From 834c20a7b5c2a65cf5762aa69a1d44b3ff24e960 Mon Sep 17 00:00:00 2001 From: yasuoka Date: Wed, 24 Jul 2024 08:19:16 +0000 Subject: [PATCH] Place Message-Authenticator at the beginning of the attributes as draft-ietf-radext-deprecating-radius-02 suggests. --- lib/libradius/radius_attr.c | 27 ++++++++++++++++++++++- lib/libradius/radius_local.h | 4 +++- lib/libradius/radius_msgauth.c | 6 ++--- lib/libradius/radius_new_request_packet.3 | 14 +++++++----- 4 files changed, 41 insertions(+), 10 deletions(-) diff --git a/lib/libradius/radius_attr.c b/lib/libradius/radius_attr.c index 1a994700dfd..561aceee335 100644 --- a/lib/libradius/radius_attr.c +++ b/lib/libradius/radius_attr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radius_attr.c,v 1.2 2023/07/08 08:53:26 yasuoka Exp $ */ +/* $OpenBSD: radius_attr.c,v 1.3 2024/07/24 08:19:16 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -199,6 +199,31 @@ radius_put_raw_attr(RADIUS_PACKET * packet, uint8_t type, const void *buf, return (0); } +int +radius_unshift_raw_attr(RADIUS_PACKET * packet, uint8_t type, const void *buf, + size_t length) +{ + RADIUS_ATTRIBUTE *newattr; + + if (length > 255 - 2) + return (-1); + + if (radius_ensure_add_capacity(packet, length + 2) != 0) + return (-1); + + memmove(packet->pdata->attributes + length + 2, + packet->pdata->attributes, + radius_get_length(packet) - sizeof(RADIUS_PACKET_DATA)); + + newattr = ATTRS_BEGIN(packet->pdata); + newattr->type = type; + newattr->length = length + 2; + memcpy(newattr->data, buf, length); + packet->pdata->length = htons(radius_get_length(packet) + length + 2); + + return (0); +} + int radius_put_vs_raw_attr(RADIUS_PACKET * packet, uint32_t vendor, uint8_t vtype, const void *buf, size_t length) diff --git a/lib/libradius/radius_local.h b/lib/libradius/radius_local.h index cd2dfe4af77..efc59e31277 100644 --- a/lib/libradius/radius_local.h +++ b/lib/libradius/radius_local.h 
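Review bot: radius_unshift_raw_attr has no header comment, and its one non-obvious property is that the memmove relocates every existing attribute by length + 2 bytes, so any RADIUS_ATTRIBUTE pointer a caller obtained earlier (via ATTRS_BEGIN/ATTRS_NEXT) is stale after a successful call; if radius_ensure_add_capacity can also reallocate pdata, the same applies to packet->pdata itself. I would add above the definition: `/* Insert an attribute in front of all existing ones (shifts the attribute area; invalidates any attribute pointers into the packet). Returns 0 on success, -1 if length exceeds 253 or capacity cannot be grown. */`. The memmove count is radius_get_length(packet) - sizeof(RADIUS_PACKET_DATA), which relies on the length field always being at least the header size; that holds for packets the library builds itself but is worth stating in the comment, since the helper is declared in radius_local.h and may gain other callers. The `255 - 2` bound should reuse whatever constant radius_put_raw_attr uses for the same check, if one exists, so the two stay in sync.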
@@ -1,4 +1,4 @@ -/* $OpenBSD: radius_local.h,v 1.1 2015/07/20 23:52:29 yasuoka Exp $ */ +/* $OpenBSD: radius_local.h,v 1.2 2024/07/24 08:19:16 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -74,6 +74,8 @@ struct _RADIUS_PACKET { #define ATTRS_ADVANCE(x) (x = ATTRS_NEXT(x)) int radius_ensure_add_capacity(RADIUS_PACKET * packet, size_t capacity); +int radius_unshift_raw_attr(RADIUS_PACKET * packet, uint8_t type, + const void *buf, size_t length); #define ROUNDUP(a, b) ((((a) + (b) - 1) / (b)) * (b)) #define MINIMUM(a, b) (((a) < (b))? (a) : (b)) diff --git a/lib/libradius/radius_msgauth.c b/lib/libradius/radius_msgauth.c index c17a8eed870..bbc26e77ac3 100644 --- a/lib/libradius/radius_msgauth.c +++ b/lib/libradius/radius_msgauth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radius_msgauth.c,v 1.2 2021/12/16 17:32:51 tb Exp $ */ +/* $OpenBSD: radius_msgauth.c,v 1.3 2024/07/24 08:19:16 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -112,8 +112,8 @@ radius_put_message_authenticator(RADIUS_PACKET * packet, const char *secret) * because content of Message-Authenticator attribute is assumed zero * during calculation. */ - if (radius_put_raw_attr(packet, RADIUS_TYPE_MESSAGE_AUTHENTICATOR, - ma, sizeof(ma)) != 0) + if (radius_unshift_raw_attr(packet, RADIUS_TYPE_MESSAGE_AUTHENTICATOR, + ma, sizeof(ma)) != 0) return (-1); return (radius_set_message_authenticator(packet, secret)); diff --git a/lib/libradius/radius_new_request_packet.3 b/lib/libradius/radius_new_request_packet.3 index 36c8ea6a989..ccbb3f76c3c 100644 --- a/lib/libradius/radius_new_request_packet.3 +++ b/lib/libradius/radius_new_request_packet.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: radius_new_request_packet.3,v 1.6 2022/09/11 06:38:11 jmc Exp $ +.\" $OpenBSD: radius_new_request_packet.3,v 1.7 2024/07/24 08:19:16 yasuoka Exp $ .\" .\" Copyright (c) 2009 Internet Initiative Japan Inc. .\" All rights reserved. 
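Review bot: The switch from radius_put_raw_attr to radius_unshift_raw_attr in radius_put_message_authenticator changes where the attribute lands, but the reason lives only in the commit message and the man page; the comment just above this hunk explains why the placeholder is zero, not why it is now prepended. I would extend that comment with: `* The attribute is prepended rather than appended, as draft-ietf-radext-deprecating-radius-02 suggests placing Message-Authenticator first.` It is not visible here whether radius_set_message_authenticator locates the attribute by taking the first RADIUS_TYPE_MESSAGE_AUTHENTICATOR it finds; if so, a packet that already carried one from the caller now ends up with two, with only the new one filled in, which deserves either a check or a documented precondition. The body of radius_put_message_authenticator begins outside the hunk.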
@@ -24,7 +24,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2022 $
+.Dd $Mdocdate: July 24 2024 $
 .Dt RADIUS_NEW_REQUEST_PACKET 3
 .Os
 .Sh NAME
@@ -285,6 +285,10 @@ There are helper functions for Message-Authenticator attributes.
 and
 .Fn radius_set_message_authenticator
 calculate a Message-Authenticator and put or set it to packet, respectively.
+When
+.Fn radius_put_message_authenticator
+is used,
+the Message-Authenticator attribute is placed at the first in the attributes.
 .Pp
 .Fn radius_check_message_authenticator
 checks a Message-Authenticator.
@@ -368,9 +372,9 @@ NULL on failure.
 .Sh HISTORY
 The
 .Nm radius+
-library was first written by UMEZAWA Takeshi in 2002 for the ID gateway service
-of Internet Initiative Japan.
-YASUOKA Masahiko added support for Message-Authentication attributes in 2008.
+library was first written by UMEZAWA Takeshi in 2002 for the ID Gateway service
+of Internet Initiative Japan Inc.
+YASUOKA Masahiko added support for Message-Authenticator attributes in 2008.
 .Ox
 project rewrote C++ code to pure C code in 2010.
 The
-- 
2.20.1