RADIUS: Redesign Request Authenticator generation

Simplify and make properly random the generation of the Request
Authenticator.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>

diff --git a/radius_example/radius_example.c b/radius_example/radius_example.c
index e4b3678..8b0f475 100644 (file)
--- a/radius_example/radius_example.c
+++ b/radius_example/radius_example.c
@@ -61,7 +61,7 @@ static void start_example(void *eloop_ctx, void *timeout_ctx)
                return;
        }
 
-       radius_msg_make_authenticator(msg, (u8 *) ctx, sizeof(*ctx));
+       radius_msg_make_authenticator(msg);
 
        if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
                                 (u8 *) "user", 4)) {

diff --git a/src/ap/accounting.c b/src/ap/accounting.c
index dfb593a..22684a6 100644 (file)
--- a/src/ap/accounting.c
+++ b/src/ap/accounting.c
@@ -50,10 +50,9 @@ static struct radius_msg * accounting_msg(struct hostapd_data *hapd,
                return NULL;
        }
 
-       if (sta) {
-               radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
-       } else {
-               radius_msg_make_authenticator(msg, (u8 *) hapd, sizeof(*hapd));
+       if (radius_msg_make_authenticator(msg) < 0) {
+               wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+               goto fail;
        }
 
        if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE,

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index b7e7ce3..ec0037a 100644 (file)
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -165,7 +165,10 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
        if (msg == NULL)
                return -1;
 
-       radius_msg_make_authenticator(msg, addr, ETH_ALEN);
+       if (radius_msg_make_authenticator(msg) < 0) {
+               wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+               goto fail;
+       }
 
        os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
        if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 037a8f9..d399b1e 100644 (file)
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -602,7 +602,10 @@ static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
                return;
        }
 
-       radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
+       if (radius_msg_make_authenticator(msg) < 0) {
+               wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+               goto fail;
+       }
 
        if (sm->identity &&
            !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,

diff --git a/src/radius/radius.c b/src/radius/radius.c
index 266b29f..d48a4b5 100644 (file)
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -893,25 +893,11 @@ int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
 
 /* Create Request Authenticator. The value should be unique over the lifetime
  * of the shared secret between authenticator and authentication server.
- * Use one-way MD5 hash calculated from current timestamp and some data given
- * by the caller. */
-void radius_msg_make_authenticator(struct radius_msg *msg,
-                                  const u8 *data, size_t len)
+ */
+int radius_msg_make_authenticator(struct radius_msg *msg)
 {
-       struct os_time tv;
-       long int l;
-       const u8 *addr[3];
-       size_t elen[3];
-
-       os_get_time(&tv);
-       l = os_random();
-       addr[0] = (u8 *) &tv;
-       elen[0] = sizeof(tv);
-       addr[1] = data;
-       elen[1] = len;
-       addr[2] = (u8 *) &l;
-       elen[2] = sizeof(l);
-       md5_vector(3, addr, elen, msg->hdr->authenticator);
+       return os_get_random((u8 *) &msg->hdr->authenticator,
+                            sizeof(msg->hdr->authenticator));
 }
 
 

diff --git a/src/radius/radius.h b/src/radius/radius.h
index f14de53..9218c94 100644 (file)
--- a/src/radius/radius.h
+++ b/src/radius/radius.h
@@ -251,8 +251,7 @@ int radius_msg_verify_msg_auth(struct radius_msg *msg, const u8 *secret,
                               size_t secret_len, const u8 *req_auth);
 int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src,
                         u8 type);
-void radius_msg_make_authenticator(struct radius_msg *msg,
-                                  const u8 *data, size_t len);
+int radius_msg_make_authenticator(struct radius_msg *msg);
 struct radius_ms_mppe_keys *
 radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg,
                       const u8 *secret, size_t secret_len);

diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c
index 7c7d54a..1aede79 100644 (file)
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
@@ -193,7 +193,7 @@ static void ieee802_1x_encapsulate_radius(struct eapol_test_data *e,
                return;
        }
 
-       radius_msg_make_authenticator(msg, (u8 *) e, sizeof(*e));
+       radius_msg_make_authenticator(msg);
 
        hdr = (const struct eap_hdr *) eap;
        pos = (const u8 *) (hdr + 1);