Create CHAP-Challenge attribute if not set
authorNick Porter <nick@portercomputing.co.uk>
Mon, 16 Jun 2025 10:35:56 +0000 (11:35 +0100)
committerNick Porter <nick@portercomputing.co.uk>
Mon, 16 Jun 2025 11:25:23 +0000 (12:25 +0100)
fr_packet_sign() re-calculates the request authenticator, so it can't be
used as CHAP-Challenge

src/bin/radclient-ng.c
src/bin/radclient.c

index 60fc4d04dcc6593d59cab9c989ddab2315216bb5..dfdb57d3f90e8b7058b223ea1c4cbe4739856cac 100644 (file)
@@ -1004,22 +1004,21 @@ static int send_one_packet(fr_bio_packet_t *client, rc_request_t *request)
                if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_password)) != NULL) {
                        uint8_t         buffer[17];
                        fr_pair_t       *challenge;
-                       uint8_t const   *vector;
 
                        /*
-                        *      Use Chap-Challenge pair if present,
-                        *      Request Authenticator otherwise.
+                        *      Use CHAP-Challenge pair if present, otherwise create CHAP-Challenge and
+                        *      populate with current Request Authenticator.
+                        *
+                        *      Request Authenticator is re-calculated by fr_packet_sign
                         */
                        challenge = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_challenge);
-                       if (challenge && (challenge->vp_length >= 7)) {
-                               vector = challenge->vp_octets;
-                       } else {
-                               vector = request->packet->vector;
+                       if (!challenge || (challenge->vp_length < 7)) {
+                               pair_update_request(challenge, attr_chap_challenge);
+                               fr_pair_value_memdup(challenge, request->packet->vector, RADIUS_AUTH_VECTOR_LENGTH, false);
                        }
 
                        fr_chap_encode(buffer,
-                                      fr_rand() & 0xff, vector,
-                                      challenge ? challenge->vp_length : RADIUS_AUTH_VECTOR_LENGTH,
+                                      fr_rand() & 0xff, challenge->vp_octets, challenge->vp_length,
                                       request->password->vp_strvalue,
                                       request->password->vp_length);
                        fr_pair_value_memdup(vp, buffer, sizeof(buffer), false);
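Review bot: In the `if (!challenge || (challenge->vp_length < 7))` branch the results of `pair_update_request()` and `fr_pair_value_memdup()` are not checked, yet `fr_chap_encode()` now reads `challenge->vp_octets` unconditionally, where the old code never dereferenced a missing pair. The macro's definition is outside the hunk, so if it can leave `challenge` NULL or the copy can fail, a guard is needed before the encode, for example `if (!challenge || fr_pair_value_memdup(challenge, request->packet->vector, RADIUS_AUTH_VECTOR_LENGTH, false) < 0) return -1;` or the function's usual error path. The comment should also state that `request->packet->vector` is expected to already hold random bytes at this point, because it is now sent as the CHAP challenge and a fixed or zeroed value would make the response predictable. The same applies to the identical hunk in src/bin/radclient.c, and send_one_packet continues outside both hunks.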
index 727d9fef7b7f10cb58ae5e82cb362fd22c5de844..f67fc443ff801e6c2a65b5ef7a723345d9c60e94 100644 (file)
@@ -1010,22 +1010,21 @@ static int send_one_packet(rc_request_t *request)
                        if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_password)) != NULL) {
                                uint8_t         buffer[17];
                                fr_pair_t       *challenge;
-                               uint8_t const   *vector;
 
                                /*
-                                *      Use Chap-Challenge pair if present,
-                                *      Request Authenticator otherwise.
+                                *      Use CHAP-Challenge pair if present, otherwise create CHAP-Challenge and
+                                *      populate with current Request Authenticator.
+                                *
+                                *      Request Authenticator is re-calculated by fr_packet_sign
                                 */
                                challenge = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_challenge);
-                               if (challenge && (challenge->vp_length >= 7)) {
-                                       vector = challenge->vp_octets;
-                               } else {
-                                       vector = request->packet->vector;
+                               if (!challenge || (challenge->vp_length < 7)) {
+                                       pair_update_request(challenge, attr_chap_challenge);
+                                       fr_pair_value_memdup(challenge, request->packet->vector, RADIUS_AUTH_VECTOR_LENGTH, false);
                                }
 
                                fr_chap_encode(buffer,
-                                              fr_rand() & 0xff, vector,
-                                              challenge ? challenge->vp_length : RADIUS_AUTH_VECTOR_LENGTH,
+                                              fr_rand() & 0xff, challenge->vp_octets, challenge->vp_length,
                                               request->password->vp_strvalue,
                                               request->password->vp_length);
                                fr_pair_value_memdup(vp, buffer, sizeof(buffer), false);
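Review bot: A CHAP-Challenge supplied by the user but shorter than 7 octets is now silently overwritten with the 16-octet Request Authenticator, so the packet sent no longer matches the input, and the comment above the lookup only describes the "not present" case. Someone using the client to check how a server handles a short challenge would get a valid-looking exchange instead, without any indication. I would document this in the comment, e.g. `* A supplied CHAP-Challenge shorter than 7 octets is replaced, not sent as-is.`, and consider logging a warning in that branch. The radclient-ng.c hunk has the same branch.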