Decode encrypted VSAs in requests
authorBjørn Mork <bjorn@mork.no>
Tue, 27 Mar 2012 08:57:36 +0000 (10:57 +0200)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 27 Mar 2012 11:58:06 +0000 (13:58 +0200)
Incoming CoA requests can contain encrypted VSAs.  At least one
vendor is known to use this. These VSAs must be decrypted before
being proxied to enable the server to re-encrypt them using
the correct home server secret.

Fix by attempting to decode any encrypted request attribute using
a static vector of \0 bytes.

This also fixes debug logging of encrypted request attributes.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
src/lib/radius.c

index 824f70b227bb510e38d0c297d59c4bde15f5542d..3194854787210802b287db3c2c8cedb41926018a 100644 (file)
@@ -67,6 +67,7 @@ typedef struct radius_packet_t {
 static fr_randctx fr_rand_pool;        /* across multiple calls */
 static int fr_rand_initialized = 0;
 static unsigned int salt_offset = 0;
+static uint8_t nullvector[AUTH_VECTOR_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* for CoA decode */
 
 const char *fr_packet_codes[FR_MAX_PACKET_CODE] = {
   "",
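Review bot: `nullvector` on the added line is a writable file-scope global even though it is only ever read as an authenticator, so any later code that takes it by non-const pointer could silently change the vector every CoA decode relies on; if `rad_tunnel_pwdecode` takes its vector as `const uint8_t *` (its prototype is not visible here), declare it `static const uint8_t nullvector[AUTH_VECTOR_LEN] = { 0 };`, which also keeps the initializer correct should AUTH_VECTOR_LEN ever change. The trailing comment only says "for CoA decode"; a reader would want the reason, e.g. `/* CoA/Disconnect requests carry no original packet; their attributes are presumably encrypted against a zeroed Request Authenticator (RFC 5176) */`, hedged until confirmed against the vendor's behaviour.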
@@ -2290,12 +2291,9 @@ static VALUE_PAIR *data2vp(const RADIUS_PACKET *packet,
                 *      in response packets.
                 */
        case FLAG_ENCRYPT_TUNNEL_PASSWORD:
-               if (!original) goto raw;
-
-               if (rad_tunnel_pwdecode(vp->vp_octets, &vp->length,
-                                       secret, original->vector) < 0) {
+               if (rad_tunnel_pwdecode(vp->vp_octets, &vp->length, secret,
+                                       original ? original->vector : nullvector) < 0)
                        goto raw;
-               }
                break;
 
                /*
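Review bot: The zero-vector fallback on the changed lines applies to every packet that has no `original`, not only to the CoA requests the commit message describes; an Access-Request's authenticator is random, so a tunnel-password-style attribute in one would now be decrypted with the wrong key material, and if `rad_tunnel_pwdecode` only validates the embedded length byte (its body is not shown) a wrong-key decrypt can pass that check and hand garbage to the proxy path instead of falling back to `raw` as before. Consider keeping the old behaviour for packet codes where a zeroed authenticator is not what the sender used, e.g. `if (!original && packet->code != PW_COA_REQUEST && packet->code != PW_DISCONNECT_REQUEST) goto raw;` ahead of the call, using whatever constants this file defines for those codes. The enclosing `switch` in data2vp starts and continues outside the hunk.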