From 7dd9766a72d9ad26f4db09c8a52067d1dd4e777c Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Sun, 28 Jun 2020 20:57:57 +0500 Subject: sstp: fix compound mac validation with broken clients sstp-client sends SSTP_MSG_CALL_CONNECTED message too early, before auth response, so HLAK can't be known yet and subsequent HLAK-based validation fails. workaround the issue by defer accepting SSTP_MSG_CALL_CONNECTED after auth either has been succeeded or bypassed. --- accel-pppd/ppp/ppp_auth.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'accel-pppd/ppp') diff --git a/accel-pppd/ppp/ppp_auth.c b/accel-pppd/ppp/ppp_auth.c index c475dad..33d0021 100644 --- a/accel-pppd/ppp/ppp_auth.c +++ b/accel-pppd/ppp/ppp_auth.c @@ -279,13 +279,12 @@ static void __ppp_auth_started(struct ppp_t *ppp) if (ppp->ses.terminating) return; - log_ppp_debug("auth_layer_started\n"); - ppp_layer_started(ppp, &ad->ld); - - log_ppp_info1("%s: authentication succeeded\n", ppp->ses.username); triton_event_fire(EV_SES_AUTHORIZED, &ppp->ses); + + log_ppp_debug("auth_layer_started\n"); + ppp_layer_started(ppp, &ad->ld); } int __export ppp_auth_succeeded(struct ppp_t *ppp, char *username) -- cgit v1.2.3
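Review bot: `ppp->ses.terminating` is checked only before `triton_event_fire(EV_SES_AUTHORIZED, &ppp->ses)`, so in the new order `ppp_layer_started(ppp, &ad->ld)` still runs when a handler of that event has just torn the session down. The commit message ties this reorder to SSTP's deferred SSTP_MSG_CALL_CONNECTED and its HLAK-based compound MAC check; if that check can fail from within the event (the SSTP side is not in this hunk, and synchronous dispatch should be confirmed), the next layer must not come up, so repeat the guard after the event: `if (ppp->ses.terminating) return;`. The order is now load-bearing but nothing in the code says so; a comment such as `/* EV_SES_AUTHORIZED must fire before the next layer starts; SSTP compound MAC validation is deferred until auth completes */` would stop a later cleanup from swapping it back. If the `log_ppp_info1` "authentication succeeded" line is really dropped here, as the flattened hunk suggests, the message does not explain it and that record is worth keeping for auth auditing. The start of `__ppp_auth_started` is outside the hunk.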