Compare commits
No commits in common. "c8s" and "c8" have entirely different histories.
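--- a/.gitignore
+++ b/.gitignore
@@ -1,24 +1 @@
-madwifi-headers.tar.bz2
-wpa_supplicant-0.4.7.tar.gz
-wpa_supplicant-0.5.1.tar.gz
-wpa_supplicant-0.4.8.tar.gz
-madwifi-headers-r1475.tar.bz2
-wpa_supplicant-0.4.9.tar.gz
-wpa_supplicant-0.5.7.tar.gz
-wpa_supplicant-0.6.3.tar.gz
-wpa_supplicant-0.6.4.tar.gz
-wpa_supplicant-0.6.7.tar.gz
-wpa_supplicant-0.6.8.tar.gz
-/wpa_supplicant-0.7.3.tar.gz
-/wpa_supplicant-1.0-rc1.tar.gz
-/wpa_supplicant-1.0-rc2.tar.gz
-/wpa_supplicant-1.1.tar.gz
-/wpa_supplicant-2.0.tar.gz
-/wpa_supplicant-2.3.tar.gz
-/wpa_supplicant-2.4.tar.gz
-/wpa_supplicant-2.5.tar.gz
-/wpa_supplicant-2.6.tar.gz
-/wpa_supplicant-2.7.tar.gz
-/wpa_supplicant-2.9.tar.gz
-/wpa_supplicant-2.9.20211112.gitc8b94bc7b347.tar.gz
-/wpa_supplicant-2.10.tar.gz
+SOURCES/wpa_supplicant-2.10.tar.gz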
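--- /dev/null
+++ b/.wpa_supplicant.metadata
@@ -0,0 +1 @@
+e295b07d599da4b99c3836d4402ec5746f77e8e8 SOURCES/wpa_supplicant-2.10.tar.gz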
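Review bot: The added `.wpa_supplicant.metadata` line pins SOURCES/wpa_supplicant-2.10.tar.gz with a 40-hex-character digest, which is the length of a SHA-1 digest, whereas the `sources` file removed further down this comparison recorded a SHA512 digest for the same tarball. If the lookaside tooling for this branch verifies the download against this value, the integrity check is weaker than on the other side, and with `Source0` in the spec fetched over plain http this digest is the only thing pinning the tarball contents. Worth confirming whether the tooling accepts a stronger digest here, or whether the SHA512 value can be kept alongside it.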
@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
|
|||||||
Name: wpa_supplicant
|
Name: wpa_supplicant
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.10
|
Version: 2.10
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
|
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
|
||||||
@ -31,9 +31,6 @@ Patch3: wpa_supplicant-quiet-scan-results-message.patch
|
|||||||
Patch5: rh1542234-remove-wpa_gui.patch
|
Patch5: rh1542234-remove-wpa_gui.patch
|
||||||
Patch6: wpa_supplicant-gui-qt4.patch
|
Patch6: wpa_supplicant-gui-qt4.patch
|
||||||
|
|
||||||
# fix PEAP client to require successful Phase2 authentication when needed (CVE-2023-52160)
|
|
||||||
Patch7: wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch
|
|
||||||
|
|
||||||
URL: http://w1.fi/wpa_supplicant/
|
URL: http://w1.fi/wpa_supplicant/
|
||||||
|
|
||||||
%if %{build_gui}
|
%if %{build_gui}
|
||||||
@ -176,9 +173,6 @@ chmod -R 0644 %{name}/examples/*.py
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Feb 20 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.10-2
|
|
||||||
- Backport fix for PEAP client (CVE-2023-52160)
|
|
||||||
|
|
||||||
* Thu Jan 20 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-1
|
* Thu Jan 20 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-1
|
||||||
- Update to version 2.10 (rh #2042104)
|
- Update to version 2.10 (rh #2042104)
|
||||||
|
|
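Review bot: On the new side of the `Patch5`/`Patch6` hunk the line `Patch7: wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch` and its CVE-2023-52160 comment are absent, the `%changelog` hunk drops the `1:2.10-2` entry, and `Release:` goes back to `1%{?dist}`, so a build from this side ships 2.10 without the PEAP Phase 2 authentication fix that the other side applies. If c8 is meant to track c8s, the Patch7 line, the changelog entry and the Release bump need to be carried over together with the patch file that is deleted at the end of this comparison. How the patch is applied (%autosetup or an explicit %patch line) is outside the visible hunks.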
@ -1,6 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-8
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
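--- a/sources
+++ /dev/null
@@ -1 +0,0 @@
-SHA512 (wpa_supplicant-2.10.tar.gz) = 021c2a48f45d39c1dc6557730be5debaee071bc0ff82a271638beee6e32314e353e49d39e2f0dc8dff6e094dcc7008cfe1c32d0c7a34a1a345a12a3f1c1e11a1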
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
- hosts: localhost
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tests:
|
|
||||||
- wpa_supplicant_standalone
|
|
||||||
required_packages:
|
|
||||||
- kernel-modules-extra
|
|
||||||
- kernel-modules-internal
|
|
||||||
- wpa_supplicant
|
|
||||||
- iproute
|
|
||||||
- iw
|
|
||||||
- util-linux
|
|
@ -1,63 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
||||||
# Description: sanity test for wpa_supplicant
|
|
||||||
# Author: Davide Caratti <dcaratti@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2019 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This program is free software: you can redistribute it and/or
|
|
||||||
# modify it under the terms of the GNU General Public License as
|
|
||||||
# published by the Free Software Foundation, either version 2 of
|
|
||||||
# the License, or (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see http://www.gnu.org/licenses/.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Davide Caratti <dcaratti@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: sanity test for wpa_supplicant" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 10m" >> $(METADATA)
|
|
||||||
@echo "RunFor: wpa_supplicant" >> $(METADATA)
|
|
||||||
@echo "Requires: util-linux iproute iw wpa_supplicant" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2+" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,3 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
||||||
Description: sanity test for wpa_supplicant
|
|
||||||
Author: Davide Caratti <dcaratti@redhat.com>
|
|
@ -1,221 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# runtest.sh of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
||||||
# Description: sanity test for wpa_supplicant
|
|
||||||
# Author: Davide Caratti <dcaratti@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2019 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# This program is free software: you can redistribute it and/or
|
|
||||||
# modify it under the terms of the GNU General Public License as
|
|
||||||
# published by the Free Software Foundation, either version 2 of
|
|
||||||
# the License, or (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see http://www.gnu.org/licenses/.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/bin/rhts-environment.sh || exit 1
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="wpa_supplicant"
|
|
||||||
|
|
||||||
MACSTA="00:00:0a:bb:e1:1a"
|
|
||||||
IFACEAP="wlan0"
|
|
||||||
IFACESTA="wlan1"
|
|
||||||
|
|
||||||
open_ap() {
|
|
||||||
local SSID=${1:-notreallyassid}
|
|
||||||
|
|
||||||
cat >openap.conf <<-EOF
|
|
||||||
network={
|
|
||||||
frequency=2412
|
|
||||||
ssid="$SSID"
|
|
||||||
mode=2
|
|
||||||
key_mgmt=NONE
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -copenap.conf -B -fopenap.log -Pw1ap.pid
|
|
||||||
}
|
|
||||||
|
|
||||||
open_sta() {
|
|
||||||
local SSID=${1:-notreallyassid}
|
|
||||||
|
|
||||||
cat >opensta.conf <<-EOF
|
|
||||||
network={
|
|
||||||
ssid="$SSID"
|
|
||||||
key_mgmt=NONE
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -copensta.conf -B -fopensta.log -Pw1sta.pid
|
|
||||||
}
|
|
||||||
|
|
||||||
wpa2psk_ap() {
|
|
||||||
local SSID=${1:-notreallyassid}
|
|
||||||
|
|
||||||
cat >wpapskap.conf <<-EOF
|
|
||||||
network={
|
|
||||||
frequency=2437
|
|
||||||
ssid="$SSID"
|
|
||||||
mode=2
|
|
||||||
key_mgmt=WPA-PSK
|
|
||||||
pairwise=CCMP
|
|
||||||
group=CCMP
|
|
||||||
psk="hunter2?"
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -cwpapskap.conf -B -fwpapskap.log -Pw2ap.pid
|
|
||||||
}
|
|
||||||
|
|
||||||
wpa2psk_sta() {
|
|
||||||
local SSID=${1:-notreallyassid}
|
|
||||||
|
|
||||||
cat >wpapsksta.conf <<-EOF
|
|
||||||
network={
|
|
||||||
frequency=2437
|
|
||||||
ssid="$SSID"
|
|
||||||
proto=WPA
|
|
||||||
key_mgmt=WPA-PSK
|
|
||||||
pairwise=CCMP
|
|
||||||
group=CCMP
|
|
||||||
psk="hunter2?"
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -cwpapsksta.conf -B -fwpapsksta.log -Pw2sta.pid
|
|
||||||
}
|
|
||||||
|
|
||||||
kill_supplicants() {
|
|
||||||
local a=`cat w*.pid`
|
|
||||||
local iter=0
|
|
||||||
|
|
||||||
while [ ${#a} -gt 0 -a $iter -lt 10 ]; do
|
|
||||||
for a in $a; do
|
|
||||||
kill $a 1>/dev/null 2>&1
|
|
||||||
sleep 1
|
|
||||||
done
|
|
||||||
a=`cat w*.pid`
|
|
||||||
iter=$((iter+1))
|
|
||||||
done
|
|
||||||
|
|
||||||
ip link set dev $IFACEAP down
|
|
||||||
ip link set dev $IFACESTA down
|
|
||||||
|
|
||||||
if [ $iter -ge 10 -a ${#a} -gt 0 ]; then
|
|
||||||
return 1
|
|
||||||
else
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_for_associated_sta()
|
|
||||||
{
|
|
||||||
|
|
||||||
local assoc_found=0 assoc_missed=0
|
|
||||||
|
|
||||||
ip link set dev $IFACEAP up
|
|
||||||
while sleep 2; do
|
|
||||||
if iw dev $IFACEAP station dump | grep -i $MACSTA ; then
|
|
||||||
assoc_found=$((assoc_found+1))
|
|
||||||
rlLog "found $MACSTA in $IFACEAP associations ($assoc_found)"
|
|
||||||
else
|
|
||||||
if [ $assoc_found -gt 0 ]; then
|
|
||||||
rlLog "association disappeared after $assoc_found cycles"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
rlLog "didn't find association ($assoc_missed)"
|
|
||||||
assoc_missed=$((assoc_missed+1))
|
|
||||||
fi
|
|
||||||
if [ $assoc_missed -gt 5 ]; then
|
|
||||||
rlLog "timeout waiting for $MACSTA in $IFACEAP station dump"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
if [ $assoc_found -gt 5 ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
rlLog "sleep failed!"
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
check_for_running_aps()
|
|
||||||
{
|
|
||||||
local probe_ok=0 probe_missed=0
|
|
||||||
|
|
||||||
ip link set dev $IFACESTA up
|
|
||||||
while sleep 1; do
|
|
||||||
if iw dev $IFACESTA scan | grep "${1:-notreallyassid}"; then
|
|
||||||
probe_ok=$((probe_ok+1))
|
|
||||||
rlLog "$probe_ok probe received"
|
|
||||||
else
|
|
||||||
if [ $probe_ok -gt 0 ]; then
|
|
||||||
rlLog "probe failure after $probe_ok attempts"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
rlLog "missed probe response"
|
|
||||||
probe_missed=$((probe_missed+1))
|
|
||||||
fi
|
|
||||||
if [ $probe_missed -gt 5 ]; then
|
|
||||||
rlLog "timeout waiting for beacons"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
if [ $probe_ok -gt 5 ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
rlLog "sleep failed!"
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
# avoid randomizing MAC for wlan0 and wlan1
|
|
||||||
rlRun "systemctl stop NetworkManager"
|
|
||||||
# allow scans
|
|
||||||
rlRun "systemctl stop wpa_supplicant"
|
|
||||||
# install required modules
|
|
||||||
rlRun "modprobe rfkill"
|
|
||||||
rlRun "modprobe mac80211_hwsim radio=2"
|
|
||||||
rlRun "rfkill unblock wifi"
|
|
||||||
rlRun "ip link set dev $IFACESTA address $MACSTA"
|
|
||||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
|
||||||
rlRun "pushd $TmpDir"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest
|
|
||||||
# cleartext wifi
|
|
||||||
rlRun "kill_supplicants"
|
|
||||||
rlRun "open_ap test_OPEN"
|
|
||||||
rlRun "check_for_running_aps test_OPEN"
|
|
||||||
rlRun "open_sta test_OPEN"
|
|
||||||
rlRun "check_for_associated_sta test_OPEN"
|
|
||||||
|
|
||||||
# WPA2 personal
|
|
||||||
rlRun "kill_supplicants"
|
|
||||||
rlRun "wpa2psk_ap test_WPAPSK"
|
|
||||||
rlRun "check_for_running_aps test_WPAPSK"
|
|
||||||
rlRun "wpa2psk_sta test_WPAPSK"
|
|
||||||
rlRun "check_for_associated_sta test_WPAPSK"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun kill_supplicants
|
|
||||||
rlRun "popd"
|
|
||||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
|
||||||
rlRun "modprobe -r mac80211_hwsim"
|
|
||||||
rlRun "systemctl restart wpa_supplicant"
|
|
||||||
rlRun "systemctl restart NetworkManager"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
@ -1,198 +0,0 @@
|
|||||||
From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
|
|
||||||
Message-ID: <8e6485a1bcb0baffdea9e55255a81270b768439c.1708356763.git.davide.caratti@gmail.com>
|
|
||||||
From: Jouni Malinen <j@w1.fi>
|
|
||||||
Date: Sat, 8 Jul 2023 19:55:32 +0300
|
|
||||||
Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
|
|
||||||
|
|
||||||
The previous PEAP client behavior allowed the server to skip Phase 2
|
|
||||||
authentication with the expectation that the server was authenticated
|
|
||||||
during Phase 1 through TLS server certificate validation. Various PEAP
|
|
||||||
specifications are not exactly clear on what the behavior on this front
|
|
||||||
is supposed to be and as such, this ended up being more flexible than
|
|
||||||
the TTLS/FAST/TEAP cases. However, this is not really ideal when
|
|
||||||
unfortunately common misconfiguration of PEAP is used in deployed
|
|
||||||
devices where the server trust root (ca_cert) is not configured or the
|
|
||||||
user has an easy option for allowing this validation step to be skipped.
|
|
||||||
|
|
||||||
Change the default PEAP client behavior to be to require Phase 2
|
|
||||||
authentication to be successfully completed for cases where TLS session
|
|
||||||
resumption is not used and the client certificate has not been
|
|
||||||
configured. Those two exceptions are the main cases where a deployed
|
|
||||||
authentication server might skip Phase 2 and as such, where a more
|
|
||||||
strict default behavior could result in undesired interoperability
|
|
||||||
issues. Requiring Phase 2 authentication will end up disabling TLS
|
|
||||||
session resumption automatically to avoid interoperability issues.
|
|
||||||
|
|
||||||
Allow Phase 2 authentication behavior to be configured with a new phase1
|
|
||||||
configuration parameter option:
|
|
||||||
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
|
|
||||||
tunnel) behavior for PEAP:
|
|
||||||
* 0 = do not require Phase 2 authentication
|
|
||||||
* 1 = require Phase 2 authentication when client certificate
|
|
||||||
(private_key/client_cert) is no used and TLS session resumption was
|
|
||||||
not used (default)
|
|
||||||
* 2 = require Phase 2 authentication in all cases
|
|
||||||
|
|
||||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
|
||||||
---
|
|
||||||
src/eap_peer/eap_config.h | 8 ++++++
|
|
||||||
src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
|
|
||||||
src/eap_peer/eap_tls_common.c | 6 +++++
|
|
||||||
src/eap_peer/eap_tls_common.h | 5 ++++
|
|
||||||
wpa_supplicant/wpa_supplicant.conf | 7 ++++++
|
|
||||||
5 files changed, 63 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
--- a/src/eap_peer/eap_config.h
|
|
||||||
+++ b/src/eap_peer/eap_config.h
|
|
||||||
@@ -469,6 +469,14 @@ struct eap_peer_config {
|
|
||||||
* 1 = use cryptobinding if server supports it
|
|
||||||
* 2 = require cryptobinding
|
|
||||||
*
|
|
||||||
+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
|
|
||||||
+ * tunnel) behavior for PEAP:
|
|
||||||
+ * 0 = do not require Phase 2 authentication
|
|
||||||
+ * 1 = require Phase 2 authentication when client certificate
|
|
||||||
+ * (private_key/client_cert) is no used and TLS session resumption was
|
|
||||||
+ * not used (default)
|
|
||||||
+ * 2 = require Phase 2 authentication in all cases
|
|
||||||
+ *
|
|
||||||
* EAP-WSC (WPS) uses following options: pin=Device_Password and
|
|
||||||
* uuid=Device_UUID
|
|
||||||
*
|
|
||||||
--- a/src/eap_peer/eap_peap.c
|
|
||||||
+++ b/src/eap_peer/eap_peap.c
|
|
||||||
@@ -67,6 +67,7 @@ struct eap_peap_data {
|
|
||||||
u8 cmk[20];
|
|
||||||
int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
|
|
||||||
* is enabled. */
|
|
||||||
+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct
|
|
||||||
wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (os_strstr(phase1, "phase2_auth=0")) {
|
|
||||||
+ data->phase2_auth = NO_AUTH;
|
|
||||||
+ wpa_printf(MSG_DEBUG,
|
|
||||||
+ "EAP-PEAP: Do not require Phase 2 authentication");
|
|
||||||
+ } else if (os_strstr(phase1, "phase2_auth=1")) {
|
|
||||||
+ data->phase2_auth = FOR_INITIAL;
|
|
||||||
+ wpa_printf(MSG_DEBUG,
|
|
||||||
+ "EAP-PEAP: Require Phase 2 authentication for initial connection");
|
|
||||||
+ } else if (os_strstr(phase1, "phase2_auth=2")) {
|
|
||||||
+ data->phase2_auth = ALWAYS;
|
|
||||||
+ wpa_printf(MSG_DEBUG,
|
|
||||||
+ "EAP-PEAP: Require Phase 2 authentication for all cases");
|
|
||||||
+ }
|
|
||||||
#ifdef EAP_TNC
|
|
||||||
if (os_strstr(phase1, "tnc=soh2")) {
|
|
||||||
data->soh = 2;
|
|
||||||
@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_s
|
|
||||||
data->force_peap_version = -1;
|
|
||||||
data->peap_outer_success = 2;
|
|
||||||
data->crypto_binding = OPTIONAL_BINDING;
|
|
||||||
+ data->phase2_auth = FOR_INITIAL;
|
|
||||||
|
|
||||||
if (config && config->phase1)
|
|
||||||
eap_peap_parse_phase1(data, config->phase1);
|
|
||||||
@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobindin
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
+static bool peap_phase2_sufficient(struct eap_sm *sm,
|
|
||||||
+ struct eap_peap_data *data)
|
|
||||||
+{
|
|
||||||
+ if ((data->phase2_auth == ALWAYS ||
|
|
||||||
+ (data->phase2_auth == FOR_INITIAL &&
|
|
||||||
+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
|
|
||||||
+ !data->ssl.client_cert_conf) ||
|
|
||||||
+ data->phase2_eap_started) &&
|
|
||||||
+ !data->phase2_eap_success)
|
|
||||||
+ return false;
|
|
||||||
+ return true;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* eap_tlv_process - Process a received EAP-TLV message and generate a response
|
|
||||||
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
|
|
||||||
@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm
|
|
||||||
" - force failed Phase 2");
|
|
||||||
resp_status = EAP_TLV_RESULT_FAILURE;
|
|
||||||
ret->decision = DECISION_FAIL;
|
|
||||||
+ } else if (!peap_phase2_sufficient(sm, data)) {
|
|
||||||
+ wpa_printf(MSG_INFO,
|
|
||||||
+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
|
|
||||||
+ resp_status = EAP_TLV_RESULT_FAILURE;
|
|
||||||
+ ret->decision = DECISION_FAIL;
|
|
||||||
} else {
|
|
||||||
resp_status = EAP_TLV_RESULT_SUCCESS;
|
|
||||||
ret->decision = DECISION_UNCOND_SUCC;
|
|
||||||
@@ -887,8 +921,7 @@ continue_req:
|
|
||||||
/* EAP-Success within TLS tunnel is used to indicate
|
|
||||||
* shutdown of the TLS channel. The authentication has
|
|
||||||
* been completed. */
|
|
||||||
- if (data->phase2_eap_started &&
|
|
||||||
- !data->phase2_eap_success) {
|
|
||||||
+ if (!peap_phase2_sufficient(sm, data)) {
|
|
||||||
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
|
|
||||||
"Success used to indicate success, "
|
|
||||||
"but Phase 2 EAP was not yet "
|
|
||||||
@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(
|
|
||||||
static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
|
|
||||||
{
|
|
||||||
struct eap_peap_data *data = priv;
|
|
||||||
+
|
|
||||||
return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
|
|
||||||
- data->phase2_success;
|
|
||||||
+ data->phase2_success && data->phase2_auth != ALWAYS;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
--- a/src/eap_peer/eap_tls_common.c
|
|
||||||
+++ b/src/eap_peer/eap_tls_common.c
|
|
||||||
@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(stru
|
|
||||||
|
|
||||||
sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
|
|
||||||
|
|
||||||
+ if (!phase2)
|
|
||||||
+ data->client_cert_conf = params->client_cert ||
|
|
||||||
+ params->client_cert_blob ||
|
|
||||||
+ params->private_key ||
|
|
||||||
+ params->private_key_blob;
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
--- a/src/eap_peer/eap_tls_common.h
|
|
||||||
+++ b/src/eap_peer/eap_tls_common.h
|
|
||||||
@@ -79,6 +79,11 @@ struct eap_ssl_data {
|
|
||||||
* tls_v13 - Whether TLS v1.3 or newer is used
|
|
||||||
*/
|
|
||||||
int tls_v13;
|
|
||||||
+
|
|
||||||
+ /**
|
|
||||||
+ * client_cert_conf: Whether client certificate has been configured
|
|
||||||
+ */
|
|
||||||
+ bool client_cert_conf;
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
--- a/wpa_supplicant/wpa_supplicant.conf
|
|
||||||
+++ b/wpa_supplicant/wpa_supplicant.conf
|
|
||||||
@@ -1330,6 +1330,13 @@ fast_reauth=1
|
|
||||||
# * 0 = do not use cryptobinding (default)
|
|
||||||
# * 1 = use cryptobinding if server supports it
|
|
||||||
# * 2 = require cryptobinding
|
|
||||||
+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
|
|
||||||
+# tunnel) behavior for PEAP:
|
|
||||||
+# * 0 = do not require Phase 2 authentication
|
|
||||||
+# * 1 = require Phase 2 authentication when client certificate
|
|
||||||
+# (private_key/client_cert) is no used and TLS session resumption was
|
|
||||||
+# not used (default)
|
|
||||||
+# * 2 = require Phase 2 authentication in all cases
|
|
||||||
# EAP-WSC (WPS) uses following options: pin=<Device Password> or
|
|
||||||
# pbc=1.
|
|
||||||
#
|
|