If I see it correctly, pyrad does not support the Message-Authenticator attribute.
This is a serious security problem, since an attacker can modify the RADIUS Requests freely and generate a RADIUS Response.
As far as I can see, this affects only the RADIUS Client implementation, since the RADIUS Server implementation is not standard-compliant with RFC 2865. It appears not to mirror back the Proxy-State attribute, which would be required by RFC 2865.
See blastradius.fail for more information.
Since it was pointed out to me (sorry for not seeing it earlier):
pyrad supports Message-Authenticator (via methods add_message_authenticator and verify_message_authenticator).
Nonetheless, at least in outgoing RADIUS packets there should always be a Message-Authenticator attribute included by default, and all examples should include the verify_message_authenticator method.
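To make the point of the two comments above concrete, here is an added example (not pyrad's own code, and not from the issue author) that implements the RFC 2869 Message-Authenticator with only the Python standard library: the attribute is an HMAC-MD5 over the whole packet, keyed with the shared secret, computed with the attribute's own 16 value bytes zeroed. It builds an Access-Request with and without the attribute, shows that an on-path change to User-Name is caught only when the attribute is present and verified, and treats a packet that carries no Message-Authenticator as unverified. The function names mirror pyrad's `add_message_authenticator` / `verify_message_authenticator` but the bodies, the packet builder, the shared secret and the sample attributes are assumptions constructed for this example; the Response Authenticator helper is included only to show the MD5-based check that the attribute is meant to supplement.

```python
"""RFC 2869 Message-Authenticator for RADIUS packets (added example, standard library only)."""
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20
MA_LEN = 16


def encode_attributes(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS TLVs (1-byte type, 1-byte total length)."""
    out = b""
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_packet(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length, 16-byte Authenticator) followed by the attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def iter_attributes(pkt):
    """Yield (type, value_offset, value) for each attribute; reject malformed lengths."""
    pos = HEADER_LEN
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", pkt[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(pkt):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, pkt[pos + 2:pos + attr_len]
        pos += attr_len


def find_message_authenticator(pkt):
    """Offset of the 16-byte Message-Authenticator value, or None if the packet has none."""
    for attr_type, offset, value in iter_attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != MA_LEN:
                raise ValueError("Message-Authenticator must be 16 bytes")
            return offset
    return None


def _hmac_over(pkt, offset, secret, request_authenticator=None):
    """HMAC-MD5 of the packet with the Message-Authenticator value zeroed (RFC 2869 5.14).
    For Access-Accept/Reject/Challenge the Authenticator field is replaced by the
    Request Authenticator of the matching Access-Request before hashing."""
    buf = bytearray(pkt)
    buf[offset:offset + MA_LEN] = bytes(MA_LEN)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def add_message_authenticator(code, ident, authenticator, attrs, secret, request_authenticator=None):
    """Build a packet that carries a valid Message-Authenticator as its last attribute."""
    placeholder = attrs + [(MESSAGE_AUTHENTICATOR, bytes(MA_LEN))]
    pkt = build_packet(code, ident, authenticator, placeholder)
    offset = find_message_authenticator(pkt)
    mac = _hmac_over(pkt, offset, secret, request_authenticator)
    return pkt[:offset] + mac + pkt[offset + MA_LEN:]


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """True only if a Message-Authenticator is present and matches. A packet without one
    is reported as unverified: the safe default when the attribute is expected."""
    offset = find_message_authenticator(pkt)
    if offset is None:
        return False
    expected = _hmac_over(pkt, offset, secret, request_authenticator)
    return hmac.compare_digest(expected, pkt[offset:offset + MA_LEN])


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This plain-MD5 check is what a client has without Message-Authenticator; it binds the
    response to the request only as strongly as MD5 does."""
    body = encode_attributes(attrs)
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(hdr + request_authenticator + body + secret).digest()


def demo():
    """Constructed scenario: same Access-Request with and without the attribute, then tampered."""
    secret = b"example-shared-secret"          # constructed for this example
    request_auth = os.urandom(16)                # RFC 2865 Request Authenticator
    attrs = [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]

    bare = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)
    signed = add_message_authenticator(ACCESS_REQUEST, 7, request_auth, attrs, secret)
    # On-path rewrite of User-Name; same length, so the Length field stays consistent.
    tampered = signed.replace(b"alice", b"admin")

    return {
        "bare": verify_message_authenticator(bare, secret),        # False: nothing to verify
        "signed": verify_message_authenticator(signed, secret),    # True
        "tampered": verify_message_authenticator(tampered, secret),  # False: HMAC mismatch
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `verify_message_authenticator` returns False for a packet with no Message-Authenticator rather than skipping the check; a client that only checks the MD5 Response Authenticator (the `response_authenticator` helper) has no integrity protection against a modified request, which is why the comment above asks for the attribute to be sent by default and verified in every example.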
sklemer1 added a commit to sklemer1/pyrad that referenced this issue on Jul 14, 2024