<feed xmlns='http://www.w3.org/2005/Atom'>
<title>accel-ppp.git/accel-pppd/radius/packet.c, branch stable</title>
<subtitle>High performance PPTP/L2TP/SSTP/PPPoE/IPoE server for Linux (mirror of https://github.com/accel-ppp/accel-ppp.git)
</subtitle>
<id>https://git.amelek.net/accel-ppp/accel-ppp.git/atom?h=stable</id>
<link rel='self' href='https://git.amelek.net/accel-ppp/accel-ppp.git/atom?h=stable'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/'/>
<updated>2026-03-22T22:04:34+00:00</updated>
<entry>
<title>radius: Invalid integer and date parsing</title>
<updated>2026-03-22T22:04:34+00:00</updated>
<author>
<name>Denys Fedoryshchenko</name>
<email>denys.f@collabora.com</email>
</author>
<published>2026-02-06T16:09:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=d6cc7e88c1ad37f19c818d000d37e610d0c448ee'/>
<id>urn:sha1:d6cc7e88c1ad37f19c818d000d37e610d0c448ee</id>
<content type='text'>
Actually 3 fixes in same place:

INTEGER: size mismatch now breaks instead of falling through - a malformed INTEGER attribute is rejected rather than silently parsed with a wrong size
INTEGER/DATE split: each case has its own break, no more fallthrough
DATE: strictly requires len == 4 (per RFC 2865), warns and skips otherwise instead of silently accepting 1 or 2-byte dates

Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
</content>
</entry>
<entry>
<title>radius: Fix invalid check after mempool allocation</title>
<updated>2026-03-22T22:04:34+00:00</updated>
<author>
<name>Denys Fedoryshchenko</name>
<email>denys.f@collabora.com</email>
</author>
<published>2026-02-06T16:05:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=8de38d67e27b841a73fbd4c6051963ffdb816c02'/>
<id>urn:sha1:8de38d67e27b841a73fbd4c6051963ffdb816c02</id>
<content type='text'>
This check left old, relevant to mmap, migrate to proper check.

Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
</content>
</entry>
<entry>
<title>radius: Vendor attribute parsing over-reads</title>
<updated>2026-03-22T22:04:34+00:00</updated>
<author>
<name>Denys Fedoryshchenko</name>
<email>denys.f@collabora.com</email>
</author>
<published>2026-02-06T16:02:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=3c7fa6f67831098975e65a02a3055ff6b1889dd6'/>
<id>urn:sha1:3c7fa6f67831098975e65a02a3055ff6b1889dd6</id>
<content type='text'>
When parsing vendor-specific attributes (type 26),
the code reads internal structure without checking that the attribute data is long enough.

Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
</content>
</entry>
<entry>
<title>Merge pull request #267 from nuclearcat/fix-ssl-warnings</title>
<updated>2025-11-28T06:39:54+00:00</updated>
<author>
<name>Denys Fedoryshchenko</name>
<email>denys.f@collabora.com</email>
</author>
<published>2025-11-28T06:39:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=ac31c84a36c069c90e37ab28a9e980c0749b2b37'/>
<id>urn:sha1:ac31c84a36c069c90e37ab28a9e980c0749b2b37</id>
<content type='text'>
Suppress OpenSSL 3.0 deprecation warnings for legacy crypto APIs</content>
</entry>
<entry>
<title>fixup! Add RADIUS blast attack protection with Message-Authenticator</title>
<updated>2025-11-26T18:29:52+00:00</updated>
<author>
<name>Denys Fedoryshchenko</name>
<email>denys.f@collabora.com</email>
</author>
<published>2025-11-26T18:28:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=92110f9f3c9473de3d32bdc6202abb47315d41e7'/>
<id>urn:sha1:92110f9f3c9473de3d32bdc6202abb47315d41e7</id>
<content type='text'>
Not a bug, but to supress warnings.

Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
</content>
</entry>
<entry>
<title>Suppress OpenSSL 3.0 deprecation warnings for legacy crypto APIs</title>
<updated>2025-11-26T18:23:38+00:00</updated>
<author>
<name>Denys Fedoryshchenko</name>
<email>denys.f@collabora.com</email>
</author>
<published>2025-11-26T18:22:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=f03dc39ae891d20e56d7acd764a9b5764a8a2fef'/>
<id>urn:sha1:f03dc39ae891d20e56d7acd764a9b5764a8a2fef</id>
<content type='text'>
We are using similar approach as in other projects, easiest one,
but probably in future it will break as soon as this functions
will be removed completely.

Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
</content>
</entry>
<entry>
<title>Add RADIUS blast attack protection with Message-Authenticator</title>
<updated>2025-07-01T11:32:13+00:00</updated>
<author>
<name>Denys Fedoryshchenko</name>
<email>denys.f@collabora.com</email>
</author>
<published>2025-06-25T19:31:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=1ce263f13ac0b3aed3b14b4a9bb6a51afe210684'/>
<id>urn:sha1:1ce263f13ac0b3aed3b14b4a9bb6a51afe210684</id>
<content type='text'>
Recently FreeRadius started to complain accel-ppp doesn't pass
BlastRADIUS check. This commit fixes that.

This commit implements protection against RADIUS blast attacks
by adding support for the Message-Authenticator attribute in
Access-Request packets. This security enhancement helps
prevent unauthorized access attempts and replay attacks
on RADIUS authentication.

- Added new configuration option `blast-protection=1`
  in [radius] to enable Message-Authenticator inclusion
- Implemented HMAC-MD5 calculation for
  Message-Authenticator attribute (RFC 2869)
- Modified packet building to include 18-byte Message-Authenticator
  attribute when enabled
- Updated packet structure to support signing with shared secret

Enable blast protection by adding to the `[radius]` section:
```
blast-protection=1
```

When enabled, all Access-Request packets will include a
Message-Authenticator attribute with HMAC-MD5 signature,
providing cryptographic integrity verification and protection
against packet modification attacks.

Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
</content>
</entry>
<entry>
<title>build: fix compile errors on GCC 14</title>
<updated>2024-08-27T22:41:58+00:00</updated>
<author>
<name>Sergey V. Lobanov</name>
<email>sergey@lobanov.in</email>
</author>
<published>2024-08-27T21:44:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=966c2bc8df039c67f4711ba9bb3f267fbd405c8d'/>
<id>urn:sha1:966c2bc8df039c67f4711ba9bb3f267fbd405c8d</id>
<content type='text'>
This patch fixes compile errors on GCC 14 like the following

/root/accel-ppp/accel-pppd/radius/packet.c: In function 'rad_packet_recv':
/root/accel-ppp/accel-pppd/radius/packet.c:142:72: error: passing argument 5 of 'recvfrom' from incompatible pointer type [-Wincompatible-pointer-types]
  142 |                         n = recvfrom(fd, pack-&gt;buf, REQ_LENGTH_MAX, 0, addr, &amp;addr_len);
      |                                                                        ^~~~
      |                                                                        |
      |                                                                        struct sockaddr_in *
In file included from /usr/include/netinet/in.h:10,
                 from /usr/include/arpa/inet.h:9,
                 from /root/accel-ppp/accel-pppd/radius/packet.c:10:
/usr/include/sys/socket.h:397:55: note: expected 'struct sockaddr * restrict' but argument is of type 'struct sockaddr_in *'

Reference: https://gcc.gnu.org/gcc-14/porting_to.html
</content>
</entry>
<entry>
<title>fix buffer overflow when receive radius packet</title>
<updated>2021-12-29T06:54:13+00:00</updated>
<author>
<name>Sergey V. Lobanov</name>
<email>sergey@lobanov.in</email>
</author>
<published>2021-12-29T06:54:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=d4cb89721cc8e5b3dd3fbefaf173eb77ecb85615'/>
<id>urn:sha1:d4cb89721cc8e5b3dd3fbefaf173eb77ecb85615</id>
<content type='text'>
This patch fixes buffer overflow if radius packet contains invalid atribute length
and attrubute type from the following list: ipv4addr, ipv6addr, ipv6prefix or ifid

Reported-by: Chloe Ong
Reported-by: Eugene Lim &lt;spaceraccoon@users.noreply.github.com&gt;
Reported-by: Kar Wei Loh

Signed-off-by: Sergey V. Lobanov &lt;sergey@lobanov.in&gt;
</content>
</entry>
<entry>
<title>radius: sanity check for vendor attribute length</title>
<updated>2020-10-21T09:40:26+00:00</updated>
<author>
<name>Dmitry Kozlov</name>
<email>xeb@mail.ru</email>
</author>
<published>2020-10-21T09:40:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/accel-ppp/accel-ppp.git/commit/?id=e9d369aa0054312b7633e964e9f7eb323f1f3d69'/>
<id>urn:sha1:e9d369aa0054312b7633e964e9f7eb323f1f3d69</id>
<content type='text'>
</content>
</entry>
</feed>
