diff options
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | radmsg.h | 2 | ||||
-rw-r--r-- | radsecproxy.c | 22 |
3 files changed, 26 insertions, 0 deletions
@@ -4,6 +4,8 @@ Unreleased 1.6.6-dev used to apply rewriteIn using the rewrite block of the client rather than the server. Patch by Fabian Mauchle. Fixes RADSECPROXY-59. + - Handle CHAP authentication properly when there is no + CHAP-Challenge. Fixes RADSECPROXY-58. 2013-09-06 1.6.5 Bug fixes: @@ -17,10 +17,12 @@ #define RAD_Attr_User_Name 1 #define RAD_Attr_User_Password 2 +#define RAD_Attr_CHAP_Password 3 #define RAD_Attr_Reply_Message 18 #define RAD_Attr_Vendor_Specific 26 #define RAD_Attr_Calling_Station_Id 31 #define RAD_Proxy_State 33 +#define RAD_Attr_CHAP_Challenge 60 #define RAD_Attr_Tunnel_Password 69 #define RAD_Attr_Message_Authenticator 80 diff --git a/radsecproxy.c b/radsecproxy.c index 126a0a7..e2b35ff 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -1543,6 +1543,28 @@ int radsrv(struct request *rq) { goto exit; } + /* If there is a CHAP-Password attribute but no CHAP-Challenge + * one, create a CHAP-Challenge containing the Request + * Authenticator because that's what the CHAP-Password is based + * on. */ + attr = radmsg_gettype(msg, RAD_Attr_CHAP_Password); + if (attr) { + debug(DBG_DBG, "%s: found CHAP-Password with value length %d", __func__, + attr->l); + attr = radmsg_gettype(msg, RAD_Attr_CHAP_Challenge); + if (attr == NULL) { + debug(DBG_DBG, "%s: no CHAP-Challenge found, creating one", __func__); + attr = maketlv(RAD_Attr_CHAP_Challenge, 16, msg->auth); + if (attr == NULL || radmsg_add(msg, attr) != 1) { + debug(DBG_ERR, "%s: adding CHAP-Challenge failed, " + "CHAP-Password request dropped", __func__); + freetlv(attr); + goto rmclrqexit; + } + } + } + + /* Create new Request Authenticator. */ if (msg->code == RAD_Accounting_Request) memset(msg->auth, 0, 16); else if (!RAND_bytes(msg->auth, 16)) { |