RADIUS: Check Message-Authenticator if it is present even if not required
authorJouni Malinen <j@w1.fi>
Sun, 17 Mar 2024 08:47:58 +0000 (10:47 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 9 Jul 2024 11:58:39 +0000 (14:58 +0300)
Always check the Message-Authenticator attribute in a received RADIUS
message if it is present. Previously, this would have been skipped if
the attribute was not required to be present.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/radius/radius.c

index a7a137a98b9f2d71419f6c338203526dacc8251d..37aa216b170b777bbb2fc0801a919346e120974a 100644 (file)
@@ -1001,6 +1001,20 @@ int radius_msg_verify(struct radius_msg *msg, const u8 *secret,
                return 1;
        }
 
+       if (!auth) {
+               u8 *pos;
+               size_t alen;
+
+               if (radius_msg_get_attr_ptr(msg,
+                                           RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
+                                           &pos, &alen, NULL) == 0) {
+                       /* Check the Message-Authenticator attribute since it
+                        * was included even if we are configured to not
+                        * require it. */
+                       auth = 1;
+               }
+       }
+
        if (auth &&
            radius_msg_verify_msg_auth(msg, secret, secret_len,
                                       sent_msg->hdr->authenticator)) {
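Review bot: When `auth` is 0 and the received message carries no Message-Authenticator at all, the added block leaves `auth` at 0 and the `if (auth && radius_msg_verify_msg_auth(...))` test below it is still skipped, so a message with the attribute stripped is accepted without this integrity check. Whether callers pass `auth = 1` for the message types where that matters is not visible in this hunk, so the in-code comment should state the limit, e.g. `/* A message without the attribute is still not checked here; callers that need that guarantee must pass auth = 1. */`. Separately, `pos` and `alen` are only written by `radius_msg_get_attr_ptr()` and never read, so a short remark that the call is purely a presence test would save the next reader from looking for a use. The body of radius_msg_verify starts before and continues past this hunk.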