RADIUS: Check Message-Authenticator if it is present even if not required

Always check the Message-Authenticator attribute in a received RADIUS
message if it is present. Previously, this would have been skipped if
the attribute was not required to be present.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2024-03-17 10:47:58 +02:00
parent 58097123ec
commit f302d9f964

View file

@ -1001,6 +1001,20 @@ int radius_msg_verify(struct radius_msg *msg, const u8 *secret,
return 1;
}
if (!auth) {
u8 *pos;
size_t alen;
if (radius_msg_get_attr_ptr(msg,
RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
&pos, &alen, NULL) == 0) {
/* Check the Message-Authenticator attribute since it
* was included even if we are configured to not
* require it. */
auth = 1;
}
}
if (auth &&
radius_msg_verify_msg_auth(msg, secret, secret_len,
sent_msg->hdr->authenticator)) {