Commit graph

506 commits

Author SHA1 Message Date
Jouni Malinen
bbbc7e8016 EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
This may be needed to avoid interoperability issues with the new
protocol version and significant changes for EAP use cases in both key
derivation and handshake termination.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 22:13:38 +03:00
Jouni Malinen
0de820b333 EAP-TLS peer: MSK/EMSK derivation with TLS v1.3
Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per
draft-mattsson-eap-tls13-02.txt.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:53:07 +03:00
Jouni Malinen
1854981c78 EAP-TLS peer: Allow NewSessionTicket after Client Finished with TLS v1.3
The EAP session cannot be marked fully completed on sending Client
Finished with TLS v1.3 since the server may still send NewSessionTicket
before EAP-Success.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:51:34 +03:00
Jouni Malinen
6dd98483eb EAP-TLS peer: Support fragmentation of last message
With TLS v1.3, the Finished message from the client can require
fragmentation. Postpone key derivation and marking of the EAP session
fully completed until all the fragments of that last message are sent to
avoid losing all the subsequent fragments.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:49:19 +03:00
Jouni Malinen
bac1bdba3e EAP-TLS peer: Determine whether TLS v1.3 or newer is used
This is needed to be able to handle different key derivation and message
handshakes in EAP implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 17:45:37 +03:00
Ahmed ElArabawy
45f7574d31 Propagate the EAP method error code
In the current implementation, upon an EAP method failure, followed by
an EAP failure, the EAP Status is propagated up in wpa_supplicant with a
general failure parameter string "failure". This parameter is used for a
notification on the dbus.

This commit reports the EAP method failure error code in a separate
callback.

The solution in this commit is generic to all EAP methods, and can be
used by any method that need to pass its error code. However, this
commit only implements the reporting for EAP-SIM and EAP-AKA methods
where the Notification Code (in AT_NOTIFICATION) is used as the method
specific error code value.

Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
2018-03-31 11:57:33 +03:00
Jouni Malinen
9e834fc648 EAP-SIM/AKA: Separate identity for MK derivation
This allows a separate configuration parameter (imsi_identity) to be
used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK
derivation for the case where the identity is expected to be from the
last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was
not used). This may be needed to avoid sending out an unprotected
permanent identity information over-the-air and if the EAP-SIM/AKA
server ends up using a value based on the real IMSI during the internal
key derivation operation (that does not expose the data to others).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2018-01-21 11:28:53 +02:00
Sean Parkinson
04b1bcc5f3 EAP-pwd: Use abstract crypto API
This makes it easier to use EAP-pwd with other crypto libraries than
OpenSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 21:40:21 +02:00
Vidyullatha Kanchanapally
084131c850 FILS: Allow eap_peer_get_erp_info() to be called without config
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-18 01:19:40 +03:00
Jouni Malinen
2ed70c7586 OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
60ed2f24eb Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-17 00:09:47 +03:00
Akihiro Onodera
84fccc7242 Send Client-Error when AT_KDF attributes from the server are incorrect
After KDF negotiation, must check only requested change occurred in the
list of AT_KDF attributes. If there are any other changes, the peer must
behave like the case that AT_MAC had been incorrect and authentication
is failed. These are defined in EAP-AKA' specification RFC 5448, Section
3.2.

Add a complete check of AT_KDF attributes and send Client-Error if a
change which is not requested is included in it.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>
2017-09-10 20:11:07 +03:00
Akihiro Onodera
446600c354 Add AT_KDF attributes to Synchronization-Failure in EAP-AKA'
AT_KDF attributes need to be included in Synchronization-Failure
according to EAP-AKA' specification RFC 5448.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>
2017-09-10 01:39:37 +03:00
Jouni Malinen
1f2ae8cff5 EAP-TTLS: Fix a memory leak on error paths
The allocated challenge needs to be freed on these error paths as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-07-08 16:21:38 +03:00
Ilan Peer
83e003a913 EAP-TTLS: Fix possible memory leak in eap_ttls_phase2_request_mschap()
The msg buffer needs to be freed on these two error paths.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2017-07-08 16:19:36 +03:00
Ilan Peer
96e595a9f1 EAP-LEAP: Fix possible memory leak in eap_leap_process_request()
Free 'resp' object in case of a failure to derive the response.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2017-07-08 16:14:03 +03:00
Vidyullatha Kanchanapally
2a71673e27 ERP: Derive ERP key only after successful EAP authentication
ERP key was previously derived immediately after the availability of
EMSK and Session-Id and the ERP key hierarchy was saved even if the
authentication resulted in failure eventually. Instead, derive the ERP
key only after a successful EAP authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-23 19:37:14 +03:00
Vidyullatha Kanchanapally
b5db6e5dc4 eap_proxy: Support multiple SIMs in get_imsi()
This allows the eap_proxy mechanism to be used with multiple SIMs by
following the configured sim_num to index which SIM to use for when
fetching the IMSI through eap_proxy.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-06 03:42:32 +03:00
Vidyullatha Kanchanapally
0020876514 eap_proxy: Build realm from IMSI for proxy based EAP methods
For proxy based EAP methods, the EAP identity is constructed in
eap_proxy layer from IMSI when required. Realm information from identity
is used to do ERP eventually, hence construct the realm for proxy based
methods from IMSI in core wpa_supplicant to enable the ERP use case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-06 03:41:23 +03:00
Vidyullatha Kanchanapally
8696e61702 eap_proxy: Add support for deriving ERP information
This commit adds support for deriving ERP key information in EAP Proxy
based EAP method implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-05 08:04:52 +03:00
Vidyullatha Kanchanapally
4aa329298d ERP: Do not generate ERP keys when domain name is not specified
This commit adds changes to not generate ERP information if the domain
name is not specified in the EAP identity. keyName-NAI needs the realm
part and as such, it is reasonable to require the main EAP configuration
to provide that realm.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-22 13:51:23 +03:00
Jouni Malinen
01dd2b1054 ERP: Silence static analyzer warning
The check for erp->keyname_nai within eap_erp_get_key() is apparently
too difficult for some static analyzers to notice. Add an explicit check
for os_strchr() return value being non-NULL to avoid false reports.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-01 22:08:16 +03:00
Vidyullatha Kanchanapally
15def72fab ERP: External control of ERP key information
This allows ERP keys to be managed by external entities, e.g., when
offloading FILS shared key authentication to a driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-07 18:46:13 +03:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
b41d3e0a75 crypto: Process des_encrypt() error returns in callers
This updates all the des_encrypt() callers to handle error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:05 +02:00
Jouni Malinen
76aa318381 EAP: Call deinit_for_reauth() for Phase 2 EAP methods
EAP-TTLS/PEAP/FAST were previously doing this for init_for_reauth(), but
not for deinit_for_reauth(). Add the deinit_for_reauth() call as well to
cover cases like EAP-AKA cleaup of AT_CHECKCODE data.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
02156b98b7 EAP-AKA: Don't use anonymous identity in phase2
This adds the same changes to EAP-AKA that were previous done for
EAP-SIM to allow functionality within an EAP-TTLS/PEAP/FAST tunnel
without causing issues to the phase 1 identity string.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Paul Stewart
9e2afe10e6 EAP-SIM: Don't use anonymous identity in phase2
The "anonymous_identity" configuration field has more than one
semantic meaning. For tunneled EAP methods, this refers to the
outer EAP identity. For EAP-SIM, this refers to the pseudonym
identity. Also, interestingly, EAP-SIM can overwrite the
"anonymous_identity" field if one is provided to it by the
authenticator.

When EAP-SIM is tunneled within an outer method, it makes sense
to only use this value for the outer method, since it's unlikely
that this will also be valid as an identity for the inner EAP-SIM
method. Also, presumably since the outer method protects the
EAP-SIM transaction, there is no need for a pseudonym in this
usage.

Similarly, if EAP-SIM is being used as an inner method, it must
not push the pseudonym identity using eap_set_anon_id() since it
could overwrite the identity for the outer EAP method.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-02-10 19:48:12 +02:00
Paul Stewart
ed9b1c16d5 EAP peer: Cache decrypted requests for EAP-SIM/AKA/AKA'
Add an internal flag which indicates to tunneled EAP methods (FAST,
PEAP, TTLS) that they should cache decrypted EAP-SIM/AKA/AKA' requests.
This allows EAP-SIM/AKA/AKA' to be tunneled within these outer methods
while using an external SIM authenticator over the control interface.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
7a6c3de23a ERP: Use macro for EMSKname length instead of hardcoded integer value
While RFC 5295 uses "8" as the value to use in the length field in KDF
context when deriving EMSKname, it is clearer to use the macro defining
EMSKname as the value since the KDF design in RFC 5295 encodes the
length of the derived data in octets in that part of the context data.
This change is just making the implementation easier to understand while
not actually changing the behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-03 15:35:21 +02:00
Jouni Malinen
bb3ea71a23 ERP: Fix rIK derivation
Unlike the EMSKname and rRK derivations, rIK derivation is actually
using the "optional data" component in the context data (see RFC 5295).
RFC 6696 defines that optional data to be the cryptosuite field for rIK.
This was missing from the previous implementation and that resulted in
incorrect rIK being derived.

In addition, the rIK Label string does not actually include the "EAP "
prefix in the way as the rRK Label in RFC 6696 does. This would also
have resulted in incorrect rIK value.

Fix rIK derivation by adding the cryptosuite value into the KDF context
data and fixing the label string. This change is not backwards
compatible and breaks all ERP use cases (including FILS shared key
authentication) with older (broken) and new (fixed)
hostapd/wpa_supplicant builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-03 15:34:59 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Purushottam Kushwaha
a6f3761f7d eap_proxy: Add support for SIM state change indication from eap_proxy
This registers a new callback to indicate change in SIM state. This
helps to do some clean up (more specifically pmksa_flush) based on the
state change of the SIM. Without this, the reconnection using the cached
PMKSA could happen though the SIM is changed.

Currently eap_proxy_sim_state corresponds to only SIM_STATE_ERROR. This
can be further extended.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:21:07 +02:00
Jouni Malinen
79a54ab9f6 eap_proxy: Fix eap_proxy_init() prototype to use const eapol_cb
The eapol_cb structure was made const and that change resulted in a
compilation warning/error if CONFIG_EAP_PROXY=<name> is enabled in the
wpa_supplicant build configuration. Fix this by updating the function
prototype to match the change.

Note: This results in a change needed to external eap_proxy_*.c
implementations to match the change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:14:07 +02:00
Jouni Malinen
de57d87353 ERP: Make eap_peer_finish() callable
This is needed for FILS to process EAP-Finish/Re-auth.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:26:00 +03:00
Jouni Malinen
c28767e11c ERP: Make eap_peer_erp_reauth_start() available
This needs to be callable through the EAPOL supplicant wrappers to allow
FILS implementation to use ERP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:25:50 +03:00
Jouni Malinen
bf07e05349 ERP: Do not pass full EAP header to eap_peer_erp_reauth_start()
That function does not need the full EAP header -- it only needs to know
which EAP identifier to use in the message. Make this usable for cases
where the previous EAP message may not exist (FILS).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Brian Candler
2875e32333 EAP-pwd: Fix Prep in EAP-pwd-ID/Response when EAP_PWD_PREP_MS is used
Fix the pre-processing field in the response when EAP_PWD_PREP_MS is
being used. This fixes interoperability with EAP-pwd servers that
validate the Prep field in EAP-pwd-ID/Response when the RFC2759
(PasswordHashHash) pre-processing is used.

Signed-off-by: Brian Candler <B.Candler@pobox.com>
2016-10-08 19:43:09 +03:00
Jouni Malinen
205d2d1ff5 Fix typos in wpa_supplicant configuration parameter documentation
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-09-10 21:09:52 +03:00
Jouni Malinen
ac36b133aa TNCC: Mark functions static
These are called through function pointers, so no need to make the
function symbols directly available outside this file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-24 01:38:04 +03:00
David Benjamin
7358170787 TLS: Split tls_connection_prf() into two functions
Most protocols extracting keys from TLS use RFC 5705 exporters which is
commonly implemented in TLS libraries. This is the mechanism used by
EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined
to be compatible with it.)

EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal
key block derivation and derives key material after the key block. This
is uncommon and a misuse of TLS internals, so not all TLS libraries
support this. Instead, we reimplement the PRF for the OpenSSL backend
and don't support it at all in the GnuTLS one.

Since these two are very different operations, split
tls_connection_prf() in two. tls_connection_export_key() implements the
standard RFC 5705 mechanism that we expect most TLS libraries to
support. tls_connection_get_eap_fast_key() implements the
EAP-FAST-specific legacy mechanism which may not be implemented on all
backends but is only used by EAP-FAST.

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 20:40:12 +03:00
Jouni Malinen
9d136b00ac EAP-SAKE: Do not debug print result if eap_sake_compute_mic() fails
This gets rid of a valgrind warning on uninitialized memory read in the
eap_proto_sake_errors test case where the result was used after the
failed eap_sake_compute_mic() call.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-16 22:26:37 +03:00
Jouni Malinen
0884633577 EAP-PAX: Do not debug print result if eap_pax_mac() fails
This gets rid of a valgrind warning on uninitialized memory read in the
eap_proto_pax_errors test case where the result was used after the
failed eap_pax_mac() call.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-16 22:25:25 +03:00
Jouni Malinen
92abe3782f EAP-FAST: Check sha1_t_prf() result in eap_fast_get_cmk()
This gets rid of a valgrind warning on uninitialized memory read in the
eap_proto_fast_errors test case where the result was used after the
failed sha1_t_prf() call.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-16 22:24:01 +03:00
Ilan Peer
b8f02d8baf EAP-PWD peer: Fix possible memory leak on error path
Fix possible memory leak in eap_pwd_perform_commit_exchange().

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-03-03 16:28:41 +02:00
Jouni Malinen
5558b9980f EAP-FAST peer: Remove fixed return value from eap_fast_parse_phase1()
This function was always returning 0, so the error path was unreachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-20 10:07:29 +02:00
Jouni Malinen
d1d8a2bd62 EAP peer: Simplify buildNotify return
There is no need for the local variable and two return statements.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 21:01:41 +02:00
Jouni Malinen
1314bc11cf Clean up EAP peer PCSC identity functions
Leave out more code if PCSC_FUNCS is not defined since config->pcsc != 0
case cannot be used with such a build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 20:51:04 +02:00
Jouni Malinen
e265838a43 EAP-FAST: Fix an error path in PAC binary format parsing
Need to clear the pac pointer for the first error case to avoid freeing
the previous PAC entry if the following entry has an invalid header.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-06 00:26:31 +02:00
Jouni Malinen
269f9d5d10 EAP peer: Use ifdef PCSC_FUNCS to get rid of compiler warnings
clang started warning about the use of || with constants that came from
PCSC_FUNCS not being enabled in the build. It seems to be easier to just
ifdef this block out completely since that has the same outcome for
builds that do not include PC/SC support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:41:30 +02:00
Jouni Malinen
0daa9f6a13 EAP-TTLS peer: Fix success after fragmented final Phase 2 message
If the final Phase 2 message needed fragmentation, EAP method decision
was cleared from UNCOND_SUCC or COND_SUCC to FAIL and that resulted in
the authentication failing when the EAP-Success message from the server
got rejected. Fix this by restoring the EAP method decision after
fragmentation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 13:37:15 +02:00
Jouni Malinen
49a26bb3e3 EAP peer: Simplify EAP method registration call
Free the allocated structure in error cases to remove need for each EAP
method to handle the error cases separately. Each registration function
can simply do "return eap_peer_method_register(eap);" in the end of the
function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 23:30:25 +02:00
Jouni Malinen
7ce5603251 EAP-WSC peer: Remove unused state values
The FRAG_ACK and DONE state were not used at all, so remove them.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 22:09:08 +02:00
Jouni Malinen
7a36f1184e EAP-PAX: Check hmac_sha1_vector() return value
This function can fail at least in theory, so check its return value
before proceeding. This is mainly helping automated test case coverage
to reach some more error paths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-06 21:12:08 +02:00
Jouni Malinen
acc39435ff EAP-PEAP peer: Cryptobinding in fast-reconnect case with inner EAP
This was reported to fail with Windows 2012r2 with "Invalid Compound_MAC
in cryptobinding TLV". It turns out that the server decided to go
through inner EAP method (EAP-MSCHAPv2 in the reported case) even when
using PEAP fast-reconnect. This seems to be against the [MS-PEAP]
specification which claims that inner EAP method is not used in such a
case. This resulted in a different CMK being derived by the server (used
the version that used ISK) and wpa_supplicant (used the version where
IPMK|CMK = TK without ISK when using fast-reconnect).

Fix this interop issue by making wpa_supplicant to use the
fast-reconnect version of CMK derivation only when using TLS session
resumption and the server having not initiated inner EAP method before
going through the cryptobinding exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-05 23:50:50 +02:00
Jouni Malinen
750f5d9964 EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 20:52:58 +02:00
Jouni Malinen
d39f796f43 EAP-TNC peer: Remove dead code related to fragmentation
The data->state == WAIT_FRAG_ACK case is already handling all cases
where data->out_buf could be non-NULL, so this additional check after
the WAIT_FRAG_ACK steps cannot be reached. Remove the duplicated dead
code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 19:16:15 +02:00
Jouni Malinen
abbbaa4997 TNC: Print received IF-TNCCS message as debug ASCII hexdump
This makes it easier to see what TNCC is processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 18:33:19 +02:00
Jouni Malinen
d745f02e0e EAP-TNC peer: Allow fragment_size to be configured
Previously, a fixed 1300 fragment_size was hardcoded. Now the EAP
profile parameter fragment_size can be used to override this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 14:19:23 +02:00
Jouni Malinen
d6b536f7e5 Add ocsp=3 configuration parameter for multi-OCSP
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
cb73008594 EAP-TTLS/PEAP/FAST: Reject unsupported Phase 2 method in configuration
Instead of using default list of methods, reject a configuration with an
unsupported EAP method at the time the main TLS method is being
initialized.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:32:10 +02:00
Jouni Malinen
18704f6cdc EAP-TLS: Merge common error paths
There is no need to keep these identical error paths separate.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:25:41 +02:00
Jouni Malinen
4f5c86e7bd EAP-PEAP peer: Fix a memory leak on an error path
If memory allocation for adding SoH response fails, the SoH response was
not freed properly on the error path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:25:41 +02:00
Jouni Malinen
4b90fcdb76 EAP-PEAP peer: Check SHA1 result when deriving Compond_MAC
This handles a mostly theoretical case where hmac_sha1_vector() might
fail for some reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 20:34:27 +02:00
Jouni Malinen
6560caf2ca EAP-PEAP peer: Remove unused return value and error path
eap_peap_parse_phase1() returned 0 unconditionally, so there was no need
for that return value or the code path that tried to address the error
case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 19:54:56 +02:00
Pali Rohár
f24e48861d EAP-TTLS peer: Fix parsing auth= and autheap= phase2 params
This patch fixes an issue with an invalid phase2 parameter value
auth=MSCHAPv2 getting interpreted as auth=MSCHAP (v1) which could
degrade security (though, only within a protected TLS tunnel). Now when
invalid or unsupported auth= phase2 parameter combinations are
specified, EAP-TTLS initialization throws an error instead of silently
doing something.

More then one auth= phase2 type cannot be specified and also both auth= and
autheap= options cannot be specified.

Parsing phase2 type is case sensitive (as in other EAP parts), so phase2
parameter auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
[Use cstr_token() to get rid of unnecessary allocation; cleanup]
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-18 00:24:30 +02:00
Jouni Malinen
3c108b7573 EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.

By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 18:24:27 +02:00
Jouni Malinen
b6e5e14fd4 EAP-FAST peer: Fix PAC parser error messages
Do not override the parsing error with the "PAC block not terminated
with END" message if the reason for the END line not yet being seen is
in failure to parse an earlier line.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 12:00:28 +02:00
Jouni Malinen
5b904b3e42 EAP-FAST: Check T-PRF result in MSK/EMSK derivation
Pass the error return from sha1_t_prf() to callers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 11:20:05 +02:00
Jouni Malinen
b1d8c5ce6a EAP-FAST peer: Fix error path handling for Session-Id
It was possible to hit a NULL pointer dereference if Session-Id
derivation failed due to a memory allocation failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 11:12:32 +02:00
Jouni Malinen
9ea91cd67c EAP-EKE peer: Fix memory leak on error path
If DHComponent_P derivation fails (local crypto operation failure), the
message buffer was not freed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-01 00:20:25 +02:00
Jouni Malinen
ea52a46e13 EAP-SIM peer: Fix memory leak on reauth error path
If init_for_reauth fails, the EAP-SIM peer state was not freed properly.
Use eap_sim_deinit() to make sure all allocations get freed. This could
be hit only if no random data could be derived for NONCE_MT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:46:36 +02:00
Jouni Malinen
95577884ca EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
8057821706 EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
17b7032891 EAP peer: Clear ignore flag in INITIALIZE state
While this is not part of RFC 4137, the way m.check(eapReqData) is
implemented in wpa_supplicant allows an EAP method to not update the
ignore value even though each such call is really supposed to get a new
response. It seems to be possible to hit a sequence where a previous EAP
authentication attempt terminates with sm->ignore set from the last
m.check() call and the following EAP authentication attempt could fail
to go through the expected code path if it does not clear the ignore
flag. This is likely only hit in some error cases, though. The hwsim
test cases could trigger this with the following sequence:
eap_proto_ikev2 ap_wps_m1_oom

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 21:56:59 +02:00
Jouni Malinen
3991cb7b3c EAP-IKEv2 peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
72bb05a033 EAP-FAST peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
5882c011d6 EAP-WSC peer: Reject connection on unexpected failure
Previously, the EAP-WSC peer state machine ended up just ignoring an
error and waiting for a new message from the AP. This is not going to
recover the exchange, so simply force the connection to terminate
immediately.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-30 18:37:44 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
4549607b04 EAP-pwd peer: Comment out MS password hash if CONFIG_FIPS=y
The needed hash functions are not available in FIPS mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
1046db8b53 Rename tls_connection_get_keys() to tls_connection_get_random()
Commit 94f1fe6f63 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
835c89a16b EAP-TTLS: Disable CHAP, MSCHAP, and MSCHAPV2 in CONFIG_FIPS=y builds
FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 21:07:44 +03:00
Jouni Malinen
125bbef0e7 EAP peer: Replace MD5 with SHA1 in duplicate message workaround
MD5 is not available in CONFIG_FIPS=y builds, so use SHA1 for the EAP
peer workaround that tries to detect more robustly whether a duplicate
message was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 16:57:04 +03:00
Jouni Malinen
3947997dcc EAP-TLS/TTLS/PEAP/FAST peer: Stop connection more quickly on local failure
If there is only zero-length buffer of output data in error case, mark
that as an immediate failure instead of trying to report that
non-existing error report to the server. This allows faster connection
termination in cases where a non-recoverable error occurs in local TLS
processing, e.g., if none of the configured ciphers are available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:18 +03:00
Jouni Malinen
bb91243047 EAP-TTLS/PEAP/FAST peer: Stop immediately on local TLS processing failure
EAP-TLS was already doing this, but the other TLS-based EAP methods did
not mark methodState DONE and decision FAIL on local TLS processing
errors (instead, they left the connection waiting for a longer timeout).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:18 +03:00
Jouni Malinen
fe1bf32974 Make TLS version number available in STATUS command
This adds a new STATUS command field "eap_tls_version" that shows the
TLS version number that was used during EAP-TLS/TTLS/PEAP/FAST exchange.
For now, this is only supported with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:51:03 +03:00
Jouni Malinen
5650d379a3 OpenSSL: Add option to disable use of TLSv1.0
The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be
used to disable use of TLSv1.0 for a network configuration. This can be
used to force a newer TLS version to be used. For example,
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that
only TLS v1.2 is accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:27:57 +03:00
Mike Gerow
471c810bc1 pkcs11: Don't ask for a new PIN on TLS handshake failure
The only time the PIN should fail is when we initialize the TLS
connection, so it doesn't really make sense to get rid of the PIN just
because some other part of the handshake failed.

This is a followup to commit fd4fb28179
('OpenSSL: Try to ensure we don't throw away the PIN unnecessarily').

Signed-off-by: Mike Gerow <gerow@google.com>
2015-07-07 19:25:31 +03:00
Jouni Malinen
e9ed7d9898 EAP-TTLS: Avoid ubsan warning on 0x80<<24 not fitting in int
Use a typecast to make this unsigned so that the MSB fits within the
range of allowed values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-07 16:25:06 +03:00
Jouni Malinen
597e8afeb4 ERP: Avoid mixing of enum types
Use explicit typecasting to avoid implicit conversion warnings in cases
where enum eap_erp_type is used in functions taking an EapType argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-07 16:25:06 +03:00
Jouni Malinen
33ba27d387 EAP-FAST peer: Stop immediately on key derivation failure
If key derivation fails, there is no point in trying to continue
authentication. In theory, this could happen if memory allocation during
TLS PRF fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-19 01:23:24 +03:00
Jouni Malinen
ca24117a5a EAP-EKE: Add Session-Id
While RFC 6124 does not define how Session-Id is constructed for
EAP-EKE, there seems to be consensus among the authors on the
construction. Use this Type | Nonce_P | Nonce_S construction based on
the following email:

 From: Yaron Sheffer <yaronf.ietf at gmail.com>
 To: ietf at ietf.org
 Date: Wed, 17 Nov 2010 13:13:42 +0200

Expanding on my previous response, I suggest to resolve Bernard's
concern by adding the following text:

5.6 EAP Key Generation

EAP-EKE can be used for EAP key generation, as defined by [RFC 5247].
When used in this manner, the values required to establish the key
hierarchy are defined as follows:

- Peer-Id is the EAP-EKE ID_P value.
- Server-Id is the EAP-EKE ID_S value.
- Session-Id is the concatenated Type | Nonce_P | Nonce_S, where Type is
  the method type defined for EAP-EKE in [Sec. 4.1], a single octet.

Thanks,
	Yaron

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-24 11:58:45 +03:00
Jouni Malinen
6aa5d95dab EAP-pwd peer: Make sure in_frag_pos is cleared to zero on allocation
The cleanup code will handle this, but it is more robust to make sure
this is cleared to zero when allocating a new buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
28a069a545 EAP-pwd peer: Fix asymmetric fragmentation behavior
The L (Length) and M (More) flags needs to be cleared before deciding
whether the locally generated response requires fragmentation. This
fixes an issue where these flags from the server could have been invalid
for the following message. In some cases, this could have resulted in
triggering the wpabuf security check that would terminate the process
due to invalid buffer allocation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
477c74395a EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
dd2f043c9c EAP-pwd peer: Fix payload length validation for Commit and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
ff4a6d4382 EAP-SIM/AKA: Explicitly check for header to include Reserved field
This was previously checked as part of the eap_sim_parse_attr()
processing, but it is easier to review the code if there is an
additional explicit check for confirming that the Reserved field is
present since the pos variable is advanced beyond it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:33:03 +03:00
Jouni Malinen
0dfb7be470 EAP-SAKE: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:46 +03:00
Jouni Malinen
87fcb5a735 EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation
The req_plen argument to eap_pax_process_std_1() and
eap_pax_process_std_3() could be smaller than sizeof(struct eap_pax_hdr)
since the main processing function was only verifying that there is
enough room for the ICV and then removed ICV length from the remaining
payload length.

In theory, this could have resulted in the size_t left parameter being
set to a negative value that would be interpreted as a huge positive
integer. That could then result in a small buffer read overflow and
process termination if MSGDUMP debug verbosity was in use.

In practice, it does not seem to be feasible to construct a short
message that would be able to pass the ICV validation (calculated using
HMAC-SHA1-128) even for the case where an empty password is used.
Anyway, the implementation should really check the length explicitly
instead of depending on implicit check through ICV validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:36 +03:00
Jouni Malinen
c3c5615ee0 EAP-GPSK: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:28 +03:00
Jouni Malinen
d36c803c69 EAP-TLS/PEAP/TTLS/FAST: Move more towards using struct wpabuf
The EAP-TLS-based helper functions can easily use struct wpabuf in more
places, so continue cleanup in that direction by replacing separate
pointer and length arguments with a single struct wpabuf argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:23 +03:00
Jouni Malinen
8d9f3b8ed6 EAP-FAST: Do not use type cast to remove const specification
All the uses here are read only, so there is no need to type case the
const specification away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:19 +03:00
Jouni Malinen
07f9034d14 EAP-FAST: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:10 +03:00
Jouni Malinen
f153e41bb2 EAP-EKE: Do not pass full request to eap_eke_build_fail()
This function is only using the Identifier field from the EAP request
header, so there is no need to pass it a pointer to the full message.
This makes it a bit easier to analyze the area that gets access to
unverified message payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:05 +03:00
Mikael Kanstrup
8b423edbd3 Declare all read only data structures as const
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-04-25 17:33:06 +03:00
Mike Gerow
fd4fb28179 OpenSSL: Try to ensure we don't throw away the PIN unnecessarily
Now on an engine error we decode the error value and determine if the
issue is due to a true PIN error or not. If it is due to incorrrect PIN,
delete the PIN as usual, but if it isn't let the PIN be.

Signed-off-by: Mike Gerow <gerow@google.com>
2015-04-25 16:05:50 +03:00
Jouni Malinen
46c3befe24 tests: Add eapol-fuzzer
This program can be used to run fuzzing tests for areas related to EAPOL
frame parsing and processing on the supplicant side.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:19 +03:00
Jouni Malinen
a867082cb8 EAP peer: Use 32-bit EAP method type for Phase 2 processing
This is a step towards enabling expanded EAP header within Phase 2 EAP
methods.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:57:11 +03:00
Jouni Malinen
af851914f8 Make tls_connection_get_keyblock_size() internal to tls_*.c
This function exposes internal state of the TLS negotiated parameters
for the sole purpose of being able to implement PRF for EAP-FAST. Since
tls_connection_prf() is now taking care of all TLS-based key derivation
cases, it is cleaner to keep this detail internal to each tls_*.c
wrapper implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:56:54 +03:00
Jouni Malinen
fa0e715100 Use tls_connection_prf() for all EAP TLS-based key derivation
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:47:32 +03:00
Jouni Malinen
3e808b831c EAP-pwd peer: Add support for hashed password
This extends EAP-pwd peer support to allow NtHash version of password
storage in addition to full plaintext password. In addition, this allows
the server to request hashed version even if the plaintext password is
available on the client. Furthermore, unsupported password preparation
requests are now rejected rather than allowing the authentication
attempt to continue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:43:33 +02:00
Sunil Dutt
dd5c155e2e eap_proxy: Callback to notify any updates from eap_proxy
This commit introduces a callback to notify any configuration updates
from the eap_proxy layer. This is used to trigger re-reading of IMSI and
MNC length.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-02 12:47:20 +02:00
Jouni Malinen
7f7bfba919 Add an option allow canned EAP-Success for wired IEEE 802.1X
For wired IEEE 802.1X authentication, phase1="allow_canned_success=1"
can now be used to configure a mode that allows EAP-Success (and
EAP-Failure) without going through authentication step. Some switches
use such sequence when forcing the port to be authorized/unauthorized or
as a fallback option if the authentication server is unreachable. By
default, wpa_supplicant discards such frames to protect against
potential attacks by rogue devices, but this option can be used to
disable that protection for cases where the server/authenticator does
not need to be authenticated.

When enabled, this mode allows EAP-Success/EAP-Failure as an immediate
response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is
also allowed immediately after EAP-Identity exchange (fallback case for
authenticator not being able to connect to authentication server).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-01 19:22:54 +02:00
Jouni Malinen
49fcc32e91 EAP-MSCHAPv2 peer: Add option to disable password retry query
wpa_supplicant used to request user to re-enter username/password if the
server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2)
authentication failed (E=691), but retry is allowed (R=1). This is a
reasonable default behavior, but there may be cases where it is more
convenient to close the authentication session immediately rather than
wait for user to do something.

Add a new "mschapv2_retry=0" option to the phase2 field to allow the
retry behavior to be disabled. This will make wpa_supplicant abort
authentication attempt on E=691 regardless of whether the server allows
retry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-01 17:45:19 +02:00
Jouni Malinen
467775c5ac tests: Pending EAP peer processing with VENDOR-TEST
This extends the VENDOR-TEST EAP method peer implementation to allow
pending processing case to be selected at run time. The
ap_wpa2_eap_vendor_test test case is similarly extended to include this
option as the second case for full coverage.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-28 13:09:31 +02:00
Ben
9bd0273931 EAP: Fix possible memory leak in eap_ttls_process_decrypted()
In case eap_peer_tls_encrypt() fails in eap_ttls_process_decrypted(),
free resp memory.

Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
2015-01-20 02:13:15 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
e24aef10cf Fix a typo in domain_suffix_match documentation
Spell SubjectName correctly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
394b54732e Improve subject_match and domain_suffix_match documentation
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
8779ac8a67 EAP-IKEv2: Fix a typo in a debug message
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 13:19:14 +02:00
Jouni Malinen
bb68a6e3cc EAP-IKEv2 peer: Fix fragmentation reassembly
ret->ignore needs to be cleared to FALSE when sending fragment ack
message to avoid ignoring the fragment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 00:48:24 +02:00
Jouni Malinen
8e5c1ec32f EAP-IKEv2: Add explicit limit for maximum message length
This avoids accepting unnecessarily large memory allocations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 00:25:16 +02:00
Jouni Malinen
ce460118a8 ERP: Drop ERP keys on failure on the peer
This allows recovery through fallback to full EAP authentication if the
server rejects us, e.g., due to having dropped ERP state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 15:47:04 +02:00
Jouni Malinen
b90d064f1a Add tls_session_reused=<0/1> into EAP peer TLS status
This can be used to determine whether the last TLS-based EAP
authentication instance re-used a previous session (e.g., TLS session
resumption or EAP-FAST session ticket).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:41:09 +02:00
Jouni Malinen
d4913c585e OpenSSL: Fix EAP-FAST peer regression
Commit 35efa2479f ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.

Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
1f102d3bb0 Check os_snprintf() result more consistently - manual
This converts os_snprintf() result validation cases to use
os_snprintf_error() for cases that were note covered by spatch and
semantic patches.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
faebdeaa9e Use os_calloc() instead of os_zalloc()
Automatic changes with spatch using the following semantic patch:

@@
constant C;
type T;
@@

- os_zalloc(C*sizeof(T))
+ os_calloc(C,sizeof(T))

@@
expression E;
type T;
@@

- os_zalloc((E)*sizeof(T))
+ os_calloc(E,sizeof(T))

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
56b352ec58 ERP: Avoid a static analyzer warning on uninitialized emsk_len
This was not really a real issue since bin_clear_free() would not use
the emsk_len argument when emsk is NULL as it would be on the path where
emsk_len has not been initilized. Anyway, it is better to get rid of the
warning.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 00:33:31 +02:00
Jouni Malinen
65d9a5e254 ERP: Add wpa_supplicant ERP_FLUSH ctrl_iface command
This can be used to flush all the ERP keys.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Jouni Malinen
02a8d45ace ERP: Add support for ERP on EAP peer
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant
network configuration parameter erp=1 can now be used to configure the
EAP peer to derive EMSK, rRK, and rIK at the successful completion of an
EAP authentication method. This functionality is not included in the
default build and can be enabled with CONFIG_ERP=y.

If EAP authenticator indicates support for re-authentication protocol,
initiate this with EAP-Initiate/Re-auth and complete protocol when
receiving EAP-Finish/Re-auth.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Jouni Malinen
92e3c0b14c EAP-PAX: Derive EAP Session-Id
This adds EAP-PAX server and peer method functions for deriving
Session-Id from Method-Id per RFC 4746 and RFC 5247.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-01 01:46:07 +02:00
Jouni Malinen
a7bec9e7b2 EAP-TTLS: Add support for deriving EMSK
This extends EAP-TTLS server and peer implementations to support EMSK
derivation per RFC 5281.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-01 01:28:19 +02:00
Jouni Malinen
d68f74c5ff EAP peer: Clean up TLS Session-Id derivation function
The comment about library not supporting Session-Id derivation was not
accurate and there is no need to check for master key that is not used
as part of derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:53:11 +02:00
Jouni Malinen
adf96fb66b WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
d36f416926 EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
c4de71cec5 EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
364182a80f EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
453553698c EAP-pwd: Remove unnecessary OpenSSL EVP_sha256() registration
This gets registered in tls_openssl.c from tls_init(), so there is no
need for EAP-pwd implementation to register explicitly. This avoids some
corner cases where OpenSSL resources do not get fully freed on exit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:20:10 +02:00
Jouni Malinen
07e2de3193 wpa_supplicant: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled for TLS-based EAP methods when
OpenSSL is used as the TLS library. This parameter can be used both as a
global parameter to set the default for all network blocks and as a
network block parameter to override the default for each network
profile.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:55:13 +03:00
Jouni Malinen
27a725cf74 EAP: Do not allow fast session resumption with different network block
This forces EAP peer implementation to drop any possible fast resumption
data if the network block for the current connection is not the same as
the one used for the previous one. This allows different network blocks
to be used with non-matching parameters to enforce different rules even
if the same authentication server is used. For example, this allows
different CA trust rules to be enforced with different ca_cert
parameters which can prevent EAP-TTLS Phase 2 from being used based on
TLS session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-26 19:39:13 +03:00
Jouni Malinen
1f1fe195cd EAP-pwd: Clear identity string and temporary buffer explicitly
Use an explicit memset call to clear any configuration parameter and
dynamic data that contains private information like keys or identity.
This brings in an additional layer of protection by reducing the length
of time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-24 20:12:57 +03:00
Florent Daigniere
f119d66942 EAP-pwd: Verify BN_rand_range return code
This makes the EAP-pwd server and peer implementations more robust
should OpenSSL fail to derive random number for some reason. While this
is unlikely to happen in practice, the implementation better be prepared
for this should something unexpected ever happen. See
http://jbp.io/2014/01/16/openssl-rand-api/#review-of-randbytes-callers
for more details.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:42:44 +03:00
Florent Daigniere
5197f0335c EAP-pwd: Use os_memcmp_const() for hash comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:39:44 +03:00
Florent Daigniere
26c10f797c OpenSSL: Use EC_POINT_clear_free instead of EC_POINT_free
This changes OpenSSL calls to explicitly clear the EC_POINT memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:35:07 +03:00
Florent Daigniere
3248071dc3 OpenSSL: Use BN_clear_free instead of BN_free
This changes OpenSSL calls to explicitly clear the bignum memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:28:39 +03:00
Dmitry Shmidt
870dfe9932 EAP-TTLS: Remove FreeRADIUS workaround for EAP-TTLS/MSCHAPv2
FreeRADIUS releases before 1.1.4 did not send MS-CHAP2-Success in
EAP-TTLS/MSCHAPv2. A wpa_supplicant workaround for that was added in
2005 and it has been enabled by default to avoid interoperability
issues. This could be disabled with all other EAP workarounds
(eap_workaround=0). However, that will disable some workarounds that are
still needed with number of authentication servers.

Old FreeRADIUS versions should not be in use anymore, so it makes sense
to remove this EAP-TTLS/MSCHAPv2 workaround completely to get more
complete validation of server behavior. This allows MSCHAPv2 to verify
that the server knows the password instead of relying only on the TLS
certificate validation.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-07-20 10:20:24 +03:00
Jouni Malinen
f534ee0804 EAP peer: Clear keying material on deinit
Reduce the amount of time keying material (MSK, EMSK, temporary private
data) remains in memory in EAP methods. This provides additional
protection should there be any issues that could expose process memory
to external observers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
19c48da06b Clear wpa_supplicant configuration keys explicitly
Use an explicit memset call to clear any wpa_supplicant configuration
parameter that contains private information like keys or identity. This
brings in an additional layer of protection by reducing the length of
time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00