Require Message-Authenticator in Access-Reject even without EAP-Message

Do not allow the exception for missing Message-Authenticator in Access-Reject without EAP-Message. While such exception is allowed in RADIUS definition, there is no strong reason to maintain this since Access-Reject is supposed to include EAP-Message and even if it doesn't, discarding Access-Reject will result in the connection not completing. Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-16 11:31:37 +02:00 · 2024-03-16 11:31:37 +02:00 · 934b0c3a45
commit 934b0c3a45
parent f54157077f
1 changed files with 1 additions and 10 deletions
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@ -2042,16 +2042,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
 	}
 	sta = sm->sta;

-	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
-	 * present when packet contains an EAP-Message attribute */
-	if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
-	    radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
-				0) < 0 &&
-	    radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
-		wpa_printf(MSG_DEBUG,
-			   "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
-	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
-				     req, 1)) {
+	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 1)) {
 		wpa_printf(MSG_INFO,
 			   "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
 		return RADIUS_RX_INVALID_AUTHENTICATOR;