From patchwork Tue Mar 19 08:26:26 2024
X-Patchwork-Submitter: xinpeng wang
X-Patchwork-Id: 1913448
From: xinpeng wang
To: hostap@lists.infradead.org
Cc: xinpeng wang
Subject: [PATCH v2] eapol: ignore response in workarond mode
Date: Tue, 19 Mar 2024 16:26:26 +0800
Message-Id: <20240319082626.19128-1-wangxinpeng@uniontech.com>

During eap authentication, the supplier sends the response to the address 01:80:c2:00:00:03, the PAE group address. Some switches will broadcast messages sent to this address, which will cause the devices under the same switch to receive these response packets, which will cause the device's eap state machine to migrate incorrectly, resulting in repeated authentication or slow authentication.

Signed-off-by: xinpeng wang
--- src/eapol_supp/eapol_supp_sm.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c index abc1416a3..e5a8cc6ff 100644 --- a/src/eapol_supp/eapol_supp_sm.c +++ b/src/eapol_supp/eapol_supp_sm.c @@ -1365,6 +1365,25 @@ int eapol_sm_rx_eapol(struct eapol_sm *sm, const u8 *src, const u8 *buf, wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with unknown code 10"); break; } + + if (plen >= sizeof(*ehdr) && ehdr->code == EAP_CODE_RESPONSE) { + const u8 *pos_tmp = (const u8 *) (ehdr + 1); + enum eap_type eap_type; + if (*pos_tmp != EAP_TYPE_EXPANDED) { + eap_type = *pos_tmp; + } else { + if (plen < sizeof(*ehdr) + 8) { + wpa_printf(MSG_INFO, "EAP: Invalid expanded EAP length"); + break; + } + pos_tmp += 4; + eap_type = WPA_GET_BE32(pos_tmp); + } + if (eap_type != EAP_TYPE_LEAP) { + wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with response"); + break; + } + } } if (sm->cached_pmk) {
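
Review bot: the type octet is read before its presence is checked. The guard `plen >= sizeof(*ehdr)` only covers the EAP header, but `*pos_tmp` dereferences `ehdr + 1`, so a Response whose length equals the header size makes `*pos_tmp != EAP_TYPE_EXPANDED` read one byte past the validated data. Since these frames arrive from other stations on the segment, tighten the guard to `plen > sizeof(*ehdr)` before touching `pos_tmp`. In the expanded branch, `pos_tmp += 4` steps over the vendor ID without looking at it, so the 32-bit vendor type is compared against `EAP_TYPE_LEAP` whatever the vendor is; either require the vendor ID to be zero or treat every expanded Response as non-LEAP. The `eap_type != EAP_TYPE_LEAP` exception also needs a comment saying why LEAP Responses must still reach the state machine, and the debug text would be clearer as something like "EAPOL: Ignore EAP-Response received by supplicant".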