EAP-TEAP server: Allow a specific Identity-Type to be requested/required

The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/eap_server/eap.h

@@ -198,6 +198,13 @@ struct eap_config {
 	int eap_teap_auth;
 	int eap_teap_pac_no_inner;
 	int eap_teap_separate_result;
+	enum eap_teap_id {
+		EAP_TEAP_ID_ALLOW_ANY = 0,
+		EAP_TEAP_ID_REQUIRE_USER = 1,
+		EAP_TEAP_ID_REQUIRE_MACHINE = 2,
+		EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3,
+		EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4,
+	} eap_teap_id;
 
 	/**
 	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication

src/eap_server/eap_server_teap.c

@@ -529,30 +529,56 @@ static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm,
 						 struct eap_teap_data *data,
 						 u8 id)
 {
-	struct wpabuf *req;
+	struct wpabuf *req, *id_tlv = NULL;
+
+	if (sm->cfg->eap_teap_auth == 1 ||
+	    (data->phase2_priv && data->phase2_method &&
+	     data->phase2_method->vendor == EAP_VENDOR_IETF &&
+	     data->phase2_method->method == EAP_TYPE_IDENTITY)) {
+		switch (sm->cfg->eap_teap_id) {
+		case EAP_TEAP_ID_ALLOW_ANY:
+			break;
+		case EAP_TEAP_ID_REQUIRE_USER:
+		case EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE:
+			id_tlv = eap_teap_tlv_identity_type(
+				TEAP_IDENTITY_TYPE_USER);
+			break;
+		case EAP_TEAP_ID_REQUIRE_MACHINE:
+		case EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER:
+			id_tlv = eap_teap_tlv_identity_type(
+				TEAP_IDENTITY_TYPE_MACHINE);
+			break;
+		}
+	}
 
 	if (sm->cfg->eap_teap_auth == 1) {
 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth");
 		req = wpabuf_alloc(sizeof(struct teap_tlv_hdr));
-		if (!req)
+		if (!req) {
+			wpabuf_free(id_tlv);
 			return NULL;
+		}
 		eap_teap_put_tlv_hdr(req, TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, 0);
-		return req;
+		return wpabuf_concat(req, id_tlv);
 	}
 
 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate inner EAP method");
 	if (!data->phase2_priv) {
 		wpa_printf(MSG_DEBUG,
 			   "EAP-TEAP: Phase 2 method not initialized");
+		wpabuf_free(id_tlv);
 		return NULL;
 	}
 
 	req = data->phase2_method->buildReq(sm, data->phase2_priv, id);
-	if (!req)
+	if (!req) {
+		wpabuf_free(id_tlv);
 		return NULL;
+	}
 
 	wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-TEAP: Phase 2 EAP-Request", req);
-	return eap_teap_tlv_eap_payload(req);
+
+	return wpabuf_concat(eap_teap_tlv_eap_payload(req), id_tlv);
 }
 
 
@@ -960,9 +986,27 @@ static int eap_teap_phase2_init(struct eap_sm *sm, struct eap_teap_data *data,
 }
 
 
+static int eap_teap_valid_id_type(struct eap_sm *sm,
+				  enum teap_identity_types id_type)
+{
+	if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_USER &&
+	    id_type != TEAP_IDENTITY_TYPE_USER)
+		return 0;
+	if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_MACHINE &&
+	    id_type != TEAP_IDENTITY_TYPE_MACHINE)
+		return 0;
+	if (sm->cfg->eap_teap_id != EAP_TEAP_ID_ALLOW_ANY &&
+	    id_type != TEAP_IDENTITY_TYPE_USER &&
+	    id_type != TEAP_IDENTITY_TYPE_MACHINE)
+		return 0;
+	return 1;
+}
+
+
 static void eap_teap_process_phase2_response(struct eap_sm *sm,
 					     struct eap_teap_data *data,
-					     u8 *in_data, size_t in_len)
+					     u8 *in_data, size_t in_len,
+					     enum teap_identity_types id_type)
 {
 	int next_vendor = EAP_VENDOR_IETF;
 	enum eap_type next_type = EAP_TYPE_NONE;
@@ -1041,6 +1085,13 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
 
 	switch (data->state) {
 	case PHASE2_ID:
+		if (!eap_teap_valid_id_type(sm, id_type)) {
+			wpa_printf(MSG_DEBUG,
+				   "EAP-TEAP: Provided Identity-Type %u not allowed",
+				   id_type);
+			eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD);
+			break;
+		}
 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
 			wpa_hexdump_ascii(MSG_DEBUG,
 					  "EAP-TEAP: Phase 2 Identity not found in the user database",
@@ -1097,7 +1148,8 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
 
 static void eap_teap_process_phase2_eap(struct eap_sm *sm,
 					struct eap_teap_data *data,
-					u8 *in_data, size_t in_len)
+					u8 *in_data, size_t in_len,
+					enum teap_identity_types id_type)
 {
 	struct eap_hdr *hdr;
 	size_t len;
@@ -1124,7 +1176,8 @@ static void eap_teap_process_phase2_eap(struct eap_sm *sm,
 		   (unsigned long) len);
 	switch (hdr->code) {
 	case EAP_CODE_RESPONSE:
-		eap_teap_process_phase2_response(sm, data, (u8 *) hdr, len);
+		eap_teap_process_phase2_response(sm, data, (u8 *) hdr, len,
+						 id_type);
 		break;
 	default:
 		wpa_printf(MSG_INFO,
@@ -1137,11 +1190,20 @@ static void eap_teap_process_phase2_eap(struct eap_sm *sm,
 
 static void eap_teap_process_basic_auth_resp(struct eap_sm *sm,
 					     struct eap_teap_data *data,
-					     u8 *in_data, size_t in_len)
-{
+					     u8 *in_data, size_t in_len,
+					     enum teap_identity_types id_type)
+				  {
 	u8 *pos, *end, *username, *password, *new_id;
 	u8 userlen, passlen;
 
+	if (!eap_teap_valid_id_type(sm, id_type)) {
+		wpa_printf(MSG_DEBUG,
+			   "EAP-TEAP: Provided Identity-Type %u not allowed",
+			   id_type);
+		eap_teap_req_failure(data, 0);
+		return;
+	}
+
 	pos = in_data;
 	end = pos + in_len;
 
@@ -1533,7 +1595,8 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
 			return;
 		}
 		eap_teap_process_basic_auth_resp(sm, data, tlv.basic_auth_resp,
-						 tlv.basic_auth_resp_len);
+						 tlv.basic_auth_resp_len,
+						 tlv.identity_type);
 	}
 
 	if (tlv.eap_payload_tlv) {
@@ -1544,7 +1607,8 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
 			return;
 		}
 		eap_teap_process_phase2_eap(sm, data, tlv.eap_payload_tlv,
-					    tlv.eap_payload_tlv_len);
+					    tlv.eap_payload_tlv_len,
+					    tlv.identity_type);
 	}
 
 	if (data->state == SUCCESS_SEND_RESULT &&