[PATCH] eap-sim: Improve derived-key error message.

Ben Greear greearb
Tue Jan 7 10:04:57 PST 2014


On 01/07/2014 05:39 AM, Jouni Malinen wrote:
> On Thu, Jan 02, 2014 at 02:32:02PM -0800, greearb at candelatech.com wrote:
>> This error is caused by a crypto library that does not have
>> proper support for the requested feature, so warn loudly
>> about it.
> 
> That is not the only reason for this failure and anyway, all the
> eap_sim_prf() callers are already using MSG_ERROR level message
> displaying the failure.

I replaced two identical messages with a single message
with some extra information about why the error might
happen.  It took quite a while for me to find that one
small line of text and figure out it was indicating the problem,
and more searching around in the code before I could figure out why.

At least for the encryption libraries I looked at, that
method cannot fail except when it is not implemented at
all.

>> diff --git a/src/eap_common/eap_sim_common.c b/src/eap_common/eap_sim_common.c
>>  static int eap_sim_prf(const u8 *key, u8 *x, size_t xlen)
>>  {
>> -	return fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
>> +	int rv = fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
>> +	if (rv < 0) {
>> +		wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys: %i,"
>> +			   " Compiled with INVALID CRYPTO LIBRARY?", rv);
> 
> I don't think this would be that helpful a way of addressing this. Better
> fixes would be to add support for it in GnuTLS case or prevent that
> build.

A build-time failure would be better, but I haven't had time to work
on that yet.

Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com




More information about the Hostap mailing list