aboutsummaryrefslogtreecommitdiffstats
path: root/src/radius
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2012-06-17 17:43:36 +0300
committerJouni Malinen <j@w1.fi>2012-06-17 17:43:36 +0300
commitbde7ba6caf3a2e56b277d9fcf3ff05b0606cb833 (patch)
tree58e7f172c472d1410328d34b040ada38bd568598 /src/radius
parentc2d76aa6247b4769b935f11c902aa3f31278278e (diff)
downloadexternal_wpa_supplicant_8_ti-bde7ba6caf3a2e56b277d9fcf3ff05b0606cb833.zip
external_wpa_supplicant_8_ti-bde7ba6caf3a2e56b277d9fcf3ff05b0606cb833.tar.gz
external_wpa_supplicant_8_ti-bde7ba6caf3a2e56b277d9fcf3ff05b0606cb833.tar.bz2
RADIUS DAS: Validate Event-Timestamp
DAS will now validate Event-Timestamp value to be within an acceptable time window (300 seconds by default; can be set using radius_das_time_window parameter). In addition, Event-Timestamp can be required in Disconnect-Request and CoA-Request messages with radius_das_require_event_timestamp=1. Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/radius')
-rw-r--r--src/radius/radius_das.c30
-rw-r--r--src/radius/radius_das.h2
2 files changed, 30 insertions, 2 deletions
diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c
index ae3df89..20c2fc9 100644
--- a/src/radius/radius_das.c
+++ b/src/radius/radius_das.c
@@ -24,6 +24,8 @@ struct radius_das_data {
u8 *shared_secret;
size_t shared_secret_len;
struct hostapd_ip_addr client_addr;
+ unsigned int time_window;
+ int require_event_timestamp;
};
@@ -45,6 +47,8 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
struct radius_msg *msg, *reply = NULL;
struct radius_hdr *hdr;
struct wpabuf *rbuf;
+ u32 val;
+ int res;
fromlen = sizeof(from);
len = recvfrom(sock, buf, sizeof(buf), 0,
@@ -81,6 +85,27 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
goto fail;
}
+ res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
+ (u8 *) &val, 4);
+ if (res == 4) {
+ u32 timestamp = ntohl(val);
+ struct os_time now;
+
+ os_get_time(&now);
+ if (abs(now.sec - timestamp) > das->time_window) {
+ wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
+ "Event-Timestamp (%u; local time %u) in "
+ "packet from %s:%d - drop",
+ timestamp, (unsigned int) now.sec,
+ abuf, from_port);
+ goto fail;
+ }
+ } else if (das->require_event_timestamp) {
+ wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
+ "from %s:%d - drop", abuf, from_port);
+ goto fail;
+ }
+
hdr = radius_msg_get_hdr(msg);
switch (hdr->code) {
@@ -110,8 +135,6 @@ static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
}
if (reply) {
- int res;
-
wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
if (radius_msg_finish_das_resp(reply, das->shared_secret,
@@ -177,6 +200,9 @@ radius_das_init(struct radius_das_conf *conf)
if (das == NULL)
return NULL;
+ das->time_window = conf->time_window;
+ das->require_event_timestamp = conf->require_event_timestamp;
+
os_memcpy(&das->client_addr, conf->client_addr,
sizeof(das->client_addr));
diff --git a/src/radius/radius_das.h b/src/radius/radius_das.h
index 4e21c6d..c3d501d 100644
--- a/src/radius/radius_das.h
+++ b/src/radius/radius_das.h
@@ -16,6 +16,8 @@ struct radius_das_conf {
const u8 *shared_secret;
size_t shared_secret_len;
const struct hostapd_ip_addr *client_addr;
+ unsigned int time_window;
+ int require_event_timestamp;
};
struct radius_das_data *
generated by cgit v1.1 at 2024-05-01 09:36:06 +0000