From acc39435ff42f3ba02774a79ca6d3df7f60175d1 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 5 Jan 2016 23:50:50 +0200
Subject: [PATCH] EAP-PEAP peer: Cryptobinding in fast-reconnect case with inner EAP This was reported to fail with Windows 2012r2 with "Invalid Compound_MAC in cryptobinding TLV". It turns out that the server decided to go through inner EAP method (EAP-MSCHAPv2 in the reported case) even when using PEAP fast-reconnect. This seems to be against the [MS-PEAP] specification which claims that inner EAP method is not used in such a case. This resulted in a different CMK being derived by the server (used the version that used ISK) and wpa_supplicant (used the version where IPMK|CMK = TK without ISK when using fast-reconnect). Fix this interop issue by making wpa_supplicant to use the fast-reconnect version of CMK derivation only when using TLS session resumption and the server having not initiated inner EAP method before going through the cryptobinding exchange.
Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_peap.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
index 503d4b02d..bf420cc8c 100644
--- a/src/eap_peer/eap_peap.c
+++ b/src/eap_peer/eap_peap.c
@@ -253,6 +253,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
 {
 u8 *tk;
 u8 isk[32], imck[60];
+ int resumed;
 /*
 * Tunnel key (TK) is the first 60 octets of the key generated by
@@ -263,8 +264,12 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
 return -1;
 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
- if (data->reauth &&
- tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
+ resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn);
+ wpa_printf(MSG_DEBUG,
+ "EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d",
+ data->reauth, resumed, data->phase2_eap_started,
+ data->phase2_success);
+ if (data->reauth && !data->phase2_eap_started && resumed) {
 /* Fast-connect: IPMK|CMK = TK */
 os_memcpy(data->ipmk, tk, 40);
 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
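Review bot: The new test `if (data->reauth && !data->phase2_eap_started && resumed)` makes the choice of key derivation depend on `data->phase2_eap_started`, and nothing in this hunk shows where that flag is cleared; if it is not reset when a re-authentication begins, a value left over from an earlier full authentication would push every resumed session onto the ISK-based path and break cryptobinding against servers that follow [MS-PEAP]. It is worth confirming that reset in the reauth setup code, which is outside this diff. The retained comment `/* Fast-connect: IPMK|CMK = TK */` no longer explains the condition; I would extend it to something like `/* Fast-reconnect without inner EAP: IPMK|CMK = TK (no ISK). Some servers run inner EAP even on a resumed session; ISK is used then. */`. The debug line prints `phase2_success` while the condition ignores it, so a short remark that this is deliberate would help the next reader. eap_peap_derive_cmk() continues past the end of the hunk.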