path: root/src/eap_common
Commit message | Author | Age | Files | Lines
* EAP-TEAP: Add parsing and generation routines for Identity-Type TLV | Jouni Malinen | 2019-08-19 | 2 | -0/+35
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Support vendor EAP method in Phase 2 | Jouni Malinen | 2019-08-17 | 2 | -3/+5
  The implementation was previously hardcoded to use only the non-expanded IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods with expanded header to be used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Replace EapType typedef with enum eap_type | Jouni Malinen | 2019-08-17 | 3 | -10/+10
  This cleans up coding style of the EAP implementation by avoiding typedef of an enum hiding the type of the variables.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP: Add parsing of Error TLV | Jouni Malinen | 2019-08-16 | 2 | -0/+10
  This TLV needs to be processed properly instead of NAK'ed as unsupported.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP: Fix TLS-PRF for TLS ciphersuites that use SHA384 | Jouni Malinen | 2019-08-16 | 2 | -15/+26
  These need to be using the HMAC-based TLS-PRF with SHA384 instead of SHA256 as the hash algorithm.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server and peer implementation (RFC 7170) | Jouni Malinen | 2019-07-09 | 3 | -0/+917
  This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved.
  This does not yet support use of NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Run through prf result processing even if it >= prime | Jouni Malinen | 2019-07-02 | 1 | -4/+12
  This reduces differences in timing and memory access within the hunting-and-pecking loop for ECC groups that have a prime that is not close to a power of two (e.g., Brainpool curves).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: New style fuzzing tool for EAP-SIM peer processing | Jouni Malinen | 2019-06-02 | 1 | -0/+5
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Add support for anonymous@realm | Hai Shalom | 2019-05-31 | 2 | -0/+17
  SIM-based EAP authentication with IMSI encryption requires a special EAP Identity response: anonymous@realm. Then the server sends AKA-Identity request which is answered with the encrypted IMSI. Add logic that indicates if the special anonymous identity is used. Otherwise, this field is used for storing the pseudonym.
  Test: Connect to Carrier Wi-Fi, verify correct behavior from captures
  Test: Connect to non IMSI encrypted EAP-AKA AP, verify pseudonym usage
  Signed-off-by: Hai Shalom <haishalom@google.com>
* Share common SAE and EAP-pwd functionality: own scalar generation | Jouni Malinen | 2019-04-26 | 1 | -21/+2
  Use a shared helper function for deriving rand, mask, and own scalar.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Share common SAE and EAP-pwd functionality: is_quadratic_residue | Jouni Malinen | 2019-04-25 | 1 | -45/+10
  Use a shared helper function for the blinded mechanism of determining the Legendre symbol.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Share common SAE and EAP-pwd functionality: random 1..p-1 creation | Jouni Malinen | 2019-04-25 | 1 | -11/+5
  Use a shared helper function to create a random value in 1..p-1 range for is_quadratic_residue().
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Share common SAE and EAP-pwd functionality: random qr/qnr creation | Jouni Malinen | 2019-04-25 | 1 | -15/+2
  Use a shared helper function to create random qr/qnr values.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Share common SAE and EAP-pwd functionality: suitable groups | Jouni Malinen | 2019-04-25 | 1 | -10/+2
  Start sharing common SAE and EAP-pwd functionality by adding a new source code file that can be included into both. This first step is bringing in a shared function to check whether a group is suitable.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Share a single buf_shift_right() implementation | Jouni Malinen | 2019-04-25 | 1 | -9/+0
  Move the identical function used by both SAE and EAP-pwd to src/utils/common.c to avoid duplicated implementation.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison | Jouni Malinen | 2019-04-25 | 1 | -5/+8
  This reduces timing and memory access pattern differences for an operation that could depend on the used password.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-SAKE: Report hash function failures to callers | Jouni Malinen | 2019-04-19 | 2 | -35/+48
  While this is mostly theoretical, the hash functions can fail and it is better for the upper layer code to explicitly check for such failures.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Remove unused checks for cofactor > 1 cases | Jouni Malinen | 2019-04-13 | 1 | -51/+2
  None of the ECC groups supported in the implementation had a cofactor greater than 1, so these checks are unreachable and for all cases, the cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallows use of ECC groups with cofactor larger than 1, so these checks cannot be needed for any curve that is compliant with the RFC.
  Remove the unneeded group cofactor checks to simplify the implementation.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Disallow ECC groups with a prime under 256 bits | Jouni Malinen | 2019-04-13 | 1 | -0/+13
  Based on the SAE implementation guidance update to not allow ECC groups with a prime that is under 256 bits, reject groups 25, 26, and 27 in EAP-pwd.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Enforce 1 < rand,mask < r and rand+mask mod r > 1 | Jouni Malinen | 2019-04-09 | 2 | -0/+31
  RFC 5931 has these conditions as MUST requirements, so better follow them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases are very unlikely to occur in practice while generating random values locally.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Check element x,y coordinates explicitly | Jouni Malinen | 2019-04-09 | 2 | -0/+109
  This adds an explicit check for 0 < x,y < prime based on RFC 5931, 2.8.5.2.2 requirement. The earlier checks might have covered this implicitly, but it is safer to avoid any dependency on implicit checks and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
  Furthermore, this moves the EAP-pwd element and scalar parsing and validation steps into shared helper functions so that there is no need to maintain two separate copies of this common functionality between the server and peer implementations.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Use constant time and memory access for finding the PWE | Jouni Malinen | 2019-04-09 | 1 | -88/+99
  This algorithm could leak information to external observers in form of timing differences or memory access patterns (cache use). While the previous implementation had protection against the most visible timing differences (looping 40 rounds and masking the legendre operation), it did not protect against memory access patterns between the two possible code paths in the masking operations. That might be sufficient to allow an unprivileged process running on the same device to be able to determine which path is being executed through a cache attack and based on that, determine information about the used password.
  Convert the PWE finding loop to use constant time functions and identical memory access path without different branches for the QR/QNR cases to minimize possible side-channel information similarly to the changes done for SAE authentication. (CVE-2019-9495)
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Fix a memory leak in hunting-and-pecking loop | Jouni Malinen | 2019-03-06 | 1 | -0/+1
  tmp2 (y^2) was derived once in each iteration of the loop and only freed after all the loop iterations. Fix this by freeing the temporary value during each iteration.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add explicit checks for peer's DH public key | Jouni Malinen | 2019-03-05 | 1 | -1/+1
  Pass the group order (if known/specified) to crypto_dh_derive_secret() (and also to OpenSSL DH_generate_key() in case of Group 5) and verify that the public key received from the peer meets 1 < pubkey < p and pubkey^q == 1 mod p conditions.
  While all these use cases were using only ephemeral DH keys, it is better to use more explicit checks while deriving the shared secret to avoid unexpected behavior.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Mask timing of PWE derivation | Dan Harkins | 2018-05-28 | 1 | -41/+130
  Run through the hunting-and-pecking loop 40 times to mask the time necessary to find PWE. The odds of PWE not being found in 40 loops is roughly 1 in 1 trillion.
  Signed-off-by: Dan Harkins <dharkins@lounge.org>
* EAP-pwd: Pre-processing method definitions from RFC 8146 | Dan Harkins | 2018-05-28 | 1 | -0/+3
  Add new password pre-processing method definitions in preparation for salted passwords with EAP-pwd.
  Signed-off-by: Dan Harkins <dharkins@lounge.org>
* EAP-pwd: Move EC group initialization to earlier step | Dan Harkins | 2018-05-28 | 2 | -9/+24
  This is needed for adding support for salted passwords.
  Signed-off-by: Dan Harkins <dharkins@lounge.org>
* EAP-pwd: Use abstract crypto API | Sean Parkinson | 2017-12-24 | 2 | -124/+67
  This makes it easier to use EAP-pwd with other crypto libraries than OpenSSL.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* EAP-EKE: Use abstract crypto API | Sean Parkinson | 2017-12-24 | 1 | -27/+5
  This makes it easier to use EAP-pwd with other crypto libraries.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* Use os_memdup() | Johannes Berg | 2017-03-07 | 1 | -6/+3
  This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively.
  The mechanical conversions all over the code were done with the following spatch:
  @@ expression SIZE, SRC; expression a; @@ -a = os_malloc(SIZE); +a = os_memdup(SRC, SIZE); <... if (!a) {...} ...> -os_memcpy(a, SRC, SIZE);
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
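Review bot: the "<... if (!a) {...} ...>" nest between the removed os_malloc() line and the removed os_memcpy() line accepts arbitrary statements, so the rule also matches call sites where code between the allocation and the copy writes to the SRC buffer or changes SIZE. At such a site, copying at allocation time through os_memdup(SRC, SIZE) is not equivalent to the original late os_memcpy(). Suggest constraining the nest with a "when !=" clause on SRC and SIZE, or stating in the commit message that the converted sites were checked for intermediate writes.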
* Remove trailing whitespace | Jouni Malinen | 2016-12-28 | 1 | -1/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Split tls_connection_prf() into two functions | David Benjamin | 2016-05-23 | 2 | -4/+3
  Most protocols extracting keys from TLS use RFC 5705 exporters which is commonly implemented in TLS libraries. This is the mechanism used by EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined to be compatible with it.)
  EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal key block derivation and derives key material after the key block. This is uncommon and a misuse of TLS internals, so not all TLS libraries support this. Instead, we reimplement the PRF for the OpenSSL backend and don't support it at all in the GnuTLS one.
  Since these two are very different operations, split tls_connection_prf() in two. tls_connection_export_key() implements the standard RFC 5705 mechanism that we expect most TLS libraries to support. tls_connection_get_eap_fast_key() implements the EAP-FAST-specific legacy mechanism which may not be implemented on all backends but is only used by EAP-FAST.
  Signed-Off-By: David Benjamin <davidben@google.com>
* EAP-PAX: Check hmac_sha1_vector() return value | Jouni Malinen | 2016-01-06 | 1 | -2/+4
  This function can fail at least in theory, so check its return value before proceeding. This is mainly helping automated test case coverage to reach some more error paths.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-EKE: Merge identical error return paths | Jouni Malinen | 2015-12-21 | 1 | -30/+11
  There is no need to maintain multiple copies of the same error return path.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-EKE: Reject too long Prot() data when building a frame | Jouni Malinen | 2015-12-21 | 1 | -0/+1
  This error case in own buffer lengths being too short was not handled properly. While this should not really happen since the wpabuf allocation is made large for the fixed cases that are currently supported, better make eap_eke_prot() safer if this functionality ever gets extended with a longer buffer need.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST: Check T-PRF result in MSK/EMSK derivation | Jouni Malinen | 2015-12-12 | 2 | -10/+14
  Pass the error return from sha1_t_prf() to callers.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-IKEv2: Check HMAC SHA1/MD5 result | Jouni Malinen | 2015-12-05 | 1 | -8/+7
  Make the IKEv2 helper functions return a possible error return from the HMAC routines.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SAKE: Fix a typo in attribute parser debug print | Jouni Malinen | 2015-11-28 | 1 | -1/+1
  Parsing AT_MSK_LIFE ended up writing a debug log entry with incorrect attribute name (AT_IV).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Add support for Brainpool Elliptic Curves | Jouni Malinen | 2015-11-01 | 1 | -0/+20
  This allows the IKE groups 27-30 (RFC 6932) to be used with OpenSSL 1.0.2 and newer.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-GPSK: Check HMAC-SHA256 result in GKDF and MIC | Jouni Malinen | 2015-10-17 | 1 | -3/+6
  hmac_sha256() and hmac_sha256_vector() return a result code now, so use that return value to terminate HMAC-SHA256-based GKDF/MIC similarly to what was already done with the CMAC-based GKDF/MIC.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SAKE: Make attribute parser more readable | Jouni Malinen | 2015-05-03 | 1 | -43/+43
  Clean up eap_sake_parse_add_attr() design by passing in pointer to the payload of the attribute instead of parsing these separately for each attribute within the function.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix a typo in function documentation | Jouni Malinen | 2015-05-03 | 1 | -1/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Declare all read only data structures as const | Mikael Kanstrup | 2015-04-25 | 1 | -3/+3
  By analysing objdump output some read only structures were found in .data section. To help compiler further optimize code declare these as const.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
* tests: Add eapol-fuzzer | Jouni Malinen | 2015-04-22 | 1 | -3/+26
  This program can be used to run fuzzing tests for areas related to EAPOL frame parsing and processing on the supplicant side.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Make tls_connection_get_keyblock_size() internal to tls_*.c | Jouni Malinen | 2015-04-01 | 1 | -10/+2
  This function exposes internal state of the TLS negotiated parameters for the sole purpose of being able to implement PRF for EAP-FAST. Since tls_connection_prf() is now taking care of all TLS-based key derivation cases, it is cleaner to keep this detail internal to each tls_*.c wrapper implementation.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Use tls_connection_prf() for all EAP TLS-based key derivation | Jouni Malinen | 2015-03-31 | 1 | -29/+6
  tls_openssl.c is the only remaining TLS/crypto wrapper that needs the internal PRF implementation for EAP-FAST (since SSL_export_keying_material() is not available in older versions and does not support server-random-before-client case). As such, it is cleaner to assume that TLS libraries support tls_connection_prf() and move the additional support code for the otherwise unsupported cases into tls_openssl.c.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-pwd: Mark helper function arguments const when appropriate | Jouni Malinen | 2015-03-28 | 2 | -12/+18
  These variables are not modified during PWE or key computation.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add TV/TLV parser | Jouni Malinen | 2014-12-04 | 2 | -2/+95
  This is needed for ERP implementation on both the server/authenticator and peer side.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add defines for EAP Re-Authentication Protocol | Jouni Malinen | 2014-12-03 | 1 | -2/+32
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PAX: Derive EAP Session-Id | Jouni Malinen | 2014-11-30 | 2 | -3/+8
  This adds EAP-PAX server and peer method functions for deriving Session-Id from Method-Id per RFC 4746 and RFC 5247.
  Signed-off-by: Jouni Malinen <j@w1.fi>