Support signing of RADIUS accounting messages

diff --git a/src/libcharon/plugins/eap_radius/radius_message.c b/src/libcharon/plugins/eap_radius/radius_message.c
index 35f37414b9dc1054d24e97bab3750ec2e9df9baf..b62745ad2d485945a4a0907d1c582b25cfd8773b 100644 (file)
--- a/src/libcharon/plugins/eap_radius/radius_message.c
+++ b/src/libcharon/plugins/eap_radius/radius_message.c
@@ -272,19 +272,32 @@ METHOD(radius_message_t, add, void,
 }
 
 METHOD(radius_message_t, sign, void,
-       private_radius_message_t *this, rng_t *rng, signer_t *signer)
+       private_radius_message_t *this, rng_t *rng, signer_t *signer,
+       hasher_t *hasher, chunk_t secret)
 {
-       char buf[HASH_SIZE_MD5];
+       if (this->msg->code == RMC_ACCOUNTING_REQUEST)
+       {
+               chunk_t msg;
 
-       /* build Request-Authenticator */
-       rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+               memset(this->msg->authenticator, 0, sizeof(this->msg->authenticator));
+               msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
+               hasher->get_hash(hasher, msg, NULL);
+               hasher->get_hash(hasher, secret, this->msg->authenticator);
+       }
+       else
+       {
+               char buf[HASH_SIZE_MD5];
 
-       /* build Message-Authenticator attribute, using 16 null bytes */
-       memset(buf, 0, sizeof(buf));
-       add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
-       signer->get_signature(signer,
+               /* build Request-Authenticator */
+               rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+
+               /* build Message-Authenticator attribute, using 16 null bytes */
+               memset(buf, 0, sizeof(buf));
+               add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
+               signer->get_signature(signer,
                                chunk_create((u_char*)this->msg, ntohs(this->msg->length)),
                                ((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
+       }
 }
 
 METHOD(radius_message_t, verify, bool,

diff --git a/src/libcharon/plugins/eap_radius/radius_message.h b/src/libcharon/plugins/eap_radius/radius_message.h
index 18a2bcec152b43465ee29745479e26dd641a91b3..1920931ce534ef320c3ac0931e0b1376dae4e620 100644 (file)
--- a/src/libcharon/plugins/eap_radius/radius_message.h
+++ b/src/libcharon/plugins/eap_radius/radius_message.h
@@ -238,8 +238,11 @@ struct radius_message_t {
         *
         * @param rng                   RNG to create Request-Authenticator
         * @param signer                HMAC-MD5 signer with secret set
+        * @param hasher                MD5 hasher
+        * @param secret                shared RADIUS secret
         */
-       void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer);
+       void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer,
+                                hasher_t *hasher, chunk_t secret);
 
        /**
         * Verify the integrity of a received RADIUS response.

diff --git a/src/libcharon/plugins/eap_radius/radius_socket.c b/src/libcharon/plugins/eap_radius/radius_socket.c
index b3229c28872cd3ce33e946ee47326f3c9c59bf21..46513ee570fa20c227fcbac78fe1047208d05c5c 100644 (file)
--- a/src/libcharon/plugins/eap_radius/radius_socket.c
+++ b/src/libcharon/plugins/eap_radius/radius_socket.c
@@ -132,7 +132,7 @@ METHOD(radius_socket_t, request, radius_message_t*,
        /* set Message Identifier */
        request->set_identifier(request, this->identifier++);
        /* sign the request */
-       request->sign(request, this->rng, this->signer);
+       request->sign(request, this->rng, this->signer, this->hasher, this->secret);
 
        if (!check_connection(this))
        {