[PATCH 32/44] RADIUS: enable PSK generation at RADIUS Server
michael-dev at fami-braun.de
Wed Feb 24 03:53:38 PST 2016
From: Michael Braun <michael-dev at fami-braun.de>
If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Thus interpret 64 char Tunnel-Password as already hashed
PSK and send SSID to RADIUS server.
This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.
Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
---
src/ap/ieee802_11_auth.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index c6a5b67..8058505 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -460,23 +460,40 @@ static void decode_tunnel_passwords(struct hostapd_data *hapd,
*/
if (passphrase == NULL)
break;
+
+ /*
+ * Passphase should be 8..63 chars (to be hashed with ssid)
+ * or 64 chars hex string (already hashed with ssid)
+ */
+
+ if (passphraselen < 8 || passphraselen > PASSPHRASE_LEN)
+ continue;
+
/*
* passphrase does not contain the NULL termination.
* Add it here as pbkdf2_sha1() requires it.
*/
psk = os_zalloc(sizeof(struct hostapd_sta_wpa_psk_short));
if (psk) {
- if (passphraselen > PASSPHRASE_LEN - 1)
- os_memcpy(psk->passphrase, passphrase,
- PASSPHRASE_LEN - 1);
- else
+ if ((passphraselen == PASSPHRASE_LEN) &&
+ (hexstr2bin(passphrase, psk->psk, PMK_LEN) < 0)) {
+ hostapd_logger(hapd, cache->addr,
+ HOSTAPD_MODULE_RADIUS,
+ HOSTAPD_LEVEL_WARNING,
+ "invalid hex string (%d chars) "
+ "in Tunnel-Password",
+ passphraselen);
+ goto skip;
+ } else if (passphraselen < PASSPHRASE_LEN) {
os_memcpy(psk->passphrase, passphrase,
passphraselen);
- psk->ispassphrase = 1;
+ psk->ispassphrase = 1;
+ }
psk->next = cache->psk;
cache->psk = psk;
psk = NULL;
}
+skip:
os_free(psk);
os_free(passphrase);
}
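Review bot: the new `continue` under `if (passphraselen < 8 || passphraselen > PASSPHRASE_LEN)` leaks `passphrase`. At that point the buffer has already passed the `passphrase == NULL` check, and `continue` bypasses the `os_free(passphrase)` at the bottom of the loop body, so every out-of-range Tunnel-Password attribute in a RADIUS reply leaves an unfreed copy of the secret on the heap. Free the buffer before continuing, or jump to a label placed directly before `os_free(passphrase)`. Reusing the existing `skip:` label is only safe if `psk` is guaranteed to be NULL or freshly allocated when it is reached, which these lines do not show. Two smaller points: the added comment has the typo "Passphase", and the commit message says the SSID is sent to the RADIUS server, but nothing in this hunk touches request construction, so either that part of the description belongs to another patch in the series or the message should say where the SSID is already conveyed.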
--
1.9.1