Don't assume challenges and responses don't contain embedded '\0's.

Mschapv2 response generation may produce embedded NULs... causing
us to send a bogus response to the radius server and end up
failing the client's valid response.

Problem pointed out by: Eugene Vigovskiy <vigov@com2com.ru>

4 files changed, 12 insertions, 15 deletions

diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index 437fbc1..3ef6793 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -810,16 +810,12 @@ chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
         name = chap->auth.in.name;
         nlen = strlen(name);
 #ifndef NORADIUS
-        if (*bundle->radius.cfg.file) {
-          u_char end;
-
-          end = chap->challenge.local[*chap->challenge.local+1];
-          chap->challenge.local[*chap->challenge.local+1] = '\0';
+        if (*bundle->radius.cfg.file)
           radius_Authenticate(&bundle->radius, &chap->auth,
-                              chap->auth.in.name, ans,
-                              chap->challenge.local + 1);
-          chap->challenge.local[*chap->challenge.local+1] = end;
-        } else
+                              chap->auth.in.name, ans, alen + 1,
+                              chap->challenge.local + 1,
+                              *chap->challenge.local);
+        else
 #endif
         {
           key = auth_GetSecret(bundle, name, nlen, p);
diff --git a/usr.sbin/ppp/pap.c b/usr.sbin/ppp/pap.c
index d70e198..a2f4488 100644
--- a/usr.sbin/ppp/pap.c
+++ b/usr.sbin/ppp/pap.c
@@ -249,7 +249,7 @@ pap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
 #ifndef NORADIUS
       if (*bundle->radius.cfg.file)
         radius_Authenticate(&bundle->radius, authp, authp->in.name,
-                            key, NULL);
+                            key, strlen(key), NULL, 0);
       else
 #endif
       if (auth_Validate(bundle, authp->in.name, key, p))
diff --git a/usr.sbin/ppp/radius.c b/usr.sbin/ppp/radius.c
index 79c81b0..14a7d1a 100644
--- a/usr.sbin/ppp/radius.c
+++ b/usr.sbin/ppp/radius.c
@@ -368,7 +368,7 @@ radius_Destroy(struct radius *r)
  */
 void
 radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
-                    const char *key, const char *challenge)
+                    const char *key, int klen, const char *challenge, int clen)
 {
   struct ttyent *ttyp;
   struct timeval tv;
@@ -416,14 +416,14 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
 
   if (challenge != NULL) {
     /* We're talking CHAP */
-    if (rad_put_string(r->cx.rad, RAD_CHAP_PASSWORD, key) != 0 ||
-        rad_put_string(r->cx.rad, RAD_CHAP_CHALLENGE, challenge) != 0) {
+    if (rad_put_attr(r->cx.rad, RAD_CHAP_PASSWORD, key, klen) != 0 ||
+        rad_put_attr(r->cx.rad, RAD_CHAP_CHALLENGE, challenge, clen) != 0) {
       log_Printf(LogERROR, "CHAP: rad_put_string: %s\n",
                  rad_strerror(r->cx.rad));
       rad_close(r->cx.rad);
       return;
     }
-  } else if (rad_put_string(r->cx.rad, RAD_USER_PASSWORD, key) != 0) {
+  } else if (rad_put_attr(r->cx.rad, RAD_USER_PASSWORD, key, klen) != 0) {
     /* We're talking PAP */
     log_Printf(LogERROR, "PAP: rad_put_string: %s\n", rad_strerror(r->cx.rad));
     rad_close(r->cx.rad);
diff --git a/usr.sbin/ppp/radius.h b/usr.sbin/ppp/radius.h
index a02847c..ca54615 100644
--- a/usr.sbin/ppp/radius.h
+++ b/usr.sbin/ppp/radius.h
@@ -65,7 +65,8 @@ extern void radius_Destroy(struct radius *);
 
 extern void radius_Show(struct radius *, struct prompt *);
 extern void radius_Authenticate(struct radius *, struct authinfo *,
-                                const char *, const char *, const char *);
+                                const char *, const char *, int,
+                                const char *, int);
 extern void radius_Account(struct radius *, struct radacct *, 
                            struct datalink *, int, struct in_addr *,
                            struct in_addr *, struct pppThroughput *);