ERP: Add support for ERP on EAP server and authenticator
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
e2ee327b19
commit
d3bddd8b84
15 changed files with 676 additions and 13 deletions
|
|
@ -251,6 +251,20 @@ struct radius_server_data {
|
|||
*/
|
||||
const char *server_id;
|
||||
|
||||
/**
|
||||
* erp - Whether EAP Re-authentication Protocol (ERP) is enabled
|
||||
*
|
||||
* This controls whether the authentication server derives ERP key
|
||||
* hierarchy (rRK and rIK) from full EAP authentication and allows
|
||||
* these keys to be used to perform ERP to derive rMSK instead of full
|
||||
* EAP authentication to derive MSK.
|
||||
*/
|
||||
int erp;
|
||||
|
||||
const char *erp_domain;
|
||||
|
||||
struct dl_list erp_keys; /* struct eap_server_erp_key */
|
||||
|
||||
/**
|
||||
* wps - Wi-Fi Protected Setup context
|
||||
*
|
||||
|
|
@ -673,6 +687,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
|||
eap_conf.pwd_group = data->pwd_group;
|
||||
eap_conf.server_id = (const u8 *) data->server_id;
|
||||
eap_conf.server_id_len = os_strlen(data->server_id);
|
||||
eap_conf.erp = data->erp;
|
||||
radius_server_testing_options(sess, &eap_conf);
|
||||
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
|
||||
&eap_conf);
|
||||
|
|
@ -1687,6 +1702,7 @@ radius_server_init(struct radius_server_conf *conf)
|
|||
if (data == NULL)
|
||||
return NULL;
|
||||
|
||||
dl_list_init(&data->erp_keys);
|
||||
os_get_reltime(&data->start_time);
|
||||
data->conf_ctx = conf->conf_ctx;
|
||||
data->eap_sim_db_priv = conf->eap_sim_db_priv;
|
||||
|
|
@ -1725,6 +1741,8 @@ radius_server_init(struct radius_server_conf *conf)
|
|||
data->eap_req_id_text_len = conf->eap_req_id_text_len;
|
||||
}
|
||||
}
|
||||
data->erp = conf->erp;
|
||||
data->erp_domain = conf->erp_domain;
|
||||
|
||||
if (conf->subscr_remediation_url) {
|
||||
data->subscr_remediation_url =
|
||||
|
|
@ -1807,6 +1825,8 @@ radius_server_init(struct radius_server_conf *conf)
|
|||
*/
|
||||
void radius_server_deinit(struct radius_server_data *data)
|
||||
{
|
||||
struct eap_server_erp_key *erp;
|
||||
|
||||
if (data == NULL)
|
||||
return;
|
||||
|
||||
|
|
@ -1836,6 +1856,12 @@ void radius_server_deinit(struct radius_server_data *data)
|
|||
sqlite3_close(data->db);
|
||||
#endif /* CONFIG_SQLITE */
|
||||
|
||||
while ((erp = dl_list_first(&data->erp_keys, struct eap_server_erp_key,
|
||||
list)) != NULL) {
|
||||
dl_list_del(&erp->list);
|
||||
bin_clear_free(erp, sizeof(*erp));
|
||||
}
|
||||
|
||||
os_free(data);
|
||||
}
|
||||
|
||||
|
|
@ -2017,13 +2043,57 @@ static void radius_server_log_msg(void *ctx, const char *msg)
|
|||
}
|
||||
|
||||
|
||||
#ifdef CONFIG_ERP
|
||||
|
||||
static const char * radius_server_get_erp_domain(void *ctx)
|
||||
{
|
||||
struct radius_session *sess = ctx;
|
||||
struct radius_server_data *data = sess->server;
|
||||
|
||||
return data->erp_domain;
|
||||
}
|
||||
|
||||
|
||||
static struct eap_server_erp_key *
|
||||
radius_server_erp_get_key(void *ctx, const char *keyname)
|
||||
{
|
||||
struct radius_session *sess = ctx;
|
||||
struct radius_server_data *data = sess->server;
|
||||
struct eap_server_erp_key *erp;
|
||||
|
||||
dl_list_for_each(erp, &data->erp_keys, struct eap_server_erp_key,
|
||||
list) {
|
||||
if (os_strcmp(erp->keyname_nai, keyname) == 0)
|
||||
return erp;
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
static int radius_server_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
|
||||
{
|
||||
struct radius_session *sess = ctx;
|
||||
struct radius_server_data *data = sess->server;
|
||||
|
||||
dl_list_add(&data->erp_keys, &erp->list);
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* CONFIG_ERP */
|
||||
|
||||
|
||||
static struct eapol_callbacks radius_server_eapol_cb =
|
||||
{
|
||||
.get_eap_user = radius_server_get_eap_user,
|
||||
.get_eap_req_id_text = radius_server_get_eap_req_id_text,
|
||||
.log_msg = radius_server_log_msg,
|
||||
NULL,
|
||||
NULL,
|
||||
#ifdef CONFIG_ERP
|
||||
.get_erp_send_reauth_start = NULL,
|
||||
.get_erp_domain = radius_server_get_erp_domain,
|
||||
.erp_get_key = radius_server_erp_get_key,
|
||||
.erp_add_key = radius_server_erp_add_key,
|
||||
#endif /* CONFIG_ERP */
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -158,6 +158,18 @@ struct radius_server_conf {
|
|||
*/
|
||||
const char *server_id;
|
||||
|
||||
/**
|
||||
* erp - Whether EAP Re-authentication Protocol (ERP) is enabled
|
||||
*
|
||||
* This controls whether the authentication server derives ERP key
|
||||
* hierarchy (rRK and rIK) from full EAP authentication and allows
|
||||
* these keys to be used to perform ERP to derive rMSK instead of full
|
||||
* EAP authentication to derive MSK.
|
||||
*/
|
||||
int erp;
|
||||
|
||||
const char *erp_domain;
|
||||
|
||||
/**
|
||||
* wps - Wi-Fi Protected Setup context
|
||||
*
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue