bug-gnu-radius

[Bug-gnu-radius] patchinfo: 2170 Tunnel-Password attribute encryption (R


From: Maurice Makaay
Subject: [Bug-gnu-radius] patchinfo: 2170 Tunnel-Password attribute encryption (RFC2868 par. 3.5)
Date: Wed, 29 Oct 2003 22:54:20 +0100

2170 Tunnel-Password attribute encryption (RFC2868 par. 3.5)
----------------------------------------------------------------------
We are using a setup according to RFC2868 ("RADIUS Attributes for
Tunnel Protocol Support", included in the gnu-radius distribution as
doc/rfc/rfc2868.txt). This RFC is not fully supported by gnu-radius.
The Tunnel-Password attribute is always sent in clear text. This
is not correct (see paragraph 3.5). This patch adds attribute
encryption following the RFC. I only implemented encryption. I do not
know if it makes sense to also implement decryption (maybe in a proxy
setup?). If you have comments on the need of a decryption algorithm,
please let me know and I'll look into it.

Implementation details:
For the patch, I created a new dictionary attribute flag 'T'
(for Tunnel), which internally sets the AP_RFC2868_CRYPT property
for dictionary items. Just before sending out a radius reply packet,
the server loops through the reply pairs to see if any of them
has the AP_RFC2868_CRYPT property set. If yes, the clear text password
which is stored in the pair is encrypted by calling the function
encrypt_attr_rfc2868().
----------------------------------------------------------------------

With kind regards,

Maurice Makaay
InterNLnet BV
The Netherlands
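
The salted encryption that RFC 2868 par. 3.5 specifies for Tunnel-Password, as an added example; it is not code from the patch or from gnu-radius. It is written in Python with hashlib rather than C, the function names are hypothetical, and it covers only the Salt and String fields (not the Tag octet) plus the reverse operation a proxy would need.

```python
import hashlib
import os

def _xor_md5_chain(data, secret, seed, feed_output):
    """XOR 16-octet blocks with b(i) = MD5(S + previous ciphertext block)."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, pad))
        out += res
        # The chain always runs over ciphertext: the output when
        # encrypting, the input when decrypting.
        prev = res if feed_output else block
    return out

def encrypt_tunnel_password(password, secret, authenticator, salt=None):
    """Return Salt (2 octets) + encrypted String for a Tunnel-Password value.

    authenticator is the 16-octet Request Authenticator of the
    Access-Request being answered; secret is the shared secret.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 239:
        # 1 length octet + password, padded to 16, must fit one attribute
        raise ValueError("password too long for a single attribute")
    if salt is None:
        salt = os.urandom(2)
    # The most significant bit of the Salt must be set.
    salt = bytes([salt[0] | 0x80, salt[1]])
    # Plaintext = Data-Length octet + password, null-padded to 16 octets.
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    # b(1) = MD5(S + R + A); later blocks chain on the ciphertext.
    return salt + _xor_md5_chain(plain, secret, authenticator + salt, True)

def decrypt_tunnel_password(value, secret, authenticator):
    """Reverse of encrypt_tunnel_password(); value is Salt + String."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("bad Salt")
    if not cipher or len(cipher) % 16:
        raise ValueError("String is not a multiple of 16 octets")
    plain = _xor_md5_chain(cipher, secret, authenticator + salt, False)
    if plain[0] > len(plain) - 1:
        raise ValueError("bad Data-Length (wrong secret or authenticator?)")
    return plain[1:1 + plain[0]]
```
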



