diff options
author | Jouni Malinen <j@w1.fi> | 2008-12-02 21:05:38 +0200 |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2008-12-02 21:05:38 +0200 |
commit | f54e2c34bf822dbc30074c01196451224f5fd2cb (patch) | |
tree | 770547ad7169b5b7304b3836e0249b235c9ca4a8 /src | |
parent | f09d19d46af60aeba12c19228fb22f57a0859829 (diff) | |
download | external_wpa_supplicant_8_ti-f54e2c34bf822dbc30074c01196451224f5fd2cb.zip external_wpa_supplicant_8_ti-f54e2c34bf822dbc30074c01196451224f5fd2cb.tar.gz external_wpa_supplicant_8_ti-f54e2c34bf822dbc30074c01196451224f5fd2cb.tar.bz2 |
EAP-AKA': Use SHA256 for AT_CHECKCODE
Diffstat (limited to 'src')
-rw-r--r-- | src/eap_common/eap_sim_common.c | 5 | ||||
-rw-r--r-- | src/eap_common/eap_sim_common.h | 5 | ||||
-rw-r--r-- | src/eap_peer/eap_aka_prime.c | 30 | ||||
-rw-r--r-- | src/eap_server/eap_aka_prime.c | 26 |
4 files changed, 46 insertions, 20 deletions
diff --git a/src/eap_common/eap_sim_common.c b/src/eap_common/eap_sim_common.c index 9a0a1e5..318702a 100644 --- a/src/eap_common/eap_sim_common.c +++ b/src/eap_common/eap_sim_common.c @@ -1,5 +1,5 @@ /* - * EAP peer/server: EAP-SIM/AKA shared routines + * EAP peer/server: EAP-SIM/AKA/AKA' shared routines * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify @@ -554,7 +554,8 @@ int eap_sim_parse_attr(const u8 *start, const u8 *end, } apos += 2; alen -= 2; - if (alen != 0 && alen != EAP_AKA_CHECKCODE_LEN) { + if (alen != 0 && alen != EAP_AKA_CHECKCODE_LEN && + alen != EAP_AKA_PRIME_CHECKCODE_LEN) { wpa_printf(MSG_INFO, "EAP-AKA: Invalid " "AT_CHECKCODE (len %lu)", (unsigned long) alen); diff --git a/src/eap_common/eap_sim_common.h b/src/eap_common/eap_sim_common.h index 98b632c..d64ef13 100644 --- a/src/eap_common/eap_sim_common.h +++ b/src/eap_common/eap_sim_common.h @@ -1,6 +1,6 @@ /* - * EAP peer/server: EAP-SIM/AKA shared routines - * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi> + * EAP peer/server: EAP-SIM/AKA/AKA' shared routines + * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as @@ -70,6 +70,7 @@ #define EAP_AKA_MIN_RES_LEN 4 #define EAP_AKA_MAX_RES_LEN 16 #define EAP_AKA_CHECKCODE_LEN 20 +#define EAP_AKA_PRIME_CHECKCODE_LEN 32 struct wpabuf; diff --git a/src/eap_peer/eap_aka_prime.c b/src/eap_peer/eap_aka_prime.c index e09aaf7..c2151b1 100644 --- a/src/eap_peer/eap_aka_prime.c +++ b/src/eap_peer/eap_aka_prime.c @@ -19,6 +19,7 @@ #include "pcsc_funcs.h" #include "eap_common/eap_sim_common.h" #include "sha1.h" +#include "sha256.h" #include "crypto.h" #include "eap_peer/eap_config.h" #ifdef CONFIG_USIM_SIMULATOR @@ -309,7 +310,7 @@ static void eap_aka_add_checkcode(struct eap_aka_data *data, { const u8 *addr; size_t len; - u8 hash[SHA1_MAC_LEN]; + u8 hash[SHA256_MAC_LEN]; wpa_printf(MSG_DEBUG, " AT_CHECKCODE"); @@ -322,14 +323,18 @@ static void eap_aka_add_checkcode(struct eap_aka_data *data, return; } - /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */ + /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ addr = wpabuf_head(data->id_msgs); len = wpabuf_len(data->id_msgs); wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len); - sha1_vector(1, &addr, &len, hash); + if (data->eap_method == EAP_TYPE_AKA_PRIME) + sha256_vector(1, &addr, &len, hash); + else + sha1_vector(1, &addr, &len, hash); eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash, - EAP_AKA_CHECKCODE_LEN); + data->eap_method == EAP_TYPE_AKA_PRIME ? + EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN); } @@ -338,7 +343,8 @@ static int eap_aka_verify_checkcode(struct eap_aka_data *data, { const u8 *addr; size_t len; - u8 hash[SHA1_MAC_LEN]; + u8 hash[SHA256_MAC_LEN]; + size_t hash_len; if (checkcode == NULL) return -1; @@ -353,19 +359,25 @@ static int eap_aka_verify_checkcode(struct eap_aka_data *data, return 0; } - if (checkcode_len != EAP_AKA_CHECKCODE_LEN) { + hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ? + EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN; + + if (checkcode_len != hash_len) { wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server " "indicates that AKA/Identity message were not " "used, but they were"); return -1; } - /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */ + /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ addr = wpabuf_head(data->id_msgs); len = wpabuf_len(data->id_msgs); - sha1_vector(1, &addr, &len, hash); + if (data->eap_method == EAP_TYPE_AKA_PRIME) + sha256_vector(1, &addr, &len, hash); + else + sha1_vector(1, &addr, &len, hash); - if (os_memcmp(hash, checkcode, EAP_AKA_CHECKCODE_LEN) != 0) { + if (os_memcmp(hash, checkcode, hash_len) != 0) { wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE"); return -1; } diff --git a/src/eap_server/eap_aka_prime.c b/src/eap_server/eap_aka_prime.c index aaeef42..c4d7359 100644 --- a/src/eap_server/eap_aka_prime.c +++ b/src/eap_server/eap_aka_prime.c @@ -19,6 +19,7 @@ #include "eap_common/eap_sim_common.h" #include "eap_server/eap_sim_db.h" #include "sha1.h" +#include "sha256.h" #include "crypto.h" @@ -149,7 +150,7 @@ static void eap_aka_add_checkcode(struct eap_aka_data *data, { const u8 *addr; size_t len; - u8 hash[SHA1_MAC_LEN]; + u8 hash[SHA256_MAC_LEN]; wpa_printf(MSG_DEBUG, " AT_CHECKCODE"); @@ -166,10 +167,14 @@ static void eap_aka_add_checkcode(struct eap_aka_data *data, addr = wpabuf_head(data->id_msgs); len = wpabuf_len(data->id_msgs); wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len); - sha1_vector(1, &addr, &len, hash); + if (data->eap_method == EAP_TYPE_AKA_PRIME) + sha256_vector(1, &addr, &len, hash); + else + sha1_vector(1, &addr, &len, hash); eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash, - EAP_AKA_CHECKCODE_LEN); + data->eap_method == EAP_TYPE_AKA_PRIME ? + EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN); } @@ -178,7 +183,8 @@ static int eap_aka_verify_checkcode(struct eap_aka_data *data, { const u8 *addr; size_t len; - u8 hash[SHA1_MAC_LEN]; + u8 hash[SHA256_MAC_LEN]; + size_t hash_len; if (checkcode == NULL) return -1; @@ -193,7 +199,10 @@ static int eap_aka_verify_checkcode(struct eap_aka_data *data, return 0; } - if (checkcode_len != EAP_AKA_CHECKCODE_LEN) { + hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ? + EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN; + + if (checkcode_len != hash_len) { wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from peer indicates " "that AKA/Identity message were not used, but they " "were"); @@ -203,9 +212,12 @@ static int eap_aka_verify_checkcode(struct eap_aka_data *data, /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */ addr = wpabuf_head(data->id_msgs); len = wpabuf_len(data->id_msgs); - sha1_vector(1, &addr, &len, hash); + if (data->eap_method == EAP_TYPE_AKA_PRIME) + sha256_vector(1, &addr, &len, hash); + else + sha1_vector(1, &addr, &len, hash); - if (os_memcmp(hash, checkcode, EAP_AKA_CHECKCODE_LEN) != 0) { + if (os_memcmp(hash, checkcode, hash_len) != 0) { wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE"); return -1; } |