EAP-TEAP server: Testing mechanism for Result TLV in a separate message

The new eap_teap_separate_result=1 hostapd configuration parameter can
be used to test TEAP exchange where the Intermediate-Result TLV and
Crypto-Binding TLV are send in one message exchange while the Result TLV
exchange in done after that in a separate message exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-08-16 23:54:51 +03:00
parent 4c327146f0
commit 76ddfae6eb
13 changed files with 41 additions and 4 deletions

View file

@ -2620,6 +2620,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->eap_teap_auth = val; bss->eap_teap_auth = val;
} else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) { } else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) {
bss->eap_teap_pac_no_inner = atoi(pos); bss->eap_teap_pac_no_inner = atoi(pos);
} else if (os_strcmp(buf, "eap_teap_separate_result") == 0) {
bss->eap_teap_separate_result = atoi(pos);
#endif /* EAP_SERVER_TEAP */ #endif /* EAP_SERVER_TEAP */
#ifdef EAP_SERVER_SIM #ifdef EAP_SERVER_SIM
} else if (os_strcmp(buf, "eap_sim_db") == 0) { } else if (os_strcmp(buf, "eap_sim_db") == 0) {

View file

@ -1201,6 +1201,11 @@ eap_server=0
# 1 = skip inner authentication (inner EAP/Basic-Password-Auth) # 1 = skip inner authentication (inner EAP/Basic-Password-Auth)
#eap_teap_pac_no_inner=0 #eap_teap_pac_no_inner=0
# EAP-TEAP behavior with Result TLV
# 0 = include with Intermediate-Result TLV (default)
# 1 = send in a separate message (for testing purposes)
#eap_teap_separate_result=0
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
# (default: 0 = disabled). # (default: 0 = disabled).
#eap_sim_aka_result_ind=1 #eap_sim_aka_result_ind=1

View file

@ -429,6 +429,7 @@ struct hostapd_bss_config {
int pac_key_refresh_time; int pac_key_refresh_time;
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_teap_separate_result;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id; int eap_sim_id;
int tnc; int tnc;

View file

@ -122,6 +122,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
srv.pac_key_refresh_time = conf->pac_key_refresh_time; srv.pac_key_refresh_time = conf->pac_key_refresh_time;
srv.eap_teap_auth = conf->eap_teap_auth; srv.eap_teap_auth = conf->eap_teap_auth;
srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
srv.eap_teap_separate_result = conf->eap_teap_separate_result;
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
srv.eap_sim_id = conf->eap_sim_id; srv.eap_sim_id = conf->eap_sim_id;
srv.tnc = conf->tnc; srv.tnc = conf->tnc;

View file

@ -2435,7 +2435,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
conf.eap_teap_auth = hapd->conf->eap_teap_auth; conf.eap_teap_auth = hapd->conf->eap_teap_auth;
conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner; conf.eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
conf.eap_sim_id = hapd->conf->eap_sim_id; conf.eap_sim_id = hapd->conf->eap_sim_id;
conf.tnc = hapd->conf->tnc; conf.tnc = hapd->conf->tnc;

View file

@ -123,6 +123,7 @@ struct eap_config {
int pac_key_refresh_time; int pac_key_refresh_time;
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_teap_separate_result;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id; int eap_sim_id;
int tnc; int tnc;

View file

@ -192,6 +192,7 @@ struct eap_sm {
int pac_key_refresh_time; int pac_key_refresh_time;
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_teap_separate_result;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id; int eap_sim_id;
int tnc; int tnc;

View file

@ -1871,6 +1871,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->pac_key_refresh_time = conf->pac_key_refresh_time; sm->pac_key_refresh_time = conf->pac_key_refresh_time;
sm->eap_teap_auth = conf->eap_teap_auth; sm->eap_teap_auth = conf->eap_teap_auth;
sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
sm->eap_teap_separate_result = conf->eap_teap_separate_result;
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
sm->eap_sim_id = conf->eap_sim_id; sm->eap_sim_id = conf->eap_sim_id;
sm->tnc = conf->tnc; sm->tnc = conf->tnc;

View file

@ -31,7 +31,7 @@ struct eap_teap_data {
enum { enum {
START, PHASE1, PHASE1B, PHASE2_START, PHASE2_ID, START, PHASE1, PHASE1B, PHASE2_START, PHASE2_ID,
PHASE2_BASIC_AUTH, PHASE2_METHOD, CRYPTO_BINDING, REQUEST_PAC, PHASE2_BASIC_AUTH, PHASE2_METHOD, CRYPTO_BINDING, REQUEST_PAC,
FAILURE_SEND_RESULT, SUCCESS, FAILURE FAILURE_SEND_RESULT, SUCCESS_SEND_RESULT, SUCCESS, FAILURE
} state; } state;
u8 teap_version; u8 teap_version;
@ -100,6 +100,8 @@ static const char * eap_teap_state_txt(int state)
return "REQUEST_PAC"; return "REQUEST_PAC";
case FAILURE_SEND_RESULT: case FAILURE_SEND_RESULT:
return "FAILURE_SEND_RESULT"; return "FAILURE_SEND_RESULT";
case SUCCESS_SEND_RESULT:
return "SUCCESS_SEND_RESULT";
case SUCCESS: case SUCCESS:
return "SUCCESS"; return "SUCCESS";
case FAILURE: case FAILURE:
@ -565,7 +567,7 @@ static struct wpabuf * eap_teap_build_crypto_binding(
return NULL; return NULL;
if (data->send_new_pac || data->anon_provisioning || if (data->send_new_pac || data->anon_provisioning ||
data->phase2_method) data->phase2_method || sm->eap_teap_separate_result)
data->final_result = 0; data->final_result = 0;
else else
data->final_result = 1; data->final_result = 1;
@ -901,6 +903,10 @@ static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id)
req = wpabuf_concat( req = wpabuf_concat(
req, eap_teap_tlv_error(data->error_code)); req, eap_teap_tlv_error(data->error_code));
break; break;
case SUCCESS_SEND_RESULT:
req = eap_teap_tlv_result(TEAP_STATUS_SUCCESS, 0);
data->final_result = 1;
break;
default: default:
wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d", wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d",
__func__, data->state); __func__, data->state);
@ -1498,8 +1504,11 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"EAP-TEAP: Server triggered re-keying of Tunnel PAC"); "EAP-TEAP: Server triggered re-keying of Tunnel PAC");
eap_teap_state(data, REQUEST_PAC); eap_teap_state(data, REQUEST_PAC);
} else if (data->final_result) } else if (data->final_result) {
eap_teap_state(data, SUCCESS); eap_teap_state(data, SUCCESS);
} else if (sm->eap_teap_separate_result) {
eap_teap_state(data, SUCCESS_SEND_RESULT);
}
} }
if (tlv.basic_auth_resp) { if (tlv.basic_auth_resp) {
@ -1523,6 +1532,13 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
eap_teap_process_phase2_eap(sm, data, tlv.eap_payload_tlv, eap_teap_process_phase2_eap(sm, data, tlv.eap_payload_tlv,
tlv.eap_payload_tlv_len); tlv.eap_payload_tlv_len);
} }
if (data->state == SUCCESS_SEND_RESULT &&
tlv.result == TEAP_STATUS_SUCCESS) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Peer agreed with final success - authentication completed");
eap_teap_state(data, SUCCESS);
}
} }
@ -1693,6 +1709,7 @@ static void eap_teap_process_msg(struct eap_sm *sm, void *priv,
case PHASE2_METHOD: case PHASE2_METHOD:
case CRYPTO_BINDING: case CRYPTO_BINDING:
case REQUEST_PAC: case REQUEST_PAC:
case SUCCESS_SEND_RESULT:
eap_teap_process_phase2(sm, data, data->ssl.tls_in); eap_teap_process_phase2(sm, data, data->ssl.tls_in);
break; break;
case FAILURE_SEND_RESULT: case FAILURE_SEND_RESULT:

View file

@ -837,6 +837,8 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time; eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth; eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner; eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
eap_conf.eap_teap_separate_result =
eapol->conf.eap_teap_separate_result;
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind; eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
eap_conf.eap_sim_id = eapol->conf.eap_sim_id; eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
eap_conf.tnc = eapol->conf.tnc; eap_conf.tnc = eapol->conf.tnc;
@ -1236,6 +1238,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->pac_key_refresh_time = src->pac_key_refresh_time; dst->pac_key_refresh_time = src->pac_key_refresh_time;
dst->eap_teap_auth = src->eap_teap_auth; dst->eap_teap_auth = src->eap_teap_auth;
dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner; dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
dst->eap_teap_separate_result = src->eap_teap_separate_result;
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind; dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
dst->eap_sim_id = src->eap_sim_id; dst->eap_sim_id = src->eap_sim_id;
dst->tnc = src->tnc; dst->tnc = src->tnc;

View file

@ -38,6 +38,7 @@ struct eapol_auth_config {
int pac_key_refresh_time; int pac_key_refresh_time;
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_teap_separate_result;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id; int eap_sim_id;
int tnc; int tnc;

View file

@ -240,6 +240,7 @@ struct radius_server_data {
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_teap_separate_result;
/** /**
* eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
@ -799,6 +800,7 @@ radius_server_get_new_session(struct radius_server_data *data,
eap_conf.pac_key_refresh_time = data->pac_key_refresh_time; eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
eap_conf.eap_teap_auth = data->eap_teap_auth; eap_conf.eap_teap_auth = data->eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner; eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
eap_conf.eap_teap_separate_result = data->eap_teap_separate_result;
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind; eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
eap_conf.eap_sim_id = data->eap_sim_id; eap_conf.eap_sim_id = data->eap_sim_id;
eap_conf.tnc = data->tnc; eap_conf.tnc = data->tnc;
@ -2394,6 +2396,7 @@ radius_server_init(struct radius_server_conf *conf)
data->pac_key_refresh_time = conf->pac_key_refresh_time; data->pac_key_refresh_time = conf->pac_key_refresh_time;
data->eap_teap_auth = conf->eap_teap_auth; data->eap_teap_auth = conf->eap_teap_auth;
data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
data->eap_teap_separate_result = conf->eap_teap_separate_result;
data->get_eap_user = conf->get_eap_user; data->get_eap_user = conf->get_eap_user;
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
data->eap_sim_id = conf->eap_sim_id; data->eap_sim_id = conf->eap_sim_id;

View file

@ -130,6 +130,7 @@ struct radius_server_conf {
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_teap_separate_result;
/** /**
* eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication