From: Alan T. DeKok
Date: Mon, 12 Aug 2024 02:14:29 +0000 (-0400)
Subject: don't add Proxy-State to "ping" packets
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e91aee47822e18f1d58da087e3ae40f0cf401d53;p=thirdparty%2Ffreeradius-server.git
don't add Proxy-State to "ping" packets
---
diff --git a/src/modules/rlm_radius/rlm_radius_udp.c b/src/modules/rlm_radius/rlm_radius_udp.c
index 77e1029fb34..7ad8b6edf5c 100644
--- a/src/modules/rlm_radius/rlm_radius_udp.c
+++ b/src/modules/rlm_radius/rlm_radius_udp.c
@@ -1225,20 +1225,6 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_
 u->packet_len = inst->max_packet_size;
 MEM(u->packet = talloc_array(u, uint8_t, u->packet_len));
- /*
- * If we're sending a status check packet, update any
- * necessary timestamps. Also, don't add Proxy-State, as
- * we're originating the packet.
- */
- if (u->status_check) {
- fr_pair_t *vp;
-
- vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_event_timestamp);
- if (vp) vp->vp_date = fr_time_to_unix_time(u->retry.updated);
-
- if (u->code == FR_RADIUS_CODE_STATUS_SERVER) u->can_retransmit = false;
- }
-
 /*
 * We should have at minimum 64-byte packets, so don't
 * bother doing run-time checks here.
@@ -1253,8 +1239,24 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_
 },
 .code = u->code,
 .id = id,
+ .add_proxy_state = !inst->parent->originate,
 };
+ /*
+ * If we're sending a status check packet, update any
+ * necessary timestamps. Also, don't add Proxy-State, as
+ * we're originating the packet.
+ */
+ if (u->status_check) {
+ fr_pair_t *vp;
+
+ vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_event_timestamp);
+ if (vp) vp->vp_date = fr_time_to_unix_time(u->retry.updated);
+
+ u->can_retransmit = false;
+ encode_ctx.add_proxy_state = false;
+ }
+
 /*
 * Encode it, leaving room for Proxy-State if necessary.
 */
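Review bot: In the relocated `if (u->status_check)` block, `u->can_retransmit = false;` is now unconditional, whereas the removed lines cleared it only when `u->code == FR_RADIUS_CODE_STATUS_SERVER`. The commit subject and the block comment mention only Proxy-State, so the diff does not show whether disabling retransmission for every status-check code is intended. If it is, record the reason in the comment, for example `* Status checks are re-encoded on each send (Event-Timestamp changes), so never retransmit them.`; that wording is inferred from the timestamp update just above and should be confirmed against the retry logic. encode() begins and ends outside this hunk.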
@@ -1297,7 +1299,7 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_
 * request->request_pairs, because multiple modules
 * may be sending the packets at the same time.
 */
- if (inst->common_ctx.add_proxy_state) {
+ if (encode_ctx.add_proxy_state) {
 fr_pair_t *vp;
 MEM(vp = fr_pair_afrom_da(u->packet, attr_proxy_state));
@@ -2683,7 +2685,6 @@ static int mod_instantiate(module_inst_ctx_t const *mctx)
 inst->common_ctx = (fr_radius_ctx_t) {
 .secret = inst->secret,
 .secret_length = talloc_array_length(inst->secret) - 1,
- .add_proxy_state = !inst->parent->originate,
 .proxy_state = inst->parent->proxy_state,
 };
diff --git a/src/protocols/radius/base.c b/src/protocols/radius/base.c
index 027987f746e..737d18e3149 100644
--- a/src/protocols/radius/base.c
+++ b/src/protocols/radius/base.c
@@ -1028,7 +1028,7 @@ ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encod
 /*
 * Add Proxy-State to the end of the packet if the caller requested it.
 */
- if (packet_ctx->common->add_proxy_state) {
+ if (packet_ctx->add_proxy_state) {
 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_PROXY_STATE, 6);
 FR_DBUFF_IN_RETURN(&work_dbuff, packet_ctx->common->proxy_state);
 }
diff --git a/src/protocols/radius/radius.h b/src/protocols/radius/radius.h
index b82cf31dd00..74ba690ce63 100644
--- a/src/protocols/radius/radius.h
+++ b/src/protocols/radius/radius.h
@@ -142,7 +142,6 @@ typedef struct {
 bool secure_transport; //!< for TLS
- bool add_proxy_state; //!< do we add a Proxy-State?
 uint32_t proxy_state; //!< if so, this is its value
 } fr_radius_ctx_t;
@@ -162,6 +161,7 @@ typedef struct {
 uint8_t code;
 uint8_t id;
+ bool add_proxy_state; //!< do we add a Proxy-State?
 bool disallow_tunnel_passwords; //!< not all packets can have tunnel passwords
 bool seen_message_authenticator;
 } fr_radius_encode_ctx_t;
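Review bot: Because `fr_radius_encode()` now tests `packet_ctx->add_proxy_state`, any caller that builds a `fr_radius_encode_ctx_t` without setting the new member gets `false` from zero-initialisation and silently stops emitting Proxy-State. Removing the field from `fr_radius_ctx_t` makes stale `.add_proxy_state` initialisers on the common context fail to compile, but a missing initialiser on an encode context produces no diagnostic. Only `encode()` in rlm_radius_udp.c is updated in this diff, so the remaining `fr_radius_encode()` call sites, which are not visible here, should be audited for proxying paths that previously relied on the common-context flag. A short note on the member, such as `//!< per-packet; defaults to false, proxying callers must set it`, would make the new contract explicit. fr_radius_encode() begins and ends outside this hunk.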
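Review bot: In the first radius.h hunk, the surviving context line `uint32_t proxy_state; //!< if so, this is its value` in `fr_radius_ctx_t` still refers to the `add_proxy_state` member that this hunk removes from the struct. The comment should be reworded to stand on its own, for example `//!< Proxy-State value, encoded when fr_radius_encode_ctx_t.add_proxy_state is set`. The struct definition begins outside the hunk.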