From 2e4093d54ebb073bc674f0c19a587ebdb6856a4c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B8rn=20Mork?=
Date: Tue, 27 Mar 2012 10:57:36 +0200
Subject: [PATCH] Decode encrypted VSAs in requests
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Incoming CoA requests can contain encrypted VSAs. At least one vendor is known to use this. These VSAs must be decrypted before being proxied to enable the server to re-encrypt them using the correct home server secret. Fix by attempting to decode any encrypted request attribute using a static vector of \0 bytes. This also fixes debug logging of encrypted request attributes.

Signed-off-by: Bjørn Mork
---
 src/lib/radius.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/lib/radius.c b/src/lib/radius.c
index 824f70b227b..31948547872 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -67,6 +67,7 @@ typedef struct radius_packet_t {
 static fr_randctx fr_rand_pool; /* across multiple calls */
 static int fr_rand_initialized = 0;
 static unsigned int salt_offset = 0;
+static uint8_t nullvector[AUTH_VECTOR_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* for CoA decode */
 
 const char *fr_packet_codes[FR_MAX_PACKET_CODE] = {
 	"",
@@ -2290,12 +2291,9 @@ static VALUE_PAIR *data2vp(const RADIUS_PACKET *packet,
 	 * in response packets.
 	 */
 	case FLAG_ENCRYPT_TUNNEL_PASSWORD:
-		if (!original) goto raw;
-
-		if (rad_tunnel_pwdecode(vp->vp_octets, &vp->length,
-					secret, original->vector) < 0) {
+		if (rad_tunnel_pwdecode(vp->vp_octets, &vp->length, secret,
+					original ? original->vector : nullvector) < 0)
 			goto raw;
-		}
 		break;
 
 	/*
-- 
2.47.3
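Review bot: The initializer on the added `nullvector` line spells out sixteen zeros, which silently ties the declaration to AUTH_VECTOR_LEN being 16 and is unnecessary for an object with static storage; `static uint8_t nullvector[AUTH_VECTOR_LEN] = { 0 }; /* all-zero authenticator used to decode request attributes */` zero-fills the whole array whatever the constant is. If rad_tunnel_pwdecode takes its vector through a const pointer, the array can also be declared `const` so nothing can later overwrite the key material the decode depends on; the prototype is not visible in the patch, so that needs checking. The comment `/* for CoA decode */` is also narrower than the use the second hunk makes of it, which applies to any packet that has no original.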
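Review bot: The rewritten rad_tunnel_pwdecode call decodes with `nullvector` for every packet that arrives without an `original`, which is broader than the CoA case the commit message describes, and nothing at the call site says why an all-zero vector is the right material there; a comment such as `/* No original packet (e.g. a CoA-Request): the sender had only an all-zero authenticator to encrypt against, so decode with nullvector */` would keep the next reader from treating this as a fallback to be removed. The new `if` also drops the braces the removed version kept around `goto raw`, which the surrounding style appears to use. Whether a decode against the wrong vector is reliably rejected by rad_tunnel_pwdecode, rather than yielding plausible-looking bytes that are then logged and proxied, is not visible here and is worth confirming, since the jump to `raw` is the only error path. data2vp starts and ends outside the hunk.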