While RADIUS messages are limited to 4 kB, use size_t to avoid even a
theoretical overflow issue with 16-bit int.
Signed-off-by: Jouni Malinen <j@w1.fi>
Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all
Access-Reject messages generated based on EAP-Failure from the EAP
server. For now, the reason code value is set to 23 (IEEE 802.1X
authentication failed). This can be extending in future commits to cover
addition failure reasons.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.
The mechanical conversions all over the code were done with
the following spatch:
@@
expression SIZE, SRC;
expression a;
@@
-a = os_malloc(SIZE);
+a = os_memdup(SRC, SIZE);
<...
if (!a) {...}
...>
-os_memcpy(a, SRC, SIZE);
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
This gets rid of a valgrind warning on uninitialized memory read in the
hostapd_oom_wpa2_eap_connect test case where the result is used after
failed md5_vector() call.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This gets rid of a valgrind warning on uninitialized memory read in the
hostapd_oom_wpa2_eap_connect test case where memcmp is used after failed
hmac_md5() call.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This gets rid of a valgrind warning on uninitialized memory read in the
hostapd_oom_wpa2_eap test case where memcmp is used after failed
md5_vector() call.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
1. Add tagged VLAN to struct vlan_description
(compile limited number of tagged VLANs per description)
For k tagged VLANs, the first k entries in vlan_description.tagged
are used. They are sorted in ascending order. All other entries are
zero. This way os_memcmp() can find identical configurations.
2. Let tagged VLANs be parsed from RADIUS Access-Accept
3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
There is no need to maintain three copies of this functionality even if
it is currently implemented as a single function call.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
The recently added ProxyARP support (proxy_arp=1) in hostapd allows a
STA IPv4 address to be learned from DHCP or ARP messages. If that
information is available, add it to Account-Request messages in
Framed-IP-Address attribute.
Signed-off-by: Jouni Malinen <j@w1.fi>
MS-MPPE-Recv-Key generation in radius_msg_add_mppe_keys() used incorrect
function argument (send_key_len; should be recv_key_len) when allocating
a temporary buffer. Fix this by using the correct argument.
The only caller of the function uses the same length for both
send_key_len and recv_key_len, so this copy-paste error did not result
in any difference in the behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
This adds definition and names for the RADIUS attributes defined in RFC
5580 (Carrying Location Objects in RADIUS and Diameter).
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hostapd support for the new WLAN-Pairwise-Cipher,
WLAN-Group-Cipher, WLAN-AKM-Suite, and WLAN-Group-Mgmt-Pairwise-Cipher
attributes defined in RFC 7268. These attributes are added to RADIUS
messages when the station negotiates use of WPA/RSN.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hostapd support for the new WLAN-HESSID attribute defined in
RFC 7268. This attribute contains the HESSID and it is added whenever
Interworking is enabled and HESSID is configured.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hostapd support for the new Mobility-Domain-Id attribute
defined in RFC 7268. This attribute contains the mobility domain id and
it is added whenever the station negotiates use of FT.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.
Signed-off-by: Jouni Malinen <j@w1.fi>
These checks would not really be needed since radius_msg_parse()
validates the attribute header fields. Anyway, these makes it more
obvious to anyone reviewing the code that there are no integer underflow
issues in the functions processing RADIUS attributes.
Signed-hostap: Jouni Malinen <j@w1.fi>
This simplifies the implementation by using the buffer type to which the
returned data will be converted anyway. This avoids one memory
allocation for each processed RADIUS message.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds the basic DAS mechanism to enable hostapd to be configured
to request dynamic authorization requests (Disconnect-Request and
CoA-Request). This commit does not add actual processing of the
requests, i.e., this will only receive and authenticate the requests
and NAK them regardless of what operation is requested.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows per-device PSK to be configured for WPA-Personal using a
RADIUS authentication server. This uses RADIUS-based MAC address ACL
(macaddr_acl=2), i.e., Access-Request uses the MAC address of the
station as the User-Name and User-Password. The WPA passphrase is
returned in Tunnel-Password attribute in Access-Accept. This
functionality can be enabled with the new hostapd.conf parameter,
wpa_psk_radius.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Explicitly validate data_len so that static analyzers do not get
confused about the padlen validation. This is not really needed, but it
makes the code a bit easier for static analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
