From: Jouni Malinen <j@w1.fi>
Date: Sat, 16 Mar 2024 09:26:58 +0000 (+0200)
Subject: RADIUS DAS: Move Message-Authenticator attribute to be the first one
X-Git-Tag: hostap_2_11~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f54157077f799d84ce26bed6ad6b01c4a16e31cf;p=thirdparty%2Fhostap.git

RADIUS DAS: Move Message-Authenticator attribute to be the first one

Even if this might not be strictly speaking necessary for mitigating
certain RADIUS protocol attacks, be consistent with the RADIUS server
behavior and move the Message-Authenticator attribute to be the first
attribute in the RADIUS DAS responses from hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c
index aaa3fc267..8d7c9b4c4 100644
--- a/src/radius/radius_das.c
+++ b/src/radius/radius_das.c
@@ -177,6 +177,11 @@ fail:
 	if (reply == NULL)
 		return NULL;
 
+	if (!radius_msg_add_msg_auth(reply)) {
+		radius_msg_free(reply);
+		return NULL;
+	}
+
 	if (error) {
 		if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
 					       error)) {
@@ -368,6 +373,11 @@ fail:
 	if (!reply)
 		return NULL;
 
+	if (!radius_msg_add_msg_auth(reply)) {
+		radius_msg_free(reply);
+		return NULL;
+	}
+
 	if (error &&
 	    !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) {
 		radius_msg_free(reply);