1From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 20012From: Jouni Malinen <j@w1.fi>3Date: Sat, 8 Jul 2023 19:55:32 +03004Subject: PEAP client: Update Phase 2 authentication requirements56The previous PEAP client behavior allowed the server to skip Phase 27authentication with the expectation that the server was authenticated8during Phase 1 through TLS server certificate validation. Various PEAP9specifications are not exactly clear on what the behavior on this front10is supposed to be and as such, this ended up being more flexible than11the TTLS/FAST/TEAP cases. However, this is not really ideal when12unfortunately common misconfiguration of PEAP is used in deployed13devices where the server trust root (ca_cert) is not configured or the14user has an easy option for allowing this validation step to be skipped.1516Change the default PEAP client behavior to be to require Phase 217authentication to be successfully completed for cases where TLS session18resumption is not used and the client certificate has not been19configured. Those two exceptions are the main cases where a deployed20authentication server might skip Phase 2 and as such, where a more21strict default behavior could result in undesired interoperability22issues. Requiring Phase 2 authentication will end up disabling TLS23session resumption automatically to avoid interoperability issues.2425Allow Phase 2 authentication behavior to be configured with a new phase126configuration parameter option:27'phase2_auth' option can be used to control Phase 2 (i.e., within TLS28tunnel) behavior for PEAP:29 * 0 = do not require Phase 2 authentication30 * 1 = require Phase 2 authentication when client certificate31 (private_key/client_cert) is no used and TLS session resumption was32 not used (default)33 * 2 = require Phase 2 authentication in all cases3435Signed-off-by: Jouni Malinen <j@w1.fi>36---37 src/eap_peer/eap_config.h | 8 ++++++++38 src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++++++++++---39 src/eap_peer/eap_tls_common.c | 6 ++++++40 src/eap_peer/eap_tls_common.h | 5 +++++41 wpa_supplicant/wpa_supplicant.conf | 7 +++++++42 5 files changed, 63 insertions(+), 3 deletions(-)4344diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h45index 26744ab68..58d5a1359 10064446--- a/src/eap_peer/eap_config.h47+++ b/src/eap_peer/eap_config.h48@@ -471,6 +471,14 @@ struct eap_peer_config {49 * 1 = use cryptobinding if server supports it50 * 2 = require cryptobinding51 *52+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS53+ * tunnel) behavior for PEAP:54+ * 0 = do not require Phase 2 authentication55+ * 1 = require Phase 2 authentication when client certificate56+ * (private_key/client_cert) is no used and TLS session resumption was57+ * not used (default)58+ * 2 = require Phase 2 authentication in all cases59+ *60 * EAP-WSC (WPS) uses following options: pin=Device_Password and61 * uuid=Device_UUID62 *63diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c64index 12e30df29..608069719 10064465--- a/src/eap_peer/eap_peap.c66+++ b/src/eap_peer/eap_peap.c67@@ -67,6 +67,7 @@ struct eap_peap_data {68 u8 cmk[20];69 int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)70 * is enabled. */71+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;72 };737475@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,76 wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");77 }7879+ if (os_strstr(phase1, "phase2_auth=0")) {80+ data->phase2_auth = NO_AUTH;81+ wpa_printf(MSG_DEBUG,82+ "EAP-PEAP: Do not require Phase 2 authentication");83+ } else if (os_strstr(phase1, "phase2_auth=1")) {84+ data->phase2_auth = FOR_INITIAL;85+ wpa_printf(MSG_DEBUG,86+ "EAP-PEAP: Require Phase 2 authentication for initial connection");87+ } else if (os_strstr(phase1, "phase2_auth=2")) {88+ data->phase2_auth = ALWAYS;89+ wpa_printf(MSG_DEBUG,90+ "EAP-PEAP: Require Phase 2 authentication for all cases");91+ }92 #ifdef EAP_TNC93 if (os_strstr(phase1, "tnc=soh2")) {94 data->soh = 2;95@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)96 data->force_peap_version = -1;97 data->peap_outer_success = 2;98 data->crypto_binding = OPTIONAL_BINDING;99+ data->phase2_auth = FOR_INITIAL;100101 if (config && config->phase1)102 eap_peap_parse_phase1(data, config->phase1);103@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,104 }105106107+static bool peap_phase2_sufficient(struct eap_sm *sm,108+ struct eap_peap_data *data)109+{110+ if ((data->phase2_auth == ALWAYS ||111+ (data->phase2_auth == FOR_INITIAL &&112+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&113+ !data->ssl.client_cert_conf) ||114+ data->phase2_eap_started) &&115+ !data->phase2_eap_success)116+ return false;117+ return true;118+}119+120+121 /**122 * eap_tlv_process - Process a received EAP-TLV message and generate a response123 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()124@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,125 " - force failed Phase 2");126 resp_status = EAP_TLV_RESULT_FAILURE;127 ret->decision = DECISION_FAIL;128+ } else if (!peap_phase2_sufficient(sm, data)) {129+ wpa_printf(MSG_INFO,130+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");131+ resp_status = EAP_TLV_RESULT_FAILURE;132+ ret->decision = DECISION_FAIL;133 } else {134 resp_status = EAP_TLV_RESULT_SUCCESS;135 ret->decision = DECISION_UNCOND_SUCC;136@@ -887,8 +921,7 @@ continue_req:137 /* EAP-Success within TLS tunnel is used to indicate138 * shutdown of the TLS channel. The authentication has139 * been completed. */140- if (data->phase2_eap_started &&141- !data->phase2_eap_success) {142+ if (!peap_phase2_sufficient(sm, data)) {143 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "144 "Success used to indicate success, "145 "but Phase 2 EAP was not yet "146@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,147 static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)148 {149 struct eap_peap_data *data = priv;150+151 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&152- data->phase2_success;153+ data->phase2_success && data->phase2_auth != ALWAYS;154 }155156157diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c158index 6193b4bdb..966cbd6c7 100644159--- a/src/eap_peer/eap_tls_common.c160+++ b/src/eap_peer/eap_tls_common.c161@@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,162163 sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);164165+ if (!phase2)166+ data->client_cert_conf = params->client_cert ||167+ params->client_cert_blob ||168+ params->private_key ||169+ params->private_key_blob;170+171 return 0;172 }173174diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h175index 9ac00121f..334863413 100644176--- a/src/eap_peer/eap_tls_common.h177+++ b/src/eap_peer/eap_tls_common.h178@@ -79,6 +79,11 @@ struct eap_ssl_data {179 * tls_v13 - Whether TLS v1.3 or newer is used180 */181 int tls_v13;182+183+ /**184+ * client_cert_conf: Whether client certificate has been configured185+ */186+ bool client_cert_conf;187 };188189190diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf191index f0b82443e..1b09f57d3 100644192--- a/wpa_supplicant/wpa_supplicant.conf193+++ b/wpa_supplicant/wpa_supplicant.conf194@@ -1370,6 +1370,13 @@ fast_reauth=1195 # * 0 = do not use cryptobinding (default)196 # * 1 = use cryptobinding if server supports it197 # * 2 = require cryptobinding198+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS199+# tunnel) behavior for PEAP:200+# * 0 = do not require Phase 2 authentication201+# * 1 = require Phase 2 authentication when client certificate202+# (private_key/client_cert) is no used and TLS session resumption was203+# not used (default)204+# * 2 = require Phase 2 authentication in all cases205 # EAP-WSC (WPS) uses following options: pin=<Device Password> or206 # pbc=1.207 #208--209cgit v1.2.3-18-g5258210