#
secret = testing123
+ #
+ # The global configuration "security.require_message_authenticator"
+ # flag sets the default for all home servers. That default can be
+ # over-ridden here, by setting it to "no".
+ #
+ # This flag exists solely for legacy home servers which do
+ # not send Message-Authenticator in all Access-Accept,
+ # Access-Reject, or Access-Challenge packets. We do not
+ # recommend setting it to "no".
+ #
+ # allowed values: yes, no
+ #
+# require_message_authenticator = no
+
############################################################
#
# The rest of the configuration items listed here are optional,
bool dual; //!< One of a pair of homeservers on consecutive ports.
bool dynamic; //!< is this a dynamically added home server?
bool nonblock; //!< Enable a socket non-blocking to the home server.
+ bool require_ma; //!< for all replies to Access-Request and Status-Server
+
char const *virtual_server; //!< For internal proxying
char const *parent_server;
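Review bot: The `//!<` comment on the new `require_ma` field reads as a sentence fragment and does not state what the flag controls. Suggest `//!< Require Message-Authenticator in replies to Access-Request and Status-Server; cleared for TLS home servers.`, which matches how the flag is used in the realms.c hunk further down (defaulted from main_config, then forced to false under `if (tls)`). The struct definition starts and ends outside this hunk.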
* server core, but I guess we can fix that later.
*/
if (!request->proxy_reply) {
+ decode_fail_t reason;
+
+ /*
+ * If the home server configuration requires a Message-Authenticator, then set the flag,
+ * but only if the proxied packet is Access-Request or Status-Sercer.
+ *
+ * The realms.c file already clears require_ma for TLS connections.
+ */
+ bool require_ma = request->home_server->require_ma && (request->proxy->code == PW_CODE_ACCESS_REQUEST);
+
if (!request->home_server) {
proxy_reply_too_late(request);
return 0;
}
+ if (!rad_packet_ok(packet, require_ma, &reason)) {
+ DEBUG("Ignoring invalid packet - %s", fr_strerror());
+ return 0;
+ }
+
if (rad_verify(packet, request->proxy,
request->home_server->secret) != 0) {
DEBUG("Ignoring spoofed proxy reply. Signature is invalid");
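Review bot: The new `bool require_ma = request->home_server->require_ma && ...` line dereferences `request->home_server` two lines before the existing `if (!request->home_server)` guard, so a NULL home server now crashes before `proxy_reply_too_late()` runs, and a compiler is entitled to treat the guard as dead once the dereference precedes it. Move the initialisation below the guard: keep `decode_fail_t reason;` where it is, and place `bool require_ma = request->home_server->require_ma && (request->proxy->code == PW_CODE_ACCESS_REQUEST);` (with its comment) immediately after the closing brace of the guard and before the new `rad_packet_ok()` call. The comment also says the flag applies to "Access-Request or Status-Sercer" (typo for Status-Server, as the struct field comment puts it) while the condition only tests `PW_CODE_ACCESS_REQUEST`; either the comment should drop Status-Server or the condition should also accept the Status-Server code. The enclosing function begins and ends outside this hunk.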
static CONF_PARSER home_server_config[] = {
{ "nonblock", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, home_server_t, nonblock), "no" },
+ { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, home_server_t, require_ma), NULL },
{ "ipaddr", FR_CONF_OFFSET(PW_TYPE_COMBO_IP_ADDR, home_server_t, ipaddr), NULL },
{ "ipv4addr", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, home_server_t, ipaddr), NULL },
{ "ipv6addr", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, home_server_t, ipaddr), NULL },
home->cs = cs;
home->state = HOME_STATE_UNKNOWN;
home->proto = IPPROTO_UDP;
+ home->require_ma = main_config.require_ma;
/*
* Parse the configuration into the home server
if (tls) {
int rcode;
+ /*
+ * We don't require this for TLS connections.
+ */
+ home->require_ma = false;
+
home->tls = tls_client_conf_parse(tls);
if (!home->tls) {
goto error;