path: root/src/radius
Commit message | Author | Age | Files | Lines
* radius: Sanity check for NULL pointer segfault | Eduardo Abinader | 2016-08-19 | 1 | -1/+6
  When the RADIUS client has not yet been fully enabled, MIB command was segfaulting hostapd.
  Signed-off-by: Eduardo Abinader <eduardoabinader@gmail.com>
* Add a require_message_authenticator configuration option | Nick Lowe | 2016-08-07 | 4 | -6/+18
  This can be used to mandate the presence of the Message-Authenticator attribute on CoA/Disconnect-Request packets.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* Check md5_vector() result in decrypt_ms_key() | Jouni Malinen | 2016-05-16 | 1 | -1/+4
  This gets rid of a valgrind warning on uninitialized memory read in the hostapd_oom_wpa2_eap_connect test case where the result is used after failed md5_vector() call.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Check hmac_md5() result in radius_msg_verify_msg_auth() | Jouni Malinen | 2016-05-16 | 1 | -2/+3
  This gets rid of a valgrind warning on uninitialized memory read in the hostapd_oom_wpa2_eap_connect test case where memcmp is used after failed hmac_md5() call.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Check md5_vector() result in radius_msg_verify() | Jouni Malinen | 2016-05-16 | 1 | -2/+2
  This gets rid of a valgrind warning on uninitialized memory read in the hostapd_oom_wpa2_eap test case where memcmp is used after failed md5_vector() call.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* RADIUS: Fix a possible memory leak on an error path | Ayala Beker | 2016-04-08 | 1 | -1/+3
  Fix a possible memory leak in radius_msg_add_mppe_keys() if os_get_random() fails.
  Signed-off-by: Ayala Beker <ayala.beker@intel.com>
* RADIUS: Add Acct-Delay-Time into accounting messages | Jouni Malinen | 2016-02-29 | 1 | -0/+30
  This tells the server how long we have been trying to transmit the message so that the actual time of the message generation can be determined from receive time (ignoring network delays and only at accuracy of one second).

  For interim updates, only value 0 is used since there are no retransmissions of the same message. For other accounting messages, the initial attempt goes out with value 0 and the retransmissions, if needed, show the number of seconds the message has been waiting in the queue.

  Update the Identifier and Authenticator in the messages whenever updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Update full message for interim accounting updates | Jouni Malinen | 2016-02-29 | 2 | -43/+52
  Instead of using the RADIUS client retransmission design with the old RADIUS message contents for each retry, trigger a completely new interim accounting update instance more quickly (using the same schedule as RADIUS message retransmissions) to improve accounting updates in cases where RADIUS message delivery fails. This allows the server to get up to date information from the time the "retry" message was sent instead of the old information from the time the first failed attempt was sent.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add RADIUS Service-Type attribute with a value of Framed | Nick Lowe | 2016-02-19 | 2 | -0/+5
  This seems to be the common value used by APs and also mentioned in RFC 3580.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* radius: Add tagged VLAN parsing | Michael Braun | 2016-02-17 | 2 | -6/+54
  1. Add tagged VLAN to struct vlan_description (compile limited number of tagged VLANs per description). For k tagged VLANs, the first k entries in vlan_description.tagged are used. They are sorted in ascending order. All other entries are zero. This way os_memcmp() can find identical configurations.
  2. Let tagged VLANs be parsed from RADIUS Access-Accept
  3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
  4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
  5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Use stronger PRNG for MS-MPPE-Send/Recv-Key salt | Nick Lowe | 2016-02-07 | 1 | -1/+3
  When generating a MS-MPPE-Send/Recv-Key, don't use a weak PRNG for the salt.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* RADIUS: Share a single function for generating session IDs | Jouni Malinen | 2016-02-06 | 2 | -0/+13
  There is no need to maintain three copies of this functionality even if it is currently implemented as a single function call.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Redesign Request Authenticator generation | Nick Lowe | 2016-02-06 | 2 | -20/+5
  Simplify and make properly random the generation of the Request Authenticator.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* RADIUS: Add EACCES to list of recognized send() errno values | Jouni Malinen | 2015-12-24 | 1 | -1/+1
  This allows RADIUS failover to be performed if send() returns an EACCES error, which is what happens after a recent Linux kernel commit 0315e382704817b279e5693dca8ab9d89aa20b3f ('net: Fix behaviour of unreachable, blackhole and prohibit') for a local sender when route type is prohibit. This fixes the hwsim test case radius_failover when running against a kernel build that includes that commit.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Avoid undefined behavior in pointer arithmetic | Jouni Malinen | 2015-10-25 | 1 | -1/+1
  Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add Framed-IP-Address to Accounting-Request if STA address is known | Jouni Malinen | 2015-10-17 | 2 | -2/+4
  The recently added ProxyARP support (proxy_arp=1) in hostapd allows a STA IPv4 address to be learned from DHCP or ARP messages. If that information is available, add it to Account-Request messages in Framed-IP-Address attribute.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Force RADIUS socket renewal on RADIUS auth failures | Helmut Schaa | 2015-10-05 | 1 | -3/+16
  On RADIUS auth/acct failures hostapd will try a new server if one is available. Reuse the failover logic to force a socket renewal if only one RADIUS server is configured. This fixes problems when a route for the RADIUS server gets added after the socket was "connected". The RADIUS socket is still sending the RADIUS requests out using the previous route.
  Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
* EAP server: Add tls_session_lifetime configuration | Jouni Malinen | 2015-08-23 | 2 | -0/+6
  This new hostapd configuration parameter can be used to enable TLS session resumption. This commit adds the configuration parameter through the configuration system and RADIUS/EAPOL/EAP server components. The actual changes to enable session caching will be addressed in followup commits.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS DAS: Avoid compiler warning on abs() | Jouni Malinen | 2015-07-07 | 1 | -1/+1
  The input parameter ended up being converted to long int instead of int, so use an explicit typecast to get rid of the compiler warning.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* radius: Fix NULL dereference issue on allocation failure | Maneesh Jain | 2015-06-26 | 1 | -2/+4
  In case memory allocation fails, data->pac_opaque_encr_key may be NULL and lead to possible crash.
  Signed-off-by: Maneesh Jain <maneesh.jain@samsung.com>
* RADIUS: Fix a copy-paste error in variable name | Jouni Malinen | 2015-04-29 | 1 | -1/+1
  MS-MPPE-Recv-Key generation in radius_msg_add_mppe_keys() used incorrect function argument (send_key_len; should be recv_key_len) when allocating a temporary buffer. Fix this by using the correct argument. The only caller of the function uses the same length for both send_key_len and recv_key_len, so this copy-paste error did not result in any difference in the behavior.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Declare all read only data structures as const | Mikael Kanstrup | 2015-04-25 | 2 | -5/+5
  By analysing objdump output some read only structures were found in .data section. To help compiler further optimize code declare these as const.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
* tests: Add ap-mgmt-fuzzer | Jouni Malinen | 2015-04-22 | 1 | -0/+1
  This program can be used to run fuzzing tests for areas related to AP management frame parsing and processing.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix RSN preauthentication with dynamic_vlan enabled but unused | Michael Braun | 2015-04-13 | 1 | -2/+2
  sta->vlan_id == -1 means no VLAN, as does vlan_id = 0.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Improve error messages related to EAP DB | Ben Greear | 2015-03-28 | 1 | -0/+6
  Add SQLite error message and DB name to the DB related errors. Add enough tracing so that users can know exactly where users are failing to be found.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* RADIUS client: Fix server failover on return-to-primary on error case | Jouni Malinen | 2015-03-01 | 1 | -6/+16
  If a connection with the primary server cannot be established, restore connection to the previously used server.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: Fix a copy-paste error in accounting server failover | Jouni Malinen | 2015-03-01 | 1 | -1/+1
  Commit 347c55e216f22002246e378097a16ecb24b7c106 ('RADIUS client: Re-try connection if socket is closed on retransmit') added a new option for initiating RADIUS server failover from radius_client_retransmit(), but ended up trying to change authentication servers when accounting server was supposed to be changed due to a copy-paste issue.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: Fix previous failover change | Jouni Malinen | 2015-02-28 | 1 | -2/+11
  Commit 347c55e216f22002246e378097a16ecb24b7c106 ('RADIUS client: Re-try connection if socket is closed on retransmit') added a possibility of executing RADIUS server failover change within radius_client_retransmit() without taking into account that this operation may end up freeing the pending message that is being processed. This could result in use of freed memory. Avoid this by checking whether any pending messages have been removed and if so, do not try to retransmit the potentially freed message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: Re-try connection if socket is closed on retransmit | Jouni Malinen | 2015-02-28 | 1 | -45/+75
  Previously, send() was called with invalid fd = -1 in some error cases for retransmission and this could even result in a loop of multiple such attempts. This is obviously not going to work, so drop such attempts and instead, try to reconnect a socket to the server if the current socket is not valid. In addition, initiate server failover immediately if the current socket is not valid instead of waiting for a timeout.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: Fix server connection recovery after initial failure | Jouni Malinen | 2015-02-28 | 1 | -0/+6
  If the initial attempt at opening the socket connection to the RADIUS server failed due to missing IP connectivity during startup, e.g., with "connect[radius]: Network is unreachable", hostapd did not try to reconnect when RADIUS messages were sent. Instead, it only reported "No authentication server configured" even if the configuration did have a server entry. This was broken by commit 9ed40766735a9628cc6c936076b175e6f66534bb ('RADIUS client: Do not try to send message without socket') for the initial case and the more recent fixes in RADIUS server failover cases did not cover the initial failure case.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Debug messages for dodgy RADIUS servers | Ben Greear | 2015-01-22 | 1 | -3/+14
  These were helpful when tracking down why hostapd did not work properly with a RADIUS server.
  Signed-hostap: Ben Greear <greearb@candelatech.com>
* Fix RADIUS client with out-of-memory and missing shared secret | Jouni Malinen | 2015-01-19 | 1 | -2/+4
  It was possible for an out-of-memory code path to trigger NULL pointer dereference when preparing a RADIUS accounting report.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier | Jouni Malinen | 2015-01-16 | 2 | -0/+9
  This extends Disconnect-Request support for an additional session identification attribute.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS DAS: Check for single session match for Disconnect-Request | Jouni Malinen | 2015-01-16 | 2 | -1/+8
  Previously, the first matching STA was picked. That is not really the design in RFC 5176, so extend this matching code to go through all specified session identification attributes and verify that all of them match. In addition, check for a possible case of multiple sessions matching. If such a case is detected, return with Disconnect-NAK and Error-Code 508 (multiple session selection not supported).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* ERP: Add ERP_FLUSH for hostapd | Jouni Malinen | 2014-12-14 | 2 | -7/+20
  This can be used to drop any pending ERP key from both the internal AP authentication server and RADIUS server use of hostapd.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Check os_snprintf() result more consistently - automatic 1 | Jouni Malinen | 2014-12-08 | 1 | -3/+3
  This converts os_snprintf() result validation cases to use os_snprintf_error() where the exact rule used in os_snprintf_error() was used. These changes were done automatically with spatch using the following semantic patch:

    @@
    identifier E1;
    expression E2,E3,E4,E5,E6;
    statement S1;
    @@
    (
    	E1 = os_snprintf(E2, E3, ...);
    |
    	int E1 = os_snprintf(E2, E3, ...);
    |
    	if (E5)
    		E1 = os_snprintf(E2, E3, ...);
    	else
    		E1 = os_snprintf(E2, E3, ...);
    |
    	if (E5)
    		E1 = os_snprintf(E2, E3, ...);
    	else if (E6)
    		E1 = os_snprintf(E2, E3, ...);
    	else
    		E1 = 0;
    |
    	if (E5) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else {
    		...
    		return -1;
    	}
    |
    	if (E5) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else if (E6) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else {
    		...
    		return -1;
    	}
    |
    	if (E5) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	}
    )
    ? os_free(E4);
    - if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
    + if (os_snprintf_error(E3, E1))
    (
    	S1
    |
    	{ ... }
    )

  Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add support for ERP on EAP server and authenticator | Jouni Malinen | 2014-12-04 | 2 | -2/+84
  Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add optional EAP-Initiate/Re-auth-Start transmission | Jouni Malinen | 2014-12-04 | 1 | -0/+2
  hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start before EAP-Request/Identity to try to initiate ERP. This is disabled by default and can be enabled with erp_send_reauth_start=1 and optional erp_reauth_start_domain=<domain>.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: Print a clear debug log entry if socket is not available | Jouni Malinen | 2014-11-23 | 1 | -0/+7
  It could have been possible to select a socket that is not open (sel_sock == -1) and try to use that in socket operations. This would fail with potentially confusing error messages. Make this clearer by printing a clear debug log entry on socket not being available. (CID 72696)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Define new attributes from RFC 5580 | Jouni Malinen | 2014-10-18 | 2 | -0/+18
  This adds definition and names for the RADIUS attributes defined in RFC 5580 (Carrying Location Objects in RADIUS and Diameter).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Remove unused write | Jouni Malinen | 2014-10-11 | 1 | -1/+0
  There is no need to update the left variable when breaking out from the loop.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Remove unreachable code | Jouni Malinen | 2014-09-13 | 1 | -2/+0
  The previous break will already stop the loop, so this unnecessary check can be removed (CID 72708).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: Check getsockname() return value | Jouni Malinen | 2014-09-07 | 1 | -9/+13
  In theory, this function could fail, so check the return value before printing out the RADIUS local address debug message (CID 72700).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Fix IPv6 radiusAuthClientAddress mask | Jouni Malinen | 2014-09-07 | 1 | -1/+1
  Incorrect buffer was used when writing the IPv6 mask for RADIUS server MIB information (CID 72707).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add RSN cipher/AKM suite attributes into RADIUS messages | Jouni Malinen | 2014-07-31 | 2 | -0/+12
  This adds hostapd support for the new WLAN-Pairwise-Cipher, WLAN-Group-Cipher, WLAN-AKM-Suite, and WLAN-Group-Mgmt-Pairwise-Cipher attributes defined in RFC 7268. These attributes are added to RADIUS messages when the station negotiates use of WPA/RSN.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add WLAN-HESSID into RADIUS messages | Jouni Malinen | 2014-07-31 | 2 | -0/+2
  This adds hostapd support for the new WLAN-HESSID attribute defined in RFC 7268. This attribute contains the HESSID and it is added whenever Interworking is enabled and HESSID is configured.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add Mobility-Domain-Id into RADIUS messages | Jouni Malinen | 2014-07-31 | 2 | -0/+3
  This adds hostapd support for the new Mobility-Domain-Id attribute defined in RFC 7268. This attribute contains the mobility domain id and it is added whenever the station negotiates use of FT.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Clear hostapd configuration keys explicitly | Jouni Malinen | 2014-07-02 | 1 | -3/+3
  Use an explicit memset call to clear any hostapd configuration parameter that contains private information like keys or identity. This brings in an additional layer of protection by reducing the length of time this type of private data is kept in memory.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Use os_memcmp_const() for hash/password comparisons | Jouni Malinen | 2014-07-02 | 2 | -6/+6
  This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS/EAP server: Use longer username buffer to avoid truncation | Jouni Malinen | 2014-06-02 | 1 | -2/+2
  If the peer provides a username with large part of it being non-ASCII characters, the previously used buffers may not have been long enough to include the full string in debug logs and database search due to forced truncation of the string by printf_encode(). Avoid this by increasing the buffer sizes to fit in the maximum result.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>