From 0ca8243622380f17a7418cbcfbb9a82d4b5a85d7 Mon Sep 17 00:00:00 2001
From: Fabian Mauchle
Date: Thu, 26 Sep 2019 13:43:56 +0200
Subject: [PATCH] apply tunnel-password reencryption in the correct (response, not request) direction.

---
 radsecproxy.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/radsecproxy.c b/radsecproxy.c
index 9863aaf..76b9f90 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -1357,18 +1357,6 @@ int radsrv(struct request *rq) {
         goto rmclrqexit;
     }
 
-    attr = radmsg_gettype(msg, RAD_Attr_Tunnel_Password);
-    if (attr) {
-        uint8_t newsalt[2];
-        debug(DBG_DBG, "radsrv: found tunnelpwdattr with value length %d", attr->l);
-        if (!RAND_bytes(newsalt,2))
-            goto rmclrqexit;
-        newsalt[0] |= 0x80;
-        if (!pwdrecrypt(attr->v+3, attr->l-3, from->conf->secret, from->conf->secret_len, to->conf->secret, to->conf->secret_len, rq->rqauth, msg->auth, attr->v+1, 2, newsalt, 2))
-            goto rmclrqexit;
-        memcpy(attr->v+1, newsalt, 2);
-    }
-
     if (to->conf->rewriteout && !dorewrite(msg, to->conf->rewriteout))
         goto rmclrqexit;
@@ -1482,6 +1470,20 @@ void replyh(struct server *server, unsigned char *buf) {
         goto errunlock;
     }
 
+    /* reencrypt tunnel-password RFC2868 */
+    attr = radmsg_gettype(msg, RAD_Attr_Tunnel_Password);
+    if (attr && msg->code == RAD_Access_Accept) {
+        uint8_t newsalt[2];
+        debug(DBG_DBG, "replyh: found tunnelpwdattr with value length %d", attr->l);
+        if (!RAND_bytes(newsalt,2))
+            goto errunlock;
+        newsalt[0] |= 0x80;
+        if (!pwdrecrypt(attr->v+3, attr->l-3, server->conf->secret, server->conf->secret_len, from->conf->secret, from->conf->secret_len,
+                        rqout->rq->msg->auth, rqout->rq->rqauth, attr->v+1, 2, newsalt, 2))
+            goto errunlock;
+        memcpy(attr->v+1, newsalt, 2);
+    }
+
     replylog(msg, server, rqout->rq);
     if (msg->code == RAD_Access_Accept || msg->code == RAD_Access_Reject)
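Review bot: In the new replyh block, `attr->l-3` is handed to pwdrecrypt as the ciphertext length without first checking that the attribute value actually holds the tag byte and the two salt bytes, so a Tunnel-Password shorter than 3 bytes (malformed, or from a misbehaving upstream server) underflows the length and, unless pwdrecrypt itself rejects out-of-range lengths, `attr->v+3` points past the attribute value. A guard before the RAND_bytes call, `if (attr->l < 3) goto errunlock;`, drops such a reply on the same error path the block already uses for RAND_bytes and pwdrecrypt failures (RFC 2868 in fact requires at least 19 bytes: tag, salt and one 16-octet block). Separately, since radmsg_gettype appears to return a single attribute, an Access-Accept carrying several Tunnel-Password attributes (one per tag, which RFC 2868 allows) would have only the first one re-encrypted and the others forwarded still encrypted under the server secret; that deserves either a loop over all matching attributes or a comment stating the single-attribute assumption. replyh starts and ends outside this hunk.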