author | Alan T. DeKok <aland@freeradius.org> | 2024-06-12 13:29:36 -0400 |
---|---|---|
committer | Robert Gingras <rgingras@mieweb.com> | 2025-03-31 11:39:54 -0400 |
commit | dde67d80623bdca4da8e76467b90754e34835ae3 (patch) | |
tree | 06a8d6335fca0d8322717efd5215b04ae329eb7d /src | |
parent | 84184844ec80c840a3499bb3fedd74ea9acf4dd2 (diff) | |
download | libpam-radius-auth-dde67d80623bdca4da8e76467b90754e34835ae3.tar.gz libpam-radius-auth-dde67d80623bdca4da8e76467b90754e34835ae3.zip |
add and document "require_message_authenticator" flag
Diffstat (limited to 'src')
-rw-r--r-- | src/pam_radius_auth.c | 11 | ||||
-rw-r--r-- | src/pam_radius_auth.h | 1 |
2 files changed, 10 insertions, 2 deletions
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index aa3a650..560b141 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -131,6 +131,9 @@ static int _pam_parse(pam_handle_t * pamh, int argc, CONST char **argv,
 } else if (!strncmp(*argv, "max_challenge=", 14)) {
 conf->max_challenge = atoi(*argv + 14);
+ } else if (!strcmp(*argv, "require_message_authenticator")) {
+ conf->require_message_authenticator = TRUE;
+
 } else {
 _pam_log(pamh, LOG_WARNING, "unrecognized option '%s'", *argv);
@@ -379,7 +382,7 @@ static void get_accounting_vector(AUTH_HDR * request, radius_server_t * server)
 /*
 * Verify the response from the server
 */
-static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request)
+static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request, radius_conf_t *conf)
 {
 MD5_CTX my_md5;
 uint8_t calculated[AUTH_VECTOR_LEN];
@@ -414,6 +417,10 @@ static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *
 attr += attr[1];
 }
+ if ((request->code == PW_AUTHENTICATION_REQUEST) && conf->require_message_authenticator && !message_authenticator) {
+ return FALSE;
+ }
+
 /*
 * We could dispense with the memcpy, and do MD5's of the packet
 * + vector piece by piece. This is easier understand, and maybe faster.
@@ -1248,7 +1255,7 @@ static int talk_radius(radius_conf_t * conf, AUTH_HDR * request,
 }
 if (!verify_packet
- (server, response, request)) {
+ (server, response, request, conf)) {
 _pam_log(pamh, LOG_ERR, "response from server"
 " %s failed"
diff --git a/src/pam_radius_auth.h b/src/pam_radius_auth.h
index da7177b..5f056c5 100644
--- a/src/pam_radius_auth.h
+++ b/src/pam_radius_auth.h
@@ -158,6 +158,7 @@ typedef struct radius_conf_t {
 char privusrmap[64];
 int prompt_attribute;
 int privilege_level;
+ int require_message_authenticator;
 uint8_t *message_authenticator;
 } radius_conf_t;
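Review bot: The lone added `+` blank line between `conf->require_message_authenticator = TRUE;` and `} else {` breaks the visual continuity of the `else if` chain in _pam_parse; none of the surrounding branches separate themselves with a blank line, so I would drop it. The new branch itself is fine: the option takes no value, so `strcmp` rather than the `strncmp(..., "name=", n)` prefix form used by `max_challenge=` is the right choice. _pam_parse starts and ends outside the hunk.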
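Review bot: verify_packet only reads through the new `conf` parameter (the single use visible in this commit is `conf->require_message_authenticator` in the later hunk), so it should be const-qualified: `static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request, const radius_conf_t *conf)`. The caller in talk_radius passes its own `radius_conf_t * conf`, which converts to `const` implicitly, so no other change is needed. The existing three parameters are non-const, so this is a deliberate deviation from the file's style; I would still take it for a verification routine, where making it obvious that the configuration cannot be mutated is worth more than uniformity. The function body continues outside the hunk.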
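Review bot: The new guard that returns `FALSE` when an Access-Request reply lacks Message-Authenticator has no comment, and it is the one security-relevant decision in this commit, so I would add one: `/* Opt-in hardening: when the admin demands Message-Authenticator on replies to Access-Request, reject a reply that lacks it before the MD5 Response Authenticator check below, which is otherwise the only integrity check on the reply. */`. Because verify_packet has no `pamh` and just returns `FALSE`, the caller in talk_radius reports this as the generic "response from server %s failed", so an operator cannot distinguish a missing attribute from a bad Response Authenticator; a distinct return value or a logged reason in the caller would make rollouts of the flag debuggable. I am assuming the local `message_authenticator` is set by the attribute loop just above (outside the hunk) and that the HMAC is actually checked when the attribute is present; if the loop only records presence, the flag guarantees less than its name suggests, which is worth confirming.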
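Review bot: The new struct field `int require_message_authenticator;` is undocumented and sits directly above `uint8_t *message_authenticator;`, whose near-identical name refers to something else (presumably the attribute data itself), so a one-line comment disambiguating the two would help: `int require_message_authenticator;	/* reject Access-Request replies without Message-Authenticator; set by the "require_message_authenticator" option */`. The parsing hunk only ever sets the field to `TRUE`, so "off by default" holds only if the `radius_conf_t` is zero-initialised before _pam_parse runs, which this commit does not show; stating that expectation in the comment, or in the option documentation, would make the default explicit.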