jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

EAP-PEAP server: Support vendor EAP types in Phase 2

Browse source 
This was already allowed with EAP-PEAP, but EAP-TEAP was hardcoded to
use only the non-expanded EAP types. Extend that to allow vendor EAP
types to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-08-17 16:11:20 +03:00
parent 357c1062dc
commit aba8dc82fc
1 changed files with 28 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
src/eap_server/eap_server_teap.c
View file

@ -938,15 +938,14 @@ static Boolean eap_teap_check(struct eap_sm *sm, void *priv,
static int eap_teap_phase2_init(struct eap_sm *sm, struct eap_teap_data *data,
enum eap_type eap_type)
int vendor, enum eap_type eap_type)
{
if (data->phase2_priv && data->phase2_method) {
data->phase2_method->reset(sm, data->phase2_priv);
data->phase2_method = NULL;
data->phase2_priv = NULL;
}
data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
eap_type);
data->phase2_method = eap_server_get_eap_method(vendor, eap_type);
if (!data->phase2_method)
return -1;
@ -962,7 +961,8 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
struct eap_teap_data *data,
u8 *in_data, size_t in_len)
{
u8 next_type = EAP_TYPE_NONE;
int next_vendor = EAP_VENDOR_IETF;
enum eap_type next_type = EAP_TYPE_NONE;
struct eap_hdr *hdr;
u8 *pos;
size_t left;
@ -990,8 +990,9 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
m->method == EAP_TYPE_TNC) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Peer Nak'ed required TNC negotiation");
next_vendor = EAP_VENDOR_IETF;
next_type = eap_teap_req_failure(data, 0);
eap_teap_phase2_init(sm, data, next_type);
eap_teap_phase2_init(sm, data, next_vendor, next_type);
return;
}
#endif /* EAP_SERVER_TNC */
@ -999,14 +1000,17 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
sm->user->methods[sm->user_eap_method_index].method !=
EAP_TYPE_NONE) {
next_vendor = sm->user->methods[
sm->user_eap_method_index].vendor;
next_type = sm->user->methods[
sm->user_eap_method_index++].method;
wpa_printf(MSG_DEBUG, "EAP-TEAP: try EAP type %d",
next_type);
wpa_printf(MSG_DEBUG, "EAP-TEAP: try EAP type %u:%u",
next_vendor, next_type);
} else {
next_vendor = EAP_VENDOR_IETF;
next_type = eap_teap_req_failure(data, 0);
}
eap_teap_phase2_init(sm, data, next_type);
eap_teap_phase2_init(sm, data, next_vendor, next_type);
return;
}
@ -1026,8 +1030,9 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
if (!m->isSuccess(sm, priv)) {
wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 2 method failed");
next_vendor = EAP_VENDOR_IETF;
next_type = eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD);
eap_teap_phase2_init(sm, data, next_type);
eap_teap_phase2_init(sm, data, next_vendor, next_type);
return;
}
@ -1037,6 +1042,7 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
wpa_hexdump_ascii(MSG_DEBUG,
"EAP-TEAP: Phase 2 Identity not found in the user database",
sm->identity, sm->identity_len);
next_vendor = EAP_VENDOR_IETF;
next_type = eap_teap_req_failure(
data, TEAP_ERROR_INNER_METHOD);
break;
@ -1047,23 +1053,28 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
/* TODO: Allow any inner EAP method that provides
* mutual authentication and EMSK derivation (i.e.,
* EAP-pwd or EAP-EKE). */
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_PWD;
sm->user_eap_method_index = 0;
} else {
next_vendor = sm->user->methods[0].vendor;
next_type = sm->user->methods[0].method;
sm->user_eap_method_index = 1;
}
wpa_printf(MSG_DEBUG, "EAP-TEAP: Try EAP type %d", next_type);
wpa_printf(MSG_DEBUG, "EAP-TEAP: Try EAP type %u:%u",
next_vendor, next_type);
break;
case PHASE2_METHOD:
case CRYPTO_BINDING:
eap_teap_update_icmk(sm, data);
eap_teap_state(data, CRYPTO_BINDING);
data->eap_seq++;
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
#ifdef EAP_SERVER_TNC
if (sm->tnc && !data->tnc_started) {
wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC");
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_TNC;
data->tnc_started = 1;
}
@ -1077,7 +1088,7 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
break;
}
eap_teap_phase2_init(sm, data, next_type);
eap_teap_phase2_init(sm, data, next_vendor, next_type);
}
@ -1640,7 +1651,8 @@ static int eap_teap_process_phase1(struct eap_sm *sm,
static int eap_teap_process_phase2_start(struct eap_sm *sm,
struct eap_teap_data *data)
{
u8 next_type;
int next_vendor;
enum eap_type next_type;
if (data->identity) {
/* Used PAC and identity is from PAC-Opaque */
@ -1653,6 +1665,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
wpa_hexdump_ascii(MSG_DEBUG,
"EAP-TEAP: Phase 2 Identity not found in the user database",
sm->identity, sm->identity_len);
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
eap_teap_state(data, PHASE2_METHOD);
} else if (sm->eap_teap_pac_no_inner) {
@ -1672,6 +1685,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
} else {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Identity already known - skip Phase 2 Identity Request");
next_vendor = sm->user->methods[0].vendor;
next_type = sm->user->methods[0].method;
sm->user_eap_method_index = 1;
eap_teap_state(data, PHASE2_METHOD);
@ -1682,10 +1696,11 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
return 0;
} else {
eap_teap_state(data, PHASE2_ID);
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_IDENTITY;
}
return eap_teap_phase2_init(sm, data, next_type);
return eap_teap_phase2_init(sm, data, next_vendor, next_type);
}