hostapd: Move Message-Authenticator attribute to be the first one in req
authorJouni Malinen <j@w1.fi>
Sat, 16 Mar 2024 09:22:43 +0000 (11:22 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 9 Jul 2024 11:58:39 +0000 (14:58 +0300)
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/ieee802_11_auth.c
src/ap/ieee802_1x.c

index 98a877dece146c69b0115789bf84d040d4c2e014..cc38044d8952f4884c956d163a630123e973fa72 100644 (file)
@@ -128,6 +128,9 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
                goto fail;
        }
 
+       if (!radius_msg_add_msg_auth(msg))
+               goto fail;
+
        os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
        if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
                                 os_strlen(buf))) {
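Review bot: The added `goto fail` after `radius_msg_add_msg_auth(msg)` exits without a log line, so a failure to add the Message-Authenticator attribute cannot be told apart from any other failure in hostapd_radius_acl_query. The neighbouring attribute checks use braced bodies that presumably log before jumping, though those bodies are cut off by the hunk. Consider `if (!radius_msg_add_msg_auth(msg)) { wpa_printf(MSG_DEBUG, "Could not add Message-Authenticator"); goto fail; }`, which matters operationally because this attribute is the integrity protection for the request. The same silent failure path is added in the src/ap/ieee802_1x.c hunk in ieee802_1x_encapsulate_radius.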
index 31a1120110ee7a1186175ac354f1ba0fcd8ca978..8394772c5f1126f218178d222a82d260bc005926 100644 (file)
@@ -767,6 +767,9 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
                goto fail;
        }
 
+       if (!radius_msg_add_msg_auth(msg))
+               goto fail;
+
        if (sm->identity &&
            !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
                                 sm->identity, sm->identity_len)) {
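Review bot: Nothing at this call site in ieee802_1x_encapsulate_radius records that the position of `radius_msg_add_msg_auth(msg)` is deliberate, so a later change that adds an attribute above it would silently undo the ordering. A comment such as `/* Keep Message-Authenticator as the first attribute in the request, consistent with the RADIUS server */` would pin that down here and in hostapd_radius_acl_query. Since the attribute's value has to cover the complete packet, it is presumably filled in when the message is finished. That code is outside this diff and is worth checking to confirm it updates this attribute in place rather than appending a second one. The function body starts and ends outside the hunk.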