trying to verify accounting request authenticator, and correctly compute the authenti...

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/branches/release-1.1@298 e88ac4ed-0b26-0410-9574-a7f39faa03bf

diff --git a/radsecproxy.c b/radsecproxy.c
index 3eb601e..4400065 100644 (file)
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -1861,6 +1861,14 @@ void radsrv(struct request *rq) {
     
     /* below: code == RAD_Access_Request || code == RAD_Accounting_Request */
 
+    if (code == RAD_Accounting_Request) {
+       memset(newauth, 0, 16);
+       if (!validauth(rq->buf, newauth, (unsigned char *)rq->from->conf->secret)) {
+           debug(DBG_WARN, "radsrv: Accounting-Request message authentication failed");
+           goto exit;
+       }
+    }
+    
     if (rq->from->conf->rewrite) {
        dorewrite(rq->buf, rq->from->conf->rewrite);
        len = RADLEN(rq->buf) - 20;
@@ -1918,9 +1926,11 @@ void radsrv(struct request *rq) {
        goto exit;
     }
 
-    if (!RAND_bytes(newauth, 16)) {
-       debug(DBG_WARN, "radsrv: failed to generate random auth");
-       goto exit;
+    if (code != RAD_Accounting_Request) {
+       if (!RAND_bytes(newauth, 16)) {
+           debug(DBG_WARN, "radsrv: failed to generate random auth");
+           goto exit;
+       }
     }
 
 #ifdef DEBUG
@@ -1943,7 +1953,13 @@ void radsrv(struct request *rq) {
 
     rq->origid = id;
     memcpy(rq->origauth, auth, 16);
-    memcpy(auth, newauth, 16);
+    if (code == RAD_Accounting_Request) {
+       if (!radsign(rq->buf, (unsigned char *)to->conf->secret)) {
+           debug(DBG_WARN, "radsrv: failed to sign Accounting-Request message");
+           goto exit;
+       }
+    } else
+       memcpy(auth, newauth, 16);
     sendrq(to, rq);
     return;