Previously the EAP user database had to include a wildcard entry for ERP
to work since the keyName-NAI as User-Name in Access-Request would not
be recognized without such wildcard entry (that could point to any EAP
method). This is not ideal, so add a separate check to allow any stored
ERP keyName-NAI to be used for ERP without any requirement for the EAP
user database to contain a matching entry.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The struct hostapd_eap_user changes with a new allocated variable were
not covered in the RADIUS server code. Fix this by using eap_user_free()
instead of custom memory freeing operation in radius_server.c.
The hwsim tests with salted password (ap_wpa2_eap_pwd_salt_sha1,
ap_wpa2_eap_pwd_salt_sha256, ap_wpa2_eap_pwd_salt_sha512) triggered
these memory leaks.
Fixes: d52ead3db7 ("EAP-pwd server: Add support for salted password databases")
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Use unsigned 1 (1U) instead of signed (1) when doing left shift that
could potentially need to use all bits of the 32-bit unsigned variable.
radius_server.c:2254:14: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Signed-off-by: Jouni Malinen <j@w1.fi>
In the previous RADIUS client implementation, when there are multiple
RADIUS servers, we kept trying the next server when the current message
can not be acked. It leads to endless retry when all the RADIUS servers
are down.
Fix this by keeping a counter for the accumulated retransmit attempts
for the message, and guarantee that after all the servers failover
RADIUS_CLIENT_MAX_FAILOVER times the message will be dropped.
Another issue with the previous code was that the decision regarding
whether the server should fail over was made immediately after we send
out the message. This patch guarantees we consider whether a server
needs failover after pending ack times out.
Signed-off-by: Bo Chen<bochen@meraki.com>
This adds support for hostapd-as-RADIUS-authentication-server to request
subscription remediation for SIM-based credentials. The new hostapd.conf
parameter hs20_sim_provisioning_url is used to set the URL prefix for
the remediation server for SIM provisioning. The random
hotspot2dot0-mobile-identifier-hash value will be added to the end of
this URL prefix and the same value is stored in a new SQLite database
table sim_provisioning for the subscription server implementation to
use.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends the last_msk testing functionality in the RADIUS server to
work with EAP-TLS based on "cert-<serial_num>" form user names in the
database.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
CONFIG_RADIUS_TEST builds can now update the user SQLite database based
on authentication result from the last attempt. If the database has a
last_msk column, that will be set to the hexdump of the MSK whenever
authentication succeeds and to "FAIL" whenever authentication fails.
This can be used for testing purposes by having an external program
track authentication status per user.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The last character of the STA MAC address got replaced with 0x00 due to
truncation if the @1@ macro was used at the end of the URL. Fix this
case by allocating larger buffer for the URL.
Fixes: d4e39c51f8 ("HS 2.0: Move Terms and Conditions Server URL generation from AP to AS")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new DAC_REQUEST control interface command can now be used to request
hostapd to send out Disconnect-Request and CoA-Request packets for an
existing session.
DAC_REQUEST <disconnect|coa> <MAC Address> [t_c_clear]
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows hostapd DAS to be configured to allow any DAC (with the
matching shared secret) to send Disconnect-Request and CoA-Request
packets.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to track active sessions, e.g., for the purpose of
issuing RADIUS DAS commands (Disconnect-Request or CoA-Request).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it more convenient to generate the URL in a way that
interoperates between different vendors. The AP is simply copying the
already constructed URL as-is from Access-Accept to WNM-Notification.
This means that the HO AAA can generate the URL in a manner that works
for the associated T&C Server without having to coordinate with each AP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Reword the comments to make gcc 8.1 recognize these as designed cases
and not trigger implicit-fallthrough warnings.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new SQLite table pending_tc is used to maintain a list of sessions
that need to accept Terms and Conditions. This information can be used
on an external Terms and Conditions server to map the incoming MAC
address information into user identity.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow hostapd RADIUS authentication server with SQLite EAP user DB to be
used for testing Terms and Conditions functionality. This could be used
for the HO AAA part of functionality (merging HO AAA and SP AAA into a
single component to avoid separate RADIUS proxy in testing setup).
A T&C server with HTTPS processing is needed to allow this to be used
for full over-the-air testing. This commit adds sufficient functionality
to allow hwsim test cases to cover the RADIUS server part.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend RADIUS DAS to support CoA-Request packets for the case where the
HS 2.0 Terms And Conditions filtering VSA is used to remove filtering.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd Access-Accept processing to check if the RADIUS
server indicated that Terms and Conditions Acceptance is required. The
new hs20_t_c_server_url parameter is used to specify the server URL
template that the STA is requested to visit.
This commit does not enable any kind of filtering, i.e., only the part
of forwarding a request from Access-Accept to the STA using
WNM-Notification is covered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd with two new configuration parameters
(hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify
that the Terms and Conditions attributes are to be added into all
Access-Request messages for Hotspot 2.0 STAs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd processing of (Re)Association Request frames to
store a local copy of the Consortium OI within the Roaming Consortium
Selection element, if present, and then add that in HS 2.0 Roaming
Consortium attribute into RADIUS Access-Request messages.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
hostap code is used by the Moonshot software (an implementation of the
GSS EAP mechanism - RFC 7055), and those definitions are required but
missing.
Signed-off-by: Alejandro Perez <alex.perez-mendez@jisc.ac.uk>
Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all
Access-Reject messages generated based on EAP-Failure from the EAP
server. For now, the reason code value is set to 23 (IEEE 802.1X
authentication failed). This can be extending in future commits to cover
addition failure reasons.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.
The mechanical conversions all over the code were done with
the following spatch:
@@
expression SIZE, SRC;
expression a;
@@
-a = os_malloc(SIZE);
+a = os_memdup(SRC, SIZE);
<...
if (!a) {...}
...>
-os_memcpy(a, SRC, SIZE);
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
radius_server_session_free() does not remove the session from the
session list and these radius_server_get_new_session() error paths ended
up leaving a pointer to freed memory into the session list. This
resulted in the following operations failing due to use of freed memory.
Fix this by using radius_server_session_remove() which removes the entry
from the list in addition to calling radius_server_session_free().
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to hit the previously used maximum of 100 active session
in some hwsim test case sequences like this one: eap_proto_pwd_errors
eap_proto_ikev2_errors eap_proto_sim_errors. This happened due to the
large number of RADIUS authentication iterations in short period of
time, i.e., within the 10 second timeout for expiring completed
sessions.
Increase RADIUS_MAX_SESSION from 100 to 1000 and also reduce the timeout
on expiring completed sessions from 10 to 5 seconds.
Signed-off-by: Jouni Malinen <j@w1.fi>
When the RADIUS client has not yet been fully enabled, MIB command was
segfaulting hostapd.
Signed-off-by: Eduardo Abinader <eduardoabinader@gmail.com>
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
This gets rid of a valgrind warning on uninitialized memory read in the
hostapd_oom_wpa2_eap_connect test case where the result is used after
failed md5_vector() call.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This gets rid of a valgrind warning on uninitialized memory read in the
hostapd_oom_wpa2_eap_connect test case where memcmp is used after failed
hmac_md5() call.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This gets rid of a valgrind warning on uninitialized memory read in the
hostapd_oom_wpa2_eap test case where memcmp is used after failed
md5_vector() call.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This tells to the server how long we have been trying to transmit the
message so that the actual time of the message generation can be
determined from receive time (ignoring network delays and only at
accuracy of one second).
For interim updates, only value 0 is used since there are no
retransmissions of the same message. For other accounting messages, the
initial attempt goes out with value 0 and the retransmissions, if
needed, show the number of seconds the message has been waiting in the
queue.
Update the Identifier and Authenticator in the messages whenever
updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of using the RADIUS client retransmission design with the old
RADIUS message contents for each retry, trigger a completely new interim
accounting update instance more quickly (using the same schedule as
RADIUS message retransmissions) to improve accounting updates in cases
where RADIUS message delivery fails. This allows the server to get up to
date information from the time the "retry" message was sent instead of
the old information from the time the first failed attempt was sent.
Signed-off-by: Jouni Malinen <j@w1.fi>
1. Add tagged VLAN to struct vlan_description
(compile limited number of tagged VLANs per description)
For k tagged VLANs, the first k entries in vlan_description.tagged
are used. They are sorted in ascending order. All other entries are
zero. This way os_memcmp() can find identical configurations.
2. Let tagged VLANs be parsed from RADIUS Access-Accept
3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
There is no need to maintain three copies of this functionality even if
it is currently implemented as a single function call.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows RADIUS failover to be performed if send() return EACCES
error which is what happens after a recent Linux kernel commit
0315e382704817b279e5693dca8ab9d89aa20b3f ('net: Fix behaviour of
unreachable, blackhole and prohibit') for a local sender when route type
is prohibit.
This fixes the hwsim test case radius_failover when running against a
kernel build that includes that commit.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
The recently added ProxyARP support (proxy_arp=1) in hostapd allows a
STA IPv4 address to be learned from DHCP or ARP messages. If that
information is available, add it to Account-Request messages in
Framed-IP-Address attribute.
Signed-off-by: Jouni Malinen <j@w1.fi>
On RADIUS auth/acct failures hostapd will try a new server if one is
available. Reuse the failover logic to force a socket renewal if only
one RADIUS server is configured.
This fixes problems when a route for the RADIUS server gets added after
the socket was "connected". The RADIUS socket is still sending the
RADIUS requests out using the previous route.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
The input parameter ended up being converted to long int instead of int,
so use an explicit typecase to get rid of the compiler warning.
Signed-off-by: Jouni Malinen <j@w1.fi>
In case memory allocation fails, data->pac_opaque_encr_key may be NULL
and lead to possible crash.
Signed-off-by: Maneesh Jain <maneesh.jain@samsung.com>
MS-MPPE-Recv-Key generation in radius_msg_add_mppe_keys() used incorrect
function argument (send_key_len; should be recv_key_len) when allocating
a temporary buffer. Fix this by using the correct argument.
The only caller of the function uses the same length for both
send_key_len and recv_key_len, so this copy-paste error did not result
in any difference in the behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
