pyrad 2.3__py3-none-any.whl → 2.5.0__py3-none-any.whl

pyrad/packet.py

@@ -5,10 +5,29 @@
 # A RADIUS packet as defined in RFC 2138
 
 from collections import OrderedDict
-import struct
-import random
-# Hmac needed for Message-Authenticator
+from pyrad import tools
 import hmac
+import struct
+import sys
+
+try:
+    import secrets
+    random_generator = secrets.SystemRandom()
+except ImportError:
+    import random
+    random_generator = random.SystemRandom()
+
+
+def _hmac_md5(*args, **kwargs):
+    """Py3 hmac.new() wrapper with explicit MD5 digestmod."""
+    return hmac.new(*args, digestmod='MD5', **kwargs)
+
+
+if sys.version_info >= (3, 0):
+    hmac_new = _hmac_md5
+else:
+    hmac_new = hmac.new
+
 try:
     import hashlib
     md5_constructor = hashlib.md5
@@ -16,8 +35,6 @@ except ImportError:
     # BBB for python 2.4
     import md5
     md5_constructor = md5.new
-import six
-from pyrad import tools
 
 # Packet codes
 AccessRequest = 1
@@ -35,9 +52,6 @@ CoARequest = 43
 CoAACK = 44
 CoANAK = 45
 
-# Use cryptographic-safe random generator as provided by the OS.
-random_generator = random.SystemRandom()
-
 # Current ID
 CurrentID = random_generator.randrange(1, 255)
 
@@ -52,7 +66,7 @@ class Packet(OrderedDict):
     attributes the value will always be a sequence. pyrad makes sure
     to preserve the ordering when encoding and decoding packets.
 
-    There are two ways to use the map intereface: if attribute
+    There are two ways to use the map interface: if attribute
     names are used pyrad take care of en-/decoding data. If
     the attribute type number (or a vendor ID/attribute type
     tuple for vendor attributes) is used you work with the
@@ -62,7 +76,7 @@ class Packet(OrderedDict):
     :obj:`AuthPacket` or :obj:`AcctPacket` classes.
     """
 
-    def __init__(self, code=0, id=None, secret=six.b(''), authenticator=None,
+    def __init__(self, code=0, id=None, secret=b'', authenticator=None,
                  **attributes):
         """Constructor
 
@@ -83,20 +97,23 @@ class Packet(OrderedDict):
             self.id = id
         else:
             self.id = CreateID()
-        if not isinstance(secret, six.binary_type):
+        if not isinstance(secret, bytes):
             raise TypeError('secret must be a binary string')
         self.secret = secret
         if authenticator is not None and \
-                not isinstance(authenticator, six.binary_type):
+                not isinstance(authenticator, bytes):
             raise TypeError('authenticator must be a binary string')
         self.authenticator = authenticator
+        self.request_authenticator = None      # used for storing request authenticator in reply packets
         self.message_authenticator = None
+        self.raw_packet = None
 
         if 'dict' in attributes:
             self.dict = attributes['dict']
 
         if 'packet' in attributes:
-            self.DecodePacket(attributes['packet'])
+            self.raw_packet = attributes['packet']
+            self.DecodePacket(self.raw_packet)
 
         if 'message_authenticator' in attributes:
             self.message_authenticator = attributes['message_authenticator']
@@ -114,7 +131,7 @@ class Packet(OrderedDict):
 
         self.message_authenticator = True
         # Maintain a zero octets content for md5 and hmac calculation.
-        self['Message-Authenticator'] = 16 * six.b('\00')
+        self['Message-Authenticator'] = 16 * b'\00'
 
         if self.id is None:
             self.id = self.CreateID()
@@ -128,10 +145,10 @@ class Packet(OrderedDict):
         return self.message_authenticator
 
     def _refresh_message_authenticator(self):
-        hmac_constructor = hmac.new(self.secret)
+        hmac_constructor = hmac_new(self.secret)
 
         # Maintain a zero octets content for md5 and hmac calculation.
-        self['Message-Authenticator'] = 16 * six.b('\00')
+        self['Message-Authenticator'] = 16 * b'\00'
         attr = self._PktEncodeAttributes()
 
         header = struct.pack('!BBH', self.code, self.id,
@@ -140,7 +157,7 @@ class Packet(OrderedDict):
         hmac_constructor.update(header[0:4])
         if self.code in (AccountingRequest, DisconnectRequest,
                          CoARequest, AccountingResponse):
-            hmac_constructor.update(16 * six.b('\00'))
+            hmac_constructor.update(16 * b'\00')
         else:
             # NOTE: self.authenticator on reply packet is initialized
             #       with request authenticator by design.
@@ -176,19 +193,32 @@ class Packet(OrderedDict):
         else:
             key = self.secret
 
-        self['Message-Authenticator'] = 16 * six.b('\00')
-        attr = self._PktEncodeAttributes()
+        # If there's a raw packet, use that to calculate the expected
+        # Message-Authenticator. While the Packet class keeps multiple
+        # instances of an attribute grouped together in the attribute list,
+        # other applications may not. Using _PktEncodeAttributes to get
+        # the attributes could therefore end up changing the attribute order
+        # because of the grouping Packet does, which would cause
+        # Message-Authenticator verification to fail. Using the raw packet
+        # instead, if present, ensures the verification is done using the
+        # attributes exactly as sent.
+        if self.raw_packet:
+            attr = self.raw_packet[20:]
+            attr = attr.replace(prev_ma[0], 16 * b'\00')
+        else:
+            self['Message-Authenticator'] = 16 * b'\00'
+            attr = self._PktEncodeAttributes()
 
         header = struct.pack('!BBH', self.code, self.id,
                              (20 + len(attr)))
 
-        hmac_constructor = hmac.new(key)
+        hmac_constructor = hmac_new(key)
         hmac_constructor.update(header)
         if self.code in (AccountingRequest, DisconnectRequest,
                          CoARequest, AccountingResponse):
             if original_code is None or original_code != StatusServer:
                 # TODO: Handle Status-Server response correctly.
-                hmac_constructor.update(16 * six.b('\00'))
+                hmac_constructor.update(16 * b'\00')
         elif self.code in (AccessAccept, AccessChallenge,
                            AccessReject):
             if original_authenticator is None:
@@ -218,6 +248,10 @@ class Packet(OrderedDict):
                       **attributes)
 
     def _DecodeValue(self, attr, value):
+        if attr.encrypt == 2:
+            # salt decrypt attribute
+            value = self.SaltDecrypt(value)
+
         if attr.values.HasBackward(value):
             return attr.values.GetBackward(value)
         else:
@@ -239,7 +273,7 @@ class Packet(OrderedDict):
     def _EncodeKeyValues(self, key, values):
         if not isinstance(key, str):
             return (key, values)
-        
+
         if not isinstance(values, (list, tuple)):
             values = [values]
 
@@ -260,7 +294,7 @@ class Packet(OrderedDict):
             return key
 
         attr = self.dict.attributes[key]
-        if attr.vendor and not attr.is_sub_attribute:  #sub attribute keys don't need vendor
+        if attr.vendor and not attr.is_sub_attribute:  # sub attribute keys don't need vendor
             return (self.dict.vendors.GetForward(attr.vendor), attr.code)
         else:
             return attr.code
@@ -281,7 +315,7 @@ class Packet(OrderedDict):
         :param value: value
         :type value:  depends on type of attribute
         """
-        attr = self.dict.attributes[key]
+        attr = self.dict.attributes[key.partition(':')[0]]
 
         (key, value) = self._EncodeKeyValues(key, value)
 
@@ -294,10 +328,14 @@ class Packet(OrderedDict):
         encoded.extend(value)
 
     def get(self, key, failobj=None):
-        return self.__getitem__(key) or failobj
+        try:
+            res = self.__getitem__(key)
+        except KeyError:
+            res = failobj
+        return res
 
     def __getitem__(self, key):
-        if not isinstance(key, six.string_types):
+        if not isinstance(key, str):
             return OrderedDict.__getitem__(self, key)
 
         values = OrderedDict.__getitem__(self, self._EncodeKey(key))
@@ -328,7 +366,7 @@ class Packet(OrderedDict):
         OrderedDict.__delitem__(self, self._EncodeKey(key))
 
     def __setitem__(self, key, item):
-        if isinstance(key, six.string_types):
+        if isinstance(key, str):
             (key, item) = self._EncodeKeyValues(key, item)
             OrderedDict.__setitem__(self, key, item)
         else:
@@ -347,14 +385,10 @@ class Packet(OrderedDict):
         :return: valid packet authenticator
         :rtype: binary string
         """
-
-        data = []
-        for _ in range(16):
-            data.append(random_generator.randrange(0, 256))
-        if six.PY3:
-            return bytes(data)
-        else:
-            return ''.join(chr(b) for b in data)
+        return bytes(
+            random_generator.randrange(0, 256)
+            for _ in range(16)
+        )
 
     def CreateID(self):
         """Create a packet ID.  All RADIUS requests have a ID which is used to
@@ -376,8 +410,8 @@ class Packet(OrderedDict):
         :return: raw packet
         :rtype:  string
         """
-        assert(self.authenticator)
-        assert(self.secret is not None)
+        assert (self.authenticator)
+        assert (self.secret is not None)
 
         if self.message_authenticator:
             self._refresh_message_authenticator()
@@ -390,27 +424,34 @@ class Packet(OrderedDict):
 
         return header + authenticator + attr
 
-    def VerifyReply(self, reply, rawreply=None):
+    def VerifyReply(self, reply, rawreply=None, enforce_ma=False):
         if reply.id != self.id:
             return False
 
         if rawreply is None:
             rawreply = reply.ReplyPacket()
 
-        attr = reply._PktEncodeAttributes()
-        #  The Authenticator field in an Accounting-Response packet is called
-        #  the Response Authenticator, and contains a one-way MD5 hash
-        #  calculated over a stream of octets consisting of the Accounting
-        #  Response Code, Identifier, Length, the Request Authenticator field
-        #  from the Accounting-Request packet being replied to, and the
-        #  response attributes if any, followed by the shared secret.  The
-        #  resulting 16 octet MD5 hash value is stored in the Authenticator
+        _ = reply._PktEncodeAttributes()
+        # The Authenticator field in an Accounting-Response packet is called
+        # the Response Authenticator, and contains a one-way MD5 hash
+        # calculated over a stream of octets consisting of the Accounting
+        # Response Code, Identifier, Length, the Request Authenticator field
+        # from the Accounting-Request packet being replied to, and the
+        # response attributes if any, followed by the shared secret.  The
+        # resulting 16 octet MD5 hash value is stored in the Authenticator
         # field of the Accounting-Response packet.
         hash = md5_constructor(rawreply[0:4] + self.authenticator +
-                               attr  + self.secret).digest()
+                               rawreply[20:] + self.secret).digest()
 
         if hash != rawreply[4:20]:
             return False
+
+        if enforce_ma:
+            if self.message_authenticator is None:
+                return False
+            if not self.verify_message_authenticator():
+                return False
+
         return True
 
     def _PktEncodeAttribute(self, key, value):
@@ -423,11 +464,11 @@ class Packet(OrderedDict):
 
     def _PktEncodeTlv(self, tlv_key, tlv_value):
         tlv_attr = self.dict.attributes[self._DecodeKey(tlv_key)]
-        curr_avp = six.b('')
+        curr_avp = b''
         avps = []
         max_sub_attribute_len = max(map(lambda item: len(item[1]), tlv_value.items()))
         for i in range(max_sub_attribute_len):
-            sub_attr_encoding = six.b('')
+            sub_attr_encoding = b''
             for (code, datalst) in tlv_value.items():
                 if i < len(datalst):
                     sub_attr_encoding += self._PktEncodeAttribute(code, datalst[i])
@@ -443,7 +484,7 @@ class Packet(OrderedDict):
             value = struct.pack('!BB', tlv_attr.code, (len(avp) + 2)) + avp
             tlv_avps.append(value)
         if tlv_attr.vendor:
-            vendor_avps = six.b('')
+            vendor_avps = b''
             for avp in tlv_avps:
                 vendor_avps += struct.pack(
                     '!BBL', 26, (len(avp) + 6),
@@ -454,10 +495,9 @@ class Packet(OrderedDict):
             return b''.join(tlv_avps)
 
     def _PktEncodeAttributes(self):
-        result = six.b('')
+        result = b''
         for (code, datalst) in self.items():
-            attribute = self.dict.attributes.get(self._DecodeKey(code))
-            if attribute and attribute.type == 'tlv':
+            if self._PktIsTlvAttribute(code):
                 result += self._PktEncodeTlv(code, datalst)
             else:
                 for data in datalst:
@@ -471,21 +511,20 @@ class Packet(OrderedDict):
             return [(26, data)]
 
         (vendor, atype, length) = struct.unpack('!LBB', data[:6])[0:3]
-        attribute = self.dict.attributes.get(self._DecodeKey((vendor, atype)))
         try:
-            if attribute and attribute.type == 'tlv':
+            if self._PktIsTlvAttribute((vendor, atype)):
                 self._PktDecodeTlvAttribute((vendor, atype), data[6:length + 4])
                 tlvs = []  # tlv is added to the packet inside _PktDecodeTlvAttribute
             else:
                 tlvs = [((vendor, atype), data[6:length + 4])]
-        except:
+        except Exception:
             return [(26, data)]
 
         sumlength = 4 + length
         while len(data) > sumlength:
             try:
                 atype, length = struct.unpack('!BB', data[sumlength:sumlength+2])[0:2]
-            except:
+            except Exception:
                 return [(26, data)]
             tlvs.append(((vendor, atype), data[sumlength+2:sumlength+length]))
             sumlength += length
@@ -500,6 +539,10 @@ class Packet(OrderedDict):
             sub_attributes.setdefault(atype, []).append(data[loc+2:loc+length])
             loc += length
 
+    def _PktIsTlvAttribute(self, code):
+        attr = self.dict.attributes.get(self._DecodeKey(code))
+        return (attr is not None and attr.type == 'tlv')
+
     def DecodePacket(self, packet):
         """Initialize the object from raw packet data.  Decode a packet as
         received from the network and decode it.
@@ -528,11 +571,9 @@ class Packet(OrderedDict):
                 raise PacketError('Attribute header is corrupt')
 
             if attrlen < 2:
-                raise PacketError(
-                        'Attribute length is too small (%d)' % attrlen)
+                raise PacketError('Attribute length is too small (%d)' % attrlen)
 
             value = packet[2:attrlen]
-            attribute = self.dict.attributes.get(self._DecodeKey(key))
             if key == 26:
                 for (key, value) in self._PktDecodeVendorAttribute(value):
                     self.setdefault(key, []).append(value)
@@ -540,58 +581,82 @@ class Packet(OrderedDict):
                 # POST: Message Authenticator AVP is present.
                 self.message_authenticator = True
                 self.setdefault(key, []).append(value)
-            elif attribute and attribute.type == 'tlv':
-                self._PktDecodeTlvAttribute(key,value)
+            elif self._PktIsTlvAttribute(key):
+                self._PktDecodeTlvAttribute(key, value)
             else:
                 self.setdefault(key, []).append(value)
 
             packet = packet[attrlen:]
 
+    def _salt_en_decrypt(self, data, salt):
+        result = b''
+        if self.request_authenticator is not None:
+            last = self.request_authenticator + salt
+        else:
+            last = self.authenticator + salt
+        while data:
+            hash = md5_constructor(self.secret + last).digest()
+            for i in range(16):
+                result += bytes((hash[i] ^ data[i],))
+
+            last = result[-16:]
+            data = data[16:]
+        return result
+
     def SaltCrypt(self, value):
-        """Salt Encryption
+        """SaltEncrypt
 
         :param value:    plaintext value
-        :type password:  unicode string
+        :type:           unicode string
         :return:         obfuscated version of the value
         :rtype:          binary string
         """
 
-        if isinstance(value, six.text_type):
+        if isinstance(value, str):
             value = value.encode('utf-8')
 
         if self.authenticator is None:
             # self.authenticator = self.CreateAuthenticator()
-            self.authenticator = 16 * six.b('\x00')
+            self.authenticator = 16 * b'\x00'
 
-        salt = struct.pack('!H', random_generator.randrange(0, 65535))
-        salt = chr(ord(salt[0]) | 1 << 7)+salt[1]
+        # create salt
+        random_value = 32768 + random_generator.randrange(0, 32767)
+        salt_raw = struct.pack('!H', random_value)
 
+        # length prefixing
         length = struct.pack("B", len(value))
-        buf = length + value
-        if len(buf) % 16 != 0:
-            buf += six.b('\x00') * (16 - (len(buf) % 16))
+        value = length + value
 
-        result = six.b(salt)
+        # zero padding
+        if len(value) % 16 != 0:
+            value += b'\x00' * (16 - (len(value) % 16))
 
-        last = self.authenticator + salt
-        while buf:
-            hash = md5_constructor(self.secret + last).digest()
-            if six.PY3:
-                for i in range(16):
-                    result += bytes((hash[i] ^ buf[i],))
-            else:
-                for i in range(16):
-                    result += chr(ord(hash[i]) ^ ord(buf[i]))
+        return salt_raw + self._salt_en_decrypt(value, salt_raw)
 
-            last = result[-16:]
-            buf = buf[16:]
+    def SaltDecrypt(self, value):
+        """ SaltDecrypt
 
-        return result
+        :param value:   encrypted value including salt
+        :type:          binary string
+        :return:        decrypted plaintext string
+        :rtype:         unicode string
+        """
+        # extract salt
+        salt = value[:2]
+
+        # decrypt
+        value = self._salt_en_decrypt(value[2:], salt)
+
+        # remove padding
+        length = value[0]
+        value = value[1:length+1]
+
+        return value
 
 
 class AuthPacket(Packet):
-    def __init__(self, code=AccessRequest, id=None, secret=six.b(''),
-            authenticator=None, **attributes):
+    def __init__(self, code=AccessRequest, id=None, secret=b'',
+                 authenticator=None, auth_type='pap', **attributes):
         """Constructor
 
         :param code:   packet type code
@@ -607,9 +672,9 @@ class AuthPacket(Packet):
         :param packet: raw packet to decode
         :type packet:  string
         """
+
         Packet.__init__(self, code, id, secret, authenticator, **attributes)
-        if 'packet' in attributes:
-            self.raw_packet = attributes['packet']
+        self.auth_type = auth_type
 
     def CreateReply(self, **attributes):
         """Create a new packet as a reply to this one. This method
@@ -618,7 +683,7 @@ class AuthPacket(Packet):
         """
         return AuthPacket(AccessAccept, self.id,
                           self.secret, self.authenticator, dict=self.dict,
-                          **attributes)
+                          auth_type=self.auth_type, **attributes)
 
     def RequestPacket(self):
         """Create a ready-to-transmit authentication request packet.
@@ -638,40 +703,61 @@ class AuthPacket(Packet):
             self._refresh_message_authenticator()
 
         attr = self._PktEncodeAttributes()
+        if self.auth_type == 'eap-md5':
+            header = struct.pack(
+                '!BBH16s', self.code, self.id, (20 + 18 + len(attr)), self.authenticator
+            )
+            digest = hmac_new(
+                self.secret,
+                header
+                + attr
+                + struct.pack('!BB16s', 80, struct.calcsize('!BB16s'), b''),
+            ).digest()
+            return (
+                header
+                + attr
+                + struct.pack('!BB16s', 80, struct.calcsize('!BB16s'), digest)
+            )
+
         header = struct.pack('!BBH16s', self.code, self.id,
                              (20 + len(attr)), self.authenticator)
 
         return header + attr
 
     def PwDecrypt(self, password):
-        """Obfuscate a RADIUS password. RADIUS hides passwords in packets by
+        """De-Obfuscate a RADIUS password. RADIUS hides passwords in packets by
         using an algorithm based on the MD5 hash of the packet authenticator
         and RADIUS secret. This function reverses the obfuscation process.
 
+        Although RFC2865 does not explicitly state UTF-8 for the password field,
+        the rest of RFC2865 defines UTF-8 as the encoding expected for the decrypted password.
+
+
         :param password: obfuscated form of password
         :type password:  binary string
         :return:         plaintext password
         :rtype:          unicode string
         """
         buf = password
-        pw = six.b('')
+        pw = b''
 
         last = self.authenticator
         while buf:
             hash = md5_constructor(self.secret + last).digest()
-            if six.PY3:
-                for i in range(16):
-                    pw += bytes((hash[i] ^ buf[i],))
-            else:
-                for i in range(16):
-                    pw += chr(ord(hash[i]) ^ ord(buf[i]))
-
+            for i in range(16):
+                pw += bytes((hash[i] ^ buf[i],))
             (last, buf) = (buf[:16], buf[16:])
 
-        while pw.endswith(six.b('\x00')):
+        # This is safe even with UTF-8 encoding since no valid encoding of UTF-8
+        # (other than encoding U+0000 NULL) will produce a bytestream containing 0x00 byte.
+        while pw.endswith(b'\x00'):
             pw = pw[:-1]
 
-        return pw.decode('utf-8')
+        # If the shared secret with the client is not the same, then de-obfuscating the password
+        # field may yield illegal UTF-8 bytes. Therefore, in order not to provoke an Exception here
+        # (which would be not consistently generated since this will depend on the random data
+        # chosen by the client) we simply ignore un-parsable UTF-8 sequences.
+        return pw.decode('utf-8', errors="ignore")
 
     def PwCrypt(self, password):
         """Obfuscate password.
@@ -690,25 +776,20 @@ class AuthPacket(Packet):
         if self.authenticator is None:
             self.authenticator = self.CreateAuthenticator()
 
-        if isinstance(password, six.text_type):
+        if isinstance(password, str):
             password = password.encode('utf-8')
 
         buf = password
         if len(password) % 16 != 0:
-            buf += six.b('\x00') * (16 - (len(password) % 16))
+            buf += b'\x00' * (16 - (len(password) % 16))
 
-        result = six.b('')
+        result = b''
 
         last = self.authenticator
         while buf:
             hash = md5_constructor(self.secret + last).digest()
-            if six.PY3:
-                for i in range(16):
-                    result += bytes((hash[i] ^ buf[i],))
-            else:
-                for i in range(16):
-                    result += chr(ord(hash[i]) ^ ord(buf[i]))
-
+            for i in range(16):
+                result += bytes((hash[i] ^ buf[i],))
             last = result[-16:]
             buf = buf[16:]
 
@@ -726,16 +807,14 @@ class AuthPacket(Packet):
         if not self.authenticator:
             self.authenticator = self.CreateAuthenticator()
 
-        if isinstance(userpwd, six.text_type):
+        if isinstance(userpwd, str):
             userpwd = userpwd.strip().encode('utf-8')
 
         chap_password = tools.DecodeOctets(self.get(3)[0])
         if len(chap_password) != 17:
             return False
 
-        chapid = chap_password[0]
-        if six.PY3:
-            chapid = chr(chapid).encode('utf-8')
+        chapid = chap_password[:1]
         password = chap_password[1:]
 
         challenge = self.authenticator
@@ -746,11 +825,11 @@ class AuthPacket(Packet):
     def VerifyAuthRequest(self):
         """Verify request authenticator.
 
-        :return: True if verification failed else False
+        :return: True if verification passed else False
         :rtype: boolean
         """
-        assert(self.raw_packet)
-        hash = md5_constructor(self.raw_packet[0:4] + 16 * six.b('\x00') +
+        assert (self.raw_packet)
+        hash = md5_constructor(self.raw_packet[0:4] + 16 * b'\x00' +
                                self.raw_packet[20:] + self.secret).digest()
         return hash == self.authenticator
 
@@ -760,7 +839,7 @@ class AcctPacket(Packet):
     of the generic :obj:`Packet` class for accounting packets.
     """
 
-    def __init__(self, code=AccountingRequest, id=None, secret=six.b(''),
+    def __init__(self, code=AccountingRequest, id=None, secret=b'',
                  authenticator=None, **attributes):
         """Constructor
 
@@ -776,8 +855,6 @@ class AcctPacket(Packet):
         :type packet:  string
         """
         Packet.__init__(self, code, id, secret, authenticator, **attributes)
-        if 'packet' in attributes:
-            self.raw_packet = attributes['packet']
 
     def CreateReply(self, **attributes):
         """Create a new packet as a reply to this one. This method
@@ -791,12 +868,12 @@ class AcctPacket(Packet):
     def VerifyAcctRequest(self):
         """Verify request authenticator.
 
-        :return: False if verification failed else True
+        :return: True if verification passed else False
         :rtype: boolean
         """
-        assert(self.raw_packet)
+        assert (self.raw_packet)
 
-        hash = md5_constructor(self.raw_packet[0:4] + 16 * six.b('\x00') +
+        hash = md5_constructor(self.raw_packet[0:4] + 16 * b'\x00' +
                                self.raw_packet[20:] + self.secret).digest()
 
         return hash == self.authenticator
@@ -818,7 +895,7 @@ class AcctPacket(Packet):
 
         attr = self._PktEncodeAttributes()
         header = struct.pack('!BBH', self.code, self.id, (20 + len(attr)))
-        self.authenticator = md5_constructor(header[0:4] + 16 * six.b('\x00') +
+        self.authenticator = md5_constructor(header[0:4] + 16 * b'\x00' +
                                              attr + self.secret).digest()
 
         ans = header + self.authenticator + attr
@@ -831,8 +908,8 @@ class CoAPacket(Packet):
     of the generic :obj:`Packet` class for CoA packets.
     """
 
-    def __init__(self, code=CoARequest, id=None, secret=six.b(''),
-            authenticator=None, **attributes):
+    def __init__(self, code=CoARequest, id=None, secret=b'',
+                 authenticator=None, **attributes):
         """Constructor
 
         :param dict:   RADIUS dictionary
@@ -847,8 +924,6 @@ class CoAPacket(Packet):
         :type packet:  string
         """
         Packet.__init__(self, code, id, secret, authenticator, **attributes)
-        if 'packet' in attributes:
-            self.raw_packet = attributes['packet']
 
     def CreateReply(self, **attributes):
         """Create a new packet as a reply to this one. This method
@@ -862,11 +937,11 @@ class CoAPacket(Packet):
     def VerifyCoARequest(self):
         """Verify request authenticator.
 
-        :return: False if verification failed else True
+        :return: True if verification passed else False
         :rtype: boolean
         """
-        assert(self.raw_packet)
-        hash = md5_constructor(self.raw_packet[0:4] + 16 * six.b('\x00') +
+        assert (self.raw_packet)
+        hash = md5_constructor(self.raw_packet[0:4] + 16 * b'\x00' +
                                self.raw_packet[20:] + self.secret).digest()
         return hash == self.authenticator
 
@@ -885,13 +960,13 @@ class CoAPacket(Packet):
             self.id = self.CreateID()
 
         header = struct.pack('!BBH', self.code, self.id, (20 + len(attr)))
-        self.authenticator = md5_constructor(header[0:4] + 16 * six.b('\x00') +
+        self.authenticator = md5_constructor(header[0:4] + 16 * b'\x00' +
                                              attr + self.secret).digest()
 
         if self.message_authenticator:
             self._refresh_message_authenticator()
             attr = self._PktEncodeAttributes()
-            self.authenticator = md5_constructor(header[0:4] + 16 * six.b('\x00') +
+            self.authenticator = md5_constructor(header[0:4] + 16 * b'\x00' +
                                                  attr + self.secret).digest()
 
         return header + self.authenticator + attr