From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 31 Dec 2015 06:41:56 +0000 (-0500)
Subject: fix for accounting packets
X-Git-Tag: release_3_0_11~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b494d2e6ca56375b7a35cd9f38a3f71ce367357;p=thirdparty%2Ffreeradius-server.git

fix for accounting packets
---

diff --git a/src/lib/radius.c b/src/lib/radius.c
index cc2d08d5ea6..d9d37efdedb 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -1935,36 +1935,37 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
 	 *	the original vector, prior to signing.
 	 */
 	switch (packet->code) {
-	case PW_CODE_ACCOUNTING_RESPONSE:
-		if (original && original->code == PW_CODE_STATUS_SERVER) {
-			goto do_ack;
-		}
-
 	case PW_CODE_ACCOUNTING_REQUEST:
 	case PW_CODE_DISCONNECT_REQUEST:
-	case PW_CODE_DISCONNECT_ACK:
-	case PW_CODE_DISCONNECT_NAK:
 	case PW_CODE_COA_REQUEST:
-	case PW_CODE_COA_ACK:
-		memset(hdr->vector, 0, AUTH_VECTOR_LEN);
+		memset(packet->vector, 0, AUTH_VECTOR_LEN);
 		break;
 
-	do_ack:
 	case PW_CODE_ACCESS_ACCEPT:
 	case PW_CODE_ACCESS_REJECT:
 	case PW_CODE_ACCESS_CHALLENGE:
+	case PW_CODE_ACCOUNTING_RESPONSE:
+	case PW_CODE_DISCONNECT_ACK:
+	case PW_CODE_DISCONNECT_NAK:
+	case PW_CODE_COA_ACK:
+	case PW_CODE_COA_NAK:
 		if (!original) {
 			fr_strerror_printf("ERROR: Cannot sign response packet without a request packet");
 			return -1;
 		}
-		memcpy(hdr->vector, original->vector, AUTH_VECTOR_LEN);
+		memcpy(packet->vector, original->vector, AUTH_VECTOR_LEN);
 		break;
 
+	case PW_CODE_ACCESS_REQUEST:
+	case PW_CODE_STATUS_SERVER:
 	default:
-		memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
-		break;
+		break;		/* packet->vector is already random bytes */
 	}
 
+#ifndef NDEBUG
+	if ((fr_debug_lvl > 3) && fr_log_fp) rad_print_hex(packet);
+#endif
+
 	/*
 	 *	If there's a Message-Authenticator, update it
 	 *	now.
@@ -1972,6 +1973,33 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
 	if (packet->offset > 0) {
 		uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
 
+		switch (packet->code) {
+		case PW_CODE_ACCOUNTING_RESPONSE:
+			if (original && original->code == PW_CODE_STATUS_SERVER) {
+				goto do_ack;
+			}
+
+		case PW_CODE_ACCOUNTING_REQUEST:
+		case PW_CODE_DISCONNECT_REQUEST:
+		case PW_CODE_DISCONNECT_ACK:
+		case PW_CODE_DISCONNECT_NAK:
+		case PW_CODE_COA_REQUEST:
+		case PW_CODE_COA_ACK:
+		case PW_CODE_COA_NAK:
+			memset(hdr->vector, 0, AUTH_VECTOR_LEN);
+			break;
+
+		do_ack:
+		case PW_CODE_ACCESS_ACCEPT:
+		case PW_CODE_ACCESS_REJECT:
+		case PW_CODE_ACCESS_CHALLENGE:
+			memcpy(hdr->vector, original->vector, AUTH_VECTOR_LEN);
+			break;
+
+		default:
+			break;
+		}
+
 		/*
 		 *	Set the authentication vector to zero,
 		 *	calculate the HMAC, and put it
@@ -1984,6 +2012,11 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
 		       calc_auth_vector, AUTH_VECTOR_LEN);
 	}
 
+	/*
+	 *	Copy the request authenticator over to the packet.
+	 */
+	memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
+
 	/*
 	 *	Switch over the packet code, deciding how to
 	 *	sign the packet.