author | Martin Willi <martin@strongswan.org> | 2009-03-27 13:25:34 +0000 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2009-03-27 13:25:34 +0000 |
commit | 9d1bd182434052e4aae05f6936596e33a439e052 (patch) | |
tree | 56fe7fdb5aa448423ead3cc70d907ccef4e2a399 | |
parent | 510be1a32af7f61d2ddb32549f73eae645457cde (diff) | |
download | strongswan-9d1bd182434052e4aae05f6936596e33a439e052.tar.bz2 strongswan-9d1bd182434052e4aae05f6936596e33a439e052.tar.xz |
require Message-Authenticator attribute only if we have a EAP-Message
-rw-r--r-- | src/charon/plugins/eap_radius/radius_message.c | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/src/charon/plugins/eap_radius/radius_message.c b/src/charon/plugins/eap_radius/radius_message.c
index 7279c7957..a95d2bb93 100644
--- a/src/charon/plugins/eap_radius/radius_message.c
+++ b/src/charon/plugins/eap_radius/radius_message.c
@@ -308,6 +308,7 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
 enumerator_t *enumerator;
 int type;
 chunk_t data, msg;
+ bool has_eap = FALSE, has_auth = FALSE;
 /* replace Response by Request Authenticator for verification */
 memcpy(res_auth, this->msg->authenticator, HASH_SIZE_MD5);
@@ -339,11 +340,11 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
 memset(data.ptr, 0, data.len);
 if (signer->verify_signature(signer, msg, chunk_create(buf, sizeof(buf))))
- { /* good, restore Authenticators */
- memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5);
+ {
+ /* restore Message-Authenticator */
 memcpy(data.ptr, buf, data.len);
- enumerator->destroy(enumerator);
- return TRUE;
+ has_auth = TRUE;
+ break;
 }
 else
 {
@@ -352,10 +353,21 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
 return FALSE;
 }
 }
+ else if (type == RAT_EAP_MESSAGE)
+ {
+ has_eap = TRUE;
+ }
 }
 enumerator->destroy(enumerator);
- DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
- return FALSE;
+ /* restore Response-Authenticator */
+ memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5);
+
+ if (has_eap && !has_auth)
+ { /* Message-Authenticator is required if we have an EAP-Message */
+ DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
+ return FALSE;
+ }
+ return TRUE;
 }
 /** |
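Review bot: The new final `return TRUE` in the last hunk accepts a reply that carries neither an EAP-Message nor a Message-Authenticator, so such a packet gets no HMAC coverage. It is then authenticated only by whatever check runs earlier in verify(), presumably the MD5 Response-Authenticator comparison, which lies outside the hunks. Requiring the attribute only alongside EAP-Message matches the commit title, but for an EAP-only client it may be safer to keep Message-Authenticator mandatory on every reply, or to make the relaxation a configuration choice. At minimum the trade-off should be recorded above the check, e.g. `/* replies without EAP-Message are protected by the Response-Authenticator only */`. verify() starts before the first hunk, so the earlier checks could not be confirmed from this diff.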