git.ipfire.org Git - people/ms/strongswan.git/commit

author	Tobias Brunner <tobias@strongswan.org>
	Tue, 14 Dec 2021 09:51:35 +0000 (10:51 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Thu, 20 Jan 2022 16:23:24 +0000 (17:23 +0100)
commit	64cc9acbf06f193fbb418b4dd408a233d6313889
tree	d565eb24c654219c1ba0df325e777a6549b46489	tree \| snapshot
parent	de15386d94edda4a330aa4382f0f71fa146db88f	commit \| diff

eap-authenticator: Enforce failure if MSK generation fails

Without this, the authentication succeeded if the server sent an early
EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
which may be used in EAP-only scenarios but would complete without server
or client authentication. For clients configured for such EAP-only
scenarios, a rogue server could capture traffic after the tunnel is
established or even access hosts behind the client. For non-mutual EAP
methods, public key server authentication has been enforced for a while.

A server previously could also crash a client by sending an EAP-Success
immediately without initiating an actual EAP method.

Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
Fixes: CVE-2021-45079

src/libcharon/plugins/eap_gtc/eap_gtc.c		diff \| blob \| blame \| history
src/libcharon/plugins/eap_md5/eap_md5.c		diff \| blob \| blame \| history
src/libcharon/plugins/eap_radius/eap_radius.c		diff \| blob \| blame \| history
src/libcharon/sa/eap/eap_method.h		diff \| blob \| blame \| history
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c		diff \| blob \| blame \| history