mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-25 00:38:24 -05:00
dd5d325b0a
Add the ability to ignore time-based CRL errors from OpenSSL by specifying a new configuration parameter, check_crl_strict=0. This causes the following: - This setting does nothing when CRL checking is not enabled. - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does. - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections. By default, check_crl_strict is set to 1, or strict mode, to keep current functionality. Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
297 lines
6.3 KiB
C
297 lines
6.3 KiB
C
/*
|
|
* Example application showing how EAP server code from hostapd can be used as
|
|
* a library.
|
|
* Copyright (c) 2007, Jouni Malinen <j@w1.fi>
|
|
*
|
|
* This software may be distributed under the terms of the BSD license.
|
|
* See README for more details.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#include "common.h"
|
|
#include "crypto/tls.h"
|
|
#include "eap_server/eap.h"
|
|
#include "wpabuf.h"
|
|
|
|
void eap_example_peer_rx(const u8 *data, size_t data_len);
|
|
|
|
|
|
struct eap_server_ctx {
|
|
struct eap_eapol_interface *eap_if;
|
|
struct eap_sm *eap;
|
|
void *tls_ctx;
|
|
};
|
|
|
|
static struct eap_server_ctx eap_ctx;
|
|
|
|
|
|
static int server_get_eap_user(void *ctx, const u8 *identity,
|
|
size_t identity_len, int phase2,
|
|
struct eap_user *user)
|
|
{
|
|
os_memset(user, 0, sizeof(*user));
|
|
|
|
if (!phase2) {
|
|
/* Only allow EAP-PEAP as the Phase 1 method */
|
|
user->methods[0].vendor = EAP_VENDOR_IETF;
|
|
user->methods[0].method = EAP_TYPE_PEAP;
|
|
return 0;
|
|
}
|
|
|
|
if (identity_len != 4 || identity == NULL ||
|
|
os_memcmp(identity, "user", 4) != 0) {
|
|
printf("Unknown user\n");
|
|
return -1;
|
|
}
|
|
|
|
/* Only allow EAP-MSCHAPv2 as the Phase 2 method */
|
|
user->methods[0].vendor = EAP_VENDOR_IETF;
|
|
user->methods[0].method = EAP_TYPE_MSCHAPV2;
|
|
user->password = (u8 *) os_strdup("password");
|
|
user->password_len = 8;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static const char * server_get_eap_req_id_text(void *ctx, size_t *len)
|
|
{
|
|
*len = 0;
|
|
return NULL;
|
|
}
|
|
|
|
|
|
static struct eapol_callbacks eap_cb;
|
|
static struct eap_config eap_conf;
|
|
|
|
static int eap_example_server_init_tls(void)
|
|
{
|
|
struct tls_config tconf;
|
|
struct tls_connection_params tparams;
|
|
|
|
os_memset(&tconf, 0, sizeof(tconf));
|
|
eap_ctx.tls_ctx = tls_init(&tconf);
|
|
if (eap_ctx.tls_ctx == NULL)
|
|
return -1;
|
|
|
|
os_memset(&tparams, 0, sizeof(tparams));
|
|
tparams.ca_cert = "ca.pem";
|
|
tparams.client_cert = "server.pem";
|
|
/* tparams.private_key = "server.key"; */
|
|
tparams.private_key = "server-key.pem";
|
|
/* tparams.private_key_passwd = "whatever"; */
|
|
tparams.dh_file = "dh.conf";
|
|
|
|
if (tls_global_set_params(eap_ctx.tls_ctx, &tparams)) {
|
|
printf("Failed to set TLS parameters\n");
|
|
return -1;
|
|
}
|
|
|
|
if (tls_global_set_verify(eap_ctx.tls_ctx, 0, 1)) {
|
|
printf("Failed to set check_crl\n");
|
|
return -1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int eap_server_register_methods(void)
|
|
{
|
|
int ret = 0;
|
|
|
|
#ifdef EAP_SERVER_IDENTITY
|
|
if (ret == 0)
|
|
ret = eap_server_identity_register();
|
|
#endif /* EAP_SERVER_IDENTITY */
|
|
|
|
#ifdef EAP_SERVER_MD5
|
|
if (ret == 0)
|
|
ret = eap_server_md5_register();
|
|
#endif /* EAP_SERVER_MD5 */
|
|
|
|
#ifdef EAP_SERVER_TLS
|
|
if (ret == 0)
|
|
ret = eap_server_tls_register();
|
|
#endif /* EAP_SERVER_TLS */
|
|
|
|
#ifdef EAP_SERVER_MSCHAPV2
|
|
if (ret == 0)
|
|
ret = eap_server_mschapv2_register();
|
|
#endif /* EAP_SERVER_MSCHAPV2 */
|
|
|
|
#ifdef EAP_SERVER_PEAP
|
|
if (ret == 0)
|
|
ret = eap_server_peap_register();
|
|
#endif /* EAP_SERVER_PEAP */
|
|
|
|
#ifdef EAP_SERVER_TLV
|
|
if (ret == 0)
|
|
ret = eap_server_tlv_register();
|
|
#endif /* EAP_SERVER_TLV */
|
|
|
|
#ifdef EAP_SERVER_GTC
|
|
if (ret == 0)
|
|
ret = eap_server_gtc_register();
|
|
#endif /* EAP_SERVER_GTC */
|
|
|
|
#ifdef EAP_SERVER_TTLS
|
|
if (ret == 0)
|
|
ret = eap_server_ttls_register();
|
|
#endif /* EAP_SERVER_TTLS */
|
|
|
|
#ifdef EAP_SERVER_SIM
|
|
if (ret == 0)
|
|
ret = eap_server_sim_register();
|
|
#endif /* EAP_SERVER_SIM */
|
|
|
|
#ifdef EAP_SERVER_AKA
|
|
if (ret == 0)
|
|
ret = eap_server_aka_register();
|
|
#endif /* EAP_SERVER_AKA */
|
|
|
|
#ifdef EAP_SERVER_AKA_PRIME
|
|
if (ret == 0)
|
|
ret = eap_server_aka_prime_register();
|
|
#endif /* EAP_SERVER_AKA_PRIME */
|
|
|
|
#ifdef EAP_SERVER_PAX
|
|
if (ret == 0)
|
|
ret = eap_server_pax_register();
|
|
#endif /* EAP_SERVER_PAX */
|
|
|
|
#ifdef EAP_SERVER_PSK
|
|
if (ret == 0)
|
|
ret = eap_server_psk_register();
|
|
#endif /* EAP_SERVER_PSK */
|
|
|
|
#ifdef EAP_SERVER_SAKE
|
|
if (ret == 0)
|
|
ret = eap_server_sake_register();
|
|
#endif /* EAP_SERVER_SAKE */
|
|
|
|
#ifdef EAP_SERVER_GPSK
|
|
if (ret == 0)
|
|
ret = eap_server_gpsk_register();
|
|
#endif /* EAP_SERVER_GPSK */
|
|
|
|
#ifdef EAP_SERVER_VENDOR_TEST
|
|
if (ret == 0)
|
|
ret = eap_server_vendor_test_register();
|
|
#endif /* EAP_SERVER_VENDOR_TEST */
|
|
|
|
#ifdef EAP_SERVER_FAST
|
|
if (ret == 0)
|
|
ret = eap_server_fast_register();
|
|
#endif /* EAP_SERVER_FAST */
|
|
|
|
#ifdef EAP_SERVER_WSC
|
|
if (ret == 0)
|
|
ret = eap_server_wsc_register();
|
|
#endif /* EAP_SERVER_WSC */
|
|
|
|
#ifdef EAP_SERVER_IKEV2
|
|
if (ret == 0)
|
|
ret = eap_server_ikev2_register();
|
|
#endif /* EAP_SERVER_IKEV2 */
|
|
|
|
#ifdef EAP_SERVER_TNC
|
|
if (ret == 0)
|
|
ret = eap_server_tnc_register();
|
|
#endif /* EAP_SERVER_TNC */
|
|
|
|
return ret;
|
|
}
|
|
|
|
|
|
int eap_example_server_init(void)
|
|
{
|
|
if (eap_server_register_methods() < 0)
|
|
return -1;
|
|
|
|
os_memset(&eap_ctx, 0, sizeof(eap_ctx));
|
|
|
|
if (eap_example_server_init_tls() < 0)
|
|
return -1;
|
|
|
|
os_memset(&eap_cb, 0, sizeof(eap_cb));
|
|
eap_cb.get_eap_user = server_get_eap_user;
|
|
eap_cb.get_eap_req_id_text = server_get_eap_req_id_text;
|
|
|
|
os_memset(&eap_conf, 0, sizeof(eap_conf));
|
|
eap_conf.eap_server = 1;
|
|
eap_conf.ssl_ctx = eap_ctx.tls_ctx;
|
|
|
|
eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf);
|
|
if (eap_ctx.eap == NULL)
|
|
return -1;
|
|
|
|
eap_ctx.eap_if = eap_get_interface(eap_ctx.eap);
|
|
|
|
/* Enable "port" and request EAP to start authentication. */
|
|
eap_ctx.eap_if->portEnabled = TRUE;
|
|
eap_ctx.eap_if->eapRestart = TRUE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
void eap_example_server_deinit(void)
|
|
{
|
|
eap_server_sm_deinit(eap_ctx.eap);
|
|
eap_server_unregister_methods();
|
|
tls_deinit(eap_ctx.tls_ctx);
|
|
}
|
|
|
|
|
|
int eap_example_server_step(void)
|
|
{
|
|
int res, process = 0;
|
|
|
|
res = eap_server_sm_step(eap_ctx.eap);
|
|
|
|
if (eap_ctx.eap_if->eapReq) {
|
|
printf("==> Request\n");
|
|
process = 1;
|
|
eap_ctx.eap_if->eapReq = 0;
|
|
}
|
|
|
|
if (eap_ctx.eap_if->eapSuccess) {
|
|
printf("==> Success\n");
|
|
process = 1;
|
|
res = 0;
|
|
eap_ctx.eap_if->eapSuccess = 0;
|
|
|
|
if (eap_ctx.eap_if->eapKeyAvailable) {
|
|
wpa_hexdump(MSG_DEBUG, "EAP keying material",
|
|
eap_ctx.eap_if->eapKeyData,
|
|
eap_ctx.eap_if->eapKeyDataLen);
|
|
}
|
|
}
|
|
|
|
if (eap_ctx.eap_if->eapFail) {
|
|
printf("==> Fail\n");
|
|
process = 1;
|
|
eap_ctx.eap_if->eapFail = 0;
|
|
}
|
|
|
|
if (process && eap_ctx.eap_if->eapReqData) {
|
|
/* Send EAP request to the peer */
|
|
eap_example_peer_rx(wpabuf_head(eap_ctx.eap_if->eapReqData),
|
|
wpabuf_len(eap_ctx.eap_if->eapReqData));
|
|
}
|
|
|
|
return res;
|
|
}
|
|
|
|
|
|
void eap_example_server_rx(const u8 *data, size_t data_len)
|
|
{
|
|
/* Make received EAP message available to the EAP library */
|
|
wpabuf_free(eap_ctx.eap_if->eapRespData);
|
|
eap_ctx.eap_if->eapRespData = wpabuf_alloc_copy(data, data_len);
|
|
if (eap_ctx.eap_if->eapRespData)
|
|
eap_ctx.eap_if->eapResp = TRUE;
|
|
}
|