Date: Tue, 05 Jul 2005 12:32:58 -0700 From: Paul Querna <pquerna@apache.org> To: freebsd-current@freebsd.org Subject: [PATCH] libradius: Always Include Authenticator Message-ID: <42CAE06A.6000003@apache.org>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Forgive me if this is not the correct place to send this patch. libradius doesn't seem to have an active maintainer? The attached patch will always include the Authenticator Field, in all RADIUS packets, not just accounting packets. This is a SHOULD violation from the RFC. I found this problem fixing a bug for my mod_auth_xradius[1]. It appears that some commercial RADIUS authentication servers will reject packets with identical Authenticator fields as duplicates. This also has some security implications, since without unique Authenticator field values, it could allow the spoofing of a reply message. Thanks, -Paul Querna [1] http://www.outoforder.cc/projects/apache/mod_auth_xradius/ [-- Attachment #2 --] --- orig-radlib.c Mon Jun 14 15:55:30 2004 +++ radlib.c Tue Jul 5 14:29:25 2005 @@ -555,10 +555,10 @@ if (++h->srv >= h->num_servers) h->srv = 0; - if (h->request[POS_CODE] == RAD_ACCOUNTING_REQUEST) - /* Insert the request authenticator into the request */ - insert_request_authenticator(h, h->srv); - else + /* Insert the request authenticator into the request */ + insert_request_authenticator(h, h->srv); + + if (h->request[POS_CODE] != RAD_ACCOUNTING_REQUEST) /* Insert the scrambled password into the request */ if (h->pass_pos != 0) insert_scrambled_password(h, h->srv);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42CAE06A.6000003>