mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-18 19:04:02 -05:00
EAP-pwd peer: Add support for salted password databases
These changes add support for salted password databases to EAP-pwd per RFC 8146. This commits introduces the framework for enabling this and the actual salting mechanisms are introduced in the following commits. Signed-off-by: Dan Harkins <dharkins@lounge.org>
This commit is contained in:
parent
b30639b77e
commit
44136f6ca2
@ -299,7 +299,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||||||
{
|
{
|
||||||
struct crypto_ec_point *K = NULL, *point = NULL;
|
struct crypto_ec_point *K = NULL, *point = NULL;
|
||||||
struct crypto_bignum *mask = NULL, *cofactor = NULL;
|
struct crypto_bignum *mask = NULL, *cofactor = NULL;
|
||||||
const u8 *ptr;
|
const u8 *ptr = payload;
|
||||||
u8 *scalar = NULL, *element = NULL;
|
u8 *scalar = NULL, *element = NULL;
|
||||||
size_t prime_len, order_len;
|
size_t prime_len, order_len;
|
||||||
const u8 *password;
|
const u8 *password;
|
||||||
@ -322,21 +322,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||||||
prime_len = crypto_ec_prime_len(data->grp->group);
|
prime_len = crypto_ec_prime_len(data->grp->group);
|
||||||
order_len = crypto_ec_order_len(data->grp->group);
|
order_len = crypto_ec_order_len(data->grp->group);
|
||||||
|
|
||||||
if (payload_len != 2 * prime_len + order_len) {
|
switch (data->prep) {
|
||||||
wpa_printf(MSG_INFO,
|
case EAP_PWD_PREP_MS:
|
||||||
"EAP-pwd: Unexpected Commit payload length %u (expected %u)",
|
wpa_printf(MSG_DEBUG,
|
||||||
(unsigned int) payload_len,
|
"EAP-pwd commit request, password prep is MS");
|
||||||
(unsigned int) (2 * prime_len + order_len));
|
|
||||||
goto fin;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (data->prep == EAP_PWD_PREP_MS) {
|
|
||||||
#ifdef CONFIG_FIPS
|
#ifdef CONFIG_FIPS
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_ERROR,
|
||||||
"EAP-PWD (peer): MS password hash not supported in FIPS mode");
|
"EAP-PWD (peer): MS password hash not supported in FIPS mode");
|
||||||
eap_pwd_state(data, FAILURE);
|
eap_pwd_state(data, FAILURE);
|
||||||
return;
|
return;
|
||||||
#else /* CONFIG_FIPS */
|
#else /* CONFIG_FIPS */
|
||||||
|
if (payload_len != 2 * prime_len + order_len) {
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"EAP-pwd: Unexpected Commit payload length %u (expected %u)",
|
||||||
|
(unsigned int) payload_len,
|
||||||
|
(unsigned int) (2 * prime_len + order_len));
|
||||||
|
goto fin;
|
||||||
|
}
|
||||||
if (data->password_hash) {
|
if (data->password_hash) {
|
||||||
res = hash_nt_password_hash(data->password, pwhashhash);
|
res = hash_nt_password_hash(data->password, pwhashhash);
|
||||||
} else {
|
} else {
|
||||||
@ -357,9 +359,32 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||||||
password = pwhashhash;
|
password = pwhashhash;
|
||||||
password_len = sizeof(pwhashhash);
|
password_len = sizeof(pwhashhash);
|
||||||
#endif /* CONFIG_FIPS */
|
#endif /* CONFIG_FIPS */
|
||||||
} else {
|
break;
|
||||||
|
case EAP_PWD_PREP_NONE:
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"EAP-pwd commit request, password prep is NONE");
|
||||||
|
if (data->password_hash) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"EAP-PWD: Unhashed password not available");
|
||||||
|
eap_pwd_state(data, FAILURE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (payload_len != 2 * prime_len + order_len) {
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"EAP-pwd: Unexpected Commit payload length %u (expected %u)",
|
||||||
|
(unsigned int) payload_len,
|
||||||
|
(unsigned int) (2 * prime_len + order_len));
|
||||||
|
goto fin;
|
||||||
|
}
|
||||||
password = data->password;
|
password = data->password;
|
||||||
password_len = data->password_len;
|
password_len = data->password_len;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"EAP-pwd: Unsupported password pre-processing technique (Prep=%u)",
|
||||||
|
data->prep);
|
||||||
|
eap_pwd_state(data, FAILURE);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* compute PWE */
|
/* compute PWE */
|
||||||
@ -433,7 +458,6 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* element, x then y, followed by scalar */
|
/* element, x then y, followed by scalar */
|
||||||
ptr = payload;
|
|
||||||
data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
|
data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
|
||||||
if (!data->server_element) {
|
if (!data->server_element) {
|
||||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
|
wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
|
||||||
|
Loading…
Reference in New Issue
Block a user