it helps to sign the packets.
Note that the salted fields still don't have deterministic
randomness.  That will need to be fixed by passing packet_ctx
to fr_radius_encode()
alandekok committed Apr 24, 2020
1 parent 6cd03c6 commit ed5c2b8
Showing 2 changed files with 25 additions and 3 deletions.
22 changes: 21 additions & 1 deletion src/protocols/radius/encode.c
Expand Up @@ -1466,12 +1466,32 @@ static ssize_t fr_radius_encode_proto(UNUSED TALLOC_CTX *ctx, VALUE_PAIR *vps, u
fr_radius_ctx_t *test_ctx = talloc_get_type_abort(proto_ctx, fr_radius_ctx_t);
int packet_type = FR_CODE_ACCESS_REQUEST;
VALUE_PAIR *vp;
ssize_t slen;

vp = fr_pair_find_by_da(vps, attr_packet_type, TAG_ANY);
if (vp) packet_type = vp->vp_uint32;

return fr_radius_encode(data, data_len, NULL, test_ctx->secret, talloc_array_length(test_ctx->secret) - 1,
if ((packet_type == FR_CODE_ACCESS_REQUEST) || (packet_type == FR_CODE_STATUS_SERVER)) {
int i;

for (i = 0; i < RADIUS_AUTH_VECTOR_LENGTH; i++) {
data[4 + i] = fr_fast_rand(&test_ctx->rand_ctx);
}
}

/*
* @todo - pass in test_ctx to this function, so that we
* can leverage a consistent random number generator.
*/
slen = fr_radius_encode(data, data_len, NULL, test_ctx->secret, talloc_array_length(test_ctx->secret) - 1,
packet_type, 0, vps);
if (slen <= 0) return slen;

if (fr_radius_sign(data, NULL, (uint8_t const *) test_ctx->secret, talloc_array_length(test_ctx->secret) - 1) < 0) {
return -1;
}

return slen;
}

/*
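Review bot: The loop `data[4 + i] = fr_fast_rand(&test_ctx->rand_ctx);` writes RADIUS_AUTH_VECTOR_LENGTH bytes into `data` before anything in this hunk has compared `data_len` against the header size, so a caller-supplied buffer shorter than 4 + RADIUS_AUTH_VECTOR_LENGTH is written out of bounds even if fr_radius_encode() would later reject it. A guard ahead of the `if ((packet_type == FR_CODE_ACCESS_REQUEST) || (packet_type == FR_CODE_STATUS_SERVER))` block closes this: `if (data_len < 4 + RADIUS_AUTH_VECTOR_LENGTH) return -1;`. The loop also deserves a one-line comment such as `/* Fill the Request Authenticator from the test RNG so encoded output is reproducible; not a production RNG. */`, since a reader could otherwise take fr_fast_rand() for the authenticator source used outside the test harness. The function's signature is above the hunk (only the `@@` header shows it), and whether fr_radius_encode() leaves `data[4..19]` untouched when its third argument is NULL cannot be confirmed from these lines.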
6 changes: 4 additions & 2 deletions src/tests/unit/protocols/radius/packet_rfc3162.txt
Expand Up @@ -61,6 +61,8 @@ proto-dictionary radius
decode-proto 01 f0 00 8d 2a fd b0 90 41 8a c6 36 52 98 fb bb 15 e0 fd 2e 01 05 62 6f 62 02 12 45 e8 d5 da ea d8 7e 40 15 e0 fc c0 ec 0f 08 a1 5f 12 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01 61 14 00 40 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 00 61 0c 00 40 20 01 0d b8 0a 0b 12 f0 61 04 00 00 61 03 00 61 15 00 40 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 00 00 61 14 00 81 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01
match Packet-Type = Access-Request, Packet-Authentication-Vector = 0x2afdb090418ac6365298fbbb15e0fd2e, User-Name = "bob", User-Password = "\323\006\334\020\236%\004Z\005\246\373\344\354\033\212*", NAS-IPv6-Address = 2001:db8:a0b:12f0::1, Framed-IPv6-Prefix = 2001:db8:a0b:12f0::/64, Framed-IPv6-Prefix = 2001:db8:a0b:12f0::/64, Framed-IPv6-Prefix = ::/0, Attr-97 = 0x00, Attr-97 = 0x004020010db80a0b12f0000000000000000000, Attr-97 = 0x008120010db80a0b12f00000000000000001

count
match 4
encode-proto -
match 01 00 00 85 00 44 be 93 a9 c4 d0 90 66 04 bc 31 93 7a 49 51 01 05 62 6f 62 02 12 3b ab 4a 9a db 55 c5 f9 98 99 d7 09 e3 c0 9e 32 5f 12 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01 61 0c 00 40 20 01 0d b8 0a 0b 12 f0 61 0c 00 40 20 01 0d b8 0a 0b 12 f0 61 04 00 00 61 03 00 61 15 00 40 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 00 00 61 14 00 81 20 01 0d b8 0a 0b 12 f0 00 00 00 00 00 00 00 01

count
match 6
