From: Alan T. DeKok Date: Thu, 25 Jan 2024 01:12:48 +0000 (-0500) Subject: move to using request_authenticator for encode, too X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2046a02625baae5ebed3e62c604a9d8399e8832d;p=thirdparty%2Ffreeradius-server.git move to using request_authenticator for encode, too --- diff --git a/src/protocols/radius/base.c b/src/protocols/radius/base.c index 2d5c5b31032..cfb8bc05f91 100644 --- a/src/protocols/radius/base.c +++ b/src/protocols/radius/base.c @@ -875,6 +875,7 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original, common_ctx.secret_length = secret_len; packet_ctx.common = &common_ctx; + packet_ctx.request_authenticator = common_ctx.vector; packet_ctx.rand_ctx.a = fr_rand(); packet_ctx.rand_ctx.b = fr_rand(); packet_ctx.disallow_tunnel_passwords = disallow_tunnel_passwords[code]; diff --git a/src/protocols/radius/encode.c b/src/protocols/radius/encode.c index d71841d962f..b7a1bdd5f80 100644 --- a/src/protocols/radius/encode.c +++ b/src/protocols/radius/encode.c @@ -190,7 +190,7 @@ static ssize_t encode_tunnel_password(fr_dbuff_t *dbuff, fr_dbuff_marker_t *in, fr_md5_update(md5_ctx, (uint8_t const *) packet_ctx->common->secret, talloc_array_length(packet_ctx->common->secret) - 1); fr_md5_ctx_copy(md5_ctx_old, md5_ctx); - fr_md5_update(md5_ctx, packet_ctx->common->vector, RADIUS_AUTH_VECTOR_LENGTH); + fr_md5_update(md5_ctx, packet_ctx->request_authenticator, RADIUS_AUTH_VECTOR_LENGTH); fr_md5_update(md5_ctx, &tpasswd[0], 2); /* @@ -506,7 +506,7 @@ static ssize_t encode_value(fr_dbuff_t *dbuff, * Encode the password in place */ slen = encode_password(&work_dbuff, &value_start, fr_dbuff_used(&value_dbuff), - packet_ctx->common->secret, packet_ctx->common->vector); + packet_ctx->common->secret, packet_ctx->request_authenticator); if (slen < 0) return slen; encrypted = true; break; 
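Review bot: The new `packet_ctx.request_authenticator = common_ctx.vector;` in fr_radius_encode_dbuff stores an alias to the array, not a copy, and nothing in the hunk shows `common_ctx.vector` being filled before the attribute encoders read through it. Because it is an alias, a later write into `common_ctx.vector` would still be visible, but that ordering dependency is not apparent at this line. A comment such as `/* aliases common_ctx.vector; it must hold the Request Authenticator before any attribute is encoded */` would make it explicit. The pointer must also not be kept beyond the lifetime of `common_ctx`, whose declaration is outside the hunk, as are the start and end of the function body.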
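Review bot: `packet_ctx->request_authenticator` is read for RADIUS_AUTH_VECTOR_LENGTH bytes in encode_tunnel_password without a NULL check. The `common->vector` it replaces appears to be an array embedded in the struct (the removed test line took `sizeof` of it), so it could never be NULL. Only two initialisers are updated in this commit, so any other code that builds an encode context without setting the new field would presumably hand NULL to `fr_md5_update`. The same applies to the `encode_password` and `fr_radius_ascend_secret` calls in the two encode_value hunks. A guard on each path, for example `if (!packet_ctx->request_authenticator) return -1;`, would fail closed instead of hiding the password with whatever the pointer happens to reference; the bodies of both functions continue outside the hunks.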
@@ -557,7 +557,7 @@ static ssize_t encode_value(fr_dbuff_t *dbuff, * there can pass a marker so we can use it here, too. */ slen = fr_radius_ascend_secret(&work_dbuff, fr_dbuff_current(&value_start), fr_dbuff_used(&value_dbuff), - packet_ctx->common->secret, packet_ctx->common->vector); + packet_ctx->common->secret, packet_ctx->request_authenticator); if (slen < 0) return slen; encrypted = true; break; @@ -1680,7 +1680,7 @@ static int encode_test_ctx(void **out, TALLOC_CTX *ctx) test_ctx->common->secret = talloc_strdup(test_ctx->common, "testing123"); test_ctx->common->secret_length = talloc_array_length(test_ctx->common->secret); - memcpy(test_ctx->common->vector, vector, sizeof(test_ctx->common->vector)); + test_ctx->request_authenticator = vector; test_ctx->rand_ctx.a = 6809; test_ctx->rand_ctx.b = 2112; talloc_set_destructor(test_ctx, _test_ctx_free); diff --git a/src/protocols/radius/radius.h b/src/protocols/radius/radius.h index c8b5019a2d1..56c11a88c2e 100644 --- a/src/protocols/radius/radius.h +++ b/src/protocols/radius/radius.h @@ -122,6 +122,8 @@ typedef struct { typedef struct { fr_radius_ctx_t *common; + uint8_t const *request_authenticator; + fr_fast_rand_t rand_ctx; //!< for tunnel passwords int salt_offset; //!< for tunnel passwords
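Review bot: `test_ctx->request_authenticator = vector;` in encode_test_ctx borrows `vector` instead of copying it, so the test context is only valid for as long as `vector` is. Its declaration is outside the hunk, and if it does not have static storage duration the pointer dangles once encode_test_ctx returns. The change also stops populating `test_ctx->common->vector`, so any encoder path that still reads the array would see different bytes than the pointer does; it is worth confirming that no such reader remains. A comment like `/* vector must have static storage duration; the ctx only borrows it */` would record the requirement.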
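Review bot: The new `request_authenticator` member in radius.h has no `//!<` description, unlike the `rand_ctx` and `salt_offset` members that follow it. As a bare `uint8_t const *` it carries no length or ownership information. I would declare it as `uint8_t const *request_authenticator; //!< borrowed pointer to RADIUS_AUTH_VECTOR_LENGTH bytes; must be set before encoding and outlive the ctx`. The struct definition continues outside the hunk, so its name and remaining members are not visible here.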