From 0c101d631253baab62a9ad108138942856312991 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Thu, 22 Feb 2024 05:36:33 -0500
Subject: [PATCH] add and document global limit_proxy_state
---
 raddb/radiusd.conf.in | 34 ++++++++++++++++++++++++++++++++++
 src/include/radiusd.h | 2 ++
 src/main/mainconfig.c | 1 +
 3 files changed, 37 insertions(+)
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 92d25c2400..74ba00a262 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -634,8 +634,42 @@ security {
 	# home server by adding a flag to that section which says
 	# "require_message_authenticator = false".
 	#
+	# If the server produces error message which says "Packet
+	# does not contain required Message-Authenticator attribute",
+	# then this configuration item has to be updated.
+	#
+	# WARNING: This item should always be left as "yes",
+	# otherwise it is possible for MITM attackers to create fake
+	# Access-Accept packets to the NAS!
+	#
 	require_message_authenticator = yes
 
+	#
+	# Global configuration for requiring Message-Authenticator
+	# Access-Request packets from a NAS, but only if those
+	# packets also contain Proxy-State.
+	#
+	# If "require_message_authenticator" is set to "yes", this
+	# configuration item is ignored.
+	#
+	# If "require_message_authenticator" is set to "no", this
+	# configuration item is checked.
+	#
+	# This configuration item should ALWAYS be set to "yes".
+	#
+	# The only reason to set it to "no" is when the client is a
+	# proxy, AND the proxy does not send Message-Authenticator in
+	# Access-Request packets. Even then, the best approach to
+	# fix the issue is to (1) update the client to send
+	# Message-Authenticator, and if that can't be done, then (2)
+	# set this flag to "no", but ONLY on a per-client basis.
+	#
+	# WARNING: This item should always be left as "yes",
+	# otherwise it is possible for MITM attackers to create fake
+	# Access-Accept packets to the NAS!
+	#
+	limit_proxy_state = yes
+
 	@openssl_version_check_config@
 }
 
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index bc2080211b..e1d90f5b99 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
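Review bot: Two sentences in the new comment blocks drop a word and read ambiguously for an operator deciding whether to weaken this control: `# Global configuration for requiring Message-Authenticator in` (then `# Access-Request packets from a NAS, ...`) and `# If the server produces an error message which says "Packet`. The advice "(2) set this flag to "no", but ONLY on a per-client basis" presupposes a per-client `limit_proxy_state` override, which nothing in this patch adds (the diffstat is the conf template, a struct field and a parser entry), so either name the client-section option explicitly or mark it as a follow-up, otherwise operators will search for a knob that may not exist yet. It would also help to state what happens when the check fails — presumably the same "Packet does not contain required Message-Authenticator attribute" rejection quoted above — so the two items are recognisably one control with a narrower trigger. The security {} section begins before this hunk.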
@@ -176,6 +176,8 @@ typedef struct main_config {
 
 	bool require_ma; //!< global configuration for all clients and home servers
 
+	bool limit_proxy_state; //!< global configuration for all clients
+
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 	char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged.
 #endif
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index 7b53ae23b2..5d318fafac 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -161,6 +161,7 @@ static const CONF_PARSER security_config[] = {
 	{ "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
 	{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
 	{ "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.require_ma), "yes"},
+	{ "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.limit_proxy_state), "yes"},
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 	{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
 #endif
-- 
2.47.3
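Review bot: The Doxygen comment on the new field, `//!< global configuration for all clients`, says nothing about what the flag gates, while the conf template in this same patch documents it precisely; a reader of the header should not have to open radiusd.conf.in to learn that. Suggest `//!< require Message-Authenticator in Access-Requests that carry Proxy-State; only consulted when require_ma is false`. Note also that nothing in this patch reads main_config.limit_proxy_state — the field is declared and parsed but, as far as the diff shows, not enforced anywhere yet, so the conf text "this configuration item is checked" runs ahead of the code until a consumer lands. The struct main_config definition starts before and ends after this hunk.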
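Review bot: The new table entry defaults limit_proxy_state to "yes", matching the template, but the conf comment warns that "no" lets an attacker forge Access-Accepts to the NAS, and nothing in the diff makes that weakened state visible at runtime. Where main_config is validated after this table is parsed (outside the hunk), log it with the server's WARN() macro, e.g. `if (!main_config.limit_proxy_state) WARN("security.limit_proxy_state = no: Message-Authenticator is not required on proxied Access-Requests");`, and the equivalent for require_ma, so a deployment that opted out is obvious from the startup log. Since the patch adds no code that consumes the new boolean, confirm the enforcement change ships alongside it before the documentation advertises the check. The security_config[] array starts before this hunk.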