It looks like [MS-PEAP] 3.2.5.6 points towards this being the expected
behavior (however, that chapter is very confusing).
In addition, remove Cryptobinding TLV from response if the received
Cryptobinding TLV is not valid. Add some more debug messages to the case
where the received Cryptobinding TLV is found invalid.
I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you
only defined one engine variable, which was read already in phase1. I
defined some new variables:
engine2
engine2_id
pin2
and added support to read those in phase2 wheres all the engine
variables without number are only read in phase1. That solved it and I
am now able to use an engine also in EAP-TTLS phase2.
It looks like ACS did not like PAC Acknowledgment TLV before Result TLV, so
reorder the TLVs to match the order shown in a
draft-cam-winget-eap-fast-provisioning-09.txt example. This allows
authenticated provisioning to be terminated with Access-Accept (if ACS has
that option enabled). Previously, provisioning was otherwise successful,
but the server rejected connection due to not understanding the PAC Ack
("Invalid TEAP Data recieved").
Previously, hardcoded identity in the network configuration skipped both
IMSI reading and PIN verification. This broke cases where PIN is needed for
GSM/UMTS authentication. Now, only IMSI reading is skipped if identity is
hardcoded.
This adds all the attributes that are marked as mandatory for SoH in
IF-TNCCS-SOH v1.0. MS-Machine-Inventory does not contain correct data
(i.e., all version fields are just marked as inapplicable) and
MS-MachineName is hardcoded to wpa_supplicant@w1.fi for now.
The change to support fragmentation added extra function to generate the
EAP header, but forgot to remove the original code and ended up getting two
EAP headers and TNC flags field in the generated message. These header
fields need to be added only in the function that builds the final message
(and if necessary, fragments the data).
Even though we try to disable TLS compression, it is possible that this
cannot be done with all TLS libraries. For example, OpenSSL 0.9.8 does not
seem to have a configuration item for disabling all compression (0.9.9 has
such an option). If compression is used, Phase 2 decryption may end up
producing more data than the input buffer due to compressed data. This
shows up especially with EAP-TNC that uses very compressible data format.
As a workaround, increase the decryption buffer length to (orig_len+500)*3.
This is a hack, but at least it handles most cases. TLS compression should
really be disabled for EAP use of TLS, but since this can show up with
common setups, it is better to handle this case.
Process SoH Request in SoH EAP Extension method and reply with SoH TLV. The
contents of SSoH is not yet complete (i.e., some of the required attributes
are still missing). Use of SoH is disabled by default; it can be enabled
with tnc=soh in phase1 parameter for PEAP.
crypto_binding=# in phase1 network parameter can now be used to change the
PEAPv0 cryptobinding behavior (0 = do not use, 1 = optional (default),
2 = required).
The previous version was deriving unnecessarily large amount of output data
for the implicit challenge. With the TLS PRF, this was not causing any
problems because the output length is not explicitly bound into the
derivation. Anyway, it is better to use the correct output length should
the PRF be ever changed to a one that uses the output length to change the
beginning of the output data.
It looks like Microsoft implementation does not match with their
specification as far as PRF+ label usage is concerned.. IPMK|CMK is derived
without null termination on the label, but the label for CSK derivation
must be null terminated.
This allows cryptobinding to be used with PEAPv0 in a way that
interoperates with Windows XP SP3 (RC2) and as such, this functionality is
now enabled as an optional addition to PEAPv0.
Microsoft uses reverse order for MS-MPPE keys in EAP-PEAP when compared to
EAP-FAST derivation of ISK. Swap the keys here to get the correct ISK for
EAP-PEAPv0 cryptobinding. This resolves the cryptobinding interop issue
with WinXP SP3 RC2. However, it looks like MSK derivation does not
interoperate when using cryptobinding, so this code remains disabled for
the time being.
This implementation is complete for PEAPv0 (Microsoft extension), but the
use of cryptobinding is disabled in this version, i.e., this does not
change protocol behavior at all.
Interop tests between hostapd and wpa_supplicant work fine, but there are
some problems in getting hostapd to interoperate with Windows XP SP3 RC2
(peer replies with Result Failure to the attempted cryptobinding). The
implementation will remain disabled until this issue has been resolved.
EAP-PEAP was the only method that used the external eap_tlv.c peer
implementation. This worked fine just for the simple protected result
notification, but extending the TLV support for cryptobinding etc. is not
trivial with such separation. With the TLV processing integrated into
eap_peap.c, all the needed information is now available for using
additional TLVs.
Need to process EAP AVP after the non-EAP Phase 2 method. In addition,
EAP-TTLS/MSCHAPv2 needs special code for handling the starting of TNC after
extra roundtrip of MSCHAPv2 success message.
Number of TLVs were processed in groups and these cases were now separated
into more flexible processing of one TLV at the time. wpabuf_concat()
function was added to make it easier to concatenate TLVs. EAP Sequences are
now supported in both server and peer code, but the server side is not
enabled by default.