Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-25 00:38:24 -05:00
Code Issues Projects Releases Wiki Activity

Add a require_message_authenticator configuration option

Browse Source 
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
This commit is contained in:
Nick Lowe 2016-07-26 19:17:09 +01:00 committed by Jouni Malinen
parent 715ad3386e
commit 42d30e9ea0
8 changed files with 27 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hostapd/config_file.c
View File

@ -2411,6 +2411,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->radius_das_time_window = atoi(pos); bss->radius_das_time_window = atoi(pos);
} else if (os_strcmp(buf, "radius_das_require_event_timestamp") == 0) { } else if (os_strcmp(buf, "radius_das_require_event_timestamp") == 0) {
bss->radius_das_require_event_timestamp = atoi(pos); bss->radius_das_require_event_timestamp = atoi(pos);
} else if (os_strcmp(buf, "radius_das_require_message_authenticator") ==
0) {
bss->radius_das_require_message_authenticator = atoi(pos);
#endif /* CONFIG_NO_RADIUS */ #endif /* CONFIG_NO_RADIUS */
} else if (os_strcmp(buf, "auth_algs") == 0) { } else if (os_strcmp(buf, "auth_algs") == 0) {
bss->auth_algs = atoi(pos); bss->auth_algs = atoi(pos);

3
hostapd/hostapd.conf
View File

@ -1088,6 +1088,9 @@ own_ip_addr=127.0.0.1
# #
# DAS require Event-Timestamp # DAS require Event-Timestamp
#radius_das_require_event_timestamp=1 #radius_das_require_event_timestamp=1
#
# DAS require Message-Authenticator
#radius_das_require_message_authenticator=1
##### RADIUS authentication server configuration ############################## ##### RADIUS authentication server configuration ##############################

1
src/ap/ap_config.h
View File

@ -263,6 +263,7 @@ struct hostapd_bss_config {
int radius_das_port; int radius_das_port;
unsigned int radius_das_time_window; unsigned int radius_das_time_window;
int radius_das_require_event_timestamp; int radius_das_require_event_timestamp;
int radius_das_require_message_authenticator;
struct hostapd_ip_addr radius_das_client_addr; struct hostapd_ip_addr radius_das_client_addr;
u8 *radius_das_shared_secret; u8 *radius_das_shared_secret;
size_t radius_das_shared_secret_len; size_t radius_das_shared_secret_len;

2
src/ap/hostapd.c
View File

@ -1044,6 +1044,8 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
das_conf.time_window = conf->radius_das_time_window; das_conf.time_window = conf->radius_das_time_window;
das_conf.require_event_timestamp = das_conf.require_event_timestamp =
conf->radius_das_require_event_timestamp; conf->radius_das_require_event_timestamp;
das_conf.require_message_authenticator =
conf->radius_das_require_message_authenticator;
das_conf.ctx = hapd; das_conf.ctx = hapd;
das_conf.disconnect = hostapd_das_disconnect; das_conf.disconnect = hostapd_das_disconnect;
hapd->radius_das = radius_das_init(&das_conf); hapd->radius_das = radius_das_init(&das_conf);

9
src/radius/radius.c
View File

@ -538,7 +538,8 @@ int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret, int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
size_t secret_len) size_t secret_len,
int require_message_authenticator)
{ {
const u8 *addr[4]; const u8 *addr[4];
size_t len[4]; size_t len[4];
@ -577,7 +578,11 @@ int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
} }
if (attr == NULL) { if (attr == NULL) {
/* Message-Authenticator is MAY; not required */ if (require_message_authenticator) {
wpa_printf(MSG_WARNING,
"Missing Message-Authenticator attribute in RADIUS message");
return 1;
}
return 0; return 0;
} }

3
src/radius/radius.h
View File

@ -242,7 +242,8 @@ void radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret,
int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret, int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
size_t secret_len); size_t secret_len);
int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret, int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
size_t secret_len); size_t secret_len,
int require_message_authenticator);
struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u8 type, struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u8 type,
const u8 *data, size_t data_len); const u8 *data, size_t data_len);
struct radius_msg * radius_msg_parse(const u8 *data, size_t len); struct radius_msg * radius_msg_parse(const u8 *data, size_t len);

11
src/radius/radius_das.c
View File

@ -23,6 +23,7 @@ struct radius_das_data {
struct hostapd_ip_addr client_addr; struct hostapd_ip_addr client_addr;
unsigned int time_window; unsigned int time_window;
int require_event_timestamp; int require_event_timestamp;
int require_message_authenticator;
void *ctx; void *ctx;
enum radius_das_res (*disconnect)(void *ctx, enum radius_das_res (*disconnect)(void *ctx,
struct radius_das_attrs *attr); struct radius_das_attrs *attr);
@ -234,9 +235,11 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
radius_msg_dump(msg); radius_msg_dump(msg);
if (radius_msg_verify_das_req(msg, das->shared_secret, if (radius_msg_verify_das_req(msg, das->shared_secret,
das->shared_secret_len)) { das->shared_secret_len,
wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet " das->require_message_authenticator)) {
"from %s:%d - drop", abuf, from_port); wpa_printf(MSG_DEBUG,
"DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop",
abuf, from_port);
goto fail; goto fail;
} }
@ -362,6 +365,8 @@ radius_das_init(struct radius_das_conf *conf)
das->time_window = conf->time_window; das->time_window = conf->time_window;
das->require_event_timestamp = conf->require_event_timestamp; das->require_event_timestamp = conf->require_event_timestamp;
das->require_message_authenticator =
conf->require_message_authenticator;
das->ctx = conf->ctx; das->ctx = conf->ctx;
das->disconnect = conf->disconnect; das->disconnect = conf->disconnect;

1
src/radius/radius_das.h
View File

@ -44,6 +44,7 @@ struct radius_das_conf {
const struct hostapd_ip_addr *client_addr; const struct hostapd_ip_addr *client_addr;
unsigned int time_window; unsigned int time_window;
int require_event_timestamp; int require_event_timestamp;
int require_message_authenticator;
void *ctx; void *ctx;
enum radius_das_res (*disconnect)(void *ctx, enum radius_das_res (*disconnect)(void *ctx,
struct radius_das_attrs *attr); struct radius_das_attrs *attr);