author | Martin Willi <martin@revosec.ch> | 2013-07-22 14:23:01 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2013-07-29 09:00:48 +0200 |
commit | 6bc0ce020d8a9b28bda9fbe35a0c1b940b744ca0 (patch) | |
tree | 2f7e1438215c3cc3893545018235bad83384e070 | |
parent | 84044f9c7330e7eff485b82cfa9c93f9e17e5383 (diff) | |
libradius: support encryption of User-Password attributes
-rw-r--r-- | src/libradius/radius_message.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index dd3993704..3905a06c7 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -65,6 +65,11 @@ struct private_radius_message_t {
 	 * message data, allocated
 	 */
 	rmsg_t *msg;
+
+	/**
+	 * User-Password to encrypt and encode, if any
+	 */
+	chunk_t password;
 };
 
 /**
@@ -356,6 +361,15 @@ METHOD(radius_message_t, add, void,
 {
 	rattr_t *attribute;
 
+	if (type == RAT_USER_PASSWORD && !this->password.len)
+	{
+		/* store a null-padded password */
+		this->password = chunk_alloc(round_up(data.len, HASH_SIZE_MD5));
+		memset(this->password.ptr + data.len, 0, this->password.len - data.len);
+		memcpy(this->password.ptr, data.ptr, data.len);
+		return;
+	}
+
 	data.len = min(data.len, MAX_RADIUS_ATTRIBUTE_SIZE);
 	this->msg = realloc(this->msg,
 					ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
@@ -452,6 +466,18 @@ METHOD(radius_message_t, sign, bool,
 		}
 	}
 
+	if (this->password.len)
+	{
+		/* encrypt password inline */
+		if (!crypt(this, chunk_empty, this->password, this->password,
+				   secret, hasher))
+		{
+			return FALSE;
+		}
+		add(this, RAT_USER_PASSWORD, this->password);
+		chunk_clear(&this->password);
+	}
+
 	if (msg_auth)
 	{
 		char buf[HASH_SIZE_MD5];
@@ -601,6 +627,7 @@ METHOD(radius_message_t, get_encoding, chunk_t,
 METHOD(radius_message_t, destroy, void,
 	private_radius_message_t *this)
 {
+	chunk_clear(&this->password);
 	free(this->msg);
 	free(this);
 } |
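Review bot: The `!this->password.len` guard on the new RAT_USER_PASSWORD branch in add() means a caller that adds a second User-Password while one is already pending falls through to the generic path and has it encoded in cleartext; the guard is there only so that sign()'s own `add(this, RAT_USER_PASSWORD, this->password)` call in the third hunk reaches the encoder. That coupling is invisible at the call site and the failure mode is a plaintext credential in the encoded message. Splitting the encoding part of add() into a static helper that sign() calls lets add() intercept every User-Password unconditionally, replacing any pending one; sign() would then call the helper instead of add(). The parameter list of add() lies outside the hunk, so the sketch below leaves it as a comment.
```c
/* Append an attribute as given; sign() uses this for the already-encrypted password */
static void add_raw(private_radius_message_t *this, /* … same type/data parameters as add() … */)
{
	/* … unchanged: body of add() from data.len = min(...) to its end … */
}

METHOD(radius_message_t, add, void,
	/* … unchanged: parameter list … */)
{
	if (type == RAT_USER_PASSWORD)
	{
		/* a later User-Password replaces the pending one instead of bypassing encryption */
		chunk_clear(&this->password);
		/* … unchanged: store the null-padded copy, return … */
	}
	add_raw(this, type, data);
}
```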
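Review bot: `add(this, RAT_USER_PASSWORD, this->password)` in the sign() hunk runs the ciphertext through the `min(data.len, MAX_RADIUS_ATTRIBUTE_SIZE)` clamp in add(), so a long password is silently cut, and if MAX_RADIUS_ATTRIBUTE_SIZE is not a multiple of HASH_SIZE_MD5 the peer cannot decrypt the result at all; RFC 2865 §5.2 bounds the User-Password string at 128 octets in any case. Bound the plaintext where it is stored in the add() hunk, e.g. `data.len = min(data.len, 128);` (with a named constant for the limit) before the `round_up()`, or at least document the limit on the new `password` member. The in-place call `crypt(this, chunk_empty, this->password, this->password, secret, hasher)` also presumes that crypt() tolerates out == in and that the Request Authenticator is already set at this point of sign(); neither is visible in the hunk, so a comment such as `/* in-place: crypt() must handle out == in; authenticator is final here */` would make the ordering constraint explicit. The bodies of add() and sign() both continue outside their hunks.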