Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

RADIUS DAS: Validate Event-Timestamp

DAS will now validate Event-Timestamp value to be within an acceptable
time window (300 seconds by default; can be set using
radius_das_time_window parameter). In addition, Event-Timestamp can be
required in Disconnect-Request and CoA-Request messages with
radius_das_require_event_timestamp=1.

Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen 13 years ago
parent
c2d76aa624
commit
bde7ba6caf
7 changed files with 48 additions and 2 deletions
Split View Show Diff Stats
  1. 5 0
      hostapd/config_file.c
  2. 6 0
      hostapd/hostapd.conf
  3. 2 0
      src/ap/ap_config.c
  4. 2 0
      src/ap/ap_config.h
  5. 3 0
      src/ap/hostapd.c
  6. 28 2
      src/radius/radius_das.c
  7. 2 0
      src/radius/radius_das.h

+ 5 - 0
hostapd/config_file.c
View File 

@@ -1693,6 +1693,11 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 
 					   "DAS client", line);
 
 				errors++;
 
 			}
 
+		} else if (os_strcmp(buf, "radius_das_time_window") == 0) {
 
+			bss->radius_das_time_window = atoi(pos);
 
+		} else if (os_strcmp(buf, "radius_das_require_event_timestamp")
 
+			   == 0) {
 
+			bss->radius_das_require_event_timestamp = atoi(pos);
 
 #endif /* CONFIG_NO_RADIUS */
 
 		} else if (os_strcmp(buf, "auth_algs") == 0) {
 
 			bss->auth_algs = atoi(pos);

+ 6 - 0
hostapd/hostapd.conf
View File 

@@ -708,6 +708,12 @@ own_ip_addr=127.0.0.1
 
 #
 
 # DAS client (the host that can send Disconnect/CoA requests) and shared secret
 
 #radius_das_client=192.168.1.123 shared secret here
 
+#
 
+# DAS Event-Timestamp time window in seconds
 
+#radius_das_time_window=300
 
+#
 
+# DAS require Event-Timestamp
 
+#radius_das_require_event_timestamp=1
 
 
 ##### RADIUS authentication server configuration ##############################

+ 2 - 0
src/ap/ap_config.c
View File 

@@ -87,6 +87,8 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 
 #ifdef CONFIG_IEEE80211R
 
 	bss->ft_over_ds = 1;
 
 #endif /* CONFIG_IEEE80211R */
 
+
 
+	bss->radius_das_time_window = 300;
 
 }

+ 2 - 0
src/ap/ap_config.h
View File 

@@ -187,6 +187,8 @@ struct hostapd_bss_config {
 
 	struct hostapd_radius_attr *radius_auth_req_attr;
 
 	struct hostapd_radius_attr *radius_acct_req_attr;
 
 	int radius_das_port;
 
+	unsigned int radius_das_time_window;
 
+	int radius_das_require_event_timestamp;
 
 	struct hostapd_ip_addr radius_das_client_addr;
 
 	u8 *radius_das_shared_secret;
 
 	size_t radius_das_shared_secret_len;

+ 3 - 0
src/ap/hostapd.c
View File 

@@ -639,6 +639,9 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
 
 		das_conf.shared_secret_len =
 
 			hapd->conf->radius_das_shared_secret_len;
 
 		das_conf.client_addr = &hapd->conf->radius_das_client_addr;
 
+		das_conf.time_window = hapd->conf->radius_das_time_window;
 
+		das_conf.require_event_timestamp =
 
+			hapd->conf->radius_das_require_event_timestamp;
 
 		hapd->radius_das = radius_das_init(&das_conf);
 
 		if (hapd->radius_das == NULL) {
 
 			wpa_printf(MSG_ERROR, "RADIUS DAS initialization "

+ 28 - 2
src/radius/radius_das.c
View File 

@@ -24,6 +24,8 @@ struct radius_das_data {
 
 	u8 *shared_secret;
 
 	size_t shared_secret_len;
 
 	struct hostapd_ip_addr client_addr;
 
+	unsigned int time_window;
 
+	int require_event_timestamp;
 
 };
 
 
 
@@ -45,6 +47,8 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
 
 	struct radius_msg *msg, *reply = NULL;
 
 	struct radius_hdr *hdr;
 
 	struct wpabuf *rbuf;
 
+	u32 val;
 
+	int res;
 
 
 	fromlen = sizeof(from);
 
 	len = recvfrom(sock, buf, sizeof(buf), 0,
 
@@ -81,6 +85,27 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
 
 		goto fail;
 
 	}
 
 
+	res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
 
+				  (u8 *) &val, 4);
 
+	if (res == 4) {
 
+		u32 timestamp = ntohl(val);
 
+		struct os_time now;
 
+
 
+		os_get_time(&now);
 
+		if (abs(now.sec - timestamp) > das->time_window) {
 
+			wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
 
+				   "Event-Timestamp (%u; local time %u) in "
 
+				   "packet from %s:%d - drop",
 
+				   timestamp, (unsigned int) now.sec,
 
+				   abuf, from_port);
 
+			goto fail;
 
+		}
 
+	} else if (das->require_event_timestamp) {
 
+		wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
 
+			   "from %s:%d - drop", abuf, from_port);
 
+		goto fail;
 
+	}
 
+
 
 	hdr = radius_msg_get_hdr(msg);
 
 
 	switch (hdr->code) {
 
@@ -110,8 +135,6 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
 
 	}
 
 
 	if (reply) {
 
-		int res;
 
-
 
 		wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
 
 
 		if (radius_msg_finish_das_resp(reply, das->shared_secret,
 
@@ -177,6 +200,9 @@ radius_das_init(struct radius_das_conf *conf)
 
 	if (das == NULL)
 
 		return NULL;
 
 
+	das->time_window = conf->time_window;
 
+	das->require_event_timestamp = conf->require_event_timestamp;
 
+
 
 	os_memcpy(&das->client_addr, conf->client_addr,
 
 		  sizeof(das->client_addr));

+ 2 - 0
src/radius/radius_das.h
View File 

@@ -16,6 +16,8 @@ struct radius_das_conf {
 
 	const u8 *shared_secret;
 
 	size_t shared_secret_len;
 
 	const struct hostapd_ip_addr *client_addr;
 
+	unsigned int time_window;
 
+	int require_event_timestamp;
 
 };
 
 
 struct radius_das_data *