From: Alan T. DeKok
Date: Wed, 12 Feb 2025 15:45:24 +0000 (-0500)
Subject: warn if the secret changes
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cb5a8367bf969abcaecc80c82597b559ad2cc501;p=thirdparty%2Ffreeradius-server.git
warn if the secret changes
---
diff --git a/src/modules/rlm_radius/bio.c b/src/modules/rlm_radius/bio.c
index caece1c5bdc..5c6c120b9b7 100644
--- a/src/modules/rlm_radius/bio.c
+++ b/src/modules/rlm_radius/bio.c
@@ -2719,6 +2719,16 @@ static xlat_action_t xlat_radius_client(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcurso
 fr_time_t now = fr_time();
 home_server_t *old;
+ /*
+ * We can't change secrets on the fly. The home
+ * server has to expire first, and then the
+ * secret can be changed.
+ */
+ if ((home->ctx.radius_ctx.secret_length != secret->vb_length) ||
+ (strcmp(home->ctx.radius_ctx.secret, secret->vb_strvalue) != 0)) {
+ RWDEBUG("The new secret is not the same as the old secret: Ignoring the new one");
+ }
+
 fr_rb_expire_update(expire, home, now);
 while ((old = fr_dlist_head(&expire->head)) != NULL) {
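Review bot: The second half of the mismatch test uses `strcmp()`, which stops at the first NUL even though both secrets carry explicit lengths. Because the length check runs first, `(memcmp(home->ctx.radius_ctx.secret, secret->vb_strvalue, secret->vb_length) != 0)) {` would compare the whole value and would not depend on either buffer being NUL-terminated. The mismatch is also reported only through `RWDEBUG`, which as far as I know is printed only when request debugging is enabled, so in production a rotated secret would apparently be ignored without trace until the home server entry expires. `RWARN` would surface it to the operator, with the message naming the home server but neither secret value. xlat_radius_client starts and ends outside this hunk, so whether the old secret is actually kept is inferred from the comment and the message text.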