aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_common
Commit message (Collapse)AuthorAgeFilesLines
* TLS: Split tls_connection_prf() into two functionsDavid Benjamin2016-05-232-4/+3
| | | | | | | | | | | | | | | | | | | | | | Most protocols extracting keys from TLS use RFC 5705 exporters which is commonly implemented in TLS libraries. This is the mechanism used by EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined to be compatible with it.) EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal key block derivation and derives key material after the key block. This is uncommon and a misuse of TLS internals, so not all TLS libraries support this. Instead, we reimplement the PRF for the OpenSSL backend and don't support it at all in the GnuTLS one. Since these two are very different operations, split tls_connection_prf() in two. tls_connection_export_key() implements the standard RFC 5705 mechanism that we expect most TLS libraries to support. tls_connection_get_eap_fast_key() implements the EAP-FAST-specific legacy mechanism which may not be implemented on all backends but is only used by EAP-FAST. Signed-Off-By: David Benjamin <davidben@google.com>
* EAP-PAX: Check hmac_sha1_vector() return valueJouni Malinen2016-01-061-2/+4
| | | | | | | | This function can fail at least in theory, so check its return value before proceeding. This is mainly helping automated test case coverage to reach some more error paths. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-EKE: Merge identical error return pathsJouni Malinen2015-12-211-30/+11
| | | | | | | There is no need to maintain multiple copies of the same error return path. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-EKE: Reject too long Prot() data when building a frameJouni Malinen2015-12-211-0/+1
| | | | | | | | | | This error case in own buffer lengths being too short was not handled properly. While this should not really happen since the wpabuf allocation is made large for the fixed cases that are currently supported, better make eap_eke_prot() safer if this functionally ever gets extended with a longer buffer need. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST: Check T-PRF result in MSK/EMSK derivationJouni Malinen2015-12-122-10/+14
| | | | | | Pass the error return from sha1_t_prf() to callers. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-IKEv2: Check HMAC SHA1/MD5 resultJouni Malinen2015-12-051-8/+7
| | | | | | | Make the IKEv2 helper functions return a possible error return from the HMAC routines. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SAKE: Fix a typo in attribute parser debug printJouni Malinen2015-11-281-1/+1
| | | | | | | Parsing AT_MSK_LIFE ended up writing a debug log entry with incorrect attribute name (AT_IV). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Add support for Brainpool Elliptic CurvesJouni Malinen2015-11-011-0/+20
| | | | | | | This allows the IKE groups 27-30 (RFC 6932) to be used with OpenSSL 1.0.2 and newer. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-GPSK: Check HMAC-SHA256 result in GKDF and MICJouni Malinen2015-10-171-3/+6
| | | | | | | | hmac_sha256() and hmac_sha256_vector() return a result code now, so use that return value to terminate HMAC-SHA256-based GKDF/MIC similarly to what was already done with the CMAC-based GKDF/MIC. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SAKE: Make attribute parser more readableJouni Malinen2015-05-031-43/+43
| | | | | | | | Clean up eap_sake_parse_add_attr() design by passing in pointer to the payload of the attribute instead of parsing these separately for each attribute within the function. Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix a typo in function documentationJouni Malinen2015-05-031-1/+1
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* Declare all read only data structures as constMikael Kanstrup2015-04-251-3/+3
| | | | | | | | By analysing objdump output some read only structures were found in .data section. To help compiler further optimize code declare these as const. Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
* tests: Add eapol-fuzzerJouni Malinen2015-04-221-3/+26
| | | | | | | This program can be used to run fuzzing tests for areas related to EAPOL frame parsing and processing on the supplicant side. Signed-off-by: Jouni Malinen <j@w1.fi>
* Make tls_connection_get_keyblock_size() internal to tls_*.cJouni Malinen2015-04-011-10/+2
| | | | | | | | | | This function exposes internal state of the TLS negotiated parameters for the sole purpose of being able to implement PRF for EAP-FAST. Since tls_connection_prf() is now taking care of all TLS-based key derivation cases, it is cleaner to keep this detail internal to each tls_*.c wrapper implementation. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Use tls_connection_prf() for all EAP TLS-based key derivationJouni Malinen2015-03-311-29/+6
| | | | | | | | | | | | tls_openssl.c is the only remaining TLS/crypto wrapper that needs the internal PRF implementation for EAP-FAST (since SSL_export_keying_material() is not available in older versions and does not support server-random-before-client case). As such, it is cleaner to assume that TLS libraries support tls_connection_prf() and move the additional support code for the otherwise unsupported cases into tls_openssl.c. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-pwd: Mark helper function arguments const when appropriateJouni Malinen2015-03-282-12/+18
| | | | | | These variables are not modified during PWE or key computation. Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add TV/TLV parserJouni Malinen2014-12-042-2/+95
| | | | | | | This is needed for ERP implementation on both the server/authenticator and peer side. Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add defines for EAP Re-Authentication ProtocolJouni Malinen2014-12-031-2/+32
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-PAX: Derive EAP Session-IdJouni Malinen2014-11-302-3/+8
| | | | | | | This adds EAP-PAX server and peer method functions for deriving Session-Id from Method-Id per RFC 4746 and RFC 5247. Signed-off-by: Jouni Malinen <j@w1.fi>
* IKEv2: Use a bit clearer payload header validation stepJouni Malinen2014-11-231-3/+6
| | | | | | | | It looks like the "pos + plen > end" case was not clear enough for a static analyzer to figure out that plen was being verified to not go beyond the buffer. (CID 72687) Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-IKEv2: Fix compilation warningAndrei Otcheretianski2014-11-151-1/+1
| | | | | | | Fix signed/unsigned comparison compilation warning introduced in 08ef442 "EAP-IKEv2: Fix the payload parser". Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* EAP-IKEv2: Fix the payload parserJouni Malinen2014-10-111-3/+4
| | | | | | | | | The payload lengths were not properly verified and the first check on there being enough buffer for the header was practically ignored. The second check for the full payload would catch length issues, but this is only after the potential read beyond the buffer. (CID 72687) Signed-off-by: Jouni Malinen <j@w1.fi>
* Support building with BoringSSLAdam Langley2014-10-061-0/+2
| | | | | | | | | | | | | | BoringSSL is Google's cleanup of OpenSSL and an attempt to unify Chromium, Android and internal codebases around a single OpenSSL. As part of moving Android to BoringSSL, the wpa_supplicant maintainers in Android requested that I upstream the change. I've worked to reduce the size of the patch a lot but I'm afraid that it still contains a number of #ifdefs. [1] https://www.imperialviolet.org/2014/06/20/boringssl.html Signed-off-by: Adam Langley <agl@chromium.org>
* OpenSSL: Use EC_POINT_clear_free instead of EC_POINT_freeFlorent Daigniere2014-07-241-1/+1
| | | | | | | | | | | | | This changes OpenSSL calls to explicitly clear the EC_POINT memory allocations when freeing them. This adds an extra layer of security by avoiding leaving potentially private keys into local memory after they are not needed anymore. While some of these variables are not really private (e.g., they are sent in clear anyway), the extra cost of clearing them is not significant and it is simpler to just clear these explicitly rather than review each possible code path to confirm where this does not help. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* OpenSSL: Use BN_clear_free instead of BN_freeFlorent Daigniere2014-07-241-5/+5
| | | | | | | | | | | | | This changes OpenSSL calls to explicitly clear the bignum memory allocations when freeing them. This adds an extra layer of security by avoiding leaving potentially private keys into local memory after they are not needed anymore. While some of these variables are not really private (e.g., they are sent in clear anyway), the extra cost of clearing them is not significant and it is simpler to just clear these explicitly rather than review each possible code path to confirm where this does not help. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
* EAP-GPSK: Avoid dead increment by checking pos pointerJouni Malinen2014-07-021-11/+8
| | | | | | | | Instead of using the pre-calculated length of the buffer, determine the length of used data based on the pos pointer. This avoids a static analyzer warning about dead increment. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-EKE: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-1/+1
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-021-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-IKEv2: Use os_memcmp_const() for hash/password comparisonsJouni Malinen2014-07-022-2/+2
| | | | | | | | | This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Pass EAP type as argument to eap_sim_msg_finish()Jouni Malinen2014-07-022-5/+5
| | | | | | | | This makes it easier for static analyzers to figure out which code paths are possible within eap_sim_msg_finish() for EAP-SIM. This will hopefully avoid some false warnings (CID 68110, CID 68113, CID 68114). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM': Fix AT_KDF parser to avoid infinite loopJouni Malinen2014-06-211-1/+1
| | | | | | | | Hitting maximum number of AT_KDF attributes could result in an infinite loop due to the attribute parser not incrementing the current position properly when skipping the extra KDF. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-FAST: Clean up TLV length validation (CID 62853)Jouni Malinen2014-06-182-2/+2
| | | | | | | | Use size_t instead of int for storing and comparing the TLV length against the remaining buffer length to make this easier for static analyzers to understand. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-IKEv2: Remove obsolete ccns.pl project workaroundsJouni Malinen2014-06-084-90/+0
| | | | | | | | | | It does not look like there is going to be any additional use for this old build option that could be used to build the EAP-IKEv2 peer implementation in a way that interoperates with the eap-ikev2.ccns.pl project. Remove the workarounds that matches incorrect implementation in that project to clean up implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd peer: Export Session-Id through getSessionId callbackJouni Malinen2014-05-112-3/+2
| | | | | | | EAP-pwd was already deriving the EAP Session-Id, but it was not yet exposed through the EAP method API. Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0R2: Add WFA server-only EAP-TLS peer methodJouni Malinen2014-02-251-2/+5
| | | | Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Add CONFIG_CODE_COVERAGE=y option for gcovJouni Malinen2013-11-241-1/+1
| | | | | | This can be used to measure code coverage from test scripts. Signed-hostap: Jouni Malinen <j@w1.fi>
* Use ARRAY_SIZE() macroJouni Malinen2013-10-261-3/+3
| | | | | | | Replace the common sizeof(a)/sizeof(a[0]) constructions with a more readable version. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-EKE: Add peer implementationJouni Malinen2013-07-073-0/+883
| | | | | | This adds a new password-based EAP method defined in RFC 6124. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP peer: Add Session-Id derivationStevent Li2013-02-082-0/+141
| | | | | | | | This adds a new getSessionId() callback for EAP peer methods to allow EAP Session-Id to be derived. This commits implements this for EAP-FAST, EAP-GPSK, EAP-IKEv2, EAP-PEAP, EAP-TLS, and EAP-TTLS. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Add UNAUTH-TLS vendor specific EAP typeJouni Malinen2012-08-221-0/+3
| | | | | | | | | | | | | | | This EAP type uses a vendor specific expanded EAP header to encapsulate EAP-TLS with a configuration where the EAP server does not authenticate the EAP peer. In other words, this method includes only server authentication. The peer is configured with only the ca_cert parameter (similarly to other TLS-based EAP methods). This method can be used for cases where the network provides free access to anyone, but use of RSN with a securely derived unique PMK for each station is desired. The expanded EAP header uses the hostapd/wpa_supplicant vendor code 39068 and vendor type 1 to identify the UNAUTH-TLS method. Signed-hostap: Jouni Malinen <j@w1.fi>
* Use proper private enterprise number for EAP VENDOR-TESTJouni Malinen2012-08-221-1/+2
| | | | | | | Now that the project has its own code, it should be used with the VENDOR-TEST EAP method. Signed-hostap: Jouni Malinen <j@w1.fi>
* Add extra validation of EAP header length fieldJouni Malinen2012-08-072-12/+40
| | | | | | | | | These validation steps are already done in the EAP parsing code and in the EAP methods, but the additional check is defensive programming and can make the validation of received EAP messages more easier to understand. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Replace direct OpenSSL HMAC use with wrapperJouni Malinen2012-07-022-69/+86
| | | | | | | This is a step towards allowing EAP-pwd to be supported with other crypto libraries. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Avoid double-frees on some error pathsJouni Malinen2012-06-301-2/+4
| | | | | | | | | | At least some error paths (e.g., hitting the limit on hunt-and-peck iterations) could have resulted in double-freeing of some memory allocations. Avoid this by setting the pointers to NULL after they have been freed instead of trying to free the data structure in a location where some external references cannot be cleared. [Bug 453] Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Increase maximum number of hunting-and-pecking iterationsJouni Malinen2012-06-301-1/+1
| | | | | | | | | The previously used limit (10) is too small for practical purposes since it can result in about 1 out of 1000 authentication attempts failing. Increase the limit to 30 to avoid such issues. [Bug 453] Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* EAP-AKA': Update to RFC 5448Jouni Malinen2012-05-021-1/+1
| | | | | | | | | | | | | | | There was a technical change between the last IETF draft version (draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters used in the username (i.e., use unique characters for EAP-AKA' instead of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and peer implementations to use the leading characters based on the final RFC. Note: This will make EAP-AKA' not interoperate between the earlier draft version and the new version. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* Remove the GPL notification from files contributed by Jouni MalinenJouni Malinen2012-02-1127-216/+54
| | | | | | | Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove the GPL notification from EAP-pwd implementationJouni Malinen2012-02-112-16/+4
| | | | | | | | | Remove the GPL notification text from EAP-pwd implementation per approval from Dan Harkins who contributed these files. (email from Dan Harkins <dharkins@lounge.org> dated Wed, 4 Jan 2012 16:25:48 -0800) Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-pwd: Add support for fragmentationDan Harkins2012-02-111-6/+7
| | | | Signed-hostap: Dan Harkins <dharkins@lounge.org>
* EAP-pwd: Fix the argument name in compute_keys()Dan Harkins2012-02-111-4/+4
| | | | | | The parameters used here are confirm, not commit values. Signed-hostap: Dan Harkins <dharkins@lounge.org>