Commit graph

348 commits

Author SHA1 Message Date
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
Jouni Malinen
31bc66e4d1 More forceful clearing of stack memory with keys
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 16:11:56 +03:00
Mohit Sethi
5eefa8115b EAP-AKA: Add Session-Id derivation during fast-reauth
The Session-Id derivation for EAP-AKA in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.

This patch now exports the Session-Id for EAP-AKA during fast
reauthentication based on this Session-Id = 0x17 || NONCE_S || MAC
construction.

Also documented by Alan Dekok in draft-dekok-emu-eap-session-id.

Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
2019-05-25 17:17:00 +03:00
Mohit Sethi
1c16b257a0 EAP-SIM: Add Session-Id derivation during fast-reauth
The Session-Id derivation for EAP-SIM in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.

This patch now exports the Session-Id for EAP-SIM during fast
reauthentication based on this Session-Id = 0x12 || NONCE_S || MAC
construction.

Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
2019-05-25 17:05:03 +03:00
Jouni Malinen
51dc146f3e EAP-PAX server: Avoid debug prints of uninitialized memory in error cases
Use a separate error case handler for eap_pax_mac() failures and memcmp
to avoid wpa_hexdump() calls for the (mainly theoretical) local error
cases in deriving the MAC.

Fixes: b3c2b5d9f7 ("EAP-PAX server: Check hash function results")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 19:02:19 +03:00
Jouni Malinen
fa52bc8b98 EAP-PAX server: Fix message length checks for MSGDUMP level hexdump
EAP-PAX server implementation could end up reading beyond the end of the
buffer if MSGDUMP level debugging was enabled and a message without the
ICV field was received. Fix this by using more strict message length
validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-20 00:27:15 +03:00
Jouni Malinen
b3c2b5d9f7 EAP-PAX server: Check hash function results
While these local failure cases are mostly theoretical, it is better to
check for the errors explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-20 00:27:15 +03:00
Jouni Malinen
a3be79a142 EAP-GPSK server: Fix memory freeing on error path
Allocated struct wpabuf was freed with incorrect freeing function. Fix
this by using the appropriate function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-19 17:08:27 +03:00
Jouni Malinen
848718ddde EAP-SAKE: Report hash function failures to callers
While this is mostly theoretical, the hash functions can fail and it is
better for the upper layer code to explicitly check for such failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-19 16:52:01 +03:00
Jouni Malinen
24b06511e2 EAP-SAKE server: Fix memory freeing on error path
Allocated struct wpabuf was freed with incorrect freeing function. Fix
this by using the appropriate function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-19 16:44:38 +03:00
Jouni Malinen
6151c9b900 EAP-pwd server: Remove unused srandom() call
Commit 4b16c15bbc ("EAP-pwd server: Use os_get_random() for
unpredictable token") replaced use of os_random(), i.e., of random(),
with os_get_random(), but forgot to remove the now unused srandom()
call. Clean up the implementation and remove that unneeded code.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-17 13:24:37 +03:00
Jouni Malinen
fe76f487e2 EAP-pwd server: Fix reassembly buffer handling
data->inbuf allocation might fail and if that were to happen, the next
fragment in the exchange could have resulted in NULL pointer
dereference. Unexpected fragment with more bit might also be able to
trigger this. Fix that by explicitly checking for data->inbuf to be
available before using it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-17 02:23:31 +03:00
Jouni Malinen
a9d224f560 EAP-pwd server: Fix a memory leak on error path
eap_pwd_h_final() needs to be called to free the value from
eap_pwd_h_init() even in error cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-17 01:48:40 +03:00
Jouni Malinen
90ee1bf5f1 EAP-MSCHAPv2: Propagate GetAsymetricStartKey() failures up from getKey()
Report failure from getKey() if MSK cannot be derived due to unexpected
sha1_vector() local failure.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-16 21:21:35 +03:00
Jouni Malinen
8b093db2c3 EAP-pwd: Remove unused checks for cofactor > 1 cases
None of the ECC groups supported in the implementation had a cofactor
greater than 1, so these checks are unreachable and for all cases, the
cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use
of ECC groups with cofactor larger than 1, so this checks cannot be
needed for any curve that is compliant with the RFC.

Remove the unneeded group cofactor checks to simplify the
implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-13 18:28:05 +03:00
Jouni Malinen
89bbe6f87a EAP-pwd: Get rid of unnecessary allocation of temporary buffer
Binary presentations of element and scalar can be written directly to
the allocated commit message buffer instead of having to first write
them into temporary buffers just to copy them to the actual message
buffer.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
4396f74a36 EAP-pwd: Enforce 1 < rand,mask < r and rand+mask mod r > 1
RFC 5931 has these conditions as MUST requirements, so better follow
them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases
are very unlikely to occur in practice while generating random values
locally.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
16d4f10691 EAP-pwd: Check element x,y coordinates explicitly
This adds an explicit check for 0 < x,y < prime based on RFC 5931,
2.8.5.2.2 requirement. The earlier checks might have covered this
implicitly, but it is safer to avoid any dependency on implicit checks
and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)

Furthermore, this moves the EAP-pwd element and scalar parsing and
validation steps into shared helper functions so that there is no need
to maintain two separate copies of this common functionality between the
server and peer implementations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Mathy Vanhoef
d63edfa902 EAP-pwd server: Detect reflection attacks
When processing an EAP-pwd Commit frame, verify that the peer's scalar
and elliptic curve element differ from the one sent by the server. This
prevents reflection attacks where the adversary reflects the scalar and
element sent by the server. (CVE-2019-9497)

The vulnerability allows an adversary to complete the EAP-pwd handshake
as any user. However, the adversary does not learn the negotiated
session key, meaning the subsequent 4-way handshake would fail. As a
result, this cannot be abused to bypass authentication unless EAP-pwd is
used in non-WLAN cases without any following key exchange that would
require the attacker to learn the MSK.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
2019-04-09 17:11:15 +03:00
Mathy Vanhoef
70ff850e89 EAP-pwd server: Verify received scalar and element
When processing an EAP-pwd Commit frame, the peer's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and impersonate any user if the crypto
implementation did not verify the validity of the EC point.

Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9498)

The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
2019-04-09 17:11:15 +03:00
Ervin Oro
a916ff5cd8 Add support for an optional context parameter to TLS exporter
Allow an additional context value to be passed to TLS exporter as
specified in RFC 5705 section 4.

This does not yet implement it for the internal TLS implementation.
However, as currently nothing uses context yet, this will not break
anything right now. WolfSSL maintainers also stated that they are not
going to add context support yet, but would look into it if/when this is
required by a published draft or a standard.

Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
2019-03-16 18:52:09 +02:00
Masashi Honma
1e653daa31 EAP-pwd server: Fix memory leak with salted passwords
The struct hostapd_eap_user changes with a new allocated variable were
not covered in the RADIUS server code. Fix this by using eap_user_free()
instead of custom memory freeing operation in radius_server.c.

The hwsim tests with salted password (ap_wpa2_eap_pwd_salt_sha1,
ap_wpa2_eap_pwd_salt_sha256, ap_wpa2_eap_pwd_salt_sha512) triggered
these memory leaks.

Fixes: d52ead3db7 ("EAP-pwd server: Add support for salted password databases")
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-03-08 16:59:27 +02:00
Jouni Malinen
d05dda61d8 PEAP: Explicitly clear temporary keys from memory when using CMK
The case of PEAPv0 with crypto binding did not clear some of the
temporary keys from stack/heap when those keys were not needed anymore.
Clear those explicitly to avoid unnecessary caching of keying material.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-02 00:01:29 +02:00
Jouni Malinen
4e1cd3468e EAP-PEAP: Derive EMSK and use 128-octet derivation for MSK
Derive EMSK when using EAP-PEAP to enable ERP. In addition, change the
MSK derivation for EAP-PEAP to always derive 128 octets of key material
instead of the 64 octets to cover just the MSK. This is needed with the
PRF used in TLS 1.3 since the output length is mixed into the PRF
context.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-01 23:52:28 +02:00
Jouni Malinen
aae0eece5f EAP-TLS: Update Session-Id derivation with TLS v1.3
Move to the version used in draft-ietf-emu-eap-tls13-03.txt, i.e.,
include the 0x0D prefix and use a different TLS-Exporter() label string.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 18:00:26 +02:00
Jouni Malinen
79fec6a92d EAP: Make method and IMSI available from server structures
Expose EAP method and IMSI from the completed (or ongoing) EAP
authentication session. These are needed for implementing Hotspot 2.0
SIM provisioning.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-14 15:56:16 +02:00
Jouni Malinen
11adf76a71 EAP-TLS server: Update user information based on serial number
This allows EAP user database entries for "cert-<serial number>" to be
used for client certificate based parameters when using EAP-TLS. This
commit addresses only the full authentication case and TLS session
resumption is not yet covered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-03 23:29:56 +02:00
Jouni Malinen
063cbb87a6 EAP server: Add eap_get_serial_num()
This can be used to fetch the serial number of the peer certificate
during TLS-based EAP session.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Jouni Malinen
3a11c69e0d EAP-TLS: Derive Session-Id using TLS-Exporter when TLS v1.3 is used
This updates Session-Id derivation with TLS v1.3 per
draft-ietf-emu-eap-tls13-00.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 17:58:56 +03:00
Jouni Malinen
2d26434ac7 EAP-TLS server: Fix EMSK derivation with TLS v1.3
The new label string for TLS-Exporter was taken into use for MSK
derivation, but it was missed from EMSK deriation in the server side
implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 17:52:18 +03:00
Jouni Malinen
f8aed720e4 EAP-TLS: Update key derivation label per draft-ietf-emu-eap-tls13-00
The label strings used for deriving Key_Material with TLS v1.3 were
changed, so update the implementation to match the new values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 17:41:59 +03:00
Dan Harkins
d52ead3db7 EAP-pwd server: Add support for salted password databases
These changes add support for salted password databases to EAP-pwd per
RFC 8146. This commits introduces the framework for enabling this and
the salting mechanisms based on SHA-1, SHA256, and SHA512 hash
algorithms.

Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:08:51 +03:00
Dan Harkins
2a5c291881 EAP-pwd: Move EC group initialization to earlier step
This is needed for adding support for salted passwords.

Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 17:15:07 +03:00
Jouni Malinen
d267bdf9bd Silence new gcc warnings on switch statement fallthroughs
Reword the comments to make gcc 8.1 recognize these as designed cases
and not trigger implicit-fallthrough warnings.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-15 20:55:17 +03:00
Jouni Malinen
a80423b521 EAP-TLS server: MSK/EMSK derivation with TLS v1.3
Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per
draft-mattsson-eap-tls13-02.txt.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:47:22 +03:00
Jouni Malinen
fe7b06c5e1 EAP-TLS server: Determine whether TLS v1.3 or newer is used
This is needed to be able to handle different key derivation and message
handshakes in EAP implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:44:22 +03:00
Jouni Malinen
c26ac18958 Mark eap_server_tls_derive_key() label argument const
This value is going to be used only with a helper function that takes it
in as a const value, so use the same style here to simplify callers in
upcoming TLS v1.3 changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:43:24 +03:00
Jouni Malinen
34c6949fb7 EAP-TLS server: Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:40:58 +03:00
Jouni Malinen
4526038092 HS 2.0: Terms and Conditions testing feature in authentication server
Allow hostapd RADIUS authentication server with SQLite EAP user DB to be
used for testing Terms and Conditions functionality. This could be used
for the HO AAA part of functionality (merging HO AAA and SP AAA into a
single component to avoid separate RADIUS proxy in testing setup).

A T&C server with HTTPS processing is needed to allow this to be used
for full over-the-air testing. This commit adds sufficient functionality
to allow hwsim test cases to cover the RADIUS server part.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-26 17:56:22 +03:00
Sean Parkinson
04b1bcc5f3 EAP-pwd: Use abstract crypto API
This makes it easier to use EAP-pwd with other crypto libraries than
OpenSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 21:40:21 +02:00
Jouni Malinen
3546ef5104 EAP-pwd: Remove trailing empty line
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-23 17:27:15 +02:00
Michael Baird
5f7c9e50f5 EAP server: Add event messages for more EAP states
While using an external RADIUS server SUCCESS messages were not being
sent (internal was fine). Also add event messages for other states that
others might find useful, and consistency between the two.

Signed-off-by: Michael Baird <Michael.Baird@ecs.vuw.ac.nz>
2017-10-21 20:28:46 +03:00
Jouni Malinen
6418400db9 Add hostapd tls_flags parameter
This can be used to set the TLS flags for authentication server.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
b41d3e0a75 crypto: Process des_encrypt() error returns in callers
This updates all the des_encrypt() callers to handle error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:05 +02:00
Jouni Malinen
7a6c3de23a ERP: Use macro for EMSKname length instead of hardcoded integer value
While RFC 5295 uses "8" as the value to use in the length field in KDF
context when deriving EMSKname, it is clearer to use the macro defining
EMSKname as the value since the KDF design in RFC 5295 encodes the
length of the derived data in octets in that part of the context data.
This change is just making the implementation easier to understand while
not actually changing the behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-03 15:35:21 +02:00
Jouni Malinen
bb3ea71a23 ERP: Fix rIK derivation
Unlike the EMSKname and rRK derivations, rIK derivation is actually
using the "optional data" component in the context data (see RFC 5295).
RFC 6696 defines that optional data to be the cryptosuite field for rIK.
This was missing from the previous implementation and that resulted in
incorrect rIK being derived.

In addition, the rIK Label string does not actually include the "EAP "
prefix in the way as the rRK Label in RFC 6696 does. This would also
have resulted in incorrect rIK value.

Fix rIK derivation by adding the cryptosuite value into the KDF context
data and fixing the label string. This change is not backwards
compatible and breaks all ERP use cases (including FILS shared key
authentication) with older (broken) and new (fixed)
hostapd/wpa_supplicant builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-03 15:34:59 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Jouni Malinen
a6228b8ed6 ERP: Update client identity based on EAP-Initiate/Re-auth
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
53b2555f67 EAP-pwd: Validate Prep field in EAP-pwd-ID/Response
RFC 5931 Section 2.8.5.1 does not list the Prep field as something that
the server validates to match the Request. However, the supplicant side
has to use the same pre-processing mechanism for the password for the
authentication to work, so we may as well as enforce this field to match
the requested value now that wpa_supplicant implementation is fixed to
copy the value from the request.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-10-08 19:43:36 +03:00