mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-30 08:44:03 -05:00
RADIUS DAS: Validate Event-Timestamp
DAS will now validate Event-Timestamp value to be within an acceptable time window (300 seconds by default; can be set using radius_das_time_window parameter). In addition, Event-Timestamp can be required in Disconnect-Request and CoA-Request messages with radius_das_require_event_timestamp=1. Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
c2d76aa624
commit
bde7ba6caf
@ -1693,6 +1693,11 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
|||||||
"DAS client", line);
|
"DAS client", line);
|
||||||
errors++;
|
errors++;
|
||||||
}
|
}
|
||||||
|
} else if (os_strcmp(buf, "radius_das_time_window") == 0) {
|
||||||
|
bss->radius_das_time_window = atoi(pos);
|
||||||
|
} else if (os_strcmp(buf, "radius_das_require_event_timestamp")
|
||||||
|
== 0) {
|
||||||
|
bss->radius_das_require_event_timestamp = atoi(pos);
|
||||||
#endif /* CONFIG_NO_RADIUS */
|
#endif /* CONFIG_NO_RADIUS */
|
||||||
} else if (os_strcmp(buf, "auth_algs") == 0) {
|
} else if (os_strcmp(buf, "auth_algs") == 0) {
|
||||||
bss->auth_algs = atoi(pos);
|
bss->auth_algs = atoi(pos);
|
||||||
|
|||||||
@ -708,6 +708,12 @@ own_ip_addr=127.0.0.1
|
|||||||
#
|
#
|
||||||
# DAS client (the host that can send Disconnect/CoA requests) and shared secret
|
# DAS client (the host that can send Disconnect/CoA requests) and shared secret
|
||||||
#radius_das_client=192.168.1.123 shared secret here
|
#radius_das_client=192.168.1.123 shared secret here
|
||||||
|
#
|
||||||
|
# DAS Event-Timestamp time window in seconds
|
||||||
|
#radius_das_time_window=300
|
||||||
|
#
|
||||||
|
# DAS require Event-Timestamp
|
||||||
|
#radius_das_require_event_timestamp=1
|
||||||
|
|
||||||
##### RADIUS authentication server configuration ##############################
|
##### RADIUS authentication server configuration ##############################
|
||||||
|
|
||||||
|
|||||||
@ -87,6 +87,8 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
|
|||||||
#ifdef CONFIG_IEEE80211R
|
#ifdef CONFIG_IEEE80211R
|
||||||
bss->ft_over_ds = 1;
|
bss->ft_over_ds = 1;
|
||||||
#endif /* CONFIG_IEEE80211R */
|
#endif /* CONFIG_IEEE80211R */
|
||||||
|
|
||||||
|
bss->radius_das_time_window = 300;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -187,6 +187,8 @@ struct hostapd_bss_config {
|
|||||||
struct hostapd_radius_attr *radius_auth_req_attr;
|
struct hostapd_radius_attr *radius_auth_req_attr;
|
||||||
struct hostapd_radius_attr *radius_acct_req_attr;
|
struct hostapd_radius_attr *radius_acct_req_attr;
|
||||||
int radius_das_port;
|
int radius_das_port;
|
||||||
|
unsigned int radius_das_time_window;
|
||||||
|
int radius_das_require_event_timestamp;
|
||||||
struct hostapd_ip_addr radius_das_client_addr;
|
struct hostapd_ip_addr radius_das_client_addr;
|
||||||
u8 *radius_das_shared_secret;
|
u8 *radius_das_shared_secret;
|
||||||
size_t radius_das_shared_secret_len;
|
size_t radius_das_shared_secret_len;
|
||||||
|
|||||||
@ -639,6 +639,9 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
|
|||||||
das_conf.shared_secret_len =
|
das_conf.shared_secret_len =
|
||||||
hapd->conf->radius_das_shared_secret_len;
|
hapd->conf->radius_das_shared_secret_len;
|
||||||
das_conf.client_addr = &hapd->conf->radius_das_client_addr;
|
das_conf.client_addr = &hapd->conf->radius_das_client_addr;
|
||||||
|
das_conf.time_window = hapd->conf->radius_das_time_window;
|
||||||
|
das_conf.require_event_timestamp =
|
||||||
|
hapd->conf->radius_das_require_event_timestamp;
|
||||||
hapd->radius_das = radius_das_init(&das_conf);
|
hapd->radius_das = radius_das_init(&das_conf);
|
||||||
if (hapd->radius_das == NULL) {
|
if (hapd->radius_das == NULL) {
|
||||||
wpa_printf(MSG_ERROR, "RADIUS DAS initialization "
|
wpa_printf(MSG_ERROR, "RADIUS DAS initialization "
|
||||||
|
|||||||
@ -24,6 +24,8 @@ struct radius_das_data {
|
|||||||
u8 *shared_secret;
|
u8 *shared_secret;
|
||||||
size_t shared_secret_len;
|
size_t shared_secret_len;
|
||||||
struct hostapd_ip_addr client_addr;
|
struct hostapd_ip_addr client_addr;
|
||||||
|
unsigned int time_window;
|
||||||
|
int require_event_timestamp;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
@ -45,6 +47,8 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
|
|||||||
struct radius_msg *msg, *reply = NULL;
|
struct radius_msg *msg, *reply = NULL;
|
||||||
struct radius_hdr *hdr;
|
struct radius_hdr *hdr;
|
||||||
struct wpabuf *rbuf;
|
struct wpabuf *rbuf;
|
||||||
|
u32 val;
|
||||||
|
int res;
|
||||||
|
|
||||||
fromlen = sizeof(from);
|
fromlen = sizeof(from);
|
||||||
len = recvfrom(sock, buf, sizeof(buf), 0,
|
len = recvfrom(sock, buf, sizeof(buf), 0,
|
||||||
@ -81,6 +85,27 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
|
|||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
|
||||||
|
(u8 *) &val, 4);
|
||||||
|
if (res == 4) {
|
||||||
|
u32 timestamp = ntohl(val);
|
||||||
|
struct os_time now;
|
||||||
|
|
||||||
|
os_get_time(&now);
|
||||||
|
if (abs(now.sec - timestamp) > das->time_window) {
|
||||||
|
wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
|
||||||
|
"Event-Timestamp (%u; local time %u) in "
|
||||||
|
"packet from %s:%d - drop",
|
||||||
|
timestamp, (unsigned int) now.sec,
|
||||||
|
abuf, from_port);
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
} else if (das->require_event_timestamp) {
|
||||||
|
wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
|
||||||
|
"from %s:%d - drop", abuf, from_port);
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
hdr = radius_msg_get_hdr(msg);
|
hdr = radius_msg_get_hdr(msg);
|
||||||
|
|
||||||
switch (hdr->code) {
|
switch (hdr->code) {
|
||||||
@ -110,8 +135,6 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (reply) {
|
if (reply) {
|
||||||
int res;
|
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
|
wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
|
||||||
|
|
||||||
if (radius_msg_finish_das_resp(reply, das->shared_secret,
|
if (radius_msg_finish_das_resp(reply, das->shared_secret,
|
||||||
@ -177,6 +200,9 @@ radius_das_init(struct radius_das_conf *conf)
|
|||||||
if (das == NULL)
|
if (das == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
das->time_window = conf->time_window;
|
||||||
|
das->require_event_timestamp = conf->require_event_timestamp;
|
||||||
|
|
||||||
os_memcpy(&das->client_addr, conf->client_addr,
|
os_memcpy(&das->client_addr, conf->client_addr,
|
||||||
sizeof(das->client_addr));
|
sizeof(das->client_addr));
|
||||||
|
|
||||||
|
|||||||
@ -16,6 +16,8 @@ struct radius_das_conf {
|
|||||||
const u8 *shared_secret;
|
const u8 *shared_secret;
|
||||||
size_t shared_secret_len;
|
size_t shared_secret_len;
|
||||||
const struct hostapd_ip_addr *client_addr;
|
const struct hostapd_ip_addr *client_addr;
|
||||||
|
unsigned int time_window;
|
||||||
|
int require_event_timestamp;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct radius_das_data *
|
struct radius_das_data *
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user