| Message ID | 20200917212328.1564-1-alex@digriz.org.uk |
|---|---|
| State | Changes Requested |
| Series | PEAP peer: allow autheap for EAP-TLS phase2 support |
This patch is for PEAP with inner EAP-TLS, which is supported by Windows. It came out of the IETF EMU testing for TLS 1.3.

Alan DeKok.
On Thu, Sep 17, 2020 at 10:23:29PM +0100, Alexander Clouter wrote:
> ---
> src/eap_peer/eap_peap.c | 22 +++++++++++++++++++---
> 1 file changed, 19 insertions(+), 3 deletions(-)

Why would this be needed? EAP-PEAP inner method is configured with "auth", not "autheap". The "autheap" special case is needed with EAP-TTLS where both EAP and non-EAP inner methods are supported. That is not the case with EAP-PEAP.

Furthermore, the commit message would need to include the Signed-off-by: line as described in the CONTRIBUTIONS file for me to be able to consider applying a patch.
On Oct 9, 2020, at 8:22 AM, Jouni Malinen <j@w1.fi> wrote:
>
> On Thu, Sep 17, 2020 at 10:23:29PM +0100, Alexander Clouter wrote:
>> ---
>> src/eap_peer/eap_peap.c | 22 +++++++++++++++++++---
>> 1 file changed, 19 insertions(+), 3 deletions(-)
>
> Why would this be needed? EAP-PEAP inner method is configured with
> "auth", not "autheap". The "autheap" special case is needed with
> EAP-TTLS where both EAP and non-EAP inner methods are supported. That is
> not the case with EAP-PEAP.

It's mainly for consistency. "auth" is used elsewhere to indicate non-EAP methods, and "autheap" is used for EAP methods. It's not a big issue, and can be dropped.

> Furthermore, the commit message would need to include the Signed-off-by:
> line as described in the CONTRIBUTIONS file for me to be able to
> consider applying a patch.

I'll push on that.

Alan DeKok.
Hello,

On Fri, 9 Oct 2020, at 13:22, Jouni Malinen wrote:
>
> Why would this be needed?

As the inner method is EAP-TLS and not a non-EAP method such as MSCHAPv2. If there is an already existing way of doing EAP-TLS inside PEAP then I could not find it in the examples provided with wpa_supplicant, maybe I missed them?

> EAP-PEAP inner method is configured with "auth", not "autheap".

I do not remember auth=*TLS* working for me when I tried a few months ago when I originally posted this.

> The "autheap" special case is needed with
> EAP-TTLS where both EAP and non-EAP inner methods are supported. That is
> not the case with EAP-PEAP.

PEAP supports EAP-TLS as an inner method. I could not get PEAP with EAP-TLS working as an inner method, but I noticed eapol_test/wpa_supplicant does support TTLS/EAP-TLS. I browsed the code, noticed autheap=... being used and cribbed the methodology from there.

If I did something wrong, sorry, I tried, I guessed on what needed to be done based on the existing code I saw already in there and it looks like I made a crappy job of it all. Sorry.

> Furthermore, the commit message would need to include the Signed-off-by:
> line as described in the CONTRIBUTIONS file for me to be able to
> consider applying a patch.

My bad, I will get that added and reposted.

Regards
diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c index 7c3704369..7bcba4de2 100644 --- a/src/eap_peer/eap_peap.c +++ b/src/eap_peer/eap_peap.c @@ -146,13 +146,29 @@ static void * eap_peap_init(struct eap_sm *sm) if (config && config->phase1) eap_peap_parse_phase1(data, config->phase1); - if (eap_peer_select_phase2_methods(config, "auth=", - &data->phase2_types, - &data->num_phase2_types, 0) < 0) { + if (os_strstr(config->phase2, "auth=") && os_strstr(config->phase2, "autheap=")) { + wpa_printf(MSG_ERROR, + "EAP-PEAP: Both auth= and autheap= params cannot be specified"); eap_peap_deinit(sm, data); return NULL; } + if (os_strstr(config->phase2, "auth=")) { + if (eap_peer_select_phase2_methods(config, "auth=", + &data->phase2_types, + &data->num_phase2_types, 0) < 0) { + eap_peap_deinit(sm, data); + return NULL; + } + } else { + if (eap_peer_select_phase2_methods(config, "autheap=", + &data->phase2_types, + &data->num_phase2_types, 0) < 0) { + eap_peap_deinit(sm, data); + return NULL; + } + } + data->phase2_type.vendor = EAP_VENDOR_IETF; data->phase2_type.method = EAP_TYPE_NONE;
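Review bot: the new `os_strstr(config->phase2, "auth=")` calls dereference `config` and hand `config->phase2` to `os_strstr()` with no NULL check, while the context line just above (`if (config && config->phase1)`) shows `config` can be NULL here and `phase2` is equally optional; the replaced code was safe because it passed `config` itself into `eap_peer_select_phase2_methods()`. Guard the comparison, e.g. `if (config && config->phase2 && os_strstr(config->phase2, "autheap="))`, and fall back to the old `"auth="` prefix when neither parameter is present, since the new `else` branch silently switches that case from `"auth="` to `"autheap="`. The two branches also duplicate the select/deinit/return sequence and the first new `if` line runs past 80 columns; choosing the prefix once, e.g. `const char *prefix = ... ? "autheap=" : "auth=";`, and keeping a single `eap_peer_select_phase2_methods(config, prefix, ...)` call would preserve the original shape and wrap naturally.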