Add a Message-Authenticator attribute to the response, if we added EAP-Message

diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index 4dbbf8dc15aa375dcd643d758c983827f304309a..38938f6b2b5775bdabf03bb010145b4f17b77cb6 100644 (file)
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -770,6 +770,18 @@ static int eap_post_auth(void *instance, REQUEST *request)
        RDEBUG2("Request was previously rejected, inserting EAP-Failure");
        eap_fail(handler);
        eap_handler_free(inst, handler);
+       
+       /*
+        * Make sure there's a message authenticator attribute in the response
+        * RADIUS protocol code will calculate the correct value later...
+        */
+       vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR, 0);
+       if (!vp) {
+               vp = pairmake("Message-Authenticator",
+                                 "0x00", T_OP_EQ);
+               rad_assert(vp != NULL);
+               pairadd(&(request->reply->vps), vp);
+       }
 
        return RLM_MODULE_UPDATED;
 }