From: Jouni Malinen
Date: Sat, 16 Mar 2024 09:13:32 +0000 (+0200)
Subject: RADIUS server: Place Message-Authenticator attribute as the first one
X-Git-Tag: hostap_2_11~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54abb0d3cf35894e7d86e3f7555e95b106306803;p=thirdparty%2Fhostap.git

RADIUS server: Place Message-Authenticator attribute as the first one

Move the Message-Authenticator attribute to be the first attribute in the RADIUS messages. This mitigates certain MD5 attacks against RADIUS/UDP.

Signed-off-by: Jouni Malinen
---

diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index e02c21540..fa3691548 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -920,6 +920,11 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
 return NULL;
 }

+ if (!radius_msg_add_msg_auth(msg)) {
+ radius_msg_free(msg);
+ return NULL;
+ }
+
 sess_id = htonl(sess->sess_id);
 if (code == RADIUS_CODE_ACCESS_CHALLENGE &&
 !radius_msg_add_attr(msg, RADIUS_ATTR_STATE,
@@ -1204,6 +1209,11 @@ radius_server_macacl(struct radius_server_data *data,
 return NULL;
 }

+ if (!radius_msg_add_msg_auth(msg)) {
+ radius_msg_free(msg);
+ return NULL;
+ }
+
 if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) {
 RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)");
 radius_msg_free(msg);
@@ -1253,6 +1263,11 @@ static int radius_server_reject(struct radius_server_data *data,
 return -1;
 }

+ if (!radius_msg_add_msg_auth(msg)) {
+ radius_msg_free(msg);
+ return -1;
+ }
+
 os_memset(&eapfail, 0, sizeof(eapfail));
 eapfail.code = EAP_CODE_FAILURE;
 eapfail.identifier = 0;
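Review bot: The added `radius_msg_add_msg_auth(msg)` call in radius_server_encapsulate_eap() has no comment saying that its position is the whole point of the change, so a later edit could add an attribute above it and silently undo the mitigation. I would put `/* Message-Authenticator has to be the first attribute in the reply; add every other attribute after this call */` above the `if`, and the same in the radius_server_macacl() and radius_server_reject() hunks. The code that later computes the attribute's value is not part of this diff, so it is worth confirming that it fills in this existing attribute rather than appending a second one at the end. All three function bodies start and end outside their hunks.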
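Review bot: The new failure branch in radius_server_macacl() frees the message and returns without logging, while the Proxy-State failure path directly below it reports `RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)");`. Adding `RADIUS_DEBUG("Failed to add Message-Authenticator attribute");` before `radius_msg_free(msg);` would keep a dropped reply diagnosable from the server log. The same applies to the branches added in radius_server_encapsulate_eap() and radius_server_reject().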