[PATCH] libradius: Always Include Authenticator
Paul Querna
pquerna at apache.org
Tue Jul 5 19:54:18 GMT 2005
Forgive me if this is not the correct place to send this patch.
libradius doesn't seem to have an active maintainer?
The attached patch will always include the Authenticator Field, in all
RADIUS packets, not just accounting packets. This is a SHOULD violation
from the RFC.
I found this problem fixing a bug for my mod_auth_xradius[1]. It
appears that some commercial RADIUS authentication servers will reject
packets with identical Authenticator fields as duplicates. This also
has some security implications, since without unique Authenticator field
values, it could allow the spoofing of a reply message.
Thanks,
-Paul Querna
[1] http://www.outoforder.cc/projects/apache/mod_auth_xradius/
-------------- next part --------------
--- orig-radlib.c Mon Jun 14 15:55:30 2004
+++ radlib.c Tue Jul 5 14:29:25 2005
@@ -555,10 +555,10 @@
if (++h->srv >= h->num_servers)
h->srv = 0;
- if (h->request[POS_CODE] == RAD_ACCOUNTING_REQUEST)
- /* Insert the request authenticator into the request */
- insert_request_authenticator(h, h->srv);
- else
+ /* Insert the request authenticator into the request */
+ insert_request_authenticator(h, h->srv);
+
+ if (h->request[POS_CODE] != RAD_ACCOUNTING_REQUEST)
/* Insert the scrambled password into the request */
if (h->pass_pos != 0)
insert_scrambled_password(h, h->srv);
More information about the freebsd-current
mailing list