summaryrefslogtreecommitdiffstats
path: root/source/n/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch
diff options
context:
space:
mode:
Diffstat (limited to 'source/n/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch')
-rw-r--r--source/n/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch210
1 files changed, 0 insertions, 210 deletions
diff --git a/source/n/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch b/source/n/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch
deleted file mode 100644
index 07263730f..000000000
--- a/source/n/wpa_supplicant/patches/8e6485a1bcb0baffdea9e55255a81270b768439c.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 8 Jul 2023 19:55:32 +0300
-Subject: PEAP client: Update Phase 2 authentication requirements
-
-The previous PEAP client behavior allowed the server to skip Phase 2
-authentication with the expectation that the server was authenticated
-during Phase 1 through TLS server certificate validation. Various PEAP
-specifications are not exactly clear on what the behavior on this front
-is supposed to be and as such, this ended up being more flexible than
-the TTLS/FAST/TEAP cases. However, this is not really ideal when
-unfortunately common misconfiguration of PEAP is used in deployed
-devices where the server trust root (ca_cert) is not configured or the
-user has an easy option for allowing this validation step to be skipped.
-
-Change the default PEAP client behavior to be to require Phase 2
-authentication to be successfully completed for cases where TLS session
-resumption is not used and the client certificate has not been
-configured. Those two exceptions are the main cases where a deployed
-authentication server might skip Phase 2 and as such, where a more
-strict default behavior could result in undesired interoperability
-issues. Requiring Phase 2 authentication will end up disabling TLS
-session resumption automatically to avoid interoperability issues.
-
-Allow Phase 2 authentication behavior to be configured with a new phase1
-configuration parameter option:
-'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-tunnel) behavior for PEAP:
- * 0 = do not require Phase 2 authentication
- * 1 = require Phase 2 authentication when client certificate
- (private_key/client_cert) is no used and TLS session resumption was
- not used (default)
- * 2 = require Phase 2 authentication in all cases
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_config.h | 8 ++++++++
- src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++++++++++---
- src/eap_peer/eap_tls_common.c | 6 ++++++
- src/eap_peer/eap_tls_common.h | 5 +++++
- wpa_supplicant/wpa_supplicant.conf | 7 +++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
-index 26744ab68..58d5a1359 100644
---- a/src/eap_peer/eap_config.h
-+++ b/src/eap_peer/eap_config.h
-@@ -471,6 +471,14 @@ struct eap_peer_config {
- * 1 = use cryptobinding if server supports it
- * 2 = require cryptobinding
- *
-+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
-+ * tunnel) behavior for PEAP:
-+ * 0 = do not require Phase 2 authentication
-+ * 1 = require Phase 2 authentication when client certificate
-+ * (private_key/client_cert) is no used and TLS session resumption was
-+ * not used (default)
-+ * 2 = require Phase 2 authentication in all cases
-+ *
- * EAP-WSC (WPS) uses following options: pin=Device_Password and
- * uuid=Device_UUID
- *
-diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
-index 12e30df29..608069719 100644
---- a/src/eap_peer/eap_peap.c
-+++ b/src/eap_peer/eap_peap.c
-@@ -67,6 +67,7 @@ struct eap_peap_data {
- u8 cmk[20];
- int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
- * is enabled. */
-+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
- };
-
-
-@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
- }
-
-+ if (os_strstr(phase1, "phase2_auth=0")) {
-+ data->phase2_auth = NO_AUTH;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Do not require Phase 2 authentication");
-+ } else if (os_strstr(phase1, "phase2_auth=1")) {
-+ data->phase2_auth = FOR_INITIAL;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
-+ } else if (os_strstr(phase1, "phase2_auth=2")) {
-+ data->phase2_auth = ALWAYS;
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-PEAP: Require Phase 2 authentication for all cases");
-+ }
- #ifdef EAP_TNC
- if (os_strstr(phase1, "tnc=soh2")) {
- data->soh = 2;
-@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
- data->force_peap_version = -1;
- data->peap_outer_success = 2;
- data->crypto_binding = OPTIONAL_BINDING;
-+ data->phase2_auth = FOR_INITIAL;
-
- if (config && config->phase1)
- eap_peap_parse_phase1(data, config->phase1);
-@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
- }
-
-
-+static bool peap_phase2_sufficient(struct eap_sm *sm,
-+ struct eap_peap_data *data)
-+{
-+ if ((data->phase2_auth == ALWAYS ||
-+ (data->phase2_auth == FOR_INITIAL &&
-+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
-+ !data->ssl.client_cert_conf) ||
-+ data->phase2_eap_started) &&
-+ !data->phase2_eap_success)
-+ return false;
-+ return true;
-+}
-+
-+
- /**
- * eap_tlv_process - Process a received EAP-TLV message and generate a response
- * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
-@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
- " - force failed Phase 2");
- resp_status = EAP_TLV_RESULT_FAILURE;
- ret->decision = DECISION_FAIL;
-+ } else if (!peap_phase2_sufficient(sm, data)) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
-+ resp_status = EAP_TLV_RESULT_FAILURE;
-+ ret->decision = DECISION_FAIL;
- } else {
- resp_status = EAP_TLV_RESULT_SUCCESS;
- ret->decision = DECISION_UNCOND_SUCC;
-@@ -887,8 +921,7 @@ continue_req:
- /* EAP-Success within TLS tunnel is used to indicate
- * shutdown of the TLS channel. The authentication has
- * been completed. */
-- if (data->phase2_eap_started &&
-- !data->phase2_eap_success) {
-+ if (!peap_phase2_sufficient(sm, data)) {
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
- "Success used to indicate success, "
- "but Phase 2 EAP was not yet "
-@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
- static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
- {
- struct eap_peap_data *data = priv;
-+
- return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
-- data->phase2_success;
-+ data->phase2_success && data->phase2_auth != ALWAYS;
- }
-
-
-diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
-index 6193b4bdb..966cbd6c7 100644
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
-
- sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
-
-+ if (!phase2)
-+ data->client_cert_conf = params->client_cert ||
-+ params->client_cert_blob ||
-+ params->private_key ||
-+ params->private_key_blob;
-+
- return 0;
- }
-
-diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
-index 9ac00121f..334863413 100644
---- a/src/eap_peer/eap_tls_common.h
-+++ b/src/eap_peer/eap_tls_common.h
-@@ -79,6 +79,11 @@ struct eap_ssl_data {
- * tls_v13 - Whether TLS v1.3 or newer is used
- */
- int tls_v13;
-+
-+ /**
-+ * client_cert_conf: Whether client certificate has been configured
-+ */
-+ bool client_cert_conf;
- };
-
-
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index f0b82443e..1b09f57d3 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1370,6 +1370,13 @@ fast_reauth=1
- # * 0 = do not use cryptobinding (default)
- # * 1 = use cryptobinding if server supports it
- # * 2 = require cryptobinding
-+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-+# tunnel) behavior for PEAP:
-+# * 0 = do not require Phase 2 authentication
-+# * 1 = require Phase 2 authentication when client certificate
-+# (private_key/client_cert) is no used and TLS session resumption was
-+# not used (default)
-+# * 2 = require Phase 2 authentication in all cases
- # EAP-WSC (WPS) uses following options: pin=<Device Password> or
- # pbc=1.
- #
---
-cgit v1.2.3-18-g5258
-
generated by cgit v1.2.3-79-gdb01 (git 2.46.1) at 2024-09-19 22:33:06 +0000