EAP server: Configurable maximum number of authentication message rounds

Allow the previously hardcoded maximum number of EAP message rounds to
be configured in the hostapd EAP server. This can be used, e.g., to increase
the default limits when very large X.509 certificates are used for EAP
authentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2019-09-01 15:58:10 +03:00
parent b99c4cadb7
commit 8d76e0ad7b
8 changed files with 29 additions and 11 deletions


@ -2547,6 +2547,10 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->tls_session_lifetime = atoi(pos);
} else if (os_strcmp(buf, "tls_flags") == 0) {
bss->tls_flags = parse_tls_flags(pos);
} else if (os_strcmp(buf, "max_auth_rounds") == 0) {
bss->max_auth_rounds = atoi(pos);
} else if (os_strcmp(buf, "max_auth_rounds_short") == 0) {
bss->max_auth_rounds_short = atoi(pos);
} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
os_free(bss->ocsp_stapling_response);
bss->ocsp_stapling_response = os_strdup(pos);
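Review bot: The new `bss->max_auth_rounds = atoi(pos);` and the matching max_auth_rounds_short line store unchecked input into an unsigned int: a negative number converts to a very large value, which effectively removes the round limit that bounds how long the EAP server keeps a single session alive, and a non-numeric value silently becomes 0, which trips the limit after the first round. Most numeric keys in this function also use atoi(), but these two are protective limits, so a range check in the shape this function uses elsewhere is worth adding: `int val = atoi(pos); if (val < 1) { wpa_printf(MSG_ERROR, "Line %d: invalid max_auth_rounds %d", line, val); return 1; }`, and the same for max_auth_rounds_short. hostapd_config_fill begins and ends outside the hunk.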


@ -1081,6 +1081,12 @@ eap_server=0
# [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
#tls_flags=[flag1][flag2]...
# Maximum number of EAP message rounds with data (default: 100)
#max_auth_rounds=100
# Maximum number of short EAP message rounds (default: 50)
#max_auth_rounds_short=50
# Cached OCSP stapling response (DER encoded)
# If set, this file is sent as a certificate status response by the EAP server
# if the EAP peer requests certificate status in the ClientHello message.


@ -135,6 +135,9 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
* completed and tested with other implementations. */
bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
bss->max_auth_rounds = 100;
bss->max_auth_rounds_short = 50;
bss->send_probe_response = 1;
#ifdef CONFIG_HS20
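Review bot: The defaults `bss->max_auth_rounds = 100;` and `bss->max_auth_rounds_short = 50;` are bare literals that repeat the values of EAP_MAX_AUTH_ROUNDS and EAP_MAX_AUTH_ROUNDS_SHORT, which this commit deletes from eap_server_sm.c, and the same numbers appear again in the hostapd.conf documentation. Keeping them as named constants in the EAP server header (a default macro next to struct eap_config, for instance) would give the state machine and this default one shared definition instead of three copies that can drift apart. hostapd_config_defaults_bss begins and ends outside the hunk.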


@ -415,6 +415,8 @@ struct hostapd_bss_config {
unsigned int crl_reload_interval;
unsigned int tls_session_lifetime;
unsigned int tls_flags;
unsigned int max_auth_rounds;
unsigned int max_auth_rounds_short;
char *ocsp_stapling_response;
char *ocsp_stapling_response_multi;
char *dh_file;


@ -187,6 +187,8 @@ static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd)
cfg->eap_sim_db_priv = hapd->eap_sim_db_priv;
cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime;
cfg->tls_flags = hapd->conf->tls_flags;
cfg->max_auth_rounds = hapd->conf->max_auth_rounds;
cfg->max_auth_rounds_short = hapd->conf->max_auth_rounds_short;
if (hapd->conf->pac_opaque_encr_key)
cfg->pac_opaque_encr_key =
os_memdup(hapd->conf->pac_opaque_encr_key, 16);


@ -255,6 +255,9 @@ struct eap_config {
int erp;
unsigned int tls_session_lifetime;
unsigned int tls_flags;
unsigned int max_auth_rounds;
unsigned int max_auth_rounds_short;
};
struct eap_session_data {
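Review bot: The two new struct eap_config members `unsigned int max_auth_rounds;` and `unsigned int max_auth_rounds_short;` carry no comment, and nothing in the header says what they bound or what happens when they are exceeded. A short comment would help whoever next fills in this struct: `/* Abort the session (FAILURE) once this many EAP rounds with data, respectively short rounds, have been exchanged; see eap_server_sm.c */`. It is also worth stating whether 0 is a legal value, since the comparison added in eap_server_sm.c appears to trip after the first round when the field is left at zero. struct eap_config starts outside the hunk.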


@ -171,8 +171,8 @@ struct eap_sm {
struct eap_config cfg_buf;
Boolean update_user;
int num_rounds;
int num_rounds_short;
unsigned int num_rounds;
unsigned int num_rounds_short;
enum {
METHOD_PENDING_NONE, METHOD_PENDING_WAIT, METHOD_PENDING_CONT
} method_pending;


@ -23,9 +23,6 @@
#define STATE_MACHINE_DATA struct eap_sm
#define STATE_MACHINE_DEBUG_PREFIX "EAP"
#define EAP_MAX_AUTH_ROUNDS 100
#define EAP_MAX_AUTH_ROUNDS_SHORT 50
/* EAP state machines are described in RFC 4137 */
static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount,
@ -1172,19 +1169,20 @@ SM_STEP(EAP)
SM_ENTER_GLOBAL(EAP, INITIALIZE);
else if (!sm->eap_if.portEnabled)
SM_ENTER_GLOBAL(EAP, DISABLED);
else if (sm->num_rounds > EAP_MAX_AUTH_ROUNDS) {
if (sm->num_rounds == EAP_MAX_AUTH_ROUNDS + 1) {
else if (sm->num_rounds > sm->cfg->max_auth_rounds) {
if (sm->num_rounds == sm->cfg->max_auth_rounds + 1) {
wpa_printf(MSG_DEBUG, "EAP: more than %d "
"authentication rounds - abort",
EAP_MAX_AUTH_ROUNDS);
sm->cfg->max_auth_rounds);
sm->num_rounds++;
SM_ENTER_GLOBAL(EAP, FAILURE);
}
} else if (sm->num_rounds_short > EAP_MAX_AUTH_ROUNDS_SHORT) {
if (sm->num_rounds_short == EAP_MAX_AUTH_ROUNDS_SHORT + 1) {
} else if (sm->num_rounds_short > sm->cfg->max_auth_rounds_short) {
if (sm->num_rounds_short ==
sm->cfg->max_auth_rounds_short + 1) {
wpa_printf(MSG_DEBUG,
"EAP: more than %d authentication rounds (short) - abort",
EAP_MAX_AUTH_ROUNDS_SHORT);
sm->cfg->max_auth_rounds_short);
sm->num_rounds_short++;
SM_ENTER_GLOBAL(EAP, FAILURE);
}
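Review bot: A zero limit is not handled in the new comparison `else if (sm->num_rounds > sm->cfg->max_auth_rounds)` nor in the short-round branch below it: if a struct eap_config is left zero-initialized (any provider other than hostapd's authsrv that does not set these fields, or `max_auth_rounds=0` in hostapd.conf), the condition holds as soon as num_rounds reaches 1 and the session is forced into FAILURE after its first round. Since the commit removes the EAP_MAX_AUTH_ROUNDS fallback constants, the state machine now depends entirely on the config provider; either reject 0 where the value is parsed or fall back to the former defaults here, e.g. `unsigned int limit = sm->cfg->max_auth_rounds ? sm->cfg->max_auth_rounds : 100;` and compare against that. The debug messages still print these unsigned int fields with `%d`; `%u` matches the new type. SM_STEP(EAP) begins and ends outside the hunk.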