From: YASUOKA Masahiko Subject: diff: multiple attribute values when resending RADIUS To: markus@openbsd.org, tobhe@openbsd.org Cc: tech@openbsd.org Date: Sat, 13 Dec 2025 17:27:19 +0900 Hello, When resending a RADIUS message, some attributes are added without deleting the old ones. Then the message mistakenly had multiple values for an attribute when it was resent. The diff fixes so that a RADIUS message has one value for an attribute even when it is resent. ok?
Index: sbin/iked/radius.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sbin/iked/radius.c,v
diff -u -p -r1.14 radius.c
--- sbin/iked/radius.c 24 Jun 2025 00:05:42 -0000 1.14
+++ sbin/iked/radius.c 13 Dec 2025 07:54:14 -0000
@@ -457,17 +457,17 @@ iked_radius_request_send(struct iked *en
 }
 req->rr_reqid = seq;
 radius_set_id(req->rr_reqpkt, req->rr_reqid);
- }
- if (server->rs_nas_ipv4.s_addr != INADDR_ANY)
- radius_put_ipv4_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IP_ADDRESS,
- server->rs_nas_ipv4);
- else if (!IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6))
- radius_put_ipv6_attr(req->rr_reqpkt,
- RADIUS_TYPE_NAS_IPV6_ADDRESS, &server->rs_nas_ipv6);
- /* Identifier */
- radius_put_string_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IDENTIFIER,
- IKED_NAS_ID);
+ if (server->rs_nas_ipv4.s_addr != INADDR_ANY)
+ radius_put_ipv4_attr(req->rr_reqpkt,
+ RADIUS_TYPE_NAS_IP_ADDRESS, server->rs_nas_ipv4);
+ else if (!IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6))
+ radius_put_ipv6_attr(req->rr_reqpkt,
+ RADIUS_TYPE_NAS_IPV6_ADDRESS, &server->rs_nas_ipv6);
+ /* Identifier */
+ radius_put_string_attr(req->rr_reqpkt,
+ RADIUS_TYPE_NAS_IDENTIFIER, IKED_NAS_ID);
+ }
 if (req->rr_accounting) {
 if (req->rr_ntry == 0 && req->rr_nfailover == 0)
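Review bot: The moved NAS-IP-Address / NAS-IPv6-Address / NAS-Identifier puts still append rather than replace, so they are only duplicate-free if the enclosing block runs once per packet. That block opens above the hunk; if its condition is `req->rr_ntry == 0`, as the second hunk's test suggests, then the context line `req->rr_ntry == 0 && req->rr_nfailover == 0` implies rr_ntry can be 0 again after a failover, and the first try against the next server would add a second copy. The same holds for `if (req->rr_ntry == 0) radius_put_message_authenticator(...)` in the second hunk, where the leftover copy would also have been computed with the previous server's secret and so could not verify. If failover does reuse `req->rr_reqpkt`, delete the old NAS attributes before the put and use the set variant when a Message-Authenticator is already present, e.g. `radius_set_message_authenticator(req->rr_reqpkt, server->rs_secret);`. The return values of the put calls are also ignored, so a full packet would silently go out without these attributes.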
@@ -476,14 +476,16 @@ iked_radius_request_send(struct iked *en
 else {
 clock_gettime(CLOCK_MONOTONIC, &now);
 timespecsub(&now, &req->rr_accttime, &now);
- radius_put_uint32_attr(req->rr_reqpkt,
+ radius_set_uint32_attr(req->rr_reqpkt,
 RADIUS_TYPE_ACCT_DELAY_TIME, now.tv_sec);
 }
 radius_set_accounting_request_authenticator(req->rr_reqpkt,
 server->rs_secret);
 } else {
- radius_put_message_authenticator(req->rr_reqpkt,
- server->rs_secret);
+ if (req->rr_ntry == 0)
+ radius_put_message_authenticator(req->rr_reqpkt,
+ server->rs_secret);
+ /* else reset msgauth is needed if the pkt is modified */
 }
 if (radius_send(server->rs_sock, req->rr_reqpkt, 0) < 0)
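Review bot: The new comment `/* else reset msgauth is needed if the pkt is modified */` does not say why skipping the call on a resend is safe, and that is the invariant the next maintainer has to keep. Message-Authenticator is a keyed digest over the whole packet, so the value from the first try stays valid only while the identifier and every attribute are unchanged between tries. In this patch that depends on the first hunk no longer appending NAS attributes on a resend. I would spell it out, for example `/* resend: packet is unchanged since the first try, so the existing Message-Authenticator is still valid; recompute it if anything above starts modifying the packet */`. The function body continues outside the hunk, so any other modification of `req->rr_reqpkt` on the resend path should be checked against this.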