Commit graph

125 commits

Author SHA1 Message Date
Maneesh Jain
4457f41b54 radius: Fix NULL dereference issue on allocation failure
In case memory allocation fails, data->pac_opaque_encr_key may be NULL
and lead to possible crash.

Signed-off-by: Maneesh Jain <maneesh.jain@samsung.com>
2015-06-26 22:44:41 +03:00
Jouni Malinen
dea0d8ee29 RADIUS: Fix a copy-paste error in variable name
MS-MPPE-Recv-Key generation in radius_msg_add_mppe_keys() used incorrect
function argument (send_key_len; should be recv_key_len) when allocating
a temporary buffer. Fix this by using the correct argument.

The only caller of the function uses the same length for both
send_key_len and recv_key_len, so this copy-paste error did not result
in any difference in the behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-29 12:08:27 +03:00
Mikael Kanstrup
8b423edbd3 Declare all read only data structures as const
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-04-25 17:33:06 +03:00
Jouni Malinen
26b3f64428 tests: Add ap-mgmt-fuzzer
This program can be used to run fuzzing tests for areas related to AP
management frame parsing and processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:19 +03:00
Michael Braun
3ffdeb7ac8 Fix RSN preauthentication with dynamic_vlan enabled but unused
sta->vlan_id == -1 means no VLAN, as does vlan_id = 0.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:26:40 +03:00
Ben Greear
fc48d33b0d Improve error messages related to EAP DB
Add SQLite error message and DB name to the DB related errors. Add
enough tracing so that users can know exactly where users are failing to
be found.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 13:16:26 +02:00
Jouni Malinen
b4a9292cfb RADIUS client: Fix server failover on return-to-primary on error case
If a connection with the primary server cannot be established, restore
connection to the previously used server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-01 22:36:52 +02:00
Jouni Malinen
1a7ed38670 RADIUS client: Fix a copy-paste error in accounting server failover
Commit 347c55e216 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a new option for
initialing RADIUS server failover from radius_client_retransmit(), but
ended up trying to change authentication servers when accounting server
was supposed to be changed due to a copy-paste issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-01 22:36:52 +02:00
Jouni Malinen
70fd8287eb RADIUS client: Fix previous failover change
Commit 347c55e216 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a possibility of
executing RADIUS server failover change within
radius_client_retransmit() without taking into account that this
operation may end up freeing the pending message that is being
processed. This could result in use of freed memory. Avoid this by
checking whether any pending messages have been removed and if so, do
not try to retransmit the potentially freed message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 20:52:08 +02:00
Jouni Malinen
347c55e216 RADIUS client: Re-try connection if socket is closed on retransmit
Previously, send() was called with invalid fd = -1 in some error cases
for retransmission and this could even result in a loop of multiple such
attempts. This is obviously not going to work, so drop such attempts and
instead, try to reconnect a socket to the server if the current socket
is not valid.

In addition, initiate server failover immediately if the current socket
is not valid instead of waiting for a timeout.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 16:40:58 +02:00
Jouni Malinen
94b39e5927 RADIUS client: Fix server connection recovery after initial failure
If the initial attempt at opening the socket connection to the RADIUS
server failed due to missing IP connectivity during startup, e.g., with
"connect[radius]: Network is unreachable", hostapd did not try to
reconnect when RADIUS messages were sent. Instead, it only reported "No
authentication server configured" even if the configuration did have a
server entry.

This was broken by commit 9ed4076673
('RADIUS client: Do not try to send message without socket') for the
initial case and the more recent fixes in RADIUS server failover cases
did not cover the initial failure case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 15:45:17 +02:00
Ben Greear
400de9b1fe hostapd: Debug messages for dodgy RADIUS servers
These were helpful when tracking down why hostapd did not work
properly with a RADIUS server.

Signed-hostap: Ben Greear <greearb@candelatech.com>
2015-01-23 01:48:27 +02:00
Jouni Malinen
0d787f0242 Fix RADIUS client with out-of-memory and missing shared secret
It was possible for an out-of-memory code path to trigger NULL pointer
dereference when preparing a RADIUS accounting report.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-19 02:35:43 +02:00
Jouni Malinen
4e871ed1c3 RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier
This extends Disconnect-Request support for an additiona session
identification attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 13:09:44 +02:00
Jouni Malinen
861beb7269 RADIUS DAS: Check for single session match for Disconnect-Request
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 12:50:16 +02:00
Jouni Malinen
2c6411edd0 ERP: Add ERP_FLUSH for hostapd
This can be used to drop any pending ERP key from both the internal AP
authentication server and RADIUS server use of hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 15:47:04 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
d3bddd8b84 ERP: Add support for ERP on EAP server and authenticator
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.

The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:27 +02:00
Jouni Malinen
2a5156a66c ERP: Add optional EAP-Initiate/Re-auth-Start transmission
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:08:56 +02:00
Jouni Malinen
b81e274cdf RADIUS client: Print a clear debug log entry if socket is not available
It could have been possible to select a socket that is not open
(sel_sock == -1) and try to use that in socket operations. This would
fail with potentially confusing error messages. Make this clearer by
printing a clear debug log entry on socket not being available.
(CID 72696)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 17:41:13 +02:00
Jouni Malinen
0ffe7a5481 RADIUS: Define new attributes from RFC 5580
This adds definition and names for the RADIUS attributes defined in RFC
5580 (Carrying Location Objects in RADIUS and Diameter).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 09:30:35 +03:00
Jouni Malinen
58b992489c RADIUS: Remove unused write
There is no need to update the left variable when breaking out from the
loop.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-11 18:06:52 +03:00
Jouni Malinen
54461f3e03 RADIUS server: Remove unreachable code
The previous break will already stop the loop, so this unnecessary check
can be removed (CID 72708).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-09-13 16:22:16 +03:00
Jouni Malinen
3a413e0ed8 RADIUS client: Check getsockname() return value
In theory, this function could fail, so check the return value before
printing out the RADIUS local address debug message (CID 72700).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-09-07 18:35:46 +03:00
Jouni Malinen
c9cd78e5a1 RADIUS server: Fix IPv6 radiusAuthClientAddress mask
Incorrect buffer was used when writing the IPv6 mask for RADIUS server
MIB information (CID 72707).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-09-07 18:25:04 +03:00
Jouni Malinen
6c460eaf7e Add RSN cipher/AKM suite attributes into RADIUS messages
This adds hostapd support for the new WLAN-Pairwise-Cipher,
WLAN-Group-Cipher, WLAN-AKM-Suite, and WLAN-Group-Mgmt-Pairwise-Cipher
attributes defined in RFC 7268. These attributes are added to RADIUS
messages when the station negotiates use of WPA/RSN.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-31 19:55:29 +03:00
Jouni Malinen
cdffd72173 Add WLAN-HESSID into RADIUS messages
This adds hostapd support for the new WLAN-HESSID attribute defined in
RFC 7268. This attribute contains the HESSID and it is added whenever
Interworking is enabled and HESSID is configured.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-31 19:55:29 +03:00
Jouni Malinen
69002fb0a8 Add Mobility-Domain-Id into RADIUS messages
This adds hostapd support for the new Mobility-Domain-Id attribute
defined in RFC 7268. This attribute contains the mobility domain id and
it is added whenever the station negotiates use of FT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-31 19:55:29 +03:00
Jouni Malinen
b7175b4d02 Clear hostapd configuration keys explicitly
Use an explicit memset call to clear any hostapd configuration parameter
that contains private information like keys or identity. This brings in
an additional layer of protection by reducing the length of time this
type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
c2371953f8 RADIUS: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
95f6f6a49d RADIUS/EAP server: Use longer username buffer to avoid truncation
If the peer provides a username with large part of it being non-ASCII
characters, the previously used buffers may not have been long enough to
include the full string in debug logs and database search due to forced
truncation of the string by printf_encode(). Avoid this by increasing
the buffer sizes to fit in the maximum result.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-02 17:36:51 +03:00
Jouni Malinen
b523973611 RADIUS client: Trigger failover more quickly if socket is not valid
It is possible for the connect() call to fail (e.g., due to unreachable
network based on local routing table), so the current auth/acct_sock may
be left to -1. Use that as an addition trigger to allow server failover
operation to be performed more quickly if it is known that the
retransmission attempt will not succeed anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 20:52:08 +03:00
Jouni Malinen
09844c0984 RADIUS client: Do not flush pending messages if server did not change
The re-open socket to the current RADIUS server code path did not work
in the expected way here. The pending authentication messages do not
need to be flushed in that case and neither should the retransmission
parameters be cleared. Fix this by performing these operations only if
the server did actually change as a part of a failover operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 20:46:20 +03:00
Jouni Malinen
70d4084885 RADIUS client: Fix socket close/re-open on server change
Both IPv4 and IPv6 sockets were not closed consistently in the paths
that tried to change RADIUS servers. This could result in leaking
sockets and leaving behind registered eloop events to freed memory on
interface removal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 18:09:42 +03:00
Jerry Yang
d045cc8e4c RADIUS client: Fix crash issue in radius_client_timer()
While iterating through RADIUS messages in radius_client_timer(), one
message entry may get flushed by "radius_client_retransmit -->
radius_client_handle_send_error --> radius_client_init_auth -->
radius_change_server --> radius_client_flush". This could result in
freed memory being accessed afterwards.

Signed-off-by: Jerry Yang <xyang@sonicwall.com>
2014-05-30 18:08:59 +03:00
Jouni Malinen
c1fb75a6e2 RADIUS client: Handle ENETUNREACH similarly to other failure cases
This is one more possible send() error that should trigger RADIUS server
change if multiple servers are configured.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 18:08:54 +03:00
Jouni Malinen
9ed4076673 RADIUS client: Do not try to send message without socket
It is possible for the RADIUS authentication/accounting socket to not be
open even if partial RADIUS server configuration has been done through
the control interface SET commands. Previously, this resulted in send()
attempt using fd=-1 which fails with bad file descriptor. Clean this up
by logging this as a missing configuration instead of trying to send the
message when that is known to fail.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 18:08:37 +03:00
Jouni Malinen
f6fb1926bb HS 2.0R2: Fix subscr_remediation_method for RADIUS server
This configuration parameter was not used at all in the RADIUS server
implementation and instead, hard coded 0 was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-28 00:56:13 +03:00
Jouni Malinen
251c53e084 RADIUS: Define EAP-Key-Name
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:10:03 +03:00
Jouni Malinen
8943cc998a RADIUS server: Add support for MAC ACL
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 19:31:56 +02:00
Jouni Malinen
47bd94a09f TLS testing: Add new test cases for RSA-DHE primes
test-tls-4: Short 511-bit RSA-DHE prime
test-tls-5: Short 767-bit RSA-DHE prime
test-tls-6: Bogus RSA-DHE "prime" 15
test-tls-7: Very short 58-bit RSA-DHE prime in a long container
test-tls-8: Non-prime as RSA-DHE prime

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 12:43:49 +02:00
Jouni Malinen
390b92913a TLS testing: Allow hostapd to be used as a TLS testing tool
The internal TLS server implementation and RADIUS server implementation
in hostapd can be configured to allow EAP clients to be tested to
perform TLS validation steps correctly. This functionality is not
included in the default build; CONFIG_TESTING_OPTIONS=y in
hostapd/.config can be used to enable this.

When enabled, the RADIUS server will configure special TLS test modes
based on the received User-Name attribute value in this format:
<user>@test-tls-<id>.<rest-of-realm>. For example,
anonymous@test-tls-1.example.com. When this special format is used, TLS
test modes are enabled. For other cases, the RADIUS server works
normally.

The following TLS test cases are enabled in this commit:
1 - break verify_data in the server Finished message
2 - break signed_params hash in ServerKeyExchange
3 - break Signature in ServerKeyExchange

Correctly behaving TLS client must abort connection if any of these
failures is detected and as such, shall not transmit continue the
session.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 18:47:09 +02:00
Jouni Malinen
01f7fe10ef RADIUS server: Allow EAP methods to log into SQLite DB
This extends RADIUS server logging capabilities to allow EAP server
methods to add log entries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-09 18:21:13 +02:00
Jouni Malinen
8a57da7e28 RADIUS server: Add option for storing log information to SQLite DB
If eap_user_file is configured to point to an SQLite database, RADIUS
server code can use that database for log information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-09 18:21:13 +02:00
Jouni Malinen
d0ee16edc8 Allow arbitrary RADIUS attributes to be added into Access-Accept
This extends the design already available for Access-Request packets to
the RADIUS server and Access-Accept messages. Each user entry can be
configured to add arbitrary RADIUS attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-08 11:35:08 +02:00
Jouni Malinen
7738163951 RADIUS server: Copy IPv4 address only when IPv6 is not used
The local addr variable is valid only when !ipv6, so there is no point
in copying it for the IPv6 case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
8d2a9921af HS 2.0R2: RADIUS server support to request Subscr Remediation
The new hostapd.conf parameter subscr_remediation_url can be used to
define the URL of the Subscription Remediation Server that will be added
in a WFA VSA to Access-Accept message if the SQLite user database
indicates that the user need subscription remediation.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
97596f8ed4 HS 2.0R2 AP: Add support for Session Info URL RADIUS AVP
If the authentication server includes the WFA HS 2.0 Session Info URL
AVP in Access-Accept, schedule ESS Disassociation Imminent frame to be
transmitted specified warning time prior to session timeout.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
8e1146d9da HS 2.0R2 AP: Add support for deauthentication request
If the RADIUS server includes deauthentication request in Access-Accept,
send a WNM-Notification frame to the station after 4-way handshake and
disconnect the station after configurable timeout.

A new control interface command, WNM_DEAUTH_REQ, is added for testing
purposes to allow the notification frame to sent based on local request.
This case does not disconnect the station automatically, i.e., a
separate control interface command would be needed for that.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
0dd100fb40 HS 2.0R2 AP: Add definition and helper function for WFA RADIUS VSA
These changes make it easier to add WFA vendor specific attributes
to RADIUS messages.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00