Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Add a require_message_authenticator configuration option

This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Nick Lowe 8 years ago
parent
715ad3386e
commit
42d30e9ea0
8 changed files with 27 additions and 6 deletions
Split View Show Diff Stats
  1. 3 0
      hostapd/config_file.c
  2. 3 0
      hostapd/hostapd.conf
  3. 1 0
      src/ap/ap_config.h
  4. 2 0
      src/ap/hostapd.c
  5. 7 2
      src/radius/radius.c
  6. 2 1
      src/radius/radius.h
  7. 8 3
      src/radius/radius_das.c
  8. 1 0
      src/radius/radius_das.h

+ 3 - 0
hostapd/config_file.c
View File 

@@ -2411,6 +2411,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 
 		bss->radius_das_time_window = atoi(pos);
 
 	} else if (os_strcmp(buf, "radius_das_require_event_timestamp") == 0) {
 
 		bss->radius_das_require_event_timestamp = atoi(pos);
 
+	} else if (os_strcmp(buf, "radius_das_require_message_authenticator") ==
 
+		   0) {
 
+		bss->radius_das_require_message_authenticator = atoi(pos);
 
 #endif /* CONFIG_NO_RADIUS */
 
 	} else if (os_strcmp(buf, "auth_algs") == 0) {
 
 		bss->auth_algs = atoi(pos);

+ 3 - 0
hostapd/hostapd.conf
View File 

@@ -1088,6 +1088,9 @@ own_ip_addr=127.0.0.1
 
 #
 
 # DAS require Event-Timestamp
 
 #radius_das_require_event_timestamp=1
 
+#
 
+# DAS require Message-Authenticator
 
+#radius_das_require_message_authenticator=1
 
 
 ##### RADIUS authentication server configuration ##############################

+ 1 - 0
src/ap/ap_config.h
View File 

@@ -263,6 +263,7 @@ struct hostapd_bss_config {
 
 	int radius_das_port;
 
 	unsigned int radius_das_time_window;
 
 	int radius_das_require_event_timestamp;
 
+	int radius_das_require_message_authenticator;
 
 	struct hostapd_ip_addr radius_das_client_addr;
 
 	u8 *radius_das_shared_secret;
 
 	size_t radius_das_shared_secret_len;

+ 2 - 0
src/ap/hostapd.c
View File 

@@ -1044,6 +1044,8 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
 
 		das_conf.time_window = conf->radius_das_time_window;
 
 		das_conf.require_event_timestamp =
 
 			conf->radius_das_require_event_timestamp;
 
+		das_conf.require_message_authenticator =
 
+			conf->radius_das_require_message_authenticator;
 
 		das_conf.ctx = hapd;
 
 		das_conf.disconnect = hostapd_das_disconnect;
 
 		hapd->radius_das = radius_das_init(&das_conf);

+ 7 - 2
src/radius/radius.c
View File 

@@ -538,7 +538,8 @@ int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
 
 
 
 int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
 
-			      size_t secret_len)
 
+			      size_t secret_len,
 
+			      int require_message_authenticator)
 
 {
 
 	const u8 *addr[4];
 
 	size_t len[4];
 
@@ -577,7 +578,11 @@ int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
 
 	}
 
 
 	if (attr == NULL) {
 
-		/* Message-Authenticator is MAY; not required */
 
+		if (require_message_authenticator) {
 
+			wpa_printf(MSG_WARNING,
 
+				   "Missing Message-Authenticator attribute in RADIUS message");
 
+			return 1;
 
+		}
 
 		return 0;
 
 	}

+ 2 - 1
src/radius/radius.h
View File 

@@ -242,7 +242,8 @@ void radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret,
 
 int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
 
 			       size_t secret_len);
 
 int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
 
-			       size_t secret_len);
 
+			      size_t secret_len,
 
+			      int require_message_authenticator);
 
 struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u8 type,
 
 					     const u8 *data, size_t data_len);
 
 struct radius_msg * radius_msg_parse(const u8 *data, size_t len);

+ 8 - 3
src/radius/radius_das.c
View File 

@@ -23,6 +23,7 @@ struct radius_das_data {
 
 	struct hostapd_ip_addr client_addr;
 
 	unsigned int time_window;
 
 	int require_event_timestamp;
 
+	int require_message_authenticator;
 
 	void *ctx;
 
 	enum radius_das_res (*disconnect)(void *ctx,
 
 					  struct radius_das_attrs *attr);
 
@@ -234,9 +235,11 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
 
 		radius_msg_dump(msg);
 
 
 	if (radius_msg_verify_das_req(msg, das->shared_secret,
 
-				       das->shared_secret_len)) {
 
-		wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet "
 
-			   "from %s:%d - drop", abuf, from_port);
 
+				       das->shared_secret_len,
 
+				       das->require_message_authenticator)) {
 
+		wpa_printf(MSG_DEBUG,
 
+			   "DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop",
 
+			   abuf, from_port);
 
 		goto fail;
 
 	}
 
 
@@ -362,6 +365,8 @@ radius_das_init(struct radius_das_conf *conf)
 
 
 	das->time_window = conf->time_window;
 
 	das->require_event_timestamp = conf->require_event_timestamp;
 
+	das->require_message_authenticator =
 
+		conf->require_message_authenticator;
 
 	das->ctx = conf->ctx;
 
 	das->disconnect = conf->disconnect;

+ 1 - 0
src/radius/radius_das.h
View File 

@@ -44,6 +44,7 @@ struct radius_das_conf {
 
 	const struct hostapd_ip_addr *client_addr;
 
 	unsigned int time_window;
 
 	int require_event_timestamp;
 
+	int require_message_authenticator;
 
 	void *ctx;
 
 	enum radius_das_res (*disconnect)(void *ctx,
 
 					  struct radius_das_attrs *attr);