Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_external_wpa_supplicant_8 / e45d2dc09a2b0973ded25305ef2d866af138c12b^! / .
commite45d2dc09a2b0973ded25305ef2d866af138c12b[log] [tgz]
authorJouni Malinen <quic_jouni@quicinc.com>Mon Jul 17 21:20:37 2023 +0300
committerSunil Ravi <sunilravi@google.com>Fri Aug 04 16:52:07 2023 +0000
tree817563a463b319629fa9ac2e092e0dbfdafffcc0
parentab31d325fb3d8b4cde6ddb0e9e734a534f606962 [diff]
TTLS client: Support phase2_auth=2

Allow the phase2_auth=2 parameter (in phase1 configuration item) to be
used with EAP-TTLS to require Phase 2 authentication. In practice, this
disables TLS session resumption since EAP-TTLS is defined to skip Phase
2 when resuming a session.

Bug: 287119604
Test: Manual - WPA/WPA2 & WPA3 Enterprise connection
Test: Regression test b/289297084
BYPASS_INCLUSIVE_LANGUAGE_REASON=Merged from open source

Change-Id: I8a434e543749b56fbc74dfcd85ab658247c9f832
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index c8e2de0..6adc222 100644
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c

@@ -65,9 +65,30 @@
 	int ready_for_tnc;
 	int tnc_started;
 #endif /* EAP_TNC */
+
+	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
 };
 
 
+static void eap_ttls_parse_phase1(struct eap_ttls_data *data,
+				  const char *phase1)
+{
+	if (os_strstr(phase1, "phase2_auth=0")) {
+		data->phase2_auth = NO_AUTH;
+		wpa_printf(MSG_DEBUG,
+			   "EAP-TTLS: Do not require Phase 2 authentication");
+	} else if (os_strstr(phase1, "phase2_auth=1")) {
+		data->phase2_auth = FOR_INITIAL;
+		wpa_printf(MSG_DEBUG,
+			   "EAP-TTLS: Require Phase 2 authentication for initial connection");
+	} else if (os_strstr(phase1, "phase2_auth=2")) {
+		data->phase2_auth = ALWAYS;
+		wpa_printf(MSG_DEBUG,
+			   "EAP-TTLS: Require Phase 2 authentication for all cases");
+	}
+}
+
+
 static void * eap_ttls_init(struct eap_sm *sm)
 {
 	struct eap_ttls_data *data;
@@ -82,6 +103,10 @@
 	selected = "EAP";
 	selected_non_eap = 0;
 	data->phase2_type = EAP_TTLS_PHASE2_EAP;
+	data->phase2_auth = FOR_INITIAL;
+
+	if (config && config->phase1)
+		eap_ttls_parse_phase1(data, config->phase1);
 
 	/*
 	 * Either one auth= type or one or more autheap= methods can be
@@ -1703,8 +1728,9 @@
 static bool eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
 {
 	struct eap_ttls_data *data = priv;
+
 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
-		data->phase2_success;
+		data->phase2_success && data->phase2_auth != ALWAYS;
 }