"Alan DeKok" <[EMAIL PROTECTED]> writes:
> Bjørn Mork <[EMAIL PROTECTED]> wrote:
>> My problem seems to be that FreeRADIUS will only encrypt string or
>> octet values, while Juniper has defined salt encrypted integer and
>> ipaddr VSAs too.
>
> Try setting "encrypt=2" for attribute 59. That should work there.
Yup. Thanks. I should have seen that 2 was the correct method.
> For the non-string attributes, it may be possible to patch
> src/lib/radius.c to decrypt them, too. I wouldn't be surprised if the
> patch was only a few lines.
>
> But either you need C experience to write the patch, or you need to
> supply the packet data to someone who can write the patch.
This seems to do the job:
--- freeradius-1.0.4/src/lib/radius.c Sun Dec 19 21:11:54 2004
+++ freeradius-1.0.4-bmork/src/lib/radius.c Fri Aug 26 11:15:03 2005
@@ -488,8 +488,6 @@
case PW_TYPE_INTEGER:
case PW_TYPE_IPADDR:
- *length_ptr += 4;
- if (vsa_length_ptr) *vsa_length_ptr += 4;
if (reply->type == PW_TYPE_INTEGER ) {
/* If tagged, the tag becomes the MSB of the value */
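Review bot: with `*length_ptr += 4` and the `vsa_length_ptr` increment removed here, the INTEGER/IPADDR case no longer accounts for its own length at this point; that is correct only because the increments reappear after `len` is known further down, so a one-line comment here saying the length counters are updated at the end of the case would stop a later reader from taking the missing increment for a bug.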
@@ -510,9 +508,23 @@
*/
lvalue = reply->lvalue;
}
- memcpy(ptr, &lvalue, 4);
- ptr += 4;
- total_length += 4;
+
+ len = 4;
+ if (reply->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD) {
+ if (!original) {
+ librad_log("ERROR: No request packet, cannot encrypt Tunnel-Password attribute in the reply.");
+ return -1;
+ }
+ memcpy(reply->strvalue, &lvalue, len); /* NOTE: destroys the original text attribute */
+ rad_tunnel_pwencode(reply->strvalue, &len, secret, original->vector);
+ memcpy(ptr, reply->strvalue, len);
+ } else {
+ memcpy(ptr, &lvalue, len);
+ }
+ *length_ptr += len;
+ if (vsa_length_ptr) *vsa_length_ptr += len;
+ ptr += len;
+ total_length += len;
break;
/*
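Review bot: `memcpy(reply->strvalue, &lvalue, len)` clobbers the VALUE_PAIR as a side effect, as the NOTE comment admits; a local scratch buffer would avoid mutating `reply` (which matters if the same pair is ever encoded twice) and should be sized for the grown `len`, since `rad_tunnel_pwencode` expands the 4-byte value to salt plus padded ciphertext rather than leaving it at 4. The `librad_log` message also says "Tunnel-Password attribute" although this path encodes an integer or ipaddr attribute; name the attribute actually being encoded. The early `return -1` does happen before any counter is touched, so the length accounting stays consistent on that path.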
Any chance of getting something like this into the 1.0 branch, or
should I prepare a nicer patch for CVS HEAD instead?
There is also this dictionary update to go with it, but it's pretty
useless without the patch:
Bjørn
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
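For reference, the salt-encryption the patched integer case applies is the RFC 2868 Tunnel-Password scheme; the following is an added example (not code from this thread or from FreeRADIUS) that encodes and decodes a 4-byte integer value that way, assuming zero padding of the plaintext and constructed secret, authenticator and salt values.

```python
import hashlib
import struct


def tunnel_password_encode(plaintext: bytes, secret: bytes,
                           request_authenticator: bytes, salt: bytes) -> bytes:
    """RFC 2868 section 3.5 Tunnel-Password encoding: returns salt || ciphertext.

    The plaintext is prefixed with its length byte and padded to a multiple of
    16 bytes (zero padding is an assumption; the RFC leaves the padding open).
    """
    assert len(request_authenticator) == 16
    assert len(salt) == 2 and salt[0] & 0x80, "salt must have its high bit set"
    p = bytes([len(plaintext)]) + plaintext
    p += b"\x00" * (-len(p) % 16)
    out = b""
    # First MD5 block is keyed with secret || authenticator || salt,
    # each following block with secret || previous ciphertext block.
    prev = request_authenticator + salt
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c
    return salt + out


def tunnel_password_decode(data: bytes, secret: bytes,
                           request_authenticator: bytes) -> bytes:
    """Inverse of tunnel_password_encode; strips the length byte and padding."""
    salt, cipher = data[:2], data[2:]
    out = b""
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        c = cipher[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out[1:1 + out[0]]


def encode_integer_attribute(value: int, secret: bytes,
                             authenticator: bytes, salt: bytes) -> bytes:
    # The 4-byte value goes on the wire in network byte order, as the
    # patched INTEGER/IPADDR case does before encrypting it.
    return tunnel_password_encode(struct.pack("!I", value), secret, authenticator, salt)


def decode_integer_attribute(data: bytes, secret: bytes, authenticator: bytes) -> int:
    return struct.unpack("!I", tunnel_password_decode(data, secret, authenticator))[0]
```

A 4-byte value always becomes 18 bytes on the wire (2 bytes of salt plus one padded 16-byte block), which is why the patch has to update the length counters only after the encryption step.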