* EAP-Success and expect AS to send outer
* (unencrypted) EAP-Success after this */
int resuming; /* starting a resumed session */
+ int reauth; /* reauthentication */
u8 *key_data;
struct wpabuf *pending_phase2_req;
}
#ifdef EAP_TNC
- if (os_strstr(phase1, "tnc=soh")) {
+ if (os_strstr(phase1, "tnc=soh2")) {
+ data->soh = 2;
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled");
+ } else if (os_strstr(phase1, "tnc=soh1")) {
data->soh = 1;
- wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH enabled");
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled");
+ } else if (os_strstr(phase1, "tnc=soh")) {
+ data->soh = 2;
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled");
}
#endif /* EAP_TNC */
data->peap_version = EAP_PEAP_VERSION;
data->force_peap_version = -1;
data->peap_outer_success = 2;
- data->crypto_binding = NO_BINDING;
+ data->crypto_binding = OPTIONAL_BINDING;
if (config && config->phase1 &&
eap_peap_parse_phase1(data, config->phase1) < 0) {
return -1;
}
- if (key_len == 32 &&
- data->phase2_method->vendor == EAP_VENDOR_IETF &&
- data->phase2_method->method == EAP_TYPE_MSCHAPV2) {
- /*
- * Microsoft uses reverse order for MS-MPPE keys in
- * EAP-PEAP when compared to EAP-FAST derivation of
- * ISK. Swap the keys here to get the correct ISK for
- * EAP-PEAPv0 cryptobinding.
- */
- u8 tmp[16];
- os_memcpy(tmp, key, 16);
- os_memcpy(key, key + 16, 16);
- os_memcpy(key + 16, tmp, 16);
- }
-
if (key_len > isk_len)
key_len = isk_len;
os_memcpy(isk, key, key_len);
return -1;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
+ if (data->reauth &&
+ tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
+ /* Fast-connect: IPMK|CMK = TK */
+ os_memcpy(data->ipmk, tk, 40);
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
+ data->ipmk, 40);
+ os_memcpy(data->cmk, tk + 40, 20);
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK",
+ data->cmk, 20);
+ return 0;
+ }
+
if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0)
return -1;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
imck, sizeof(imck));
- /* TODO: fast-connect: IPMK|CMK = TK */
os_memcpy(data->ipmk, imck, 40);
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
os_memcpy(data->cmk, imck + 40, 20);
struct wpabuf *buf;
wpa_printf(MSG_DEBUG,
"EAP-PEAP: SoH EAP Extensions");
- buf = tncc_process_soh_request(epos, eleft);
+ buf = tncc_process_soh_request(data->soh,
+ epos, eleft);
if (buf) {
*resp = eap_msg_alloc(
EAP_VENDOR_MICROSOFT, 0x21,
data->phase2_type.method);
if (data->phase2_method) {
sm->init_phase2 = 1;
- sm->mschapv2_full_key = 1;
data->phase2_priv =
data->phase2_method->init(sm);
sm->init_phase2 = 0;
- sm->mschapv2_full_key = 0;
}
}
if (data->phase2_priv == NULL || data->phase2_method == NULL) {
data->phase2_eap_success = 0;
data->phase2_eap_started = 0;
data->resuming = 1;
+ data->reauth = 1;
sm->peap_done = FALSE;
return priv;
}