Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP6:Update
wpa_supplicant
CVE-2023-52160.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2023-52160.patch of Package wpa_supplicant
From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001 From: Jouni Malinen <j@w1.fi> Date: Sat, 8 Jul 2023 19:55:32 +0300 Subject: PEAP client: Update Phase 2 authentication requirements The previous PEAP client behavior allowed the server to skip Phase 2 authentication with the expectation that the server was authenticated during Phase 1 through TLS server certificate validation. Various PEAP specifications are not exactly clear on what the behavior on this front is supposed to be and as such, this ended up being more flexible than the TTLS/FAST/TEAP cases. However, this is not really ideal when unfortunately common misconfiguration of PEAP is used in deployed devices where the server trust root (ca_cert) is not configured or the user has an easy option for allowing this validation step to be skipped. Change the default PEAP client behavior to be to require Phase 2 authentication to be successfully completed for cases where TLS session resumption is not used and the client certificate has not been configured. Those two exceptions are the main cases where a deployed authentication server might skip Phase 2 and as such, where a more strict default behavior could result in undesired interoperability issues. Requiring Phase 2 authentication will end up disabling TLS session resumption automatically to avoid interoperability issues. Allow Phase 2 authentication behavior to be configured with a new phase1 configuration parameter option: 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS tunnel) behavior for PEAP: * 0 = do not require Phase 2 authentication * 1 = require Phase 2 authentication when client certificate (private_key/client_cert) is no used and TLS session resumption was not used (default) * 2 = require Phase 2 authentication in all cases Signed-off-by: Jouni Malinen <j@w1.fi> --- src/eap_peer/eap_config.h | 8 ++++++++ src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++++++++++--- src/eap_peer/eap_tls_common.c | 6 ++++++ src/eap_peer/eap_tls_common.h | 5 +++++ wpa_supplicant/wpa_supplicant.conf | 7 +++++++ 5 files changed, 63 insertions(+), 3 deletions(-) diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h index 26744ab68..58d5a1359 100644 --- a/src/eap_peer/eap_config.h +++ b/src/eap_peer/eap_config.h @@ -471,6 +471,14 @@ struct eap_peer_config { * 1 = use cryptobinding if server supports it * 2 = require cryptobinding * + * phase2_auth option can be used to control Phase 2 (i.e., within TLS + * tunnel) behavior for PEAP: + * 0 = do not require Phase 2 authentication + * 1 = require Phase 2 authentication when client certificate + * (private_key/client_cert) is no used and TLS session resumption was + * not used (default) + * 2 = require Phase 2 authentication in all cases + * * EAP-WSC (WPS) uses following options: pin=Device_Password and * uuid=Device_UUID * diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c index 12e30df29..608069719 100644 --- a/src/eap_peer/eap_peap.c +++ b/src/eap_peer/eap_peap.c @@ -67,6 +67,7 @@ struct eap_peap_data { u8 cmk[20]; int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) * is enabled. */ + enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; }; @@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); } + if (os_strstr(phase1, "phase2_auth=0")) { + data->phase2_auth = NO_AUTH; + wpa_printf(MSG_DEBUG, + "EAP-PEAP: Do not require Phase 2 authentication"); + } else if (os_strstr(phase1, "phase2_auth=1")) { + data->phase2_auth = FOR_INITIAL; + wpa_printf(MSG_DEBUG, + "EAP-PEAP: Require Phase 2 authentication for initial connection"); + } else if (os_strstr(phase1, "phase2_auth=2")) { + data->phase2_auth = ALWAYS; + wpa_printf(MSG_DEBUG, + "EAP-PEAP: Require Phase 2 authentication for all cases"); + } #ifdef EAP_TNC if (os_strstr(phase1, "tnc=soh2")) { data->soh = 2; @@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) data->force_peap_version = -1; data->peap_outer_success = 2; data->crypto_binding = OPTIONAL_BINDING; + data->phase2_auth = FOR_INITIAL; if (config && config->phase1) eap_peap_parse_phase1(data, config->phase1); @@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, } +static bool peap_phase2_sufficient(struct eap_sm *sm, + struct eap_peap_data *data) +{ + if ((data->phase2_auth == ALWAYS || + (data->phase2_auth == FOR_INITIAL && + !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && + !data->ssl.client_cert_conf) || + data->phase2_eap_started) && + !data->phase2_eap_success) + return false; + return true; +} + + /** * eap_tlv_process - Process a received EAP-TLV message and generate a response * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() @@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, " - force failed Phase 2"); resp_status = EAP_TLV_RESULT_FAILURE; ret->decision = DECISION_FAIL; + } else if (!peap_phase2_sufficient(sm, data)) { + wpa_printf(MSG_INFO, + "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); + resp_status = EAP_TLV_RESULT_FAILURE; + ret->decision = DECISION_FAIL; } else { resp_status = EAP_TLV_RESULT_SUCCESS; ret->decision = DECISION_UNCOND_SUCC; @@ -887,8 +921,7 @@ continue_req: /* EAP-Success within TLS tunnel is used to indicate * shutdown of the TLS channel. The authentication has * been completed. */ - if (data->phase2_eap_started && - !data->phase2_eap_success) { + if (!peap_phase2_sufficient(sm, data)) { wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " "Success used to indicate success, " "but Phase 2 EAP was not yet " @@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) { struct eap_peap_data *data = priv; + return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && - data->phase2_success; + data->phase2_success && data->phase2_auth != ALWAYS; } diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index 6193b4bdb..966cbd6c7 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -242,6 +242,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); + if (!phase2) + data->client_cert_conf = params->client_cert || + params->client_cert_blob || + params->private_key || + params->private_key_blob; + return 0; } diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h index 9ac00121f..334863413 100644 --- a/src/eap_peer/eap_tls_common.h +++ b/src/eap_peer/eap_tls_common.h @@ -79,6 +79,11 @@ struct eap_ssl_data { * tls_v13 - Whether TLS v1.3 or newer is used */ int tls_v13; + + /** + * client_cert_conf: Whether client certificate has been configured + */ + bool client_cert_conf; }; diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index f0b82443e..1b09f57d3 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf @@ -1370,6 +1370,13 @@ fast_reauth=1 # * 0 = do not use cryptobinding (default) # * 1 = use cryptobinding if server supports it # * 2 = require cryptobinding +# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS +# tunnel) behavior for PEAP: +# * 0 = do not require Phase 2 authentication +# * 1 = require Phase 2 authentication when client certificate +# (private_key/client_cert) is no used and TLS session resumption was +# not used (default) +# * 2 = require Phase 2 authentication in all cases # EAP-WSC (WPS) uses following options: pin=<Device Password> or # pbc=1. # -- cgit v1.2.3-18-g5258
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor