From: Alan T. DeKok Date: Fri, 16 Feb 2024 13:09:54 +0000 (-0500) Subject: add and document global require_message_authenticator X-Git-Tag: release_3_2_5~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9bb874f3d69a28ed1060d1640075324414eec700;p=thirdparty%2Ffreeradius-server.git add and document global require_message_authenticator --- diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index 12fac7abd5e..cd2d80c8e6b 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -603,6 +603,17 @@ security { # status_server = yes + # + # Global configuration for requiring Message-Authenticator + # in all Access-* packets. + # + # This flag sets the global default for all clients and home + # servers. It can be over-ridden in individual client or + # home server by adding a flag to that section which says + # "require_message_authenticator = false". + # + require_message_authenticator = yes + @openssl_version_check_config@ } diff --git a/src/include/radiusd.h b/src/include/radiusd.h index 4cd9feae369..76931fabd49 100644 --- a/src/include/radiusd.h +++ b/src/include/radiusd.h @@ -176,6 +176,7 @@ typedef struct main_config { bool exiting; //!< are we exiting? + bool require_ma; //!< global configuration for all clients and home servers #ifdef ENABLE_OPENSSL_VERSION_CHECK char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged. diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c index 80cfedd7759..cbc0d6b646d 100644 --- a/src/main/mainconfig.c +++ b/src/main/mainconfig.c 
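Review bot: The new comment in the `security { }` section of raddb/radiusd.conf.in tells operators to override with `require_message_authenticator = false`, while the setting itself is written `= yes`. Using `no` in the example would match the yes/no spelling of the options around it. The comment also does not say what the server does with an Access-* packet that arrives without Message-Authenticator once the flag is on. An operator with older NAS equipment needs that before upgrading, so I would add one sentence stating whether such packets are discarded or rejected, and that clients which never send the attribute need the per-client override.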
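Review bot: The Doxygen comment on `require_ma` in `main_config` (src/include/radiusd.h) does not name the setting the field holds, so a reader of the header cannot tell it is the Message-Authenticator default. Suggested wording: `//!< global default: require Message-Authenticator in Access-* packets; clients and home servers may override`. The struct definition starts and ends outside the hunk.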
@@ -162,6 +162,7 @@ static const CONF_PARSER security_config[] = {
 { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
 { "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
 { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.require_ma), "yes"},
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
 #endif
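Review bot: Nothing in the hunks shown reads `main_config.require_ma`. The commit adds this `security_config[]` entry, the struct field and the radiusd.conf text, but no check on received Access-* packets and no change to the client or home-server parsers that the documentation says can override it. If that enforcement is not already present elsewhere in the tree, the shipped config advertises `require_message_authenticator = yes` while packets without the attribute are still accepted, so the check should land with this change or the commit message should say it follows. The table default is also `"yes"`, so an upgraded server whose existing radiusd.conf lacks the line picks up the stricter behaviour without any edit by the operator; a comment on the entry such as `/* default yes: configs without this line also require it */` would record that this is deliberate. The `security_config[]` table continues outside the hunk.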