From e95b290a2932b18d10f2d080fdf9b30686409e46 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 22 Aug 2024 17:15:50 +0200
Subject: [PATCH] Enforce Message-Authenticator for Access-* packets

---
 src/lib/krad/packet.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index 461b965e14e..f109682ea11 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -565,6 +565,8 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
         retval = verify_msgauth(secret, *reqpkt, pkt_auth(*reqpkt));
         if (retval)
             return retval;
+    } else if (requires_msgauth(secret, pkt_code_get(*reqpkt))) {
+        return ENODATA;
     }
 
     if (cb != NULL) {
@@ -619,6 +621,8 @@ krad_packet_decode_response(krb5_context ctx, const char *secret,
                 retval = verify_msgauth(secret, rsp, pkt_auth(req));
                 if (retval != 0)
                     continue;
+            } else if (requires_msgauth(secret, pkt_code_get(rsp))) {
+                continue;
             }
 
             break;