EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled
The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
c1b2365214
commit
6bb11c7a40
15 changed files with 41 additions and 4 deletions
|
@ -2629,6 +2629,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
|||
bss->eap_sim_db_timeout = atoi(pos);
|
||||
} else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) {
|
||||
bss->eap_sim_aka_result_ind = atoi(pos);
|
||||
} else if (os_strcmp(buf, "eap_sim_id") == 0) {
|
||||
bss->eap_sim_id = atoi(pos);
|
||||
#endif /* EAP_SERVER_SIM */
|
||||
#ifdef EAP_SERVER_TNC
|
||||
} else if (os_strcmp(buf, "tnc") == 0) {
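Review bot: `bss->eap_sim_id = atoi(pos);` accepts any integer, so a typo such as `eap_sim_id=33` or a non-numeric value (for which atoi() returns 0) silently lands outside the documented 0..3 range; because the value is consumed as a bit mask (bit 0 = pseudonyms, bit 1 = fast reauthentication) an unrecognised value can quietly disable both, weakening identity privacy with no diagnostic. Reject out-of-range values at parse time, in the way other range-checked options in this function presumably do with the `line` parameter: `if (bss->eap_sim_id < 0 || bss->eap_sim_id > 3) { wpa_printf(MSG_ERROR, "Line %d: Invalid eap_sim_id %d", line, bss->eap_sim_id); return 1; }`. hostapd_config_fill starts and ends outside the hunk.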
|
||||
|
|
|
@ -1205,6 +1205,13 @@ eap_server=0
|
|||
# (default: 0 = disabled).
|
||||
#eap_sim_aka_result_ind=1
|
||||
|
||||
# EAP-SIM and EAP-AKA identity options
|
||||
# 0 = do not use pseudonyms or fast reauthentication
|
||||
# 1 = use pseudonyms, but not fast reauthentication
|
||||
# 2 = do not use pseudonyms, but use fast reauthentication
|
||||
# 3 = use pseudonyms and use fast reauthentication (default)
|
||||
#eap_sim_id=3
|
||||
|
||||
# Trusted Network Connect (TNC)
|
||||
# If enabled, TNC validation will be required before the peer is allowed to
|
||||
# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
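Review bot: The new option text does not state the security trade-off of the non-default values: with pseudonyms disabled (values 0 and 2) the server has no temporary identity to hand out, so the peer presumably ends up presenting its permanent identity in the unprotected EAP identity exchange on every full authentication, which is precisely what EAP-SIM/AKA pseudonyms exist to avoid. A one-line caveat would keep operators from picking 0 or 2 for convenience, e.g. `# Note: disabling pseudonyms means the peer's permanent identity is used for every full authentication; only do this where identity privacy is not required.` It is also worth saying that the value is read as a bit mask (bit 0 = pseudonyms, bit 1 = fast reauthentication) and that values outside 0..3 are not meaningful.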
|
||||
|
|
|
@ -78,6 +78,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
|
|||
|
||||
bss->radius_server_auth_port = 1812;
|
||||
bss->eap_sim_db_timeout = 1;
|
||||
bss->eap_sim_id = 3;
|
||||
bss->ap_max_inactivity = AP_MAX_INACTIVITY;
|
||||
bss->eapol_version = EAPOL_VERSION;
|
||||
|
||||
|
|
|
@ -430,6 +430,7 @@ struct hostapd_bss_config {
|
|||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
int fragment_size;
|
||||
u16 pwd_group;
|
||||
|
|
|
@ -123,6 +123,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
|
|||
srv.eap_teap_auth = conf->eap_teap_auth;
|
||||
srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
|
||||
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||
srv.eap_sim_id = conf->eap_sim_id;
|
||||
srv.tnc = conf->tnc;
|
||||
srv.wps = hapd->wps;
|
||||
srv.ipv6 = conf->radius_server_ipv6;
|
||||
|
|
|
@ -2437,6 +2437,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
|
|||
conf.eap_teap_auth = hapd->conf->eap_teap_auth;
|
||||
conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner;
|
||||
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
|
||||
conf.eap_sim_id = hapd->conf->eap_sim_id;
|
||||
conf.tnc = hapd->conf->tnc;
|
||||
conf.wps = hapd->wps;
|
||||
conf.fragment_size = hapd->conf->fragment_size;
|
||||
|
|
|
@ -124,6 +124,7 @@ struct eap_config {
|
|||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
struct wps_context *wps;
|
||||
const struct wpabuf *assoc_wps_ie;
|
||||
|
|
|
@ -193,6 +193,7 @@ struct eap_sm {
|
|||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
u16 pwd_group;
|
||||
struct wps_context *wps;
|
||||
|
|
|
@ -1872,6 +1872,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
|
|||
sm->eap_teap_auth = conf->eap_teap_auth;
|
||||
sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
|
||||
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||
sm->eap_sim_id = conf->eap_sim_id;
|
||||
sm->tnc = conf->tnc;
|
||||
sm->wps = conf->wps;
|
||||
if (conf->assoc_wps_ie)
|
||||
|
|
|
@ -393,7 +393,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
|
|||
const u8 *nonce_s)
|
||||
{
|
||||
os_free(data->next_pseudonym);
|
||||
if (nonce_s == NULL) {
|
||||
if (!(sm->eap_sim_id & 0x01)) {
|
||||
/* Use of pseudonyms disabled in configuration */
|
||||
data->next_pseudonym = NULL;
|
||||
} else if (!nonce_s) {
|
||||
data->next_pseudonym =
|
||||
eap_sim_db_get_next_pseudonym(
|
||||
sm->eap_sim_db_priv,
|
||||
|
@ -404,7 +407,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
|
|||
data->next_pseudonym = NULL;
|
||||
}
|
||||
os_free(data->next_reauth_id);
|
||||
if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
|
||||
if (!(sm->eap_sim_id & 0x02)) {
|
||||
/* Use of fast reauth disabled in configuration */
|
||||
data->next_reauth_id = NULL;
|
||||
} else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
|
||||
data->next_reauth_id =
|
||||
eap_sim_db_get_next_reauth_id(
|
||||
sm->eap_sim_db_priv,
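Review bot: The tests `sm->eap_sim_id & 0x01` and `sm->eap_sim_id & 0x02` are bare magic numbers, and the same pair is duplicated verbatim in the EAP-SIM build_encr hunk of this commit, so the two implementations can drift apart and a reader has to consult hostapd.conf to learn which bit means what. Define the flags once in a shared header (eap_sim_common.h is the natural home), e.g. `#define EAP_SIM_ID_PSEUDONYM BIT(0)` and `#define EAP_SIM_ID_FAST_REAUTH BIT(1)` if the BIT() helper is available there, and test `if (!(sm->eap_sim_id & EAP_SIM_ID_PSEUDONYM))` at both call sites. eap_aka_build_encr begins and ends outside the hunk.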
|
||||
|
|
|
@ -150,7 +150,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
|
|||
const u8 *nonce_s)
|
||||
{
|
||||
os_free(data->next_pseudonym);
|
||||
if (nonce_s == NULL) {
|
||||
if (!(sm->eap_sim_id & 0x01)) {
|
||||
/* Use of pseudonyms disabled in configuration */
|
||||
data->next_pseudonym = NULL;
|
||||
} else if (!nonce_s) {
|
||||
data->next_pseudonym =
|
||||
eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
|
||||
EAP_SIM_DB_SIM);
|
||||
|
@ -159,7 +162,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
|
|||
data->next_pseudonym = NULL;
|
||||
}
|
||||
os_free(data->next_reauth_id);
|
||||
if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
|
||||
if (!(sm->eap_sim_id & 0x02)) {
|
||||
/* Use of fast reauth disabled in configuration */
|
||||
data->next_reauth_id = NULL;
|
||||
} else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
|
||||
data->next_reauth_id =
|
||||
eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
|
||||
EAP_SIM_DB_SIM);
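Review bot: The new checks only stop the server from issuing a fresh pseudonym or reauth id; nothing in this hunk changes what the server accepts, so a peer that obtained a pseudonym or fast-reauth identity before the option was changed (or from another server sharing the same eap_sim_db) would presumably still be able to use it until the entry ages out of the database. If that is the intended semantics, say so where the flag is tested, e.g. `/* Use of fast reauth disabled in configuration; reauth ids issued earlier remain usable until they expire from eap_sim_db */`; if it is not, the identity-processing path should also refuse pseudonym and reauth identities whenever the corresponding bit is clear. eap_sim_build_encr begins and ends outside the hunk.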
|
||||
|
|
|
@ -838,6 +838,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
|
|||
eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
|
||||
eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
|
||||
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
|
||||
eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
|
||||
eap_conf.tnc = eapol->conf.tnc;
|
||||
eap_conf.wps = eapol->conf.wps;
|
||||
eap_conf.assoc_wps_ie = assoc_wps_ie;
|
||||
|
@ -1236,6 +1237,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
|
|||
dst->eap_teap_auth = src->eap_teap_auth;
|
||||
dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
|
||||
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
|
||||
dst->eap_sim_id = src->eap_sim_id;
|
||||
dst->tnc = src->tnc;
|
||||
dst->wps = src->wps;
|
||||
dst->fragment_size = src->fragment_size;
|
||||
|
|
|
@ -39,6 +39,7 @@ struct eapol_auth_config {
|
|||
int eap_teap_auth;
|
||||
int eap_teap_pac_no_inner;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
int tnc;
|
||||
struct wps_context *wps;
|
||||
int fragment_size;
|
||||
|
|
|
@ -249,6 +249,8 @@ struct radius_server_data {
|
|||
*/
|
||||
int eap_sim_aka_result_ind;
|
||||
|
||||
int eap_sim_id;
|
||||
|
||||
/**
|
||||
* tnc - Trusted Network Connect (TNC)
|
||||
*
|
||||
|
@ -798,6 +800,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
|||
eap_conf.eap_teap_auth = data->eap_teap_auth;
|
||||
eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
|
||||
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
|
||||
eap_conf.eap_sim_id = data->eap_sim_id;
|
||||
eap_conf.tnc = data->tnc;
|
||||
eap_conf.wps = data->wps;
|
||||
eap_conf.pwd_group = data->pwd_group;
|
||||
|
@ -2393,6 +2396,7 @@ radius_server_init(struct radius_server_conf *conf)
|
|||
data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
|
||||
data->get_eap_user = conf->get_eap_user;
|
||||
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||
data->eap_sim_id = conf->eap_sim_id;
|
||||
data->tnc = conf->tnc;
|
||||
data->wps = conf->wps;
|
||||
data->pwd_group = conf->pwd_group;
|
||||
|
|
|
@ -139,6 +139,8 @@ struct radius_server_conf {
|
|||
*/
|
||||
int eap_sim_aka_result_ind;
|
||||
|
||||
int eap_sim_id;
|
||||
|
||||
/**
|
||||
* tnc - Trusted Network Connect (TNC)
|
||||
*
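Review bot: `int eap_sim_id;` is inserted into radius_server_conf between members that carry Doxygen `/** ... */` descriptions (the closing `*/` of the previous member and the `tnc` block directly below), leaving it as the only undocumented field in the struct; the companion insertion into struct radius_server_data in this commit has the same gap. Add a matching block so the bit-mask semantics are visible at the API boundary, e.g. `/**` / ` * eap_sim_id - EAP-SIM/AKA identity options (bit 0 = pseudonyms, bit 1 = fast reauthentication)` / ` */`. The struct definition starts and ends outside the hunk.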
|
||||
|
|