Commit graph

506 commits

Author SHA1 Message Date
Jouni Malinen
0daa9f6a13 EAP-TTLS peer: Fix success after fragmented final Phase 2 message
If the final Phase 2 message needed fragmentation, EAP method decision
was cleared from UNCOND_SUCC or COND_SUCC to FAIL and that resulted in
the authentication failing when the EAP-Success message from the server
got rejected. Fix this by restoring the EAP method decision after
fragmentation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 13:37:15 +02:00
Jouni Malinen
49a26bb3e3 EAP peer: Simplify EAP method registration call
Free the allocated structure in error cases to remove need for each EAP
method to handle the error cases separately. Each registration function
can simply do "return eap_peer_method_register(eap);" in the end of the
function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 23:30:25 +02:00
Jouni Malinen
7ce5603251 EAP-WSC peer: Remove unused state values
The FRAG_ACK and DONE state were not used at all, so remove them.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 22:09:08 +02:00
Jouni Malinen
7a36f1184e EAP-PAX: Check hmac_sha1_vector() return value
This function can fail at least in theory, so check its return value
before proceeding. This is mainly helping automated test case coverage
to reach some more error paths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-06 21:12:08 +02:00
Jouni Malinen
acc39435ff EAP-PEAP peer: Cryptobinding in fast-reconnect case with inner EAP
This was reported to fail with Windows 2012r2 with "Invalid Compound_MAC
in cryptobinding TLV". It turns out that the server decided to go
through inner EAP method (EAP-MSCHAPv2 in the reported case) even when
using PEAP fast-reconnect. This seems to be against the [MS-PEAP]
specification which claims that inner EAP method is not used in such a
case. This resulted in a different CMK being derived by the server (used
the version that used ISK) and wpa_supplicant (used the version where
IPMK|CMK = TK without ISK when using fast-reconnect).

Fix this interop issue by making wpa_supplicant to use the
fast-reconnect version of CMK derivation only when using TLS session
resumption and the server having not initiated inner EAP method before
going through the cryptobinding exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-05 23:50:50 +02:00
Jouni Malinen
750f5d9964 EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 20:52:58 +02:00
Jouni Malinen
d39f796f43 EAP-TNC peer: Remove dead code related to fragmentation
The data->state == WAIT_FRAG_ACK case is already handling all cases
where data->out_buf could be non-NULL, so this additional check after
the WAIT_FRAG_ACK steps cannot be reached. Remove the duplicated dead
code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 19:16:15 +02:00
Jouni Malinen
abbbaa4997 TNC: Print received IF-TNCCS message as debug ASCII hexdump
This makes it easier to see what TNCC is processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 18:33:19 +02:00
Jouni Malinen
d745f02e0e EAP-TNC peer: Allow fragment_size to be configured
Previously, a fixed 1300 fragment_size was hardcoded. Now the EAP
profile parameter fragment_size can be used to override this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 14:19:23 +02:00
Jouni Malinen
d6b536f7e5 Add ocsp=3 configuration parameter for multi-OCSP
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
cb73008594 EAP-TTLS/PEAP/FAST: Reject unsupported Phase 2 method in configuration
Instead of using default list of methods, reject a configuration with an
unsupported EAP method at the time the main TLS method is being
initialized.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:32:10 +02:00
Jouni Malinen
18704f6cdc EAP-TLS: Merge common error paths
There is no need to keep these identical error paths separate.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:25:41 +02:00
Jouni Malinen
4f5c86e7bd EAP-PEAP peer: Fix a memory leak on an error path
If memory allocation for adding SoH response fails, the SoH response was
not freed properly on the error path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:25:41 +02:00
Jouni Malinen
4b90fcdb76 EAP-PEAP peer: Check SHA1 result when deriving Compond_MAC
This handles a mostly theoretical case where hmac_sha1_vector() might
fail for some reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 20:34:27 +02:00
Jouni Malinen
6560caf2ca EAP-PEAP peer: Remove unused return value and error path
eap_peap_parse_phase1() returned 0 unconditionally, so there was no need
for that return value or the code path that tried to address the error
case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 19:54:56 +02:00
Pali Rohár
f24e48861d EAP-TTLS peer: Fix parsing auth= and autheap= phase2 params
This patch fixes an issue with an invalid phase2 parameter value
auth=MSCHAPv2 getting interpreted as auth=MSCHAP (v1) which could
degrade security (though, only within a protected TLS tunnel). Now when
invalid or unsupported auth= phase2 parameter combinations are
specified, EAP-TTLS initialization throws an error instead of silently
doing something.

More then one auth= phase2 type cannot be specified and also both auth= and
autheap= options cannot be specified.

Parsing phase2 type is case sensitive (as in other EAP parts), so phase2
parameter auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
[Use cstr_token() to get rid of unnecessary allocation; cleanup]
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-18 00:24:30 +02:00
Jouni Malinen
3c108b7573 EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.

By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 18:24:27 +02:00
Jouni Malinen
b6e5e14fd4 EAP-FAST peer: Fix PAC parser error messages
Do not override the parsing error with the "PAC block not terminated
with END" message if the reason for the END line not yet being seen is
in failure to parse an earlier line.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 12:00:28 +02:00
Jouni Malinen
5b904b3e42 EAP-FAST: Check T-PRF result in MSK/EMSK derivation
Pass the error return from sha1_t_prf() to callers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 11:20:05 +02:00
Jouni Malinen
b1d8c5ce6a EAP-FAST peer: Fix error path handling for Session-Id
It was possible to hit a NULL pointer dereference if Session-Id
derivation failed due to a memory allocation failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 11:12:32 +02:00
Jouni Malinen
9ea91cd67c EAP-EKE peer: Fix memory leak on error path
If DHComponent_P derivation fails (local crypto operation failure), the
message buffer was not freed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-01 00:20:25 +02:00
Jouni Malinen
ea52a46e13 EAP-SIM peer: Fix memory leak on reauth error path
If init_for_reauth fails, the EAP-SIM peer state was not freed properly.
Use eap_sim_deinit() to make sure all allocations get freed. This could
be hit only if no random data could be derived for NONCE_MT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:46:36 +02:00
Jouni Malinen
95577884ca EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
8057821706 EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
17b7032891 EAP peer: Clear ignore flag in INITIALIZE state
While this is not part of RFC 4137, the way m.check(eapReqData) is
implemented in wpa_supplicant allows an EAP method to not update the
ignore value even though each such call is really supposed to get a new
response. It seems to be possible to hit a sequence where a previous EAP
authentication attempt terminates with sm->ignore set from the last
m.check() call and the following EAP authentication attempt could fail
to go through the expected code path if it does not clear the ignore
flag. This is likely only hit in some error cases, though. The hwsim
test cases could trigger this with the following sequence:
eap_proto_ikev2 ap_wps_m1_oom

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 21:56:59 +02:00
Jouni Malinen
3991cb7b3c EAP-IKEv2 peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
72bb05a033 EAP-FAST peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
5882c011d6 EAP-WSC peer: Reject connection on unexpected failure
Previously, the EAP-WSC peer state machine ended up just ignoring an
error and waiting for a new message from the AP. This is not going to
recover the exchange, so simply force the connection to terminate
immediately.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-30 18:37:44 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
4549607b04 EAP-pwd peer: Comment out MS password hash if CONFIG_FIPS=y
The needed hash functions are not available in FIPS mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
1046db8b53 Rename tls_connection_get_keys() to tls_connection_get_random()
Commit 94f1fe6f63 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
835c89a16b EAP-TTLS: Disable CHAP, MSCHAP, and MSCHAPV2 in CONFIG_FIPS=y builds
FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 21:07:44 +03:00
Jouni Malinen
125bbef0e7 EAP peer: Replace MD5 with SHA1 in duplicate message workaround
MD5 is not available in CONFIG_FIPS=y builds, so use SHA1 for the EAP
peer workaround that tries to detect more robustly whether a duplicate
message was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 16:57:04 +03:00
Jouni Malinen
3947997dcc EAP-TLS/TTLS/PEAP/FAST peer: Stop connection more quickly on local failure
If there is only zero-length buffer of output data in error case, mark
that as an immediate failure instead of trying to report that
non-existing error report to the server. This allows faster connection
termination in cases where a non-recoverable error occurs in local TLS
processing, e.g., if none of the configured ciphers are available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:18 +03:00
Jouni Malinen
bb91243047 EAP-TTLS/PEAP/FAST peer: Stop immediately on local TLS processing failure
EAP-TLS was already doing this, but the other TLS-based EAP methods did
not mark methodState DONE and decision FAIL on local TLS processing
errors (instead, they left the connection waiting for a longer timeout).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:18 +03:00
Jouni Malinen
fe1bf32974 Make TLS version number available in STATUS command
This adds a new STATUS command field "eap_tls_version" that shows the
TLS version number that was used during EAP-TLS/TTLS/PEAP/FAST exchange.
For now, this is only supported with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:51:03 +03:00
Jouni Malinen
5650d379a3 OpenSSL: Add option to disable use of TLSv1.0
The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be
used to disable use of TLSv1.0 for a network configuration. This can be
used to force a newer TLS version to be used. For example,
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that
only TLS v1.2 is accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:27:57 +03:00
Mike Gerow
471c810bc1 pkcs11: Don't ask for a new PIN on TLS handshake failure
The only time the PIN should fail is when we initialize the TLS
connection, so it doesn't really make sense to get rid of the PIN just
because some other part of the handshake failed.

This is a followup to commit fd4fb28179
('OpenSSL: Try to ensure we don't throw away the PIN unnecessarily').

Signed-off-by: Mike Gerow <gerow@google.com>
2015-07-07 19:25:31 +03:00
Jouni Malinen
e9ed7d9898 EAP-TTLS: Avoid ubsan warning on 0x80<<24 not fitting in int
Use a typecast to make this unsigned so that the MSB fits within the
range of allowed values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-07 16:25:06 +03:00
Jouni Malinen
597e8afeb4 ERP: Avoid mixing of enum types
Use explicit typecasting to avoid implicit conversion warnings in cases
where enum eap_erp_type is used in functions taking an EapType argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-07 16:25:06 +03:00
Jouni Malinen
33ba27d387 EAP-FAST peer: Stop immediately on key derivation failure
If key derivation fails, there is no point in trying to continue
authentication. In theory, this could happen if memory allocation during
TLS PRF fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-19 01:23:24 +03:00
Jouni Malinen
ca24117a5a EAP-EKE: Add Session-Id
While RFC 6124 does not define how Session-Id is constructed for
EAP-EKE, there seems to be consensus among the authors on the
construction. Use this Type | Nonce_P | Nonce_S construction based on
the following email:

 From: Yaron Sheffer <yaronf.ietf at gmail.com>
 To: ietf at ietf.org
 Date: Wed, 17 Nov 2010 13:13:42 +0200

Expanding on my previous response, I suggest to resolve Bernard's
concern by adding the following text:

5.6 EAP Key Generation

EAP-EKE can be used for EAP key generation, as defined by [RFC 5247].
When used in this manner, the values required to establish the key
hierarchy are defined as follows:

- Peer-Id is the EAP-EKE ID_P value.
- Server-Id is the EAP-EKE ID_S value.
- Session-Id is the concatenated Type | Nonce_P | Nonce_S, where Type is
  the method type defined for EAP-EKE in [Sec. 4.1], a single octet.

Thanks,
	Yaron

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-24 11:58:45 +03:00
Jouni Malinen
6aa5d95dab EAP-pwd peer: Make sure in_frag_pos is cleared to zero on allocation
The cleanup code will handle this, but it is more robust to make sure
this is cleared to zero when allocating a new buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
28a069a545 EAP-pwd peer: Fix asymmetric fragmentation behavior
The L (Length) and M (More) flags needs to be cleared before deciding
whether the locally generated response requires fragmentation. This
fixes an issue where these flags from the server could have been invalid
for the following message. In some cases, this could have resulted in
triggering the wpabuf security check that would terminate the process
due to invalid buffer allocation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
477c74395a EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
dd2f043c9c EAP-pwd peer: Fix payload length validation for Commit and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
ff4a6d4382 EAP-SIM/AKA: Explicitly check for header to include Reserved field
This was previously checked as part of the eap_sim_parse_attr()
processing, but it is easier to review the code if there is an
additional explicit check for confirming that the Reserved field is
present since the pos variable is advanced beyond it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:33:03 +03:00
Jouni Malinen
0dfb7be470 EAP-SAKE: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:46 +03:00
Jouni Malinen
87fcb5a735 EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation
The req_plen argument to eap_pax_process_std_1() and
eap_pax_process_std_3() could be smaller than sizeof(struct eap_pax_hdr)
since the main processing function was only verifying that there is
enough room for the ICV and then removed ICV length from the remaining
payload length.

In theory, this could have resulted in the size_t left parameter being
set to a negative value that would be interpreted as a huge positive
integer. That could then result in a small buffer read overflow and
process termination if MSGDUMP debug verbosity was in use.

In practice, it does not seem to be feasible to construct a short
message that would be able to pass the ICV validation (calculated using
HMAC-SHA1-128) even for the case where an empty password is used.
Anyway, the implementation should really check the length explicitly
instead of depending on implicit check through ICV validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:36 +03:00
Jouni Malinen
c3c5615ee0 EAP-GPSK: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:28 +03:00
Jouni Malinen
d36c803c69 EAP-TLS/PEAP/TTLS/FAST: Move more towards using struct wpabuf
The EAP-TLS-based helper functions can easily use struct wpabuf in more
places, so continue cleanup in that direction by replacing separate
pointer and length arguments with a single struct wpabuf argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:23 +03:00
Jouni Malinen
8d9f3b8ed6 EAP-FAST: Do not use type cast to remove const specification
All the uses here are read only, so there is no need to type case the
const specification away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:19 +03:00
Jouni Malinen
07f9034d14 EAP-FAST: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:10 +03:00
Jouni Malinen
f153e41bb2 EAP-EKE: Do not pass full request to eap_eke_build_fail()
This function is only using the Identifier field from the EAP request
header, so there is no need to pass it a pointer to the full message.
This makes it a bit easier to analyze the area that gets access to
unverified message payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:05 +03:00
Mikael Kanstrup
8b423edbd3 Declare all read only data structures as const
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-04-25 17:33:06 +03:00
Mike Gerow
fd4fb28179 OpenSSL: Try to ensure we don't throw away the PIN unnecessarily
Now on an engine error we decode the error value and determine if the
issue is due to a true PIN error or not. If it is due to incorrrect PIN,
delete the PIN as usual, but if it isn't let the PIN be.

Signed-off-by: Mike Gerow <gerow@google.com>
2015-04-25 16:05:50 +03:00
Jouni Malinen
46c3befe24 tests: Add eapol-fuzzer
This program can be used to run fuzzing tests for areas related to EAPOL
frame parsing and processing on the supplicant side.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:19 +03:00
Jouni Malinen
a867082cb8 EAP peer: Use 32-bit EAP method type for Phase 2 processing
This is a step towards enabling expanded EAP header within Phase 2 EAP
methods.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:57:11 +03:00
Jouni Malinen
af851914f8 Make tls_connection_get_keyblock_size() internal to tls_*.c
This function exposes internal state of the TLS negotiated parameters
for the sole purpose of being able to implement PRF for EAP-FAST. Since
tls_connection_prf() is now taking care of all TLS-based key derivation
cases, it is cleaner to keep this detail internal to each tls_*.c
wrapper implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:56:54 +03:00
Jouni Malinen
fa0e715100 Use tls_connection_prf() for all EAP TLS-based key derivation
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:47:32 +03:00
Jouni Malinen
3e808b831c EAP-pwd peer: Add support for hashed password
This extends EAP-pwd peer support to allow NtHash version of password
storage in addition to full plaintext password. In addition, this allows
the server to request hashed version even if the plaintext password is
available on the client. Furthermore, unsupported password preparation
requests are now rejected rather than allowing the authentication
attempt to continue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:43:33 +02:00
Sunil Dutt
dd5c155e2e eap_proxy: Callback to notify any updates from eap_proxy
This commit introduces a callback to notify any configuration updates
from the eap_proxy layer. This is used to trigger re-reading of IMSI and
MNC length.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-02 12:47:20 +02:00
Jouni Malinen
7f7bfba919 Add an option allow canned EAP-Success for wired IEEE 802.1X
For wired IEEE 802.1X authentication, phase1="allow_canned_success=1"
can now be used to configure a mode that allows EAP-Success (and
EAP-Failure) without going through authentication step. Some switches
use such sequence when forcing the port to be authorized/unauthorized or
as a fallback option if the authentication server is unreachable. By
default, wpa_supplicant discards such frames to protect against
potential attacks by rogue devices, but this option can be used to
disable that protection for cases where the server/authenticator does
not need to be authenticated.

When enabled, this mode allows EAP-Success/EAP-Failure as an immediate
response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is
also allowed immediately after EAP-Identity exchange (fallback case for
authenticator not being able to connect to authentication server).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-01 19:22:54 +02:00
Jouni Malinen
49fcc32e91 EAP-MSCHAPv2 peer: Add option to disable password retry query
wpa_supplicant used to request user to re-enter username/password if the
server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2)
authentication failed (E=691), but retry is allowed (R=1). This is a
reasonable default behavior, but there may be cases where it is more
convenient to close the authentication session immediately rather than
wait for user to do something.

Add a new "mschapv2_retry=0" option to the phase2 field to allow the
retry behavior to be disabled. This will make wpa_supplicant abort
authentication attempt on E=691 regardless of whether the server allows
retry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-01 17:45:19 +02:00
Jouni Malinen
467775c5ac tests: Pending EAP peer processing with VENDOR-TEST
This extends the VENDOR-TEST EAP method peer implementation to allow
pending processing case to be selected at run time. The
ap_wpa2_eap_vendor_test test case is similarly extended to include this
option as the second case for full coverage.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-28 13:09:31 +02:00
Ben
9bd0273931 EAP: Fix possible memory leak in eap_ttls_process_decrypted()
In case eap_peer_tls_encrypt() fails in eap_ttls_process_decrypted(),
free resp memory.

Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
2015-01-20 02:13:15 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
e24aef10cf Fix a typo in domain_suffix_match documentation
Spell SubjectName correctly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
394b54732e Improve subject_match and domain_suffix_match documentation
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
8779ac8a67 EAP-IKEv2: Fix a typo in a debug message
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 13:19:14 +02:00
Jouni Malinen
bb68a6e3cc EAP-IKEv2 peer: Fix fragmentation reassembly
ret->ignore needs to be cleared to FALSE when sending fragment ack
message to avoid ignoring the fragment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 00:48:24 +02:00
Jouni Malinen
8e5c1ec32f EAP-IKEv2: Add explicit limit for maximum message length
This avoids accepting unnecessarily large memory allocations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 00:25:16 +02:00
Jouni Malinen
ce460118a8 ERP: Drop ERP keys on failure on the peer
This allows recovery through fallback to full EAP authentication if the
server rejects us, e.g., due to having dropped ERP state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 15:47:04 +02:00
Jouni Malinen
b90d064f1a Add tls_session_reused=<0/1> into EAP peer TLS status
This can be used to determine whether the last TLS-based EAP
authentication instance re-used a previous session (e.g., TLS session
resumption or EAP-FAST session ticket).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:41:09 +02:00
Jouni Malinen
d4913c585e OpenSSL: Fix EAP-FAST peer regression
Commit 35efa2479f ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.

Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
1f102d3bb0 Check os_snprintf() result more consistently - manual
This converts os_snprintf() result validation cases to use
os_snprintf_error() for cases that were note covered by spatch and
semantic patches.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
faebdeaa9e Use os_calloc() instead of os_zalloc()
Automatic changes with spatch using the following semantic patch:

@@
constant C;
type T;
@@

- os_zalloc(C*sizeof(T))
+ os_calloc(C,sizeof(T))

@@
expression E;
type T;
@@

- os_zalloc((E)*sizeof(T))
+ os_calloc(E,sizeof(T))

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
56b352ec58 ERP: Avoid a static analyzer warning on uninitialized emsk_len
This was not really a real issue since bin_clear_free() would not use
the emsk_len argument when emsk is NULL as it would be on the path where
emsk_len has not been initilized. Anyway, it is better to get rid of the
warning.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 00:33:31 +02:00
Jouni Malinen
65d9a5e254 ERP: Add wpa_supplicant ERP_FLUSH ctrl_iface command
This can be used to flush all the ERP keys.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Jouni Malinen
02a8d45ace ERP: Add support for ERP on EAP peer
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant
network configuration parameter erp=1 can now be used to configure the
EAP peer to derive EMSK, rRK, and rIK at the successful completion of an
EAP authentication method. This functionality is not included in the
default build and can be enabled with CONFIG_ERP=y.

If EAP authenticator indicates support for re-authentication protocol,
initiate this with EAP-Initiate/Re-auth and complete protocol when
receiving EAP-Finish/Re-auth.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Jouni Malinen
92e3c0b14c EAP-PAX: Derive EAP Session-Id
This adds EAP-PAX server and peer method functions for deriving
Session-Id from Method-Id per RFC 4746 and RFC 5247.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-01 01:46:07 +02:00
Jouni Malinen
a7bec9e7b2 EAP-TTLS: Add support for deriving EMSK
This extends EAP-TTLS server and peer implementations to support EMSK
derivation per RFC 5281.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-01 01:28:19 +02:00
Jouni Malinen
d68f74c5ff EAP peer: Clean up TLS Session-Id derivation function
The comment about library not supporting Session-Id derivation was not
accurate and there is no need to check for master key that is not used
as part of derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:53:11 +02:00
Jouni Malinen
adf96fb66b WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
d36f416926 EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
c4de71cec5 EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
364182a80f EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
453553698c EAP-pwd: Remove unnecessary OpenSSL EVP_sha256() registration
This gets registered in tls_openssl.c from tls_init(), so there is no
need for EAP-pwd implementation to register explicitly. This avoids some
corner cases where OpenSSL resources do not get fully freed on exit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:20:10 +02:00
Jouni Malinen
07e2de3193 wpa_supplicant: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled for TLS-based EAP methods when
OpenSSL is used as the TLS library. This parameter can be used both as a
global parameter to set the default for all network blocks and as a
network block parameter to override the default for each network
profile.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:55:13 +03:00
Jouni Malinen
27a725cf74 EAP: Do not allow fast session resumption with different network block
This forces EAP peer implementation to drop any possible fast resumption
data if the network block for the current connection is not the same as
the one used for the previous one. This allows different network blocks
to be used with non-matching parameters to enforce different rules even
if the same authentication server is used. For example, this allows
different CA trust rules to be enforced with different ca_cert
parameters which can prevent EAP-TTLS Phase 2 from being used based on
TLS session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-26 19:39:13 +03:00
Jouni Malinen
1f1fe195cd EAP-pwd: Clear identity string and temporary buffer explicitly
Use an explicit memset call to clear any configuration parameter and
dynamic data that contains private information like keys or identity.
This brings in an additional layer of protection by reducing the length
of time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-24 20:12:57 +03:00
Florent Daigniere
f119d66942 EAP-pwd: Verify BN_rand_range return code
This makes the EAP-pwd server and peer implementations more robust
should OpenSSL fail to derive random number for some reason. While this
is unlikely to happen in practice, the implementation better be prepared
for this should something unexpected ever happen. See
http://jbp.io/2014/01/16/openssl-rand-api/#review-of-randbytes-callers
for more details.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:42:44 +03:00
Florent Daigniere
5197f0335c EAP-pwd: Use os_memcmp_const() for hash comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:39:44 +03:00
Florent Daigniere
26c10f797c OpenSSL: Use EC_POINT_clear_free instead of EC_POINT_free
This changes OpenSSL calls to explicitly clear the EC_POINT memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:35:07 +03:00
Florent Daigniere
3248071dc3 OpenSSL: Use BN_clear_free instead of BN_free
This changes OpenSSL calls to explicitly clear the bignum memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:28:39 +03:00
Dmitry Shmidt
870dfe9932 EAP-TTLS: Remove FreeRADIUS workaround for EAP-TTLS/MSCHAPv2
FreeRADIUS releases before 1.1.4 did not send MS-CHAP2-Success in
EAP-TTLS/MSCHAPv2. A wpa_supplicant workaround for that was added in
2005 and it has been enabled by default to avoid interoperability
issues. This could be disabled with all other EAP workarounds
(eap_workaround=0). However, that will disable some workarounds that are
still needed with number of authentication servers.

Old FreeRADIUS versions should not be in use anymore, so it makes sense
to remove this EAP-TTLS/MSCHAPv2 workaround completely to get more
complete validation of server behavior. This allows MSCHAPv2 to verify
that the server knows the password instead of relying only on the TLS
certificate validation.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-07-20 10:20:24 +03:00
Jouni Malinen
f534ee0804 EAP peer: Clear keying material on deinit
Reduce the amount of time keying material (MSK, EMSK, temporary private
data) remains in memory in EAP methods. This provides additional
protection should there be any issues that could expose process memory
to external observers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
19c48da06b Clear wpa_supplicant configuration keys explicitly
Use an explicit memset call to clear any wpa_supplicant configuration
parameter that contains private information like keys or identity. This
brings in an additional layer of protection by reducing the length of
time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
28bfa29117 EAP-AKA: Remove unnecessary dead increment
The pos pointer is not used after this now nor in future plans, so no
need to increment the value. This remove a static analyzer warning about
dead increment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
a6eae3f7a1 EAP-MSCHAPv2: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
4685482552 EAP-PSK: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
cba0f8698b EAP-PEAP: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
7b1e745870 EAP-LEAP: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
8f92826b15 EAP-GPSK: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
e1550d4be8 EAP-PAX: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
c434503f5e EAP-FAST: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
dddf7bbd4e EAP-EKE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
dfb5608139 EAP-SAKE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
05c79d6acd EAP-SIM/AKA: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
675ddad1c2 EAP-IKEv2: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
ee352f1e5a EAP-pwd: Add explicit total length limit
Instead of using implicit limit based on 16-bit unsigned integer having
a maximum value of 65535, limit the maximum length of a fragmented
EAP-pwd message explicitly to 15000 bytes. None of the supported groups
use longer messages, so it is fine to reject any longer message without
even trying to reassemble it. This will hopefully also help in reducing
false warnings from static analyzers (CID 68124).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
b2b8a4cb10 EAP-SIM/AKA: Pass EAP type as argument to eap_sim_msg_finish()
This makes it easier for static analyzers to figure out which code paths
are possible within eap_sim_msg_finish() for EAP-SIM. This will
hopefully avoid some false warnings (CID 68110, CID 68113, CID 68114).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
79122f9f9c EAP-SIM/AKA: Remove unused RESULT_FAILURE state
This was not set anywhere, so remove the unnecessary code trying to
handle the unused state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-21 00:26:29 +03:00
Jouni Malinen
4075e2fe77 EAP-GPSK: Clean up CSuite_List length validation (CID 62854)
Use a local variable and size_t in length comparison to make this easier
for static analyzers to understand. In addition, set the return list and
list_len values at the end of the function, i.e., only in success case.
These do not change the actual behavior of the only caller for this
function, but clarifies what the helper function is doing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 17:14:59 +03:00
Jouni Malinen
2dbc959699 EAP-FAST: Clean up TLV length validation (CID 62853)
Use size_t instead of int for storing and comparing the TLV length
against the remaining buffer length to make this easier for static
analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 16:45:03 +03:00
Jouni Malinen
8605eabd54 EAP-EKE: Fix typos in debug message
These error messages had an incorrect frame name (likely copy-pasted
from the commit message handler) and couple of typos.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:26:52 +03:00
Jouni Malinen
2485835ba3 EAP-MSCHAPv2: Check hash function results more consistently (CID 68105)
While the hash functions would be very unlikely to fail in practice,
they do have option of returning an error. Check that return value more
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 12:32:45 +03:00
Jouni Malinen
6590b6400f EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
Since there is a limit on the EAP exchange due to maximum number of
roundtrips, there is no point in allowing excessively large buffers to
be allocated based on what the peer device claims the total message to
be. Instead, reject the message if it would not be possible to receive
it in full anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 16:03:45 +03:00
Philippe De Swert
68e2b8882a TNC: Fix minor memory leak (CID 62848)
In tncc_read_config(), the memory allocted for the config
did not get freed if an error occured.

Signed-off-by: Philippe De Swert <philippe.deswert@jollamobile.com>
2014-06-12 19:44:58 +03:00
Jouni Malinen
737754dc2b EAP-IKEv2: Remove obsolete ccns.pl project workarounds
It does not look like there is going to be any additional use for this
old build option that could be used to build the EAP-IKEv2 peer
implementation in a way that interoperates with the eap-ikev2.ccns.pl
project. Remove the workarounds that matches incorrect implementation in
that project to clean up implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-08 12:28:36 +03:00
Jouni Malinen
0a626a5060 TNC: Move common definitions into a shared header file
No need to duplicate these in multiple places.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Jouni Malinen
4075e4e862 TNC: Allow tnc_config file path to be replaced
This is for enabling easier testing of TNCS/TNCC functionality as part
of the test scripts without having to use the fixed /etc/tnc_config
location that could be used by the main system and would require changes
within /etc.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Jouni Malinen
c876dcd70f EAP-IKEv2: Allow frag ack without integrity checksum
RFC 5106 is not exactly clear on the requirements for the "no data"
packet that is used to acknowledge a fragmented message. Allow it to be
processed without the integrity checksum data field since it is possible
to interpret the RFC as this not being included. This fixes reassembly
of fragmented frames after keys have been derived.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 22:47:25 +03:00
Jouni Malinen
0f73c642cc EAP-pwd: Fix processing of group setup failure
If invalid group was negotiated, compute_password_element() left some of
the data->grp pointer uninitialized and this could result in
segmentation fault when deinitializing the EAP method. Fix this by
explicitly clearing all the pointer with eap_zalloc(). In addition,
speed up EAP failure reporting in this type of error case by indicating
that the EAP method execution cannot continue anymore on the peer side
instead of waiting for a timeout.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:24:05 +03:00
Jouni Malinen
13e2574f7d EAP-pwd peer: Export Session-Id through getSessionId callback
EAP-pwd was already deriving the EAP Session-Id, but it was not yet
exposed through the EAP method API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:22:55 +03:00
Jouni Malinen
04cad507e1 EAP-SIM peer: Fix counter-too-small message building
The extra data (nonce_s) used in this message was pointing to the
parsed, decrypted data and that buffer was previously freed just before
building the new message. This resulted in use of freed data and
possibly incorrect extra data value that caused the authentication
attempt to fail. Fix this by reordering the code to free the decrypted
data only after the new message has been generated. This was already the
case for EAP-AKA/AKA', but somehow missing from EAP-SIM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 17:57:28 +03:00
Naresh Jayaram
13f6a07efc Add SIM identifier to the network profile and cred block
This allows the specific SIM to be identified for authentication
purposes in multi-SIM devices. This SIM number represents the index of
the SIM slot. This SIM number shall be used for the authentication using
the respective SIM for the Wi-Fi connection to the corresponding
network.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-24 12:15:32 +03:00
Jouni Malinen
dc39004318 WPS: Remove unused WEP related functionality
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 12:31:45 +03:00
Jouni Malinen
9437c2d0ea EAP-pwd peer: Fix fragmentation of PWD-Confirm-Resp
This is somewhat of a corner case since there is no real point in using
so short a fragmentation threshold that it would result in this message
getting fragmented. Anyway, it is better be complete and support this
case as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:51:00 +03:00
Jouni Malinen
48f668eecf EAP-pwd: Fix memory leak on error path with fragmentation
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:34:30 +03:00
Jouni Malinen
3ff8073db7 EAP-FAST: Use clear eap_get_config() result validation
This was previously checked through the eap_peer_tls_ssl_init() call
which made it difficult for static analyzers. Add an explicit check for
config == NULL into the beginnign of eap_fast_init() since this will
always result in initialization failing anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
8e5fdfabf6 HS 2.0R2: Add WFA server-only EAP-TLS peer method
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:23 +02:00
Stefan Lippers-Hollmann
891330fda9 Fix spelling s/algorith/algorithm/
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2014-02-24 23:40:01 +02:00
Dmitry Shmidt
e9a6f18385 TLS: Add tls_disable_tlsv1_1 and tls_disable_tlsv1_2 phase1 params
These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-02-20 15:28:57 +02:00
Eytan Lifshitz
c0c11afaf1 wpa_supplicant: Fix NULL dereference in eap_fast_parse_end()
In eap_fast_parse_end(), pos might be NULL if the line doesn't
contain '='.

Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
2014-02-13 15:58:21 +02:00
Jouni Malinen
fa4c2988ae WPS NFC: Process new style handover select
The new WPS connection handover select includes Registrar public key
hash instead of credential. Use the new information to start
abbreviated WPS handshake instead of configuring a new network directly
from the old Credential-from-NFC design.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
5f4545573f WPS NFC: Validate peer public key hash on Enrollee
Since the Enrollee can now get the public key hash from the Registrar,
there is need to validate this during the WPS protocol run.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
c60ba9f7ab Skip network disabling on expected EAP failure
Some EAP methods can go through a step that is expected to fail and as
such, should not trigger temporary network disabling when processing
EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as
a special case, but similar behavior is needed for EAP-FAST with
unauthenticated provisioning.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 16:42:15 +02:00
Jouni Malinen
7185e16a91 EAP-FAST peer: Make debug clearer on missing pac_file configuration
EAP-FAST requires pac_file to be configured, so make it clearer from the
debug output if missing configuration parameter was the reason for
EAP-FAST initialization failing.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 10:25:58 +02:00
Jouni Malinen
7b88b64cd3 EXT PW: Fix hash return in password fetching
The hash return buffer was previously left uninitialized in case
externally stored password ("password=ext:...") was used. This could
result in MSCHAPv2 failure if that uninitialized memory happened to be
something else than zero.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 22:32:12 +02:00
Jouni Malinen
188ebcd07b EAP-IKEv2 peer: Fix a memory leak in notify round
The plaintext notification needs to be freed after encryption.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
a190189d22 Remove PEAPv2 support
PEAPv2 implementation was not fully completed and there does not seem to
be any deployments of PEAPv2 nor any clear sign of such showing up in
the future either. As such, there is not much point in maintaining this
implementation in hostapd/wpa_supplicant.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
16a19ddae8 EAP-pwd peer: Allow fragmentation limit to be configured
The standard fragment_size network parameter can now be used to
configure EAP-pwd fragmentation limit instead of always using the
hardcoded value of 1020.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
60bf585cce EAP-IKEv2 peer: Allow fragmentation limit to be configured
The standard fragment_size network parameter can now be used to
configure EAP-IKEv2 fragmentation limit instead of always using the
hardcoded value of 1400.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
c4b8c71ba4 EAP-GPSK: Report CSuite negotiation failure properly
Setting methodState = DONE for the case where GPSK-1 is found to be
invalid or incompatible allows EAP state machine to proceed to FAILURE
state instead of remaining stuck until AP times out the connection.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
5a0f596b7b EAP-GPSK: Allow forced algorithm selection to be configured
phase1 parameter 'cipher' can now be used to specify which algorithm
proposal is selected, e.g., with phase1="cipher=1" selecting AES-based
design and cipher=2 SHA256-based. This is mainly for testing purposes,
but can also be used to enforce stronger algorithms to be used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
5f01c3c84a EAP peer: Improve failure reporting from METHOD with no eapRespData
One of the RFC 4137 state transitions (METHOD -> FAILURE) had been
forgotten and this could result in EAP peer method processing not
reporting failure immediately and instead, remain stuck waiting for the
connection to time out. Fix this by adding the methodState == DONE &&
decision == FAIL case to allow immediate reporting of failures.

The condition from RFC 4137 as-is would cause problems for number of the
existing EAP method implementations since they use that in places where
the final message before EAP-Failure should really be sent to the EAP
server (e.g., WSC_Done in EAP-WSC). Address this by includng eapRespData
== NULL as an additional constraint for entering FAILURE state directly
from METHOD.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
069fb4712b EAP-EKE: Allow forced algorithm selection to be configured
phase1 parameters dhgroup, encr, prf, and mac can now be used to specify
which algorithm proposal is selected, e.g., with phase1="dhgroup=3
encr=1 prf=1 mac=1" selecting the mandatory-to-implement case. This is
mainly for testing purposes, but can also be used to enforce stronger
algorithms to be used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 17:18:17 +02:00
Jouni Malinen
7feff06567 Add CONFIG_CODE_COVERAGE=y option for gcov
This can be used to measure code coverage from test scripts.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-24 19:16:12 +02:00
Naresh Jayaram
fa56315cfc eap_proxy: Add context data pointer to the get_imsi call
This was already included in all the other calls to eap_proxy, but
somehow the get_imsi call had been forgotten.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-23 20:51:46 +03:00
Jouni Malinen
db13605816 EAP-AKA/AKA' peer: Allow external USIM processing to be used
This allows the new external_sim=1 case to be used to perform UMTS
authentication step in EAP-AKA/AKA' peer process. Following control
interface event is used to request the operation:

CTRL-REQ-SIM-<network id>:UMTS-AUTH:<RAND>:<AUTN> needed for SSID <SSID>

Response from external processing is returned with
CTRL-RSP-SIM-<network id> UMTS-AUTH:<IK>:<CK>:<RES>
or
CTRL-RSP-SIM-<network id> UMTS-AUTS:<AUTS>

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 13:12:04 +03:00
Jouni Malinen
569ccf719f EAP-SIM peer: Allow external SIM processing to be used
This allows the new external_sim=1 case to be used to perform GSM
authentication step in EAP-SIM peer process. Following control interface
event is used to request the operation:

CTRL-REQ-SIM-<network id>:GSM-AUTH:<RAND1>:<RAND2>[:<RAND3>] needed
for SSID <SSID>

For example:
<3>CTRL-REQ-SIM-0:GSM-AUTH:5e3496ce7d5863b3b09f97f565513bc3:
73f0f0bc5c47bcbed6f572d07ab74056:447b784f08de80bdc2b1e100fccbb534
needed for SSID test

Response from external processing is returned with
CTRL-RSP-SIM-<network id> GSM-AUTH:<Kc1>:<SRES1>:<Kc2>:<SRES2>
[:<Kc3>:<SRES3>]

For example:
wpa_cli sim 0 GSM-AUTH:d41c76e0079247aa:2709ebfb:43baa77cfc8bcd6c:
0fa98dc1:a8ad1f6e30e

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 13:12:04 +03:00
Jouni Malinen
a5d44ac083 EAP peer: Add framework for external SIM/USIM processing
The new configuration parameter external_sim=<0/1> can now be used to
configure wpa_supplicant to use external SIM/USIM processing (e.g., GSM
authentication for EAP-SIM or UMTS authentication for EAP-AKA). The
requests and responses for such operations are sent over the ctrl_iface
CTRL-REQ-SIM and CTRL-RSP-SIM commands similarly to the existing
password query mechanism.

Changes to the EAP methods to use this new mechanism will be added in
separate commits.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 13:12:04 +03:00
Jouni Malinen
01f809c7db Add AAA server domain name suffix matching constraint
The new domain_suffix_match (and domain_suffix_match2 for Phase 2
EAP-TLS) can now be used to specify an additional constraint for the
server certificate domain name. If set, one of the dNSName values (or if
no dNSName is present, one of the commonName values) in the certificate
must have a suffix match with the specified value. Suffix match is done
based on full domain name labels, i.e., "example.com" matches
"test.example.com" but not "test-example.com".

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 13:34:26 +03:00
Andrejs Cainikovs
fcf20528a0 Fix MNC length for Swisscom SIM cards
Swisscom SIM cards do not include MNC length within EF_AD, and end up
using incorrect MNC length based on the 3-digit default. Hardcode MNC
length of 2 for Switzerland, in the same manner as it was done for
Finland.

Signed-hostap: Andrejs Cainikovs <andrejs.cainikovs@sonymobile.com>
2013-08-31 10:58:23 +03:00
Jouni Malinen
7e7610d788 EAP-EKE: Add peer implementation
This adds a new password-based EAP method defined in RFC 6124.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-07-07 20:30:10 +03:00
Jouni Malinen
080585c01a Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.

hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).

This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-06-30 01:01:15 +03:00
Jouni Malinen
5e24dc8a4b Add dup_binstr() to help common binary string tasks
There are quite a few places in the current implementation where a nul
terminated string is generated from binary data. Add a helper function
to simplify the code a bit.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-04-27 23:44:59 +03:00
Shijie Zhang
d78d3c6190 EAP peer: Add check before calling getSessionId method
We should not call getSessionID method if it's not provided. This fixes
a regression from commit 950c563076 where
EAP methods that did not implement getSessionId resulted in NULL pointer
dereference when deriving the key.

Signed-off-by: Shijie Zhang <shijiez@qca.qualcomm.com>
2013-04-26 12:30:01 +03:00
Jouni Malinen
ab547b5857 WPS: Add more helpful debug for invalid WPS_REG command parsing
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-31 12:34:35 +03:00
Jouni Malinen
d8ed3a075a WPS: Fix OOB Device Password use in PSK1,PSK1 derivation
WSC specification 2.0 section 7.4 describes OOB password to be expressed
in ASCII format (upper case hexdump) instead of raw binary.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-24 10:57:49 +02:00
Jouni Malinen
38a5ad6728 WPS: Fix wps_reg nfc-pw option
Commit ffdaa05a6b added support for using
NFC password token from an AP. However, it had a bug that prevented the
wpa_supplicant wps_reg command from being used with "nfc-pw" as the PIN
value. Fix string comparison to handle this correctly.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-14 19:44:54 +02:00
Jouni Malinen
9ca8427486 EAP peer: Add Session-Id derivation to more EAP methods
This commit adds Session-Id derivation for EAP-SIM, EAP-AKA, EAP-AKA',
EAP-PSK, and EAP-SAK peer methods.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-09 01:20:45 +02:00
Stevent Li
950c563076 EAP peer: Add Session-Id derivation
This adds a new getSessionId() callback for EAP peer methods to allow
EAP Session-Id to be derived. This commits implements this for EAP-FAST,
EAP-GPSK, EAP-IKEv2, EAP-PEAP, EAP-TLS, and EAP-TTLS.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-09 01:20:38 +02:00
Jouni Malinen
62cab3b737 eap_proxy: Add a dummy implementation for compilation testing
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-08 11:54:05 +02:00
Deepthi Gowri
45f4a97a3a eap_proxy: Add mechanism for allowing EAP methods to be offloaded
In addition to the offload mechanism, the Android configuration and
makefiles are extended to allow this to be configured for the build by
dropping in platform specific configuration files and makefile without
having to modify any existing files.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-08 11:54:01 +02:00
Paul Stewart
93c7e332c2 wpa_supplicant: Add more DBus EAP status
Signal the start of EAP authentication as well as when additional
credentials are required to complete.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2013-01-12 19:51:18 +02:00
Jouni Malinen
34d18540fc EAP-FAST: Allow empty PAC file to be used
Even if the PAC file does not start with the proper header line, allow
the file to be used if it is empty. [Bug 423]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:33:22 +02:00
Jouni Malinen
ed61d2a5f9 Fix regression in LEAP
Commit 458cb30191 broke LEAP since it
rejects EAP-Success packet that is used within LEAP and this frame does
not have a payload. Fix LEAP by relaxing the generic EAP packet
validation if LEAP has been negotiated.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-11 21:50:57 +03:00
Jouni Malinen
458cb30191 EAP-TLS: Add extra validation for TLS Message Length
While the existing code already addresses TLS Message Length validation
for both EAP-TLS peer and server side, this adds explicit checks and
rejection of invalid messages in the functions handling reassembly. This
does not change externally observable behavior in case of EAP server.
For EAP peer, this starts rejecting invalid messages instead of
addressing them by reallocating the buffer (i.e., ignoring TLS Message
Length in practice).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-07 20:18:10 +03:00
Jouni Malinen
e026159a8e EAP-SIM/AKA: Store pseudonym identity in configuration
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 13:04:18 +03:00
Jouni Malinen
9343498989 EAP-SIM/AKA peer: Note sending of Client-Error in debug log
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 00:58:03 +03:00
Jouni Malinen
5d65ca514d EAP-SIM peer: Fix AT_COUNTER_TOO_SMALL use
The AT_NONCE_S value needs to be used in AT_MAC calculation for
SIM/Re-authentication response even if re-authentication is rejected
with AT_COUNTER_TOO_SMALL.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-09-02 00:39:48 +03:00
Jouni Malinen
09bcf3be9c Clear idleWhile timer when EAP peer state machine is not in use
This allows the EAPOL tick timer to be stopped more quickly when
getting disconnected.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-26 23:35:08 +03:00
Jouni Malinen
065d2895b4 Add UNAUTH-TLS vendor specific EAP type
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.

The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-22 22:34:11 +03:00
Jouni Malinen
d13f9857f8 Use proper private enterprise number for EAP VENDOR-TEST
Now that the project has its own code, it should be used with the
VENDOR-TEST EAP method.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-22 21:37:19 +03:00
Jouni Malinen
c22075e144 Disable TLS Session Ticket extension by default for EAP-TLS/PEAP/TTLS
Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:26:28 +03:00
Jouni Malinen
f210493b6e Add phase1/phase2 parameter for disabling TLS Session Ticket extension
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:21:28 +03:00
Jouni Malinen
c9e08af24f Do not export TLS keys in FIPS mode
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 19:38:15 +03:00
Jouni Malinen
371296881a EAP-TTLS: Allow TTLS to be built without MSCHAPv2 support
Previously, CONFIG_EAP_MSCHAPV2=y was assumed to be set for
CONFIG_EAP_TTLS=y. Avoid this dependency by making including the
MSCHAPv2 parts in EAP-TTLS conditionally.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 19:02:44 +03:00
Jouni Malinen
305dbc9870 EAP-MD5: Verify that CHAP operation succeeds
The MD5 operation may be disabled in the security policy so chap_md5()
call can fail.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 18:49:02 +03:00
Jouni Malinen
ce7daaae53 MSCHAPv2: Check operation success for NT response generation
These functions could fail (e.g., if MD4 is disabled in the security
policy).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 18:42:27 +03:00
Jouni Malinen
067ffa2696 Convert os_realloc() for an array to use os_realloc_array()
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-13 21:21:23 +03:00
Jouni Malinen
f54eb34995 Add extra validation of EAP header length field
These validation steps are already done in the EAP parsing code and in
the EAP methods, but the additional check is defensive programming and
can make the validation of received EAP messages more easier to
understand.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-07 23:03:25 +03:00
Jouni Malinen
0ebb23e340 EXT PW: Add support for password parameter from external storage
This allows the password parameter for EAP methods to be fetched
from an external storage.

Following example can be used for developer testing:

ext_password_backend=test:pw1=password|pw2=testing

network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user"
    password=ext:pw1
    ca_cert="ca.pem"
    phase2="auth=PAP"
}

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-03 22:15:42 +03:00
Jouni Malinen
daf10baf9e EAP-pwd: Replace direct OpenSSL HMAC use with wrapper
This is a step towards allowing EAP-pwd to be supported with other
crypto libraries.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-07-02 22:10:03 +03:00
Jouni Malinen
8350d0afd8 EAP-pwd: Avoid double-frees on some error paths
At least some error paths (e.g., hitting the limit on hunt-and-peck
iterations) could have resulted in double-freeing of some memory
allocations. Avoid this by setting the pointers to NULL after they have
been freed instead of trying to free the data structure in a location
where some external references cannot be cleared. [Bug 453]

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-30 16:16:32 +03:00
Jouni Malinen
e484e927a6 WPS: Allow NFC password token from AP to be used with wps_reg
The AP PIN on wps_reg command can now be replaced with special value
"nfc-pw" to use device password from a NFC password token from the AP.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-28 19:41:26 +03:00
Jouni Malinen
0965813640 WPS: Fix OOB Device Password use for EAP-WSC peer
The OOB Device Password is passed in as a hexdump of the real Device
Password (16..32 octets of arbitrary binary data). The hexdump needs to
be converted to binary form before passing it for WPS processing.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-27 21:22:12 +03:00
Paul Stewart
dd7fec1f29 wpa_supplicant: Report EAP connection progress to DBus
Send an "EAP" signal via the new DBus interface under various
conditions during EAP authentication:

  - During method selection (ACK and NAK)
  - During certificate verification
  - While sending and receiving TLS alert messages
  - EAP success and failure messages

This provides DBus callers a number of new tools:

  - The ability to probe an AP for available EAP methods
    (given an identity).
  - The ability to identify why the remote certificate was
    not verified.
  - The ability to identify why the remote peer refused
    a TLS connection.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2012-06-04 21:10:01 +03:00
Jouni Malinen
762e4ce620 EAP-AKA': Update to RFC 5448
There was a technical change between the last IETF draft version
(draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters
used in the username (i.e., use unique characters for EAP-AKA' instead
of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and
peer implementations to use the leading characters based on the final
RFC.

Note: This will make EAP-AKA' not interoperate between the earlier
draft version and the new version.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-05-02 20:45:01 +03:00
Jouni Malinen
9f98810c5d TLS: Use separate TLS library context for tunneled TLS
OpenSSL wrapper was using the same certificate store for both Phase 1
and Phase 2 TLS exchange in case of EAP-PEAP/TLS, EAP-TTLS/TLS, and
EAP-FAST/TLS. This would be fine if the same CA certificates were used
in both phases, but does not work properly if different CA certificates
are used. Enforce full separation of TLS state between the phases by
using a separate TLS library context in EAP peer implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-04-07 20:57:02 +03:00
Jouni Malinen
e19467e161 TTLS: Fix peer challenge generation for TTLS/MSCHAPv2
Commit 30680e9332 changed the length
of the implicit challenge result to match with the exact length used
in TTLS. However, it failed to update the peer_challenge generation
to use a separate random value. Previously, this was generated as
part of the implicit challenge, but more correct way would have been
to generate a random value for it separately. Do this now to fix the
read after the allocated buffer (16 bytes after the implicit
challenge).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
2012-03-05 16:59:03 +02:00
Jouni Malinen
05c15c897d EAP-AKA peer: Clean up forgetting-id debug prints
Do not show forgetting of old id values if no value was stored.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-16 23:25:53 +02:00
Jouni Malinen
0f3d578efc Remove the GPL notification from files contributed by Jouni Malinen
Remove the GPL notification text from the files that were
initially contributed by myself.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 19:39:36 +02:00
Jouni Malinen
0dd1603c3f Remove the GPL notification from EAP-pwd implementation
Remove the GPL notification text from EAP-pwd implementation per
approval from Dan Harkins who contributed these files.
(email from Dan Harkins <dharkins@lounge.org> dated
Wed, 4 Jan 2012 16:25:48 -0800)

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 19:39:36 +02:00
Dan Harkins
5ea93947ca EAP-pwd: Add support for fragmentation
Signed-hostap: Dan Harkins <dharkins@lounge.org>
2012-02-11 12:46:30 +02:00
Simon Baatz
4ac384c596 EAP-AKA peer: Append realm when learning the pseudonym
The pseudonym identity should use a realm in environments where a realm is
used. Thus, the realm of the permanent identity is added to the pseudonym
username sent by the server.

Signed-hostap: Simon Baatz <gmbnomis@gmail.com>
2012-01-28 19:41:19 +02:00