
add and document "require_message_authenticator" flag
alandekok committed Jul 15, 2024
1 parent 470f56b commit 17a8a42
Showing 3 changed files with 13 additions and 2 deletions.
3 changes: 3 additions & 0 deletions USAGE
Expand Up @@ -101,5 +101,8 @@ prompt_attribute - Enable honoring of Prompt attribute sent from server for
input. Without this option all user input during
challenge-response will be echoed. See RFC2869 Section 5.10

require_message_authenticator - Discard Access-Accept, Access-Challenge, and
Access-Reject packets which do not contain Message-Authenticator.

---------------------------------------------------------------------------

11 changes: 9 additions & 2 deletions src/pam_radius_auth.c
Expand Up @@ -197,6 +197,9 @@ static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf)
} else if (!strcmp(arg, "privilege_level")) {
conf->privilege_level = TRUE;

} else if (!strcmp(arg, "require_message_authenticator")) {
conf->require_message_authenticator = TRUE;

} else {
_pam_log(LOG_WARNING, "unrecognized option '%s'", arg);
}
Expand Down Expand Up @@ -435,7 +438,7 @@ static void get_accounting_vector(AUTH_HDR *request, radius_server_t *server)
/**
* Verify the response from the server
*/
static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request)
static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request, radius_conf_t *conf)
{
MD5_CTX my_md5;
uint8_t calculated[AUTH_VECTOR_LEN];
Expand Down Expand Up @@ -470,6 +473,10 @@ static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *
attr += attr[1];
}

if ((request->code == PW_ACCESS_REQUEST) && conf->require_message_authenticator && !message_authenticator) {
return FALSE;
}

/*
* We could dispense with the memcpy, and do MD5's of the packet
* + vector piece by piece. This is easier understand, and maybe faster.
Expand Down Expand Up @@ -1242,7 +1249,7 @@ static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *respons
continue;
}

if (!verify_packet(server, response, request)) {
if (!verify_packet(server, response, request, conf)) {
_pam_log(LOG_ERR, "packet from RADIUS server %s failed verification: "
"The shared secret is probably incorrect.", server->hostname);
continue;
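Review bot: The new check after the attribute loop in verify_packet returns FALSE without recording why, so the only diagnostic the operator gets is the caller's message in talk_radius, `The shared secret is probably incorrect.`, which is wrong when the packet was dropped for lacking a Message-Authenticator. Log the real reason before returning, e.g. `_pam_log(LOG_ERR, "packet from RADIUS server %s has no Message-Authenticator attribute", server->hostname);`, so a server that does not send the attribute, or a path that strips it, is distinguishable from a bad secret once the option is enabled. The comment block above verify_packet still reads only "Verify the response from the server"; it should mention the new parameter, e.g. `conf is consulted for require_message_authenticator; when set, a response to an Access-Request that carries no Message-Authenticator is rejected.` verify_packet's body begins above this hunk and continues below it, so the code that sets message_authenticator is not visible here.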
1 change: 1 addition & 0 deletions src/pam_radius_auth.h
Expand Up @@ -188,6 +188,7 @@ typedef struct radius_conf_t {
char prompt[MAXPROMPT];
int prompt_attribute;
int privilege_level;
int require_message_authenticator;
uint8_t *message_authenticator;
} radius_conf_t;


2 comments on commit 17a8a42

@archs94


@alandekok - when would this fix get released?

@asdx1937

@asdx1937 asdx1937 commented on 17a8a42 Oct 18, 2024


@alandekok
Hi there. I am curious about the code at lines 476-478.
When the value of require_message_authenticator is TRUE, but the Access-Accept, Access-Challenge, and Access-Reject packets do not have a message authenticator, will it be detected?
Thank you in advance for responding to my question.
