path: root/src/radius
Each entry below: commit subject (author, date, files changed, lines -removed/+added), followed by the commit message.
* RADIUS client: Support SO_BINDTODEVICE (Ben Greear, 2021-02-27, 2 files, -5/+29)
  Allow the RADIUS client socket to be bound to a specific netdev. This helps hostapd work better in VRF and other fancy network environments.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
  Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
* Check for message truncation in RADIUS client (Anusha Datar, 2021-02-19, 1 file, -4/+13)
  The RADIUS client currently determines if a radius message is longer than the supported maximum length by checking whether the size of the received buffer and the length of the buffer (as returned by recv()) is equal. This method fails to detect if the buffer has actually been truncated. This change modifies the RADIUS client to instead use the recvmsg() call and then check the message header flags to determine whether or not the received message has been truncated and drop the message if that is the case.
  Signed-off-by: Anusha Datar <anusha@meter.com>
  Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
  Reviewed-by: Julian Squires <julian@cipht.net>
* Set RADIUS message length to reflect RFC 2865 (Anusha Datar, 2021-02-19, 1 file, -2/+3)
  The current RADIUS server message maximum length limits the length of each RADIUS message to 3000 bytes. As specified in RFC 2865 section 3 ("Packet Format"), the RADIUS standard's maximum message size is 4096 bytes, so this change increases the RADIUS server's maximum message size from 3000 to 4096 to match the standard.
  Signed-off-by: Anusha Datar <anusha@meter.com>
  Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
  Reviewed-by: Julian Squires <julian@cipht.net>
* Create RADIUS_MAX_MSG_LEN param in the shared radius.h (Anusha Datar, 2021-02-19, 3 files, -6/+3)
  The RADIUS client currently uses a hardcoded value of 3000 for the maximum length of a RADIUS message, and the RADIUS server currently defines a constant value for the maximum length of the RADIUS message within its source. The client and the server should use the same maximum length value, so this change creates a shared parameter RADIUS_MAX_MSG_LEN within the header file radius.h and modifies both the client and the server to use that parameter instead of a locally set value.
  Signed-off-by: Anusha Datar <anusha@meter.com>
  Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
  Reviewed-by: Julian Squires <julian@cipht.net>
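The three 2021-02-19 commits above (truncation detection via recvmsg(), the RFC 2865 maximum of 4096 octets, and the shared RADIUS_MAX_MSG_LEN) fit together as one receive path. The following is an added example written for this page, not code from hostap: it reads a datagram with recvmsg(), drops it when the kernel sets MSG_TRUNC, and then checks the RFC 2865 Length field against both the 20..4096 bounds and the number of octets actually received. The function names, the local AF_UNIX socketpair, and the constructed packets are this example's own assumptions.

```c
/* Added example, not hostap code: receive one RADIUS datagram with recvmsg(),
 * drop it if the kernel reports truncation, and validate the RFC 2865 Length
 * field before anything else looks at the packet. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

#define RADIUS_MAX_MSG_LEN 4096 /* RFC 2865 section 3 maximum packet length */
#define RADIUS_HDR_LEN 20       /* Code, Identifier, Length, Authenticator */

/* Returns the datagram length, 0 if it was truncated (caller drops it), -1 on
 * socket error. recv() cannot tell "exactly filled the buffer" from "did not
 * fit"; recvmsg() reports the latter in msg_flags. */
ssize_t radius_recv_dgram(int sock, unsigned char *buf, size_t buflen)
{
	struct iovec iov = { .iov_base = buf, .iov_len = buflen };
	struct msghdr msg;
	ssize_t len;

	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	len = recvmsg(sock, &msg, 0);
	if (len < 0)
		return -1;
	if (msg.msg_flags & MSG_TRUNC)
		return 0; /* the tail of the datagram is gone; do not parse it */
	return len;
}

/* RFC 2865 section 3: Length covers Code through Attributes (20..4096), octets
 * beyond Length are padding, and a packet shorter than Length or with
 * Length < 20 must be silently discarded. Returns 1 if acceptable. */
int radius_length_ok(const unsigned char *buf, size_t received)
{
	unsigned int length;

	if (received < RADIUS_HDR_LEN)
		return 0;
	length = ((unsigned int) buf[2] << 8) | buf[3];
	if (length < RADIUS_HDR_LEN || length > RADIUS_MAX_MSG_LEN)
		return 0;
	return length <= received;
}

/* Constructed traffic over a local datagram socketpair (no network needed): a
 * 100-octet packet read into a 64-octet buffer must be dropped, while a
 * 64-octet packet that exactly fills the same buffer must be accepted.
 * Returns 1 when both outcomes are as expected, -1 on socket failure. */
int demo_truncation(void)
{
	int sv[2];
	unsigned char big[100], fit[64], in[64];
	ssize_t n_big, n_fit;

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
		return -1;
	memset(big, 0, sizeof(big));
	memset(fit, 0, sizeof(fit));
	big[0] = 2; big[1] = 0x2a; big[2] = 0; big[3] = 100; /* Access-Accept, Length 100 */
	fit[0] = 2; fit[1] = 0x2b; fit[2] = 0; fit[3] = 64;  /* Access-Accept, Length 64 */
	if (send(sv[0], big, sizeof(big), 0) < 0 ||
	    send(sv[0], fit, sizeof(fit), 0) < 0)
		return -1;
	n_big = radius_recv_dgram(sv[1], in, sizeof(in)); /* 0: truncated */
	n_fit = radius_recv_dgram(sv[1], in, sizeof(in)); /* 64: intact */
	close(sv[0]);
	close(sv[1]);
	return n_big == 0 && n_fit == 64 &&
		radius_length_ok(in, (size_t) n_fit);
}

/* Header-only checks on constructed buffers, no sockets involved.
 * Returns the number of cases (out of 5) that behaved as the RFC requires. */
int demo_length_checks(void)
{
	unsigned char pkt[RADIUS_HDR_LEN + 10];
	int ok = 0;

	memset(pkt, 0, sizeof(pkt));
	pkt[2] = 0; pkt[3] = 20;
	ok += radius_length_ok(pkt, 20) == 1; /* minimal packet */
	ok += radius_length_ok(pkt, 30) == 1; /* trailing padding is ignored */
	pkt[3] = 19;
	ok += radius_length_ok(pkt, 30) == 0; /* Length below the header size */
	pkt[3] = 30;
	ok += radius_length_ok(pkt, 20) == 0; /* Length beyond received data */
	pkt[2] = 0x10; pkt[3] = 0x01;
	ok += radius_length_ok(pkt, 30) == 0; /* 4097 > RADIUS_MAX_MSG_LEN */
	return ok;
}

int main(void)
{
	printf("truncation demo: %d, length checks passed: %d/5\n",
	       demo_truncation(), demo_length_checks());
	return 0;
}
```

The length check is deliberately separate from the receive call: MSG_TRUNC only tells you the kernel cut the datagram to fit the buffer, while a peer can still send a datagram that fits but whose Length field claims more octets than arrived, and only the header check catches that.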
* build: Make more library things common (Johannes Berg, 2020-10-12, 1 file, -8/+1)
  We don't really need to duplicate more of this, so just move the lib.rules include to the end and do more of the stuff that's common anyway there.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Make a common library build (Johannes Berg, 2020-10-12, 1 file, -4/+0)
  Derive the library name from the directory name, and let each library Makefile only declare the objects that are needed. This reduces duplicate code for the ar call. While at it, also pretty-print that call.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* gitignore: Clean up a bit (Johannes Berg, 2020-10-11, 1 file, -1/+0)
  Now that we no longer leave build artifacts outside the build folder, we can clean up the gitignore a bit. Also move more things to per-folder files that we mostly had already anyway.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Put archive files into build/ folder too (Johannes Berg, 2020-10-11, 1 file, -2/+2)
  This is something I hadn't previously done, but there are cases where it's needed, e.g., building 'wlantest' and then one of the tests/fuzzing/*/ projects, they use a different configuration (fuzzing vs. not fuzzing). Perhaps more importantly, this gets rid of the last thing that was dumped into the source directories, apart from the binaries themselves. Note that due to the use of thin archives, this required building with absolute paths.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Put object files into build/ folder (Johannes Berg, 2020-10-10, 1 file, -2/+2)
  Instead of building in the source tree, put most object files into the build/ folder at the root, and put each thing that's being built into a separate folder. This then allows us to build hostapd and wpa_supplicant (or other combinations) without "make clean" in between. For the tests keep the objects in place for now (and to do that, add the build rule) so that we don't have to rewrite all of that with $(call BUILDOBJS,...) which is just noise there.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Use build.rules in lib.rules (Johannes Berg, 2020-10-10, 1 file, -5/+2)
  Use the new build.rules in lib.rules and also unify the clean targets to lib.rules.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* RADIUS: Convert Boolean to C99 bool (Jouni Malinen, 2020-04-24, 1 file, -7/+7)
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Use size_t instead of int for message attributes (Jouni Malinen, 2020-03-22, 1 file, -1/+1)
  While RADIUS messages are limited to 4 kB, use size_t to avoid even a theoretical overflow issue with 16-bit int.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: fix extra retry before failover (Ethan Everett, 2019-12-30, 1 file, -3/+3)
  This commit changes the failover behavior of RADIUS client. Commit 27ebadccfb2 ("RADIUS client: Cease endless retry for message for multiple servers") changed the retry logic, causing RADIUS client to wait RADIUS_CLIENT_NUM_FAILOVER + 1 timeouts before failing over the first time. Prior to that commit, RADIUS client would wait RADIUS_CLIENT_NUM_FAILOVER timeouts before each failover. This was caused by moving the entry->attempts > RADIUS_CLIENT_NUM_FAILOVER comparison to before the retry attempt, where entry->attempts is incremented. The commit in question set entry->attempts in radius_change_server to 1 instead of 0, so RADIUS client would still only wait RADIUS_CLIENT_NUM_FAILOVER timeouts for subsequent failovers, the same as the original behavior. This commit changes the comparison so the initial failover now happens after waiting RADIUS_CLIENT_NUM_FAILOVER timeouts, as it did originally. It also changes the RADIUS_CLIENT_MAX_FAILOVER comparison to prevent an additional attempt to the primary server after the final failover.
  Signed-off-by: Ethan Everett <ethan.everett@meraki.net>
* RADIUS server: Abort startup on allocation failures (Jouni Malinen, 2019-08-19, 1 file, -21/+25)
  Be more consistent on checking all parameter allocation and copying steps within radius_server_init() and abort startup if anything fails instead of trying to continue with other parts of the configuration.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Use struct eap_config to avoid duplicated definitions (Jouni Malinen, 2019-08-19, 2 files, -192/+6)
  Use struct eap_config as-is within RADIUS server to avoid having to duplicate all the configuration variables at each interface. This continues cleanup on struct eap_config duplication in hostapd.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Allow a specific Identity-Type to be requested/required (Jouni Malinen, 2019-08-19, 2 files, -0/+2)
  The new hostapd configuration parameter eap_teap_id can be used to configure the expected behavior for used identity type.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Use struct eap_config to avoid duplicated definitions (Jouni Malinen, 2019-08-18, 1 file, -202/+48)
  Use struct eap_config as-is within struct eap_sm and EAPOL authenticator to avoid having to duplicate all the configuration variables at each interface. Split the couple of session specific variables into a separate struct to allow a single const struct eap_config to be used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Testing mechanism for Result TLV in a separate message (Jouni Malinen, 2019-08-16, 2 files, -0/+4)
  The new eap_teap_separate_result=1 hostapd configuration parameter can be used to test TEAP exchange where the Intermediate-Result TLV and Crypto-Binding TLV are sent in one message exchange while the Result TLV exchange is done after that in a separate message exchange.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled (Jouni Malinen, 2019-08-01, 2 files, -0/+6)
  The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TEAP server and peer implementation (RFC 7170) (Jouni Malinen, 2019-07-09, 2 files, -0/+10)
  This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved. This does not yet support use of NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Add EAP-Key-Name into Access-Accept (Jouni Malinen, 2019-06-03, 1 file, -0/+7)
  If the EAP Session-ID is available, add it into Access-Accept (EAP-Key-Name attribute). This is needed for MACsec.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS server: Do not close fd=0 in error cases (Jouni Malinen, 2019-05-25, 1 file, -0/+2)
  Initialize auth_sock and acct_sock to -1 to avoid radius_server_deinit() attempting to close fd=0 if anything fails in setting up the RADIUS server.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Accept ERP keyName-NAI as user identity (Jouni Malinen, 2019-04-08, 1 file, -8/+31)
  Previously the EAP user database had to include a wildcard entry for ERP to work since the keyName-NAI as User-Name in Access-Request would not be recognized without such wildcard entry (that could point to any EAP method). This is not ideal, so add a separate check to allow any stored ERP keyName-NAI to be used for ERP without any requirement for the EAP user database to contain a matching entry.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd server: Fix memory leak with salted passwords (Masashi Honma, 2019-03-08, 1 file, -6/+10)
  The struct hostapd_eap_user changes with a new allocated variable were not covered in the RADIUS server code. Fix this by using eap_user_free() instead of custom memory freeing operation in radius_server.c. The hwsim tests with salted password (ap_wpa2_eap_pwd_salt_sha1, ap_wpa2_eap_pwd_salt_sha256, ap_wpa2_eap_pwd_salt_sha512) triggered these memory leaks.
  Fixes: d52ead3db7b2 ("EAP-pwd server: Add support for salted password databases")
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* UBSan: Avoid a warning on signed left shift (Jouni Malinen, 2019-02-25, 1 file, -2/+2)
  Use unsigned 1 (1U) instead of signed (1) when doing left shift that could potentially need to use all bits of the 32-bit unsigned variable.
      radius_server.c:2254:14: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS client: Cease endless retry for message for multiple servers (Bo Chen, 2019-01-07, 1 file, -32/+54)
  In the previous RADIUS client implementation, when there are multiple RADIUS servers, we kept trying the next server when the current message can not be acked. It leads to endless retry when all the RADIUS servers are down. Fix this by keeping a counter for the accumulated retransmit attempts for the message, and guarantee that after all the servers failover RADIUS_CLIENT_MAX_FAILOVER times the message will be dropped. Another issue with the previous code was that the decision regarding whether the server should fail over was made immediately after we send out the message. This patch guarantees we consider whether a server needs failover after pending ack times out.
  Signed-off-by: Bo Chen <bochen@meraki.com>
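The two retry commits ("Cease endless retry for message for multiple servers", 2019-01-07, and "fix extra retry before failover", 2019-12-30) describe three properties the client should have once both are in: exactly RADIUS_CLIENT_NUM_FAILOVER timeouts pass on each server before the next one is tried, the comparison is evaluated before the attempt counter is bumped (so it has to be a "greater or equal" test), and after RADIUS_CLIENT_MAX_FAILOVER accumulated switches the message is dropped without one more send to the primary. The following is an added reference model of that policy written for this page; it is not hostapd's radius_client.c, and the constant values (4 and 10), the struct layout and the function names are assumptions made for the model.

```c
/* Added example, a reference model of the retry/failover policy described in
 * the two commit messages; this is not hostapd's radius_client.c and the
 * constant values below are assumed for the model. */
#include <stdio.h>

#define RADIUS_CLIENT_NUM_FAILOVER 4  /* timeouts on one server before switching (assumed) */
#define RADIUS_CLIENT_MAX_FAILOVER 10 /* total switches before the message is dropped (assumed) */

enum radius_action { RADIUS_RETRY, RADIUS_FAILOVER, RADIUS_DROP };

struct radius_pending {
	unsigned int attempts;    /* transmissions of this message to the current server */
	unsigned int failovers;   /* accumulated server switches for this message */
	unsigned int server;      /* index of the server currently in use */
	unsigned int num_servers;
};

/* The message has just been sent once to the first server. */
void radius_pending_init(struct radius_pending *e, unsigned int num_servers)
{
	e->attempts = 1;
	e->failovers = 0;
	e->server = 0;
	e->num_servers = num_servers;
}

/* Ack timer for this message expired. The exhaustion test runs before the
 * counter is bumped, so it must be "attempts >= NUM_FAILOVER" (written here as
 * its negation); a ">" test in that position gives the first server
 * NUM_FAILOVER + 1 timeouts, which is the off-by-one the 2019-12-30 commit
 * fixes. The drop test runs before switching, so no extra send reaches the
 * primary once MAX_FAILOVER switches have been used up. */
enum radius_action radius_on_timeout(struct radius_pending *e)
{
	if (e->attempts < RADIUS_CLIENT_NUM_FAILOVER) {
		e->attempts++;                          /* retransmit to the same server */
		return RADIUS_RETRY;
	}
	if (e->failovers >= RADIUS_CLIENT_MAX_FAILOVER)
		return RADIUS_DROP;                     /* give up; no send at all */
	e->failovers++;
	e->server = (e->server + 1) % e->num_servers;
	e->attempts = 1;                                /* sent once to the new server */
	return RADIUS_FAILOVER;
}

/* Drive the model against `num_servers` servers that never answer. Stores the
 * timeout count at which the first switch happened in *first_failover and
 * returns the total number of timeouts until the message is dropped. */
unsigned int simulate_dead_servers(unsigned int num_servers,
				   unsigned int *first_failover)
{
	struct radius_pending e;
	unsigned int timeouts = 0;
	enum radius_action a;

	radius_pending_init(&e, num_servers);
	*first_failover = 0;
	do {
		timeouts++;
		a = radius_on_timeout(&e);
		if (a == RADIUS_FAILOVER && *first_failover == 0)
			*first_failover = timeouts;
	} while (a != RADIUS_DROP);
	return timeouts;
}

/* Timeout number at which the first failover happens: NUM_FAILOVER. */
unsigned int first_failover_timeout(unsigned int num_servers)
{
	unsigned int first;

	simulate_dead_servers(num_servers, &first);
	return first;
}

/* Total timeouts before the drop, independent of how many servers are
 * configured: (MAX_FAILOVER + 1) * NUM_FAILOVER, i.e. a hard upper bound on
 * how long one unanswered message can keep the client busy. */
unsigned int timeouts_until_drop(unsigned int num_servers)
{
	unsigned int first;

	return simulate_dead_servers(num_servers, &first);
}

int main(void)
{
	printf("first failover after %u timeouts, dropped after %u timeouts\n",
	       first_failover_timeout(2), timeouts_until_drop(2));
	return 0;
}
```

The bound matters operationally: without the accumulated counter, two dead servers keep every pending Access-Request cycling forever, and each new association adds another message to that loop.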
* HS 2.0 server: RADIUS server support for SIM provisioning (Jouni Malinen, 2018-12-15, 2 files, -0/+197)
  This adds support for hostapd-as-RADIUS-authentication-server to request subscription remediation for SIM-based credentials. The new hostapd.conf parameter hs20_sim_provisioning_url is used to set the URL prefix for the remediation server for SIM provisioning. The random hotspot2dot0-mobile-identifier-hash value will be added to the end of this URL prefix and the same value is stored in a new SQLite database table sim_provisioning for the subscription server implementation to use.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Support last_msk with EAP-TLS (Jouni Malinen, 2018-10-11, 1 file, -8/+18)
  This extends the last_msk testing functionality in the RADIUS server to work with EAP-TLS based on "cert-<serial_num>" form user names in the database.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS server: Add testing support for authentication result (Jouni Malinen, 2018-09-11, 1 file, -3/+54)
  CONFIG_RADIUS_TEST builds can now update the user SQLite database based on authentication result from the last attempt. If the database has a last_msk column, that will be set to the hexdump of the MSK whenever authentication succeeds and to "FAIL" whenever authentication fails. This can be used for testing purposes by having an external program track authentication status per user.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Fix Terms and Conditions Server URL macro replacement (Jouni Malinen, 2018-07-30, 1 file, -2/+2)
  The last character of the STA MAC address got replaced with 0x00 due to truncation if the @1@ macro was used at the end of the URL. Fix this case by allocating larger buffer for the URL.
  Fixes: d4e39c51f8bb ("HS 2.0: Move Terms and Conditions Server URL generation from AP to AS")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Add DAC implementation in hostapd(AS) (Jouni Malinen, 2018-06-22, 2 files, -0/+350)
  The new DAC_REQUEST control interface command can now be used to request hostapd to send out Disconnect-Request and CoA-Request packets for an existing session.
      DAC_REQUEST <disconnect|coa> <MAC Address> [t_c_clear]
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Allow 0.0.0.0 to be used as wildcard radius_das_client (Jouni Malinen, 2018-06-22, 1 file, -1/+2)
  This allows hostapd DAS to be configured to allow any DAC (with the matching shared secret) to send Disconnect-Request and CoA-Request packets.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS server: Add current_sessions SQLite table (Jouni Malinen, 2018-06-22, 1 file, -0/+33)
  This can be used to track active sessions, e.g., for the purpose of issuing RADIUS DAS commands (Disconnect-Request or CoA-Request).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Move Terms and Conditions Server URL generation from AP to AS (Jouni Malinen, 2018-06-21, 3 files, -0/+53)
  This makes it more convenient to generate the URL in a way that interoperates between different vendors. The AP is simply copying the already constructed URL as-is from Access-Accept to WNM-Notification. This means that the HO AAA can generate the URL in a manner that works for the associated T&C Server without having to coordinate with each AP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Silence new gcc warnings on switch statement fallthroughs (Jouni Malinen, 2018-05-15, 1 file, -2/+2)
  Reword the comments to make gcc 8.1 recognize these as designed cases and not trigger implicit-fallthrough warnings.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Maintain a database of pending T&C acceptance sessions (Jouni Malinen, 2018-04-30, 1 file, -2/+60)
  The new SQLite table pending_tc is used to maintain a list of sessions that need to accept Terms and Conditions. This information can be used on an external Terms and Conditions server to map the incoming MAC address information into user identity.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Terms and Conditions testing feature in authentication server (Jouni Malinen, 2018-04-26, 1 file, -0/+62)
  Allow hostapd RADIUS authentication server with SQLite EAP user DB to be used for testing Terms and Conditions functionality. This could be used for the HO AAA part of functionality (merging HO AAA and SP AAA into a single component to avoid separate RADIUS proxy in testing setup). A T&C server with HTTPS processing is needed to allow this to be used for full over-the-air testing. This commit adds sufficient functionality to allow hwsim test cases to cover the RADIUS server part.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: CoA-Request processing for Terms and Conditions filtering (Jouni Malinen, 2018-04-25, 2 files, -13/+201)
  Extend RADIUS DAS to support CoA-Request packets for the case where the HS 2.0 Terms And Conditions filtering VSA is used to remove filtering.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Send Terms and Conditions Acceptance notification (Jouni Malinen, 2018-04-23, 1 file, -0/+1)
  This extends hostapd Access-Accept processing to check if the RADIUS server indicated that Terms and Conditions Acceptance is required. The new hs20_t_c_server_url parameter is used to specify the server URL template that the STA is requested to visit. This commit does not enable any kind of filtering, i.e., only the part of forwarding a request from Access-Accept to the STA using WNM-Notification is covered.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Terms and Conditions attributes in Access-Request messages (Jouni Malinen, 2018-04-23, 1 file, -0/+2)
  This extends hostapd with two new configuration parameters (hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify that the Terms and Conditions attributes are to be added into all Access-Request messages for Hotspot 2.0 STAs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Copy Roaming Consortium OI from (Re)AssocReq to Access-Request (Jouni Malinen, 2018-04-17, 1 file, -0/+1)
  This extends hostapd processing of (Re)Association Request frames to store a local copy of the Consortium OI within the Roaming Consortium Selection element, if present, and then add that in HS 2.0 Roaming Consortium attribute into RADIUS Access-Request messages.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add definitions for RADIUS attributes standardised in RFC 7055 (Alejandro Pérez Méndez, 2018-03-30, 1 file, -0/+4)
  hostap code is used by the Moonshot software (an implementation of the GSS EAP mechanism - RFC 7055), and those definitions are required but missing.
  Signed-off-by: Alejandro Perez <alex.perez-mendez@jisc.ac.uk>
* RADIUS: Add WLAN-Reason-Code attribute to Access-Reject (Jouni Malinen, 2018-01-12, 3 files, -0/+13)
  Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all Access-Reject messages generated based on EAP-Failure from the EAP server. For now, the reason code value is set to 23 (IEEE 802.1X authentication failed). This can be extended in future commits to cover additional failure reasons.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add hostapd tls_flags parameter (Jouni Malinen, 2017-09-18, 2 files, -0/+6)
  This can be used to set the TLS flags for authentication server.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Use os_memdup() (Johannes Berg, 2017-03-07, 2 files, -12/+7)
  This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch:
      @@
      expression SIZE, SRC;
      expression a;
      @@
      -a = os_malloc(SIZE);
      +a = os_memdup(SRC, SIZE);
      <...
      if (!a) {...}
      ...>
      -os_memcpy(a, SRC, SIZE);
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* tests: Add TEST_FAIL() to radius_msg_add_attr() (Jouni Malinen, 2017-03-05, 1 file, -0/+3)
  This makes it easier to test error paths for RADIUS message construction.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Fix error paths in new session creation (Jouni Malinen, 2017-03-05, 1 file, -3/+3)
  radius_server_session_free() does not remove the session from the session list and these radius_server_get_new_session() error paths ended up leaving a pointer to freed memory into the session list. This resulted in the following operations failing due to use of freed memory. Fix this by using radius_server_session_remove() which removes the entry from the list in addition to calling radius_server_session_free().
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove trailing whitespace (Jouni Malinen, 2016-12-28, 2 files, -2/+2)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Increase maximum number of sessions (Jouni Malinen, 2016-12-27, 1 file, -2/+7)
  It was possible to hit the previously used maximum of 100 active sessions in some hwsim test case sequences like this one: eap_proto_pwd_errors eap_proto_ikev2_errors eap_proto_sim_errors. This happened due to the large number of RADIUS authentication iterations in a short period of time, i.e., within the 10 second timeout for expiring completed sessions. Increase RADIUS_MAX_SESSION from 100 to 1000 and also reduce the timeout on expiring completed sessions from 10 to 5 seconds.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* radius: Sanity check for NULL pointer segfault (Eduardo Abinader, 2016-08-19, 1 file, -1/+6)
  When the RADIUS client has not yet been fully enabled, the MIB command was segfaulting hostapd.
  Signed-off-by: Eduardo Abinader <eduardoabinader@gmail.com>