EAP-TEAP server: Testing mechanism for Result TLV in a separate message
The new eap_teap_separate_result=1 hostapd configuration parameter can be used to test TEAP exchange where the Intermediate-Result TLV and Crypto-Binding TLV are send in one message exchange while the Result TLV exchange in done after that in a separate message exchange. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
4c327146f0
commit
76ddfae6eb
13 changed files with 41 additions and 4 deletions
|
|
@ -2620,6 +2620,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
|||
bss->eap_teap_auth = val;
|
||||
} else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) {
|
||||
bss->eap_teap_pac_no_inner = atoi(pos);
|
||||
} else if (os_strcmp(buf, "eap_teap_separate_result") == 0) {
|
||||
bss->eap_teap_separate_result = atoi(pos);
|
||||
#endif /* EAP_SERVER_TEAP */
|
||||
#ifdef EAP_SERVER_SIM
|
||||
} else if (os_strcmp(buf, "eap_sim_db") == 0) {
|
||||
|
|
|
|||
|
|
@ -1201,6 +1201,11 @@ eap_server=0
|
|||
# 1 = skip inner authentication (inner EAP/Basic-Password-Auth)
|
||||
#eap_teap_pac_no_inner=0
|
||||
|
||||
# EAP-TEAP behavior with Result TLV
|
||||
# 0 = include with Intermediate-Result TLV (default)
|
||||
# 1 = send in a separate message (for testing purposes)
|
||||
#eap_teap_separate_result=0
|
||||
|
||||
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
|
||||
# (default: 0 = disabled).
|
||||
#eap_sim_aka_result_ind=1
|
||||
|
|
|
|||
|
|
@ -429,6 +429,7 @@ struct hostapd_bss_config {
|
|||
int pac_key_refresh_time;
|
||||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_teap_separate_result;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
|
|
|
|||
|
|
@ -122,6 +122,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
|
|||
srv.pac_key_refresh_time = conf->pac_key_refresh_time;
|
||||
srv.eap_teap_auth = conf->eap_teap_auth;
|
||||
srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
|
||||
srv.eap_teap_separate_result = conf->eap_teap_separate_result;
|
||||
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||
srv.eap_sim_id = conf->eap_sim_id;
|
||||
srv.tnc = conf->tnc;
|
||||
|
|
|
|||
|
|
@ -2435,7 +2435,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
|
|||
conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
|
||||
conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
|
||||
conf.eap_teap_auth = hapd->conf->eap_teap_auth;
|
||||
conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner;
|
||||
conf.eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
|
||||
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
|
||||
conf.eap_sim_id = hapd->conf->eap_sim_id;
|
||||
conf.tnc = hapd->conf->tnc;
|
||||
|
|
|
|||
|
|
@ -123,6 +123,7 @@ struct eap_config {
|
|||
int pac_key_refresh_time;
|
||||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_teap_separate_result;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
|
|
|
|||
|
|
@ -192,6 +192,7 @@ struct eap_sm {
|
|||
int pac_key_refresh_time;
|
||||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_teap_separate_result;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
|
|
|
|||
|
|
@ -1871,6 +1871,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
|
|||
sm->pac_key_refresh_time = conf->pac_key_refresh_time;
|
||||
sm->eap_teap_auth = conf->eap_teap_auth;
|
||||
sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
|
||||
sm->eap_teap_separate_result = conf->eap_teap_separate_result;
|
||||
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||
sm->eap_sim_id = conf->eap_sim_id;
|
||||
sm->tnc = conf->tnc;
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ struct eap_teap_data {
|
|||
enum {
|
||||
START, PHASE1, PHASE1B, PHASE2_START, PHASE2_ID,
|
||||
PHASE2_BASIC_AUTH, PHASE2_METHOD, CRYPTO_BINDING, REQUEST_PAC,
|
||||
FAILURE_SEND_RESULT, SUCCESS, FAILURE
|
||||
FAILURE_SEND_RESULT, SUCCESS_SEND_RESULT, SUCCESS, FAILURE
|
||||
} state;
|
||||
|
||||
u8 teap_version;
|
||||
|
|
@ -100,6 +100,8 @@ static const char * eap_teap_state_txt(int state)
|
|||
return "REQUEST_PAC";
|
||||
case FAILURE_SEND_RESULT:
|
||||
return "FAILURE_SEND_RESULT";
|
||||
case SUCCESS_SEND_RESULT:
|
||||
return "SUCCESS_SEND_RESULT";
|
||||
case SUCCESS:
|
||||
return "SUCCESS";
|
||||
case FAILURE:
|
||||
|
|
@ -565,7 +567,7 @@ static struct wpabuf * eap_teap_build_crypto_binding(
|
|||
return NULL;
|
||||
|
||||
if (data->send_new_pac || data->anon_provisioning ||
|
||||
data->phase2_method)
|
||||
data->phase2_method || sm->eap_teap_separate_result)
|
||||
data->final_result = 0;
|
||||
else
|
||||
data->final_result = 1;
|
||||
|
|
@ -901,6 +903,10 @@ static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id)
|
|||
req = wpabuf_concat(
|
||||
req, eap_teap_tlv_error(data->error_code));
|
||||
break;
|
||||
case SUCCESS_SEND_RESULT:
|
||||
req = eap_teap_tlv_result(TEAP_STATUS_SUCCESS, 0);
|
||||
data->final_result = 1;
|
||||
break;
|
||||
default:
|
||||
wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d",
|
||||
__func__, data->state);
|
||||
|
|
@ -1498,8 +1504,11 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
|
|||
wpa_printf(MSG_DEBUG,
|
||||
"EAP-TEAP: Server triggered re-keying of Tunnel PAC");
|
||||
eap_teap_state(data, REQUEST_PAC);
|
||||
} else if (data->final_result)
|
||||
} else if (data->final_result) {
|
||||
eap_teap_state(data, SUCCESS);
|
||||
} else if (sm->eap_teap_separate_result) {
|
||||
eap_teap_state(data, SUCCESS_SEND_RESULT);
|
||||
}
|
||||
}
|
||||
|
||||
if (tlv.basic_auth_resp) {
|
||||
|
|
@ -1523,6 +1532,13 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
|
|||
eap_teap_process_phase2_eap(sm, data, tlv.eap_payload_tlv,
|
||||
tlv.eap_payload_tlv_len);
|
||||
}
|
||||
|
||||
if (data->state == SUCCESS_SEND_RESULT &&
|
||||
tlv.result == TEAP_STATUS_SUCCESS) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"EAP-TEAP: Peer agreed with final success - authentication completed");
|
||||
eap_teap_state(data, SUCCESS);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1693,6 +1709,7 @@ static void eap_teap_process_msg(struct eap_sm *sm, void *priv,
|
|||
case PHASE2_METHOD:
|
||||
case CRYPTO_BINDING:
|
||||
case REQUEST_PAC:
|
||||
case SUCCESS_SEND_RESULT:
|
||||
eap_teap_process_phase2(sm, data, data->ssl.tls_in);
|
||||
break;
|
||||
case FAILURE_SEND_RESULT:
|
||||
|
|
|
|||
|
|
@ -837,6 +837,8 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
|
|||
eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
|
||||
eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
|
||||
eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
|
||||
eap_conf.eap_teap_separate_result =
|
||||
eapol->conf.eap_teap_separate_result;
|
||||
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
|
||||
eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
|
||||
eap_conf.tnc = eapol->conf.tnc;
|
||||
|
|
@ -1236,6 +1238,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
|
|||
dst->pac_key_refresh_time = src->pac_key_refresh_time;
|
||||
dst->eap_teap_auth = src->eap_teap_auth;
|
||||
dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
|
||||
dst->eap_teap_separate_result = src->eap_teap_separate_result;
|
||||
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
|
||||
dst->eap_sim_id = src->eap_sim_id;
|
||||
dst->tnc = src->tnc;
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ struct eapol_auth_config {
|
|||
int pac_key_refresh_time;
|
||||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_teap_separate_result;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
|
|
|
|||
|
|
@ -240,6 +240,7 @@ struct radius_server_data {
|
|||
|
||||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_teap_separate_result;
|
||||
|
||||
/**
|
||||
* eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
|
||||
|
|
@ -799,6 +800,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
|||
eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
|
||||
eap_conf.eap_teap_auth = data->eap_teap_auth;
|
||||
eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
|
||||
eap_conf.eap_teap_separate_result = data->eap_teap_separate_result;
|
||||
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
|
||||
eap_conf.eap_sim_id = data->eap_sim_id;
|
||||
eap_conf.tnc = data->tnc;
|
||||
|
|
@ -2394,6 +2396,7 @@ radius_server_init(struct radius_server_conf *conf)
|
|||
data->pac_key_refresh_time = conf->pac_key_refresh_time;
|
||||
data->eap_teap_auth = conf->eap_teap_auth;
|
||||
data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
|
||||
data->eap_teap_separate_result = conf->eap_teap_separate_result;
|
||||
data->get_eap_user = conf->get_eap_user;
|
||||
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||
data->eap_sim_id = conf->eap_sim_id;
|
||||
|
|
|
|||
|
|
@ -130,6 +130,7 @@ struct radius_server_conf {
|
|||
|
||||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_teap_separate_result;
|
||||
|
||||
/**
|
||||
* eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
|
||||
|
|
|
|||
Loading…
Reference in a new issue