authorJouni Malinen <j@w1.fi>2019-08-20 10:13:25 (GMT)
committerJouni Malinen <j@w1.fi>2019-08-20 10:24:14 (GMT)
commitc41936566e6e94f30366f64930c9125fadead611 (patch)
tree1cdc5c2456cd8b8f1f6372460f701510a3c8b649 /src/eap_peer
parentc724a0a16cd865b700f14ae18bbf9bd16168293a (diff)
EAP-TEAP peer: Add support for machine authentication
This allows a separate machine credential to be used for authentication if the server requests Identity-Type = 2 (machine).

Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_peer')
-rw-r--r--src/eap_peer/eap_teap.c30
1 files changed, 24 insertions, 6 deletions
diff --git a/src/eap_peer/eap_teap.c b/src/eap_peer/eap_teap.c
index 3c86feb..1e351f3 100644
--- a/src/eap_peer/eap_teap.c
+++ b/src/eap_peer/eap_teap.c
@@ -522,6 +522,18 @@ static struct wpabuf * eap_teap_tlv_pac_ack(void)
}
+static struct wpabuf * eap_teap_add_identity_type(struct eap_sm *sm,
+ struct wpabuf *msg)
+{
+ struct wpabuf *tlv;
+
+ tlv = eap_teap_tlv_identity_type(sm->use_machine_cred ?
+ TEAP_IDENTITY_TYPE_MACHINE :
+ TEAP_IDENTITY_TYPE_USER);
+ return wpabuf_concat(msg, tlv);
+}
+
+
static struct wpabuf * eap_teap_process_eap_payload_tlv(
struct eap_sm *sm, struct eap_teap_data *data,
struct eap_method_ret *ret,
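Review bot: eap_teap_add_identity_type() has no header comment, and its ownership contract matters because wpabuf_concat() consumes msg; I would add above it: `/* Append an Identity-Type TLV (machine or user, per sm->use_machine_cred) to msg; takes ownership of msg and returns the combined buffer. */`. Since wpabuf_concat() returns its first argument when the second is NULL, a failed eap_teap_tlv_identity_type() allocation here silently yields a response without the requested Identity-Type TLV instead of an error; if that best-effort outcome is intended the comment should say so, otherwise a NULL check on tlv before the concat (freeing msg and returning NULL) would make the failure visible. The helper is complete within this hunk and replaces identical inline code in the two following hunks, so one comment covers both call sites.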
@@ -560,9 +572,8 @@ static struct wpabuf * eap_teap_process_eap_payload_tlv(
resp = eap_teap_tlv_eap_payload(resp);
if (req_id_type)
- resp = wpabuf_concat(
- resp,
- eap_teap_tlv_identity_type(TEAP_IDENTITY_TYPE_USER));
+ resp = eap_teap_add_identity_type(sm, resp);
+
return resp;
}
@@ -601,9 +612,7 @@ static struct wpabuf * eap_teap_process_basic_auth_req(
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Basic-Password-Auth-Resp",
resp);
if (req_id_type)
- resp = wpabuf_concat(
- resp,
- eap_teap_tlv_identity_type(TEAP_IDENTITY_TYPE_USER));
+ resp = eap_teap_add_identity_type(sm, resp);
/* Assume this succeeds so that Result TLV(Success) from the server can
* be used to terminate TEAP. */
@@ -1278,6 +1287,15 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
goto done;
}
+ if (tlv.identity_type == TEAP_IDENTITY_TYPE_MACHINE) {
+ struct eap_peer_config *config = eap_get_config(sm);
+
+ sm->use_machine_cred = config && config->machine_identity &&
+ config->machine_identity_len;
+ } else if (tlv.identity_type) {
+ sm->use_machine_cred = 0;
+ }
+
if (tlv.basic_auth_req) {
tmp = eap_teap_process_basic_auth_req(sm, data,
tlv.basic_auth_req,