Forgive me if this is not the correct place to send this patch. libradius doesn't seem to have an active maintainer?

The attached patch will always include the Authenticator Field, in all RADIUS packets, not just accounting packets. This is a SHOULD violation from the RFC.

I found this problem fixing a bug for my mod_auth_xradius[1]. It appears that some commercial RADIUS authentication servers will reject packets with identical Authenticator fields as duplicates.

This also has some security implications, since without unique Authenticator field values, it could allow the spoofing of a reply message.

Thanks,
-Paul Querna

[1] http://www.outoforder.cc/projects/apache/mod_auth_xradius/

--- orig-radlib.c Mon Jun 14 15:55:30 2004 +++ radlib.c Tue Jul 5 14:29:25 2005 _at__at_ -555,10 +555,10 _at__at_ if (++h->srv >= h->num_servers) h->srv = 0; - if (h->request[POS_CODE] == RAD_ACCOUNTING_REQUEST) - /* Insert the request authenticator into the request */ - insert_request_authenticator(h, h->srv); - else + /* Insert the request authenticator into the request */ + insert_request_authenticator(h, h->srv); + + if (h->request[POS_CODE] != RAD_ACCOUNTING_REQUEST) /* Insert the scrambled password into the request */ if (h->pass_pos != 0) insert_scrambled_password(h, h->srv);

Received on Tue Jul 05 2005 - 17:54:18 UTC
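Review bot: confirm that insert_request_authenticator writes a fresh, unpredictable 16-octet value when it is now called for an Access-Request (RFC 2865 section 3); the hunk makes the call unconditional but only shows the call site, and the removed lines show the function previously ran only when `h->request[POS_CODE] == RAD_ACCOUNTING_REQUEST`, where RFC 2866 defines the field as an MD5 over the packet and shared secret rather than a random nonce. The new ordering is the correct dependency order: User-Password hiding in `insert_scrambled_password(h, h->srv)` is keyed off the Request Authenticator, so the authenticator must be in place first, and since both calls sit after the `if (++h->srv >= h->num_servers) h->srv = 0;` rotation they are redone for each transmission. Style: the retained `if (h->request[POS_CODE] != RAD_ACCOUNTING_REQUEST)` now carries a comment and a second `if (h->pass_pos != 0)` nested under it with no braces; wrapping the outer body in braces, or folding the two conditions into one `if` with `&&`, would make the nesting explicit and avoid a dangling-else hazard on later edits.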