Cumulative patch from commit 2c0efd9e49b15da163cee659409eee85390620c3
2c0efd9 P2P: Fix stopping on search after SD callback
db3168d OpenSSL: Use SSL_cache_hit() when available
68ae477 OpenSSL: Use library wrapper functions to access cert store
abe96d0 P2P: Clean up Listen channel optimization debug prints
d2ca6ba Fix hostapd obss_interval documentation
d027c7b Fix 20/40 MHz co-ex report processing with obss_interval=0
93eca61 P2PS: Do not remove pending interface on p2p_stop_find
ae2dd83 P2PS: Allow PD retry in SEARCH and LISTEN_ONLY also
87d5ef5 P2PS: Add commands to control interface redir list
0cf12b3 P2PS: Send P2P_FIND_STOPPED event during P2P SD also
306aaf4 P2PS: Start WPS registrar upon GO formation
9e96e46 P2PS: PD Response processing
ab8ee77 P2PS: Provision Discovery fail event
1300cc8 P2PS: PD Request processing and PD Response building
5fefce2 P2PS: Callback to send P2PS provisioning events
9a58e52 P2PS: Callback to create pending group after sending PD Response
895d94d P2PS: Callback to remove stale persistent groups
f309c18 P2PS: ASP provisioning commands to control interface
6d90851 P2PS: Process P2PS provisioning commands
369678a P2PS: Add P2PS attributes into PD Request if requested
59fec34 P2PS: Allow p2p_build_ssid() to use pre-set SSID
d4b43b5 P2PS: Add support to send ASP-RESP events
6df08d0 P2PS: Logic to parse GAS requests for ASP services
5a4102c P2PS: Add support to send ASP service requests
095b3c4 P2PS: Add Application Service Info to device found events
4660e73 P2PS: Add Advertised Service Info into Probe Response frames
9e7321e P2PS: Parse Probe Request frames for matching ASP hashes
ae9d45f P2PS: Extend add/del services logic to support ASP
ea8e033 P2P: Allow p2p_get_group_num_members() to be called with NULL
4f88fc0 P2PS: WPS changes needed for P2PS default PIN
1a94b0a P2PS: Add service hash to Probe Request frames
5177509 P2PS: Add option to specify seek strings into P2P_FIND
5f18501 P2PS: Helper functions to build new P2P attributes
60d1148 P2PS: Add parsing of new P2P attributes
b9348be P2PS: Add new P2P identifier assignments from P2P spec v1.5
c3d6c71 Add helper functions for escaping and unescaping UTF-8
66eaf8a Fix driver-offloaded offchannel TX done processing
c5e154c P2P: Add P2P state into p2p_send_action_cb() debug entry
f2dc06e P2P: Ignore remain-on-channel callback event if not waiting for one
6a6569b HS 2.0R2: Add password to DB in case of machine managed subscription
f0d0a5d Improve BSS selection with default noise floor values
7f7bfba Add an option allow canned EAP-Success for wired IEEE 802.1X
49fcc32 EAP-MSCHAPv2 peer: Add option to disable password retry query
66bc683 hostapd: Simplify vlan_add_dynamic error paths
99805a0 Interworking: Convert wpa_printf() to wpa_msg()
b42f539 Add a variable to handle extra CFLAGS values
e6dd819 Work around Linux packet socket regression
7650f9e Fix resource leaks on rsn_preauth_init() error paths
a565e03 dhcp_snoop: Make IPv4 addresses human readable in debug log
2dd4f3a Fix STA re-bind to another VLAN on reauthentication
4437f8f Free old eap_user_file data on configuration change
1180dd6 WPA auth: Disconnect STA if MSK cannot be fetched
40aaa64 WPA auth: Clear temporary MSK storage from stack explicitly
01b481a Convert couple of remaining printf to wpa_printf in ap_list
bfaefd5 EAP-PEAP server: Fix Phase 2 TLV length in error case
745d936 mesh: Create new station entry on popen frames
41bff86 mesh: Always free the station if peering failed
871ff0b mesh: Sync plink state with kernel
ba42261 Simplify eapol_sm_notify_pmkid_attempt()
993a865 Add eap_session_id to wpa_supplicant STATUS output
f19c907 OpenSSL: Implement aes_wrap() and aes_unwrap()
fee31f7 OpenSSL: Remove support for versions older than 0.9.8
8bf3030 OpenSSL: Use a common helper function for HMAC
983c6a6 OpenSSL: Replace internal HMAC-MD5 implementation
Change-Id: I5743003f14efae324537f7dc2c5e6ada892a33a7
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 62cd4a1..35433f3 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -934,6 +934,15 @@
}
+static int eap_peer_sm_allow_canned(struct eap_sm *sm)
+{
+ struct eap_peer_config *config = eap_get_config(sm);
+
+ return config && config->phase1 &&
+ os_strstr(config->phase1, "allow_canned_success=1");
+}
+
+
static void eap_peer_sm_step_received(struct eap_sm *sm)
{
int duplicate = eap_peer_req_is_duplicate(sm);
@@ -947,6 +956,17 @@
(sm->reqId == sm->lastId ||
eap_success_workaround(sm, sm->reqId, sm->lastId)))
SM_ENTER(EAP, SUCCESS);
+ else if (sm->workaround && sm->lastId == -1 && sm->rxSuccess &&
+ !sm->rxFailure && !sm->rxReq && eap_peer_sm_allow_canned(sm))
+ SM_ENTER(EAP, SUCCESS); /* EAP-Success prior any EAP method */
+ else if (sm->workaround && sm->lastId == -1 && sm->rxFailure &&
+ !sm->rxReq && sm->methodState != METHOD_CONT &&
+ eap_peer_sm_allow_canned(sm))
+ SM_ENTER(EAP, FAILURE); /* EAP-Failure prior any EAP method */
+ else if (sm->workaround && sm->rxSuccess && !sm->rxFailure &&
+ !sm->rxReq && sm->methodState != METHOD_CONT &&
+ eap_peer_sm_allow_canned(sm))
+ SM_ENTER(EAP, SUCCESS); /* EAP-Success after Identity */
else if (sm->methodState != METHOD_CONT &&
((sm->rxFailure &&
sm->decision != DECISION_UNCOND_SUCC) ||
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 903412d..2b1a1d5 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -418,6 +418,16 @@
*
* EAP-WSC (WPS) uses following options: pin=Device_Password and
* uuid=Device_UUID
+ *
+ * For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+ * used to configure a mode that allows EAP-Success (and EAP-Failure)
+ * without going through authentication step. Some switches use such
+ * sequence when forcing the port to be authorized/unauthorized or as a
+ * fallback option if the authentication server is unreachable. By
+ * default, wpa_supplicant discards such frames to protect against
+ * potential attacks by rogue devices, but this option can be used to
+ * disable that protection for cases where the server/authenticator does
+ * not need to be authenticated.
*/
char *phase1;
@@ -425,7 +435,9 @@
* phase2 - Phase2 (inner authentication with TLS tunnel) parameters
*
* String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
- * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
+ * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can
+ * be used to disable MSCHAPv2 password retry in authentication failure
+ * cases.
*/
char *phase2;
diff --git a/src/eap_peer/eap_mschapv2.c b/src/eap_peer/eap_mschapv2.c
index 430c501..9e486e7 100644
--- a/src/eap_peer/eap_mschapv2.c
+++ b/src/eap_peer/eap_mschapv2.c
@@ -472,6 +472,13 @@
pos += 2;
msg = pos;
}
+ if (data->prev_error == ERROR_AUTHENTICATION_FAILURE && retry &&
+ config && config->phase2 &&
+ os_strstr(config->phase2, "mschapv2_retry=0")) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-MSCHAPV2: mark password retry disabled based on local configuration");
+ retry = 0;
+ }
wpa_msg(sm->msg_ctx, MSG_WARNING,
"EAP-MSCHAPV2: failure message: '%s' (retry %sallowed, error "
"%d)",
diff --git a/src/eap_peer/eap_vendor_test.c b/src/eap_peer/eap_vendor_test.c
index 040d1e7..b61057e 100644
--- a/src/eap_peer/eap_vendor_test.c
+++ b/src/eap_peer/eap_vendor_test.c
@@ -1,6 +1,6 @@
/*
* EAP peer method: Test method for vendor specific (expanded) EAP type
- * Copyright (c) 2005-2006, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2005-2015, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@@ -14,31 +14,36 @@
#include "common.h"
#include "eap_i.h"
-#ifdef TEST_PENDING_REQUEST
#include "eloop.h"
-#endif /* TEST_PENDING_REQUEST */
#define EAP_VENDOR_ID EAP_VENDOR_HOSTAP
#define EAP_VENDOR_TYPE 0xfcfbfaf9
-/* #define TEST_PENDING_REQUEST */
-
struct eap_vendor_test_data {
enum { INIT, CONFIRM, SUCCESS } state;
int first_try;
+ int test_pending_req;
};
static void * eap_vendor_test_init(struct eap_sm *sm)
{
struct eap_vendor_test_data *data;
+ const u8 *password;
+ size_t password_len;
+
data = os_zalloc(sizeof(*data));
if (data == NULL)
return NULL;
data->state = INIT;
data->first_try = 1;
+
+ password = eap_get_config_password(sm, &password_len);
+ data->test_pending_req = password && password_len == 7 &&
+ os_memcmp(password, "pending", 7) == 0;
+
return data;
}
@@ -50,7 +55,6 @@
}
-#ifdef TEST_PENDING_REQUEST
static void eap_vendor_ready(void *eloop_ctx, void *timeout_ctx)
{
struct eap_sm *sm = eloop_ctx;
@@ -58,7 +62,6 @@
"request");
eap_notify_pending(sm);
}
-#endif /* TEST_PENDING_REQUEST */
static struct wpabuf * eap_vendor_test_process(struct eap_sm *sm, void *priv,
@@ -98,8 +101,7 @@
}
if (data->state == CONFIRM) {
-#ifdef TEST_PENDING_REQUEST
- if (data->first_try) {
+ if (data->test_pending_req && data->first_try) {
data->first_try = 0;
wpa_printf(MSG_DEBUG, "EAP-VENDOR-TEST: Testing "
"pending request");
@@ -108,7 +110,6 @@
NULL);
return NULL;
}
-#endif /* TEST_PENDING_REQUEST */
}
ret->ignore = FALSE;