From: Bjørn Mork
Date: Tue, 27 Mar 2012 08:57:36 +0000 (+0200)
Subject: Decode encrypted VSAs in requests
X-Git-Tag: release_3_0_0_beta0~245
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b596b306ef0078f1192c54b47eb345035fc5f9b2;p=thirdparty%2Ffreeradius-server.git
Decode encrypted VSAs in requests
Incoming CoA requests can contain encrypted VSAs. At least one vendor is known to use this. These VSAs must be decrypted before being proxied to enable the server to re-encrypt them using the correct home server secret. Fix by attempting to decode any encrypted request attribute using a static vector of \0 bytes. This also fixes debug logging of encrypted request attributes.
Signed-off-by: Bjørn Mork
---
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 8bcca4f3948..3105f4d6d43 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -75,6 +75,7 @@ typedef struct radius_packet_t {
 static fr_randctx fr_rand_pool; /* across multiple calls */
 static int fr_rand_initialized = 0;
 static unsigned int salt_offset = 0;
+static uint8_t nullvector[AUTH_VECTOR_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* for CoA decode */
 const char *fr_packet_codes[FR_MAX_PACKET_CODE] = {
 "",
@@ -2944,12 +2945,9 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet,
 * in response packets.
 */
 case FLAG_ENCRYPT_TUNNEL_PASSWORD:
- if (!original) goto raw;
-
- if (rad_tunnel_pwdecode(buffer, &vp->length,
- secret, original->vector) < 0) {
+ if (rad_tunnel_pwdecode(buffer, &vp->length, secret,
+ original ? original->vector : nullvector) < 0)
 goto raw;
- }
 break;
 /*
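Review bot: The fallback in the second hunk decodes every request-side Tunnel-Password under an all-zero authenticator, which only matches senders that encrypt with a zero vector as the description says; for any other sender the decode produces wrong-key output that is kept as the attribute value unless rad_tunnel_pwdecode's own sanity check rejects it, and that check is outside this hunk. A comment at the call would make the contract visible to the next reader: `/* requests carry no original authenticator; senders that encrypt in CoA requests use a zero vector, so try that and fall back to raw if the decode fails */`. In the first hunk `nullvector` is never written, so `static const uint8_t nullvector[AUTH_VECTOR_LEN] = { 0 };` is preferable: `{ 0 }` stays correct if AUTH_VECTOR_LEN ever differs from the sixteen literal zeros, and `const` presumes rad_tunnel_pwdecode takes its vector through a const pointer, which should be checked. The new unbraced `if (...) goto raw;` also drops the braces the removed code had; keeping `{ goto raw; }` matches the surrounding style. data2vp_any begins and ends outside the hunk.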