From b8040e72bc7e6fe202438d0b8980e9894daa6164 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Sun, 10 May 2009 19:33:32 +0200
Subject: [PATCH] Moved verifiation of proxy responses to earlier in the packet handling This slows down the main server thread a bit, but means that we catch attackers earlier, i.e. before pushing a request to a child thread.
---
 src/main/event.c | 23 +++++++++++++++++------
 src/main/listen.c | 7 +++----
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/main/event.c b/src/main/event.c
index 98d2dd8..fdfa544 100644
--- a/src/main/event.c
+++ b/src/main/event.c
@@ -706,12 +706,6 @@ static void received_response_to_ping(REQUEST *request)
 rad_assert(request->home_server != NULL);
- if (rad_verify(request->proxy_reply, request->proxy,
- request->home_server->secret) != 0) {
- DEBUG("Ignoring spoofed proxy reply. Signature is invalid");
- return;
- }
-
 home = request->home_server;
 home->num_received_pings++;
@@ -2950,6 +2944,23 @@ REQUEST *received_proxy_response(RADIUS_PACKET *packet)
 return NULL;
 }
+ /*
+ * Verify the packet before doing ANYTHING with it. This
+ * means we're doing more MD5 checks in the server core.
+ * However, we can fix that by moving to multiple threads
+ * listening on sockets.
+ *
+ * We do this AFTER looking the request up in the hash,
+ * and AFTER vhecking if we saw a previous request. This
+ * helps minimize the DoS effect of people attacking us
+ * with spoofed packets.
+ */
+ if (rad_verify(request->proxy_reply, packet,
+ request->home_server->secret) != 0) {
+ DEBUG("Ignoring spoofed proxy reply. Signature is invalid");
+ return;
+ }
+
 gettimeofday(&now, NULL);
 /*
diff --git a/src/main/listen.c b/src/main/listen.c
index 2867e3b..2b12e5b 100644
--- a/src/main/listen.c
+++ b/src/main/listen.c
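Review bot: The spoofed-reply branch added to received_proxy_response() exits with a bare `return;`, but the function returns `REQUEST *` and the rejection path just above it in the same hunk uses `return NULL;`, so this branch should be `return NULL;` to give the caller a defined "drop" result. The call also passes `request->proxy_reply` as the packet to verify and the newly received `packet` as the original, whereas both removed calls used `request->proxy` as the original. Unless `request->proxy_reply` already points at `packet` here (that assignment is not visible in the hunk), the authenticator is not checked against the received data and the first argument may be NULL; the call probably wants to be `rad_verify(packet, request->proxy, request->home_server->secret)`. The function body starts and ends outside the hunk.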
@@ -1038,10 +1038,9 @@ static int proxy_socket_encode(UNUSED rad_listen_t *listener, REQUEST *request)
 static int proxy_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
 {
- if (rad_verify(request->proxy_reply, request->proxy,
- request->home_server->secret) < 0) {
- return -1;
- }
+ /*
+ * rad_verify is run in event.c, received_proxy_response()
+ */
 return rad_decode(request->proxy_reply, request->proxy, request->home_server->secret);
--
2.1.4
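Review bot: proxy_socket_decode() now hands the reply to rad_decode() with no authenticator check of its own, so it is only safe if every reply reaching it has already passed rad_verify() in received_proxy_response(), and the new comment records where the check moved but not that it is a precondition. I would word it as a contract, e.g. `/* Precondition: request->proxy_reply was authenticated by rad_verify() in received_proxy_response(); never call this on an unverified reply. */`. If any other path can reach this decoder (not determinable from the hunk), it would decode attributes from an unauthenticated packet using the shared secret, so the callers are worth confirming before relying on the comment alone.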