Add a require_message_authenticator configuration option
This can be used to mandate the presence of the Message-Authenticator attribute on CoA/Disconnect-Request packets. Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
This commit is contained in:
parent
715ad3386e
commit
42d30e9ea0
8 changed files with 27 additions and 6 deletions
|
@ -2411,6 +2411,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
||||||
bss->radius_das_time_window = atoi(pos);
|
bss->radius_das_time_window = atoi(pos);
|
||||||
} else if (os_strcmp(buf, "radius_das_require_event_timestamp") == 0) {
|
} else if (os_strcmp(buf, "radius_das_require_event_timestamp") == 0) {
|
||||||
bss->radius_das_require_event_timestamp = atoi(pos);
|
bss->radius_das_require_event_timestamp = atoi(pos);
|
||||||
|
} else if (os_strcmp(buf, "radius_das_require_message_authenticator") ==
|
||||||
|
0) {
|
||||||
|
bss->radius_das_require_message_authenticator = atoi(pos);
|
||||||
#endif /* CONFIG_NO_RADIUS */
|
#endif /* CONFIG_NO_RADIUS */
|
||||||
} else if (os_strcmp(buf, "auth_algs") == 0) {
|
} else if (os_strcmp(buf, "auth_algs") == 0) {
|
||||||
bss->auth_algs = atoi(pos);
|
bss->auth_algs = atoi(pos);
|
||||||
|
|
|
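Review bot: The new `radius_das_require_message_authenticator` branch stores `atoi(pos)` without validation, so a mistyped value such as `=yes` or `=true` silently parses as 0 and leaves the check disabled, which is a fail-open for a setting whose whole purpose is to harden the DAS port. The sibling options in this hunk are parsed the same way, but since this option is being introduced here it is worth rejecting anything other than 0 or 1 at parse time, assuming the function's line-number parameter is in scope as for the other error paths in hostapd_config_fill (the function's body starts and ends outside the hunk).
```c
} else if (os_strcmp(buf, "radius_das_require_message_authenticator") ==
	   0) {
	int val = atoi(pos);
	if (val != 0 && val != 1) {
		wpa_printf(MSG_ERROR,
			   "Line %d: invalid radius_das_require_message_authenticator value",
			   line);
		return 1;
	}
	bss->radius_das_require_message_authenticator = val;
```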
@ -1088,6 +1088,9 @@ own_ip_addr=127.0.0.1
|
||||||
#
|
#
|
||||||
# DAS require Event-Timestamp
|
# DAS require Event-Timestamp
|
||||||
#radius_das_require_event_timestamp=1
|
#radius_das_require_event_timestamp=1
|
||||||
|
#
|
||||||
|
# DAS require Message-Authenticator
|
||||||
|
#radius_das_require_message_authenticator=1
|
||||||
|
|
||||||
##### RADIUS authentication server configuration ##############################
|
##### RADIUS authentication server configuration ##############################
|
||||||
|
|
||||||
|
|
|
@ -263,6 +263,7 @@ struct hostapd_bss_config {
|
||||||
int radius_das_port;
|
int radius_das_port;
|
||||||
unsigned int radius_das_time_window;
|
unsigned int radius_das_time_window;
|
||||||
int radius_das_require_event_timestamp;
|
int radius_das_require_event_timestamp;
|
||||||
|
int radius_das_require_message_authenticator;
|
||||||
struct hostapd_ip_addr radius_das_client_addr;
|
struct hostapd_ip_addr radius_das_client_addr;
|
||||||
u8 *radius_das_shared_secret;
|
u8 *radius_das_shared_secret;
|
||||||
size_t radius_das_shared_secret_len;
|
size_t radius_das_shared_secret_len;
|
||||||
|
|
|
@ -1044,6 +1044,8 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
|
||||||
das_conf.time_window = conf->radius_das_time_window;
|
das_conf.time_window = conf->radius_das_time_window;
|
||||||
das_conf.require_event_timestamp =
|
das_conf.require_event_timestamp =
|
||||||
conf->radius_das_require_event_timestamp;
|
conf->radius_das_require_event_timestamp;
|
||||||
|
das_conf.require_message_authenticator =
|
||||||
|
conf->radius_das_require_message_authenticator;
|
||||||
das_conf.ctx = hapd;
|
das_conf.ctx = hapd;
|
||||||
das_conf.disconnect = hostapd_das_disconnect;
|
das_conf.disconnect = hostapd_das_disconnect;
|
||||||
hapd->radius_das = radius_das_init(&das_conf);
|
hapd->radius_das = radius_das_init(&das_conf);
|
||||||
|
|
|
@ -538,7 +538,8 @@ int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
|
||||||
|
|
||||||
|
|
||||||
int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
|
int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
|
||||||
size_t secret_len)
|
size_t secret_len,
|
||||||
|
int require_message_authenticator)
|
||||||
{
|
{
|
||||||
const u8 *addr[4];
|
const u8 *addr[4];
|
||||||
size_t len[4];
|
size_t len[4];
|
||||||
|
@ -577,7 +578,11 @@ int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (attr == NULL) {
|
if (attr == NULL) {
|
||||||
/* Message-Authenticator is MAY; not required */
|
if (require_message_authenticator) {
|
||||||
|
wpa_printf(MSG_WARNING,
|
||||||
|
"Missing Message-Authenticator attribute in RADIUS message");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
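Review bot: The new rejection path in radius_msg_verify_das_req logs at MSG_WARNING for a condition any unauthenticated sender can trigger by sending a CoA/Disconnect-Request without the attribute, so once the option is enabled a remote party can fill the log at warning level, and the caller in radius_das_receive already emits its own MSG_DEBUG drop line with the source address. Consider lowering it to match that caller, `wpa_printf(MSG_DEBUG, "Missing Message-Authenticator attribute in RADIUS message");`, or at least keeping one log line per dropped packet. The hunk also deletes the `/* Message-Authenticator is MAY; not required */` comment; a replacement such as `/* Message-Authenticator is optional for DAS requests unless mandated by configuration */` would keep the intent readable, since the `attr == NULL` branch now has two outcomes. The function's body starts before and ends after this hunk, so the presence-but-invalid case is presumably handled above; only absence is affected here.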
@ -242,7 +242,8 @@ void radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret,
|
||||||
int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
|
int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
|
||||||
size_t secret_len);
|
size_t secret_len);
|
||||||
int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
|
int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
|
||||||
size_t secret_len);
|
size_t secret_len,
|
||||||
|
int require_message_authenticator);
|
||||||
struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u8 type,
|
struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u8 type,
|
||||||
const u8 *data, size_t data_len);
|
const u8 *data, size_t data_len);
|
||||||
struct radius_msg * radius_msg_parse(const u8 *data, size_t len);
|
struct radius_msg * radius_msg_parse(const u8 *data, size_t len);
|
||||||
|
|
|
@ -23,6 +23,7 @@ struct radius_das_data {
|
||||||
struct hostapd_ip_addr client_addr;
|
struct hostapd_ip_addr client_addr;
|
||||||
unsigned int time_window;
|
unsigned int time_window;
|
||||||
int require_event_timestamp;
|
int require_event_timestamp;
|
||||||
|
int require_message_authenticator;
|
||||||
void *ctx;
|
void *ctx;
|
||||||
enum radius_das_res (*disconnect)(void *ctx,
|
enum radius_das_res (*disconnect)(void *ctx,
|
||||||
struct radius_das_attrs *attr);
|
struct radius_das_attrs *attr);
|
||||||
|
@ -234,9 +235,11 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
|
||||||
radius_msg_dump(msg);
|
radius_msg_dump(msg);
|
||||||
|
|
||||||
if (radius_msg_verify_das_req(msg, das->shared_secret,
|
if (radius_msg_verify_das_req(msg, das->shared_secret,
|
||||||
das->shared_secret_len)) {
|
das->shared_secret_len,
|
||||||
wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet "
|
das->require_message_authenticator)) {
|
||||||
"from %s:%d - drop", abuf, from_port);
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop",
|
||||||
|
abuf, from_port);
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -362,6 +365,8 @@ radius_das_init(struct radius_das_conf *conf)
|
||||||
|
|
||||||
das->time_window = conf->time_window;
|
das->time_window = conf->time_window;
|
||||||
das->require_event_timestamp = conf->require_event_timestamp;
|
das->require_event_timestamp = conf->require_event_timestamp;
|
||||||
|
das->require_message_authenticator =
|
||||||
|
conf->require_message_authenticator;
|
||||||
das->ctx = conf->ctx;
|
das->ctx = conf->ctx;
|
||||||
das->disconnect = conf->disconnect;
|
das->disconnect = conf->disconnect;
|
||||||
|
|
||||||
|
|
|
@ -44,6 +44,7 @@ struct radius_das_conf {
|
||||||
const struct hostapd_ip_addr *client_addr;
|
const struct hostapd_ip_addr *client_addr;
|
||||||
unsigned int time_window;
|
unsigned int time_window;
|
||||||
int require_event_timestamp;
|
int require_event_timestamp;
|
||||||
|
int require_message_authenticator;
|
||||||
void *ctx;
|
void *ctx;
|
||||||
enum radius_das_res (*disconnect)(void *ctx,
|
enum radius_das_res (*disconnect)(void *ctx,
|
||||||
struct radius_das_attrs *attr);
|
struct radius_das_attrs *attr);
|
||||||
|
|
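Review bot: The new `require_message_authenticator` member of `struct radius_das_conf` is the public knob for this behaviour, but nothing in the header states what a non-zero value does or that the default of 0 keeps the previous behaviour. A one-line comment on the field, `/* Non-zero: drop CoA/Disconnect-Request packets that lack Message-Authenticator */`, would document the contract where callers fill in the struct; the same comment would fit the matching field in `struct radius_das_data` and the `hostapd_bss_config` field added in this commit.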