jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
14958 commits 3 branches 0 tags 27 MiB
Commit graph

8 commits

Author SHA1 Message Date
Jouni Malinen
c41936566e EAP-TEAP peer: Add support for machine authentication 
This allows a separate machine credential to be used for authentication
if the server requests Identity-Type = 2 (machine).

Signed-off-by: Jouni Malinen <j@w1.fi>
 2019-08-20 13:24:14 +03:00
Jouni Malinen
f186ec54c3 EAP-TEAP peer: Support Identity-Type TLV 
Parse the received Identity-Type TLV and report the used Identity-Type
in response if the request included this TLV. For now, only the
Identity-Type 1 (User) is supported.

Signed-off-by: Jouni Malinen <j@w1.fi>
 2019-08-20 01:46:00 +03:00
Jouni Malinen
62af2b18f7 EAP-TEAP peer: Support vendor EAP method in Phase 2 
The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
 2019-08-17 16:18:21 +03:00
Jouni Malinen
4c327146f0 EAP-TEAP peer: Allow Result TLV without Crypto-Binding TLV 
If the Crypto-Binding TLV for the last EAP method has been validated
successfully in a previous message exchange with Intermediate-Result TLV
and no new EAP method has been started, Result TLV can be accepted
without an additional Crypto-Binding TLV. This allows the server to go
through additional message exchanges after inner EAP method, if needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
 2019-08-17 00:08:47 +03:00
Jouni Malinen
0f7c91f2b9 EAP-TEAP peer: Add Intermediate-Result TLV with Crypto-Binding TLV 
Previously, only the Result TLV was added when writing Crypto-Binding
TLV response. This is not sufficient, since RFC 7170 require
Intermediate-Result TLV response to be included from the peer if the
server included Intermediate-Result TLV.

Signed-off-by: Jouni Malinen <j@w1.fi>
 2019-08-16 23:11:28 +03:00
Jouni Malinen
a66e53c419 EAP-TEAP: Fix TLS-PRF for TLS ciphersuites that use SHA384 
These need to be using the HMAC-based TLS-PRF with SHA384 instead of
SHA256 as the hash algorithm.

Signed-off-by: Jouni Malinen <j@w1.fi>
 2019-08-16 21:16:44 +03:00
Jouni Malinen
d776bf8c66 EAP-TEAP peer: Fix fragmentation of final message 
Need to update methodState/decision when completing transmission of
fragmented last Phase 2 message.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
 2019-08-07 01:11:54 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170) 
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
 2019-07-09 16:56:02 +03:00