hostapd: Move Message-Authenticator attribute to be the first one in req

Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2024-03-16 11:22:43 +02:00
parent 689a248260
commit 37fe8e48ab
2 changed files with 6 additions and 0 deletions

View file

@ -128,6 +128,9 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
goto fail; goto fail;
} }
if (!radius_msg_add_msg_auth(msg))
goto fail;
os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr)); os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf, if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
os_strlen(buf))) { os_strlen(buf))) {

View file

@ -767,6 +767,9 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
goto fail; goto fail;
} }
if (!radius_msg_add_msg_auth(msg))
goto fail;
if (sm->identity && if (sm->identity &&
!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
sm->identity, sm->identity_len)) { sm->identity, sm->identity_len)) {