Just a ping, seeing if anyone has looked at this. There was a
discussion with Alan about it, and it was agreed (from my perspective)
the lookup directly from EAPOL_REAUTH and hard coding phase1 seems
incorrect, but still no resolution on how it should be fixed.
On Thu, 2022-05-26 at 15:21 -0700, James Prestwood wrote:
> Hi,
>
> For tunneled methods like PEAP/TTLS, on a reauthentication request,
> hostapd uses the phase2 identity stored in the sm but hard codes the
> phase to 0. This happens in eap_sm_Policy_getDecision().
>
> The reason for this is PEAP/TTLS overwrite sm->identity with the
> phase2
> identity and the phase1 identity is lost forever. The code in
> eap_sm_Policy_getDecision() assumes sm->identity is phase one and
> hard
> codes '0' to the phase parameter, causing the lookup to fail.
>
> I'm not sure how you want this fixed, either save the phase1
> identity,
> or add some flag which tunneled methods can set to signify phase2 has
> completed and set the 'phase2' argument to eap_user_get() dependent
> on
> this flag? Maybe the eap_sm already has some value which can hint at
> the correct phase value?
>
> I have a patch below which hopefully lines out the issue better. I
> don't expect this to get merged, its just (hopefully) showing the
> problem better than I can explain it.
>
> diff --git a/src/eap_server/eap_server.c
> b/src/eap_server/eap_server.c
> index 0b7a5b98c..7c2d33b51 100644
> --- a/src/eap_server/eap_server.c
> +++ b/src/eap_server/eap_server.c
> @@ -1744,6 +1744,13 @@ static int eap_sm_Policy_getDecision(struct
> eap_sm *sm)
>
> if ((sm->user == NULL || sm->update_user) && sm->identity &&
> !sm->start_reauth) {
> + /*
> + * sm->identity may contain a phase2 identity since
> PEAP/TTLS
> + * overwrite the phase1 identity. In this case the
> lookup should
> + * actually be for phase2 (1) rather than phase1 (0).
> + */
> + int phase = ((sm->currentMethod == EAP_TYPE_PEAP ||
> + sm->currentMethod == EAP_TYPE_TTLS))
> ?
> 1 : 0;
> /*
> * Allow Identity method to be started once to allow
> identity
> * selection hint to be sent from the authentication
> server,
> @@ -1755,7 +1762,8 @@ static int eap_sm_Policy_getDecision(struct
> eap_sm *sm)
> sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
> sm->user->methods[0].method == EAP_TYPE_IDENTITY)
> id_req = 1;
> - if (eap_user_get(sm, sm->identity, sm->identity_len,
> 0)
> != 0) {
> +
> + if (eap_user_get(sm, sm->identity, sm->identity_len,
> phase) != 0) {
> wpa_printf(MSG_DEBUG, "EAP: getDecision: user
> not "
> "found from database -> FAILURE");
> return DECISION_FAILURE;
>
>
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
