Commit 8bbdecd3 authored by Linus Nordberg's avatar Linus Nordberg

When CHAP-Password, copy Request Authenticator to CHAP-Challenge.

Conflicts:
	radmsg.h
parent bf2cb969
......@@ -4,6 +4,8 @@ Unreleased 1.6.6-dev
used to apply rewriteIn using the rewrite block of the client
rather than the server. Patch by Fabian Mauchle. Fixes
RADSECPROXY-59.
- Handle CHAP authentication properly when there is no
CHAP-Challenge. Fixes RADSECPROXY-58.
2013-09-06 1.6.5
Bug fixes:
......
......@@ -17,10 +17,12 @@
#define RAD_Attr_User_Name 1
#define RAD_Attr_User_Password 2
#define RAD_Attr_CHAP_Password 3
#define RAD_Attr_Reply_Message 18
#define RAD_Attr_Vendor_Specific 26
#define RAD_Attr_Calling_Station_Id 31
#define RAD_Proxy_State 33
#define RAD_Attr_CHAP_Challenge 60
#define RAD_Attr_Tunnel_Password 69
#define RAD_Attr_Message_Authenticator 80
......
......@@ -1543,6 +1543,28 @@ int radsrv(struct request *rq) {
goto exit;
}
/* If there is a CHAP-Password attribute but no CHAP-Challenge
* one, create a CHAP-Challenge containing the Request
* Authenticator because that's what the CHAP-Password is based
* on. */
attr = radmsg_gettype(msg, RAD_Attr_CHAP_Password);
if (attr) {
debug(DBG_DBG, "%s: found CHAP-Password with value length %d", __func__,
attr->l);
attr = radmsg_gettype(msg, RAD_Attr_CHAP_Challenge);
if (attr == NULL) {
debug(DBG_DBG, "%s: no CHAP-Challenge found, creating one", __func__);
attr = maketlv(RAD_Attr_CHAP_Challenge, 16, msg->auth);
if (attr == NULL || radmsg_add(msg, attr) != 1) {
debug(DBG_ERR, "%s: adding CHAP-Challenge failed, "
"CHAP-Password request dropped", __func__);
freetlv(attr);
goto rmclrqexit;
}
}
}
/* Create new Request Authenticator. */
if (msg->code == RAD_Accounting_Request)
memset(msg->auth, 0, 16);
else if (!RAND_bytes(msg->auth, 16)) {
......
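Review bot: The new CHAP block in radsrv() acts on any CHAP-Password attribute without checking the packet code or the attribute length, even though the length is already read for the debug line. RFC 2865 defines CHAP-Password for Access-Request only, with a 17-octet value (CHAP ident plus 16-octet response), so the outer test could be `if (attr && msg->code == RAD_Access_Request && attr->l == 17)`, assuming `attr->l` is the value length as the debug text says. This matters if an Accounting-Request can reach this point, which depends on checks outside the hunk: its Request Authenticator is a hash, not a challenge, and would be copied into CHAP-Challenge and forwarded as if it were one. The existing comment could also say that the copy must happen before the "Create new Request Authenticator" step just below, since that ordering is what makes the fix work. radsrv's body starts and ends outside the hunk.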