From: Alan T. DeKok Date: Mon, 27 Jun 2011 11:04:46 +0000 (+0200) Subject: Fix calculation of response authenticator X-Git-Tag: release_3_0_0_beta0~751 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d1aa1828f18b0ec56ede68820df66b26945dbbb;p=thirdparty%2Ffreeradius-server.git Fix calculation of response authenticator The Status-Server packet can get an Accounting-Response packet in return. Since the Status-Server has a random authentication vector, the response needs to be calculated using that. We can't use the normal Accounting-Response calculation. Oops. No one found this in RFC 5997. --- diff --git a/src/lib/radius.c b/src/lib/radius.c index 034410e3884..5eb3ae3185b 100644 --- a/src/lib/radius.c +++ b/src/lib/radius.c @@ -1787,8 +1787,12 @@ int rad_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original, uint8_t calc_auth_vector[AUTH_VECTOR_LEN]; switch (packet->code) { - case PW_ACCOUNTING_REQUEST: case PW_ACCOUNTING_RESPONSE: + if (original && original->code == PW_STATUS_SERVER) { + goto do_ack; + } + + case PW_ACCOUNTING_REQUEST: case PW_DISCONNECT_REQUEST: case PW_DISCONNECT_ACK: case PW_DISCONNECT_NAK: @@ -1798,6 +1802,7 @@ int rad_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original, memset(hdr->vector, 0, AUTH_VECTOR_LEN); break; + do_ack: case PW_AUTHENTICATION_ACK: case PW_AUTHENTICATION_REJECT: case PW_ACCESS_CHALLENGE: @@ -2595,8 +2600,13 @@ int rad_verify(RADIUS_PACKET *packet, RADIUS_PACKET *original, default: break; - case PW_ACCOUNTING_REQUEST: case PW_ACCOUNTING_RESPONSE: + if (original && + (original->code == PW_STATUS_SERVER)) { + goto do_ack; + } + + case PW_ACCOUNTING_REQUEST: case PW_DISCONNECT_REQUEST: case PW_DISCONNECT_ACK: case PW_DISCONNECT_NAK: @@ -2606,6 +2616,7 @@ int rad_verify(RADIUS_PACKET *packet, RADIUS_PACKET *original, memset(packet->data + 4, 0, AUTH_VECTOR_LEN); break; + do_ack: case PW_AUTHENTICATION_ACK: case PW_AUTHENTICATION_REJECT: case PW_ACCESS_CHALLENGE: