{"id":793941,"url":"http://patchwork.ozlabs.org/api/patches/793941/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/1500953151-5022-1-git-send-email-tomoharu.hatano@sony.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<1500953151-5022-1-git-send-email-tomoharu.hatano@sony.com>","list_archive_url":null,"date":"2017-07-25T03:25:51","name":"Send Client-Error when AT_KDF attributes from the server are incorrect","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"670c1b12b1466dc018f30fecc240535ad97006dd","submitter":{"id":72046,"url":"http://patchwork.ozlabs.org/api/people/72046/?format=json","name":"Hatano, Tomoharu (Sony Mobile)","email":"tomoharu.hatano@sony.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/1500953151-5022-1-git-send-email-tomoharu.hatano@sony.com/mbox/","series":[],"comments":"http://patchwork.ozlabs.org/api/patches/793941/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/793941/checks/","tags":{},"related":[],"headers":{"From":"Tomoharu Hatano <tomoharu.hatano@sony.com>","To":"<hostap@lists.infradead.org>","Subject":"[PATCH] Send Client-Error when AT_KDF attributes from the server are\n\tincorrect","Date":"Tue, 25 Jul 2017 12:25:51 +0900","Message-ID":"<1500953151-5022-1-git-send-email-tomoharu.hatano@sony.com>","X-Mailer":"git-send-email 2.7.4","MIME-Version":"1.0","List-Id":"<hostap.lists.infradead.org>","List-Archive":"<http://lists.infradead.org/pipermail/hostap/>","List-Post":"<mailto:hostap@lists.infradead.org>","Cc":"Tomoharu Hatano <tomoharu.hatano@sony.com>,\n\tAkihiro Onodera <akihiro.onodera@sony.com>, Tomonori.Nanbu@sony.com, \n\tShinji.Sogo@sony.com","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit"},"content":"From: Akihiro Onodera <akihiro.onodera@sony.com>\n\nAfter KDF negotiation, must check only requested change occurred in the\nlist of AT_KDF attributes. If there are any other changes, the peer must\nbehave like the case that AT_MAC had been incorrect and authentication\nis failed. 
These are defined in EAP-AKA' specification RFC5448.\n\nAdds a complete check of AT_KDF attributes and sends Client-Error if a\nchange which is not requested is included in it.\n\nChange-Id: Ic8ac504a7ff01992e2632d35c243f53bdd27df74\nSigned-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>\n---\n src/eap_peer/eap_aka.c | 42 +++++++++++++++++++++++++++---------------\n 1 file changed, 27 insertions(+), 15 deletions(-)","diff":"diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c\nindex 0bac62d..9a09184 100644\n--- a/src/eap_peer/eap_aka.c\n+++ b/src/eap_peer/eap_aka.c\n@@ -53,6 +53,8 @@ struct eap_aka_data {\n \tsize_t network_name_len;\n \tu16 kdf;\n \tint kdf_negotiation;\n+\tu16 last_kdf_attrs[EAP_AKA_PRIME_KDF_MAX];\n+\tsize_t last_kdf_count;\n };\n \n \n@@ -817,9 +819,12 @@ static struct wpabuf * eap_aka_prime_kdf_neg(struct eap_aka_data *data,\n \tsize_t i;\n \n \tfor (i = 0; i < attr->kdf_count; i++) {\n-\t\tif (attr->kdf[i] == EAP_AKA_PRIME_KDF)\n+\t\tif (attr->kdf[i] == EAP_AKA_PRIME_KDF) {\n+\t\t\tos_memcpy(data->last_kdf_attrs, attr->kdf, sizeof(u16) * attr->kdf_count);\n+\t\t\tdata->last_kdf_count = attr->kdf_count;\n \t\t\treturn eap_aka_prime_kdf_select(data, id,\n \t\t\t\t\t\t\tEAP_AKA_PRIME_KDF);\n+\t\t}\n \t}\n \n \t/* No matching KDF found - fail authentication as if AUTN had been\n@@ -840,26 +845,30 @@ static int eap_aka_prime_kdf_valid(struct eap_aka_data *data,\n \t * of the selected KDF into the beginning of the list. */\n \n \tif (data->kdf_negotiation) {\n+\t\t/* When the peer receives the new EAP-Request/AKA'-Challenge message, must check\n+\t\t * only requested change occurred in the list of AT_KDF attributes. If there are any\n+\t\t * other changes, the peer must behave like the case that AT_MAC had been incorrect\n+\t\t * and authentication is failed. These are defined in EAP-AKA' specification\n+\t\t * RFC5448. 
*/\n \t\tif (attr->kdf[0] != data->kdf) {\n \t\t\twpa_printf(MSG_WARNING, \"EAP-AKA': The server did not \"\n \t\t\t\t   \"accept the selected KDF\");\n-\t\t\treturn 0;\n+\t\t\treturn -1;\n \t\t}\n \n-\t\tfor (i = 1; i < attr->kdf_count; i++) {\n-\t\t\tif (attr->kdf[i] == data->kdf)\n-\t\t\t\tbreak;\n-\t\t}\n-\t\tif (i == attr->kdf_count &&\n-\t\t    attr->kdf_count < EAP_AKA_PRIME_KDF_MAX) {\n-\t\t\twpa_printf(MSG_WARNING, \"EAP-AKA': The server did not \"\n-\t\t\t\t   \"duplicate the selected KDF\");\n-\t\t\treturn 0;\n+\t\tif (attr->kdf_count > EAP_AKA_PRIME_KDF_MAX ||\n+\t\t    attr->kdf_count != (data->last_kdf_count + 1)) {\n+\t\t\twpa_printf(MSG_WARNING, \"EAP-AKA': The length of KDF attributes is wrong\");\n+\t\t\treturn -1;\n \t\t}\n \n-\t\t/* TODO: should check that the list is identical to the one\n-\t\t * used in the previous Challenge message apart from the added\n-\t\t * entry in the beginning. */\n+\t\tfor (i = 1; i < attr->kdf_count; i++) {\n+\t\t\tif (attr->kdf[i] != data->last_kdf_attrs[i - 1]) {\n+\t\t\t\twpa_printf(MSG_WARNING, \"EAP-AKA': The KDF attributes except \"\n+\t\t\t\t\t   \"selected KDF are not same as original one.\");\n+\t\t\t\treturn -1;\n+\t\t\t}\n+\t\t}\n \t}\n \n \tfor (i = data->kdf ? 1 : 0; i < attr->kdf_count; i++) {\n@@ -922,8 +931,11 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,\n \t\t\t\t  data->network_name, data->network_name_len);\n \t\t/* TODO: check Network Name per 3GPP.33.402 */\n \n-\t\tif (!eap_aka_prime_kdf_valid(data, attr))\n+\t\tres = eap_aka_prime_kdf_valid(data, attr);\n+\t\tif (res == 0)\n \t\t\treturn eap_aka_authentication_reject(data, id);\n+\t\telse if (res == -1)\n+\t\t\treturn eap_aka_client_error(data, id, EAP_AKA_UNABLE_TO_PROCESS_PACKET);\n \n \t\tif (attr->kdf[0] != EAP_AKA_PRIME_KDF)\n \t\t\treturn eap_aka_prime_kdf_neg(data, id, attr);\n","prefixes":[]}
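Review bot: The new `last_kdf_attrs` / `last_kdf_count` members in `struct eap_aka_data` (first hunk) are persistent state, and nothing in this patch clears them; they are only written when `eap_aka_prime_kdf_neg()` finds a matching KDF. If a later challenge runs through the `data->kdf_negotiation` path after the method has been restarted, the comparison in `eap_aka_prime_kdf_valid()` would be made against a stale list. Consider resetting `last_kdf_count = 0` wherever `kdf_negotiation` itself is reset, and document in the struct that the fields hold the AT_KDF list from the previous Challenge.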
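Review bot: In the `eap_aka_prime_kdf_neg()` hunk, `os_memcpy(data->last_kdf_attrs, attr->kdf, sizeof(u16) * attr->kdf_count)` copies `attr->kdf_count` entries into a buffer sized `EAP_AKA_PRIME_KDF_MAX` with no bound check in this function; the copy is safe only because the attribute parser already caps `kdf_count`, and that assumption should be stated in a comment or enforced locally with `if (attr->kdf_count > EAP_AKA_PRIME_KDF_MAX)` before the copy (the equivalent check in `eap_aka_prime_kdf_valid()` runs only on the second Challenge, after this copy has happened). The `os_memcpy` line also exceeds the 79-column limit used in this file; wrap it like the surrounding `eap_aka_prime_kdf_select()` call.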
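Review bot: The `eap_aka_prime_kdf_valid()` hunk changes behaviour for a full list: the removed code tolerated a missing duplicate when `attr->kdf_count < EAP_AKA_PRIME_KDF_MAX` was false, whereas the new checks require `attr->kdf_count == data->last_kdf_count + 1` and reject `attr->kdf_count > EAP_AKA_PRIME_KDF_MAX`, so a server whose first AT_KDF list already had `EAP_AKA_PRIME_KDF_MAX` entries can never pass negotiation. The commit message should say this is intended (it does follow the RFC 5448 rule that the only permitted change is the selected KDF added at the front). The element-by-element loop could be replaced by a single `os_memcmp(&attr->kdf[1], data->last_kdf_attrs, sizeof(u16) * data->last_kdf_count)`, and the new block comment and the two `wpa_printf` lines exceed 79 columns; the second message also reads awkwardly ("are not same as original one").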
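Review bot: In the `eap_aka_process_challenge()` hunk, `eap_aka_prime_kdf_valid()` now has a three-valued return (1 = valid, 0 = reject as if AUTN were invalid, -1 = send Client-Error), but the contract is encoded only as magic numbers at the call site; add a comment above `eap_aka_prime_kdf_valid()` stating the three return values so the `res == 0` / `res == -1` branches can be understood without reading both functions. The `else` after `return` is unnecessary, and the `return eap_aka_client_error(data, id, EAP_AKA_UNABLE_TO_PROCESS_PACKET);` line exceeds 79 columns and should be wrapped like the other `eap_aka_client_error()` calls in this file.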