EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled

The new hostapd configuration option eap_sim_id can now be used to
disable use of pseudonym and/or fast reauthentication with EAP-SIM,
EAP-AKA, and EAP-AKA'.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2019-08-01 00:02:02 +03:00 committed by Jouni Malinen
parent c1b2365214
commit 6bb11c7a40
15 changed files with 41 additions and 4 deletions


@ -124,6 +124,7 @@ struct eap_config {
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc;
struct wps_context *wps;
const struct wpabuf *assoc_wps_ie;
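Review bot: The new `eap_sim_id` field is an undocumented bitmask: the eap_aka_build_encr and eap_sim_build_encr hunks later in this commit test bit 0x01 for pseudonym use and bit 0x02 for fast reauthentication, but a reader of this header sees only a bare `int`. Add a comment on the field such as `/* Bitfield: 0x01 = allow pseudonyms, 0x02 = allow fast reauth (EAP-SIM/AKA/AKA') */`, and the same on the copy added to struct eap_sm in the next file section. Because a zero value disables both mechanisms, the code that fills struct eap_config needs a non-zero default (presumably 3) to keep the previous behaviour; that default is not in this view, so it is worth confirming.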


@ -193,6 +193,7 @@ struct eap_sm {
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc;
u16 pwd_group;
struct wps_context *wps;


@ -1872,6 +1872,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->eap_teap_auth = conf->eap_teap_auth;
sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
sm->eap_sim_id = conf->eap_sim_id;
sm->tnc = conf->tnc;
sm->wps = conf->wps;
if (conf->assoc_wps_ie)


@ -393,7 +393,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
if (nonce_s == NULL) {
if (!(sm->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym =
eap_sim_db_get_next_pseudonym(
sm->eap_sim_db_priv,
@ -404,7 +407,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
if (!(sm->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
data->next_reauth_id =
eap_sim_db_get_next_reauth_id(
sm->eap_sim_db_priv,
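Review bot: The bit tests `sm->eap_sim_id & 0x01` and `sm->eap_sim_id & 0x02` are magic numbers, and they are duplicated verbatim in eap_sim_build_encr in the next file section, so the two implementations can drift apart silently. Named constants in a header both files include would keep them in step, e.g. `#define EAP_SIM_ID_PSEUDONYM 0x01` and `#define EAP_SIM_ID_FAST_REAUTH 0x02` (constructed names), with the checks becoming `if (!(sm->eap_sim_id & EAP_SIM_ID_PSEUDONYM))`. The added comments say only "disabled in configuration"; since clearing bit 0x01 presumably means the peer falls back to its permanent identity on every exchange, the identity-privacy trade-off deserves a sentence in the configuration documentation rather than just here. Both eap_aka_build_encr and eap_sim_build_encr start and end outside their hunks.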


@ -150,7 +150,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
if (nonce_s == NULL) {
if (!(sm->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym =
eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
EAP_SIM_DB_SIM);
@ -159,7 +162,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
if (!(sm->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
data->next_reauth_id =
eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
EAP_SIM_DB_SIM);