path: root/src/eap_peer
Commit message (Collapse)AuthorAgeFilesLines
* EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is usedJouni Malinen2020-06-201-0/+9
| | | | | | | | The EAP-TEAP server may skip Phase 2 if the client authentication could be completed during Phase 1 based on client certificate. Handle this similarly to the case of PAC use. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer: Convert Boolean to C99 boolJouni Malinen2020-04-2426-294/+294
| | | | Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAPOL supp: Convert Boolean to C99 boolJouni Malinen2020-04-241-3/+2
| | | | Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-SIM peer: Do not accept SIM/Challenge without SIM/StartJouni Malinen2019-12-231-2/+15
| | | | | | | | | | | | | EAP-SIM full authentication starts with one or more SIM/Start rounds, so reject an unexpected SIM/Challenge round without any preceeding SIM/Start rounds to avoid unexpected behavior. In practice, an attempt to start with SIM/Challenge would have resulted in different MK being derived and the Challenge message getting rejected due to mismatching AT_MAC unless the misbehaving server has access to valid Kc, so the end result is identical, but it is cleaner to reject the unexpected message explicitly to avoid any risk of trying to proceed without NONCE_MT. Signed-off-by: Jouni Malinen <j@w1.fi>
* Clean up base64_{encode,decode} pointer typesJouni Malinen2019-11-281-3/+2
| | | | | | | | Allow any pointer to be used as source for encoding and use char * as the return value from encoding and input value for decoding to reduce number of type casts needed in the callers. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix wpa_supplicant build with CONFIG_PCSC=yJouni Malinen2019-09-181-3/+3
| | | | | | | | | This code block with dependency on PCSC_FUNCS was missed when conf->pin was moved to conf->cert.pin. Fix this to get rid of compilation issues with CONFIG_PCSC=y builds. Fixes: b99c4cadb7f8 ("EAP peer: Move certificate configuration params into shared struct") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TEAP peer: Clear Phase 2 EAP method on new Identity exchangeJouni Malinen2019-09-011-9/+19
| | | | | | | | This is needed to allow clean transition from one inner EAP authentication method to another one if EAP method negotiation is needed within Phase 2. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Add support for machine credentials using certificatesJouni Malinen2019-09-018-18/+71
| | | | | | | | | This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is an explicit request for machine credentials. The network profile parameters are otherwise same as the Phase 1 parameters, but each one uses a "machine_" prefix for the parameter name. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer config: Move ocsp param to phase1/phase2Jouni Malinen2019-09-012-15/+15
| | | | | | | | | OCSP configuration is applicable to each instance of TLS-based authentication and as such, the configuration might need to be different for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and add a separate ocsp2 network profile parameter to set this for Phase 2. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer: Move certificate configuration params into shared structJouni Malinen2019-09-015-312/+140
| | | | | | | | | | | These parameters for certificate authentication are identical for the Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel). Furthermore, yet another copy would be needed to support separate machine credential in Phase 2. Clean this up by moving the shared parameters into a separate data struct that can then be used for each need without having to define separate struct members for each use. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Fix protected indication of inner EAP method failureJouni Malinen2019-08-241-1/+2
| | | | | | | | Need to leave EAP-TEAP methodState == MAY_CONT when marking decision = FAIL based on inner EAP method failure since this message will be followed by protected failure indication. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Add support for machine authenticationJouni Malinen2019-08-201-6/+24
| | | | | | | This allows a separate machine credential to be used for authentication if the server requests Identity-Type = 2 (machine). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer: Add a concept of a separate machine credentialJouni Malinen2019-08-203-9/+88
| | | | | | | | | | | | | | | | | This is an initial step in adding support for configuring separate user and machine credentials. The new wpa_supplicant network profile parameters machine_identity and machine_password are similar to the existing identity and password, but explicitly assigned for the purpose of machine authentication. This commit alone does not change actual EAP peer method behavior as separate commits are needed to determine when there is an explicit request for machine authentication. Furthermore, this is only addressing the username/password credential type, i.e., additional changes following this design approach will be needed for certificate credentials. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Support Identity-Type TLVJouni Malinen2019-08-191-5/+18
| | | | | | | | Parse the received Identity-Type TLV and report the used Identity-Type in response if the request included this TLV. For now, only the Identity-Type 1 (User) is supported. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP: Increase the maximum number of message exchangesJouni Malinen2019-08-182-1/+19
| | | | | | | | | | | Allow 100 rounds of EAP messages if there is data being transmitted. Keep the old 50 round limit for cases where only short EAP messages are sent (i.e., the likely case of getting stuck in ACK loop). This allows larger EAP data (e.g., large certificates) to be exchanged without breaking the workaround for ACK loop interop issues. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Support vendor EAP method in Phase 2Jouni Malinen2019-08-171-13/+32
| | | | | | | | The implementation was previously hardcoded to use only the non-expanded IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods with expanded header to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST peer: Support vendor EAP method in Phase 2Jouni Malinen2019-08-171-14/+34
| | | | | | | | The implementation was previously hardcoded to use only the non-expanded IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods with expanded header to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PEAP peer: Support vendor EAP method in Phase 2Jouni Malinen2019-08-171-5/+21
| | | | | | | | | The implementation was previously hardcoded to allow only the Microsoft SoH expanded EAP method in Phase 2 in addition to non-expanded EAP methods. Extend that to allow any vendor EAP method with an expanded header to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer: Allow VENDOR-TEST method in Phase 2Jouni Malinen2019-08-171-0/+2
| | | | | | | This allows EAP methods to be tested for support of expanded EAP headers in Phase 2. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TTLS peer: Support vendor EAP method in Phase 2Jouni Malinen2019-08-171-14/+31
| | | | | | | | The implementation was previously hardcoded to use only the non-expanded IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods with expanded header to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
* Replace EapType typedef with enum eap_typeJouni Malinen2019-08-176-28/+34
| | | | | | | This cleans up coding style of the EAP implementation by avoiding typedef of an enum hiding the type of the variables. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Allow Result TLV without Crypto-Binding TLVJouni Malinen2019-08-161-9/+22
| | | | | | | | | | If the Crypto-Binding TLV for the last EAP method has been validated successfully in a previous message exchange with Intermediate-Result TLV and no new EAP method has been started, Result TLV can be accepted without an additional Crypto-Binding TLV. This allows the server to go through additional message exchanges after inner EAP method, if needed. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Add Intermediate-Result TLV with Crypto-Binding TLVJouni Malinen2019-08-161-0/+9
| | | | | | | | | Previously, only the Result TLV was added when writing Crypto-Binding TLV response. This is not sufficient, since RFC 7170 require Intermediate-Result TLV response to be included from the peer if the server included Intermediate-Result TLV. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP: Fix TLS-PRF for TLS ciphersuites that use SHA384Jouni Malinen2019-08-161-4/+8
| | | | | | | These need to be using the HMAC-based TLS-PRF with SHA384 instead of SHA256 as the hash algorithm. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Fix fragmentation of final messageJouni Malinen2019-08-061-4/+16
| | | | | | | Need to update methodState/decision when completing transmission of fragmented last Phase 2 message. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-SIM/AKA: Do not allow anonymous@realm "pseudonym" to be clearedJouni Malinen2019-07-312-4/+14
| | | | | | | | | | | | | If the EAP-SIM/AKA server does not provide a new pseudonym and the locally configured "pseudonym" in anonymous_identity is actually an anonymous identitity instead of a real EAP-SIM/AKA pseudonym, do not clear the anonymous_identity network profile parameter. This is needed to avoid forgetting the anonymous identity when going through EAP-SIM/AKA authentication and then reverting back to using IMSI-based (e.g., encrypted) identity. Fixes: 4df4133917ab ("EAP-SIM/AKA: Add support for anonymous@realm") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd peer: Configurable set of groups with reduced defaultJouni Malinen2019-07-231-3/+50
| | | | | | | | | | | | | | | | | | Make the EAP-pwd peer use same default set of allowed groups as the SAE implementation in wpa_supplicant uses, i.e., the groups 19-21 using NIST curves P-256, P-384, and P-521. Previously, all groups that were supported by the crypto library were allowed. In practice, this change disables use of the Brainpool curves (groups 28-30) with recent OpenSSL versions. The default set of groups can be overridden with a new phase1 network profile parameter, eap_pwd_groups=<list of allowed ranges>. For example, phase1="eap_pwd_groups=0-65535" would restore previous behavior of allowing all implemented groups to be used while eap_pwd_groups=19,20 would enable only the groups using NIST curves P-256 and P-384 to be used. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TLS peer: Handle possible application data at the endJouni Malinen2019-07-121-0/+12
| | | | | | | | | EAP-TLS with TLS 1.3 uses an empty application data record from the server to indicate end of the exchange, so EAP-TLS peer will need to check for this special case and finish the exchange with an empty EAP-TLS (ACK) so that the server can send out EAP-Success. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add Type-Code context to EAP-TLS 1.3 exported Key_Material and Method-IdErvin Oro2019-07-112-3/+9
| | | | | | | | Change to require the Type-Code in context for Key_Material and Method-Id has now been published as draft-ietf-emu-eap-tls13-04. https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-04#section-2.3 Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
* EAP-TEAP server and peer implementation (RFC 7170)Jouni Malinen2019-07-098-3/+3019
| | | | | | | | | | | | | | | | | This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved. This does not yet support use of NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message. Signed-off-by: Jouni Malinen <j@w1.fi>
* Pass full struct to peer certificate callbacksJouni Malinen2019-06-142-14/+6
| | | | | | | | This makes it easier to add new information to the callbacks without having to modify each callback function type in EAPOL and EAP code every time. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: New style fuzzing tool for EAP-AKA peer processingJouni Malinen2019-06-021-0/+15
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: New style fuzzing tool for EAP-SIM peer processingJouni Malinen2019-06-021-0/+17
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Add support for anonymous@realmHai Shalom2019-05-312-4/+12
| | | | | | | | | | | | SIM-based EAP authentication with IMSI encryption requires a special EAP Identity response: anonymous@realm. Then the server sends AKA-Identity request which is answered with the encrypted IMSI. Add logic that indicates if the special anonymous identity is used. Otherwise, this field is used for storing the pseudonym. Test: Connect to Carrier Wi-Fi, verify correct behavior from captures Test: Connect to non IMSI encrypted EAP-AKA AP, verify pseudonym usage Signed-off-by: Hai Shalom <haishalom@google.com>
* More forceful clearing of stack memory with keysJouni Malinen2019-05-264-14/+14
| | | | | | | | | | | | gcc 8.3.0 was apparently clever enough to optimize away the previously used os_memset() to explicitly clear a stack buffer that contains keys when that clearing happened just before returning from the function. Since memset_s() is not exactly portable (or commonly available yet..), use a less robust mechanism that is still pretty likely to prevent current compilers from optimizing the explicit clearing of the memory away. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-AKA: Add Session-Id derivation during fast-reauthMohit Sethi2019-05-251-3/+22
| | | | | | | | | | | | | | | The Session-Id derivation for EAP-AKA in RFC 5247 only explained how the Session-Id is derived for regular authentication. Jouni reported it as an errata with text explaining how to derive it during fast reauthentication. This patch now exports the Session-Id for EAP-AKA during fast reauthentication based on this Session-Id = 0x17 || NONCE_S || MAC construction. Also documented by Alan Dekok in draft-dekok-emu-eap-session-id. Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
* EAP-SIM: Add Session-Id derivation during fast-reauthMohit Sethi2019-05-251-4/+22
| | | | | | | | | | | | | The Session-Id derivation for EAP-SIM in RFC 5247 only explained how the Session-Id is derived for regular authentication. Jouni reported it as an errata with text explaining how to derive it during fast reauthentication. This patch now exports the Session-Id for EAP-SIM during fast reauthentication based on this Session-Id = 0x12 || NONCE_S || MAC construction. Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
* EAP-SAKE: Report hash function failures to callersJouni Malinen2019-04-191-4/+8
| | | | | | | While this is mostly theoretical, the hash functions can fail and it is better for the upper layer code to explicitly check for such failures. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Fix reassembly buffer handlingJouni Malinen2019-04-171-1/+8
| | | | | | | | | Unexpected fragment might result in data->inbuf not being allocated before processing and that could have resulted in NULL pointer dereference. Fix that by explicitly checking for data->inbuf to be available before using it. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-MSCHAPv2: Propagate GetAsymetricStartKey() failures up from getKey()Jouni Malinen2019-04-161-3/+7
| | | | | | | Report failure from getKey() if MSK cannot be derived due to unexpected sha1_vector() local failure. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Remove unused checks for cofactor > 1 casesJouni Malinen2019-04-131-20/+3
| | | | | | | | | | | | | None of the ECC groups supported in the implementation had a cofactor greater than 1, so these checks are unreachable and for all cases, the cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use of ECC groups with cofactor larger than 1, so this checks cannot be needed for any curve that is compliant with the RFC. Remove the unneeded group cofactor checks to simplify the implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Get rid of unnecessary allocation of temporary bufferJouni Malinen2019-04-091-16/+6
| | | | | | | | | Binary presentations of element and scalar can be written directly to the allocated commit message buffer instead of having to first write them into temporary buffers just to copy them to the actual message buffer. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Enforce 1 < rand,mask < r and rand+mask mod r > 1Jouni Malinen2019-04-091-12/+2
| | | | | | | | | RFC 5931 has these conditions as MUST requirements, so better follow them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases are very unlikely to occur in practice while generating random values locally. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd: Check element x,y coordinates explicitlyJouni Malinen2019-04-091-41/+4
| | | | | | | | | | | | | | This adds an explicit check for 0 < x,y < prime based on RFC 5931, requirement. The earlier checks might have covered this implicitly, but it is safer to avoid any dependency on implicit checks and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499) Furthermore, this moves the EAP-pwd element and scalar parsing and validation steps into shared helper functions so that there is no need to maintain two separate copies of this common functionality between the server and peer implementations. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd client: Verify received scalar and elementMathy Vanhoef2019-04-091-0/+20
| | | | | | | | | | | | | | | | | | When processing an EAP-pwd Commit frame, the server's scalar and element (elliptic curve point) were not validated. This allowed an adversary to bypass authentication, and act as a rogue Access Point (AP) if the crypto implementation did not verify the validity of the EC point. Fix this vulnerability by assuring the received scalar lies within the valid range, and by checking that the received element is not the point at infinity and lies on the elliptic curve being used. (CVE-2019-9499) The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL (and also BoringSSL) implicitly validate the elliptic curve point in EC_POINT_set_affine_coordinates_GFp(), preventing the attack. Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
* Extend domain_match and domain_suffix_match to allow list of valuesJouni Malinen2019-04-091-10/+19
| | | | | | | | | | | | | These wpa_supplicant network profile parameters could be used to specify a single match string that would be used against the dNSName items in subjectAltName or CN. There may be use cases where more than one alternative match string would be useful, so extend these to allow a semicolon delimited list of values to be used (e.g., "example.org;example.com"). If any of the specified values matches any of the dNSName/CN values in the server certificate, consider the certificate as meeting this requirement. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add support for an optional context parameter to TLS exporterErvin Oro2019-03-165-6/+16
| | | | | | | | | | | | | Allow an additional context value to be passed to TLS exporter as specified in RFC 5705 section 4. This does not yet implement it for the internal TLS implementation. However, as currently nothing uses context yet, this will not break anything right now. WolfSSL maintainers also stated that they are not going to add context support yet, but would look into it if/when this is required by a published draft or a standard. Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
* OpenSSL: Add 'check_cert_subject' support for TLS serverJared Bents2019-03-112-0/+44
| | | | | | | | | | | | | | | | | This patch added 'check_cert_subject' support to match the value of every field against the DN of the subject in the client certificate. If the values do not match, the certificate verification will fail and will reject the user. This option allows hostapd to match every individual field in the right order, also allow '*' character as a wildcard (e.g OU=Development*). Note: hostapd will match string up to 'wildcard' against the DN of the subject in the client certificate for every individual field. Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com> Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com> Signed-off-by: Jouni Malinen <j@w1.fi>
* Use char pointers for EAP configuration parameters without lengthJouni Malinen2019-03-112-30/+30
| | | | | | | | These parameters were using the u8*/len style types even though they were used as char* strings without an explicit length field. Make this char* instead of u8* to avoid confusion and unnecessary type casting. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Support Multi-AP backhaul STA onboarding with WPSDavina Lu2019-02-181-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a backhaul STA through WPS. To enable this, the backhaul STA needs to add a Multi-AP IE to the WFA vendor extension element in the WSC M1 message that indicates it supports the Multi-AP backhaul STA role. The Registrar (if it support Multi-AP onboarding) will respond to that with a WSC M8 message that also contains the Multi-AP IE, and that contains the credentials for the backhaul SSID (which may be different from the SSID on which WPS is performed). Introduce a new parameter to wpas_wps_start_pbc() and allow it to be set via control interface's new multi_ap=1 parameter of WPS_PBC call. multi_ap_backhaul_sta is set to 1 in the automatically created SSID. Thus, if the AP does not support Multi-AP, association will fail and WPS will be terminated. Only wps_pbc is supported. This commit adds the multi_ap argument only to the control socket interface, not to the D-Bus interface. Since WPS associates with the fronthaul BSS instead of the backhaul BSS, we should not drop association if the AP announces fronthaul-only BSS. Still, we should only do that in the specific case of WPS. Therefore, add a check to multi_ap_process_assoc_resp() to allow association with a fronthaul-only BSS if and only if key_mgmt contains WPS. Signed-off-by: Davina Lu <ylu@quantenna.com> Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Daniel Golle <daniel@makrotopia.org> Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>