Removed the "verified" field from RADIUS_PACKET, as we no longer
authoraland <aland>
Fri, 20 Apr 2007 09:26:00 +0000 (09:26 +0000)
committeraland <aland>
Fri, 20 Apr 2007 09:26:00 +0000 (09:26 +0000)
accept old-style accounting packets

src/include/libradius.h
src/lib/radius.c
src/main/xlat.c
src/modules/rlm_detail/rlm_detail.c

index 4f45850..9707fdd 100644 (file)
@@ -174,7 +174,6 @@ typedef struct lrad_ipaddr_t {
        } ipaddr;
 } lrad_ipaddr_t;
 
-
 /*
  *     vector:         Request authenticator from access-request packet
  *                     Put in there by rad_decode, and must be put in the
@@ -194,11 +193,11 @@ typedef struct radius_packet {
        unsigned int            code;
        uint8_t                 vector[AUTH_VECTOR_LEN];
        time_t                  timestamp;
-       int                     verified;
        uint8_t                 *data;
        int                     data_len;
        VALUE_PAIR              *vps;
        uint32_t                hash;
+       ssize_t                 offset;
 } RADIUS_PACKET;
 
 /*
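Review bot: The new `offset` member in RADIUS_PACKET is undocumented, although the comment block above the struct describes other fields such as `vector`. Its meaning has to be pieced together from radius.c: rad_alloc() sets it to -1, rad_encode() resets it to 0 and then stores the running length at the Message-Authenticator attribute, and rad_sign() treats `< 0` as "not encoded" and `> 0` as "attribute present". I would add to that comment block something like `offset: byte offset of Message-Authenticator in data, set by rad_encode; -1 = not yet encoded, 0 = none`. Since `ssize_t` is new to this struct, it is also worth confirming that the header pulls in `<sys/types.h>`, which this hunk does not show.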
index 30bdc5e..82be2ce 100644 (file)
@@ -961,12 +961,12 @@ int rad_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
        memcpy(hdr->vector, packet->vector, sizeof(hdr->vector));
 
        total_length = AUTH_HDR_LEN;
-       packet->verified = 0;
        
        /*
         *      Load up the configuration values for the user
         */
        ptr = hdr->data;
+       packet->offset = 0;
 
        /*
         *      FIXME: Loop twice over the reply list.  The first time,
@@ -996,7 +996,12 @@ int rad_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
                if (reply->attribute == PW_MESSAGE_AUTHENTICATOR) {
                        reply->length = AUTH_VECTOR_LEN;
                        memset(reply->vp_strvalue, 0, AUTH_VECTOR_LEN);
-                       packet->verified = total_length; /* HACK! */
+
+                       /*
+                        *      Cache the offset to the
+                        *      Message-Authenticator
+                        */
+                       packet->offset = total_length;
                }
 
                /*
@@ -1068,7 +1073,7 @@ int rad_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
        }
 
        if (!packet->data || (packet->data_len < AUTH_HDR_LEN) ||
-           (packet->verified < 0)) {
+           (packet->offset < 0)) {
                librad_log("ERROR: You must call rad_encode() before rad_sign()");
                return -1;
        }
@@ -1076,10 +1081,8 @@ int rad_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
        /*
         *      If there's a Message-Authenticator, update it
         *      now, BEFORE updating the authentication vector.
-        *
-        *      This is a hack...
         */
-       if (packet->verified > 0) {
+       if (packet->offset > 0) {
                uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
                
                switch (packet->code) {
@@ -1119,7 +1122,7 @@ int rad_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
                lrad_hmac_md5(packet->data, packet->data_len,
                              secret, strlen(secret),
                              calc_auth_vector);
-               memcpy(packet->data + packet->verified + 2,
+               memcpy(packet->data + packet->offset + 2,
                       calc_auth_vector, AUTH_VECTOR_LEN);
                
                /*
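Review bot: The `memcpy(packet->data + packet->offset + 2, ...)` writes AUTH_VECTOR_LEN bytes with no check that the destination lies inside the buffer. The only guards visible in rad_sign() are `data_len < AUTH_HDR_LEN` and `offset < 0`. `offset` is a cached value in a caller-visible struct, so a stale value (for example after `data` is replaced or the packet is reused) would turn this into an out-of-bounds write. A cheap guard before the HMAC is copied in would be `if ((packet->offset + 2 + AUTH_VECTOR_LEN) > packet->data_len) return -1;`. rad_sign() starts and ends outside this hunk, so an equivalent check may already exist out of view.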
@@ -1244,16 +1247,6 @@ static int calc_acctdigest(RADIUS_PACKET *packet, const char *secret)
        MD5_CTX         context;
 
        /*
-        *      Older clients have the authentication vector set to
-        *      all zeros. Return `1' in that case.
-        */
-       memset(digest, 0, sizeof(digest));
-       if (memcmp(packet->vector, digest, AUTH_VECTOR_LEN) == 0) {
-               packet->verified = 1;
-               return 1;
-       }
-
-       /*
         *      Zero out the auth_vector in the received packet.
         *      Then append the shared secret to the received packet,
         *      and calculate the MD5 sum. This must be the same
@@ -1272,12 +1265,11 @@ static int calc_acctdigest(RADIUS_PACKET *packet, const char *secret)
        /*
         *      Return 0 if OK, 2 if not OK.
         */
-       packet->verified =
-       memcmp(digest, packet->vector, AUTH_VECTOR_LEN) ? 2 : 0;
-
-       return packet->verified;
+       if (memcmp(digest, packet->vector, AUTH_VECTOR_LEN) != 0) return 2;
+       return 0;
 }
 
+
 /*
  *     Validates the requesting client NAS.  Calculates the
  *     signature based on the clients private key.
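Review bot: The rewritten check `memcmp(digest, packet->vector, AUTH_VECTOR_LEN) != 0` still compares an authenticator digest with memcmp(), which may stop at the first differing byte and so is not constant-time. The same applies to the matching line in the calc_replydigest() hunk that follows. Since both lines are being touched anyway, consider a comparison that always walks all AUTH_VECTOR_LEN bytes, e.g. `for (i = 0; i < AUTH_VECTOR_LEN; i++) diff |= digest[i] ^ packet->vector[i];` followed by `return diff ? 2 : 0;`. The "Return 0 if OK, 2 if not OK" comment could also say that the former return value 1 (all-zero authenticator) no longer exists, so callers that test for it can be cleaned up.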
@@ -1316,9 +1308,8 @@ static int calc_replydigest(RADIUS_PACKET *packet, RADIUS_PACKET *original,
        /*
         *      Return 0 if OK, 2 if not OK.
         */
-       packet->verified =
-               memcmp(packet->vector, calc_digest, AUTH_VECTOR_LEN) ? 2 : 0;
-       return packet->verified;
+       if (memcmp(packet->vector, calc_digest, AUTH_VECTOR_LEN) != 0) return 2;
+       return 0;
 }
 
 
@@ -1513,7 +1504,6 @@ int rad_packet_ok(RADIUS_PACKET *packet)
                default:        /* don't do anything by default */
                        break;
 
-
                        /*
                         *      If there's an EAP-Message, we require
                         *      a Message-Authenticator.
@@ -2853,7 +2843,7 @@ RADIUS_PACKET *rad_alloc(int newvector)
        }
        memset(rp, 0, sizeof(*rp));
        rp->id = -1;
-       rp->verified = -1;
+       rp->offset = -1;
 
        if (newvector) {
                int i;
index 633a28e..4653d4c 100644 (file)
@@ -1038,10 +1038,7 @@ int radius_xlat(char *out, int outlen, const char *fmt,
                                p++;
                                break;
                        case 'V': /* Request-Authenticator */
-                               if (request->packet->verified)
-                                       strlcpy(q,"Verified",freespace);
-                               else
-                                       strlcpy(q,"None",freespace);
+                               strlcpy(q,"Verified",freespace);
                                q += strlen(q);
                                p++;
                                break;
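Review bot: The `%V` case now writes the constant "Verified" with no comment explaining why. The equivalent change in rlm_detail.c carries one, so a reader of xlat.c alone cannot tell this is deliberate. I would add above the strlcpy something like `/* Always "Verified": accounting packets with a zero authenticator are no longer accepted */`. It may also be worth stating in the `%V` documentation that the expansion is kept only for backwards compatibility, because a log line built from it no longer reflects any per-packet check. radius_xlat() starts and ends outside this hunk.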
index 650844c..a77f01b 100644 (file)
@@ -459,10 +459,11 @@ static int do_detail(void *instance, REQUEST *request, RADIUS_PACKET *packet,
                fprintf(outfp, "\tTimestamp = %ld\n",
                        (unsigned long) request->timestamp);
 
-               if (request->packet->verified == 2)
-                       fputs("\tRequest-Authenticator = Verified\n", outfp);
-               else if (request->packet->verified == 1)
-                       fputs("\tRequest-Authenticator = None\n", outfp);
+               /*
+                *      We no longer permit Accounting-Request packets
+                *      with an authenticator of zero.
+                */
+               fputs("\tRequest-Authenticator = Verified\n", outfp);
        }
 
        fputs("\n", outfp);