Version with sane whitespace attached. Simplify and make properly random the generation of the Request Authenticator. Signed-off-by: Nick Lowe <nick.lowe@xxxxxxxxxxxx> --- src/ap/accounting.c | 7 +++---- src/ap/ieee802_11_auth.c | 5 ++++- src/ap/ieee802_1x.c | 5 ++++- src/radius/radius.c | 23 ++++++----------------- src/radius/radius.h | 3 +-- 5 files changed, 18 insertions(+), 25 deletions(-) diff --git a/src/ap/accounting.c b/src/ap/accounting.c index 163b715..e2d9fa1 100644 --- a/src/ap/accounting.c +++ b/src/ap/accounting.c @@ -50,10 +50,9 @@ static struct radius_msg * accounting_msg(struct hostapd_data *hapd, return NULL; } - if (sta) { - radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); - } else { - radius_msg_make_authenticator(msg, (u8 *) hapd, sizeof(*hapd)); + if (radius_msg_make_authenticator(msg) < 0) { + wpa_printf(MSG_INFO, "Could not make Request Authenticator"); + goto fail; } if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE, diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index b7e7ce3..ec0037a 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -165,7 +165,10 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr, if (msg == NULL) return -1; - radius_msg_make_authenticator(msg, addr, ETH_ALEN); + if (radius_msg_make_authenticator(msg) < 0) { + wpa_printf(MSG_INFO, "Could not make Request Authenticator"); + goto fail; + } os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr)); if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf, diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 6ac4379..54931b7 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
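Review bot: The random Request Authenticator written in accounting_msg() is, for an Accounting-Request, presumably only a placeholder: RFC 2866 defines that packet's Request Authenticator as MD5 over the finished packet plus the shared secret, so the random bytes are expected to be overwritten when the message is finalized, a step that is outside this hunk. A one-line comment above the call would stop a later reader from assuming the random value is what reaches the wire, e.g. `/* Placeholder only; the Accounting-Request authenticator is recomputed over the finished packet (RFC 2866) */`. The `fail` label that the new `goto fail` relies on is not visible either; accounting_msg() both starts and ends outside the hunk, so that label should be confirmed to free msg and return NULL as the other error paths there do.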
@@ -617,7 +617,10 @@ static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, return; } - radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); + if (radius_msg_make_authenticator(msg) < 0) { + wpa_printf(MSG_INFO, "Could not make Request Authenticator"); + goto fail; + } if (sm->identity && !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, diff --git a/src/radius/radius.c b/src/radius/radius.c index 440f958..d4b84c1 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -894,25 +894,14 @@ int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src, /* Create Request Authenticator. The value should be unique over the lifetime * of the shared secret between authenticator and authentication server. - * Use one-way MD5 hash calculated from current timestamp and some data given - * by the caller. */ -void radius_msg_make_authenticator(struct radius_msg *msg, - const u8 *data, size_t len) + */ +int radius_msg_make_authenticator(struct radius_msg *msg) { - struct os_time tv; - long int l; - const u8 *addr[3]; - size_t elen[3]; + if (os_get_random((u8 *) &msg->hdr->authenticator, + sizeof(msg->hdr->authenticator)) < 0) + return -1; - os_get_time(&tv); - l = os_random(); - addr[0] = (u8 *) &tv; - elen[0] = sizeof(tv); - addr[1] = data; - elen[1] = len; - addr[2] = (u8 *) &l; - elen[2] = sizeof(l); - md5_vector(3, addr, elen, msg->hdr->authenticator); + return 0; } diff --git a/src/radius/radius.h b/src/radius/radius.h index 09b674a..5ab6318 100644 --- a/src/radius/radius.h +++ b/src/radius/radius.h 
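Review bot: The header comment kept above radius_msg_make_authenticator() now ends in an orphaned ` */` line and no longer states what the function guarantees or returns, which matters because every caller's error path hinges on the new -1 result. RFC 2865 requires an Access-Request's Request Authenticator to be unpredictable as well as unique (User-Password hiding and Message-Authenticator are keyed on it), which is exactly what replacing the MD5 of a timestamp, caller data and os_random() with os_get_random() provides, so the comment should say so: `/* Create Request Authenticator. RFC 2865 requires it to be unpredictable and unique over the lifetime of the shared secret. Returns 0 on success, -1 if no random bytes were available; the caller must then discard msg. */`. Style nit: the removed md5_vector() call already passed `msg->hdr->authenticator` as a plain output buffer, so the cast and address-of are unnecessary: `if (os_get_random(msg->hdr->authenticator, sizeof(msg->hdr->authenticator)) < 0)`.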
@@ -252,8 +252,7 @@ int radius_msg_verify_msg_auth(struct radius_msg *msg, const u8 *secret, size_t secret_len, const u8 *req_auth); int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src, u8 type); -void radius_msg_make_authenticator(struct radius_msg *msg, - const u8 *data, size_t len); +int radius_msg_make_authenticator(struct radius_msg *msg); struct radius_ms_mppe_keys * radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg, const u8 *secret, size_t secret_len); -- 2.5.0
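Review bot: Changing the prototype from a three-argument void function to `int radius_msg_make_authenticator(struct radius_msg *msg);` breaks any caller not converted in this series, and the diffstat covers only the three call sites under src/ap; if wpa_supplicant/eapol_test.c (or anything else outside src/ap) still uses the old form, as I believe it does, that build will fail, so it should be converted in the same patch or an accompanying one. Since callers are now expected to act on the return value, a short comment on the declaration would help, e.g. `/* Fill msg->hdr->authenticator with random bytes; returns 0 on success, -1 on failure */`.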
From d31325913ddea6733f053a0e07b59954f1fa1a0d Mon Sep 17 00:00:00 2001 From: Nick Lowe <nick.lowe@xxxxxxxxxxxx> Date: Wed, 27 Jan 2016 13:22:48 +0000 Subject: [PATCH] Simplify and make properly random the generation of the Request Authenticator. Signed-off-by: Nick Lowe <nick.lowe@xxxxxxxxxxxx> --- src/ap/accounting.c | 7 +++---- src/ap/ieee802_11_auth.c | 5 ++++- src/ap/ieee802_1x.c | 5 ++++- src/radius/radius.c | 23 ++++++----------------- src/radius/radius.h | 3 +-- 5 files changed, 18 insertions(+), 25 deletions(-) diff --git a/src/ap/accounting.c b/src/ap/accounting.c index 163b715..e2d9fa1 100644 --- a/src/ap/accounting.c +++ b/src/ap/accounting.c @@ -50,10 +50,9 @@ static struct radius_msg * accounting_msg(struct hostapd_data *hapd, return NULL; } - if (sta) { - radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); - } else { - radius_msg_make_authenticator(msg, (u8 *) hapd, sizeof(*hapd)); + if (radius_msg_make_authenticator(msg) < 0) { + wpa_printf(MSG_INFO, "Could not make Request Authenticator"); + goto fail; } if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE, diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index b7e7ce3..ec0037a 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -165,7 +165,10 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr, if (msg == NULL) return -1; - radius_msg_make_authenticator(msg, addr, ETH_ALEN); + if (radius_msg_make_authenticator(msg) < 0) { + wpa_printf(MSG_INFO, "Could not make Request Authenticator"); + goto fail; + } os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr)); if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf, diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 6ac4379..54931b7 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
@@ -617,7 +617,10 @@ static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, return; } - radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); + if (radius_msg_make_authenticator(msg) < 0) { + wpa_printf(MSG_INFO, "Could not make Request Authenticator"); + goto fail; + } if (sm->identity && !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, diff --git a/src/radius/radius.c b/src/radius/radius.c index 440f958..d4b84c1 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -894,25 +894,14 @@ int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src, /* Create Request Authenticator. The value should be unique over the lifetime * of the shared secret between authenticator and authentication server. - * Use one-way MD5 hash calculated from current timestamp and some data given - * by the caller. */ -void radius_msg_make_authenticator(struct radius_msg *msg, - const u8 *data, size_t len) + */ +int radius_msg_make_authenticator(struct radius_msg *msg) { - struct os_time tv; - long int l; - const u8 *addr[3]; - size_t elen[3]; + if (os_get_random((u8 *) &msg->hdr->authenticator, + sizeof(msg->hdr->authenticator)) < 0) + return -1; - os_get_time(&tv); - l = os_random(); - addr[0] = (u8 *) &tv; - elen[0] = sizeof(tv); - addr[1] = data; - elen[1] = len; - addr[2] = (u8 *) &l; - elen[2] = sizeof(l); - md5_vector(3, addr, elen, msg->hdr->authenticator); + return 0; } diff --git a/src/radius/radius.h b/src/radius/radius.h index 09b674a..5ab6318 100644 --- a/src/radius/radius.h +++ b/src/radius/radius.h 
@@ -252,8 +252,7 @@ int radius_msg_verify_msg_auth(struct radius_msg *msg, const u8 *secret, size_t secret_len, const u8 *req_auth); int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src, u8 type); -void radius_msg_make_authenticator(struct radius_msg *msg, - const u8 *data, size_t len); +int radius_msg_make_authenticator(struct radius_msg *msg); struct radius_ms_mppe_keys * radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg, const u8 *secret, size_t secret_len); -- 2.5.0