added msg_auth flag in radius_message_t sign() method
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 8 Mar 2012 21:36:06 +0000 (22:36 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 13 Mar 2012 15:27:17 +0000 (16:27 +0100)
src/libcharon/plugins/eap_radius/eap_radius_dae.c
src/libcharon/plugins/tnc_pdp/tnc_pdp.c
src/libradius/radius_message.c
src/libradius/radius_message.h
src/libradius/radius_socket.c

index 1cc19af..5823142 100644 (file)
@@ -190,7 +190,7 @@ static void send_response(private_eap_radius_dae_t *this,
        response = radius_message_create(code);
        response->set_identifier(response, request->get_identifier(request));
        response->sign(response, request->get_authenticator(request),
-                                  this->secret, this->hasher, this->signer, NULL);
+                                  this->secret, this->hasher, this->signer, NULL, FALSE);
 
        send_message(this, response, client);
        save_retransmit(this, response, client);
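Review bot: The bare `FALSE` appended to the sign() call is an unexplained positional boolean; a reader has to open radius_message.h to learn that it suppresses the Message-Authenticator. A trailing comment, `this->secret, this->hasher, this->signer, NULL, FALSE /* no Message-Authenticator */`, would make the deliberate omission on DAE responses visible at the call site. The same applies to the `TRUE` passed in the tnc_pdp.c hunk. send_response begins outside the hunk.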
index 0edecc8..2e330e7 100644 (file)
@@ -183,7 +183,7 @@ static void send_response(private_tnc_pdp_t *this,
        }
        response->set_identifier(response, request->get_identifier(request));
        response->sign(response, request->get_authenticator(request),
-                                  this->secret, this->hasher, this->signer, NULL);
+                                  this->secret, this->hasher, this->signer, NULL, TRUE);
 
        DBG1(DBG_CFG, "sending RADIUS %N to client '%H'", radius_message_code_names,
                 code, client);
index a63374b..03be5a2 100644 (file)
@@ -280,7 +280,7 @@ METHOD(radius_message_t, add, void,
 
 METHOD(radius_message_t, sign, void,
        private_radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
-       hasher_t *hasher, signer_t *signer, rng_t *rng)
+       hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth)
 {
        if (rng)
        {
@@ -289,7 +289,7 @@ METHOD(radius_message_t, sign, void,
        }
        else
        {
-               /* build Response-Authenticator */
+               /* prepare build of Response-Authenticator */
                if (req_auth)
                {
                        memcpy(this->msg->authenticator, req_auth, HASH_SIZE_MD5);
@@ -300,9 +300,7 @@ METHOD(radius_message_t, sign, void,
                }
        }
 
-       if (rng || this->msg->code == RMC_ACCESS_CHALLENGE
-                       || this->msg->code == RMC_ACCESS_ACCEPT
-                       || this->msg->code == RMC_ACCESS_REJECT)
+       if (msg_auth)
        {
                char buf[HASH_SIZE_MD5];
 
@@ -318,6 +316,7 @@ METHOD(radius_message_t, sign, void,
        {
                chunk_t msg;
 
+               /* build Response-Authenticator */
                msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
                hasher->get_hash(hasher, msg, NULL);
                hasher->get_hash(hasher, secret, this->msg->authenticator);
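Review bot: Replacing the code-based condition with `if (msg_auth)` moves the decision to add a Message-Authenticator entirely to the caller, so sign() no longer guarantees one for Access-Request/Challenge/Accept/Reject packets even though RFC 3579 section 3.2 requires it whenever such a packet carries an EAP-Message attribute. Nothing in the hunk or the header documents that callers now own this invariant; a comment above the check, `/* caller must set msg_auth for Access-* packets carrying EAP-Message (RFC 3579 3.2) */`, or a check that refuses to sign an EAP-carrying Access-* packet without it, would keep the requirement visible. sign() starts before the first hunk and continues past the last one.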
index 41cfb51..a03af33 100644 (file)
@@ -251,10 +251,11 @@ struct radius_message_t {
         * @param secret                shared RADIUS secret
         * @param signer                HMAC-MD5 signer with secret set
         * @param hasher                MD5 hasher
-        * @param rng                   RNG to create Message-Authenticator, NULL to omit
+        * @param rng                   RNG to create Request-Authenticator, NULL to omit
+        * @param msg_auth              calculate and add Message-Authenticator
         */
        void (*sign)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
-                                hasher_t *hasher, signer_t *signer, rng_t *rng);
+                                hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth);
 
        /**
         * Verify the integrity of a received RADIUS message.
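Review bot: The updated `@param rng` text still says "NULL to omit", but the implementation in radius_message.c does not omit anything when rng is NULL: it takes the else branch and derives a Response-Authenticator from req_auth and the message hash instead. Suggested wording: `@param rng RNG to create a Request-Authenticator, NULL to build a Response-Authenticator from req_auth`. The new `@param msg_auth` line could also state that the flag is required for Access-* packets carrying EAP-Message, since sign() no longer adds the attribute by packet code.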
index f848569..70500f5 100644 (file)
@@ -157,7 +157,8 @@ METHOD(radius_socket_t, request, radius_message_t*,
        /* set Message Identifier */
        request->set_identifier(request, this->identifier++);
        /* sign the request */
-       request->sign(request, NULL, this->secret, this->hasher, this->signer, rng);
+       request->sign(request, NULL, this->secret, this->hasher, this->signer,
+                                                  rng, rng != NULL);
 
        if (!check_connection(this, fd, port))
        {
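Review bot: Passing `rng != NULL` as msg_auth ties the Message-Authenticator to RNG availability, two concerns that are unrelated on the wire; if rng can be NULL here (its origin is outside the hunk), the request leaves without a Message-Authenticator, which RFC 3579 section 3.2 requires for Access-Requests carrying EAP-Message. If rng is guaranteed non-NULL in this function, passing `TRUE` with a short comment states the intent directly, e.g. `rng, TRUE /* Message-Authenticator required for EAP requests */`. The enclosing request() method starts and ends outside the hunk.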