From f302d9f9646704cce745734af21d540baa0da65f Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 17 Mar 2024 10:47:58 +0200
Subject: [PATCH] RADIUS: Check Message-Authenticator if it is present even if
 not required

Always check the Message-Authenticator attribute in a received RADIUS
message if it is present. Previously, this would have been skipped if
the attribute was not required to be present.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/radius/radius.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/radius/radius.c b/src/radius/radius.c
index a7a137a98..37aa216b1 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -1001,6 +1001,20 @@ int radius_msg_verify(struct radius_msg *msg, const u8 *secret,
 		return 1;
 	}
 
+	if (!auth) {
+		u8 *pos;
+		size_t alen;
+
+		if (radius_msg_get_attr_ptr(msg,
+					    RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
+					    &pos, &alen, NULL) == 0) {
+			/* Check the Message-Authenticator attribute since it
+			 * was included even if we are configured to not
+			 * require it. */
+			auth = 1;
+		}
+	}
+
 	if (auth &&
 	    radius_msg_verify_msg_auth(msg, secret, secret_len,
 				       sent_msg->hdr->authenticator)) {