path: root/src/eap_server
Commit log: message [author, date; files changed, lines -removed/+added]

* Removed WPS support [Jouni Malinen, 2008-02-23; 5 files, -471/+0]
* EAP-IKEv2 specification has been released as RFC 5106 [Jouni Malinen, 2008-02-22; 2 files, -2/+2]
* Updated EAP-TLV definitions to use new EAP-PEAP draft version -10 [Jouni Malinen, 2008-02-10; 2 files, -3/+3]
  draft-josefsson-ppext-eap-tls-eap-10.txt removes conflicts with the TLV types defined for EAP-FAST (RFC 4851), so this cleans up some of the definitions.
* Added some preliminary code for PEAPv2 style TLV encapsulation [Jouni Malinen, 2008-02-10; 1 file, -4/+158]
  The Phase 2 EAP messages are now encapsulated in EAP-Payload TLV if PEAPv2 is used. In addition, the EAP-Request/Identity is sent with the Phase 1 Server Finished message.
* Extend the identity workaround to remove all trailing null characters [Jouni Malinen, 2008-02-04; 2 files, -2/+2]
* Do not call Phase 2 method buildReq() if initialization failed [Jouni Malinen, 2008-02-03; 1 file, -0/+5]
  EAP-FAST with EAP-SIM as an inner method could trigger a NULL pointer dereference if EAP-SIM DB was not configured. Avoid this by not calling buildReq() for the Phase 2 method if initialization failed.
* Added support for pending EAP Phase 2 processing [Jouni Malinen, 2008-02-03; 3 files, -5/+64]
  Store and re-use the decrypted Phase 2 data in EAP-{PEAP,TTLS,FAST} if the Phase 2 method enters pending wait state. This allows EAP-SIM and EAP-AKA to be used as the Phase 2 method.
* Fixed EAP-SIM Start response processing for fast reauthentication case [Jouni Malinen, 2008-02-03; 1 file, -14/+14]
  The AT_NONCE_MT and AT_SELECTED_VERSION attributes are only included in the SIM/Start response when using full authentication. Fixed the code not to require these to be present when fast reauthentication is used.
* EAP-SIM/AKA: Ignore client error when sending success result indication [Jouni Malinen, 2008-02-03; 2 files, -2/+8]
  RFCs require the EAP-SIM/AKA server to ignore the contents of a response to the protected success indication, so ignore client error in this case and reply with EAP-Success.
* Remove AT_COUNTER from EAP-SIM/AKA result indication in full authentication [Jouni Malinen, 2008-02-03; 2 files, -30/+36]
  Previous version was incorrectly including AT_COUNTER in the Notification message even for full authentication. This caused interoperability issues and was against the RFCs, so AT_COUNTER (and the additional encryption attributes) is now only included in case the notification follows fast reauthentication.
* Include AT_ANY_ID_REQ in EAP-SIM/AKA start/identity per RFC recommendation [Jouni Malinen, 2008-02-03; 2 files, -0/+15]
  This identity request is not really needed if EAP-Response/Identity already includes the correct identity. However, since RFC 4186/4187 recommend that the EAP identity is ignored, it is safer to do that here should some peer implementations behave incorrectly.
* EAP-SIM/AKA workaround for incorrect null termination in the username [Jouni Malinen, 2008-02-03; 2 files, -6/+18]
  It looks like some EAP-SIM/AKA peer implementations include an extra null termination at the end of the identity/username. These implementations do not seem to include these null characters in key derivation and that would result in a key mismatch. As a workaround, drop the possible null characters from the end of the identity/username for key derivation.
* Fixed EAP-SIM/AKA realm processing to allow decorated usernames to be used [Jouni Malinen, 2008-02-03; 1 file, -10/+32]
  The identity length needs to be compared to IMSI length only after the possible realm has been removed to avoid rejecting decorated usernames (e.g., 1<IMSI>@wlan.mnc###.mcc###.3gppnetwork.org).
* WPS: Move device-specific data from Registrar to generic WPS context [Jouni Malinen, 2008-01-14; 4 files, -5/+6]
  This adds a new struct wps_context for device-specific data that fits better for a number of variables than struct wps_registrar. This allows AP configuration to be provided to Enrollee code so that M7 can be built with current AP configuration for external Registrar registration. In addition, Network Key is now hex encoded in wps_hostapd.c if needed to use correct fixed-PSK/passphrase setting.
  It should be noted that the option of using per-device PSK works only when the supplicant is acting as an Enrollee. If the supplicant is acting as a Registrar, generating a new per-device PSK would likely not work since the external Registrar could provision that PSK to other devices.
* WPS: Added initial part for configuring hostapd to act as an Enrollee [Jouni Malinen, 2008-01-13; 1 file, -0/+9]
  The new ap_pin configuration option is used to set the AP PIN for initial setup or for registering a new external Registrar.
* Fixed printf format for size_t on 64-bit targets [Jouni Malinen, 2008-01-12; 2 files, -5/+6]
* WPS: Added WPS configuration entries into hostapd.conf [Jouni Malinen, 2008-01-06; 4 files, -1/+12]
  Add new configuration parameters wps_state and uuid into hostapd.conf and create a new per-BSS instance of WPS Registrar with this information (and more to be added later).
  Replaced CONFIG_EAP_WSC configuration option with more generic CONFIG_WPS for hostapd. This enabled EAP-WSC and adds setup for WPS Registrar.
  Changed EAP user configuration for WPS to be done automatically based on WPS configuration (wps_state != 0). The hostapd.eap_user file does not include the special WPS identities anymore.
  Moved RADIUS server initialization to the correct place. It is configured per-BSS and as such, it should be initialized in hostapd_setup_bss(). It was already deinitialized in per-BSS hostapd_cleanup() so this may fix some corner cases where RADIUS server is configured to a secondary BSS. Anyway, the main reason for the change was to make sure RADIUS server is initialized after WPS Registrar (which is a per-BSS element).
* Changes wps_init() to use a configuration struct instead of separate arguments to make it easier to add new configuration values. [Jouni Malinen, 2008-01-03; 1 file, -1/+6]
* Silenced compiler warnings about printf format for size_t on 64-bit builds. [Jouni Malinen, 2008-01-01; 2 files, -6/+10]
* Moved the dummy WPS code into a shared file in a new directory as a placeholder for proper WPS implementation. [Jouni Malinen, 2008-01-01; 1 file, -132/+1]
* Synchronized the WPS dummy implementation in EAP-WSC server and peer so that this code can be moved into a shared file. [Jouni Malinen, 2008-01-01; 1 file, -3/+13]
* Changed EAP-WSC to use struct wpabuf for in_buf/out_buf processing following the model from EAP-IKEv2 implementation. [Jouni Malinen, 2008-01-01; 1 file, -99/+122]
* Use u8* instead of void* for pointer arithmetics. [Jouni Malinen, 2008-01-01; 1 file, -3/+4]
  Fixed printf format for size_t.
* Fixed IKEv2 error handling. [Jouni Malinen, 2008-01-01; 3 files, -10/+24]
  Prevent probing of user accounts by using a fake shared secret in the server if no password is found for the requested IDr. Send AUTHENTICATION_FAILED notification if responder fails to authenticate the initiator. Terminate EAP session if an error occurs.
* Do not leave data->in_buf pointing to stack-based tmpbuf when returning from a function. This fixes a bug where the error path could have triggered freeing of a stack variable. [Jouni Malinen, 2008-01-01; 1 file, -0/+2]
* Fixed one more wpabuf_free() before wpabuf_len() debug print issue to avoid dereferencing freed memory. [Jouni Malinen, 2008-01-01; 1 file, -1/+1]
* Enforce return value validation for AES functions and resolve the generated warnings. [Jouni Malinen, 2008-01-01; 1 file, -13/+26]
* Use generate_authenticator_response_pwhash() to avoid extra function call since we need to hash the password here anyway. [Jouni Malinen, 2008-01-01; 1 file, -11/+4]
* Fixed a bug in wpabuf conversion: must not use wpabuf after it has been freed. The debug print needs to take length of the buffer before wpabuf_free() call. [Jouni Malinen, 2007-12-31; 1 file, -1/+1]
* Moved DH operations from IKEv2 code into dh_groups.c to allow better code re-use. [Jouni Malinen, 2007-12-31; 2 files, -85/+43]
* Moved SK key derivation into a shared function. [Jouni Malinen, 2007-12-31; 1 file, -97/+6]
* Fixed a memory leak on error path. [Jouni Malinen, 2007-12-31; 1 file, -0/+1]
* Moved common EAP-IKEv2 functions into a shared file. [Jouni Malinen, 2007-12-31; 1 file, -113/+27]
* Added the main EAP-IKEV2 server file that was forgotten from the initial commit. [Jouni Malinen, 2007-12-31; 1 file, -0/+618]
* Moved IKEv2 keys into a shared structure type to make it easier to share code for initiator and responder. [Jouni Malinen, 2007-12-31; 2 files, -76/+53]
* Moved ikev2_update_hdr() and ikev2_build_encrypted() into common code. [Jouni Malinen, 2007-12-31; 1 file, -90/+5]
* Parse optional SK{IDr} from SA_INIT and use its value as the identity when fetching user password. This adds support for anonymous identity in EAP-Response/Identity. [Jouni Malinen, 2007-12-31; 1 file, -5/+72]
* Share the same routine for decrypting payloads in initiator and responder. [Jouni Malinen, 2007-12-31; 1 file, -73/+7]
* Added EAP-IKEv2 server implementation. [Jouni Malinen, 2007-12-31; 3 files, -0/+1503]
  This version is limited to only using shared secret authentication for both server and peer authentication. In addition, only a single, hardcoded SAi proposal is currently supported and SK{IDr} from SA_INIT is not used to update user identity (i.e., identity privacy is not supported and the real identity has to be included in EAP-Response/Identity in plaintext).
* Added support for configuring EAP-TTLS phase 2 non-EAP methods in EAP server configuration; previously all four were enabled for every phase 2 user, now all four are disabled by default and need to be enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. [Jouni Malinen, 2007-12-24; 2 files, -12/+16]
* Share the same CHAP-MD5 implementation for EAP-MD5 and EAP-TTLS to avoid code duplication. [Jouni Malinen, 2007-12-24; 2 files, -29/+14]
* Replaced wpabuf_alloc_ext_data_no_free() with a simpler construction that uses struct wpabuf in stack with wpabuf_set() for encapsulating non-wpabuf data buffers temporarily as a struct wpabuf. This gets rid of the need for struct wpabuf having a flags field and simplifies code paths since wpabuf_set() cannot fail. [Jouni Malinen, 2007-12-24; 2 files, -16/+8]
* Added support for protected result indication with AT_RESULT_IND for EAP-SIM and EAP-AKA. This is disabled by default, but can be enabled in configuration file (hostapd: eap_sim_aka_result_ind=1 and wpa_supplicant: phase1="result_ind=1"). [Jouni Malinen, 2007-12-21; 5 files, -7/+141]
* Added support for protecting EAP-AKA/Identity messages with AT_CHECKCODE (optional feature in RFC 4187). [Jouni Malinen, 2007-12-19; 1 file, -1/+121]
* Removed unused variable. mlen is not used anymore and it was forgotten into the file when the last use was removed. [Jouni Malinen, 2007-12-16; 1 file, -2/+1]
* Avoid NULL dereferences when in debug mode should something end up calling eap_sm_parseEapResp() with a NULL message. This should not happen, but we might as well verify here since the previous error checking was already doing this. [Jouni Malinen, 2007-12-16; 1 file, -1/+2]
* Fixed a memory leak in EAP-FAST provisioning. [Jouni Malinen, 2007-12-16; 1 file, -0/+1]
* Added 'struct wpabuf' data structure for presenting data buffers. [Jouni Malinen, 2007-12-16; 22 files, -1099/+952]
  This can be used to clean up various code areas that are storing a pointer to an allocated buffer and a length field separately. wpabuf.h defines a number of helper functions to make it simpler to use wpabuf. In addition, this adds some bounds checking to buffer writes since wpabuf_put*() functions will abort the program should something try to write beyond the end of a buffer.
  This commit is also changing EAP and EAPOL interfaces to use struct wpabuf which makes the number of changes quite large. This will, obviously, also mean that 0.6.x branch is no longer source code compatible with 0.5.x as far as EAP method interface is concerned.
* Fixed EAP-TLS server. Previous fix in 5765bcd08f149aef01d7f29ca34a357f63ab00ea broke EAP-TLS ACK processing. The zero-length message has to be allowed; only the re-assembly of that message needs to be prevented. [Jouni Malinen, 2007-12-13; 1 file, -5/+5]
* Removed EAP header field from struct eap_psk_hdr_* and started using eap_msg_alloc() and eap_hdr_validate(). [Jouni Malinen, 2007-12-09; 1 file, -43/+58]