Commit graph

397 commits

Author SHA1 Message Date
Jouni Malinen
fa0e715100 Use tls_connection_prf() for all EAP TLS-based key derivation
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:47:32 +03:00
Jouni Malinen
3e808b831c EAP-pwd peer: Add support for hashed password
This extends EAP-pwd peer support to allow NtHash version of password
storage in addition to full plaintext password. In addition, this allows
the server to request hashed version even if the plaintext password is
available on the client. Furthermore, unsupported password preparation
requests are now rejected rather than allowing the authentication
attempt to continue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:43:33 +02:00
Sunil Dutt
dd5c155e2e eap_proxy: Callback to notify any updates from eap_proxy
This commit introduces a callback to notify any configuration updates
from the eap_proxy layer. This is used to trigger re-reading of IMSI and
MNC length.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-02 12:47:20 +02:00
Jouni Malinen
7f7bfba919 Add an option allow canned EAP-Success for wired IEEE 802.1X
For wired IEEE 802.1X authentication, phase1="allow_canned_success=1"
can now be used to configure a mode that allows EAP-Success (and
EAP-Failure) without going through authentication step. Some switches
use such sequence when forcing the port to be authorized/unauthorized or
as a fallback option if the authentication server is unreachable. By
default, wpa_supplicant discards such frames to protect against
potential attacks by rogue devices, but this option can be used to
disable that protection for cases where the server/authenticator does
not need to be authenticated.

When enabled, this mode allows EAP-Success/EAP-Failure as an immediate
response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is
also allowed immediately after EAP-Identity exchange (fallback case for
authenticator not being able to connect to authentication server).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-01 19:22:54 +02:00
Jouni Malinen
49fcc32e91 EAP-MSCHAPv2 peer: Add option to disable password retry query
wpa_supplicant used to request user to re-enter username/password if the
server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2)
authentication failed (E=691), but retry is allowed (R=1). This is a
reasonable default behavior, but there may be cases where it is more
convenient to close the authentication session immediately rather than
wait for user to do something.

Add a new "mschapv2_retry=0" option to the phase2 field to allow the
retry behavior to be disabled. This will make wpa_supplicant abort
authentication attempt on E=691 regardless of whether the server allows
retry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-01 17:45:19 +02:00
Jouni Malinen
467775c5ac tests: Pending EAP peer processing with VENDOR-TEST
This extends the VENDOR-TEST EAP method peer implementation to allow
pending processing case to be selected at run time. The
ap_wpa2_eap_vendor_test test case is similarly extended to include this
option as the second case for full coverage.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-28 13:09:31 +02:00
Ben
9bd0273931 EAP: Fix possible memory leak in eap_ttls_process_decrypted()
In case eap_peer_tls_encrypt() fails in eap_ttls_process_decrypted(),
free resp memory.

Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
2015-01-20 02:13:15 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
e24aef10cf Fix a typo in domain_suffix_match documentation
Spell SubjectName correctly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
394b54732e Improve subject_match and domain_suffix_match documentation
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:27:01 +02:00
Jouni Malinen
8779ac8a67 EAP-IKEv2: Fix a typo in a debug message
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 13:19:14 +02:00
Jouni Malinen
bb68a6e3cc EAP-IKEv2 peer: Fix fragmentation reassembly
ret->ignore needs to be cleared to FALSE when sending fragment ack
message to avoid ignoring the fragment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 00:48:24 +02:00
Jouni Malinen
8e5c1ec32f EAP-IKEv2: Add explicit limit for maximum message length
This avoids accepting unnecessarily large memory allocations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-21 00:25:16 +02:00
Jouni Malinen
ce460118a8 ERP: Drop ERP keys on failure on the peer
This allows recovery through fallback to full EAP authentication if the
server rejects us, e.g., due to having dropped ERP state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 15:47:04 +02:00
Jouni Malinen
b90d064f1a Add tls_session_reused=<0/1> into EAP peer TLS status
This can be used to determine whether the last TLS-based EAP
authentication instance re-used a previous session (e.g., TLS session
resumption or EAP-FAST session ticket).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:41:09 +02:00
Jouni Malinen
d4913c585e OpenSSL: Fix EAP-FAST peer regression
Commit 35efa2479f ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.

Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
1f102d3bb0 Check os_snprintf() result more consistently - manual
This converts os_snprintf() result validation cases to use
os_snprintf_error() for cases that were note covered by spatch and
semantic patches.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
faebdeaa9e Use os_calloc() instead of os_zalloc()
Automatic changes with spatch using the following semantic patch:

@@
constant C;
type T;
@@

- os_zalloc(C*sizeof(T))
+ os_calloc(C,sizeof(T))

@@
expression E;
type T;
@@

- os_zalloc((E)*sizeof(T))
+ os_calloc(E,sizeof(T))

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
56b352ec58 ERP: Avoid a static analyzer warning on uninitialized emsk_len
This was not really a real issue since bin_clear_free() would not use
the emsk_len argument when emsk is NULL as it would be on the path where
emsk_len has not been initilized. Anyway, it is better to get rid of the
warning.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 00:33:31 +02:00
Jouni Malinen
65d9a5e254 ERP: Add wpa_supplicant ERP_FLUSH ctrl_iface command
This can be used to flush all the ERP keys.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Jouni Malinen
02a8d45ace ERP: Add support for ERP on EAP peer
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant
network configuration parameter erp=1 can now be used to configure the
EAP peer to derive EMSK, rRK, and rIK at the successful completion of an
EAP authentication method. This functionality is not included in the
default build and can be enabled with CONFIG_ERP=y.

If EAP authenticator indicates support for re-authentication protocol,
initiate this with EAP-Initiate/Re-auth and complete protocol when
receiving EAP-Finish/Re-auth.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Jouni Malinen
92e3c0b14c EAP-PAX: Derive EAP Session-Id
This adds EAP-PAX server and peer method functions for deriving
Session-Id from Method-Id per RFC 4746 and RFC 5247.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-01 01:46:07 +02:00
Jouni Malinen
a7bec9e7b2 EAP-TTLS: Add support for deriving EMSK
This extends EAP-TTLS server and peer implementations to support EMSK
derivation per RFC 5281.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-01 01:28:19 +02:00
Jouni Malinen
d68f74c5ff EAP peer: Clean up TLS Session-Id derivation function
The comment about library not supporting Session-Id derivation was not
accurate and there is no need to check for master key that is not used
as part of derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:53:11 +02:00
Jouni Malinen
adf96fb66b WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
d36f416926 EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
c4de71cec5 EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
364182a80f EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
453553698c EAP-pwd: Remove unnecessary OpenSSL EVP_sha256() registration
This gets registered in tls_openssl.c from tls_init(), so there is no
need for EAP-pwd implementation to register explicitly. This avoids some
corner cases where OpenSSL resources do not get fully freed on exit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:20:10 +02:00
Jouni Malinen
07e2de3193 wpa_supplicant: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled for TLS-based EAP methods when
OpenSSL is used as the TLS library. This parameter can be used both as a
global parameter to set the default for all network blocks and as a
network block parameter to override the default for each network
profile.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:55:13 +03:00
Jouni Malinen
27a725cf74 EAP: Do not allow fast session resumption with different network block
This forces EAP peer implementation to drop any possible fast resumption
data if the network block for the current connection is not the same as
the one used for the previous one. This allows different network blocks
to be used with non-matching parameters to enforce different rules even
if the same authentication server is used. For example, this allows
different CA trust rules to be enforced with different ca_cert
parameters which can prevent EAP-TTLS Phase 2 from being used based on
TLS session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-26 19:39:13 +03:00
Jouni Malinen
1f1fe195cd EAP-pwd: Clear identity string and temporary buffer explicitly
Use an explicit memset call to clear any configuration parameter and
dynamic data that contains private information like keys or identity.
This brings in an additional layer of protection by reducing the length
of time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-24 20:12:57 +03:00
Florent Daigniere
f119d66942 EAP-pwd: Verify BN_rand_range return code
This makes the EAP-pwd server and peer implementations more robust
should OpenSSL fail to derive random number for some reason. While this
is unlikely to happen in practice, the implementation better be prepared
for this should something unexpected ever happen. See
http://jbp.io/2014/01/16/openssl-rand-api/#review-of-randbytes-callers
for more details.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:42:44 +03:00
Florent Daigniere
5197f0335c EAP-pwd: Use os_memcmp_const() for hash comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:39:44 +03:00
Florent Daigniere
26c10f797c OpenSSL: Use EC_POINT_clear_free instead of EC_POINT_free
This changes OpenSSL calls to explicitly clear the EC_POINT memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:35:07 +03:00
Florent Daigniere
3248071dc3 OpenSSL: Use BN_clear_free instead of BN_free
This changes OpenSSL calls to explicitly clear the bignum memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:28:39 +03:00
Dmitry Shmidt
870dfe9932 EAP-TTLS: Remove FreeRADIUS workaround for EAP-TTLS/MSCHAPv2
FreeRADIUS releases before 1.1.4 did not send MS-CHAP2-Success in
EAP-TTLS/MSCHAPv2. A wpa_supplicant workaround for that was added in
2005 and it has been enabled by default to avoid interoperability
issues. This could be disabled with all other EAP workarounds
(eap_workaround=0). However, that will disable some workarounds that are
still needed with number of authentication servers.

Old FreeRADIUS versions should not be in use anymore, so it makes sense
to remove this EAP-TTLS/MSCHAPv2 workaround completely to get more
complete validation of server behavior. This allows MSCHAPv2 to verify
that the server knows the password instead of relying only on the TLS
certificate validation.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-07-20 10:20:24 +03:00
Jouni Malinen
f534ee0804 EAP peer: Clear keying material on deinit
Reduce the amount of time keying material (MSK, EMSK, temporary private
data) remains in memory in EAP methods. This provides additional
protection should there be any issues that could expose process memory
to external observers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
19c48da06b Clear wpa_supplicant configuration keys explicitly
Use an explicit memset call to clear any wpa_supplicant configuration
parameter that contains private information like keys or identity. This
brings in an additional layer of protection by reducing the length of
time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
28bfa29117 EAP-AKA: Remove unnecessary dead increment
The pos pointer is not used after this now nor in future plans, so no
need to increment the value. This remove a static analyzer warning about
dead increment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
a6eae3f7a1 EAP-MSCHAPv2: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
4685482552 EAP-PSK: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
cba0f8698b EAP-PEAP: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
7b1e745870 EAP-LEAP: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
8f92826b15 EAP-GPSK: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
e1550d4be8 EAP-PAX: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
c434503f5e EAP-FAST: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
dddf7bbd4e EAP-EKE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
dfb5608139 EAP-SAKE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
05c79d6acd EAP-SIM/AKA: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
675ddad1c2 EAP-IKEv2: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
ee352f1e5a EAP-pwd: Add explicit total length limit
Instead of using implicit limit based on 16-bit unsigned integer having
a maximum value of 65535, limit the maximum length of a fragmented
EAP-pwd message explicitly to 15000 bytes. None of the supported groups
use longer messages, so it is fine to reject any longer message without
even trying to reassemble it. This will hopefully also help in reducing
false warnings from static analyzers (CID 68124).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
b2b8a4cb10 EAP-SIM/AKA: Pass EAP type as argument to eap_sim_msg_finish()
This makes it easier for static analyzers to figure out which code paths
are possible within eap_sim_msg_finish() for EAP-SIM. This will
hopefully avoid some false warnings (CID 68110, CID 68113, CID 68114).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
79122f9f9c EAP-SIM/AKA: Remove unused RESULT_FAILURE state
This was not set anywhere, so remove the unnecessary code trying to
handle the unused state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-21 00:26:29 +03:00
Jouni Malinen
4075e2fe77 EAP-GPSK: Clean up CSuite_List length validation (CID 62854)
Use a local variable and size_t in length comparison to make this easier
for static analyzers to understand. In addition, set the return list and
list_len values at the end of the function, i.e., only in success case.
These do not change the actual behavior of the only caller for this
function, but clarifies what the helper function is doing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 17:14:59 +03:00
Jouni Malinen
2dbc959699 EAP-FAST: Clean up TLV length validation (CID 62853)
Use size_t instead of int for storing and comparing the TLV length
against the remaining buffer length to make this easier for static
analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 16:45:03 +03:00
Jouni Malinen
8605eabd54 EAP-EKE: Fix typos in debug message
These error messages had an incorrect frame name (likely copy-pasted
from the commit message handler) and couple of typos.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 17:26:52 +03:00
Jouni Malinen
2485835ba3 EAP-MSCHAPv2: Check hash function results more consistently (CID 68105)
While the hash functions would be very unlikely to fail in practice,
they do have option of returning an error. Check that return value more
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 12:32:45 +03:00
Jouni Malinen
6590b6400f EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
Since there is a limit on the EAP exchange due to maximum number of
roundtrips, there is no point in allowing excessively large buffers to
be allocated based on what the peer device claims the total message to
be. Instead, reject the message if it would not be possible to receive
it in full anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 16:03:45 +03:00
Philippe De Swert
68e2b8882a TNC: Fix minor memory leak (CID 62848)
In tncc_read_config(), the memory allocted for the config
did not get freed if an error occured.

Signed-off-by: Philippe De Swert <philippe.deswert@jollamobile.com>
2014-06-12 19:44:58 +03:00
Jouni Malinen
737754dc2b EAP-IKEv2: Remove obsolete ccns.pl project workarounds
It does not look like there is going to be any additional use for this
old build option that could be used to build the EAP-IKEv2 peer
implementation in a way that interoperates with the eap-ikev2.ccns.pl
project. Remove the workarounds that matches incorrect implementation in
that project to clean up implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-08 12:28:36 +03:00
Jouni Malinen
0a626a5060 TNC: Move common definitions into a shared header file
No need to duplicate these in multiple places.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Jouni Malinen
4075e4e862 TNC: Allow tnc_config file path to be replaced
This is for enabling easier testing of TNCS/TNCC functionality as part
of the test scripts without having to use the fixed /etc/tnc_config
location that could be used by the main system and would require changes
within /etc.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Jouni Malinen
c876dcd70f EAP-IKEv2: Allow frag ack without integrity checksum
RFC 5106 is not exactly clear on the requirements for the "no data"
packet that is used to acknowledge a fragmented message. Allow it to be
processed without the integrity checksum data field since it is possible
to interpret the RFC as this not being included. This fixes reassembly
of fragmented frames after keys have been derived.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 22:47:25 +03:00
Jouni Malinen
0f73c642cc EAP-pwd: Fix processing of group setup failure
If invalid group was negotiated, compute_password_element() left some of
the data->grp pointer uninitialized and this could result in
segmentation fault when deinitializing the EAP method. Fix this by
explicitly clearing all the pointer with eap_zalloc(). In addition,
speed up EAP failure reporting in this type of error case by indicating
that the EAP method execution cannot continue anymore on the peer side
instead of waiting for a timeout.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:24:05 +03:00
Jouni Malinen
13e2574f7d EAP-pwd peer: Export Session-Id through getSessionId callback
EAP-pwd was already deriving the EAP Session-Id, but it was not yet
exposed through the EAP method API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:22:55 +03:00
Jouni Malinen
04cad507e1 EAP-SIM peer: Fix counter-too-small message building
The extra data (nonce_s) used in this message was pointing to the
parsed, decrypted data and that buffer was previously freed just before
building the new message. This resulted in use of freed data and
possibly incorrect extra data value that caused the authentication
attempt to fail. Fix this by reordering the code to free the decrypted
data only after the new message has been generated. This was already the
case for EAP-AKA/AKA', but somehow missing from EAP-SIM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 17:57:28 +03:00
Naresh Jayaram
13f6a07efc Add SIM identifier to the network profile and cred block
This allows the specific SIM to be identified for authentication
purposes in multi-SIM devices. This SIM number represents the index of
the SIM slot. This SIM number shall be used for the authentication using
the respective SIM for the Wi-Fi connection to the corresponding
network.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-24 12:15:32 +03:00
Jouni Malinen
dc39004318 WPS: Remove unused WEP related functionality
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 12:31:45 +03:00
Jouni Malinen
9437c2d0ea EAP-pwd peer: Fix fragmentation of PWD-Confirm-Resp
This is somewhat of a corner case since there is no real point in using
so short a fragmentation threshold that it would result in this message
getting fragmented. Anyway, it is better be complete and support this
case as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:51:00 +03:00
Jouni Malinen
48f668eecf EAP-pwd: Fix memory leak on error path with fragmentation
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:34:30 +03:00
Jouni Malinen
3ff8073db7 EAP-FAST: Use clear eap_get_config() result validation
This was previously checked through the eap_peer_tls_ssl_init() call
which made it difficult for static analyzers. Add an explicit check for
config == NULL into the beginnign of eap_fast_init() since this will
always result in initialization failing anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
8e5fdfabf6 HS 2.0R2: Add WFA server-only EAP-TLS peer method
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:23 +02:00
Stefan Lippers-Hollmann
891330fda9 Fix spelling s/algorith/algorithm/
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2014-02-24 23:40:01 +02:00
Dmitry Shmidt
e9a6f18385 TLS: Add tls_disable_tlsv1_1 and tls_disable_tlsv1_2 phase1 params
These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-02-20 15:28:57 +02:00
Eytan Lifshitz
c0c11afaf1 wpa_supplicant: Fix NULL dereference in eap_fast_parse_end()
In eap_fast_parse_end(), pos might be NULL if the line doesn't
contain '='.

Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
2014-02-13 15:58:21 +02:00
Jouni Malinen
fa4c2988ae WPS NFC: Process new style handover select
The new WPS connection handover select includes Registrar public key
hash instead of credential. Use the new information to start
abbreviated WPS handshake instead of configuring a new network directly
from the old Credential-from-NFC design.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
5f4545573f WPS NFC: Validate peer public key hash on Enrollee
Since the Enrollee can now get the public key hash from the Registrar,
there is need to validate this during the WPS protocol run.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
c60ba9f7ab Skip network disabling on expected EAP failure
Some EAP methods can go through a step that is expected to fail and as
such, should not trigger temporary network disabling when processing
EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as
a special case, but similar behavior is needed for EAP-FAST with
unauthenticated provisioning.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 16:42:15 +02:00
Jouni Malinen
7185e16a91 EAP-FAST peer: Make debug clearer on missing pac_file configuration
EAP-FAST requires pac_file to be configured, so make it clearer from the
debug output if missing configuration parameter was the reason for
EAP-FAST initialization failing.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 10:25:58 +02:00
Jouni Malinen
7b88b64cd3 EXT PW: Fix hash return in password fetching
The hash return buffer was previously left uninitialized in case
externally stored password ("password=ext:...") was used. This could
result in MSCHAPv2 failure if that uninitialized memory happened to be
something else than zero.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 22:32:12 +02:00
Jouni Malinen
188ebcd07b EAP-IKEv2 peer: Fix a memory leak in notify round
The plaintext notification needs to be freed after encryption.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
a190189d22 Remove PEAPv2 support
PEAPv2 implementation was not fully completed and there does not seem to
be any deployments of PEAPv2 nor any clear sign of such showing up in
the future either. As such, there is not much point in maintaining this
implementation in hostapd/wpa_supplicant.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
16a19ddae8 EAP-pwd peer: Allow fragmentation limit to be configured
The standard fragment_size network parameter can now be used to
configure EAP-pwd fragmentation limit instead of always using the
hardcoded value of 1020.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
60bf585cce EAP-IKEv2 peer: Allow fragmentation limit to be configured
The standard fragment_size network parameter can now be used to
configure EAP-IKEv2 fragmentation limit instead of always using the
hardcoded value of 1400.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
c4b8c71ba4 EAP-GPSK: Report CSuite negotiation failure properly
Setting methodState = DONE for the case where GPSK-1 is found to be
invalid or incompatible allows EAP state machine to proceed to FAILURE
state instead of remaining stuck until AP times out the connection.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
5a0f596b7b EAP-GPSK: Allow forced algorithm selection to be configured
phase1 parameter 'cipher' can now be used to specify which algorithm
proposal is selected, e.g., with phase1="cipher=1" selecting AES-based
design and cipher=2 SHA256-based. This is mainly for testing purposes,
but can also be used to enforce stronger algorithms to be used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
5f01c3c84a EAP peer: Improve failure reporting from METHOD with no eapRespData
One of the RFC 4137 state transitions (METHOD -> FAILURE) had been
forgotten and this could result in EAP peer method processing not
reporting failure immediately and instead, remain stuck waiting for the
connection to time out. Fix this by adding the methodState == DONE &&
decision == FAIL case to allow immediate reporting of failures.

The condition from RFC 4137 as-is would cause problems for number of the
existing EAP method implementations since they use that in places where
the final message before EAP-Failure should really be sent to the EAP
server (e.g., WSC_Done in EAP-WSC). Address this by includng eapRespData
== NULL as an additional constraint for entering FAILURE state directly
from METHOD.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
069fb4712b EAP-EKE: Allow forced algorithm selection to be configured
phase1 parameters dhgroup, encr, prf, and mac can now be used to specify
which algorithm proposal is selected, e.g., with phase1="dhgroup=3
encr=1 prf=1 mac=1" selecting the mandatory-to-implement case. This is
mainly for testing purposes, but can also be used to enforce stronger
algorithms to be used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 17:18:17 +02:00
Jouni Malinen
7feff06567 Add CONFIG_CODE_COVERAGE=y option for gcov
This can be used to measure code coverage from test scripts.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-24 19:16:12 +02:00
Naresh Jayaram
fa56315cfc eap_proxy: Add context data pointer to the get_imsi call
This was already included in all the other calls to eap_proxy, but
somehow the get_imsi call had been forgotten.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-23 20:51:46 +03:00
Jouni Malinen
db13605816 EAP-AKA/AKA' peer: Allow external USIM processing to be used
This allows the new external_sim=1 case to be used to perform UMTS
authentication step in EAP-AKA/AKA' peer process. Following control
interface event is used to request the operation:

CTRL-REQ-SIM-<network id>:UMTS-AUTH:<RAND>:<AUTN> needed for SSID <SSID>

Response from external processing is returned with
CTRL-RSP-SIM-<network id> UMTS-AUTH:<IK>:<CK>:<RES>
or
CTRL-RSP-SIM-<network id> UMTS-AUTS:<AUTS>

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 13:12:04 +03:00
Jouni Malinen
569ccf719f EAP-SIM peer: Allow external SIM processing to be used
This allows the new external_sim=1 case to be used to perform GSM
authentication step in EAP-SIM peer process. Following control interface
event is used to request the operation:

CTRL-REQ-SIM-<network id>:GSM-AUTH:<RAND1>:<RAND2>[:<RAND3>] needed
for SSID <SSID>

For example:
<3>CTRL-REQ-SIM-0:GSM-AUTH:5e3496ce7d5863b3b09f97f565513bc3:
73f0f0bc5c47bcbed6f572d07ab74056:447b784f08de80bdc2b1e100fccbb534
needed for SSID test

Response from external processing is returned with
CTRL-RSP-SIM-<network id> GSM-AUTH:<Kc1>:<SRES1>:<Kc2>:<SRES2>
[:<Kc3>:<SRES3>]

For example:
wpa_cli sim 0 GSM-AUTH:d41c76e0079247aa:2709ebfb:43baa77cfc8bcd6c:
0fa98dc1:a8ad1f6e30e

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 13:12:04 +03:00
Jouni Malinen
a5d44ac083 EAP peer: Add framework for external SIM/USIM processing
The new configuration parameter external_sim=<0/1> can now be used to
configure wpa_supplicant to use external SIM/USIM processing (e.g., GSM
authentication for EAP-SIM or UMTS authentication for EAP-AKA). The
requests and responses for such operations are sent over the ctrl_iface
CTRL-REQ-SIM and CTRL-RSP-SIM commands similarly to the existing
password query mechanism.

Changes to the EAP methods to use this new mechanism will be added in
separate commits.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 13:12:04 +03:00
Jouni Malinen
01f809c7db Add AAA server domain name suffix matching constraint
The new domain_suffix_match (and domain_suffix_match2 for Phase 2
EAP-TLS) can now be used to specify an additional constraint for the
server certificate domain name. If set, one of the dNSName values (or if
no dNSName is present, one of the commonName values) in the certificate
must have a suffix match with the specified value. Suffix match is done
based on full domain name labels, i.e., "example.com" matches
"test.example.com" but not "test-example.com".

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 13:34:26 +03:00
Andrejs Cainikovs
fcf20528a0 Fix MNC length for Swisscom SIM cards
Swisscom SIM cards do not include MNC length within EF_AD, and end up
using incorrect MNC length based on the 3-digit default. Hardcode MNC
length of 2 for Switzerland, in the same manner as it was done for
Finland.

Signed-hostap: Andrejs Cainikovs <andrejs.cainikovs@sonymobile.com>
2013-08-31 10:58:23 +03:00
Jouni Malinen
7e7610d788 EAP-EKE: Add peer implementation
This adds a new password-based EAP method defined in RFC 6124.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-07-07 20:30:10 +03:00
Jouni Malinen
080585c01a Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.

hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).

This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-06-30 01:01:15 +03:00
Jouni Malinen
5e24dc8a4b Add dup_binstr() to help common binary string tasks
There are quite a few places in the current implementation where a nul
terminated string is generated from binary data. Add a helper function
to simplify the code a bit.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-04-27 23:44:59 +03:00
Shijie Zhang
d78d3c6190 EAP peer: Add check before calling getSessionId method
We should not call getSessionID method if it's not provided. This fixes
a regression from commit 950c563076 where
EAP methods that did not implement getSessionId resulted in NULL pointer
dereference when deriving the key.

Signed-off-by: Shijie Zhang <shijiez@qca.qualcomm.com>
2013-04-26 12:30:01 +03:00
Jouni Malinen
ab547b5857 WPS: Add more helpful debug for invalid WPS_REG command parsing
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-31 12:34:35 +03:00
Jouni Malinen
d8ed3a075a WPS: Fix OOB Device Password use in PSK1,PSK1 derivation
WSC specification 2.0 section 7.4 describes OOB password to be expressed
in ASCII format (upper case hexdump) instead of raw binary.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-24 10:57:49 +02:00
Jouni Malinen
38a5ad6728 WPS: Fix wps_reg nfc-pw option
Commit ffdaa05a6b added support for using
NFC password token from an AP. However, it had a bug that prevented the
wpa_supplicant wps_reg command from being used with "nfc-pw" as the PIN
value. Fix string comparison to handle this correctly.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-14 19:44:54 +02:00
Jouni Malinen
9ca8427486 EAP peer: Add Session-Id derivation to more EAP methods
This commit adds Session-Id derivation for EAP-SIM, EAP-AKA, EAP-AKA',
EAP-PSK, and EAP-SAK peer methods.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-09 01:20:45 +02:00
Stevent Li
950c563076 EAP peer: Add Session-Id derivation
This adds a new getSessionId() callback for EAP peer methods to allow
EAP Session-Id to be derived. This commits implements this for EAP-FAST,
EAP-GPSK, EAP-IKEv2, EAP-PEAP, EAP-TLS, and EAP-TTLS.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-09 01:20:38 +02:00
Jouni Malinen
62cab3b737 eap_proxy: Add a dummy implementation for compilation testing
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-08 11:54:05 +02:00
Deepthi Gowri
45f4a97a3a eap_proxy: Add mechanism for allowing EAP methods to be offloaded
In addition to the offload mechanism, the Android configuration and
makefiles are extended to allow this to be configured for the build by
dropping in platform specific configuration files and makefile without
having to modify any existing files.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-08 11:54:01 +02:00
Paul Stewart
93c7e332c2 wpa_supplicant: Add more DBus EAP status
Signal the start of EAP authentication as well as when additional
credentials are required to complete.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2013-01-12 19:51:18 +02:00
Jouni Malinen
34d18540fc EAP-FAST: Allow empty PAC file to be used
Even if the PAC file does not start with the proper header line, allow
the file to be used if it is empty. [Bug 423]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:33:22 +02:00
Jouni Malinen
ed61d2a5f9 Fix regression in LEAP
Commit 458cb30191 broke LEAP since it
rejects EAP-Success packet that is used within LEAP and this frame does
not have a payload. Fix LEAP by relaxing the generic EAP packet
validation if LEAP has been negotiated.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-11 21:50:57 +03:00
Jouni Malinen
458cb30191 EAP-TLS: Add extra validation for TLS Message Length
While the existing code already addresses TLS Message Length validation
for both EAP-TLS peer and server side, this adds explicit checks and
rejection of invalid messages in the functions handling reassembly. This
does not change externally observable behavior in case of EAP server.
For EAP peer, this starts rejecting invalid messages instead of
addressing them by reallocating the buffer (i.e., ignoring TLS Message
Length in practice).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-07 20:18:10 +03:00
Jouni Malinen
e026159a8e EAP-SIM/AKA: Store pseudonym identity in configuration
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 13:04:18 +03:00
Jouni Malinen
9343498989 EAP-SIM/AKA peer: Note sending of Client-Error in debug log
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 00:58:03 +03:00
Jouni Malinen
5d65ca514d EAP-SIM peer: Fix AT_COUNTER_TOO_SMALL use
The AT_NONCE_S value needs to be used in AT_MAC calculation for
SIM/Re-authentication response even if re-authentication is rejected
with AT_COUNTER_TOO_SMALL.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-09-02 00:39:48 +03:00
Jouni Malinen
09bcf3be9c Clear idleWhile timer when EAP peer state machine is not in use
This allows the EAPOL tick timer to be stopped more quickly when
getting disconnected.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-26 23:35:08 +03:00
Jouni Malinen
065d2895b4 Add UNAUTH-TLS vendor specific EAP type
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.

The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-22 22:34:11 +03:00
Jouni Malinen
d13f9857f8 Use proper private enterprise number for EAP VENDOR-TEST
Now that the project has its own code, it should be used with the
VENDOR-TEST EAP method.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-22 21:37:19 +03:00
Jouni Malinen
c22075e144 Disable TLS Session Ticket extension by default for EAP-TLS/PEAP/TTLS
Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:26:28 +03:00
Jouni Malinen
f210493b6e Add phase1/phase2 parameter for disabling TLS Session Ticket extension
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:21:28 +03:00
Jouni Malinen
c9e08af24f Do not export TLS keys in FIPS mode
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 19:38:15 +03:00
Jouni Malinen
371296881a EAP-TTLS: Allow TTLS to be built without MSCHAPv2 support
Previously, CONFIG_EAP_MSCHAPV2=y was assumed to be set for
CONFIG_EAP_TTLS=y. Avoid this dependency by making including the
MSCHAPv2 parts in EAP-TTLS conditionally.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 19:02:44 +03:00
Jouni Malinen
305dbc9870 EAP-MD5: Verify that CHAP operation succeeds
The MD5 operation may be disabled in the security policy so chap_md5()
call can fail.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 18:49:02 +03:00
Jouni Malinen
ce7daaae53 MSCHAPv2: Check operation success for NT response generation
These functions could fail (e.g., if MD4 is disabled in the security
policy).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 18:42:27 +03:00
Jouni Malinen
067ffa2696 Convert os_realloc() for an array to use os_realloc_array()
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-13 21:21:23 +03:00
Jouni Malinen
f54eb34995 Add extra validation of EAP header length field
These validation steps are already done in the EAP parsing code and in
the EAP methods, but the additional check is defensive programming and
can make the validation of received EAP messages more easier to
understand.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-07 23:03:25 +03:00
Jouni Malinen
0ebb23e340 EXT PW: Add support for password parameter from external storage
This allows the password parameter for EAP methods to be fetched
from an external storage.

Following example can be used for developer testing:

ext_password_backend=test:pw1=password|pw2=testing

network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user"
    password=ext:pw1
    ca_cert="ca.pem"
    phase2="auth=PAP"
}

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-03 22:15:42 +03:00
Jouni Malinen
daf10baf9e EAP-pwd: Replace direct OpenSSL HMAC use with wrapper
This is a step towards allowing EAP-pwd to be supported with other
crypto libraries.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-07-02 22:10:03 +03:00
Jouni Malinen
8350d0afd8 EAP-pwd: Avoid double-frees on some error paths
At least some error paths (e.g., hitting the limit on hunt-and-peck
iterations) could have resulted in double-freeing of some memory
allocations. Avoid this by setting the pointers to NULL after they have
been freed instead of trying to free the data structure in a location
where some external references cannot be cleared. [Bug 453]

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-30 16:16:32 +03:00
Jouni Malinen
e484e927a6 WPS: Allow NFC password token from AP to be used with wps_reg
The AP PIN on wps_reg command can now be replaced with special value
"nfc-pw" to use device password from a NFC password token from the AP.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-28 19:41:26 +03:00
Jouni Malinen
0965813640 WPS: Fix OOB Device Password use for EAP-WSC peer
The OOB Device Password is passed in as a hexdump of the real Device
Password (16..32 octets of arbitrary binary data). The hexdump needs to
be converted to binary form before passing it for WPS processing.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-27 21:22:12 +03:00
Paul Stewart
dd7fec1f29 wpa_supplicant: Report EAP connection progress to DBus
Send an "EAP" signal via the new DBus interface under various
conditions during EAP authentication:

  - During method selection (ACK and NAK)
  - During certificate verification
  - While sending and receiving TLS alert messages
  - EAP success and failure messages

This provides DBus callers a number of new tools:

  - The ability to probe an AP for available EAP methods
    (given an identity).
  - The ability to identify why the remote certificate was
    not verified.
  - The ability to identify why the remote peer refused
    a TLS connection.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2012-06-04 21:10:01 +03:00
Jouni Malinen
762e4ce620 EAP-AKA': Update to RFC 5448
There was a technical change between the last IETF draft version
(draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters
used in the username (i.e., use unique characters for EAP-AKA' instead
of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and
peer implementations to use the leading characters based on the final
RFC.

Note: This will make EAP-AKA' not interoperate between the earlier
draft version and the new version.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-05-02 20:45:01 +03:00
Jouni Malinen
9f98810c5d TLS: Use separate TLS library context for tunneled TLS
OpenSSL wrapper was using the same certificate store for both Phase 1
and Phase 2 TLS exchange in case of EAP-PEAP/TLS, EAP-TTLS/TLS, and
EAP-FAST/TLS. This would be fine if the same CA certificates were used
in both phases, but does not work properly if different CA certificates
are used. Enforce full separation of TLS state between the phases by
using a separate TLS library context in EAP peer implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-04-07 20:57:02 +03:00
Jouni Malinen
e19467e161 TTLS: Fix peer challenge generation for TTLS/MSCHAPv2
Commit 30680e9332 changed the length
of the implicit challenge result to match with the exact length used
in TTLS. However, it failed to update the peer_challenge generation
to use a separate random value. Previously, this was generated as
part of the implicit challenge, but more correct way would have been
to generate a random value for it separately. Do this now to fix the
read after the allocated buffer (16 bytes after the implicit
challenge).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
2012-03-05 16:59:03 +02:00
Jouni Malinen
05c15c897d EAP-AKA peer: Clean up forgetting-id debug prints
Do not show forgetting of old id values if no value was stored.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-16 23:25:53 +02:00
Jouni Malinen
0f3d578efc Remove the GPL notification from files contributed by Jouni Malinen
Remove the GPL notification text from the files that were
initially contributed by myself.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 19:39:36 +02:00
Jouni Malinen
0dd1603c3f Remove the GPL notification from EAP-pwd implementation
Remove the GPL notification text from EAP-pwd implementation per
approval from Dan Harkins who contributed these files.
(email from Dan Harkins <dharkins@lounge.org> dated
Wed, 4 Jan 2012 16:25:48 -0800)

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 19:39:36 +02:00
Dan Harkins
5ea93947ca EAP-pwd: Add support for fragmentation
Signed-hostap: Dan Harkins <dharkins@lounge.org>
2012-02-11 12:46:30 +02:00
Simon Baatz
4ac384c596 EAP-AKA peer: Append realm when learning the pseudonym
The pseudonym identity should use a realm in environments where a realm is
used. Thus, the realm of the permanent identity is added to the pseudonym
username sent by the server.

Signed-hostap: Simon Baatz <gmbnomis@gmail.com>
2012-01-28 19:41:19 +02:00
Simon Baatz
a6689be84f EAP-SIM peer: Append realm when learning the pseudonym
The pseudonym identity should use a realm in environments where a realm is
used. Thus, the realm of the permanent identity is added to the pseudonym
username sent by the server.

Signed-hostap: Simon Baatz <gmbnomis@gmail.com>
2012-01-28 19:38:46 +02:00
Jouni Malinen
e6c6274947 Add preliminary MNC length determination based on IMSI
Some SIM cards do not include MNC length with in EF_AD. Try to figure
out the MNC length based on the MCC/MNC values in the beginning of the
IMSI. This covers a prepaid Elisa/Kolumbus card that would have ended
up using incorrect MNC length based on the 3-digit default.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-01-22 21:54:24 +02:00
Jouni Malinen
a3e0105692 Avoid unnecessary memory allocation in building of SIM realm
The temporary IMSI buffer can be used for this without needing the
extra memory allocation. In addition, the implementation is easier
to understand when the extra identity prefix value for EAP-SIM/AKA
is not included while fetching MCC/MNC from the IMSI.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-01-22 21:54:24 +02:00
Simon Baatz
2d7d0ab307 EAP-SIM/EAP-AKA peer: Support realms according to 3GPP TS 23.003
If the identity is derived from the SIM, use a realm according
to 3GPP TS 23.003.

Signed-hostap: Simon Baatz <gmbnomis@gmail.com>
2012-01-22 21:54:24 +02:00
Jouni Malinen
4646ee67c0 Reject too short IMSI in EAP-SIM/AKA identity generation
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-01-22 21:54:24 +02:00
Jouni Malinen
8b41e05656 EAP-AKA peer: Keep pseudonym identity across EAP exchanges
This updates EAP-AKA peer implementation with the changes that previous
commits did for EAP-SIM.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-12-04 17:21:22 +02:00
Simon Baatz
1037235ca0 EAP-SIM peer: Only log the identities that we actually forget
[Bug 425]
2011-12-04 17:17:21 +02:00
Simon Baatz
a9f40ae720 EAP-SIM: Keep pseudonym identity
The pseudonym is a temporary identity, but is no one-time identifier (like
the fast re-authentication identity). Thus, do not forget it if the server
does not include it in every challenge. There are servers that include the
pseudonym identity only at full-auth. [Bug 424]
2011-12-04 17:15:16 +02:00
Jouni Malinen
cd52acec85 Rename tls_prf() to tls_prf_sha1_md5()
Prepare for multiple TLS PRF functions by renaming the SHA1+MD5 based
TLS PRF function to more specific name and add tls_prf() within the
internal TLS implementation as a wrapper for this for now.

Signed-hostap: Jouni Malinen <j@w1.fi>
2011-11-27 21:27:01 +02:00