aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_server
Commit message (Collapse)AuthorAgeFilesLines
* EAP-TTLS: Add support for deriving EMSKJouni Malinen2014-11-301-0/+33
| | | | | | | This extends EAP-TTLS server and peer implementations to support EMSK derivation per RFC 5281. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TLS server: Clear temporary buffer during EMSK derivationJouni Malinen2014-11-301-1/+1
| | | | | | | | Now that EMSK derivation is taken into use with ERP, it is better to make sure the temporary MSK + EMSK buffer does not get left in heap after use. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Add getSessionIdJouni Malinen2014-11-3016-0/+306
| | | | | | | This extends EAP server implementation to derive Session-Id similarly to the existing EAP peer implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Add explicit message length limit of 50000 bytesJouni Malinen2014-11-231-1/+1
| | | | | | | | | | | Previously, this was implicitly limited by the 16-bit length field to 65535. This resulted in unhelpful static analyzer warnings (CID 62868). Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid this. The actual WSC messages are significantly shorter in practice, but there is no specific protocol limit, so 50000 is as good as any limit to use here. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Remove unnecessary OpenSSL EVP_sha256() registrationJouni Malinen2014-11-161-2/+0
| | | | | | | | This gets registered in tls_openssl.c from tls_init(), so there is no need for EAP-pwd implementation to register explicitly. This avoids some corner cases where OpenSSL resources do not get fully freed on exit. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-MSCHAPv2 server: Check ms_funcs results more consistentlyJouni Malinen2014-10-111-7/+10
| | | | | | | This makes the code more consistent by checking the somewhat theoretical error cases more consistently (CID 72685). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PAX server: Remove unused assignmentJouni Malinen2014-10-111-1/+0
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM DB: Remove unused assignmentJouni Malinen2014-10-111-1/+1
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST server: Remove unused assignmentJouni Malinen2014-10-111-1/+0
| | | | | | | | | | Commit e8c08c9a363340c45baf8e13c758c99078bc0d8b ('EAP-FAST server: Fix potential read-after-buffer (by one byte)') changed the while loop design in a way that does not require the pos variable to be updated anymore. Remove that unneeded code to clean up static analyzer warnings about unused assignments. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST server: Remove unused writeJouni Malinen2014-10-111-1/+1
| | | | | | next_type is not used in case m->check() results in ignoring the packet. Signed-off-by: Jouni Malinen <j@w1.fi>
* AES: Extend key wrap design to support longer AES keysJouni Malinen2014-10-071-4/+4
| | | | | | | | | | | This adds kek_len argument to aes_wrap() and aes_unwrap() functions and allows AES to be initialized with 192 and 256 bit KEK in addition to the previously supported 128 bit KEK. The test vectors in test-aes.c are extended to cover all the test vectors from RFC 3394. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PAX server: Add explicit CID length limitJouni Malinen2014-09-071-2/+7
| | | | | | | | | Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a CID explicitly to 1500 bytes. This will hopefully help in reducing false warnings from static analyzers (CID 72712). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST server: Fix potential read-after-buffer (by one byte)Jouni Malinen2014-07-261-1/+2
| | | | | | | | The special PAC_OPAQUE_TYPE_PAD case did not skip incrementing of the pos pointer and could result in one octet read-after-buffer when parsing the PAC-Opaque data. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Clear identity string and temporary buffer explicitlyJouni Malinen2014-07-241-6/+6
| | | | | | | | | Use an explicit memset call to clear any configuration parameter and dynamic data that contains private information like keys or identity. This brings in an additional layer of protection by reducing the length of time this type of private data is kept in memory. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Verify BN_rand_range return codeFlorent Daigniere2014-07-241-5/+9
| | | | | | | | | | | This makes the EAP-pwd server and peer implementations more robust should OpenSSL fail to derive random number for some reason. While this is unlikely to happen in practice, the implementation better be prepared for this should something unexpected ever happen. See http://jbp.io/2014/01/16/openssl-rand-api/#review-of-randbytes-callers for more details. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* EAP-pwd: Use os_memcmp_const() for hash comparisonsFlorent Daigniere2014-07-241-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* OpenSSL: Use EC_POINT_clear_free instead of EC_POINT_freeFlorent Daigniere2014-07-241-5/+5
| | | | | | | | | | | | | This changes OpenSSL calls to explicitly clear the EC_POINT memory allocations when freeing them. This adds an extra layer of security by avoiding leaving potentially private keys into local memory after they are not needed anymore. While some of these variables are not really private (e.g., they are sent in clear anyway), the extra cost of clearing them is not significant and it is simpler to just clear these explicitly rather than review each possible code path to confirm where this does not help. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* OpenSSL: Use BN_clear_free instead of BN_freeFlorent Daigniere2014-07-241-16/+16
| | | | | | | | | | | | | This changes OpenSSL calls to explicitly clear the bignum memory allocations when freeing them. This adds an extra layer of security by avoiding leaving potentially private keys into local memory after they are not needed anymore. While some of these variables are not really private (e.g., they are sent in clear anyway), the extra cost of clearing them is not significant and it is simpler to just clear these explicitly rather than review each possible code path to confirm where this does not help. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* EAP server: Clear keying material on deinitJouni Malinen2014-07-0214-21/+21
| | | | | | | | | Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-GTC: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-MSCHAPv2: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TTLS: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-8/+12
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-MD5: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PSK: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PEAP: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-GPSK: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PAX: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-3/+3
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-EKE: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SAKE: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-IKEv2: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Add explicit total length limitJouni Malinen2014-07-021-0/+2
| | | | | | | | | | | Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a fragmented EAP-pwd message explicitly to 15000 bytes. None of the supported groups use longer messages, so it is fine to reject any longer message without even trying to reassemble it. This will hopefully also help in reducing false warnings from static analyzers (CID 68124). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Pass EAP type as argument to eap_sim_msg_finish()Jouni Malinen2014-07-022-9/+9
| | | | | | | | This makes it easier for static analyzers to figure out which code paths are possible within eap_sim_msg_finish() for EAP-SIM. This will hopefully avoid some false warnings (CID 68110, CID 68113, CID 68114). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST: Clean up TLV length validation (CID 62853)Jouni Malinen2014-06-181-4/+6
| | | | | | | | Use size_t instead of int for storing and comparing the TLV length against the remaining buffer length to make this easier for static analyzers to understand. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)Jouni Malinen2014-06-131-1/+2
| | | | | | | | | | Since there is a limit on the EAP exchange due to maximum number of roundtrips, there is no point in allowing excessively large buffers to be allocated based on what the peer device claims the total message to be. Instead, reject the message if it would not be possible to receive it in full anyway. Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS/EAP server: Use longer username buffer to avoid truncationJouni Malinen2014-06-023-6/+6
| | | | | | | | | | If the peer provides a username with large part of it being non-ASCII characters, the previously used buffers may not have been long enough to include the full string in debug logs and database search due to forced truncation of the string by printf_encode(). Avoid this by increasing the buffer sizes to fit in the maximum result. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TNC: Allow TNC to be enabled dynamicallyJouni Malinen2014-05-171-0/+3
| | | | | | | | | Previously, hostapd had to be started with at least one of the configuration files enabling TNC for TNC to be usable. Change this to allow TNC to be enabled when the first interface with TNC enabled gets added during runtime. Signed-off-by: Jouni Malinen <j@w1.fi>
* TNC: Move common definitions into a shared header fileJouni Malinen2014-05-171-69/+1
| | | | | | No need to duplicate these in multiple places. Signed-off-by: Jouni Malinen <j@w1.fi>
* TNC: Allow tnc_config file path to be replacedJouni Malinen2014-05-171-0/+2
| | | | | | | | | This is for enabling easier testing of TNCS/TNCC functionality as part of the test scripts without having to use the fixed /etc/tnc_config location that could be used by the main system and would require changes within /etc. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd server: Allow fragment_size to be configuredJouni Malinen2014-05-111-1/+2
| | | | | | | Previously, the fragment_size parameter was ignored and the default value of 1020 was hardcoded. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-IKEv2: Allow frag ack without integrity checksumJouni Malinen2014-05-111-3/+6
| | | | | | | | | | RFC 5106 is not exactly clear on the requirements for the "no data" packet that is used to acknowledge a fragmented message. Allow it to be processed without the integrity checksum data field since it is possible to interpret the RFC as this not being included. This fixes reassembly of fragmented frames after keys have been derived. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Fix processing of group setup failureJouni Malinen2014-05-111-1/+2
| | | | | | | | | | | | If invalid group was negotiated, compute_password_element() left some of the data->grp pointer uninitialized and this could result in segmentation fault when deinitializing the EAP method. Fix this by explicitly clearing all the pointer with eap_zalloc(). In addition, speed up EAP failure reporting in this type of error case by indicating that the EAP method execution cannot continue anymore on the peer side instead of waiting for a timeout. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Export Session-Id through getSessionId callbackJouni Malinen2014-05-111-1/+3
| | | | | | | EAP-pwd was already deriving the EAP Session-Id, but it was not yet exposed through the EAP method API. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Fix memory leak on error path with fragmentationJouni Malinen2014-04-051-0/+4
| | | | | | | If fragmentation is used, the temporary inbuf/outbuf could have been leaked in error cases (e.g., reaching maximum number of roundtrips). Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Add support for MAC ACLJouni Malinen2014-03-291-0/+1
| | | | | | | "user" MACACL "password" style lines in the eap_user file can now be used to configured user entries for RADIUS-based MAC ACL. Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS testing: Allow hostapd to be used as a TLS testing toolJouni Malinen2014-03-094-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | The internal TLS server implementation and RADIUS server implementation in hostapd can be configured to allow EAP clients to be tested to perform TLS validation steps correctly. This functionality is not included in the default build; CONFIG_TESTING_OPTIONS=y in hostapd/.config can be used to enable this. When enabled, the RADIUS server will configure special TLS test modes based on the received User-Name attribute value in this format: <user>@test-tls-<id>.<rest-of-realm>. For example, anonymous@test-tls-1.example.com. When this special format is used, TLS test modes are enabled. For other cases, the RADIUS server works normally. The following TLS test cases are enabled in this commit: 1 - break verify_data in the server Finished message 2 - break signed_params hash in ServerKeyExchange 3 - break Signature in ServerKeyExchange Correctly behaving TLS client must abort connection if any of these failures is detected and as such, shall not transmit continue the session. Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Allow TLS implementation add log entriesJouni Malinen2014-03-091-0/+13
| | | | | | | | This allows the internal TLS implementation to write log entries to the same authlog with rest of the RADIUS server and EAP server functionality. Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Allow EAP methods to log into SQLite DBJouni Malinen2014-03-096-0/+58
| | | | | | | This extends RADIUS server logging capabilities to allow EAP server methods to add log entries. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Allow arbitrary RADIUS attributes to be added into Access-AcceptJouni Malinen2014-03-081-0/+1
| | | | | | | | This extends the design already available for Access-Request packets to the RADIUS server and Access-Accept messages. Each user entry can be configured to add arbitrary RADIUS attributes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>