From: Bjørn Mork
Date: Tue, 27 Mar 2012 08:57:36 +0000 (+0200)
Subject: Decode encrypted VSAs in requests
X-Git-Tag: release_2_2_0~149
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e4093d54ebb073bc674f0c19a587ebdb6856a4c;p=thirdparty%2Ffreeradius-server.git

Decode encrypted VSAs in requests

Incoming CoA requests can contain encrypted VSAs. At least one vendor is known to use this. These VSAs must be decrypted before being proxied to enable the server to re-encrypt them using the correct home server secret. Fix by attempting to decode any encrypted request attribute using a static vector of \0 bytes. This also fixes debug logging of encrypted request attributes.

Signed-off-by: Bjørn Mork
---
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 824f70b227b..31948547872 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -67,6 +67,7 @@ typedef struct radius_packet_t {
 static fr_randctx fr_rand_pool; /* across multiple calls */
 static int fr_rand_initialized = 0;
 static unsigned int salt_offset = 0;
+static uint8_t nullvector[AUTH_VECTOR_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* for CoA decode */
 
 const char *fr_packet_codes[FR_MAX_PACKET_CODE] = {
 	"",
@@ -2290,12 +2291,9 @@ static VALUE_PAIR *data2vp(const RADIUS_PACKET *packet,
 	 * in response packets.
 	 */
 	case FLAG_ENCRYPT_TUNNEL_PASSWORD:
-		if (!original) goto raw;
-
-		if (rad_tunnel_pwdecode(vp->vp_octets, &vp->length,
-					secret, original->vector) < 0) {
+		if (rad_tunnel_pwdecode(vp->vp_octets, &vp->length, secret,
+					original ? original->vector : nullvector) < 0)
 			goto raw;
-		}
 		break;
 
 	/*
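Review bot: The new `nullvector` is a writable file-scope array that is only ever read, so it should be `const` and zero-filled with the idiomatic initializer: `static const uint8_t nullvector[AUTH_VECTOR_LEN] = { 0 }; /* all-zero "Request Authenticator" for CoA/Disconnect decode */` — that way a decoder that ever wrote through its vector argument would be a compile error rather than silently corrupting the vector shared by every later decode (this assumes `rad_tunnel_pwdecode` takes its vector as `const uint8_t *`; if it does not, the ternary in the second hunk will need the cast or the prototype should be fixed). The `/* for CoA decode */` comment should also say why zeros are correct, which the commit message does not: presumably the vendor encrypts against the 16 zero octets that stand in for the Request Authenticator when a CoA/Disconnect-Request authenticator is computed — worth confirming and recording next to the definition so the next reader does not mistake it for a placeholder.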
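Review bot: The null-vector fallback in the `FLAG_ENCRYPT_TUNNEL_PASSWORD` case fires for every packet decoded without an `original`, not only the CoA requests the commit message targets, so an Access-Request or Accounting-Request carrying this attribute is now "decrypted" with a vector the sender never used; whatever survives `rad_tunnel_pwdecode`'s sanity checks is then logged and proxied as plaintext instead of being kept raw as before. Restrict the fallback to the packet codes the change is for, e.g. `if (!original && packet->code != 43 /* CoA-Request */ && packet->code != 40 /* Disconnect-Request */) goto raw;` ahead of the call (using the tree's named constants for those RFC 5176 codes if it has them), so the old `goto raw` behaviour is preserved everywhere else. The enclosing `data2vp` switch starts and ends outside this hunk, so I cannot see whether the same fallback was intended for the other encrypted-flag cases.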