From: Pali Rohár
To: hostap@lists.infradead.org
Cc: Pali Rohár
Subject: [PATCH] EAP-TTLS: Fix parsing auth= and autheap= Phase2 params
Date: Sun, 6 Dec 2015 12:01:32 +0100
Message-Id: <1449399692-21998-1-git-send-email-pali.rohar@gmail.com>

This patch fixes a security issue where the Phase2 param auth=MSCHAPv2 was handled as MSCHAP (v1), which degraded security. Now when invalid or unsupported auth= Phase2 param combinations are specified, EAP-TTLS throws an error instead of silently doing something. More than one auth= Phase2 type cannot be specified, and both auth= and autheap= options cannot be specified.
Parsing Phase2 type is case sensitive (as in other EAP parts), so Phase2 param auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct. Signed-off-by: Pali Rohár --- src/eap_peer/eap_ttls.c | 78 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 66 insertions(+), 12 deletions(-) diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c index b186c91..fa9d60d 100644 --- a/src/eap_peer/eap_ttls.c +++ b/src/eap_peer/eap_ttls.c @@ -70,6 +70,7 @@ static void * eap_ttls_init(struct eap_sm *sm) { struct eap_ttls_data *data; struct eap_peer_config *config = eap_get_config(sm); + int selected_non_eap; char *selected; data = os_zalloc(sizeof(*data)); 
@@ -77,26 +78,79 @@ static void * eap_ttls_init(struct eap_sm *sm) return NULL; data->ttls_version = EAP_TTLS_VERSION; selected = "EAP"; + selected_non_eap = 0; data->phase2_type = EAP_TTLS_PHASE2_EAP; + /* Either one auth= type is specified or more autheap= methods are specified */ if (config && config->phase2) { + char *start, *pos, *buf; + + start = buf = os_strdup(config->phase2); + if (buf == NULL) { + eap_ttls_deinit(sm, data); + return NULL; + } + + while (start && *start != '\0') { + pos = os_strstr(start, "auth="); + if (pos == NULL) + break; + if (start != pos && *(pos - 1) != ' ') { + start = pos + 5; /* os_strlen("auth=") */ + continue; + } + + start = pos + 5; /* os_strlen("auth=") */ + pos = os_strchr(start, ' '); + if (pos) + *pos++ = '\0'; + + if (os_strcmp(start, "MSCHAPV2") == 0) { + selected = "MSCHAPV2"; + data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; + } else if (os_strcmp(start, "MSCHAP") == 0) { + selected = "MSCHAP"; + data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; + } else if (os_strcmp(start, "PAP") == 0) { + selected = "PAP"; + data->phase2_type = EAP_TTLS_PHASE2_PAP; + } else if (os_strcmp(start, "CHAP") == 0) { + selected = "CHAP"; + data->phase2_type = EAP_TTLS_PHASE2_CHAP; + } else { + wpa_printf(MSG_ERROR, "EAP-TTLS: Unsupported Phase2 " + "type '%s'", start); + os_free(buf); + eap_ttls_deinit(sm, data); + return NULL; + } + + if (selected_non_eap) { + wpa_printf(MSG_ERROR, "EAP-TTLS: Only one Phase2 " + "type can be specified"); + os_free(buf); + eap_ttls_deinit(sm, data); + return NULL; + } + + selected_non_eap = 1; + start = pos; + } + + os_free(buf); + if (os_strstr(config->phase2, "autheap=")) { + if (selected_non_eap) { + wpa_printf(MSG_ERROR, "EAP-TTLS: Both auth= and " + "autheap= params cannot be specified"); + eap_ttls_deinit(sm, data); + return NULL; + } selected = "EAP"; data->phase2_type = EAP_TTLS_PHASE2_EAP; - } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { - selected = "MSCHAPV2"; - data->phase2_type = 
EAP_TTLS_PHASE2_MSCHAPV2; - } else if (os_strstr(config->phase2, "auth=MSCHAP")) { - selected = "MSCHAP"; - data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; - } else if (os_strstr(config->phase2, "auth=PAP")) { - selected = "PAP"; - data->phase2_type = EAP_TTLS_PHASE2_PAP; - } else if (os_strstr(config->phase2, "auth=CHAP")) { - selected = "CHAP"; - data->phase2_type = EAP_TTLS_PHASE2_CHAP; } } + wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
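Review bot: the word-boundary test `if (start != pos && *(pos - 1) != ' ')` in the new while loop is relative to `start`, not to the token's real left neighbour, so once a false hit advances `start` to `pos + 5`, an `auth=` that immediately follows it (a constructed `xauth=auth=PAP`, say) sits at `start == pos` and is accepted without any boundary check; the `autheap=` branch further down still uses a bare `os_strstr(config->phase2, "autheap=")` with no boundary or value check at all. Tokenising `buf` on ' ' first and testing each token with `os_strncmp(token, "auth=", 5)` and `os_strncmp(token, "autheap=", 8)` would drop the `*(pos - 1)` lookback and the repeated magic `5`, and give both keywords the same treatment. This hunk also turns unknown or wrong-case values (the commit message's `auth=MSCHAPv2`) into a hard init failure instead of the old silent fallback to EAP; since the diffstat touches only src/eap_peer/eap_ttls.c, the phase2 option documentation should state that the value is case sensitive and that only one auth= may be given.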
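Added example, not code from this patch or from hostap: the old substring matching beside a tokenised, exact-match parser, showing why `auth=MSCHAPv2` used to select MSCHAP (v1) and is now rejected. `old_parse`, `new_parse`, the `phase2` enum and the 256-byte buffer are constructed stand-ins for the logic in eap_ttls_init.

```c
#include <string.h>

/* Added example, not the patch's own code: contrasts the old substring
 * matching with exact per-token comparison for the phase2 "auth=" value. */
enum phase2 { P2_EAP, P2_MSCHAPV2, P2_MSCHAP, P2_PAP, P2_CHAP, P2_INVALID };

/* Old behaviour: first substring hit wins. "auth=MSCHAPv2" fails the
 * "auth=MSCHAPV2" test but satisfies "auth=MSCHAP", selecting MSCHAP (v1). */
enum phase2 old_parse(const char *phase2)
{
	if (strstr(phase2, "autheap=")) return P2_EAP;
	if (strstr(phase2, "auth=MSCHAPV2")) return P2_MSCHAPV2;
	if (strstr(phase2, "auth=MSCHAP")) return P2_MSCHAP;
	if (strstr(phase2, "auth=PAP")) return P2_PAP;
	if (strstr(phase2, "auth=CHAP")) return P2_CHAP;
	return P2_EAP;
}

/* Hardened: split on spaces, compare each auth= value exactly (case
 * sensitive), and reject unknown values, a second auth=, or auth= mixed
 * with autheap=. P2_INVALID stands for the patch's error-and-return-NULL. */
enum phase2 new_parse(const char *phase2)
{
	char buf[256], *tok;	/* constructed size; eap_ttls.c uses os_strdup */
	const char *v;
	enum phase2 sel = P2_EAP;
	int have_auth = 0, have_autheap = 0;

	if (strlen(phase2) >= sizeof(buf))
		return P2_INVALID;
	strcpy(buf, phase2);
	for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
		if (strncmp(tok, "autheap=", 8) == 0) {
			have_autheap = 1;
			continue;
		}
		if (strncmp(tok, "auth=", 5) != 0)
			continue;	/* unrelated key=value token */
		if (have_auth)
			return P2_INVALID;	/* only one auth= allowed */
		have_auth = 1;
		v = tok + 5;
		if (strcmp(v, "MSCHAPV2") == 0) sel = P2_MSCHAPV2;
		else if (strcmp(v, "MSCHAP") == 0) sel = P2_MSCHAP;
		else if (strcmp(v, "PAP") == 0) sel = P2_PAP;
		else if (strcmp(v, "CHAP") == 0) sel = P2_CHAP;
		else return P2_INVALID;	/* e.g. "MSCHAPv2": wrong case */
	}
	return (have_auth && have_autheap) ? P2_INVALID : sel;
}
```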