avoid EAP REQUEST ID

Jouni Malinen j
Fri Mar 7 07:43:35 PST 2008


On Wed, Mar 05, 2008 at 10:14:53PM +0100, fbernal at um.es wrote:

> EAP-MD5 was illustrated as an example. I'm writing my own EAP
> method and I'm interested in avoiding the EAP REQUEST ID interchange.

As long as you are using the internal authentication server and you know
that all users will be using your EAP method, you can do this by
modifying eap_sm_Policy_getNextMethod() in eap.c to return
EAP_TYPE_<yourEAPtype> and set *vendor. This way you won't be getting an
Identity request.

> So,
> I register my method before EAP REQUEST ID METHOD and then EAP REQUEST
> ID is registered. I do this because if my method fails (EAP failure) I
> want to start the EAP REQUEST ID method. Then, to perform this I have
> decided:

Use of Identity request after an attempt to start an authentication
method (type 4 or greater) may end up being problematic. This is
explicitly not allowed if an authentication method (type >= 4) is
started and the peer replies with the same type. In theory, this might work
as long as the initial EAP method is NAK'ed by the peer, but I would
suggest testing this with a number of deployed supplicant implementations
before assuming it will work.

> if (sm->identity == NULL || sm->currentId == -1) {
>         *vendor = EAP_VENDOR_IETF;
>         next = EAP_TYPE_IDENTITY;
>         sm->update_user = TRUE;
>
> To:
> if (sm->identity == NULL || sm->currentId == -1) {
>         next = sm->user->methods[idx].method;
>         sm->user_eap_method_index++;
>         if (next == EAP_TYPE_IDENTITY)
>                 sm->update_user = TRUE;
> 
> Do you think that with this change EAP REQUEST IDENTITY should be  
> selected if the first method fails?

I would expect the sm->user->.. part to trigger a segmentation fault on
NULL pointer dereference. You may need to hardcode the first method
here. Anyway, this is the correct place for controlling the order of EAP
methods. I have not tested this type of change, though, and there are no
guarantees on it working without some additional work to handle an identity
request after having tried to start an authentication method.

-- 
Jouni Malinen                                            PGP id EFC895FA
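As an added illustration (not hostapd's own code; the struct layout, constants and function name are assumptions) of the NULL-pointer problem raised above: a simplified stand-in for eap_sm_Policy_getNextMethod() that walks a per-user method list but falls back to an Identity request whenever sm->user has not been looked up yet, instead of dereferencing it unconditionally as the quoted patch does.

```c
/* Simplified, self-contained model of an EAP server method-selection policy.
 * Not hostapd's eap.c; names and layout are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EAP_VENDOR_IETF   0
#define EAP_TYPE_NONE     0   /* marks the end of a user's method list */
#define EAP_TYPE_IDENTITY 1
#define EAP_TYPE_MD5      4
#define EAP_MAX_METHODS   8

struct eap_user_method { int vendor; uint32_t method; };
struct eap_user { struct eap_user_method methods[EAP_MAX_METHODS]; };

struct eap_sm {
    const char *identity;        /* NULL until an Identity response arrives */
    struct eap_user *user;       /* NULL until the user database was consulted */
    int user_eap_method_index;   /* position in user->methods[] */
    int update_user;             /* ask for a fresh user lookup afterwards */
};

/* Returns the next EAP method type and sets *vendor. The guard on sm->user
 * and on the index is what the quoted patch lacks: with no user entry (or an
 * exhausted list) the server issues an Identity request rather than crash. */
static uint32_t policy_get_next_method(struct eap_sm *sm, int *vendor)
{
    int idx = sm->user_eap_method_index;
    uint32_t next;

    *vendor = EAP_VENDOR_IETF;
    if (sm->user == NULL || idx < 0 || idx >= EAP_MAX_METHODS ||
        sm->user->methods[idx].method == EAP_TYPE_NONE) {
        sm->update_user = 1;
        return EAP_TYPE_IDENTITY;
    }
    *vendor = sm->user->methods[idx].vendor;
    next = sm->user->methods[idx].method;
    sm->user_eap_method_index++;
    if (next == EAP_TYPE_IDENTITY)   /* same intent as the quoted patch */
        sm->update_user = 1;
    return next;
}

int main(void)
{
    struct eap_sm sm = { NULL, NULL, 0, 0 };   /* no user looked up yet */
    int vendor;
    printf("first method with no user: %u\n", policy_get_next_method(&sm, &vendor));
    return 0;
}
```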


