authorJouni Malinen <j@w1.fi>2008-02-03 19:03:13 (GMT)
committerJouni Malinen <j@w1.fi>2008-02-03 19:03:13 (GMT)
commitbebe76f4bced193a485cb55ac64a46b05276f3e9 (patch)
tree7ac9cb54d08024c0fb294fb555e65809b5800eb1
parentba2c1028d20d313994213ad3ada7779af63bf59e (diff)
Added support for pending EAP Phase 2 processing
Store and re-use the decrypted Phase 2 data in EAP-{PEAP,TTLS,FAST} if the Phase 2 method enters pending wait state. This allows EAP-SIM and EAP-AKA to be used as the Phase 2 method.
-rw-r--r--hostapd/ChangeLog2
-rw-r--r--src/eap_server/eap_fast.c25
-rw-r--r--src/eap_server/eap_peap.c22
-rw-r--r--src/eap_server/eap_ttls.c22
4 files changed, 66 insertions, 5 deletions
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index e6dce2a..666fbd1 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -27,6 +27,8 @@ ChangeLog for hostapd
reauthentication
* fixed EAP-SIM Start response processing for fast reauthentication
case
+ * added support for pending EAP processing in EAP-{PEAP,TTLS,FAST}
+ phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method
2008-01-01 - v0.6.2
* fixed EAP-SIM and EAP-AKA message parser to validate attribute
diff --git a/src/eap_server/eap_fast.c b/src/eap_server/eap_fast.c
index cb9c331..54507c5 100644
--- a/src/eap_server/eap_fast.c
+++ b/src/eap_server/eap_fast.c
@@ -1,6 +1,6 @@
/*
* EAP-FAST server (RFC 4851)
- * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -70,6 +70,7 @@ struct eap_fast_data {
int anon_provisioning;
int send_new_pac; /* server triggered re-keying of Tunnel PAC */
+ struct wpabuf *pending_phase2_resp;
};
@@ -515,6 +516,7 @@ static void eap_fast_reset(struct eap_sm *sm, void *priv)
eap_server_tls_ssl_deinit(sm, &data->ssl);
os_free(data->srv_id);
os_free(data->key_block_p);
+ wpabuf_free(data->pending_phase2_resp);
os_free(data);
}
@@ -1341,7 +1343,7 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
int check_crypto_binding = data->state == CRYPTO_BINDING;
if (eap_fast_parse_tlvs(in_data, in_len, &tlv) < 0) {
- wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse receivede "
+ wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received "
"Phase 2 TLVs");
return;
}
@@ -1447,6 +1449,17 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for"
" Phase 2", (unsigned long) in_len);
+ if (data->pending_phase2_resp) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
+ "skip decryption and use old data");
+ eap_fast_process_phase2_tlvs(
+ sm, data, wpabuf_mhead(data->pending_phase2_resp),
+ wpabuf_len(data->pending_phase2_resp));
+ wpabuf_free(data->pending_phase2_resp);
+ data->pending_phase2_resp = NULL;
+ return;
+ }
+
/* FIX: get rid of const -> non-const typecast */
res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
&in_len);
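Review bot: The debug message in the new pending branch of eap_fast_process_phase2 carries the wrong method tag: `wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "` lives in eap_fast.c and should read `"EAP-FAST: Pending Phase 2 response - "`, otherwise log triage attributes this path to PEAP. A second point: this branch frees pending_phase2_resp and returns before the save logic in the later hunk (which sits after the decrypt), so if the Phase 2 method reports METHOD_PENDING_WAIT again on the replayed TLVs the buffer is dropped and the next round decrypts fresh input instead of re-using the saved response; PEAP and TTLS avoid this by saving inside the response handler. Guarding the release with `if (sm->method_pending != METHOD_PENDING_WAIT)` around the `wpabuf_free`/`= NULL` pair would keep the three methods consistent. eap_fast_process_phase2 continues outside the hunk.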
@@ -1485,6 +1498,14 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
eap_fast_process_phase2_tlvs(sm, data, in_decrypted, len_decrypted);
+ if (sm->method_pending == METHOD_PENDING_WAIT) {
+ wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in "
+ "pending wait state - save decrypted response");
+ wpabuf_free(data->pending_phase2_resp);
+ data->pending_phase2_resp = wpabuf_alloc_copy(in_decrypted,
+ len_decrypted);
+ }
+
os_free(in_decrypted);
}
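Review bot: The result of `wpabuf_alloc_copy(in_decrypted, len_decrypted)` is not checked, so on allocation failure pending_phase2_resp stays NULL and the next client message is decrypted and handed to a Phase 2 method that is still in pending wait; that is presumably an acceptable best-effort degradation, but a short comment saying so would stop a later reader from treating it as an oversight, e.g. `/* NULL on OOM: next round falls back to decrypting fresh data */`. The PEAP and TTLS save hunks (`wpabuf_dup(in_data)` and `wpabuf_dup(&buf)`) leave their allocation unchecked in the same way.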
diff --git a/src/eap_server/eap_peap.c b/src/eap_server/eap_peap.c
index a5126a0..0b8d184 100644
--- a/src/eap_server/eap_peap.c
+++ b/src/eap_server/eap_peap.c
@@ -1,6 +1,6 @@
/*
* hostapd / EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-07.txt)
- * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -42,6 +42,7 @@ struct eap_peap_data {
const struct eap_method *phase2_method;
void *phase2_priv;
int force_version;
+ struct wpabuf *pending_phase2_resp;
};
@@ -159,6 +160,7 @@ static void eap_peap_reset(struct eap_sm *sm, void *priv)
if (data->phase2_priv && data->phase2_method)
data->phase2_method->reset(sm, data->phase2_priv);
eap_server_tls_ssl_deinit(sm, &data->ssl);
+ wpabuf_free(data->pending_phase2_resp);
os_free(data);
}
@@ -405,10 +407,16 @@ static void eap_peap_process_phase2_response(struct eap_sm *sm,
data->phase2_method->process(sm, data->phase2_priv, in_data);
+ if (sm->method_pending == METHOD_PENDING_WAIT) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method is in "
+ "pending wait state - save decrypted response");
+ wpabuf_free(data->pending_phase2_resp);
+ data->pending_phase2_resp = wpabuf_dup(in_data);
+ }
+
if (!data->phase2_method->isDone(sm, data->phase2_priv))
return;
-
if (!data->phase2_method->isSuccess(sm, data->phase2_priv)) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method failed");
next_type = eap_peap_req_failure(sm, data);
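Review bot: On the replay path the `in_data` argument aliases `data->pending_phase2_resp`, so `wpabuf_free(data->pending_phase2_resp)` releases the buffer that `wpabuf_dup(in_data)` reads on the very next line whenever the Phase 2 method reports METHOD_PENDING_WAIT a second time — a use-after-free read, after which the caller in the next hunk frees and clears the freshly saved copy, so the response is lost as well. The aliasing is visible in the next hunk, where eap_peap_process_phase2 passes data->pending_phase2_resp straight into this function; the TTLS hunks for eap_ttls_process_phase2_eap_response and eap_ttls_process_phase2 have the same shape, assuming `buf` there wraps the pointer taken from pending_phase2_eap_resp (its construction is outside the hunk). The cleanest fix is in the callers: detach the saved buffer before the call and free the local afterwards, so this block sees a NULL pending pointer, its dup reads live memory, and a re-saved copy survives. eap_peap_process_phase2_response continues outside the hunk.
```c
	if (data->pending_phase2_resp) {
		struct wpabuf *resp = data->pending_phase2_resp;
		wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
			   "skip decryption and use old data");
		/* detach first: the handler may save a fresh copy if the
		 * Phase 2 method enters pending wait again */
		data->pending_phase2_resp = NULL;
		eap_peap_process_phase2_response(sm, data, resp);
		wpabuf_free(resp);
		return;
	}
```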
@@ -468,6 +476,16 @@ static void eap_peap_process_phase2(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
" Phase 2", (unsigned long) in_len);
+ if (data->pending_phase2_resp) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
+ "skip decryption and use old data");
+ eap_peap_process_phase2_response(sm, data,
+ data->pending_phase2_resp);
+ wpabuf_free(data->pending_phase2_resp);
+ data->pending_phase2_resp = NULL;
+ return;
+ }
+
/* FIX: get rid of const -> non-const typecast */
res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
&in_len);
diff --git a/src/eap_server/eap_ttls.c b/src/eap_server/eap_ttls.c
index e17352e..63b2745 100644
--- a/src/eap_server/eap_ttls.c
+++ b/src/eap_server/eap_ttls.c
@@ -1,6 +1,6 @@
/*
* hostapd / EAP-TTLS (draft-ietf-pppext-eap-ttls-05.txt)
- * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -54,6 +54,7 @@ struct eap_ttls_data {
u8 mschapv2_auth_response[20];
u8 mschapv2_ident;
int tls_ia_configured;
+ struct wpabuf *pending_phase2_eap_resp;
};
@@ -416,6 +417,7 @@ static void eap_ttls_reset(struct eap_sm *sm, void *priv)
if (data->phase2_priv && data->phase2_method)
data->phase2_method->reset(sm, data->phase2_priv);
eap_server_tls_ssl_deinit(sm, &data->ssl);
+ wpabuf_free(data->pending_phase2_eap_resp);
os_free(data);
}
@@ -1038,6 +1040,13 @@ static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
m->process(sm, priv, &buf);
+ if (sm->method_pending == METHOD_PENDING_WAIT) {
+ wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
+ "pending wait state - save decrypted response");
+ wpabuf_free(data->pending_phase2_eap_resp);
+ data->pending_phase2_eap_resp = wpabuf_dup(&buf);
+ }
+
if (!m->isDone(sm, priv))
return;
@@ -1148,6 +1157,17 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
" Phase 2", (unsigned long) in_len);
+ if (data->pending_phase2_eap_resp) {
+ wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
+ "- skip decryption and use old data");
+ eap_ttls_process_phase2_eap(
+ sm, data, wpabuf_head(data->pending_phase2_eap_resp),
+ wpabuf_len(data->pending_phase2_eap_resp));
+ wpabuf_free(data->pending_phase2_eap_resp);
+ data->pending_phase2_eap_resp = NULL;
+ return;
+ }
+
res = eap_server_tls_data_reassemble(sm, &data->ssl, &in_data,
&in_len);
if (res < 0 || res == 1)