[PATCH] eap-sim: Improve derived-key error message.

Masashi Honma masashi.honma at gmail.com
Wed Jan 8 02:01:49 EST 2014


2014/1/8 Ben Greear <greearb at candelatech.com>:
> A build-time failure would be better, but I haven't had time to work
> on that yet.

I made an attached patch for this.

[PATCH] EAP-SIM: Prevent build for invalid TLS implementation

Currently EAP-SIM could not be used with GnuTLS, Microsoft CryptoAPI and NSS.
So prevent build by #error.

Signed-hostap: Masashi Honma <masashi.honma at gmail.com>

Regards,
Masashi Honma.

2014/1/8 Ben Greear <greearb at candelatech.com>:
> On 01/07/2014 05:39 AM, Jouni Malinen wrote:
>> On Thu, Jan 02, 2014 at 02:32:02PM -0800, greearb at candelatech.com wrote:
>>> This error is caused by a crypto library that does not have
>>> proper support for the requested feature, so warn loudly
>>> about it.
>>
>> That is not the only reason for this failure and anyway, all the
>> eap_sim_prf() callers are already using MSG_ERROR level message
>> displaying the failure.
>
> I replaced two identical messages with a single message
> with some extra information about why the error might
> happen.  It took quite a while for me to find that one
> small line of text and figure out it was indicating the problem,
> and more searching around in the code before I could figure out why.
>
> At least for the encryption libraries I looked at, that
> method cannot fail except when it is not implemented at
> all.
>
>>> diff --git a/src/eap_common/eap_sim_common.c b/src/eap_common/eap_sim_common.c
>>>  static int eap_sim_prf(const u8 *key, u8 *x, size_t xlen)
>>>  {
>>> -    return fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
>>> +    int rv = fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
>>> +    if (rv < 0) {
>>> +            wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys: %i,"
>>> +                       " Compiled with INVALID CRYPTO LIBRARY?", rv);
>>
>> I don't think this would that helpful way of addressing this. Better
>> fixes would be to add support for it in GnuTLS case or prevent that
>> build.
>
> A build-time failure would be better, but I haven't had time to work
> on that yet.
>
> Thanks,
> Ben
>
> --
> Ben Greear <greearb at candelatech.com>
> Candela Technologies Inc  http://www.candelatech.com
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch
Type: application/octet-stream
Size: 1212 bytes
Desc: not available
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140108/51f35b73/attachment-0001.obj>


More information about the HostAP mailing list