Commit graph

65 commits

Author SHA1 Message Date
Jouni Malinen
67fe933d40 Add server identity configuration for EAP server
The new server_id parameter in hostapd.conf can now be used to specify
which identity is delivered to the EAP peer with EAP methods that
support authenticated server identity.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-07-07 20:30:10 +03:00
Michael Braun
14e919478e Extend radius_msg_get_tunnel_password() to support multiple passwords
The new function parameter can now be used to specify which password to
return.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:19:04 +02:00
Jouni Malinen
236a52fd1f RADIUS DAS: Verify that Error-Code attribute is added
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:32:35 +03:00
Jouni Malinen
067ffa2696 Convert os_realloc() for an array to use os_realloc_array()
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-13 21:21:23 +03:00
Jouni Malinen
f9884c096a Convert os_zalloc() for an array to use os_calloc()
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-13 20:44:21 +03:00
Jouni Malinen
47e9d50d18 RADIUS: Add explicit attribute length validation checks in functions
These checks would not really be needed since radius_msg_parse()
validates the attribute header fields. Anyway, these makes it more
obvious to anyone reviewing the code that there are no integer underflow
issues in the functions processing RADIUS attributes.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-07 21:11:04 +03:00
Jouni Malinen
c50b0233ed Add sparse endianness annotation for RADIUS header
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-07 20:54:08 +03:00
Jouni Malinen
e100828b76 Return wpabuf from radius_msg_get_eap()
This simplifies the implementation by using the buffer type to which the
returned data will be converted anyway. This avoids one memory
allocation for each processed RADIUS message.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-07 18:14:42 +03:00
Jouni Malinen
302fc0a3c7 RADIUS DAS: Support Chargeable-User-Identity with Disconnect-Request
Chargeable-User-Identity can now be used in Disconnect-Request to
identify the station to be disconnected.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-17 19:44:46 +03:00
Jouni Malinen
e58b5ffed7 RADIUS: Fix a typo in attribute name in debug messages
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-17 19:39:29 +03:00
Jouni Malinen
ff7e4589ea RADIUS DAS: Add Event-Timestamp attribute into ACK/NAK messages
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-17 19:35:03 +03:00
Jouni Malinen
8047a95809 RADIUS DAS: Add support for Disconnect-Request
Calling-Station-Id, Acct-Session-Id, and User-Name attributes in a
Disconnect-Request message can now be used to indicate which station is
to be disconnected.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-17 19:30:01 +03:00
Jouni Malinen
fc2a924a8c RADIUS DAS: Check Disconnect-Request attributes
Reject Disconnect-Request if it includes unsupported attributes.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-17 18:14:43 +03:00
Jouni Malinen
bde7ba6caf RADIUS DAS: Validate Event-Timestamp
DAS will now validate Event-Timestamp value to be within an acceptable
time window (300 seconds by default; can be set using
radius_das_time_window parameter). In addition, Event-Timestamp can be
required in Disconnect-Request and CoA-Request messages with
radius_das_require_event_timestamp=1.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-17 17:43:36 +03:00
Jouni Malinen
b031338cf0 Add preliminary RADIUS dynamic authorization server (RFC 5176)
This adds the basic DAS mechanism to enable hostapd to be configured
to request dynamic authorization requests (Disconnect-Request and
CoA-Request). This commit does not add actual processing of the
requests, i.e., this will only receive and authenticate the requests
and NAK them regardless of what operation is requested.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-05-06 22:02:42 +03:00
Jouni Malinen
8c6f80e023 Remove extra linefeed from hostapd_logger message
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-04-01 13:41:03 +03:00
Alexander Couzens
a4e73a0e47 Fix potential double free and use of freed memory in RADIUS client
ieee802_1x_encapsulate_radius() frees the RADIUS message if
radius_client_send() returns error. This could have resulted in use of
freed memory and double freeing of the RADIUS message if send() fails
since the message is also left in the retransmit list. Avoid this by not
returning error to the caller in such a case.

Signed-off-by: Alexander Couzens <lynxis@c-base.org>
2012-04-01 13:36:52 +03:00
Jouni Malinen
0f3d578efc Remove the GPL notification from files contributed by Jouni Malinen
Remove the GPL notification text from the files that were
initially contributed by myself.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 19:39:36 +02:00
Michael Braun
05ab9712b9 Allow WPA passphrase to be fetched with RADIUS Tunnel-Password attribute
This allows per-device PSK to be configured for WPA-Personal using a
RADIUS authentication server. This uses RADIUS-based MAC address ACL
(macaddr_acl=2), i.e., Access-Request uses the MAC address of the
station as the User-Name and User-Password. The WPA passphrase is
returned in Tunnel-Password attribute in Access-Accept. This
functionality can be enabled with the new hostapd.conf parameter,
wpa_psk_radius.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2011-12-11 13:01:57 +02:00
Jouni Malinen
505a36941e Add MSK dump mechanism into hostapd RADIUS server for testing
Testing code can now be enabled in the hostapd RADIUS server to dump
each derived MSK into a text file (e.g., to be used as an input to
wlantest). This functionality is not included in the default build
and can be enabled by adding the following line to hostapd/.config:
CFLAGS += -DCONFIG_RADIUS_TEST

The MSK dump file is specified with dump_msk_file parameter in
hostapd.conf (path to the dump file). If this variable is not set,
MSK dump mechanism is not enabled at run time.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-12-09 00:15:04 +02:00
Jouni Malinen
16cc7a4304 Make radius_msg_add_attr_user_password() easier for static analyzers
Explicitly validate data_len so that static analyzers do not get
confused about the padlen validation. This is not really needed, but it
makes the code a bit easier for static analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-13 23:14:57 +02:00
Jouni Malinen
e3e52e364e hostapd: Fix RADIUS client configuration update on reconfig
The internal pointer to RADIUS client configuration needs to be
updated whenever a new hostapd configuration is loaded. Without
this, freed memory may be dereferenced and this can result in
segmentation faults.
2011-02-10 22:12:29 +02:00
Dan Harkins
df684d82ff EAP-pwd: Add support for EAP-pwd server and peer functionality
This adds an initial EAP-pwd (RFC 5931) implementation. For now,
this requires OpenSSL.
2010-09-14 21:51:40 -10:00
Jouni Malinen
7992b07f6a Remove unnecessary SUBDIRS loops from src/*/Makefile
There are no subdirectories in any of these directories or plans
for adding ones. As such, there is no point in running the loop
that does not do anything and can cause problems with some shells.
2010-04-17 17:10:31 +03:00
Gregory Detal
bb437f282b AP: Add wpa_msg() events for EAP server state machine 2010-04-07 11:13:14 +03:00
Jouni Malinen
1b9eb51bbd Enable IPv6 support for libutils.a and libradius.a 2009-12-24 12:27:42 +02:00
Jouni Malinen
64ce68fc42 Comment out CONFIG_IPV6 for now in RADIUS library build
This needs to be used consistently in order to get correct size for
struct hostapd_ip_addr.
2009-12-24 12:18:22 +02:00
Jouni Malinen
8a404b598d Add build rules for src/radius/libradius.a 2009-12-24 11:59:08 +02:00
Jouni Malinen
2988796257 Fix RADIUS client to cancel IPv6 socket read notifications 2009-12-19 18:52:42 +02:00
Jouni Malinen
f481459f5e Fix RADIUS server deinit to cancel timeout for session removal 2009-12-19 18:52:15 +02:00
Jouni Malinen
1489e11a94 Make struct radius_msg private to radius.c
This is internal data structure for RADIUS message handling and
external code should not touch it directly.
2009-12-19 17:26:57 +02:00
Jouni Malinen
aa235d2ef7 Convert RADIUS message code to use wpabuf internally 2009-12-19 17:12:07 +02:00
Jouni Malinen
9e7245bdb4 Change radius_msg_free() to free the buffer
Since all callers were freeing the buffer immediately anyway, move
this operation into radius_msg_free() to reduce code size.
2009-12-19 16:34:41 +02:00
Jouni Malinen
d94f86d85e RADIUS message initialization cleanup 2009-12-19 16:20:53 +02:00
Jouni Malinen
d04a96b0d6 Add documentation for RADIUS code and some minor cleanup 2009-12-19 16:13:06 +02:00
Jouni Malinen
74784010af Remove conditional no-RADIUS build from src/radius
Make it responsibility of the src/radius user to handle conditional
build rules.
2009-12-06 17:53:59 +02:00
Jouni Malinen
362bd35f2d Add more Doxygen documentation for RADIUS server implementation 2009-12-02 21:29:32 +02:00
Jouni Malinen
03da66bd59 Remove src/crypto from default include path
In addition, start ordering header file includes to be in more
consistent order: system header files, src/utils, src/*, same
directory as the *.c file.
2009-11-29 23:04:43 +02:00
Jouni Malinen
90973fb2fd Remove src/common from default header file path
This makes it clearer which files are including header from src/common.
Some of these cases should probably be cleaned up in the future not to
do that.

In addition, src/common/nl80211_copy.h and wireless_copy.h were moved
into src/drivers since they are only used by driver wrappers and do not
need to live in src/common.
2009-11-29 17:51:55 +02:00
Jouni Malinen
15ef92d3cc Complete Doxygen documentation for RADIUS client
No more warnings from Doxygen about missing documentation from
radius_client.[ch].
2009-11-29 11:48:28 +02:00
Jouni Malinen
93704f8f95 Remove unused RADIUS client reconfig function
This is not actually used at all and it looks like the rules for
maintaining the old/new RADIUS configuration are not very clear in the
case the RADIUS client configuration did not change. Consequently, it
is better to just remove this for now and if similar functionality is
ever needed, redesign it to be easier to use without causing hard to
find issues with using freed memory.

Simpler approach to reconfiguring the RADIUS client would involve
just deinitializing the old context unconditionally and initializing
a new one whenever the configuration could have changed.
2009-11-28 23:04:35 +02:00
Jouni Malinen
5843e1c9a6 Move acct_interim_interval away from RADIUS client configuration
This is not used at all inside RADIUS client and as such, it belongs
into hostapd configuration.
2009-11-28 23:03:20 +02:00
Jouni Malinen
df1e24aceb Improved Doxygen documentation for RADIUS client code 2009-11-28 23:00:29 +02:00
Jouni Malinen
5a641ae01e Use type-punning to avoid breaking strict aliasing rules
While the actual use here would be unlikely to be broken by any C
optimization, it is better to use explicit union construction to let
gcc know about the aliasing and avoid warnings from gcc 4.4.
2009-11-05 12:11:49 +02:00
Alex Badea
7598210b79 radius_server: clean up completed sessions sooner
radius_server_encapsulate_eap() resets sess->eap->if->eap{Success,Fail}
to FALSE, such that the completion condition is never true.

The net effect is that completed sessions would linger for
RADIUS_SESSION_TIMEOUT seconds.

Signed-off-by: Alex Badea <vamposdecampos@gmail.com>

Previously, the default settings allowed 100 sessions in 60 seconds.
With this fix, the default limit is now 100 sessions per 10 seconds.
[Bug 329]
2009-09-09 23:54:03 +03:00
Jouni Malinen
5cd89c26f9 Disable PMTU discovery for RADIUS packets (sent them without DF)
When Linux has Path MTU discovery enabled, it sets by default the DF bit
on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger
than the smallest MTU size to the target, it will be discarded.

This effectively limits RADIUS messages to ~ 1500 Bytes, while they can
be up to 4k according to RFC2865. In practice, this can mean trouble
when doing EAP-TLS with many RADIUS attributes besides the EAP-Message.
[Bug 326]
2009-08-23 21:32:27 +03:00
Stefan Winter
a2fbf12524 Disable PMTU discovery for RADIUS packets (sent them without DF)
When Linux has Path MTU discovery enabled, it sets by default the DF bit
on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger
than the smallest MTU size to the target, it will be discarded.

This effectively limits RADIUS messages to ~ 1500 Bytes, while they can
be up to 4k according to RFC2865. In practice, this can mean trouble
when doing EAP-TLS with many RADIUS attributes besides the EAP-Message.
[Bug 326]
2009-08-23 21:21:25 +03:00
Jouni Malinen
064bb8232c Add root .gitignore file to cleanup ignore lists
This removes need for local configuration to ignore *.o and *~
and allows the src/*/.gitignore files to be removed (subdirectories
will inherit the rules from the root .gitignore).
2009-06-29 21:47:19 +03:00
Jouni Malinen
af12135524 Fix hostapd build with RADIUS support removed 2009-03-02 21:25:53 +02:00
Daniel Mierswa
d94d4bafbb Improved 'make install' (use BINDIR/LIBDIR, install shared objects) 2009-02-15 14:22:50 +02:00