Even if this might not be strictly speaking necessary for mitigating
certain RADIUS protocol attacks, be consistent with the RADIUS server
behavior and move the Message-Authenticator attribute to be the first
attribute in the RADIUS DAS responses from hostapd.
Signed-off-by: Jouni Malinen <j@w1.fi>
if (reply == NULL)
return NULL;
+ if (!radius_msg_add_msg_auth(reply)) {
+ radius_msg_free(reply);
+ return NULL;
+ }
+
if (error) {
if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
error)) {
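Review bot: The added radius_msg_add_msg_auth(reply) call directly after the reply NULL check only works if it stays ahead of every other attribute addition, but nothing in the code says so. Without a comment, a later change could add an attribute above it or move the call below the RADIUS_ATTR_ERROR_CAUSE block, and the ordering described in the commit message would be lost. A one-line comment above the call, such as "Message-Authenticator must be the first attribute in the response", would document the constraint. The new failure path also returns NULL without any debug output, so a failure here cannot be told apart from a failure to allocate the reply; a short debug message before radius_msg_free(reply) would help.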
if (!reply)
return NULL;
+ if (!radius_msg_add_msg_auth(reply)) {
+ radius_msg_free(reply);
+ return NULL;
+ }
+
if (error &&
!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) {
radius_msg_free(reply);
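Review bot: The four added lines after the "if (!reply)" check are a verbatim copy of the block added in the previous hunk, so the first-attribute rule is now enforced separately in two response builders. A small shared helper that adds Message-Authenticator to a new reply and frees it on failure would keep the ordering rule in one place and make it harder for a future response path to miss it. The visible lines also do not show what happens in the code that finalizes the response: if that step previously appended Message-Authenticator itself, it needs to reuse the attribute added here rather than append a second one, and the commit message would be the right place to state which of the two it does.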