From f791b5bbc7ec65403506dd62cf3220b98b0e0217 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Thu, 1 Dec 2022 17:00:56 +0200 Subject: [PATCH] EAP-TEAP peer: Process Crypto-Binding TLV before EAP Payload TLV When using the optimized EAP method sequence within the tunnel, crypto binding for the previous EAP method can be performed in the same message with the start of the next EAP method. The Crypto-Binding TLV needs to be processed before moving to the next EAP method for IMSK to be derived correctly, so swap the order of these processing steps. Signed-off-by: Jouni Malinen --- src/eap_peer/eap_teap.c | 54 ++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/src/eap_peer/eap_teap.c b/src/eap_peer/eap_teap.c index 85b089ad4..ced7b1642 100644 --- a/src/eap_peer/eap_teap.c +++ b/src/eap_peer/eap_teap.c @@ -1305,6 +1305,33 @@ static int eap_teap_process_decrypted(struct eap_sm *sm, goto done; } + if (tlv.crypto_binding) { + if (tlv.iresult != TEAP_STATUS_SUCCESS && + tlv.result != TEAP_STATUS_SUCCESS) { + wpa_printf(MSG_DEBUG, + "EAP-TEAP: Unexpected Crypto-Binding TLV without Result TLV or Intermediate-Result TLV indicating success"); + failed = 1; + error = TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED; + goto done; + } + + tmp = eap_teap_process_crypto_binding(sm, data, ret, + tlv.crypto_binding, + tlv.crypto_binding_len); + if (!tmp) { + failed = 1; + error = TEAP_ERROR_TUNNEL_COMPROMISE_ERROR; + } else { + resp = wpabuf_concat(resp, tmp); + if (tlv.result == TEAP_STATUS_SUCCESS && !failed) + data->result_success_done = 1; + if (tlv.iresult == TEAP_STATUS_SUCCESS && !failed) { + data->inner_method_done = 0; + data->iresult_verified = 1; + } + } + } + if (tlv.identity_type == TEAP_IDENTITY_TYPE_MACHINE) { struct eap_peer_config *config = eap_get_config(sm); @@ -1360,33 +1387,6 @@ static int eap_teap_process_decrypted(struct eap_sm *sm, } } - if (tlv.crypto_binding) { - if (tlv.iresult != TEAP_STATUS_SUCCESS && - tlv.result != TEAP_STATUS_SUCCESS) { - wpa_printf(MSG_DEBUG, - "EAP-TEAP: Unexpected Crypto-Binding TLV without Result TLV or Intermediate-Result TLV indicating success"); - failed = 1; - error = TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED; - goto done; - } - - tmp = eap_teap_process_crypto_binding(sm, data, ret, - tlv.crypto_binding, - tlv.crypto_binding_len); - if (!tmp) { - failed = 1; - error = TEAP_ERROR_TUNNEL_COMPROMISE_ERROR; - } else { - resp = wpabuf_concat(resp, tmp); - if (tlv.result == TEAP_STATUS_SUCCESS && !failed) - data->result_success_done = 1; - if (tlv.iresult == TEAP_STATUS_SUCCESS && !failed) { - data->inner_method_done = 0; - data->iresult_verified = 1; - } - } - } - if (data->result_success_done && data->session_ticket_used && eap_teap_derive_msk(data) == 0) { /* Assume the server might accept authentication without going