EAP peer: Cache decrypted requests for EAP-SIM/AKA/AKA'

Add an internal flag which indicates to tunneled EAP methods (FAST, PEAP, TTLS) that they should cache decrypted EAP-SIM/AKA/AKA' requests. This allows EAP-SIM/AKA/AKA' to be tunneled within these outer methods while using an external SIM authenticator over the control interface. Signed-off-by: Paul Stewart <pstew@google.com>
2017-02-08 16:46:41 -08:00 · 2017-02-08 16:46:41 -08:00 · ed9b1c16d5
commit ed9b1c16d5
parent c299dea558
6 changed files with 20 additions and 5 deletions
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@ -2246,6 +2246,7 @@ static void eap_sm_request(struct eap_sm *sm, enum wpa_ctrl_req_type field,
 		config->pending_req_passphrase++;
 		break;
 	case WPA_CTRL_REQ_SIM:
+		config->pending_req_sim++;
 		txt = msg;
 		break;
 	case WPA_CTRL_REQ_EXT_CERT_CHECK:
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@ -627,6 +627,15 @@ struct eap_peer_config {
 	 */
 	int pending_req_passphrase;

+	/**
+	 * pending_req_sim - Pending SIM request
+	 *
+	 * This field should not be set in configuration step. It is only used
+	 * internally when control interface is used to request needed
+	 * information.
+	 */
+	int pending_req_sim;
+
 	/**
 	 * pending_req_otp - Whether there is a pending OTP request
 	 *
--- a/src/eap_peer/eap_fast.c
+++ b/src/eap_peer/eap_fast.c
@ -484,7 +484,8 @@ static int eap_fast_phase2_request(struct eap_sm *sm,

 	if (*resp == NULL && config &&
 	    (config->pending_req_identity || config->pending_req_password ||
-	     config->pending_req_otp || config->pending_req_new_password)) {
+	     config->pending_req_otp || config->pending_req_new_password ||
+	     config->pending_req_sim)) {
 		wpabuf_free(data->pending_phase2_req);
 		data->pending_phase2_req = wpabuf_alloc_copy(hdr, len);
 	} else if (*resp == NULL)
--- a/src/eap_peer/eap_peap.c
+++ b/src/eap_peer/eap_peap.c
@ -726,7 +726,8 @@ static int eap_peap_phase2_request(struct eap_sm *sm,

 	if (*resp == NULL &&
 	    (config->pending_req_identity || config->pending_req_password ||
-	     config->pending_req_otp || config->pending_req_new_password)) {
+	     config->pending_req_otp || config->pending_req_new_password ||
+	     config->pending_req_sim)) {
 		wpabuf_free(data->pending_phase2_req);
 		data->pending_phase2_req = wpabuf_alloc_copy(hdr, len);
 	}
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@ -458,7 +458,7 @@ static int eap_ttls_phase2_request_eap(struct eap_sm *sm,

 	if (*resp == NULL &&
 	    (config->pending_req_identity || config->pending_req_password ||
-	     config->pending_req_otp)) {
+	     config->pending_req_otp || config->pending_req_sim)) {
 		return 0;
 	}

@ -1280,7 +1280,8 @@ static int eap_ttls_process_decrypted(struct eap_sm *sm,
 	} else if (config->pending_req_identity ||
 		   config->pending_req_password ||
 		   config->pending_req_otp ||
-		   config->pending_req_new_password) {
+		   config->pending_req_new_password ||
+		   config->pending_req_sim) {
 		wpabuf_free(data->pending_phase2_req);
 		data->pending_phase2_req = wpabuf_dup(in_decrypted);
 	}
@ -1317,7 +1318,8 @@ static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
 		    (config->pending_req_identity ||
 		     config->pending_req_password ||
 		     config->pending_req_otp ||
-		     config->pending_req_new_password)) {
+		     config->pending_req_new_password ||
+		     config->pending_req_sim)) {
 			/*
 			 * Use empty buffer to force implicit request
 			 * processing when EAP request is re-processed after
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@ -5974,6 +5974,7 @@ int wpa_supplicant_ctrl_iface_ctrl_rsp_handle(struct wpa_supplicant *wpa_s,
 	case WPA_CTRL_REQ_SIM:
 		str_clear_free(eap->external_sim_resp);
 		eap->external_sim_resp = os_strdup(value);
+		eap->pending_req_sim = 0;
 		break;
 	case WPA_CTRL_REQ_PSK_PASSPHRASE:
 		if (wpa_config_set(ssid, "psk", value, 0) < 0)