[PATCH] Simplify and make properly random the generation of the Request Authenticator.


 



Version with sane whitespace attached.

Simplify and make properly random the generation of the Request Authenticator.

Signed-off-by: Nick Lowe <nick.lowe@xxxxxxxxxxxx>
---
 src/ap/accounting.c      |  7 +++----
 src/ap/ieee802_11_auth.c |  5 ++++-
 src/ap/ieee802_1x.c      |  5 ++++-
 src/radius/radius.c      | 23 ++++++-----------------
 src/radius/radius.h      |  3 +--
 5 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/src/ap/accounting.c b/src/ap/accounting.c
index 163b715..e2d9fa1 100644
--- a/src/ap/accounting.c
+++ b/src/ap/accounting.c
@@ -50,10 +50,9 @@ static struct radius_msg * accounting_msg(struct
hostapd_data *hapd,
         return NULL;
     }

-    if (sta) {
-        radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
-    } else {
-        radius_msg_make_authenticator(msg, (u8 *) hapd, sizeof(*hapd));
+    if (radius_msg_make_authenticator(msg) < 0) {
+        wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+        goto fail;
     }

     if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE,
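Review bot: The added `goto fail` depends on a `fail` label that lies outside the hunk; accounting_msg continues past the shown context, so confirm that the label releases `msg` with radius_msg_free(), because by this point the message has already been allocated and the old code had no failure path here at all. The same check-and-goto is introduced in hostapd_radius_acl_query (ieee802_11_auth.c) and ieee802_1x_encapsulate_radius (ieee802_1x.c), and in both the label is likewise beyond the hunk. Logging at MSG_INFO matches the neighbouring "Could not add ..." messages, but a failing OS random source is a condition an operator should notice, since every subsequent RADIUS request will be dropped; `wpa_printf(MSG_ERROR, "Could not make Request Authenticator");` would make that visible at the default log level. The whitespace-corrected copy attached below carries the same three hunks.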
diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index b7e7ce3..ec0037a 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -165,7 +165,10 @@ static int hostapd_radius_acl_query(struct
hostapd_data *hapd, const u8 *addr,
     if (msg == NULL)
         return -1;

-    radius_msg_make_authenticator(msg, addr, ETH_ALEN);
+    if (radius_msg_make_authenticator(msg) < 0) {
+        wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+        goto fail;
+    }

     os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
     if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 6ac4379..54931b7 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -617,7 +617,10 @@ static void ieee802_1x_encapsulate_radius(struct
hostapd_data *hapd,
         return;
     }

-    radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
+    if (radius_msg_make_authenticator(msg) < 0) {
+        wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+        goto fail;
+    }

     if (sm->identity &&
         !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
diff --git a/src/radius/radius.c b/src/radius/radius.c
index 440f958..d4b84c1 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -894,25 +894,14 @@ int radius_msg_copy_attr(struct radius_msg *dst,
struct radius_msg *src,

 /* Create Request Authenticator. The value should be unique over the lifetime
  * of the shared secret between authenticator and authentication server.
- * Use one-way MD5 hash calculated from current timestamp and some data given
- * by the caller. */
-void radius_msg_make_authenticator(struct radius_msg *msg,
-                   const u8 *data, size_t len)
+ */
+int radius_msg_make_authenticator(struct radius_msg *msg)
 {
-    struct os_time tv;
-    long int l;
-    const u8 *addr[3];
-    size_t elen[3];
+    if (os_get_random((u8 *) &msg->hdr->authenticator,
+              sizeof(msg->hdr->authenticator)) < 0)
+        return -1;

-    os_get_time(&tv);
-    l = os_random();
-    addr[0] = (u8 *) &tv;
-    elen[0] = sizeof(tv);
-    addr[1] = data;
-    elen[1] = len;
-    addr[2] = (u8 *) &l;
-    elen[2] = sizeof(l);
-    md5_vector(3, addr, elen, msg->hdr->authenticator);
+    return 0;
 }
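Review bot: The trimmed header comment no longer states what the function guarantees or what its new return value means, and this is a security-relevant contract: RFC 2865 expects the Request Authenticator to be unpredictable as well as unique because it is the input to User-Password hiding and to the Response Authenticator check, which is exactly why the timestamp-plus-os_random() MD5 construction is being replaced by os_get_random(). Suggest extending the comment to say that the field is filled from the OS random source so that it is unpredictable, and that the function returns 0 on success and -1 if no random data was available, in which case the caller must not transmit the message. On the -1 path the authenticator field is left with whatever radius_msg_new() put there, possibly partly overwritten, which is acceptable only because each caller frees the message on that path; worth stating in the comment so a future caller does not treat the value as usable. The attached copy of the patch has the identical hunk.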


diff --git a/src/radius/radius.h b/src/radius/radius.h
index 09b674a..5ab6318 100644
--- a/src/radius/radius.h
+++ b/src/radius/radius.h
@@ -252,8 +252,7 @@ int radius_msg_verify_msg_auth(struct radius_msg
*msg, const u8 *secret,
                    size_t secret_len, const u8 *req_auth);
 int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
              u8 type);
-void radius_msg_make_authenticator(struct radius_msg *msg,
-                   const u8 *data, size_t len);
+int radius_msg_make_authenticator(struct radius_msg *msg);
 struct radius_ms_mppe_keys *
 radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg,
                const u8 *secret, size_t secret_len);
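Review bot: The prototype change from three arguments returning void to one argument returning int breaks any caller that is not updated, yet the diffstat lists only the three src/ap call sites; at least wpa_supplicant/eapol_test.c builds RADIUS requests with its own copy of ieee802_1x_encapsulate_radius and, if it still calls the old form in this tree, will fail to compile. A grep for `radius_msg_make_authenticator(` across the repository before applying would settle it. Since the header carries no comment for this declaration, the meaning of the int result is only discoverable from radius.c; a one-line `/* Returns 0 on success, -1 if the random source failed */` next to the prototype would help callers handle it. The attached copy of the patch has the identical hunk.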
-- 
2.5.0
From d31325913ddea6733f053a0e07b59954f1fa1a0d Mon Sep 17 00:00:00 2001
From: Nick Lowe <nick.lowe@xxxxxxxxxxxx>
Date: Wed, 27 Jan 2016 13:22:48 +0000
Subject: [PATCH] Simplify and make properly random the generation of the
 Request Authenticator.

Signed-off-by: Nick Lowe <nick.lowe@xxxxxxxxxxxx>
---
 src/ap/accounting.c      |  7 +++----
 src/ap/ieee802_11_auth.c |  5 ++++-
 src/ap/ieee802_1x.c      |  5 ++++-
 src/radius/radius.c      | 23 ++++++-----------------
 src/radius/radius.h      |  3 +--
 5 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/src/ap/accounting.c b/src/ap/accounting.c
index 163b715..e2d9fa1 100644
--- a/src/ap/accounting.c
+++ b/src/ap/accounting.c
@@ -50,10 +50,9 @@ static struct radius_msg * accounting_msg(struct hostapd_data *hapd,
 		return NULL;
 	}
 
-	if (sta) {
-		radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
-	} else {
-		radius_msg_make_authenticator(msg, (u8 *) hapd, sizeof(*hapd));
+	if (radius_msg_make_authenticator(msg) < 0) {
+		wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+		goto fail;
 	}
 
 	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE,
diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index b7e7ce3..ec0037a 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -165,7 +165,10 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
 	if (msg == NULL)
 		return -1;
 
-	radius_msg_make_authenticator(msg, addr, ETH_ALEN);
+	if (radius_msg_make_authenticator(msg) < 0) {
+		wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+		goto fail;
+	}
 
 	os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
 	if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 6ac4379..54931b7 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -617,7 +617,10 @@ static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
 		return;
 	}
 
-	radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
+	if (radius_msg_make_authenticator(msg) < 0) {
+		wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+		goto fail;
+	}
 
 	if (sm->identity &&
 	    !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
diff --git a/src/radius/radius.c b/src/radius/radius.c
index 440f958..d4b84c1 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -894,25 +894,14 @@ int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
 
 /* Create Request Authenticator. The value should be unique over the lifetime
  * of the shared secret between authenticator and authentication server.
- * Use one-way MD5 hash calculated from current timestamp and some data given
- * by the caller. */
-void radius_msg_make_authenticator(struct radius_msg *msg,
-				   const u8 *data, size_t len)
+ */
+int radius_msg_make_authenticator(struct radius_msg *msg)
 {
-	struct os_time tv;
-	long int l;
-	const u8 *addr[3];
-	size_t elen[3];
+	if (os_get_random((u8 *) &msg->hdr->authenticator,
+			  sizeof(msg->hdr->authenticator)) < 0)
+		return -1;
 
-	os_get_time(&tv);
-	l = os_random();
-	addr[0] = (u8 *) &tv;
-	elen[0] = sizeof(tv);
-	addr[1] = data;
-	elen[1] = len;
-	addr[2] = (u8 *) &l;
-	elen[2] = sizeof(l);
-	md5_vector(3, addr, elen, msg->hdr->authenticator);
+	return 0;
 }
 
 
diff --git a/src/radius/radius.h b/src/radius/radius.h
index 09b674a..5ab6318 100644
--- a/src/radius/radius.h
+++ b/src/radius/radius.h
@@ -252,8 +252,7 @@ int radius_msg_verify_msg_auth(struct radius_msg *msg, const u8 *secret,
 			       size_t secret_len, const u8 *req_auth);
 int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
 			 u8 type);
-void radius_msg_make_authenticator(struct radius_msg *msg,
-				   const u8 *data, size_t len);
+int radius_msg_make_authenticator(struct radius_msg *msg);
 struct radius_ms_mppe_keys *
 radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg,
 		       const u8 *secret, size_t secret_len);
-- 
2.5.0

