From 378eae5e9b4e23d533ae1eb0820e8d9cee28a94a Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 8 Oct 2008 16:55:23 +0300
Subject: [PATCH] EAP-FAST: Added support for disabling anonymous/authenticated provisioning

eap_fast_prov config parameter can now be used to enable/disable different EAP-FAST provisioning modes:
0 = provisioning disabled
1 = only anonymous provisioning allowed
2 = only authenticated provisioning allowed
3 = both provisioning modes allowed
---
 hostapd/config.c | 6 ++++++
 hostapd/config.h | 1 +
 hostapd/eapol_sm.c | 2 ++
 hostapd/eapol_sm.h | 1 +
 hostapd/hostapd.c | 1 +
 hostapd/hostapd.conf | 7 +++++++
 hostapd/ieee802_1x.c | 1 +
 src/eap_server/eap.c | 1 +
 src/eap_server/eap.h | 1 +
 src/eap_server/eap_fast.c | 22 ++++++++++++++++++++++
 src/eap_server/eap_i.h | 3 +++
 src/radius/radius_server.c | 3 +++
 src/radius/radius_server.h | 1 +
 13 files changed, 50 insertions(+)

diff --git a/hostapd/config.c b/hostapd/config.c
index d92296212..953fb9e41 100644
--- a/hostapd/config.c
+++ b/hostapd/config.c
@@ -186,6 +186,10 @@ static void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 bss->assoc_ping_timeout = 1000;
 bss->assoc_ping_attempts = 3;
 #endif /* CONFIG_IEEE80211W */
+#ifdef EAP_FAST
+ /* both anonymous and authenticated provisioning */
+ bss->eap_fast_prov = 3;
+#endif /* EAP_FAST */
 }
@@ -1505,6 +1509,8 @@ struct hostapd_config * hostapd_config_read(const char *fname)
 } else if (os_strcmp(buf, "eap_fast_a_id") == 0) {
 os_free(bss->eap_fast_a_id);
 bss->eap_fast_a_id = os_strdup(pos);
+ } else if (os_strcmp(buf, "eap_fast_prov") == 0) {
+ bss->eap_fast_prov = atoi(pos);
 #endif /* EAP_FAST */
 #ifdef EAP_SIM
 } else if (os_strcmp(buf, "eap_sim_db") == 0) {
diff --git a/hostapd/config.h b/hostapd/config.h
index 237dec24a..984dfa415 100644
--- a/hostapd/config.h
+++ b/hostapd/config.h
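Review bot: `bss->eap_fast_prov = atoi(pos);` in the hostapd_config_read hunk accepts any integer without a range check, while the enumerators this value feeds in eap_i.h only cover 0–3; an out-of-range value such as 4, or a non-numeric string (atoi yields 0), is not an enumerator and, by the tests in eap_fast.c, ends up with both provisioning modes rejected. That is fail-closed, which is the right direction for a security knob, but a typo in the config then silently breaks all PAC provisioning with nothing more than a debug-level message at run time. I would reject it on read, e.g. `bss->eap_fast_prov = atoi(pos); if (bss->eap_fast_prov < 0 || bss->eap_fast_prov > 3) { wpa_printf(MSG_ERROR, "Line %d: invalid eap_fast_prov %d", line, bss->eap_fast_prov); errors++; }`, using whatever line/error-counting variables this parser already has (they are not visible in the hunk). hostapd_config_read starts and ends outside this hunk.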
@@ -251,6 +251,7 @@ struct hostapd_bss_config {
 char *dh_file;
 u8 *pac_opaque_encr_key;
 char *eap_fast_a_id;
+ int eap_fast_prov;
 int eap_sim_aka_result_ind;
 int tnc;
diff --git a/hostapd/eapol_sm.c b/hostapd/eapol_sm.c
index 2b3d16ef0..ce50efba4 100644
--- a/hostapd/eapol_sm.c
+++ b/hostapd/eapol_sm.c
@@ -805,6 +805,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
 eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
 eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
+ eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
 eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
 eap_conf.tnc = eapol->conf.tnc;
 sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
@@ -1237,6 +1238,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 dst->eap_fast_a_id = os_strdup(src->eap_fast_a_id);
 else
 dst->eap_fast_a_id = NULL;
+ dst->eap_fast_prov = src->eap_fast_prov;
 dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
 dst->tnc = src->tnc;
 return 0;
diff --git a/hostapd/eapol_sm.h b/hostapd/eapol_sm.h
index df0ddd0bd..51ebc4c37 100644
--- a/hostapd/eapol_sm.h
+++ b/hostapd/eapol_sm.h
@@ -49,6 +49,7 @@ struct eapol_auth_config {
 size_t eap_req_id_text_len;
 u8 *pac_opaque_encr_key;
 char *eap_fast_a_id;
+ int eap_fast_prov;
 int eap_sim_aka_result_ind;
 int tnc;
diff --git a/hostapd/hostapd.c b/hostapd/hostapd.c
index 69780a4df..5990cf0ac 100644
--- a/hostapd/hostapd.c
+++ b/hostapd/hostapd.c
@@ -1170,6 +1170,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd,
 srv.ssl_ctx = hapd->ssl_ctx;
 srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
 srv.eap_fast_a_id = conf->eap_fast_a_id;
+ srv.eap_fast_prov = conf->eap_fast_prov;
 srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 srv.tnc = conf->tnc;
 srv.ipv6 = conf->radius_server_ipv6;
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 874a1595f..c1e1288f2 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -508,6 +508,13 @@ eap_server=0
 # EAP-FAST authority identity (A-ID)
 #eap_fast_a_id=test server
+# Enable/disable different EAP-FAST provisioning modes:
+#0 = provisioning disabled
+#1 = only anonymous provisioning allowed
+#2 = only authenticated provisioning allowed
+#3 = both provisioning modes allowed (default)
+#eap_fast_prov=3
+
 # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
 # (default: 0 = disabled).
 #eap_sim_aka_result_ind=1
diff --git a/hostapd/ieee802_1x.c b/hostapd/ieee802_1x.c
index f8e421a52..2e291f157 100644
--- a/hostapd/ieee802_1x.c
+++ b/hostapd/ieee802_1x.c
@@ -1605,6 +1605,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
+ conf.eap_fast_prov = hapd->conf->eap_fast_prov;
 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
 conf.tnc = hapd->conf->tnc;
diff --git a/src/eap_server/eap.c b/src/eap_server/eap.c
index 0fa8132a1..2c9eb30ca 100644
--- a/src/eap_server/eap.c
+++ b/src/eap_server/eap.c
@@ -1153,6 +1153,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 }
 if (conf->eap_fast_a_id)
 sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
+ sm->eap_fast_prov = conf->eap_fast_prov;
 sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 sm->tnc = conf->tnc;
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index ed84baea7..1d28557af 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -96,6 +96,7 @@ struct eap_config {
 int eap_server;
 u8 *pac_opaque_encr_key;
 char *eap_fast_a_id;
+ int eap_fast_prov;
 int eap_sim_aka_result_ind;
 int tnc;
 };
diff --git a/src/eap_server/eap_fast.c b/src/eap_server/eap_fast.c
index 30df86cac..d440c2f2c 100644
--- a/src/eap_server/eap_fast.c
+++ b/src/eap_server/eap_fast.c
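Review bot: The new hostapd.conf comment lists the four values but says nothing about the trade-off, even though the default it documents (3) permits the mode that eap_fast.c itself logs as "unauthenticated provisioning". An operator reading only this file has no cue that 1 and 3 let a peer provision a PAC without server authentication during the provisioning exchange, or that 2 is the stricter choice. I would add one line after the value list, e.g. `# Modes 1 and 3 allow unauthenticated (anonymous) provisioning; set 2 where all peers support authenticated provisioning.`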
@@ -1241,6 +1241,28 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
 "completed successfully");
 }
+ if (data->anon_provisioning &&
+ sm->eap_fast_prov != ANON_PROV &&
+ sm->eap_fast_prov != BOTH_PROV) {
+ wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
+ "use unauthenticated provisioning which is "
+ "disabled");
+ eap_fast_state(data, FAILURE);
+ return;
+ }
+
+ if (sm->eap_fast_prov != AUTH_PROV &&
+ sm->eap_fast_prov != BOTH_PROV &&
+ tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
+ eap_fast_pac_type(tlv.pac, tlv.pac_len,
+ PAC_TYPE_TUNNEL_PAC)) {
+ wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
+ "use authenticated provisioning which is "
+ "disabled");
+ eap_fast_state(data, FAILURE);
+ return;
+ }
+
 if (data->anon_provisioning ||
 (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
 eap_fast_pac_type(tlv.pac, tlv.pac_len,
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 6ff823583..e9c384193 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -172,6 +172,9 @@ struct eap_sm {
 u8 *pac_opaque_encr_key;
 char *eap_fast_a_id;
+ enum {
+ NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
+ } eap_fast_prov;
 int eap_sim_aka_result_ind;
 int tnc;
 };
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 0d18d8caa..b8cc3dfc7 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -86,6 +86,7 @@ struct radius_server_data {
 void *ssl_ctx;
 u8 *pac_opaque_encr_key;
 char *eap_fast_a_id;
+ int eap_fast_prov;
 int eap_sim_aka_result_ind;
 int tnc;
 int ipv6;
@@ -311,6 +312,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 eap_conf.eap_server = 1;
 eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
 eap_conf.eap_fast_a_id = data->eap_fast_a_id;
+ eap_conf.eap_fast_prov = data->eap_fast_prov;
 eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
 eap_conf.tnc = data->tnc;
 sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
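Review bot: The second new check in eap_fast_process_phase2_tlvs does not exclude the anonymous case: with eap_fast_prov=1 (ANON_PROV) a peer that is already in an anonymous provisioning session (`data->anon_provisioning` set) and also sends a Tunnel PAC request with EAP_TLV_ACTION_PROCESS_TLV passes the first check and is then failed as "authenticated provisioning", which is the wrong reason and, depending on what the peer sends, could make mode 1 unusable. Prefixing that condition with `!data->anon_provisioning &&` keeps the two policy checks mutually exclusive and mirrors the combined test the existing code applies right below them. Separately, both rejections happen in phase 2, after the TLS tunnel is up; if `anon_provisioning` is derived from the negotiated cipher suite (set outside this hunk), then modes 0 and 2 still let the anonymous handshake complete and only fail the peer here, so not offering anonymous cipher suites when anonymous provisioning is disabled would be the tighter enforcement point. A peer being refused by policy is also arguably worth MSG_INFO rather than MSG_DEBUG so operators can see it. eap_fast_process_phase2_tlvs starts and ends outside this hunk.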
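Review bot: The anonymous enum added to struct eap_sm in eap_i.h relies on its implicit values (NO_PROV=0 … BOTH_PROV=3) matching the integers documented for eap_fast_prov in hostapd.conf, and eap.c assigns a plain int into it, so the contract lives in three files with nothing tying them together. A comment on the field would pin it: `/* Must match the eap_fast_prov config values: 0 = disabled, 1 = anonymous only, 2 = authenticated only, 3 = both */`. Writing the enumerators as `NO_PROV = 0, ANON_PROV = 1, AUTH_PROV = 2, BOTH_PROV = 3` would make the same intent visible in the code, and a note that any other value is treated by eap_fast.c as fully disabled would save the next editor a trip through the checks. struct eap_sm starts outside this hunk.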
@@ -1016,6 +1018,7 @@ radius_server_init(struct radius_server_conf *conf)
 }
 if (conf->eap_fast_a_id)
 data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
+ data->eap_fast_prov = conf->eap_fast_prov;
 data->get_eap_user = conf->get_eap_user;
 data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 data->tnc = conf->tnc;
diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index 1012a1453..c1807e21d 100644
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -26,6 +26,7 @@ struct radius_server_conf {
 void *ssl_ctx;
 u8 *pac_opaque_encr_key;
 char *eap_fast_a_id;
+ int eap_fast_prov;
 int eap_sim_aka_result_ind;
 int tnc;
 int ipv6;