[PATCH] EAP-TEAP: like EAP-FAST, reverse the order of the MS-MPPE keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This gets us working with FreeRADIUS (which works for Win11).

Signed-off-by: Alexander Clouter <alex@xxxxxxxxxxx>
---
 src/eap_common/eap_teap_common.c | 25 +++++++++++++++++++------
 src/eap_common/eap_teap_common.h |  1 +
 src/eap_peer/eap_teap.c          |  1 +
 src/eap_server/eap_server_teap.c |  1 +
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/src/eap_common/eap_teap_common.c b/src/eap_common/eap_teap_common.c
index ffb9a6234..e58089b74 100644
--- a/src/eap_common/eap_teap_common.c
+++ b/src/eap_common/eap_teap_common.c
@@ -143,6 +143,7 @@ int eap_teap_derive_cmk_basic_pw_auth(u16 tls_cs, const u8 *s_imck_msk, u8 *cmk)
int eap_teap_derive_imck(u16 tls_cs,
+			 const int phase2_vendor, const u32 phase2_method,
 			 const u8 *prev_s_imck_msk, const u8 *prev_s_imck_emsk,
 			 const u8 *msk, size_t msk_len,
 			 const u8 *emsk, size_t emsk_len,
@@ -204,12 +205,24 @@ int eap_teap_derive_imck(u16 tls_cs,
 	}
if (msk && msk_len > 0) {
-		size_t copy_len = msk_len;
-
-		os_memset(imsk, 0, 32); /* zero pad, if needed */
-		if (copy_len > 32)
-			copy_len = 32;
-		os_memcpy(imsk, msk, copy_len);
+		if (msk_len == 32 &&
+		    phase2_vendor == EAP_VENDOR_IETF &&
+		    phase2_method == EAP_TYPE_MSCHAPV2) {
+	                /*
+	                 * EAP-TEAP uses reverse order for MS-MPPE keys when deriving
+	                 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct
+	                 * ISK for EAP-TEAP cryptobinding.
+	                 */
+	                os_memcpy(imsk, msk + 16, 16);
+	                os_memcpy(imsk + 16, msk, 16);
+		} else {
+			size_t copy_len = msk_len;
+
+			os_memset(imsk, 0, 32); /* zero pad, if needed */
+			if (copy_len > 32)
+				copy_len = 32;
+			os_memcpy(imsk, msk, copy_len);
+		}
 		wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: IMSK from MSK", imsk, 32);
 	} else {
 		os_memset(imsk, 0, 32);
diff --git a/src/eap_common/eap_teap_common.h b/src/eap_common/eap_teap_common.h
index 3a2587949..382044e7a 100644
--- a/src/eap_common/eap_teap_common.h
+++ b/src/eap_common/eap_teap_common.h
@@ -208,6 +208,7 @@ int eap_teap_derive_eap_emsk(u16 tls_cs, const u8 *simck, u8 *emsk);
 int eap_teap_derive_cmk_basic_pw_auth(u16 tls_cs, const u8 *s_imck_msk,
 				      u8 *cmk);
 int eap_teap_derive_imck(u16 tls_cs,
+			 const int phase2_vendor, const u32 phase2_method,
 			 const u8 *prev_s_imck_msk, const u8 *prev_s_imck_emsk,
 			 const u8 *msk, size_t msk_len,
 			 const u8 *emsk, size_t emsk_len,
diff --git a/src/eap_peer/eap_teap.c b/src/eap_peer/eap_teap.c
index bc7f6f4f5..42769eb64 100644
--- a/src/eap_peer/eap_teap.c
+++ b/src/eap_peer/eap_teap.c
@@ -767,6 +767,7 @@ static int eap_teap_get_cmk(struct eap_sm *sm, struct eap_teap_data *data,
 	}
res = eap_teap_derive_imck(data->tls_cs,
+				   data->phase2_method->vendor, data->phase2_method->method,
 				   data->simck_msk, data->simck_emsk,
 				   msk, msk_len, emsk, emsk_len,
 				   data->simck_msk, cmk_msk,
diff --git a/src/eap_server/eap_server_teap.c b/src/eap_server/eap_server_teap.c
index 691b44a8d..1ef4054f7 100644
--- a/src/eap_server/eap_server_teap.c
+++ b/src/eap_server/eap_server_teap.c
@@ -340,6 +340,7 @@ static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data)
 	}
res = eap_teap_derive_imck(data->tls_cs,
+				   data->phase2_method->vendor, data->phase2_method->method,
 				   data->simck_msk, data->simck_emsk,
 				   msk, msk_len, emsk, emsk_len,
 				   data->simck_msk, data->cmk_msk,
--
2.35.1


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux