RADIUS DAS: Validate Event-Timestamp

DAS will now validate Event-Timestamp value to be within an acceptable
time window (300 seconds by default; can be set using
radius_das_time_window parameter). In addition, Event-Timestamp can be
required in Disconnect-Request and CoA-Request messages with
radius_das_require_event_timestamp=1.

Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen 2012-06-17 17:43:36 +03:00
parent c2d76aa624
commit bde7ba6caf
7 changed files with 48 additions and 2 deletions


@ -24,6 +24,8 @@ struct radius_das_data {
u8 *shared_secret;
size_t shared_secret_len;
struct hostapd_ip_addr client_addr;
unsigned int time_window;
int require_event_timestamp;
};
@ -45,6 +47,8 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
struct radius_msg *msg, *reply = NULL;
struct radius_hdr *hdr;
struct wpabuf *rbuf;
u32 val;
int res;
fromlen = sizeof(from);
len = recvfrom(sock, buf, sizeof(buf), 0,
@ -81,6 +85,27 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
goto fail;
}
res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
(u8 *) &val, 4);
if (res == 4) {
u32 timestamp = ntohl(val);
struct os_time now;
os_get_time(&now);
if (abs(now.sec - timestamp) > das->time_window) {
wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
"Event-Timestamp (%u; local time %u) in "
"packet from %s:%d - drop",
timestamp, (unsigned int) now.sec,
abuf, from_port);
goto fail;
}
} else if (das->require_event_timestamp) {
wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
"from %s:%d - drop", abuf, from_port);
goto fail;
}
hdr = radius_msg_get_hdr(msg);
switch (hdr->code) {
@ -110,8 +135,6 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
}
if (reply) {
int res;
wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
if (radius_msg_finish_das_resp(reply, das->shared_secret,
@ -177,6 +200,9 @@ radius_das_init(struct radius_das_conf *conf)
if (das == NULL)
return NULL;
das->time_window = conf->time_window;
das->require_event_timestamp = conf->require_event_timestamp;
os_memcpy(&das->client_addr, conf->client_addr,
sizeof(das->client_addr));
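Review bot: The window check `abs(now.sec - timestamp) > das->time_window` in radius_das_receive depends on implicit conversions: `abs()` takes an `int`, `timestamp` is a `u32` and `time_window` is an `unsigned int`. Depending on the width of `now.sec` (declared outside this page), the difference is either truncated to `int` or computed as unsigned, and `abs()` is undefined when the truncated value is `INT_MIN`. Computing the difference in a wide signed type makes the replay window explicit, for example `long long diff = (long long) now.sec - (long long) timestamp;`, then `if (diff < 0) diff = -diff;` and `if ((unsigned long long) diff > das->time_window)`. A short comment at the `else if (das->require_event_timestamp)` branch would also help, noting that when the option is off a request without Event-Timestamp skips the window check entirely, so replay protection depends on enabling it. The function body starts and ends outside these hunks.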