In pairmove2, if given Vendor-Specific, then move ALL vendor

	specific attributes.

	Updated rfc_clean() to move VSA's over, so that they can appear
	in authentication reject packets, too.

diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
index 7d6e56d..eca9c3c 100644 (file)
--- a/src/lib/valuepair.c
+++ b/src/lib/valuepair.c
@@ -379,10 +379,21 @@ void pairmove2(VALUE_PAIR **to, VALUE_PAIR **from, int attr)
 
 
                /*
-                *      FIXME: Do we want to match *any* VSA if
-                *      'attr == PW_VENDOR_SPECIFIC' ???
+                *      If the attribute to move is NOT a VSA, then it
+                *      ignores any attributes which do not match exactly.
                 */
-               if (i->attribute != attr) {
+               if ((attr != PW_VENDOR_SPECIFIC) &&
+                   (i->attribute != attr)) {
+                       iprev = i;
+                       continue;
+               }
+
+               /*
+                *      If the attribute to move IS a VSA, then it ignores
+                *      any non-VSA attribute.
+                */
+               if ((attr == PW_VENDOR_SPECIFIC) &&
+                   (VENDOR(i->attribute) == 0)) {
                        iprev = i;
                        continue;
                }

diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 4e59fb4..264ba4d 100644 (file)
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -1286,16 +1286,29 @@ static void rad_reject(REQUEST *request)
 static void rfc_clean(RADIUS_PACKET *packet)
 {
        VALUE_PAIR *vps = NULL;
-       
+
        switch (packet->code) {
+               /*
+                *      In the default case, we just move all of the
+                *      attributes over.
+                */
        default:
+               vps = packet->vps;
+               packet->vps = NULL;
                break;
                
                /*
-                *      FIXME: Accounting responses can only contain
-                *      Proxy-State and VSA's.
+                *      Accounting responses can only contain
+                *      Proxy-State and VSA's.  Note that we do NOT
+                *      move the Proxy-State attributes over, as the
+                *      Proxy-State attributes in this packet are NOT
+                *      the right ones to use.  The reply function
+                *      takes care of copying those attributes from
+                *      the original request, which ARE the right ones
+                *      to use.
                 */
        case PW_ACCOUNTING_RESPONSE:
+               pairmove2(&vps, &(packet->vps), PW_VENDOR_SPECIFIC);
                break;
 
                /*
@@ -1311,12 +1324,17 @@ static void rfc_clean(RADIUS_PACKET *packet)
                pairmove2(&vps, &(packet->vps), PW_EAP_MESSAGE);
                pairmove2(&vps, &(packet->vps), PW_MESSAGE_AUTHENTICATOR);
                pairmove2(&vps, &(packet->vps), PW_REPLY_MESSAGE);
-               pairfree(&packet->vps);
-               packet->vps = vps;
+               pairmove2(&vps, &(packet->vps), PW_VENDOR_SPECIFIC);
                break;
        }
 
        /*
+        *      Move the newly cleaned attributes over.
+        */
+       pairfree(&packet->vps);
+       packet->vps = vps;
+
+       /*
         *      FIXME: Perform other, more generic sanity checks.
         */
 }