EAP-TEAP peer: Process Crypto-Binding TLV before EAP Payload TLV
When using the optimized EAP method sequence within the tunnel, crypto binding for the previous EAP method can be performed in the same message with the start of the next EAP method. The Crypto-Binding TLV needs to be processed before moving to the next EAP method for IMSK to be derived correctly, so swap the order of these processing steps. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
parent
5a9bd8a06a
commit
f791b5bbc7
1 changed files with 27 additions and 27 deletions
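--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1305,6 +1305,33 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
 goto done;
 }
 
+if (tlv.crypto_binding) {
+if (tlv.iresult != TEAP_STATUS_SUCCESS &&
+tlv.result != TEAP_STATUS_SUCCESS) {
+wpa_printf(MSG_DEBUG,
+"EAP-TEAP: Unexpected Crypto-Binding TLV without Result TLV or Intermediate-Result TLV indicating success");
+failed = 1;
+error = TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED;
+goto done;
+}
+
+tmp = eap_teap_process_crypto_binding(sm, data, ret,
+tlv.crypto_binding,
+tlv.crypto_binding_len);
+if (!tmp) {
+failed = 1;
+error = TEAP_ERROR_TUNNEL_COMPROMISE_ERROR;
+} else {
+resp = wpabuf_concat(resp, tmp);
+if (tlv.result == TEAP_STATUS_SUCCESS && !failed)
+data->result_success_done = 1;
+if (tlv.iresult == TEAP_STATUS_SUCCESS && !failed) {
+data->inner_method_done = 0;
+data->iresult_verified = 1;
+}
+}
+}
+
 if (tlv.identity_type == TEAP_IDENTITY_TYPE_MACHINE) {
 struct eap_peer_config *config = eap_get_config(sm);
 
@@ -1360,33 +1387,6 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
 }
 }
 
-if (tlv.crypto_binding) {
-if (tlv.iresult != TEAP_STATUS_SUCCESS &&
-tlv.result != TEAP_STATUS_SUCCESS) {
-wpa_printf(MSG_DEBUG,
-"EAP-TEAP: Unexpected Crypto-Binding TLV without Result TLV or Intermediate-Result TLV indicating success");
-failed = 1;
-error = TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED;
-goto done;
-}
-
-tmp = eap_teap_process_crypto_binding(sm, data, ret,
-tlv.crypto_binding,
-tlv.crypto_binding_len);
-if (!tmp) {
-failed = 1;
-error = TEAP_ERROR_TUNNEL_COMPROMISE_ERROR;
-} else {
-resp = wpabuf_concat(resp, tmp);
-if (tlv.result == TEAP_STATUS_SUCCESS && !failed)
-data->result_success_done = 1;
-if (tlv.iresult == TEAP_STATUS_SUCCESS && !failed) {
-data->inner_method_done = 0;
-data->iresult_verified = 1;
-}
-}
-}
-
 if (data->result_success_done && data->session_ticket_used &&
 eap_teap_derive_msk(data) == 0) {
 /* Assume the server might accept authentication without going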
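Review bot: On a Crypto-Binding verification failure the moved block sets `failed = 1; error = TEAP_ERROR_TUNNEL_COMPROMISE_ERROR;` and falls through, whereas the unexpected-TLV branch directly above it ends with `goto done;`; now that this block runs ahead of the remaining TLVs in the same message, a message carrying a bad Crypto-Binding TLV together with a new EAP Payload TLV presumably reaches that later processing with the tunnel compromise already detected. Confirm that the EAP Payload TLV handling (outside this hunk) checks `failed` before starting the next inner method, or make the compromise branch also `goto done;` like its sibling. The ordering the commit introduces is also an invariant worth stating in the code, since it is what makes the IMSK derivation correct; a comment above `if (tlv.crypto_binding) {` such as `/* Process Crypto-Binding TLV before EAP Payload TLV: with the optimized method sequence both can arrive in one message and the IMSK for the completed method must be derived before the next one starts. */` would keep a future refactor from reordering them again. eap_teap_process_decrypted() starts and ends outside the hunk.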