From patchwork Sun Feb 28 14:18:05 2016
X-Patchwork-Submitter: Nick Lowe
X-Patchwork-Id: 589517
Date: Sun, 28 Feb 2016 14:18:05 +0000
Subject: [PATCH] Define new config option nas-identifier-use-bssid
From: Nick Lowe
To: hostap@lists.infradead.org

From afd75242c90c4d33ecdb9e9219cd117d82e90c94 Mon Sep 17 00:00:00 2001
From: Nick Lowe
Date: Sun, 28 Feb 2016 14:13:34 +0000
Subject: [PATCH] Define new config option nas-identifier-use-bssid to include
 the BSSID in the NAS-Identifier attribute value of RADIUS packets. This value
 defaults to 0, maintaining backwards compatibility, and is set to the value 1
 in the supplied hostapd.conf

This new configuration option works in combination with the nas-identifier option.

Where the nas-identifier is unset, the default in hostapd.conf, the BSSID will be used to populate this value in the form in all cases, irrespective of the value of nas-identifier-use-bssid. Omitting the NAS-Identifier in RADIUS packets causes significant problems in the RADIUS protocol so this is not allowed to ever occur. (Accounting-On and Accounting-Off forms of RADIUS accounting packets are allowed to be sent in this case.)

Where the nas-identifier is set and the nas-identifier-use-bssid is set to 1, the BSSID will be included in the value used for the NAS-Identifier in the form “”. (Accounting-On and Accounting-Off forms of RADIUS accounting packets are allowed to be sent in this case.)

Where the nas-identifier is set and the nas-identifier-use-bssid is set to 0, the BSSID will not be included in the value used for the NAS-Identifier. (Accounting-On and Accounting-Off forms of RADIUS accounting packets will not be sent in this case.)

Range checks for nas-identifier now require this string value to be, inclusive, between 3 and 104 characters in length.

Signed-off-by: Nick Lowe --- hostapd/config_file.c | 13 +++++++++++-- hostapd/hostapd.conf | 24 ++++++++++++++++++++---- src/ap/accounting.c | 3 ++- src/ap/ap_config.c | 8 ++++---- src/ap/ap_config.h | 4 +++- src/ap/hostapd.c | 40 ++++++++++++++++++++++++++++++++-------- src/ap/ieee802_1x.c | 35 ++++++++++++++++++++++++++++------- src/ap/wpa_auth_glue.c | 6 +++--- src/radius/radius_das.c | 1 - 9 files changed, 103 insertions(+), 31 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 76f02ca..edb500d 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2282,9 +2282,18 @@ static int hostapd_config_fill(struct hostapd_config *conf, return 1; } } else if (os_strcmp(buf, "nas_identifier") == 0) { - os_free(bss->nas_identifier); - bss->nas_identifier = os_strdup(pos); + os_free(bss->nas_identifier_base); + bss->nas_identifier_base = os_strdup(pos); + bss->nas_identifier_base_len = os_strlen(bss->nas_identifier_base); + if (bss->nas_identifier_base_len < 3 || bss->nas_identifier_base_len > 104) { + wpa_printf(MSG_ERROR, "Line %d: invalid nas_identifier len %lu", + line, + (unsigned long) bss->nas_identifier_base_len); + return 1; + } #ifndef CONFIG_NO_RADIUS + } else if (os_strcmp(buf, "nas_identifier_use_bssid") == 0) { + bss->nas_identifier_use_bssid = atoi(pos); } else if (os_strcmp(buf, "radius_client_addr") == 0) { if (hostapd_parse_ip_addr(pos, &bss->radius->client_addr)) { wpa_printf(MSG_ERROR, diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index d535eec..c780a47 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf 
@@ -909,13 +909,29 @@ eap_server=0 # The own IP address of the access point (used as NAS-IP-Address) own_ip_addr=127.0.0.1 -# Optional NAS-Identifier string for RADIUS messages. When used, this should be -# a unique to the NAS within the scope of the RADIUS server. For example, a -# fully qualified domain name can be used here. -# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and +# Optional NAS-Identifier, containing a string value used to identify the NAS +# originating RADIUS packets. This must be unique to the NAS within the +# scope of a RADIUS server. For example, a fully qualified domain name can be +# used here appended with the . +# Where nas_identifier has not been set, the BSSID will used. +# This will be of the form "00-10-A4-23-19-C0". +# When using IEEE 802.11r, nas_identifier must be set and be between 1 and # 48 octets long. #nas_identifier=ap.example.com +# Whether to use the BSSID in the NAS-Identifier sent in RADIUS packets. +# For example, where the nas_identifier is configured as ap.example.com, a +# value of the form "00-10-A4-23-19-C0:ap.example.com" will be used. +# Where mutiple BSSes are offered by a NAS, each BSS for which RADIUS accounting +# is occuring must be presented as being an individual NAS for Accounting-On and +# Accounting-Off to be handled correctly by a RADIUS server. +# This option has no effect where the nas_identifier has not been set. +# Where this is the case, the BSSID will always be sent. +# This will be of the form "00-10-A4-23-19-C0". +# 0 = disabled (default, for backwards compatiblity) +# 1 = enabled (best practice) +nas_identifier_use_bssid=1 + # RADIUS client forced local IP address for the access point # Normally the local IP address is determined automatically based on configured # IP addresses, but this field can be used to force a specific address to be diff --git a/src/ap/accounting.c b/src/ap/accounting.c index 9357a46..e13f94b 100644 --- a/src/ap/accounting.c 
+++ b/src/ap/accounting.c @@ -424,7 +424,8 @@ static void accounting_report_state(struct hostapd_data *hapd, int on) { struct radius_msg *msg; - if (!hapd->conf->radius->acct_server || hapd->radius == NULL) + if (!hapd->conf->radius->acct_server || hapd->radius == NULL || + (hapd->conf->nas_identifier_use_bssid != 1 && hapd->conf->nas_identifier_base)) return; /* Inform RADIUS server that accounting will start/stop so that the diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 458faa4..62d74db 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -455,7 +455,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf) os_free(conf->erp_domain); os_free(conf->accept_mac); os_free(conf->deny_mac); - os_free(conf->nas_identifier); + os_free(conf->nas_identifier_base); if (conf->radius) { hostapd_config_free_radius(conf->radius->auth_servers, conf->radius->num_auth_servers); @@ -808,9 +808,9 @@ static int hostapd_config_check_bss(struct hostapd_bss_config *bss, #ifdef CONFIG_IEEE80211R if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) && - (bss->nas_identifier == NULL || - os_strlen(bss->nas_identifier) < 1 || - os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) { + (bss->nas_identifier_base == NULL || + os_strlen(bss->nas_identifier_base) < 1 || + os_strlen(bss->nas_identifier_base) > FT_R0KH_ID_MAX_LEN)) { wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires " "nas_identifier to be configured as a 1..48 octet " "string"); diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 763eaaa..9f6118d 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -245,7 +245,9 @@ struct hostapd_bss_config { unsigned int eap_sim_db_timeout; int eap_server_erp; /* Whether ERP is enabled on internal EAP server */ struct hostapd_ip_addr own_ip_addr; - char *nas_identifier; + char *nas_identifier_base; + size_t nas_identifier_base_len; + int nas_identifier_use_bssid; struct hostapd_radius_servers *radius; int acct_interim_interval; int radius_request_cui; 
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index dd2dc17..834464a 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -608,14 +608,38 @@ static int mac_in_conf(struct hostapd_config *conf, const void *a) static int hostapd_das_nas_mismatch(struct hostapd_data *hapd, struct radius_das_attrs *attr) { - if (attr->nas_identifier && - (!hapd->conf->nas_identifier || - os_strlen(hapd->conf->nas_identifier) != - attr->nas_identifier_len || - os_memcmp(hapd->conf->nas_identifier, attr->nas_identifier, - attr->nas_identifier_len) != 0)) { - wpa_printf(MSG_DEBUG, "RADIUS DAS: NAS-Identifier mismatch"); - return 1; + char buf[128]; + int len; + + if (attr->nas_identifier) { + if (hapd->conf->nas_identifier_base) { + if (hapd->conf->nas_identifier_use_bssid == 1) { + len = os_snprintf(buf, sizeof(buf), + RADIUS_802_1X_ADDR_FORMAT ":", + MAC2STR(hapd->own_addr)); + os_memcpy(&buf[len], + hapd->conf->nas_identifier_base, + hapd->conf->nas_identifier_base_len); + len += hapd->conf->nas_identifier_base_len; + } + else { + os_memcpy(&buf[0], + hapd->conf->nas_identifier_base, + hapd->conf->nas_identifier_base_len); + len = hapd->conf->nas_identifier_base_len; + } + } + else + len = os_snprintf(buf, sizeof(buf), + RADIUS_802_1X_ADDR_FORMAT, + MAC2STR(hapd->own_addr)); + + if (len != attr->nas_identifier_len || + os_memcmp(buf, attr->nas_identifier, + len) != 0) { + wpa_printf(MSG_DEBUG, "RADIUS DAS: NAS-Identifier mismatch"); + return 1; + } } if (attr->nas_ip_addr && diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index c774d5c..badb09c 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
@@ -524,13 +524,34 @@ int add_common_radius_attr(struct hostapd_data *hapd, #endif /* CONFIG_IPV6 */ if (!hostapd_config_get_radius_attr(req_attr, - RADIUS_ATTR_NAS_IDENTIFIER) && - hapd->conf->nas_identifier && - !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, - (u8 *) hapd->conf->nas_identifier, - os_strlen(hapd->conf->nas_identifier))) { - wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); - return -1; + RADIUS_ATTR_NAS_IDENTIFIER)) { + if (hapd->conf->nas_identifier_base) { + if (hapd->conf->nas_identifier_use_bssid == 1) { + len = os_snprintf(buf, sizeof(buf), + RADIUS_802_1X_ADDR_FORMAT ":", + MAC2STR(hapd->own_addr)); + os_memcpy(&buf[len], + hapd->conf->nas_identifier_base, + hapd->conf->nas_identifier_base_len); + len += hapd->conf->nas_identifier_base_len; + } + else { + os_memcpy(&buf[0], + hapd->conf->nas_identifier_base, + hapd->conf->nas_identifier_base_len); + len = hapd->conf->nas_identifier_base_len; + } + } + else + len = os_snprintf(buf, sizeof(buf), + RADIUS_802_1X_ADDR_FORMAT, + MAC2STR(hapd->own_addr)); + + if (!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, + (u8 *) buf, len)) { + wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); + return -1; + } } len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index ffd0790..8e363a3 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c 
@@ -59,9 +59,9 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, os_memcpy(wconf->ssid, conf->ssid.ssid, wconf->ssid_len); os_memcpy(wconf->mobility_domain, conf->mobility_domain, MOBILITY_DOMAIN_ID_LEN); - if (conf->nas_identifier && - os_strlen(conf->nas_identifier) <= FT_R0KH_ID_MAX_LEN) { - wconf->r0_key_holder_len = os_strlen(conf->nas_identifier); + if (conf->nas_identifier_base && + conf->nas_identifier_base_len <= FT_R0KH_ID_MAX_LEN) { + wconf->r0_key_holder_len = conf->nas_identifier_base_len; os_memcpy(wconf->r0_key_holder, conf->nas_identifier, wconf->r0_key_holder_len); } diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c index b7d991b..5232fa3 100644 --- a/src/radius/radius_das.c +++ b/src/radius/radius_das.c @@ -72,7 +72,6 @@ static struct radius_msg * radius_das_disconnect(struct radius_das_data *das, } os_memset(&attrs, 0, sizeof(attrs)); - if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, &buf, &len, NULL) == 0) { if (len != 4) { -- 2.7.1
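
Review bot: In the hostapd/config_file.c hunk, the return value of os_strdup(pos) is passed straight to os_strlen() without a NULL check, so an allocation failure while parsing nas_identifier dereferences a null pointer. Test bss->nas_identifier_base before taking its length and return 1 on failure. In the same hunk, nas_identifier_use_bssid is read with atoi(pos) and never validated, while the rest of the patch only compares it against 1, so a value such as 2 or a non-numeric string silently behaves as 0; reject anything other than 0 or 1 with an error naming the line.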
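
Review bot: The added comment block in hostapd/hostapd.conf still says that with IEEE 802.11r nas_identifier must "be between 1 and 48 octets long", but the parser change in this patch rejects anything shorter than 3 characters, so the documented range is no longer accepted. Please state the new limits here. The added lines also need a spelling pass ("will used", "mutiple", "occuring", "compatiblity"), and the sentence ending "used here appended with the ." reads as incomplete.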
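
Review bot: In the src/ap/accounting.c hunk, the new early return in accounting_report_state() fires whenever nas_identifier_base is set and nas_identifier_use_bssid is not 1, which is the default. An existing configuration that sets nas_identifier therefore stops sending Accounting-On and Accounting-Off after upgrading, with nothing logged, and the RADIUS server loses the signal it uses to close stale sessions. That is a behaviour change under the default value, not backwards compatibility; at minimum log the suppression with wpa_printf(MSG_DEBUG, ...) and call it out in hostapd.conf, and consider keeping the old behaviour when the option is 0. The added condition line should also be wrapped to the file's line length.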
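
Review bot: In the src/ap/ap_config.c hunk for hostapd_config_check_bss(), the FT check still tests os_strlen(bss->nas_identifier_base) < 1 and the error text still says "1..48 octet string", while the parser in hostapd/config_file.c now enforces a minimum of 3. The lower bound here can no longer trigger and the message advertises values the parser refuses. Align the two ranges (or keep 1..104 in the parser so short R0KH-IDs that worked before still load), and use the stored nas_identifier_base_len instead of calling os_strlen() twice.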
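
Review bot: In the src/ap/hostapd.c hunk, hostapd_das_nas_mismatch() copies nas_identifier_base into the fixed char buf[128] with os_memcpy() and no length check at the copy site. It is only safe because the parser elsewhere caps the string at 104 characters, so a later change to that limit turns this into a stack overflow. Check that len plus nas_identifier_base_len fits in sizeof(buf) before copying, or build the whole string with a single os_snprintf() and test the result for truncation. The os_snprintf() return value is also used as an offset without an error check, and the signed int len is compared against attr->nas_identifier_len; use size_t once the length is known to be valid. The else branches should follow the file's "} else {" brace style.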
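
Review bot: In the src/ap/ieee802_1x.c hunk, add_common_radius_attr() now adds a NAS-Identifier to every request unless req_attr overrides it, including for configurations that previously sent none because nas_identifier was unset. That changes what existing deployments put on the wire regardless of nas_identifier_use_bssid, so the "defaults to 0, maintaining backwards compatibility" statement does not cover it; either gate the BSSID-only fallback behind the option or document the change prominently. The string-building block is a copy of the one added to hostapd_das_nas_mismatch() in src/ap/hostapd.c; move it into one helper that takes the destination buffer and its size, so the bounds check lives in a single place and the two callers cannot drift apart. The size of buf is not visible in this hunk, which makes the unchecked os_memcpy() harder to review.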
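
Review bot: In the src/ap/wpa_auth_glue.c hunk, the unchanged line "os_memcpy(wconf->r0_key_holder, conf->nas_identifier," still reads conf->nas_identifier, a member that this patch removes from struct hostapd_bss_config in src/ap/ap_config.h. The tree will not build with this hunk as posted when that code is compiled in. Change the source argument to conf->nas_identifier_base so it matches the length now taken from nas_identifier_base_len.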
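
Review bot: The src/radius/radius_das.c hunk only deletes the blank line after os_memset(&attrs, 0, sizeof(attrs)) in radius_das_disconnect() and has no connection to the NAS-Identifier change. Drop it from this patch so the diff contains only functional changes.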