diff options
author | Linus Nordberg <linus@nordberg.se> | 2015-01-16 12:23:37 +0100 |
---|---|---|
committer | Linus Nordberg <linus@nordberg.se> | 2015-01-16 12:27:30 +0100 |
commit | b000888b17865b0cb4f430bdeda73b30e054632d (patch) | |
tree | 8f486e7113acf5a20b80442959075d0cb821cc3a | |
parent | 29bc92ec52febd23774deb5f731625f1e18e10ef (diff) |
When CHAP-Password, copy Request Authenticator to CHAP-Challenge.
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | radmsg.h | 3 | ||||
-rw-r--r-- | radsecproxy.c | 22 |
3 files changed, 27 insertions, 0 deletions
@@ -4,6 +4,8 @@ Changes between 1.6.5 and the master branch used to apply rewriteIn using the rewrite block of the client rather than the server. Patch by Fabian Mauchle. Fixes RADSECPROXY-59. + - Handle CHAP authentication properly when there is no + CHAP-Challenge. Fixes RADSECPROXY-58. 2013-09-06 1.6.5 Bug fixes: @@ -1,4 +1,5 @@ /* Copyright (c) 2007-2008, UNINETT AS */ +/* Copyright (c) 2015, NORDUnet A/S */ /* See LICENSE for licensing information. */ #define RAD_Access_Request 1 @@ -12,10 +13,12 @@ #define RAD_Attr_User_Name 1 #define RAD_Attr_User_Password 2 +#define RAD_Attr_CHAP_Password 3 #define RAD_Attr_Reply_Message 18 #define RAD_Attr_Vendor_Specific 26 #define RAD_Attr_Calling_Station_Id 31 #define RAD_Attr_Proxy_State 33 +#define RAD_Attr_CHAP_Challenge 60 #define RAD_Attr_Tunnel_Password 69 #define RAD_Attr_Message_Authenticator 80 diff --git a/radsecproxy.c b/radsecproxy.c index b5061e0..8319c6e 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -1530,6 +1530,28 @@ int radsrv(struct request *rq) { goto exit; } + /* If there is a CHAP-Password attribute but no CHAP-Challenge + * one, create a CHAP-Challenge containing the Request + * Authenticator because that's what the CHAP-Password is based + * on. */ + attr = radmsg_gettype(msg, RAD_Attr_CHAP_Password); + if (attr) { + debug(DBG_DBG, "%s: found CHAP-Password with value length %d", __func__, + attr->l); + attr = radmsg_gettype(msg, RAD_Attr_CHAP_Challenge); + if (attr == NULL) { + debug(DBG_DBG, "%s: no CHAP-Challenge found, creating one", __func__); + attr = maketlv(RAD_Attr_CHAP_Challenge, 16, msg->auth); + if (attr == NULL || radmsg_add(msg, attr) != 1) { + debug(DBG_ERR, "%s: adding CHAP-Challenge failed, " + "CHAP-Password request dropped", __func__); + freetlv(attr); + goto rmclrqexit; + } + } + } + + /* Create new Request Authenticator. */ if (msg->code == RAD_Accounting_Request) memset(msg->auth, 0, 16); else if (!RAND_bytes(msg->auth, 16)) { |