFC2868  3.1.  Tunnel-Type
	RADIUSAttributeTypeTunnelMediumType       RADIUSAttributeType = 65 // RFC2868  3.2.  Tunnel-Medium-Type
	RADIUSAttributeTypeTunnelClientEndpoint   RADIUSAttributeType = 66 // RFC2868  3.3.  Tunnel-Client-Endpoint
	RADIUSAttributeTypeTunnelServerEndpoint   RADIUSAttributeType = 67 // RFC2868  3.4.  Tunnel-Server-Endpoint
	RADIUSAttributeTypeAcctTunnelConnection   RADIUSAttributeType = 68 // RFC2867  4.1.  Acct-Tunnel-Connection
	RADIUSAttributeTypeTunnelPassword         RADIUSAttributeType = 69 // RFC2868  3.5.  Tunnel-Password
	RADIUSAttributeTypeARAPPassword           RADIUSAttributeType = 70 // RFC2869  5.4.  ARAP-Password
	RADIUSAttributeTypeARAPFeatures           RADIUSAttributeType = 71 // RFC2869  5.5.  ARAP-Features
	RADIUSAttributeTypeARAPZoneAccess         RADIUSAttributeType = 72 // RFC2869  5.6.  ARAP-Zone-Access
	RADIUSAttributeTypeARAPSecurity           RADIUSAttributeType = 73 // RFC2869  5.7.  ARAP-Security
	RADIUSAttributeTypeARAPSecurityData       RADIUSAttributeType = 74 // RFC2869  5.8.  ARAP-Security-Data
	RADIUSAttributeTypePasswordRetry          RADIUSAttributeType = 75 // RFC2869  5.9.  Password-Retry
	RADIUSAttributeTypePrompt                 RADIUSAttributeType = 76 // RFC2869 5.10.  Prompt
	RADIUSAttributeTypeConnectInfo            RADIUSAttributeType = 77 // RFC2869 5.11.  Connect-Info
	RADIUSAttributeTypeConfigurationToken     RADIUSAttributeType = 78 // RFC2869 5.12.  Configuration-Token
	RADIUSAttributeTypeEAPMessage             RADIUSAttributeType = 79 // RFC2869 5.13.  EAP-Message
	RADIUSAttributeTypeMessageAuthenticator   RADIUSAttributeType = 80 // RFC2869 5.14.  Message-Authenticator
	RADIUSAttributeTypeTunnelPrivateGroupID   RADIUSAttributeType = 81 // RFC2868  3.6.  Tunnel-Private-Group-ID
	RADIUSAttributeTypeTunnelAssignmentID     RADIUSAttributeType = 82 // RFC2868  3.7.  Tunnel-Assignment-ID
	RADIUSAttributeTypeTunnelPreference       RADIUSAttributeType = 83 // RFC2868  3.8.  Tunnel-Preference
	RADIUSAttributeTypeARAPChallengeResponse  RADIUSAttributeType = 84 // RFC2869 5.15.  ARAP-Challenge-Response
	RADIUSAttributeTypeAcctInterimInterval    RADIUSAttributeType = 85 // RFC2869 5.16.  Acct-Interim-Interval
	RADIUSAttributeTypeAcctTunnelPacketsLost  RADIUSAttributeType = 86 // RFC2867  4.2.  Acct-Tunnel-Packets-Lost
	RADIUSAttributeTypeNASPortId              RADIUSAttributeType = 87 // RFC2869 5.17.  NAS-Port-Id
	RADIUSAttributeTypeFramedPool             RADIUSAttributeType = 88 // RFC2869 5.18.  Framed-Pool
	RADIUSAttributeTypeTunnelClientAuthID     RADIUSAttributeType = 90 // RFC2868  3.9.  Tunnel-Client-Auth-ID
	RADIUSAttributeTypeTunnelServerAuthID     RADIUSAttributeType = 91 // RFC2868 3.10.  Tunnel-Server-Auth-ID
)

// RADIUSAttributeType represents attribute length.
type RADIUSAttributeLength uint8

// RADIUSAttributeType represents attribute value.
type RADIUSAttributeValue []byte

// String returns a string version of a RADIUSAttributeType.
func (t RADIUSAttributeType) String() (s string) {
	switch t {
	case RADIUSAttributeTypeUserName:
		s = "User-Name"
	case RADIUSAttributeTypeUserPassword:
		s = "User-Password"
	case RADIUSAttributeTypeCHAPPassword:
		s = "CHAP-Password"
	case RADIUSAttributeTypeNASIPAddress:
		s = "NAS-IP-Address"
	case RADIUSAttributeTypeNASPort:
		s = "NAS-Port"
	case RADIUSAttributeTypeServiceType:
		s = "Service-Type"
	case RADIUSAttributeTypeFramedProtocol:
		s = "Framed-Protocol"
	case RADIUSAttributeTypeFramedIPAddress:
		s = "Framed-IP-Address"
	case RADIUSAttributeTypeFramedIPNetmask:
		s = "Framed-IP-Netmask"
	case RADIUSAttributeTypeFramedRouting:
		s = "Framed-Routing"
	case RADIUSAttributeTypeFilterId:
		s = "Filter-Id"
	case RADIUSAttributeTypeFramedMTU:
		s = "Framed-MTU"
	case RADIUSAttributeTypeFramedCompression:
		s = "Framed-Compression"
	case RADIUSAttributeTypeLoginIPHost:
		s = "Login-IP-Host"
	case RADIUSAttributeTypeLoginService:
		s = "Login-Service"
	case RADIUSAttributeTypeLoginTCPPort:
		s = "Login-TCP-Port"
	case RADIUSAttributeTypeReplyMessage:
		s = "Reply-Message"
	case RADIUSAttributeTypeCallbackNumber:
		s = "Callback-Number"
	case RADIUSAttributeTypeCallbackId:
		s = "Callback-Id"
	case RADIUSAttributeTypeFramedRoute:
		s = "Framed-Route"
	case RADIUSAttributeTypeFramedIPXNetwork:
		s = "Framed-IPX-Network"
	case RADIUSAttributeTypeState:
		s = "State"
	case RADIUSAttributeTypeClass:
		s = "Class"
	case RADIUSAttributeTypeVendorSpecific:
		s = "Vendor-Specific"
	case RADIUSAttributeTypeSessionTimeout:
		s = "Session-Timeout"
	case RADIUSAttributeTypeIdleTimeout:
		s = "Idle-Timeout"
	case RADIUSAttributeTypeTerminationAction:
		s = "Termination-Action"
	case RADIUSAttributeTypeCalledStationId:
		s = "Called-Station-Id"
	case RADIUSAttributeTypeCallingStationId:
		s = "Calling-Station-Id"
	case RADIUSAttributeTypeNASIdentifier:
		s = "NAS-Identifier"
	case RADIUSAttributeTypeProxyState:
		s = "Proxy-State"
	case RADIUSAttributeTypeLoginLATService:
		s = "Login-LAT-Service"
	case RADIUSAttributeTypeLoginLATNode:
		s = "Login-LAT-Node"
	case RADIUSAttributeTypeLoginLATGroup:
		s = "Login-LAT-Group"
	case RADIUSAttributeTypeFramedAppleTalkLink:
		s = "Framed-AppleTalk-Link"
	case RADIUSAttributeTypeFramedAppleTalkNetwork:
		s = "Framed-AppleTalk-Network"
	case RADIUSAttributeTypeFramedAppleTalkZone:
		s = "Framed-AppleTalk-Zone"
	case RADIUSAttributeTypeAcctStatusType:
		s = "Acct-Status-Type"
	case RADIUSAttributeTypeAcctDelayTime:
		s = "Acct-Delay-Time"
	case RADIUSAttributeTypeAcctInputOctets:
		s = "Acct-Input-Octets"
	case RADIUSAttributeTypeAcctOutputOctets:
		s = "Acct-Output-Octets"
	case RADIUSAttributeTypeAcctSessionId:
		s = "Acct-Session-Id"
	case RADIUSAttributeTypeAcctAuthentic:
		s = "Acct-Authentic"
	case RADIUSAttributeTypeAcctSessionTime:
		s = "Acct-Session-Time"
	case RADIUSAttributeTypeAcctInputPackets:
		s = "Acct-Input-Packets"
	case RADIUSAttributeTypeAcctOutputPackets:
		s = "Acct-Output-Packets"
	case RADIUSAttributeTypeAcctTerminateCause:
		s = "Acct-Terminate-Cause"
	case RADIUSAttributeTypeAcctMultiSessionId:
		s = "Acct-Multi-Session-Id"
	case RADIUSAttributeTypeAcctLinkCount:
		s = "Acct-Link-Count"
	case RADIUSAttributeTypeAcctInputGigawords:
		s = "Acct-Input-Gigawords"
	case RADIUSAttributeTypeAcctOutputGigawords:
		s = "Acct-Output-Gigawords"
	case RADIUSAttributeTypeEventTimestamp:
		s = "Event-Timestamp"
	case RADIUSAttributeTypeCHAPChallenge:
		s = "CHAP-Challenge"
	case RADIUSAttributeTypeNASPortType:
		s = "NAS-Port-Type"
	case RADIUSAttributeTypePortLimit:
		s = "Port-Limit"
	case RADIUSAttributeTypeLoginLATPort:
		s = "Login-LAT-Port"
	case RADIUSAttributeTypeTunnelType:
		s = "Tunnel-Type"
	case RADIUSAttributeTypeTunnelMediumType:
		s = "Tunnel-Medium-Type"
	case RADIUSAttributeTypeTunnelClientEndpoint:
		s = "Tunnel-Client-Endpoint"
	case RADIUSAttributeTypeTunnelServerEndpoint:
		s = "Tunnel-Server-Endpoint"
	case RADIUSAttributeTypeAcctTunnelConnection:
		s = "Acct-Tunnel-Connection"
	case RADIUSAttributeTypeTunnelPassword:
		s = "Tunnel-Password"
	case RADIUSAttributeTypeARAPPassword:
		s = "ARAP-Password"
	case RADIUSAttributeTypeARAPFeatures:
		s = "ARAP-Features"
	case RADIUSAttributeTypeARAPZoneAccess:
		s = "ARAP-Zone-Access"
	case RADIUSAttributeTypeARAPSecurity:
		s = "ARAP-Security"
	case RADIUSAttributeTypeARAPSecurityData:
		s = "ARAP-Security-Data"
	case RADIUSAttributeTypePasswordRetry:
		s = "Password-Retry"
	case RADIUSAttributeTypePrompt:
		s = "Prompt"
	case RADIUSAttributeTypeConnectInfo:
		s = "Connect-Info"
	case RADIUSAttributeTypeConfigurationToken:
		s = "Configuration-Token"
	case RADIUSAttributeTypeEAPMessage:
		s = "EAP-Message"
	case RADIUSAttributeTypeMessageAuthenticator:
		s = "Message-Authenticator"
	case RADIUSAttributeTypeTunnelPrivateGroupID:
		s = "Tunnel-Private-Group-ID"
	case RADIUSAttributeTypeTunnelAssignmentID:
		s = "Tunnel-Assignment-ID"
	case RADIUSAttributeTypeTunnelPreference:
		s = "Tunnel-Preference"
	case RADIUSAttributeTypeARAPChallengeResponse:
		s = "ARAP-Challenge-Response"
	case RADIUSAttributeTypeAcctInterimInterval:
		s = "Acct-Interim-Interval"
	case RADIUSAttributeTypeAcctTunnelPacketsLost:
		s = "Acct-Tunnel-Packets-Lost"
	case RADIUSAttributeTypeNASPortId:
		s = "NAS-Port-Id"
	case RADIUSAttributeTypeFramedPool:
		s = "Framed-Pool"
	case RADIUSAttributeTypeTunnelClientAuthID:
		s = "Tunnel-Client-Auth-ID"
	case RADIUSAttributeTypeTunnelServerAuthID:
		s = "Tunnel-Server-Auth-ID"
	default:
		s = fmt.Sprintf("Unknown(%d)", t)
	}
	return
}

// Len returns the length of a RADIUS packet.
func (radius *RADIUS) Len() (int, error) {
	n := radiusMinimumRecordSizeInBytes
	for _, v := range radius.Attributes {
		alen, err := attributeValueLength(v.Value)
		if err != nil {
			return 0, err
		}
		n += int(alen) + 2 // Added Type and Length
	}
	return n, nil
}

// LayerType returns LayerTypeRADIUS.
func (radius *RADIUS) LayerType() gopacket.LayerType {
	return LayerTypeRADIUS
}

// DecodeFromBytes decodes the given bytes into this layer.
func (radius *RADIUS) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) error {
	if len(data) > radiusMaximumRecordSizeInBytes {
		df.SetTruncated()
		return fmt.Errorf("RADIUS length %d too big", len(data))
	}

	if len(data) < radiusMinimumRecordSizeInBytes {
		df.SetTruncated()
		return fmt.Errorf("RADIUS length %d too short", len(data))
	}

	radius.BaseLayer = BaseLayer{Contents: data}

	radius.Code = RADIUSCode(data[0])
	radius.Identifier = RADIUSIdentifier(data[1])
	radius.Length = RADIUSLength(binary.BigEndian.Uint16(data[2:4]))

	if int(radius.Length) > radiusMaximumRecordSizeInBytes {
		df.SetTruncated()
		return fmt.Errorf("RADIUS length %d too big", radius.Length)
	}

	if int(radius.Length) < radiusMinimumRecordSizeInBytes {
		df.SetTruncated()
		return fmt.Errorf("RADIUS length %d too short", radius.Length)
	}

	// RFC 2865 3.  Packet Format
	// `If the packet is shorter than the Length field indicates, it MUST be silently discarded.`
	if int(radius.Length) > len(data) {
		df.SetTruncated()
		return fmt.Errorf("RADIUS length %d too big", radius.Length)
	}

	// RFC 2865 3.  Packet Format
	// `Octets outside the range of the Length field MUST be treated as padding and ignored on reception.`
	if int(radius.Length) < len(data) {
		df.SetTruncated()
		data = data[:radius.Length]
	}

	copy(radius.Authenticator[:], data[4:20])

	if len(data) == radiusMinimumRecordSizeInBytes {
		return nil
	}

	pos := radiusMinimumRecordSizeInBytes
	for {
		if len(data) == pos {
			break
		}

		if len(data[pos:]) < radiusAttributesMinimumRecordSizeInBytes {
			df.SetTruncated()
			return fmt.Errorf("RADIUS attributes length %d too short", len(data[pos:]))
		}

		attr := RADIUSAttribute{}
		attr.Type = RADIUSAttributeType(data[pos])
		attr.Length = RADIUSAttributeLength(data[pos+1])

		if int(attr.Length) > len(data[pos:]) {
			df.SetTruncated()
			return fmt.Errorf("RADIUS attributes length %d too big", attr.Length)
		}

		if int(attr.Length) < radiusAttributesMinimumRecordSizeInBytes {
			df.SetTruncated()
			return fmt.Errorf("RADIUS attributes length %d too short", attr.Length)
		}

		if int(attr.Length) > radiusAttributesMinimumRecordSizeInBytes {
			attr.Value = make([]byte, attr.Length-2)
			copy(attr.Value[:], data[pos+2:pos+int(attr.Length)])
			radius.Attributes = append(radius.Attributes, attr)
		}

		pos += int(attr.Length)
	}

	for _, v := range radius.Attributes {
		if v.Type == RADIUSAttributeTypeEAPMessage {
			radius.BaseLayer.Payload = append(radius.BaseLayer.Payload, v.Value...)
		}
	}

	return nil
}

// SerializeTo writes the serialized form of this layer into the
// SerializationBuffer, implementing gopacket.SerializableLayer.
// See the docs for gopacket.SerializableLayer for more info.
func (radius *RADIUS) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeOptions) error {
	plen, err := radius.Len()
	if err != nil {
		return err
	}

	if opts.FixLengths {
		radius.Length = RADIUSLength(plen)
	}

	data, err := b.PrependBytes(plen)
	if err != nil {
		return err
	}

	data[0] = byte(radius.Code)
	data[1] = byte(radius.Identifier)
	binary.BigEndian.PutUint16(data[2:], uint16(radius.Length))
	copy(data[4:20], radius.Authenticator[:])

	pos := radiusMinimumRecordSizeInBytes
	for _, v := range radius.Attributes {
		if opts.FixLengths {
			v.Length, err = attributeValueLength(v.Value)
			if err != nil {
				return err
			}
		}

		data[pos] = byte(v.Type)
		data[pos+1] = byte(v.Length)
		copy(data[pos+2:], v.Value[:])

		pos += len(v.Value) + 2 // Added Type and Length
	}

	return nil
}

// CanDecode returns the set of layer types that this DecodingLayer can decode.
func (radius *RADIUS) CanDecode() gopacket.LayerClass {
	return LayerTypeRADIUS
}

// NextLayerType returns the layer type contained by this DecodingLayer.
func (radius *RADIUS) NextLayerType() gopacket.LayerType {
	if len(radius.BaseLayer.Payload) > 0 {
		return LayerTypeEAP
	} else {
		return gopacket.LayerTypeZero
	}
}

// Payload returns the EAP Type-Data for EAP-Message attributes.
func (radius *RADIUS) Payload() []byte {
	return radius.BaseLayer.Payload
}

func decodeRADIUS(data []byte, p gopacket.PacketBuilder) error {
	radius := &RADIUS{}
	err := radius.DecodeFromBytes(data, p)
	if err != nil {
		return err
	}
	p.AddLayer(radius)
	p.SetApplicationLayer(radius)
	next := radius.NextLayerType()
	if next == gopacket.LayerTypeZero {
		return nil
	}
	return p.NextDecoder(next)
}

func attributeValueLength(v []byte) (RADIUSAttributeLength, error) {
	n := len(v)
	if n > 255 {
		return 0, fmt.Errorf("RADIUS attribute value length %d too long", n)
	} else {
		return RADIUSAttributeLength(n), nil
	}
}