From 8aa13a1797eb7472b763a9b8e60d906261c6b243 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 1 Mar 2023 15:51:38 +0100
Subject: [PATCH] eap-peap: Initiate Phase 2 immediately for TLS 1.3

Before TLS 1.3, the server sent the last handshake message and had the option to piggyback the EAP-Identity request directly onto the packet with the TLS Finished message, or wait for the empty message by the client that acknowledges the completion of the handshake. With TLS 1.3, the client finishes the handshake after the server. So this option is irrelevant there and we immediately start with Phase 2.
---
 conf/plugins/eap-peap.opt | 3 ++-
 src/libcharon/plugins/eap_peap/eap_peap.c | 5 ++++
 .../plugins/eap_peap/eap_peap_server.c | 27 ++++++++++++++-----
 .../plugins/eap_peap/eap_peap_server.h | 9 +++++++
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/conf/plugins/eap-peap.opt b/conf/plugins/eap-peap.opt
index 6fe88606de..17fb751eeb 100644
--- a/conf/plugins/eap-peap.opt
+++ b/conf/plugins/eap-peap.opt
@@ -11,7 +11,8 @@ charon.plugins.eap-peap.phase2_method = mschapv2
 Phase2 EAP client authentication method.
 charon.plugins.eap-peap.phase2_piggyback = no
- Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message,
+ relevant only if TLS 1.2 or earlier is negotiated.
 charon.plugins.eap-peap.phase2_tnc = no
 Start phase2 EAP TNC protocol after successful client authentication.
diff --git a/src/libcharon/plugins/eap_peap/eap_peap.c b/src/libcharon/plugins/eap_peap/eap_peap.c
index 577d747867..3573cba7c6 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap.c
@@ -181,6 +181,11 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
 free(this);
 return NULL;
 }
+ if (is_server)
+ {
+ eap_peap_server_t *server = (eap_peap_server_t*)application;
+ server->set_tls(server, tls);
+ }
 return &this->public;
 }
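Review bot: The new block casts `application` back to `eap_peap_server_t*` and stores a bare `tls` pointer in it without saying why either is safe; both rest on invariants the code does not state. The cast presumably relies on `tls_application_t application` being the first member of `eap_peap_server_t` (the header hunk shows it as the first documented field, but the struct head is outside the hunk), and the reference is non-owning — the `tls_t` is created earlier in this function and, as far as the hunk shows, already owns the application — so a future struct reordering or ownership change would break this silently. Suggest `/* non-owning back-reference: tls owns the application and outlives it; cast is valid because application is the first member */` above the `set_tls` call, or keeping the typed `eap_peap_server_t*` from wherever `application` is created instead of casting. `eap_peap_create` starts before this hunk.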
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index c5d97a16a1..abf63713e8 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -42,6 +42,11 @@ struct private_eap_peap_server_t {
 */
 identification_t *peer;
+ /**
+ * TLS connection
+ */
+ tls_t *tls;
+
 /**
 * Current EAP-PEAP phase2 state
 */
@@ -341,16 +346,19 @@ METHOD(tls_application_t, build, status_t,
 eap_type_t type;
 pen_t vendor;
- if (this->ph2_method == NULL && this->start_phase2 && this->start_phase2_id)
+ if (!this->ph2_method && this->start_phase2 &&
+ (this->start_phase2_id ||
+ this->tls->get_version_max(this->tls) >= TLS_1_3))
 {
- /*
- * Start Phase 2 with an EAP Identity request either piggybacked right
- * onto the TLS Finished payload or delayed after the reception of an
- * empty EAP Acknowledge message.
+ /* for TLS < 1.3, either start Phase 2 with an EAP Identity request
+ * piggybacked right onto the TLS Finished payload or delayed after the
+ * reception of an empty EAP Acknowledge message. with TLS 1.3, Phase 2
+ * is always started immediately as the client finishes the handshake
+ * after the server
 */
 this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
 0, EAP_SERVER, this->server, this->peer);
- if (this->ph2_method == NULL)
+ if (!this->ph2_method)
 {
 DBG1(DBG_IKE, "%N method not available",
 eap_type_names, EAP_IDENTITY);
@@ -393,6 +401,12 @@ METHOD(tls_application_t, build, status_t,
 return INVALID_STATE;
 }
+METHOD(eap_peap_server_t, set_tls, void,
+ private_eap_peap_server_t *this, tls_t *tls)
+{
+ this->tls = tls;
+}
+
 METHOD(tls_application_t, destroy, void,
 private_eap_peap_server_t *this)
 {
@@ -420,6 +434,7 @@ eap_peap_server_t *eap_peap_server_create(identification_t *server,
 .build = _build,
 .destroy = _destroy,
 },
+ .set_tls = _set_tls,
 },
 .server = server->clone(server),
 .peer = peer->clone(peer),
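Review bot: The new `tls` member's comment `TLS connection` leaves out the two things a reader of this struct needs: that the pointer is a non-owning back-reference populated only through `set_tls()`, and that `build()` dereferences it unconditionally. Nothing in the patch releases it (the `destroy` method header appears in a later hunk, but its body is out of view, so presumably it must stay untouched), and without that being written down the next maintainer may well add a `destroy()` call on it. Suggest `/** Non-owning back-reference to the parent TLS connection, set via set_tls(); must be set before build() is first called */`. `private_eap_peap_server_t` starts before this hunk.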
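Review bot: `this->tls->get_version_max(this->tls)` is evaluated with no guard, so a server object whose `set_tls()` was never called (it is only populated by `eap_peap_create()` after construction) now crashes on the first `build()` instead of waiting for the acknowledge as before; a one-line defence preserves the old path: `this->tls && this->tls->get_version_max(this->tls) >= TLS_1_3))`. The check also assumes two things the comment does not state: that `get_version_max()` already reports the negotiated version rather than the configured maximum by the time `start_phase2` is honoured, and that the TLS layer never drives `build()` before the client's Finished has been verified — in TLS 1.3 a server may legitimately send application data right after its own Finished (0.5-RTT), which here would put the Phase 2 identity request on the wire before the peer completed the handshake. If the lower layer guarantees both, the rewritten comment should say so, e.g. `/* the TLS layer only calls build() once the handshake is complete, so get_version_max() is the negotiated version here */`. The `build` method starts before and continues after this hunk.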
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.h b/src/libcharon/plugins/eap_peap/eap_peap_server.h
index 8ec95f64b3..3abe88bea6 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.h
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.h
@@ -24,6 +24,7 @@ typedef struct eap_peap_server_t eap_peap_server_t;
+#include "tls.h"
 #include "tls_application.h"
 #include
@@ -38,6 +39,14 @@ struct eap_peap_server_t {
 * Implements the TLS application data handler.
 */
 tls_application_t application;
+
+ /**
+ * Set a reference to the parent TLS connection this application is
+ * assigned to.
+ *
+ * @param tls TLS connection
+ */
+ void (*set_tls)(eap_peap_server_t *this, tls_t *tls);
 };
 /**
--
2.47.2
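Review bot: The `set_tls` doc comment says what is stored but not the contract callers must respect: the reference is not owned (the implementation only assigns `this->tls = tls`, and nothing in the patch releases it), the `tls_t` has to outlive this object, and `build()` dereferences the pointer, so the call must precede the first time the TLS layer drives the application. Without that, a second caller of `eap_peap_server_create()` has no way to know the object is unusable until `set_tls()` has run. Suggest extending the comment to `Set a non-owning reference to the parent TLS connection this application is assigned to. Must be called before the first build() call; the connection has to outlive this object.` The enclosing `struct eap_peap_server_t` starts before this hunk.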