switch (code) {
case FR_RADIUS_CODE_ACCESS_REQUEST:
case FR_RADIUS_CODE_STATUS_SERVER:
+ packet_ctx.disallow_tunnel_passwords = true;
+
/*
- * Callers in these cases have preloaded the buffer with the authentication vector.
+ * Callers in these cases have preloaded the buffer with the authentication vector.
*/
FR_DBUFF_OUT_MEMCPY_RETURN(packet_ctx.vector, &work_dbuff, sizeof(packet_ctx.vector));
break;
- case FR_RADIUS_CODE_ACCESS_ACCEPT:
case FR_RADIUS_CODE_ACCESS_REJECT:
case FR_RADIUS_CODE_ACCESS_CHALLENGE:
case FR_RADIUS_CODE_ACCOUNTING_RESPONSE:
case FR_RADIUS_CODE_DISCONNECT_ACK:
case FR_RADIUS_CODE_DISCONNECT_NAK:
case FR_RADIUS_CODE_PROTOCOL_ERROR:
+ packet_ctx.disallow_tunnel_passwords = true;
+ FALL_THROUGH;
+
+ case FR_RADIUS_CODE_ACCESS_ACCEPT:
if (!original) {
fr_strerror_const("Cannot encode response without request");
return -1;
break;
case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
- case FR_RADIUS_CODE_COA_REQUEST:
case FR_RADIUS_CODE_DISCONNECT_REQUEST:
+ packet_ctx.disallow_tunnel_passwords = true;
+ FALL_THROUGH;
+
+ /*
+ * Tunnel-Password encoded attributes are allowed
+ * in CoA-Request packets, by RFC 5176 Section
+ * 3.6. HOWEVER, the tunnel passwords are
+ * "encrypted" using the Request Authenticator,
+ * which is all zeros! That makes them much
+ * easier to decrypt. The only solution here is
+ * to say "don't do that!"
+ */
+ case FR_RADIUS_CODE_COA_REQUEST:
memset(packet_ctx.vector, 0, sizeof(packet_ctx.vector));
FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, RADIUS_AUTH_VECTOR_LENGTH);
break;
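Review bot: The new `disallow_tunnel_passwords = true` assignments default to permit: a packet code that reaches a case without one of the three new assignments (or any code added to this switch later) encodes Tunnel-Password attributes with whatever value `packet_ctx.disallow_tunnel_passwords` had beforehand, which is presumably false if the struct is zero-initialised. Since Access-Accept is the only code this hunk leaves permissive, the same policy reads fail-closed if the flag is set once before the switch and cleared only there: `packet_ctx.disallow_tunnel_passwords = true;` ahead of `switch (code) {`, and `packet_ctx.disallow_tunnel_passwords = false;` as the first statement under `case FR_RADIUS_CODE_ACCESS_ACCEPT:`, dropping the three repeated assignments and the `FALL_THROUGH` that exists only to carry them. The enclosing function, the initialisation of `packet_ctx` and any `default:` label are outside the hunk, so whether the struct is zeroed before the switch needs confirming. It would also help to say at the switch what the encoder does when the flag is set and a Tunnel-Password attribute is encountered (error versus silently skipped), since the hunk sets the policy but not its effect.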
char const *secret; //!< shared secret. MUST be talloc'd
fr_fast_rand_t rand_ctx; //!< for tunnel passwords
int salt_offset; //!< for tunnel passwords
- bool tunnel_password_zeros;
+ bool tunnel_password_zeros; //!< check for trailing zeros on decode
+ bool disallow_tunnel_passwords; //!< not all packets can have tunnel passwords
uint8_t tag; //!< current tag for encoding
fr_radius_tag_ctx_t **tags; //!< for decoding tagged attributes