From patchwork Tue Jul 26 18:21:15 2016
X-Patchwork-Submitter: Nick Lowe
X-Patchwork-Id: 652864
From: Nick Lowe
Date: Tue, 26 Jul 2016 19:21:15 +0100
Subject: [PATCH] Add a require_message_authenticator configuration option to mandate the presence of the Message-Authenticator attribute on CoA/Disconnect-Request packets.
To: hostap@lists.infradead.org

[PATCH] Add a require_message_authenticator configuration option to mandate the presence of the Message-Authenticator attribute on CoA/Disconnect-Request packets. Signed-off-by: Nick Lowe --- hostapd/config_file.c | 2 ++ hostapd/hostapd.conf | 3 +++ src/ap/ap_config.h | 1 + src/ap/hostapd.c | 2 ++ src/radius/radius.c | 8 ++++++-- src/radius/radius.h | 2 +- src/radius/radius_das.c | 10 +++++++--- src/radius/radius_das.h | 1 + 8 files changed, 23 insertions(+), 6 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 6dc7e8c..1116b48 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c
@@ -2411,6 +2411,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->radius_das_time_window = atoi(pos); } else if (os_strcmp(buf, "radius_das_require_event_timestamp") == 0) { bss->radius_das_require_event_timestamp = atoi(pos); + } else if (os_strcmp(buf, "radius_das_require_message_authenticator") == 0) { + bss->radius_das_require_message_authenticator = atoi(pos); #endif /* CONFIG_NO_RADIUS */ } else if (os_strcmp(buf, "auth_algs") == 0) { bss->auth_algs = atoi(pos); diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index c244624..a310c05 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1088,6 +1088,9 @@ own_ip_addr=127.0.0.1 # # DAS require Event-Timestamp #radius_das_require_event_timestamp=1 +# +# DAS require Message-Authenticator +#radius_das_require_message_authenticator=1 ##### RADIUS authentication server configuration ############################## diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 0ae9a6e..64daf4c 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -263,6 +263,7 @@ struct hostapd_bss_config { int radius_das_port; unsigned int radius_das_time_window; int radius_das_require_event_timestamp; + int radius_das_require_message_authenticator; struct hostapd_ip_addr radius_das_client_addr; u8 *radius_das_shared_secret; size_t radius_das_shared_secret_len; diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 30f57f4..65f513d 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -1044,6 +1044,8 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first) das_conf.time_window = conf->radius_das_time_window; das_conf.require_event_timestamp = conf->radius_das_require_event_timestamp; + das_conf.require_message_authenticator = + conf->radius_das_require_message_authenticator; das_conf.ctx = hapd; das_conf.disconnect = hostapd_das_disconnect; hapd->radius_das = radius_das_init(&das_conf); diff --git a/src/radius/radius.c b/src/radius/radius.c index defcd92..2fa4e6c 100644 
--- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -538,7 +538,7 @@ int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret, int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret, - size_t secret_len) + size_t secret_len, int require_message_authenticator) { const u8 *addr[4]; size_t len[4]; @@ -577,7 +577,11 @@ int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret, } if (attr == NULL) { - /* Message-Authenticator is MAY; not required */ + if (require_message_authenticator) { + wpa_printf(MSG_WARNING, "Missing Message-Authenticator " + "attribute in RADIUS message"); + return 1; + } return 0; } diff --git a/src/radius/radius.h b/src/radius/radius.h index cba2b91..08316d4 100644 --- a/src/radius/radius.h +++ b/src/radius/radius.h @@ -242,7 +242,7 @@ void radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret, int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret, size_t secret_len); int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret, - size_t secret_len); + size_t secret_len, int require_message_authenticator); struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u8 type, const u8 *data, size_t data_len); struct radius_msg * radius_msg_parse(const u8 *data, size_t len); diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c index b7d991b..a5b4602 100644 --- a/src/radius/radius_das.c +++ b/src/radius/radius_das.c @@ -23,6 +23,7 @@ struct radius_das_data { struct hostapd_ip_addr client_addr; unsigned int time_window; int require_event_timestamp; + int require_message_authenticator; void *ctx; enum radius_das_res (*disconnect)(void *ctx, struct radius_das_attrs *attr); 
@@ -234,9 +235,11 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx) radius_msg_dump(msg); if (radius_msg_verify_das_req(msg, das->shared_secret, - das->shared_secret_len)) { - wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet " - "from %s:%d - drop", abuf, from_port); + das->shared_secret_len, + das->require_message_authenticator)) { + wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator or " + "Message-Authenticator in packet from %s:%d - drop", + abuf, from_port); goto fail; } @@ -362,6 +365,7 @@ radius_das_init(struct radius_das_conf *conf) das->time_window = conf->time_window; das->require_event_timestamp = conf->require_event_timestamp; + das->require_message_authenticator = conf->require_message_authenticator; das->ctx = conf->ctx; das->disconnect = conf->disconnect; diff --git a/src/radius/radius_das.h b/src/radius/radius_das.h index ce731d4..9863fdc 100644 --- a/src/radius/radius_das.h +++ b/src/radius/radius_das.h @@ -44,6 +44,7 @@ struct radius_das_conf { const struct hostapd_ip_addr *client_addr; unsigned int time_window; int require_event_timestamp; + int require_message_authenticator; void *ctx; enum radius_das_res (*disconnect)(void *ctx, struct radius_das_attrs *attr);
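Review bot: the new `} else if (os_strcmp(buf, "radius_das_require_message_authenticator") == 0) {` line in the hostapd/config_file.c hunk runs past the 79-column limit the rest of this file keeps; wrap the `os_strcmp()` call across two lines the way the hostapd.c hunk wraps its own `das_conf.require_message_authenticator =` assignment.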
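Review bot: the hostapd/hostapd.conf hunk documents the option only as `# DAS require Message-Authenticator`, which does not tell an operator what is enforced or what the default is; state that the default is 0 and that, when set to 1, CoA/Disconnect-Request packets that carry no Message-Authenticator attribute are dropped, so that a DAS client which omits the attribute stops working once the option is enabled. The commit subject also names the option `require_message_authenticator` while the key actually parsed is `radius_das_require_message_authenticator`; the subject should use the real name.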
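Review bot: in the second src/radius/radius.c hunk the new `wpa_printf(MSG_WARNING, "Missing Message-Authenticator " "attribute in RADIUS message")` duplicates the drop message that the caller in `radius_das_receive()` already emits at MSG_DEBUG together with the peer address and port, but at a higher level and without any indication of which DAS client sent the packet; either log this at MSG_DEBUG like the rest of the verification failures or leave the reporting to the caller, which now prints "Invalid authenticator or Message-Authenticator in packet from %s:%d - drop". Keeping the return value 1 for this case is fine, since the caller treats any non-zero result as a drop.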
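Review bot: the changed prototype line `size_t secret_len, int require_message_authenticator)` in the src/radius/radius.h hunk (and the matching definition in src/radius/radius.c) exceeds 79 columns; place `int require_message_authenticator)` on its own continuation line aligned with `size_t secret_len,`.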