Commit graph

397 commits

Author SHA1 Message Date
Jouni Malinen
2ed70c7586 OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
60ed2f24eb Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-17 00:09:47 +03:00
Akihiro Onodera
84fccc7242 Send Client-Error when AT_KDF attributes from the server are incorrect
After KDF negotiation, must check only requested change occurred in the
list of AT_KDF attributes. If there are any other changes, the peer must
behave like the case that AT_MAC had been incorrect and authentication
is failed. These are defined in EAP-AKA' specification RFC 5448, Section
3.2.

Add a complete check of AT_KDF attributes and send Client-Error if a
change which is not requested is included in it.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>
2017-09-10 20:11:07 +03:00
Akihiro Onodera
446600c354 Add AT_KDF attributes to Synchronization-Failure in EAP-AKA'
AT_KDF attributes need to be included in Synchronization-Failure
according to EAP-AKA' specification RFC 5448.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>
2017-09-10 01:39:37 +03:00
Jouni Malinen
1f2ae8cff5 EAP-TTLS: Fix a memory leak on error paths
The allocated challenge needs to be freed on these error paths as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-07-08 16:21:38 +03:00
Ilan Peer
83e003a913 EAP-TTLS: Fix possible memory leak in eap_ttls_phase2_request_mschap()
The msg buffer needs to be freed on these two error paths.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2017-07-08 16:19:36 +03:00
Ilan Peer
96e595a9f1 EAP-LEAP: Fix possible memory leak in eap_leap_process_request()
Free 'resp' object in case of a failure to derive the response.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2017-07-08 16:14:03 +03:00
Vidyullatha Kanchanapally
2a71673e27 ERP: Derive ERP key only after successful EAP authentication
ERP key was previously derived immediately after the availability of
EMSK and Session-Id and the ERP key hierarchy was saved even if the
authentication resulted in failure eventually. Instead, derive the ERP
key only after a successful EAP authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-23 19:37:14 +03:00
Vidyullatha Kanchanapally
b5db6e5dc4 eap_proxy: Support multiple SIMs in get_imsi()
This allows the eap_proxy mechanism to be used with multiple SIMs by
following the configured sim_num to index which SIM to use for when
fetching the IMSI through eap_proxy.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-06 03:42:32 +03:00
Vidyullatha Kanchanapally
0020876514 eap_proxy: Build realm from IMSI for proxy based EAP methods
For proxy based EAP methods, the EAP identity is constructed in
eap_proxy layer from IMSI when required. Realm information from identity
is used to do ERP eventually, hence construct the realm for proxy based
methods from IMSI in core wpa_supplicant to enable the ERP use case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-06 03:41:23 +03:00
Vidyullatha Kanchanapally
8696e61702 eap_proxy: Add support for deriving ERP information
This commit adds support for deriving ERP key information in EAP Proxy
based EAP method implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-05 08:04:52 +03:00
Vidyullatha Kanchanapally
4aa329298d ERP: Do not generate ERP keys when domain name is not specified
This commit adds changes to not generate ERP information if the domain
name is not specified in the EAP identity. keyName-NAI needs the realm
part and as such, it is reasonable to require the main EAP configuration
to provide that realm.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-22 13:51:23 +03:00
Jouni Malinen
01dd2b1054 ERP: Silence static analyzer warning
The check for erp->keyname_nai within eap_erp_get_key() is apparently
too difficult for some static analyzers to notice. Add an explicit check
for os_strchr() return value being non-NULL to avoid false reports.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-01 22:08:16 +03:00
Vidyullatha Kanchanapally
15def72fab ERP: External control of ERP key information
This allows ERP keys to be managed by external entities, e.g., when
offloading FILS shared key authentication to a driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-07 18:46:13 +03:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
b41d3e0a75 crypto: Process des_encrypt() error returns in callers
This updates all the des_encrypt() callers to handle error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:05 +02:00
Jouni Malinen
76aa318381 EAP: Call deinit_for_reauth() for Phase 2 EAP methods
EAP-TTLS/PEAP/FAST were previously doing this for init_for_reauth(), but
not for deinit_for_reauth(). Add the deinit_for_reauth() call as well to
cover cases like EAP-AKA cleaup of AT_CHECKCODE data.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
02156b98b7 EAP-AKA: Don't use anonymous identity in phase2
This adds the same changes to EAP-AKA that were previous done for
EAP-SIM to allow functionality within an EAP-TTLS/PEAP/FAST tunnel
without causing issues to the phase 1 identity string.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Paul Stewart
9e2afe10e6 EAP-SIM: Don't use anonymous identity in phase2
The "anonymous_identity" configuration field has more than one
semantic meaning. For tunneled EAP methods, this refers to the
outer EAP identity. For EAP-SIM, this refers to the pseudonym
identity. Also, interestingly, EAP-SIM can overwrite the
"anonymous_identity" field if one is provided to it by the
authenticator.

When EAP-SIM is tunneled within an outer method, it makes sense
to only use this value for the outer method, since it's unlikely
that this will also be valid as an identity for the inner EAP-SIM
method. Also, presumably since the outer method protects the
EAP-SIM transaction, there is no need for a pseudonym in this
usage.

Similarly, if EAP-SIM is being used as an inner method, it must
not push the pseudonym identity using eap_set_anon_id() since it
could overwrite the identity for the outer EAP method.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-02-10 19:48:12 +02:00
Paul Stewart
ed9b1c16d5 EAP peer: Cache decrypted requests for EAP-SIM/AKA/AKA'
Add an internal flag which indicates to tunneled EAP methods (FAST,
PEAP, TTLS) that they should cache decrypted EAP-SIM/AKA/AKA' requests.
This allows EAP-SIM/AKA/AKA' to be tunneled within these outer methods
while using an external SIM authenticator over the control interface.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
7a6c3de23a ERP: Use macro for EMSKname length instead of hardcoded integer value
While RFC 5295 uses "8" as the value to use in the length field in KDF
context when deriving EMSKname, it is clearer to use the macro defining
EMSKname as the value since the KDF design in RFC 5295 encodes the
length of the derived data in octets in that part of the context data.
This change is just making the implementation easier to understand while
not actually changing the behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-03 15:35:21 +02:00
Jouni Malinen
bb3ea71a23 ERP: Fix rIK derivation
Unlike the EMSKname and rRK derivations, rIK derivation is actually
using the "optional data" component in the context data (see RFC 5295).
RFC 6696 defines that optional data to be the cryptosuite field for rIK.
This was missing from the previous implementation and that resulted in
incorrect rIK being derived.

In addition, the rIK Label string does not actually include the "EAP "
prefix in the way as the rRK Label in RFC 6696 does. This would also
have resulted in incorrect rIK value.

Fix rIK derivation by adding the cryptosuite value into the KDF context
data and fixing the label string. This change is not backwards
compatible and breaks all ERP use cases (including FILS shared key
authentication) with older (broken) and new (fixed)
hostapd/wpa_supplicant builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-03 15:34:59 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Purushottam Kushwaha
a6f3761f7d eap_proxy: Add support for SIM state change indication from eap_proxy
This registers a new callback to indicate change in SIM state. This
helps to do some clean up (more specifically pmksa_flush) based on the
state change of the SIM. Without this, the reconnection using the cached
PMKSA could happen though the SIM is changed.

Currently eap_proxy_sim_state corresponds to only SIM_STATE_ERROR. This
can be further extended.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:21:07 +02:00
Jouni Malinen
79a54ab9f6 eap_proxy: Fix eap_proxy_init() prototype to use const eapol_cb
The eapol_cb structure was made const and that change resulted in a
compilation warning/error if CONFIG_EAP_PROXY=<name> is enabled in the
wpa_supplicant build configuration. Fix this by updating the function
prototype to match the change.

Note: This results in a change needed to external eap_proxy_*.c
implementations to match the change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:14:07 +02:00
Jouni Malinen
de57d87353 ERP: Make eap_peer_finish() callable
This is needed for FILS to process EAP-Finish/Re-auth.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:26:00 +03:00
Jouni Malinen
c28767e11c ERP: Make eap_peer_erp_reauth_start() available
This needs to be callable through the EAPOL supplicant wrappers to allow
FILS implementation to use ERP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:25:50 +03:00
Jouni Malinen
bf07e05349 ERP: Do not pass full EAP header to eap_peer_erp_reauth_start()
That function does not need the full EAP header -- it only needs to know
which EAP identifier to use in the message. Make this usable for cases
where the previous EAP message may not exist (FILS).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Brian Candler
2875e32333 EAP-pwd: Fix Prep in EAP-pwd-ID/Response when EAP_PWD_PREP_MS is used
Fix the pre-processing field in the response when EAP_PWD_PREP_MS is
being used. This fixes interoperability with EAP-pwd servers that
validate the Prep field in EAP-pwd-ID/Response when the RFC2759
(PasswordHashHash) pre-processing is used.

Signed-off-by: Brian Candler <B.Candler@pobox.com>
2016-10-08 19:43:09 +03:00
Jouni Malinen
205d2d1ff5 Fix typos in wpa_supplicant configuration parameter documentation
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-09-10 21:09:52 +03:00
Jouni Malinen
ac36b133aa TNCC: Mark functions static
These are called through function pointers, so no need to make the
function symbols directly available outside this file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-24 01:38:04 +03:00
David Benjamin
7358170787 TLS: Split tls_connection_prf() into two functions
Most protocols extracting keys from TLS use RFC 5705 exporters which is
commonly implemented in TLS libraries. This is the mechanism used by
EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined
to be compatible with it.)

EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal
key block derivation and derives key material after the key block. This
is uncommon and a misuse of TLS internals, so not all TLS libraries
support this. Instead, we reimplement the PRF for the OpenSSL backend
and don't support it at all in the GnuTLS one.

Since these two are very different operations, split
tls_connection_prf() in two. tls_connection_export_key() implements the
standard RFC 5705 mechanism that we expect most TLS libraries to
support. tls_connection_get_eap_fast_key() implements the
EAP-FAST-specific legacy mechanism which may not be implemented on all
backends but is only used by EAP-FAST.

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 20:40:12 +03:00
Jouni Malinen
9d136b00ac EAP-SAKE: Do not debug print result if eap_sake_compute_mic() fails
This gets rid of a valgrind warning on uninitialized memory read in the
eap_proto_sake_errors test case where the result was used after the
failed eap_sake_compute_mic() call.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-16 22:26:37 +03:00
Jouni Malinen
0884633577 EAP-PAX: Do not debug print result if eap_pax_mac() fails
This gets rid of a valgrind warning on uninitialized memory read in the
eap_proto_pax_errors test case where the result was used after the
failed eap_pax_mac() call.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-16 22:25:25 +03:00
Jouni Malinen
92abe3782f EAP-FAST: Check sha1_t_prf() result in eap_fast_get_cmk()
This gets rid of a valgrind warning on uninitialized memory read in the
eap_proto_fast_errors test case where the result was used after the
failed sha1_t_prf() call.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-16 22:24:01 +03:00
Ilan Peer
b8f02d8baf EAP-PWD peer: Fix possible memory leak on error path
Fix possible memory leak in eap_pwd_perform_commit_exchange().

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-03-03 16:28:41 +02:00
Jouni Malinen
5558b9980f EAP-FAST peer: Remove fixed return value from eap_fast_parse_phase1()
This function was always returning 0, so the error path was unreachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-20 10:07:29 +02:00
Jouni Malinen
d1d8a2bd62 EAP peer: Simplify buildNotify return
There is no need for the local variable and two return statements.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 21:01:41 +02:00
Jouni Malinen
1314bc11cf Clean up EAP peer PCSC identity functions
Leave out more code if PCSC_FUNCS is not defined since config->pcsc != 0
case cannot be used with such a build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 20:51:04 +02:00
Jouni Malinen
e265838a43 EAP-FAST: Fix an error path in PAC binary format parsing
Need to clear the pac pointer for the first error case to avoid freeing
the previous PAC entry if the following entry has an invalid header.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-06 00:26:31 +02:00
Jouni Malinen
269f9d5d10 EAP peer: Use ifdef PCSC_FUNCS to get rid of compiler warnings
clang started warning about the use of || with constants that came from
PCSC_FUNCS not being enabled in the build. It seems to be easier to just
ifdef this block out completely since that has the same outcome for
builds that do not include PC/SC support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:41:30 +02:00
Jouni Malinen
0daa9f6a13 EAP-TTLS peer: Fix success after fragmented final Phase 2 message
If the final Phase 2 message needed fragmentation, EAP method decision
was cleared from UNCOND_SUCC or COND_SUCC to FAIL and that resulted in
the authentication failing when the EAP-Success message from the server
got rejected. Fix this by restoring the EAP method decision after
fragmentation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 13:37:15 +02:00
Jouni Malinen
49a26bb3e3 EAP peer: Simplify EAP method registration call
Free the allocated structure in error cases to remove need for each EAP
method to handle the error cases separately. Each registration function
can simply do "return eap_peer_method_register(eap);" in the end of the
function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 23:30:25 +02:00
Jouni Malinen
7ce5603251 EAP-WSC peer: Remove unused state values
The FRAG_ACK and DONE state were not used at all, so remove them.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 22:09:08 +02:00
Jouni Malinen
7a36f1184e EAP-PAX: Check hmac_sha1_vector() return value
This function can fail at least in theory, so check its return value
before proceeding. This is mainly helping automated test case coverage
to reach some more error paths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-06 21:12:08 +02:00
Jouni Malinen
acc39435ff EAP-PEAP peer: Cryptobinding in fast-reconnect case with inner EAP
This was reported to fail with Windows 2012r2 with "Invalid Compound_MAC
in cryptobinding TLV". It turns out that the server decided to go
through inner EAP method (EAP-MSCHAPv2 in the reported case) even when
using PEAP fast-reconnect. This seems to be against the [MS-PEAP]
specification which claims that inner EAP method is not used in such a
case. This resulted in a different CMK being derived by the server (used
the version that used ISK) and wpa_supplicant (used the version where
IPMK|CMK = TK without ISK when using fast-reconnect).

Fix this interop issue by making wpa_supplicant to use the
fast-reconnect version of CMK derivation only when using TLS session
resumption and the server having not initiated inner EAP method before
going through the cryptobinding exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-05 23:50:50 +02:00
Jouni Malinen
750f5d9964 EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 20:52:58 +02:00
Jouni Malinen
d39f796f43 EAP-TNC peer: Remove dead code related to fragmentation
The data->state == WAIT_FRAG_ACK case is already handling all cases
where data->out_buf could be non-NULL, so this additional check after
the WAIT_FRAG_ACK steps cannot be reached. Remove the duplicated dead
code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 19:16:15 +02:00
Jouni Malinen
abbbaa4997 TNC: Print received IF-TNCCS message as debug ASCII hexdump
This makes it easier to see what TNCC is processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 18:33:19 +02:00
Jouni Malinen
d745f02e0e EAP-TNC peer: Allow fragment_size to be configured
Previously, a fixed 1300 fragment_size was hardcoded. Now the EAP
profile parameter fragment_size can be used to override this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 14:19:23 +02:00