path: root/src/eap_peer/eap_pwd.c
Commit message | Author | Age | Files | Lines
* EAP-pwd peer: Fix error path for unexpected Confirm message | Jouni Malinen | 2015-11-10 | 1 | -1/+2
  If the Confirm message is received from the server before the Identity exchange has been completed, the group has not yet been determined and data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange() did not take this corner case into account and could end up dereferencing a NULL pointer and terminating the process if invalid message sequence is received. (CVE-2015-5316)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Fix last fragment length validation | Jouni Malinen | 2015-11-10 | 1 | -4/+3
  All but the last fragment had their length checked against the remaining room in the reassembly buffer. This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination. (CVE-2015-5315)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Comment out MS password hash if CONFIG_FIPS=y | Jouni Malinen | 2015-08-02 | 1 | -0/+7
  The needed hash functions are not available in FIPS mode.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Make sure in_frag_pos is cleared to zero on allocation | Jouni Malinen | 2015-05-03 | 1 | -0/+1
  The cleanup code will handle this, but it is more robust to make sure this is cleared to zero when allocating a new buffer.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Fix asymmetric fragmentation behavior | Jouni Malinen | 2015-05-03 | 1 | -0/+1
  The L (Length) and M (More) flags need to be cleared before deciding whether the locally generated response requires fragmentation. This fixes an issue where these flags from the server could have been invalid for the following message. In some cases, this could have resulted in triggering the wpabuf security check that would terminate the process due to invalid buffer allocation.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Fix Total-Length parsing for fragment reassembly | Jouni Malinen | 2015-05-03 | 1 | -0/+12
  The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer. In addition, check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing invalid message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Fix payload length validation for Commit and Confirm | Jouni Malinen | 2015-05-03 | 1 | -0/+29
  The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message. Fix this by verifying that the payload is of expected length before processing it. In addition, enforce correct state transition sequence to make sure there is no unexpected behavior if receiving a Commit/Confirm message before the previous exchanges have been completed. Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Add support for hashed password | Jouni Malinen | 2015-03-28 | 1 | -6/+60
  This extends EAP-pwd peer support to allow NtHash version of password storage in addition to full plaintext password. In addition, this allows the server to request hashed version even if the plaintext password is available on the client. Furthermore, unsupported password preparation requests are now rejected rather than allowing the authentication attempt to continue.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Remove unnecessary OpenSSL EVP_sha256() registration | Jouni Malinen | 2014-11-16 | 1 | -1/+0
  This gets registered in tls_openssl.c from tls_init(), so there is no need for EAP-pwd implementation to register explicitly. This avoids some corner cases where OpenSSL resources do not get fully freed on exit.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Clear identity string and temporary buffer explicitly | Jouni Malinen | 2014-07-24 | 1 | -4/+4
  Use an explicit memset call to clear any configuration parameter and dynamic data that contains private information like keys or identity. This brings in an additional layer of protection by reducing the length of time this type of private data is kept in memory.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Verify BN_rand_range return code | Florent Daigniere | 2014-07-24 | 1 | -5/+9
  This makes the EAP-pwd server and peer implementations more robust should OpenSSL fail to derive random number for some reason. While this is unlikely to happen in practice, the implementation better be prepared for this should something unexpected ever happen. See http://jbp.io/2014/01/16/openssl-rand-api/#review-of-randbytes-callers for more details.
  Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* EAP-pwd: Use os_memcmp_const() for hash comparisons | Florent Daigniere | 2014-07-24 | 1 | -1/+1
  This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices.
  Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* OpenSSL: Use EC_POINT_clear_free instead of EC_POINT_free | Florent Daigniere | 2014-07-24 | 1 | -5/+5
  This changes OpenSSL calls to explicitly clear the EC_POINT memory allocations when freeing them. This adds an extra layer of security by avoiding leaving potentially private keys into local memory after they are not needed anymore. While some of these variables are not really private (e.g., they are sent in clear anyway), the extra cost of clearing them is not significant and it is simpler to just clear these explicitly rather than review each possible code path to confirm where this does not help.
  Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* OpenSSL: Use BN_clear_free instead of BN_free | Florent Daigniere | 2014-07-24 | 1 | -12/+12
  This changes OpenSSL calls to explicitly clear the bignum memory allocations when freeing them. This adds an extra layer of security by avoiding leaving potentially private keys into local memory after they are not needed anymore. While some of these variables are not really private (e.g., they are sent in clear anyway), the extra cost of clearing them is not significant and it is simpler to just clear these explicitly rather than review each possible code path to confirm where this does not help.
  Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* EAP peer: Clear keying material on deinit | Jouni Malinen | 2014-07-02 | 1 | -2/+2
  Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Add explicit total length limit | Jouni Malinen | 2014-07-02 | 1 | -0/+2
  Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a fragmented EAP-pwd message explicitly to 15000 bytes. None of the supported groups use longer messages, so it is fine to reject any longer message without even trying to reassemble it. This will hopefully also help in reducing false warnings from static analyzers (CID 68124).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Fix processing of group setup failure | Jouni Malinen | 2014-05-11 | 1 | -3/+6
  If invalid group was negotiated, compute_password_element() left some of the data->grp pointer uninitialized and this could result in segmentation fault when deinitializing the EAP method. Fix this by explicitly clearing all the pointers with eap_zalloc(). In addition, speed up EAP failure reporting in this type of error case by indicating that the EAP method execution cannot continue anymore on the peer side instead of waiting for a timeout.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Export Session-Id through getSessionId callback | Jouni Malinen | 2014-05-11 | 1 | -1/+22
  EAP-pwd was already deriving the EAP Session-Id, but it was not yet exposed through the EAP method API.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Fix fragmentation of PWD-Confirm-Resp | Jouni Malinen | 2014-04-05 | 1 | -4/+16
  This is somewhat of a corner case since there is no real point in using so short a fragmentation threshold that it would result in this message getting fragmented. Anyway, it is better to be complete and support this case as well.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Fix memory leak on error path with fragmentation | Jouni Malinen | 2014-04-05 | 1 | -0/+4
  If fragmentation is used, the temporary inbuf/outbuf could have been leaked in error cases (e.g., reaching maximum number of roundtrips).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Allow fragmentation limit to be configured | Jouni Malinen | 2014-01-07 | 1 | -1/+6
  The standard fragment_size network parameter can now be used to configure EAP-pwd fragmentation limit instead of always using the hardcoded value of 1020.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Replace direct OpenSSL HMAC use with wrapper | Jouni Malinen | 2012-07-02 | 1 | -25/+30
  This is a step towards allowing EAP-pwd to be supported with other crypto libraries.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Avoid double-frees on some error paths | Jouni Malinen | 2012-06-30 | 1 | -1/+5
  At least some error paths (e.g., hitting the limit on hunt-and-peck iterations) could have resulted in double-freeing of some memory allocations. Avoid this by setting the pointers to NULL after they have been freed instead of trying to free the data structure in a location where some external references cannot be cleared. [Bug 453]
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove the GPL notification from EAP-pwd implementation | Jouni Malinen | 2012-02-11 | 1 | -8/+2
  Remove the GPL notification text from EAP-pwd implementation per approval from Dan Harkins who contributed these files. (email from Dan Harkins <dharkins@lounge.org> dated Wed, 4 Jan 2012 16:25:48 -0800)
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Add support for fragmentation | Dan Harkins | 2012-02-11 | 1 | -72/+229
  Signed-hostap: Dan Harkins <dharkins@lounge.org>
* EAP-pwd: Remove struct eap_pwd_hdr | Jouni Malinen | 2011-11-19 | 1 | -3/+2
  This structure was not really used for anything apart from figuring out length of the EAP-pwd header (and even that in a way that would not work with fragmentation). Since the bitfields in the structure could have been problematic depending on target endianness, remove this unnecessary structure.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Fix zero-padding of input to H() | Dan Harkins | 2011-11-19 | 1 | -14/+33
  Another niceness of OpenSSL is that if the high-order bit of a 521-bit big num is not set then BN_bn2bin() will just return 65 bytes instead of 66 bytes with the 1st (big endian, after all) being all zero. When this happens the wrong number of octets are mixed into function H(). So there's a whole bunch of "offset" computations and BN_bn2bin() dumps the big number into a buffer + offset. That should be obvious in the patch too.
* EAP-pwd: Fix some interoperability issues | Dan Harkins | 2011-01-16 | 1 | -4/+6
  The changes are:
  1. the word "and" in the hunting-and-pecking string passed to the KDF should be capitalized.
  2. the primebitlen used in the KDF should be a short not an int.
  3. the computation of MK in hostap is based on an older version of the draft and is not the way it's specified in the RFC.
  4. the group being passed into computation of the Commit was not in network order.
* EAP-pwd: Fix couple of memory leaks | Jouni Malinen | 2010-09-15 | 1 | -1/+8
* EAP-pwd: Move bnctx into per-protocol instance structure | Jouni Malinen | 2010-09-15 | 1 | -21/+26
  This avoids double frees of bnctx and related crashes.
* EAP-pwd: Add support for EAP-pwd server and peer functionality | Dan Harkins | 2010-09-15 | 1 | -0/+730
  This adds an initial EAP-pwd (RFC 5931) implementation. For now, this requires OpenSSL.