Ensure that the authentication vectors are always updated

diff --git a/src/lib/radius.c b/src/lib/radius.c
index a8da6b7e16a96517b961e15bda7fc12de4d2a13c..592dbd3a395d0892e6edcfd7b7769a1f9a5e0347 100644 (file)
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -1931,43 +1931,47 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
        }
 
        /*
-        *      If there's a Message-Authenticator, update it
-        *      now, BEFORE updating the authentication vector.
+        *      Set up the authentication vector with zero, or with
+        *      the original vector, prior to signing.
         */
-       if (packet->offset > 0) {
-               uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
-
-               switch (packet->code) {
-               case PW_CODE_ACCOUNTING_RESPONSE:
-                       if (original && original->code == PW_CODE_STATUS_SERVER) {
-                               goto do_ack;
-                       }
+       switch (packet->code) {
+       case PW_CODE_ACCOUNTING_RESPONSE:
+               if (original && original->code == PW_CODE_STATUS_SERVER) {
+                       goto do_ack;
+               }
 
-               case PW_CODE_ACCOUNTING_REQUEST:
-               case PW_CODE_DISCONNECT_REQUEST:
-               case PW_CODE_DISCONNECT_ACK:
-               case PW_CODE_DISCONNECT_NAK:
-               case PW_CODE_COA_REQUEST:
-               case PW_CODE_COA_ACK:
-                       memset(hdr->vector, 0, AUTH_VECTOR_LEN);
-                       break;
+       case PW_CODE_ACCOUNTING_REQUEST:
+       case PW_CODE_DISCONNECT_REQUEST:
+       case PW_CODE_DISCONNECT_ACK:
+       case PW_CODE_DISCONNECT_NAK:
+       case PW_CODE_COA_REQUEST:
+       case PW_CODE_COA_ACK:
+               memset(hdr->vector, 0, AUTH_VECTOR_LEN);
+               memset(packet->vector, 0, AUTH_VECTOR_LEN);
+               break;
 
-               do_ack:
-               case PW_CODE_ACCESS_ACCEPT:
-               case PW_CODE_ACCESS_REJECT:
-               case PW_CODE_ACCESS_CHALLENGE:
-                       if (!original) {
-                               fr_strerror_printf("ERROR: Cannot sign response packet without a request packet");
-                               return -1;
-                       }
-                       memcpy(hdr->vector, original->vector,
-                              AUTH_VECTOR_LEN);
-                       break;
+       do_ack:
+       case PW_CODE_ACCESS_ACCEPT:
+       case PW_CODE_ACCESS_REJECT:
+       case PW_CODE_ACCESS_CHALLENGE:
+               if (!original) {
+                       fr_strerror_printf("ERROR: Cannot sign response packet without a request packet");
+                       return -1;
+               }
+               memcpy(hdr->vector, original->vector, AUTH_VECTOR_LEN);
+               memcpy(packet->vector, original->vector, AUTH_VECTOR_LEN);
+               break;
 
-               default:        /* others have vector already set to zero */
-                       break;
+       default:        /* others have vector already set to whatever */
+               break;
+       }
 
-               }
+       /*
+        *      If there's a Message-Authenticator, update it
+        *      now, using the zero / original authentication vector.
+        */
+       if (packet->offset > 0) {
+               uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
 
                /*
                 *      Set the authentication vector to zero,
@@ -1981,7 +1985,7 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
                       calc_auth_vector, AUTH_VECTOR_LEN);
 
                /*
-                *      Copy the original request vector back
+                *      Copy the request vector back
                 *      to the raw packet.
                 */
                memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
@@ -1993,7 +1997,7 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
         */
        switch (packet->code) {
                /*
-                *      Request packets are not signed, bur
+                *      Request packets are not signed, but
                 *      have a random authentication vector.
                 */
        case PW_CODE_ACCESS_REQUEST: