From: Alan T. DeKok <aland@freeradius.org>
Date: Wed, 30 Dec 2015 18:47:29 +0000 (-0500)
Subject: Ensure that the authentication vectors are always updated
X-Git-Tag: release_3_0_11~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d182083dbda2e64da1955255c18ef26ae27eefb3;p=thirdparty%2Ffreeradius-server.git

Ensure that the authentication vectors are always updated
---

diff --git a/src/lib/radius.c b/src/lib/radius.c
index a8da6b7e16a..592dbd3a395 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -1931,43 +1931,47 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
 	}
 
 	/*
-	 *	If there's a Message-Authenticator, update it
-	 *	now, BEFORE updating the authentication vector.
+	 *	Set up the authentication vector with zero, or with
+	 *	the original vector, prior to signing.
 	 */
-	if (packet->offset > 0) {
-		uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
-
-		switch (packet->code) {
-		case PW_CODE_ACCOUNTING_RESPONSE:
-			if (original && original->code == PW_CODE_STATUS_SERVER) {
-				goto do_ack;
-			}
+	switch (packet->code) {
+	case PW_CODE_ACCOUNTING_RESPONSE:
+		if (original && original->code == PW_CODE_STATUS_SERVER) {
+			goto do_ack;
+		}
 
-		case PW_CODE_ACCOUNTING_REQUEST:
-		case PW_CODE_DISCONNECT_REQUEST:
-		case PW_CODE_DISCONNECT_ACK:
-		case PW_CODE_DISCONNECT_NAK:
-		case PW_CODE_COA_REQUEST:
-		case PW_CODE_COA_ACK:
-			memset(hdr->vector, 0, AUTH_VECTOR_LEN);
-			break;
+	case PW_CODE_ACCOUNTING_REQUEST:
+	case PW_CODE_DISCONNECT_REQUEST:
+	case PW_CODE_DISCONNECT_ACK:
+	case PW_CODE_DISCONNECT_NAK:
+	case PW_CODE_COA_REQUEST:
+	case PW_CODE_COA_ACK:
+		memset(hdr->vector, 0, AUTH_VECTOR_LEN);
+		memset(packet->vector, 0, AUTH_VECTOR_LEN);
+		break;
 
-		do_ack:
-		case PW_CODE_ACCESS_ACCEPT:
-		case PW_CODE_ACCESS_REJECT:
-		case PW_CODE_ACCESS_CHALLENGE:
-			if (!original) {
-				fr_strerror_printf("ERROR: Cannot sign response packet without a request packet");
-				return -1;
-			}
-			memcpy(hdr->vector, original->vector,
-			       AUTH_VECTOR_LEN);
-			break;
+	do_ack:
+	case PW_CODE_ACCESS_ACCEPT:
+	case PW_CODE_ACCESS_REJECT:
+	case PW_CODE_ACCESS_CHALLENGE:
+		if (!original) {
+			fr_strerror_printf("ERROR: Cannot sign response packet without a request packet");
+			return -1;
+		}
+		memcpy(hdr->vector, original->vector, AUTH_VECTOR_LEN);
+		memcpy(packet->vector, original->vector, AUTH_VECTOR_LEN);
+		break;
 
-		default:	/* others have vector already set to zero */
-			break;
+	default:	/* others have vector already set to whatever */
+		break;
+	}
 
-		}
+	/*
+	 *	If there's a Message-Authenticator, update it
+	 *	now, using the zero / original authentication vector.
+	 */
+	if (packet->offset > 0) {
+		uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
 
 		/*
 		 *	Set the authentication vector to zero,
@@ -1981,7 +1985,7 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
 		       calc_auth_vector, AUTH_VECTOR_LEN);
 
 		/*
-		 *	Copy the original request vector back
+		 *	Copy the request vector back
 		 *	to the raw packet.
 		 */
 		memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
@@ -1993,7 +1997,7 @@ int rad_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
 	 */
 	switch (packet->code) {
 		/*
-		 *	Request packets are not signed, bur
+		 *	Request packets are not signed, but
 		 *	have a random authentication vector.
 		 */
 	case PW_CODE_ACCESS_REQUEST: