path: root/src/eap_server/eap_server_aka.c
Commit message (Collapse)AuthorAgeFilesLines
* EAP server: Add getSessionIdJouni Malinen2014-11-301-0/+24
| | | | | | | This extends EAP server implementation to derive Session-Id similarly to the existing EAP peer implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Clear keying material on deinitJouni Malinen2014-07-021-1/+1
| | | | | | | | | Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Pass EAP type as argument to eap_sim_msg_finish()Jouni Malinen2014-07-021-4/+4
| | | | | | | | This makes it easier for static analyzers to figure out which code paths are possible within eap_sim_msg_finish() for EAP-SIM. This will hopefully avoid some false warnings (CID 68110, CID 68113, CID 68114). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Fix AUTS processingJouni Malinen2013-09-291-0/+1
| | | | | | | | | | | Commit 8a9f58f2cca92e5e362809ae4a531a4676c29888 ("EAP-AKA server: Store permanent username in session data") broke AUTS processing by skipping new authentication triplet fetch after having reported AUTS. Fix this by started new full authentication sequence immediately after reporting AUTS so that the updated parameters are available for the Challenge message. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Fix fallback to full authJouni Malinen2013-01-081-0/+11
| | | | | | | | | Commit 68a41bbb44ac78087076ce65e6c1803d036bc4a2 broke fallback from reauth id to fullauth id by not allowing a second AKA/Identity round to be used after having received unrecognized reauth_id in the first round. Fix this by allowing fullauth id to be requested in such a case. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-SIM/AKA server: Fix memory leak in error pathJouni Malinen2012-11-111-0/+1
| | | | | | | If identity round limit is reached, EAP-SIM/AKA session is terminated. This needs to free the allocated message. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Skip AKA/Identity exchange if EAP identity recognizedJouni Malinen2012-09-021-31/+96
| | | | | | | | If EAP-Response/Identity includes a known pseudonym or re-auth username, skip the AKA/Identity exchange since we already know the permanent username of the peer. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Remove unnecessary protocol version checkJouni Malinen2012-09-011-8/+0
| | | | | | | This validation is done automatically as part of the prefix value use in the username. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM DB: Use char* strings instead of u8* pointer and lengthJouni Malinen2012-09-011-36/+17
| | | | | | | | | | | Since the EAP-SIM/AKA identities are ASCII strings, there is no need to use more complex way for storing and passing them. In addition, be more strict about enforcing username (i.e., no realm part) to be used in the EAP-SIM DB API. Similarly, require specific username type instead of any of the types to be used as the key in the pseudonym and reauth operations. This allows simpler lookup operations to be used. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Store permanent username in session dataJouni Malinen2012-09-011-126/+111
| | | | | | This allows identity use to be cleaned up in various operations. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Split fullauth setup into a separate functionJouni Malinen2012-09-011-1/+13
| | | | | | This is an initial cleanup step for AKA/Identity processing. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Require AKA/Identity response to include identityJouni Malinen2012-09-011-8/+23
| | | | | | | | Since we always request an identity in the request, the response has to include AT_IDENTITY. This allows the AKA/Identity response processing to be simplified a bit. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Use simpler AKA/Identity request determinationJouni Malinen2012-09-011-15/+15
| | | | | | | | | | There is no need to use eap_sim_db_identity_known() here since a new AKA/Identity message is built only if the identity in the previous response was not recognized. The first round is always used to request AT_ANY_ID_REQ to meet the RFC 4187 recommendation on EAP method specific identity request. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM DB: Remove unnecessary aka_prime parameterJouni Malinen2012-09-011-1/+2
| | | | | | | | The reauth_id prefix can be used to determine which AKA version is used, so there is no need to store the aka_prime information in a separate field. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym to be used after unknown reauth idJouni Malinen2012-06-151-2/+12
| | | | | | | | | If the peer uses an unknown reauth id, it would still be possible to use pseudonym instead of permanent id. Allow this by changing the AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is used in EAP-Response/Identity. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-AKA': Update to RFC 5448Jouni Malinen2012-05-021-5/+12
| | | | | | | | | | | | | | | There was a technical change between the last IETF draft version (draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters used in the username (i.e., use unique characters for EAP-AKA' instead of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and peer implementations to use the leading characters based on the final RFC. Note: This will make EAP-AKA' not interoperate between the earlier draft version and the new version. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* EAP-AKA' server: Fix identity for MK derivationJouni Malinen2012-05-021-1/+1
| | | | | | | | | Incorrect identity string could end up being used with EAP-AKA' when the EAP client is using pseudonym. This code was supposed to use sm->identity just like the EAP-AKA case. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* EAP-SIM/AKA server: Fix re-authentication not to update pseudonymJouni Malinen2012-02-161-7/+7
| | | | | | | | | | | AT_NEXT_PSEUDONYM is supposed to be included only in the Challenge messages, not in the Re-authentication messages. This attribute was incorrectly included in the Re-authentication messages and could have been used to update the pseudonym state on the server without the peer updating its state. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* Remove the GPL notification from files contributed by Jouni MalinenJouni Malinen2012-02-111-8/+2
| | | | | | | Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA: Use strdup instead of strlen + malloc + memcpyJouni Malinen2011-11-271-2/+1
| | | | | | | While the copy is not used as a null terminated string, this can prevent some static analyzers from complaining about non-issue. Signed-hostap: Jouni Malinen <j@w1.fi>
* Annotate places depending on strong random numbersJouni Malinen2010-11-231-1/+2
| | | | | | | | | | | | | This commit adds a new wrapper, random_get_bytes(), that is currently defined to use os_get_random() as is. The places using random_get_bytes() depend on the returned value being strong random number, i.e., something that is infeasible for external device to figure out. These values are used either directly as a key or as nonces/challenges that are used as input for key derivation or authentication. The remaining direct uses of os_get_random() do not need as strong random numbers to function correctly.
* Rename EAP server source files to avoid duplicate namesJouni Malinen2010-02-191-0/+1277
This makes it easier to build both EAP peer and server functionality into the same project with some toolchains.