when doing a rad_send(), do NOT encode the PW_PASSWORD or the
authoraland <aland>
Tue, 21 Nov 2000 20:16:11 +0000 (20:16 +0000)
committeraland <aland>
Tue, 21 Nov 2000 20:16:11 +0000 (20:16 +0000)
PW_CHAP_PASSWORD attribute.  This is to prevent double encryption.

This also prevents the server from breaking the CHAP-Password
when doing proxying.  Bug found by David Kerry <dk@snti.com>

src/lib/radius.c

index cc7d9a0..a7bcf3a 100644 (file)
@@ -174,30 +174,6 @@ int rad_send(RADIUS_PACKET *packet, const char *secret)
                    switch(reply->type) {
                      
                    case PW_TYPE_STRING:
-                     /*
-                      *        If it's a password, encode it.
-                      */
-                     if (!vendorpec) {
-                       if (reply->attribute == PW_PASSWORD) {
-                         rad_pwencode((char *)reply->strvalue,
-                                      &(reply->length),
-                                      secret, (char *)packet->vector);
-
-                         /*
-                          *    If there's a CHAP password, assume it's
-                          *    currently in clear text, and encode it
-                          *    in place.
-                          *
-                          *    The ID is taken from pseudo-random
-                          *    numbers somehow...
-                          */
-                       } else if (reply->attribute == PW_CHAP_PASSWORD) {
-                         rad_chap_encode(packet, (char *)reply->strvalue,
-                                         packet->id, reply);
-                         reply->length = 1 + CHAP_VALUE_LENGTH;
-                       } 
-                     }
-                     
 #ifndef ASCEND_BINARY
                    case PW_TYPE_ABINARY:
 #endif
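Review bot: The surviving `case PW_TYPE_STRING:` label in rad_send() now has nothing recording the contract this removal creates: PW_PASSWORD and PW_CHAP_PASSWORD values are no longer transformed here, so they presumably go into the packet exactly as the caller supplied them (the code this case falls into is outside the hunk). A caller that still passes a cleartext PW_PASSWORD would therefore send it unobfuscated, which is the opposite failure from the double encoding this commit fixes. I would put a comment where the removed block was, for example `/* PW_PASSWORD / PW_CHAP_PASSWORD must already be encoded by the caller (rad_pwencode(), rad_chap_encode()); they are sent as-is. */`, and confirm that every rad_send() caller building a request from a cleartext password encodes it first. rad_send's body starts and ends outside the hunk.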