From: Alan T. DeKok
Date: Fri, 16 Feb 2024 13:29:54 +0000 (-0500)
Subject: make require_message_authenticator the default for clients
X-Git-Tag: release_3_2_5~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6827f4b35a560d27334c81823ebb293569391b8e;p=thirdparty%2Ffreeradius-server.git

make require_message_authenticator the default for clients

and document the behavior change
---

diff --git a/raddb/clients.conf b/raddb/clients.conf
index 9284e3853a5..c8f366d868c 100644
--- a/raddb/clients.conf
+++ b/raddb/clients.conf
@@ -135,15 +135,17 @@ client localhost {
 secret = testing123
 
 #
- # Old-style clients do not send a Message-Authenticator
- # in an Access-Request. RFC 5080 suggests that all clients
- # SHOULD include it in an Access-Request. The configuration
- # item below allows the server to require it. If a client
- # is required to include a Message-Authenticator and it does
- # not, then the packet will be silently discarded.
+ # The global configuration "security.require_message_authenticator"
+ # flag sets the default for all clients. That default can be
+ # over-ridden here, by setting it to "no".
+ #
+ # This flag exists solely for legacy clients which do not send
+ # Message-Authenticator in all Access-Request packets. We do not
+ # recommend setting it to "no".
 #
 # allowed values: yes, no
- require_message_authenticator = no
+ #
+# require_message_authenticator = no
 
 #
 # The short name is used as an alias for the fully qualified
diff --git a/src/main/client.c b/src/main/client.c
index db0f13deb90..2775a8bd475 100644
--- a/src/main/client.c
+++ b/src/main/client.c
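Review bot: The rewritten comment in the clients.conf hunk no longer tells the operator what happens when a client is required to send Message-Authenticator and does not — the removed text said the packet is silently discarded, and that is exactly what someone debugging a vanished Access-Request needs to find here. If that behaviour is unchanged, keep a line such as `#  Access-Requests from this client without a Message-Authenticator are then silently discarded.` Also, the override is described only in the "no" direction; since the per-client value is parsed over the global default (the client.c hunks in this commit seed c->require_ma from main_config before the section is parsed), a client section can equally set `require_message_authenticator = yes` while the global default is "no", which is the direction worth advertising for clients known to send it. Finally, it may help to state explicitly that with the line now commented out the global `security.require_message_authenticator` value applies, so anyone who relied on the old per-client default of "no" gets the new behaviour on upgrade.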
@@ -512,7 +512,7 @@ static const CONF_PARSER client_config[] = {
 
 { "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
 
- { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, require_ma), "no" },
+ { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, require_ma), NULL },
 
 { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
 { "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
@@ -906,6 +906,13 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
 c = talloc_zero(ctx, RADCLIENT);
 c->cs = cs;
 
+ /*
+ * Set the "require message authenticator" flag from the
+ * global default. If the configuration item exists, AND
+ * is set, it will over-ride this flag.
+ */
+ c->require_ma = main_config.require_ma;
+
 memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
 cl_netmask = 255;
 
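Review bot: The seed `c->require_ma = main_config.require_ma;` only does its job if the per-client section is parsed after it; the hunk places it right after talloc_zero, but the cf_section_parse call that would apply an explicit per-client value is outside the hunk, so that ordering should be confirmed (a parse that ran earlier would be silently clobbered by the global value). This is also only the clients.conf path: clients constructed elsewhere — for example from SQL or added dynamically — presumably do not pass through client_afrom_cs, and since talloc_zero leaves require_ma false they would still default to "no" unless those constructors are seeded the same way, which would undo the hardening this commit intends; worth checking. The comment's "If the configuration item exists, AND is set" reads as "set to yes", whereas with PW_TYPE_IGNORE_DEFAULT an explicit `no` presumably overrides a global `yes` as well; `/* An explicit require_message_authenticator = yes|no in the client section overrides this default. */` would say what is meant. client_afrom_cs continues outside the hunk.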