Diffstat (limited to 'src/pam_radius_auth.c')
-rw-r--r--src/pam_radius_auth.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index aa3a650..560b141 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -131,6 +131,9 @@ static int _pam_parse(pam_handle_t * pamh, int argc, CONST char **argv,
} else if (!strncmp(*argv, "max_challenge=", 14)) {
conf->max_challenge = atoi(*argv + 14);
+ } else if (!strcmp(*argv, "require_message_authenticator")) {
+ conf->require_message_authenticator = TRUE;
+
} else {
_pam_log(pamh, LOG_WARNING, "unrecognized option '%s'",
*argv);
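Review bot: The new `require_message_authenticator` branch sets a bare flag with no comment on what it gates, and since the option is opt-in, deployments that never add it keep the previous packet checking unchanged; a one-line comment above the branch, `/* When set, a reply to an Access-Request without a Message-Authenticator attribute is rejected in verify_packet(); off unless configured. */`, records both points where an admin or maintainer reading the option parser will look. The `+` line after the assignment is a stray blank line the neighbouring branches do not have. Whether the field starts out FALSE depends on how `conf` is initialised, which is outside this hunk, as is the rest of `_pam_parse`.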
@@ -379,7 +382,7 @@ static void get_accounting_vector(AUTH_HDR * request, radius_server_t * server)
/*
* Verify the response from the server
*/
-static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request)
+static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request, radius_conf_t *conf)
{
MD5_CTX my_md5;
uint8_t calculated[AUTH_VECTOR_LEN];
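Review bot: The header comment `Verify the response from the server` now sits on a signature with a fourth parameter whose effect is not described; extend it to `/* Verify the response from the server. conf controls optional checks (e.g. require_message_authenticator) and must be non-NULL. */` so the contract for callers is visible at the declaration rather than only at the single call site in talk_radius. The body of verify_packet continues past this hunk.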
@@ -414,6 +417,10 @@ static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *
attr += attr[1];
}
+ if ((request->code == PW_AUTHENTICATION_REQUEST) && conf->require_message_authenticator && !message_authenticator) {
+ return FALSE;
+ }
+
/*
* We could dispense with the memcpy, and do MD5's of the packet
* + vector piece by piece. This is easier understand, and maybe faster.
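Review bot: The added check depends on `message_authenticator` being set by the attribute walk that ends at `attr += attr[1];`, which lies outside this hunk, and from the visible lines it can only be read as a presence flag; if the attribute's HMAC is not validated elsewhere in verify_packet, presence alone does not authenticate the reply, so that should be confirmed or the check extended. The early `return FALSE` runs before the Response Authenticator digest computed below, which is fine since the caller already logs a failed verification, but the intent deserves a comment: `/* Optional hardening: a reply to an Access-Request must carry Message-Authenticator when the module is configured to require it. */`. The loop that sets the flag and the remainder of verify_packet are outside the hunk.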
@@ -1248,7 +1255,7 @@ static int talk_radius(radius_conf_t * conf, AUTH_HDR * request,
}
if (!verify_packet
- (server, response, request)) {
+ (server, response, request, conf)) {
_pam_log(pamh, LOG_ERR,
"response from server"
" %s failed"