From 5a1480c7c46c4236d93bfd303dde32062bee04ac Mon Sep 17 00:00:00 2001
From: Dmitry Shmidt
Date: Mon, 12 May 2014 09:46:02 -0700
Subject: Cumulative patch from commit f4626235de4b6d19c7399a2522241f7c43e0caf6
f462623 EAP-pwd server: Allow fragment_size to be configured
c876dcd EAP-IKEv2: Allow frag ack without integrity checksum
0f73c64 EAP-pwd: Fix processing of group setup failure
13e2574 EAP-pwd peer: Export Session-Id through getSessionId callback
cfdb32e eapol_test: Check EAP-Key-Name
251c53e RADIUS: Define EAP-Key-Name
04cad50 EAP-SIM peer: Fix counter-too-small message building
270c9a4 Interworking: Allow FT to be used for connection
81ed499 Remove duplicated ibss_rsn_deinit() call
144f104 X.509: Fix v3 parsing with issuerUniqueID/subjectUniqueID present
0f1034e P2P: Refrain from performing extended listen during P2P connection
8d0dd4e Add macsec_qca driver wrapper
dd10abc MACsec: wpa_supplicant integration
887d9d0 MACsec: Add PAE implementation
7baec80 MACsec: Add driver_ops
4e9528c MACsec: Add common IEEE 802.1X definitions
3bcfab8 MACsec: Add define for EAPOL type MKA
0836c04 MACsec: Allow EAPOL version 3 to be configured
49be483 Add function to fetch EAP Session-Id from EAPOL supplicant
ea40a57 nl80211: Use max associated STAs information in AP mode
Change-Id: I0e37a10ca58d0dc1be95a0088d6a4c37b2505ad4
Signed-off-by: Dmitry Shmidt
---
 src/eap_server/eap_server_ikev2.c | 9 ++++++---
 src/eap_server/eap_server_pwd.c | 10 +++++++---
 2 files changed, 13 insertions(+), 6 deletions(-)
(limited to 'src/eap_server')
diff --git a/src/eap_server/eap_server_ikev2.c b/src/eap_server/eap_server_ikev2.c
index 1ada0c8a..3e32cc90 100644
--- a/src/eap_server/eap_server_ikev2.c
+++ b/src/eap_server/eap_server_ikev2.c
@@ -256,7 +256,8 @@ static Boolean eap_ikev2_check(struct eap_sm *sm, void *priv,
 static int eap_ikev2_process_icv(struct eap_ikev2_data *data,
 const struct wpabuf *respData,
- u8 flags, const u8 *pos, const u8 **end)
+ u8 flags, const u8 *pos, const u8 **end,
+ int frag_ack)
 {
 if (flags & IKEV2_FLAGS_ICV_INCLUDED) {
 int icv_len = eap_ikev2_validate_icv(
@@ -266,7 +267,7 @@ static int eap_ikev2_process_icv(struct eap_ikev2_data *data,
 return -1;
 /* Hide Integrity Checksum Data from further processing */
 *end -= icv_len;
- } else if (data->keys_ready) {
+ } else if (data->keys_ready && !frag_ack) {
 wpa_printf(MSG_INFO, "EAP-IKEV2: The message should have "
 "included integrity checksum");
 return -1;
@@ -365,7 +366,9 @@ static void eap_ikev2_process(struct eap_sm *sm, void *priv,
 } else
 flags = *pos++;
- if (eap_ikev2_process_icv(data, respData, flags, pos, &end) < 0) {
+ if (eap_ikev2_process_icv(data, respData, flags, pos, &end,
+ data->state == WAIT_FRAG_ACK && len == 0) < 0)
+ {
 eap_ikev2_state(data, FAIL);
 return;
 }
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 3467dd16..ec53481f 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -45,6 +45,7 @@ struct eap_pwd_data {
 u8 msk[EAP_MSK_LEN];
 u8 emsk[EAP_EMSK_LEN];
+ u8 session_id[1 + SHA256_MAC_LEN];
 BN_CTX *bnctx;
 };
@@ -123,7 +124,8 @@ static void * eap_pwd_init(struct eap_sm *sm)
 data->in_frag_pos = data->out_frag_pos = 0;
 data->inbuf = data->outbuf = NULL;
- data->mtu = 1020; /* default from RFC 5931, make it configurable! */
+ /* use default MTU from RFC 5931 if not configured otherwise */
+ data->mtu = sm->fragment_size > 0 ? sm->fragment_size : 1020;
 return data;
 }
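Review bot: In the `@@ -266` hunk the new `!frag_ack` term lets a message without an integrity checksum through even after `keys_ready` is set, and nothing at the branch says why that is acceptable or records that it happened. A comment on the condition would pin the intent, for example `/* a fragment ack has an empty payload and may omit the ICV; every other message must carry it once keys are ready */`. A following `else if (data->keys_ready)` branch that only logs at debug level, `wpa_printf(MSG_DEBUG, "EAP-IKEV2: Fragment ack accepted without ICV");`, would make unauthenticated acks visible when a session is traced. The function's signature, including the new `frag_ack` parameter, is in the previous hunk.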
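Review bot: The condition that waives the checksum, `data->state == WAIT_FRAG_ACK && len == 0`, is buried as the last call argument in the `@@ -365` hunk, which hides the one security-relevant decision of this change and leaves a lone `{` on its own line. Computing it into a named local just before the call, `frag_ack = data->state == WAIT_FRAG_ACK && len == 0;`, and passing `frag_ack` lets the call wrap normally with the brace back on the `if`. The `len == 0` term is what keeps payload bytes from being processed without an ICV, so a short comment saying it must stay part of the test is worth adding. `len` and the rest of eap_ikev2_process are set up outside this hunk.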
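Review bot: The `1 +` in `u8 session_id[1 + SHA256_MAC_LEN];` (`@@ -45` hunk) is unexplained, and the buffer size is an unwritten contract with `compute_keys()`, which in the `@@ -841` hunk receives only the pointer `data->session_id` and no length. A field comment such as `/* one leading octet (presumably the EAP type) followed by a SHA-256 digest; filled by compute_keys() */` would record the layout and the writer. None of the eap_server_pwd.c hunks shown reads the field back, so it is worth confirming that the server-side copy of the Session-Id has a consumer.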
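Review bot: The new assignment in the `@@ -123` hunk accepts any positive `sm->fragment_size`, so a configured value smaller than the per-fragment EAP-pwd header overhead would be taken as the MTU. The fragmentation code is outside this hunk, but if it subtracts the header size from `data->mtu`, a too-small value could wrap or leave no room for payload. A lower bound applied here, e.g. `if (data->mtu < EAP_PWD_MIN_MTU) data->mtu = EAP_PWD_MIN_MTU;` with `EAP_PWD_MIN_MTU` standing as a placeholder for a constant the project would define, avoids depending on the configuration being sane. The bare `1020` could become a named default at the same time.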
@@ -598,7 +600,8 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
 wpa_hexdump_ascii(MSG_DEBUG, "EAP-PWD (server): peer sent id of",
 data->id_peer, data->id_peer_len);
- if ((data->grp = os_malloc(sizeof(EAP_PWD_group))) == NULL) {
+ data->grp = os_zalloc(sizeof(EAP_PWD_group));
+ if (data->grp == NULL) {
 wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
 "group");
 return;
@@ -841,7 +844,8 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
 wpa_printf(MSG_DEBUG, "EAP-pwd (server): confirm verified");
 if (compute_keys(data->grp, data->bnctx, data->k,
 data->peer_scalar, data->my_scalar, conf,
- data->my_confirm, &cs, data->msk, data->emsk) < 0)
+ data->my_confirm, &cs, data->msk, data->emsk,
+ data->session_id) < 0)
 eap_pwd_state(data, FAILURE);
 else
 eap_pwd_state(data, SUCCESS);
--
cgit v1.2.3
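Review bot: The allocation-failure branch in the `@@ -598` hunk still only logs and returns, so from what is visible the method stays in its current state after `os_zalloc()` fails. Unless a caller handles that case, setting the failure state before returning, `eap_pwd_state(data, FAILURE);` as the confirm path in the `@@ -841` hunk does, would end the exchange explicitly. The switch to `os_zalloc()` also deserves a one-line comment, e.g. `/* zeroed so cleanup after a partial group setup does not see stale pointers */`, since that appears to be the reason for the change. The rest of eap_pwd_process_id_resp lies outside the hunk.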