1 files changed, 21 insertions, 5 deletions

diff --git a/radsecproxy.c b/radsecproxy.c
index 56b9a54..d84642f 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2029,6 +2029,14 @@ void radsrv(struct request *rq) {
     
     /* below: code == RAD_Access_Request || code == RAD_Accounting_Request */
 
+    if (code == RAD_Accounting_Request) {
+	memset(newauth, 0, 16);
+	if (!validauth(rq->buf, newauth, (unsigned char *)rq->from->conf->secret)) {
+	    debug(DBG_WARN, "radsrv: Accounting-Request message authentication failed");
+	    goto exit;
+	}
+    }
+    
     if (rq->from->conf->rewrite) {
 	dorewrite(rq->buf, rq->from->conf->rewrite);
 	len = RADLEN(rq->buf) - 20;
@@ -2083,10 +2091,12 @@ void radsrv(struct request *rq) {
 	      radmsgtype2string(code), rq->from->conf->host, id);
 	goto exit;
     }
-
-    if (!RAND_bytes(newauth, 16)) {
-	debug(DBG_WARN, "radsrv: failed to generate random auth");
-	goto exit;
+    
+    if (code != RAD_Accounting_Request) {
+	if (!RAND_bytes(newauth, 16)) {
+	    debug(DBG_WARN, "radsrv: failed to generate random auth");
+	    goto exit;
+	}
     }
 
 #ifdef DEBUG
@@ -2109,7 +2119,13 @@ void radsrv(struct request *rq) {
 
     rq->origid = id;
     memcpy(rq->origauth, auth, 16);
-    memcpy(auth, newauth, 16);
+    if (code == RAD_Accounting_Request) {
+	if (!radsign(rq->buf, (unsigned char *)to->conf->secret)) {
+	    debug(DBG_WARN, "radsrv: failed to sign Accounting-Request message");
+	    goto exit;
+	}
+    } else
+	memcpy(auth, newauth, 16);
     sendrq(to, rq);
     return;