On Dec 26, 2024, at 5:47 PM, Jouni Malinen <j@xxxxx> wrote:
>
> On Wed, Dec 25, 2024 at 12:46:42PM -0500, Alan DeKok wrote:
>> If we're not provisioning, then we don't need the PAC.
>
> Well, we might not need a PAC, but one could still be configured through
> out-of-band means. This is the EAP-FAST design from where this came to
> EAP-TEAP.

  TEAP no longer supports a PAC:

https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-19#section-4.2.12

...
   [RFC7170] defined a Protected Access Credential (PAC) to mirror EAP-FAST
   [RFC4851]. However, implementation experience and analysis determined
   that the PAC was not necessary. Instead, TEAP performs session
   resumption using the NewSessionTicket message as defined in [RFC9190]
   Section 2.1.2 and Section 2.1.3. As such, the PAC TLV has been
   deprecated.

   As the PAC TLV is deprecated, an entity receiving it SHOULD send a
   Result TLV indicating failure, and an Error TLV of Unexpected TLVs
   Exchanged.
...

  I guess it's possible to pre-provision a PAC, but I don't see it as being
used by anything. I suppose this is one more thing to update in 7170bis, to
add something like "The PAC is not used, even if it is pre-provisioned".

>> diff --git a/src/eap_peer/eap_teap.c b/src/eap_peer/eap_teap.c
>> @@ -205,6 +205,8 @@ static void * eap_teap_init(struct eap_sm *sm)
>
>> + if (!data->provisioning_allowed) return data;
>> +
>> if (!config->pac_file) {
>> wpa_printf(MSG_INFO, "EAP-TEAP: No PAC file configured");
>> eap_teap_deinit(sm, data);
>
> This should not just return from the function without reading the PAC
> file, if one were configured. Instead, that combination of
> !data->provisioning_allow && !config->pac_file should allow EAP-TEAP to
> be used, i.e., not error out from here.

  I've attached an updated patch with that change.

  With this patch, TEAP works against FreeRADIUS and the head of v3.2.x.
The configuration in FreeRADIUS 3.2 is now substantially simpler than
before.

  A sample configuration file for eapol_test is in
https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/src/tests/eap-teap-mschapv2.conf

  Alan DeKok.
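Review bot: the early `if (!data->provisioning_allowed) return data;` in the eap_teap_init hunk exits before the `if (!config->pac_file)` check and before anything later in the function, so a pac_file that is configured is never read when provisioning is disabled; that is the gap Jouni points out, and the narrower change is to keep the normal flow and only suppress the failure, e.g. `if (!config->pac_file && data->provisioning_allowed) {` around the "No PAC file configured" error, so that a missing PAC file with provisioning disabled falls through to the rest of the initialization while a configured file is still loaded. Style-wise, hostap code puts the body of an `if` on its own line rather than `if (...) return data;` on one line. The revised patch referenced in the reply is attached as binary data, so the corrected hunk itself is not visible here.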
Attachment:
0001-Don-t-complain-about-missing-PAC-when-teap_provision.patch
Description: Binary data