| developer | 43a264f | 2024-03-26 14:09:54 +0800 | [diff] [blame^] | 1 | From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001 |
| 2 | From: Jouni Malinen <j@w1.fi> |
| 3 | Date: Sat, 8 Jul 2023 19:55:32 +0300 |
| 4 | Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements |
| 5 | |
| 6 | The previous PEAP client behavior allowed the server to skip Phase 2 |
| 7 | authentication with the expectation that the server was authenticated |
| 8 | during Phase 1 through TLS server certificate validation. Various PEAP |
| 9 | specifications are not exactly clear on what the behavior on this front |
| 10 | is supposed to be and as such, this ended up being more flexible than |
| 11 | the TTLS/FAST/TEAP cases. However, this is not really ideal when |
| 12 | unfortunately common misconfiguration of PEAP is used in deployed |
| 13 | devices where the server trust root (ca_cert) is not configured or the |
| 14 | user has an easy option for allowing this validation step to be skipped. |
| 15 | |
| 16 | Change the default PEAP client behavior to be to require Phase 2 |
| 17 | authentication to be successfully completed for cases where TLS session |
| 18 | resumption is not used and the client certificate has not been |
| 19 | configured. Those two exceptions are the main cases where a deployed |
| 20 | authentication server might skip Phase 2 and as such, where a more |
| 21 | strict default behavior could result in undesired interoperability |
| 22 | issues. Requiring Phase 2 authentication will end up disabling TLS |
| 23 | session resumption automatically to avoid interoperability issues. |
| 24 | |
| 25 | Allow Phase 2 authentication behavior to be configured with a new phase1 |
| 26 | configuration parameter option: |
| 27 | 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS |
| 28 | tunnel) behavior for PEAP: |
| 29 | * 0 = do not require Phase 2 authentication |
| 30 | * 1 = require Phase 2 authentication when client certificate |
| 31 | (private_key/client_cert) is no used and TLS session resumption was |
| 32 | not used (default) |
| 33 | * 2 = require Phase 2 authentication in all cases |
| 34 | |
| 35 | Signed-off-by: Jouni Malinen <j@w1.fi> |
| 36 | --- |
| 37 | src/eap_peer/eap_config.h | 8 ++++++ |
| 38 | src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- |
| 39 | src/eap_peer/eap_tls_common.c | 6 +++++ |
| 40 | src/eap_peer/eap_tls_common.h | 5 ++++ |
| 41 | wpa_supplicant/wpa_supplicant.conf | 7 ++++++ |
| 42 | 5 files changed, 63 insertions(+), 3 deletions(-) |
| 43 | |
| 44 | diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h |
| 45 | index 26744ab68..58d5a1359 100644 |
| 46 | --- a/src/eap_peer/eap_config.h |
| 47 | +++ b/src/eap_peer/eap_config.h |
| 48 | @@ -471,6 +471,14 @@ struct eap_peer_config { |
| 49 | * 1 = use cryptobinding if server supports it |
| 50 | * 2 = require cryptobinding |
| 51 | * |
| 52 | + * phase2_auth option can be used to control Phase 2 (i.e., within TLS |
| 53 | + * tunnel) behavior for PEAP: |
| 54 | + * 0 = do not require Phase 2 authentication |
| 55 | + * 1 = require Phase 2 authentication when client certificate |
| 56 | + * (private_key/client_cert) is no used and TLS session resumption was |
| 57 | + * not used (default) |
| 58 | + * 2 = require Phase 2 authentication in all cases |
| 59 | + * |
| 60 | * EAP-WSC (WPS) uses following options: pin=Device_Password and |
| 61 | * uuid=Device_UUID |
| 62 | * |
| 63 | diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c |
| 64 | index 12e30df29..608069719 100644 |
| 65 | --- a/src/eap_peer/eap_peap.c |
| 66 | +++ b/src/eap_peer/eap_peap.c |
| 67 | @@ -67,6 +67,7 @@ struct eap_peap_data { |
| 68 | u8 cmk[20]; |
| 69 | int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) |
| 70 | * is enabled. */ |
| 71 | + enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; |
| 72 | }; |
| 73 | |
| 74 | |
| 75 | @@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, |
| 76 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); |
| 77 | } |
| 78 | |
| 79 | + if (os_strstr(phase1, "phase2_auth=0")) { |
| 80 | + data->phase2_auth = NO_AUTH; |
| 81 | + wpa_printf(MSG_DEBUG, |
| 82 | + "EAP-PEAP: Do not require Phase 2 authentication"); |
| 83 | + } else if (os_strstr(phase1, "phase2_auth=1")) { |
| 84 | + data->phase2_auth = FOR_INITIAL; |
| 85 | + wpa_printf(MSG_DEBUG, |
| 86 | + "EAP-PEAP: Require Phase 2 authentication for initial connection"); |
| 87 | + } else if (os_strstr(phase1, "phase2_auth=2")) { |
| 88 | + data->phase2_auth = ALWAYS; |
| 89 | + wpa_printf(MSG_DEBUG, |
| 90 | + "EAP-PEAP: Require Phase 2 authentication for all cases"); |
| 91 | + } |
| 92 | #ifdef EAP_TNC |
| 93 | if (os_strstr(phase1, "tnc=soh2")) { |
| 94 | data->soh = 2; |
| 95 | @@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) |
| 96 | data->force_peap_version = -1; |
| 97 | data->peap_outer_success = 2; |
| 98 | data->crypto_binding = OPTIONAL_BINDING; |
| 99 | + data->phase2_auth = FOR_INITIAL; |
| 100 | |
| 101 | if (config && config->phase1) |
| 102 | eap_peap_parse_phase1(data, config->phase1); |
| 103 | @@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, |
| 104 | } |
| 105 | |
| 106 | |
| 107 | +static bool peap_phase2_sufficient(struct eap_sm *sm, |
| 108 | + struct eap_peap_data *data) |
| 109 | +{ |
| 110 | + if ((data->phase2_auth == ALWAYS || |
| 111 | + (data->phase2_auth == FOR_INITIAL && |
| 112 | + !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && |
| 113 | + !data->ssl.client_cert_conf) || |
| 114 | + data->phase2_eap_started) && |
| 115 | + !data->phase2_eap_success) |
| 116 | + return false; |
| 117 | + return true; |
| 118 | +} |
| 119 | + |
| 120 | + |
| 121 | /** |
| 122 | * eap_tlv_process - Process a received EAP-TLV message and generate a response |
| 123 | * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() |
| 124 | @@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, |
| 125 | " - force failed Phase 2"); |
| 126 | resp_status = EAP_TLV_RESULT_FAILURE; |
| 127 | ret->decision = DECISION_FAIL; |
| 128 | + } else if (!peap_phase2_sufficient(sm, data)) { |
| 129 | + wpa_printf(MSG_INFO, |
| 130 | + "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); |
| 131 | + resp_status = EAP_TLV_RESULT_FAILURE; |
| 132 | + ret->decision = DECISION_FAIL; |
| 133 | } else { |
| 134 | resp_status = EAP_TLV_RESULT_SUCCESS; |
| 135 | ret->decision = DECISION_UNCOND_SUCC; |
| 136 | @@ -887,8 +921,7 @@ continue_req: |
| 137 | /* EAP-Success within TLS tunnel is used to indicate |
| 138 | * shutdown of the TLS channel. The authentication has |
| 139 | * been completed. */ |
| 140 | - if (data->phase2_eap_started && |
| 141 | - !data->phase2_eap_success) { |
| 142 | + if (!peap_phase2_sufficient(sm, data)) { |
| 143 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " |
| 144 | "Success used to indicate success, " |
| 145 | "but Phase 2 EAP was not yet " |
| 146 | @@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, |
| 147 | static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) |
| 148 | { |
| 149 | struct eap_peap_data *data = priv; |
| 150 | + |
| 151 | return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && |
| 152 | - data->phase2_success; |
| 153 | + data->phase2_success && data->phase2_auth != ALWAYS; |
| 154 | } |
| 155 | |
| 156 | |
| 157 | diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c |
| 158 | index 6193b4bdb..966cbd6c7 100644 |
| 159 | --- a/src/eap_peer/eap_tls_common.c |
| 160 | +++ b/src/eap_peer/eap_tls_common.c |
| 161 | @@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, |
| 162 | |
| 163 | sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); |
| 164 | |
| 165 | + if (!phase2) |
| 166 | + data->client_cert_conf = params->client_cert || |
| 167 | + params->client_cert_blob || |
| 168 | + params->private_key || |
| 169 | + params->private_key_blob; |
| 170 | + |
| 171 | return 0; |
| 172 | } |
| 173 | |
| 174 | diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h |
| 175 | index 9ac00121f..334863413 100644 |
| 176 | --- a/src/eap_peer/eap_tls_common.h |
| 177 | +++ b/src/eap_peer/eap_tls_common.h |
| 178 | @@ -79,6 +79,11 @@ struct eap_ssl_data { |
| 179 | * tls_v13 - Whether TLS v1.3 or newer is used |
| 180 | */ |
| 181 | int tls_v13; |
| 182 | + |
| 183 | + /** |
| 184 | + * client_cert_conf: Whether client certificate has been configured |
| 185 | + */ |
| 186 | + bool client_cert_conf; |
| 187 | }; |
| 188 | |
| 189 | |
| 190 | diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf |
| 191 | index f0b82443e..1b09f57d3 100644 |
| 192 | --- a/wpa_supplicant/wpa_supplicant.conf |
| 193 | +++ b/wpa_supplicant/wpa_supplicant.conf |
| 194 | @@ -1370,6 +1370,13 @@ fast_reauth=1 |
| 195 | # * 0 = do not use cryptobinding (default) |
| 196 | # * 1 = use cryptobinding if server supports it |
| 197 | # * 2 = require cryptobinding |
| 198 | +# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS |
| 199 | +# tunnel) behavior for PEAP: |
| 200 | +# * 0 = do not require Phase 2 authentication |
| 201 | +# * 1 = require Phase 2 authentication when client certificate |
| 202 | +# (private_key/client_cert) is no used and TLS session resumption was |
| 203 | +# not used (default) |
| 204 | +# * 2 = require Phase 2 authentication in all cases |
| 205 | # EAP-WSC (WPS) uses following options: pin=<Device Password> or |
| 206 | # pbc=1. |
| 207 | # |
| 208 | -- |
| 209 | 2.18.0 |
| 210 | |