RADIUS: Redesign Request Authenticator generation
Simplify the generation of the Request Authenticator and make it properly random.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
parent
b71a64aa01
commit
2cbc6ffb3a
7 changed files with 18 additions and 28 deletions
@ -61,7 +61,7 @@ static void start_example(void *eloop_ctx, void *timeout_ctx)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
radius_msg_make_authenticator(msg, (u8 *) ctx, sizeof(*ctx));
|
radius_msg_make_authenticator(msg);
|
||||||
|
|
||||||
if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
|
if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
|
||||||
(u8 *) "user", 4)) {
|
(u8 *) "user", 4)) {
|
||||||
|
|
|
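Review bot: The return value of `radius_msg_make_authenticator(msg);` is discarded on the new side, so if os_get_random() fails the example still builds and sends the message with whatever bytes the header held before — a non-random Request Authenticator, which is exactly what this commit sets out to eliminate. The hostapd callers changed in the same commit branch on `< 0`; the example should do the same, e.g. `if (radius_msg_make_authenticator(msg) < 0) { wpa_printf(MSG_INFO, "Could not make Request Authenticator"); return; }`, releasing msg first if the function's other early-return paths do so. start_example() begins and ends outside the hunk, so its existing cleanup on the `return;` path just above is not visible here.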
@ -50,10 +50,9 @@ static struct radius_msg * accounting_msg(struct hostapd_data *hapd,
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sta) {
|
if (radius_msg_make_authenticator(msg) < 0) {
|
||||||
radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
|
wpa_printf(MSG_INFO, "Could not make Request Authenticator");
|
||||||
} else {
|
goto fail;
|
||||||
radius_msg_make_authenticator(msg, (u8 *) hapd, sizeof(*hapd));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE,
|
if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE,
|
||||||
|
|
|
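Review bot: The three-line failure handling introduced here (`if (radius_msg_make_authenticator(msg) < 0) { wpa_printf(MSG_INFO, "Could not make Request Authenticator"); goto fail; }`) is repeated verbatim in the ACL and IEEE 802.1X callers of this commit, while the radius_example and eapol_test callers get no check at all. Moving the `wpa_printf()` into radius_msg_make_authenticator() itself — the message carries no caller-specific information — would leave every caller with a one-line `if (radius_msg_make_authenticator(msg) < 0) goto fail;` and make the inconsistency harder to reintroduce. The `fail` label is outside the hunk; I assume it frees msg. accounting_msg() begins before the hunk and ends after it.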
@ -165,7 +165,10 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
|
||||||
if (msg == NULL)
|
if (msg == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
radius_msg_make_authenticator(msg, addr, ETH_ALEN);
|
if (radius_msg_make_authenticator(msg) < 0) {
|
||||||
|
wpa_printf(MSG_INFO, "Could not make Request Authenticator");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
|
os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
|
||||||
if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
|
if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
|
||||||
|
|
|
@ -602,7 +602,10 @@ static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
|
if (radius_msg_make_authenticator(msg) < 0) {
|
||||||
|
wpa_printf(MSG_INFO, "Could not make Request Authenticator");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
if (sm->identity &&
|
if (sm->identity &&
|
||||||
!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
|
!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
|
||||||
|
|
|
@ -893,25 +893,11 @@ int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
|
||||||
|
|
||||||
/* Create Request Authenticator. The value should be unique over the lifetime
|
/* Create Request Authenticator. The value should be unique over the lifetime
|
||||||
* of the shared secret between authenticator and authentication server.
|
* of the shared secret between authenticator and authentication server.
|
||||||
* Use one-way MD5 hash calculated from current timestamp and some data given
|
*/
|
||||||
* by the caller. */
|
int radius_msg_make_authenticator(struct radius_msg *msg)
|
||||||
void radius_msg_make_authenticator(struct radius_msg *msg,
|
|
||||||
const u8 *data, size_t len)
|
|
||||||
{
|
{
|
||||||
struct os_time tv;
|
return os_get_random((u8 *) &msg->hdr->authenticator,
|
||||||
long int l;
|
sizeof(msg->hdr->authenticator));
|
||||||
const u8 *addr[3];
|
|
||||||
size_t elen[3];
|
|
||||||
|
|
||||||
os_get_time(&tv);
|
|
||||||
l = os_random();
|
|
||||||
addr[0] = (u8 *) &tv;
|
|
||||||
elen[0] = sizeof(tv);
|
|
||||||
addr[1] = data;
|
|
||||||
elen[1] = len;
|
|
||||||
addr[2] = (u8 *) &l;
|
|
||||||
elen[2] = sizeof(l);
|
|
||||||
md5_vector(3, addr, elen, msg->hdr->authenticator);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
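Review bot: The comment above `radius_msg_make_authenticator()` still states only the uniqueness requirement and says nothing about the new return value or what callers must do on failure, although three callers in this commit now branch on `< 0`. It also drops the old description of how the value is derived, so a reader can no longer tell from the comment that the field is filled from the OS random source. Suggest extending the comment with: `* The 16 bytes are drawn from os_get_random(); returns its result (negative on failure), in which case the authenticator field is not valid and the message must not be sent.` Minor style point: `(u8 *) &msg->hdr->authenticator` can presumably be written as `msg->hdr->authenticator` if the field is a u8 array, dropping the cast — confirm against struct radius_hdr.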
@ -251,8 +251,7 @@ int radius_msg_verify_msg_auth(struct radius_msg *msg, const u8 *secret,
|
||||||
size_t secret_len, const u8 *req_auth);
|
size_t secret_len, const u8 *req_auth);
|
||||||
int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
|
int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
|
||||||
u8 type);
|
u8 type);
|
||||||
void radius_msg_make_authenticator(struct radius_msg *msg,
|
int radius_msg_make_authenticator(struct radius_msg *msg);
|
||||||
const u8 *data, size_t len);
|
|
||||||
struct radius_ms_mppe_keys *
|
struct radius_ms_mppe_keys *
|
||||||
radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg,
|
radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg,
|
||||||
const u8 *secret, size_t secret_len);
|
const u8 *secret, size_t secret_len);
|
||||||
|
|
|
@ -193,7 +193,7 @@ static void ieee802_1x_encapsulate_radius(struct eapol_test_data *e,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
radius_msg_make_authenticator(msg, (u8 *) e, sizeof(*e));
|
radius_msg_make_authenticator(msg);
|
||||||
|
|
||||||
hdr = (const struct eap_hdr *) eap;
|
hdr = (const struct eap_hdr *) eap;
|
||||||
pos = (const u8 *) (hdr + 1);
|
pos = (const u8 *) (hdr + 1);
|
||||||
|
|
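Review bot: As in radius_example, `radius_msg_make_authenticator(msg);` now returns an int that this eapol_test caller ignores, so an os_get_random() failure leaves the Request Authenticator unset and the message is still encapsulated and sent. The hostapd callers changed in this commit check `< 0`; mirroring them here, e.g. `if (radius_msg_make_authenticator(msg) < 0) { wpa_printf(MSG_INFO, "Could not make Request Authenticator"); return; }` with msg released first if the function's other early-return paths do that, keeps the test tool from exercising the server with a predictable authenticator. ieee802_1x_encapsulate_radius() begins before the hunk and ends after it.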