From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 17 Mar 2024 10:42:56 +0200 Subject: [PATCH 8/9] RADIUS: Require Message-Authenticator attribute in MAC ACL cases hostapd required Message-Authenticator attribute to be included in EAP authentication cases, but that requirement was not in place for MAC ACL cases. Start requiring Message-Authenticator attribute for MAC ACL by default. Unlike the EAP case, this can still be disabled with radius_require_message_authenticator=1 to maintain compatibility with some RADIUS servers when used in a network where the connection to such a server is secure. Signed-off-by: Jouni Malinen CVE: CVE-2024-3596 Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1] Signed-off-by: Peter Marko --- src/ap/ap_config.c | 1 + src/ap/ap_config.h | 1 + src/ap/ieee802_11_auth.c | 4 +++- 5 files changed, 19 insertions(+), 1 deletion(-) diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 86b6e097c..cf497a180 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -120,6 +120,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) #endif /* CONFIG_IEEE80211R_AP */ bss->radius_das_time_window = 300; + bss->radius_require_message_authenticator = 1; bss->anti_clogging_threshold = 5; bss->sae_sync = 5; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 49cd3168a..22ad617f4 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -302,6 +302,7 @@ struct hostapd_bss_config { struct hostapd_ip_addr own_ip_addr; char *nas_identifier; struct hostapd_radius_servers *radius; + int radius_require_message_authenticator; int acct_interim_interval; int radius_request_cui; struct hostapd_radius_attr *radius_auth_req_attr; diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index 2a950cf7f..dab9bcde3 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c 
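Review bot: The new `int radius_require_message_authenticator;` field in struct hostapd_bss_config has no comment on its values, and the commit message says the check is disabled with `radius_require_message_authenticator=1`. The ap_config.c hunk sets the default to 1, and the ieee802_11_auth.c hunk passes the value as the last argument of `radius_msg_verify()` in place of the previous `0`, which suggests 0 is the value that turns the requirement off. A one-line comment on the field would settle it, for example `/* 1 = require Message-Authenticator in MAC ACL responses (default), 0 = do not require */`. The diffstat summary counts 5 files and 19 insertions but only three files are listed on this page, so any hunk that parses this option from the configuration file is not visible here. It is worth confirming the backport still carries it, since otherwise the field could never leave its default; the struct definition also starts and ends outside the hunk.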
@@ -474,7 +474,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, "Found matching Access-Request for RADIUS message (id=%d)", query->radius_id); - if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { + if (radius_msg_verify( + msg, shared_secret, shared_secret_len, req, + hapd->conf->radius_require_message_authenticator)) { wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct authenticator - dropped"); return RADIUS_RX_INVALID_AUTHENTICATOR; -- 2.30.2
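Review bot: The failure branch after the new `radius_msg_verify(...)` call still logs only `Incoming RADIUS packet did not have correct authenticator - dropped`, so a MAC ACL response rejected for lacking the now-required Message-Authenticator attribute would presumably read the same as one with a bad authenticator. radius_msg_verify() is not shown here and may log the specific cause itself; if it does not, operators upgrading against a server that omits the attribute will see stations denied with no hint that the new requirement is the reason. Consider naming the requirement in the message, e.g. `"Incoming RADIUS packet failed authenticator/Message-Authenticator verification - dropped"`. The body of hostapd_acl_recv_radius starts and ends outside this hunk.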