FR_RADIUS_CODE_DISCONNECT_ACK, //!< RFC3575/RFC5176 - Disconnect-Ack (positive)
FR_RADIUS_CODE_DISCONNECT_NAK, //!< RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
FR_RADIUS_CODE_COA_REQUEST, //!< RFC3575/RFC5176 - CoA-Request
- FR_RADIUS_CODE_COA_ACK, //!< RFC3575/RFC5176 - CoA-Ack (positive)
- FR_RADIUS_CODE_COA_NAK, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform)
+ FR_RADIUS_CODE_COA_ACK, //!< RFC3575/RFC5176 - CoA-Ack (positive)
+ FR_RADIUS_CODE_COA_NAK, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform)
};
static fr_table_num_sorted_t const rs_events[] = {
return;
}
- if (conf->verify_radius_authenticator && original) {
+ if (conf->verify_radius_authenticator) {
int ret;
FILE *log_fp = fr_log_fp;
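Review bot: Dropping `&& original` from the guard means this block now also runs for packets that have no matched request, so every use of `original` inside it has to tolerate NULL. The body of the block continues past the end of this hunk, so whether that is handled is not visible here; any remaining read through the pointer would be a NULL dereference on input the process does not control. I would add `/* original may be NULL here: unmatched packets are verified too */` above the `if`, and make each use of `original` in the block conditional.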
if (conf->verify_radius_authenticator) {
switch (packet->code) {
+ case FR_RADIUS_CODE_ACCESS_REQUEST: /* Even though this is just random bytes, we still might need to check Message-Authenticator */
case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
case FR_RADIUS_CODE_COA_REQUEST:
case FR_RADIUS_CODE_DISCONNECT_REQUEST:
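Review bot: The new `case FR_RADIUS_CODE_ACCESS_REQUEST:` label shares its handling with the Accounting, CoA and Disconnect requests, yet its own comment says the Request Authenticator is only random bytes, so Message-Authenticator is the only field that can be checked for this code. The body of the case group is outside the hunk, so it is not visible what is reported for an Access-Request that carries no Message-Authenticator at all; that packet should not be reported as verified. I would move the trailing comment onto its own lines above the label and have it state that outcome explicitly, once confirmed against the verify routine.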
}
/*
- * Implement verification as a signature, followed by
- * checking our signature against the sent one. This is
- * slightly more CPU work than having verify-specific
- * functions, but it ends up being cleaner in the code.
+ * Overwrite the contents of Message-Authenticator
+ * with the one we calculate.
*/
rcode = fr_radius_sign(packet, vector, secret, secret_len);
if (rcode < 0) {
* If it's invalid, restore the original
* Message-Authenticator and Request Authenticator
* fields.
+ *
+ * If it's valid the original and calculated
+ * message authenticators are the same, so we don't
+ * need to do anything.
*/
if ((msg < end) &&
(fr_digest_cmp(message_authenticator, msg + 2, sizeof(message_authenticator)) != 0)) {
void fr_radius_global_free(void)
{
- fr_assert(instance_count > 0);
-
- if (--instance_count > 0) return;
+ if (--instance_count != 0) return;
fr_dict_autofree(libfreeradius_radius_dict);
}
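Review bot: With `fr_assert(instance_count > 0)` removed, an unbalanced call to fr_radius_global_free() decrements a zero counter and returns quietly, leaving it negative or wrapped (the type of `instance_count` is not visible in this hunk). The count is then out of step with the real number of users, so `fr_dict_autofree()` can be skipped for good. An init path that keys off a non-zero count, if there is one, would then treat the dictionary as already loaded. I would guard the decrement rather than drop the check, with `if (instance_count == 0) return;` placed before `if (--instance_count != 0) return;`.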