summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2015-01-16 12:23:37 +0100
committerLinus Nordberg <linus@nordberg.se>2015-01-16 12:35:28 +0100
commit8bbdecd3a0f12411fb004b4ae47dc3ce383661e4 (patch)
tree08c617570998d4a4da2be929499e52bf6cb7a357
parentbf2cb969447de320734baa72e90dedbf95e926de (diff)
When CHAP-Password, copy Request Authenticator to CHAP-Challenge.
Conflicts: radmsg.h
-rw-r--r--ChangeLog2
-rw-r--r--radmsg.h2
-rw-r--r--radsecproxy.c22
3 files changed, 26 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index d3991c0..b120401 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@ Unreleased 1.6.6-dev
used to apply rewriteIn using the rewrite block of the client
rather than the server. Patch by Fabian Mauchle. Fixes
RADSECPROXY-59.
+ - Handle CHAP authentication properly when there is no
+ CHAP-Challenge. Fixes RADSECPROXY-58.
2013-09-06 1.6.5
Bug fixes:
diff --git a/radmsg.h b/radmsg.h
index 074f752..c37c8eb 100644
--- a/radmsg.h
+++ b/radmsg.h
@@ -17,10 +17,12 @@
#define RAD_Attr_User_Name 1
#define RAD_Attr_User_Password 2
+#define RAD_Attr_CHAP_Password 3
#define RAD_Attr_Reply_Message 18
#define RAD_Attr_Vendor_Specific 26
#define RAD_Attr_Calling_Station_Id 31
#define RAD_Proxy_State 33
+#define RAD_Attr_CHAP_Challenge 60
#define RAD_Attr_Tunnel_Password 69
#define RAD_Attr_Message_Authenticator 80
diff --git a/radsecproxy.c b/radsecproxy.c
index 126a0a7..e2b35ff 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -1543,6 +1543,28 @@ int radsrv(struct request *rq) {
goto exit;
}
+ /* If there is a CHAP-Password attribute but no CHAP-Challenge
+ * one, create a CHAP-Challenge containing the Request
+ * Authenticator because that's what the CHAP-Password is based
+ * on. */
+ attr = radmsg_gettype(msg, RAD_Attr_CHAP_Password);
+ if (attr) {
+ debug(DBG_DBG, "%s: found CHAP-Password with value length %d", __func__,
+ attr->l);
+ attr = radmsg_gettype(msg, RAD_Attr_CHAP_Challenge);
+ if (attr == NULL) {
+ debug(DBG_DBG, "%s: no CHAP-Challenge found, creating one", __func__);
+ attr = maketlv(RAD_Attr_CHAP_Challenge, 16, msg->auth);
+ if (attr == NULL || radmsg_add(msg, attr) != 1) {
+ debug(DBG_ERR, "%s: adding CHAP-Challenge failed, "
+ "CHAP-Password request dropped", __func__);
+ freetlv(attr);
+ goto rmclrqexit;
+ }
+ }
+ }
+
+ /* Create new Request Authenticator. */
if (msg->code == RAD_Accounting_Request)
memset(msg->auth, 0, 16);
else if (!RAND_bytes(msg->auth, 16)) {