From: Paul Querna <pquerna@apache.org>
Date: Tue, 05 Jul 2005 12:32:58 -0700
To: freebsd-current@freebsd.org
Subject: [PATCH] libradius: Always Include Authenticator
Message-ID: <42CAE06A.6000003@apache.org>

Forgive me if this is not the correct place to send this patch. libradius doesn't seem to have an active maintainer?

The attached patch will always include the Authenticator Field, in all RADIUS packets, not just accounting packets. This is a SHOULD violation from the RFC.

I found this problem fixing a bug for my mod_auth_xradius[1]. It appears that some commercial RADIUS authentication servers will reject packets with identical Authenticator fields as duplicates.

This also has some security implications, since without unique Authenticator field values, it could allow the spoofing of a reply message.

Thanks,

-Paul Querna

[1] http://www.outoforder.cc/projects/apache/mod_auth_xradius/

Attachment: radlib-authenticator.patch

--- orig-radlib.c Mon Jun 14 15:55:30 2004
+++ radlib.c Tue Jul 5 14:29:25 2005
@@ -555,10 +555,10 @@ if (++h->srv >= h->num_servers) h->srv = 0; - if (h->request[POS_CODE] == RAD_ACCOUNTING_REQUEST) - /* Insert the request authenticator into the request */ - insert_request_authenticator(h, h->srv); - else + /* Insert the request authenticator into the request */ + insert_request_authenticator(h, h->srv); + + if (h->request[POS_CODE] != RAD_ACCOUNTING_REQUEST) /* Insert the scrambled password into the request */ if (h->pass_pos != 0) insert_scrambled_password(h, h->srv); --------------000403060103040608030905--
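Review bot: The unbraced `if (h->pass_pos != 0)` nested directly under the new `if (h->request[POS_CODE] != RAD_ACCOUNTING_REQUEST)` is easy to misread, and the "Insert the scrambled password" comment now sits between the two tests; folding them into one condition, `if (h->request[POS_CODE] != RAD_ACCOUNTING_REQUEST && h->pass_pos != 0)` with the comment above it, keeps the behaviour and reads cleanly. The ordering is right (the authenticator is written before insert_scrambled_password() derives the password obfuscation from it), but the hunk does not show how insert_request_authenticator() computes its value, so please confirm in the rest of radlib.c that what it writes for a non-accounting request is unpredictable and fresh per request, which is the uniqueness goal the message states, rather than a value that repeats for identical requests.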
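As an added example (not libradius code and not part of the patch), here is the RFC 2865/2866 Authenticator arithmetic the message is about, in Python so the MD5 steps stand alone: the accounting digest, the random Access-Request value, and the client-side Response Authenticator check that only rejects a stale reply when the request value it was bound to is not reused. The shared secret, identifiers and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
HEADER_LEN, AUTH_LEN = 20, 16


def build_packet(code, ident, authenticator, attrs):
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def accounting_request_authenticator(ident, attrs, secret):
    """RFC 2866: MD5 over the request with a zeroed Authenticator field, then the secret.
    Deterministic: two identical Accounting-Requests carry the same value."""
    zeroed = build_packet(ACCOUNTING_REQUEST, ident, bytes(AUTH_LEN), attrs)
    return hashlib.md5(zeroed + secret).digest()


def access_request_authenticator():
    """RFC 2865: 16 unpredictable octets, drawn fresh for every Access-Request.
    Both the password obfuscation and the reply check are bound to this value."""
    return os.urandom(AUTH_LEN)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | response attributes | secret)."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def verify_response(packet, request_auth, secret):
    """Client-side check that a reply is bound to the Request Authenticator we sent."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def stale_reply_rejected(secret=b"constructed-shared-secret"):
    """Why uniqueness matters: a reply verifies only against the Request Authenticator
    it was computed for. A reused authenticator would let an earlier reply verify
    again; a fresh one makes verify_response() refuse it."""
    ident, attrs = 7, b""  # constructed sample values
    old_auth = access_request_authenticator()
    old_reply = build_packet(ACCESS_ACCEPT, ident, response_authenticator(
        ACCESS_ACCEPT, ident, attrs, old_auth, secret), attrs)
    new_auth = access_request_authenticator()
    return verify_response(old_reply, old_auth, secret) and not verify_response(
        old_reply, new_auth, secret)
```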