diff options
| author | Denys Fedoryshchenko <denys.f@collabora.com> | 2025-06-25 22:31:08 +0300 |
|---|---|---|
| committer | Denys Fedoryshchenko <denys.f@collabora.com> | 2025-07-01 14:32:13 +0300 |
| commit | 1ce263f13ac0b3aed3b14b4a9bb6a51afe210684 (patch) | |
| tree | ce765094676327c751586010e65ce4af4545f262 /kernel/driver/find_kernel_headers | |
| parent | e06f5b835eb3ef28a2489ca903bc410175225c11 (diff) | |
| download | accel-ppp-1ce263f13ac0b3aed3b14b4a9bb6a51afe210684.tar.gz accel-ppp-1ce263f13ac0b3aed3b14b4a9bb6a51afe210684.zip | |
Add RADIUS blast attack protection with Message-Authenticator
Recently FreeRadius started to complain accel-ppp doesn't pass
BlastRADIUS check. This commit fixes that.
This commit implements protection against RADIUS blast attacks
by adding support for the Message-Authenticator attribute in
Access-Request packets. This security enhancement helps
prevent unauthorized access attempts and replay attacks
on RADIUS authentication.
- Added new configuration option `blast-protection=1`
in [radius] to enable Message-Authenticator inclusion
- Implemented HMAC-MD5 calculation for
Message-Authenticator attribute (RFC 2869)
- Modified packet building to include 18-byte Message-Authenticator
attribute when enabled
- Updated packet structure to support signing with shared secret
Enable blast protection by adding to the `[radius]` section:
```
blast-protection=1
```
When enabled, all Access-Request packets will include a
Message-Authenticator attribute with HMAC-MD5 signature,
providing cryptographic integrity verification and protection
against packet modification attacks.
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
Diffstat (limited to 'kernel/driver/find_kernel_headers')
0 files changed, 0 insertions, 0 deletions
