authorMartin Willi <martin@revosec.ch>2012-01-30 19:13:20 +0100
committerMartin Willi <martin@revosec.ch>2012-01-30 19:13:20 +0100
commita69aff5f17d25f606e89e9a91410019e3d376afd (patch)
tree0dbdc7e961cbe706550f4b5e901d54116e5588e8
parent370de553f8a4d4bd9547ac2a47be2297c5b40843 (diff)
Support signing of RADIUS accounting messages
-rw-r--r--src/libcharon/plugins/eap_radius/radius_message.c29
-rw-r--r--src/libcharon/plugins/eap_radius/radius_message.h5
-rw-r--r--src/libcharon/plugins/eap_radius/radius_socket.c2
3 files changed, 26 insertions, 10 deletions
diff --git a/src/libcharon/plugins/eap_radius/radius_message.c b/src/libcharon/plugins/eap_radius/radius_message.c
index 35f37414b..b62745ad2 100644
--- a/src/libcharon/plugins/eap_radius/radius_message.c
+++ b/src/libcharon/plugins/eap_radius/radius_message.c
@@ -272,19 +272,32 @@ METHOD(radius_message_t, add, void,
}
METHOD(radius_message_t, sign, void,
- private_radius_message_t *this, rng_t *rng, signer_t *signer)
+ private_radius_message_t *this, rng_t *rng, signer_t *signer,
+ hasher_t *hasher, chunk_t secret)
{
- char buf[HASH_SIZE_MD5];
+ if (this->msg->code == RMC_ACCOUNTING_REQUEST)
+ {
+ chunk_t msg;
- /* build Request-Authenticator */
- rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+ memset(this->msg->authenticator, 0, sizeof(this->msg->authenticator));
+ msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
+ hasher->get_hash(hasher, msg, NULL);
+ hasher->get_hash(hasher, secret, this->msg->authenticator);
+ }
+ else
+ {
+ char buf[HASH_SIZE_MD5];
- /* build Message-Authenticator attribute, using 16 null bytes */
- memset(buf, 0, sizeof(buf));
- add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
- signer->get_signature(signer,
+ /* build Request-Authenticator */
+ rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+
+ /* build Message-Authenticator attribute, using 16 null bytes */
+ memset(buf, 0, sizeof(buf));
+ add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
+ signer->get_signature(signer,
chunk_create((u_char*)this->msg, ntohs(this->msg->length)),
((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
+ }
}
METHOD(radius_message_t, verify, bool,
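Review bot: The Accounting-Request branch depends on hasher being driven incrementally — the first get_hash call with a NULL output only accumulates the zeroed message, the second appends secret and writes the digest into this->msg->authenticator — but nothing in the code says so, and the results of both get_hash calls are ignored, so a failing hash (if this hasher API can report one) would leave the authenticator all zero with no way for the caller to notice, since sign returns void. A comment at the top of the branch would make the construction auditable: `/* Request-Authenticator = MD5(Code | ID | Length | 16 zero octets | attributes | secret), RFC 2866 section 3; no Message-Authenticator attribute is added for accounting */`. verify, whose body begins at the last line of this hunk and continues outside it, is not touched by the commit; if it still requires a Message-Authenticator attribute, Accounting-Response packets (which carry none) would presumably fail to verify — worth confirming against the rest of the file.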
diff --git a/src/libcharon/plugins/eap_radius/radius_message.h b/src/libcharon/plugins/eap_radius/radius_message.h
index 18a2bcec1..1920931ce 100644
--- a/src/libcharon/plugins/eap_radius/radius_message.h
+++ b/src/libcharon/plugins/eap_radius/radius_message.h
@@ -238,8 +238,11 @@ struct radius_message_t {
*
* @param rng RNG to create Request-Authenticator
* @param signer HMAC-MD5 signer with secret set
+ * @param hasher MD5 hasher
+ * @param secret shared RADIUS secret
*/
- void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer);
+ void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer,
+ hasher_t *hasher, chunk_t secret);
/**
* Verify the integrity of a received RADIUS response.
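Review bot: The new @param lines do not say that hasher and secret are consulted only for Accounting-Request packets while rng and signer are used only for every other code, which is what the implementation in radius_message.c does, so a caller reading only the header would assume all four are always needed. Suggest `@param hasher MD5 hasher, used to build the Accounting-Request authenticator` and `@param secret shared RADIUS secret, appended to the accounting hash`.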
diff --git a/src/libcharon/plugins/eap_radius/radius_socket.c b/src/libcharon/plugins/eap_radius/radius_socket.c
index b3229c288..46513ee57 100644
--- a/src/libcharon/plugins/eap_radius/radius_socket.c
+++ b/src/libcharon/plugins/eap_radius/radius_socket.c
@@ -132,7 +132,7 @@ METHOD(radius_socket_t, request, radius_message_t*,
/* set Message Identifier */
request->set_identifier(request, this->identifier++);
/* sign the request */
- request->sign(request, this->rng, this->signer);
+ request->sign(request, this->rng, this->signer, this->hasher, this->secret);
if (!check_connection(this))
{