mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-29 02:38:22 -05:00
RADIUS: Allow RADIUS server to provide PSK instead of passphrase
If the AP is slow, passphrase hashing takes too long to serve the client before timeout. Extend the Tunnel-Password design to allow a 64 character value to be interpreted as a PSK and send SSID to RADIUS server. This allows the RADIUS server to either take care of passphrase hashing or to use raw PSK without such hashing. This is especially important for FT-PSK with FT-over-air, where hashing cannot be deferred. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This commit is contained in:
parent
d8912fd80e
commit
57b2c9140c
@ -128,6 +128,7 @@ struct hostapd_vlan {
|
|||||||
};
|
};
|
||||||
|
|
||||||
#define PMK_LEN 32
|
#define PMK_LEN 32
|
||||||
|
#define MIN_PASSPHRASE_LEN 8
|
||||||
#define MAX_PASSPHRASE_LEN 63
|
#define MAX_PASSPHRASE_LEN 63
|
||||||
struct hostapd_sta_wpa_psk_short {
|
struct hostapd_sta_wpa_psk_short {
|
||||||
struct hostapd_sta_wpa_psk_short *next;
|
struct hostapd_sta_wpa_psk_short *next;
|
||||||
|
@ -449,20 +449,40 @@ static void decode_tunnel_passwords(struct hostapd_data *hapd,
|
|||||||
*/
|
*/
|
||||||
if (passphrase == NULL)
|
if (passphrase == NULL)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Passphase should be 8..63 chars (to be hashed with SSID)
|
||||||
|
* or 64 chars hex string (no separate hashing with SSID).
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (passphraselen < MIN_PASSPHRASE_LEN ||
|
||||||
|
passphraselen > MAX_PASSPHRASE_LEN + 1)
|
||||||
|
continue;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* passphrase does not contain the NULL termination.
|
* passphrase does not contain the NULL termination.
|
||||||
* Add it here as pbkdf2_sha1() requires it.
|
* Add it here as pbkdf2_sha1() requires it.
|
||||||
*/
|
*/
|
||||||
psk = os_zalloc(sizeof(struct hostapd_sta_wpa_psk_short));
|
psk = os_zalloc(sizeof(struct hostapd_sta_wpa_psk_short));
|
||||||
if (psk) {
|
if (psk) {
|
||||||
if (passphraselen > MAX_PASSPHRASE_LEN)
|
if ((passphraselen == MAX_PASSPHRASE_LEN + 1) &&
|
||||||
passphraselen = MAX_PASSPHRASE_LEN;
|
(hexstr2bin(passphrase, psk->psk, PMK_LEN) < 0)) {
|
||||||
os_memcpy(psk->passphrase, passphrase, passphraselen);
|
hostapd_logger(hapd, cache->addr,
|
||||||
|
HOSTAPD_MODULE_RADIUS,
|
||||||
|
HOSTAPD_LEVEL_WARNING,
|
||||||
|
"invalid hex string (%d chars) in Tunnel-Password",
|
||||||
|
passphraselen);
|
||||||
|
goto skip;
|
||||||
|
} else if (passphraselen <= MAX_PASSPHRASE_LEN) {
|
||||||
|
os_memcpy(psk->passphrase, passphrase,
|
||||||
|
passphraselen);
|
||||||
psk->is_passphrase = 1;
|
psk->is_passphrase = 1;
|
||||||
|
}
|
||||||
psk->next = cache->psk;
|
psk->next = cache->psk;
|
||||||
cache->psk = psk;
|
cache->psk = psk;
|
||||||
psk = NULL;
|
psk = NULL;
|
||||||
}
|
}
|
||||||
|
skip:
|
||||||
os_free(psk);
|
os_free(psk);
|
||||||
os_free(passphrase);
|
os_free(passphrase);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user