authorJouni Malinen <jouni@codeaurora.org>2019-07-31 21:02:02 (GMT)
committerJouni Malinen <j@w1.fi>2019-08-01 07:36:11 (GMT)
commit6bb11c7a405616de9a2b3af395117ebe7bdc7047 (patch)
tree18da671f57314bee1c5d7e6614b146d3722de16c
parentc1b2365214beacd834811fad2774e03177e008ce (diff)
EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled
The new hostapd configuration option eap_sim_id can now be used to disable the use of pseudonyms and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--hostapd/config_file.c2
-rw-r--r--hostapd/hostapd.conf7
-rw-r--r--src/ap/ap_config.c1
-rw-r--r--src/ap/ap_config.h1
-rw-r--r--src/ap/authsrv.c1
-rw-r--r--src/ap/ieee802_1x.c1
-rw-r--r--src/eap_server/eap.h1
-rw-r--r--src/eap_server/eap_i.h1
-rw-r--r--src/eap_server/eap_server.c1
-rw-r--r--src/eap_server/eap_server_aka.c10
-rw-r--r--src/eap_server/eap_server_sim.c10
-rw-r--r--src/eapol_auth/eapol_auth_sm.c2
-rw-r--r--src/eapol_auth/eapol_auth_sm.h1
-rw-r--r--src/radius/radius_server.c4
-rw-r--r--src/radius/radius_server.h2
15 files changed, 41 insertions, 4 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 1f2c565..e09e6e1 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2629,6 +2629,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->eap_sim_db_timeout = atoi(pos);
} else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) {
bss->eap_sim_aka_result_ind = atoi(pos);
+ } else if (os_strcmp(buf, "eap_sim_id") == 0) {
+ bss->eap_sim_id = atoi(pos);
#endif /* EAP_SERVER_SIM */
#ifdef EAP_SERVER_TNC
} else if (os_strcmp(buf, "tnc") == 0) {
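Review bot: The added `bss->eap_sim_id = atoi(pos);` stores the value with no range check, so any integer is accepted even though only bits 0x01 and 0x02 are ever consulted by the SIM/AKA servers, and a non-numeric value silently becomes 0, which disables both pseudonyms and fast reauthentication. A bounds check in the style hostapd_config_fill uses for its other bounded integer options would catch a typo at load time, e.g. `if (bss->eap_sim_id < 0 || bss->eap_sim_id > 3) { wpa_printf(MSG_ERROR, "Line %d: Invalid eap_sim_id %d", line, bss->eap_sim_id); errors++; }` — assuming `line` and `errors` are in scope here as they are for neighbouring options (not visible in this hunk). hostapd_config_fill starts before and continues after the hunk.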
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 5138aee..ce3ecdd 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1205,6 +1205,13 @@ eap_server=0
# (default: 0 = disabled).
#eap_sim_aka_result_ind=1
+# EAP-SIM and EAP-AKA identity options
+# 0 = do not use pseudonyms or fast reauthentication
+# 1 = use pseudonyms, but not fast reauthentication
+# 2 = do not use pseudonyms, but use fast reauthentication
+# 3 = use pseudonyms and use fast reauthentication (default)
+#eap_sim_id=3
+
# Trusted Network Connect (TNC)
# If enabled, TNC validation will be required before the peer is allowed to
# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 968eb65..90348e1 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -78,6 +78,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
bss->radius_server_auth_port = 1812;
bss->eap_sim_db_timeout = 1;
+ bss->eap_sim_id = 3;
bss->ap_max_inactivity = AP_MAX_INACTIVITY;
bss->eapol_version = EAPOL_VERSION;
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 0a1d49b..ea581a8 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -430,6 +430,7 @@ struct hostapd_bss_config {
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
+ int eap_sim_id;
int tnc;
int fragment_size;
u16 pwd_group;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index b3d9107..4f5fe7d 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -123,6 +123,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
srv.eap_teap_auth = conf->eap_teap_auth;
srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+ srv.eap_sim_id = conf->eap_sim_id;
srv.tnc = conf->tnc;
srv.wps = hapd->wps;
srv.ipv6 = conf->radius_server_ipv6;
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index ab6989b..e061471 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2437,6 +2437,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
conf.eap_teap_auth = hapd->conf->eap_teap_auth;
conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner;
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
+ conf.eap_sim_id = hapd->conf->eap_sim_id;
conf.tnc = hapd->conf->tnc;
conf.wps = hapd->wps;
conf.fragment_size = hapd->conf->fragment_size;
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index a32c883..a9cf5c9 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -124,6 +124,7 @@ struct eap_config {
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
+ int eap_sim_id;
int tnc;
struct wps_context *wps;
const struct wpabuf *assoc_wps_ie;
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 8e6ac46..f9ab32d 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -193,6 +193,7 @@ struct eap_sm {
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
+ int eap_sim_id;
int tnc;
u16 pwd_group;
struct wps_context *wps;
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 724ec15..568eebd 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1872,6 +1872,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->eap_teap_auth = conf->eap_teap_auth;
sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+ sm->eap_sim_id = conf->eap_sim_id;
sm->tnc = conf->tnc;
sm->wps = conf->wps;
if (conf->assoc_wps_ie)
diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index e145a12..4dadfe1 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -393,7 +393,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
- if (nonce_s == NULL) {
+ if (!(sm->eap_sim_id & 0x01)) {
+ /* Use of pseudonyms disabled in configuration */
+ data->next_pseudonym = NULL;
+ } else if (!nonce_s) {
data->next_pseudonym =
eap_sim_db_get_next_pseudonym(
sm->eap_sim_db_priv,
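Review bot: The bit test `sm->eap_sim_id & 0x01` on the new line (and `& 0x02` in the next hunk) is a raw magic value that is repeated verbatim in eap_server_sim.c and mirrored by the literal default `3` in ap_config.c and the 0–3 table in hostapd.conf, so the encoding is explained only in a config-file comment. Defining the two flags once next to the new `eap_sim_id` field in eap_server/eap.h, e.g. `#define EAP_SIM_ID_USE_PSEUDONYM 0x01` and `#define EAP_SIM_ID_USE_FAST_REAUTH 0x02`, and testing those names in both servers would keep EAP-SIM and EAP-AKA in agreement if the encoding is ever extended. The enclosing function eap_aka_build_encr starts before and continues after this hunk.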
@@ -404,7 +407,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
- if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
+ if (!(sm->eap_sim_id & 0x02)) {
+ /* Use of fast reauth disabled in configuration */
+ data->next_reauth_id = NULL;
+ } else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
data->next_reauth_id =
eap_sim_db_get_next_reauth_id(
sm->eap_sim_db_priv,
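Review bot: Clearing bit 0x02 only stops eap_aka_build_encr from handing out a new AT_NEXT_REAUTH_ID; nothing in this change touches the identity-processing path where a reauth identity presented by the peer is looked up in the EAP-SIM DB, so if that path (outside this diff) still honours previously issued ids, a peer that already holds one can presumably keep doing fast reauthentication after the option is set until that id is consumed or expires. If that is the intended semantics, a one-line note on the new branch would spare the next reader the same question, e.g. `/* Use of fast reauth disabled in configuration (no new reauth ids are issued; check identity lookup for ids issued earlier) */`; if not, the reauth-id lookup should also consult `sm->eap_sim_id`. The enclosing function continues past the end of the hunk.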
diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c
index f8aa508..5243568 100644
--- a/src/eap_server/eap_server_sim.c
+++ b/src/eap_server/eap_server_sim.c
@@ -150,7 +150,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
- if (nonce_s == NULL) {
+ if (!(sm->eap_sim_id & 0x01)) {
+ /* Use of pseudonyms disabled in configuration */
+ data->next_pseudonym = NULL;
+ } else if (!nonce_s) {
data->next_pseudonym =
eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
EAP_SIM_DB_SIM);
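Review bot: The new `/* Use of pseudonyms disabled in configuration */` branch is correct but understates the consequence: once no AT_NEXT_PSEUDONYM is ever issued, the peer presumably has nothing but its permanent identity (the IMSI-based one) to present on subsequent full authentications, so the identity-privacy protection that pseudonyms provide is switched off for every client of this server. That trade-off should be visible to the operator rather than only in code; a sentence in the hostapd.conf description of `eap_sim_id`, such as `# Note: disabling pseudonyms (values 0 and 2) makes peers fall back to their permanent identity on each full authentication`, would make it explicit. The enclosing function eap_sim_build_encr starts before and continues after this hunk.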
@@ -159,7 +162,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
- if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
+ if (!(sm->eap_sim_id & 0x02)) {
+ /* Use of fast reauth disabled in configuration */
+ data->next_reauth_id = NULL;
+ } else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
data->next_reauth_id =
eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
EAP_SIM_DB_SIM);
diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index b7423d1..7206d32 100644
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -838,6 +838,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
+ eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
eap_conf.tnc = eapol->conf.tnc;
eap_conf.wps = eapol->conf.wps;
eap_conf.assoc_wps_ie = assoc_wps_ie;
@@ -1236,6 +1237,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->eap_teap_auth = src->eap_teap_auth;
dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
+ dst->eap_sim_id = src->eap_sim_id;
dst->tnc = src->tnc;
dst->wps = src->wps;
dst->fragment_size = src->fragment_size;
diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h
index 41b6b1b..bcdd509 100644
--- a/src/eapol_auth/eapol_auth_sm.h
+++ b/src/eapol_auth/eapol_auth_sm.h
@@ -39,6 +39,7 @@ struct eapol_auth_config {
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
+ int eap_sim_id;
int tnc;
struct wps_context *wps;
int fragment_size;
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 1b605c7..70efd11 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -249,6 +249,8 @@ struct radius_server_data {
*/
int eap_sim_aka_result_ind;
+ int eap_sim_id;
+
/**
* tnc - Trusted Network Connect (TNC)
*
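Review bot: The new `int eap_sim_id;` member lacks documentation in a struct whose neighbouring fields each carry a `/** ... */` block (the tail of the previous one ends just above it and the `tnc` block follows), so the only undocumented field is the one this commit adds, and the bit encoding is otherwise explained only in hostapd.conf. A matching block before the field, e.g. `/** eap_sim_id - EAP-SIM/AKA identity options (bit 0: use pseudonyms, bit 1: use fast reauth) */`, would keep struct radius_server_data self-describing. The struct definition starts before and continues after this hunk.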
@@ -798,6 +800,7 @@ radius_server_get_new_session(struct radius_server_data *data,
eap_conf.eap_teap_auth = data->eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
+ eap_conf.eap_sim_id = data->eap_sim_id;
eap_conf.tnc = data->tnc;
eap_conf.wps = data->wps;
eap_conf.pwd_group = data->pwd_group;
@@ -2393,6 +2396,7 @@ radius_server_init(struct radius_server_conf *conf)
data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
data->get_eap_user = conf->get_eap_user;
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+ data->eap_sim_id = conf->eap_sim_id;
data->tnc = conf->tnc;
data->wps = conf->wps;
data->pwd_group = conf->pwd_group;
diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index 88c22db..5489694 100644
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -139,6 +139,8 @@ struct radius_server_conf {
*/
int eap_sim_aka_result_ind;
+ int eap_sim_id;
+
/**
* tnc - Trusted Network Connect (TNC)
*
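Review bot: struct radius_server_conf is the public configuration interface of the RADIUS server, yet the added `int eap_sim_id;` is the one member here without a `/** ... */` block while `eap_sim_aka_result_ind` above and `tnc` below have one. Callers filling this struct (authsrv.c in this same commit) have no header-level hint that the value is a bitmask with 3 as the "everything enabled" default; a block such as `/** eap_sim_id - EAP-SIM/AKA identity options bitmask: 0x01 = use pseudonyms, 0x02 = use fast reauthentication (3 enables both) */` would close that gap. The struct definition starts before this hunk and continues after it.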