authorJouni Malinen <j@w1.fi>2019-07-09 13:56:02 (GMT)
committerJouni Malinen <j@w1.fi>2019-07-09 13:56:02 (GMT)
commit0ed57c5ea8cf1ec32698b1a876bb014ebfc1136f (patch)
tree9af821327604e40c3a6d8fa07140344e74491552 /hostapd
parent7c6f1c5e4a24d0e7e0bd71222df56d7e2a7149fa (diff)
EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details that prevent an unambiguous interpretation. As such, there may be interoperability issues with other implementations, and this version should not be deployed for production purposes until those unclear areas are resolved. This does not yet support use of the NewSessionTicket message to deliver a new PAC (in either the server or the peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'hostapd')
-rw-r--r--hostapd/Android.mk10
-rw-r--r--hostapd/Makefile10
-rw-r--r--hostapd/config_file.c14
-rw-r--r--hostapd/defconfig10
-rw-r--r--hostapd/eap_register.c5
-rw-r--r--hostapd/hostapd.conf10
6 files changed, 59 insertions, 0 deletions
diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index e082cab..79b8a48 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -487,6 +487,16 @@ NEED_T_PRF=y
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_EAP_TEAP
+L_CFLAGS += -DEAP_SERVER_TEAP
+OBJS += src/eap_server/eap_server_teap.c
+OBJS += src/eap_common/eap_teap_common.c
+TLS_FUNCS=y
+NEED_T_PRF=y
+NEED_SHA384=y
+NEED_AES_UNWRAP=y
+endif
+
ifdef CONFIG_WPS
L_CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += src/utils/uuid.c
diff --git a/hostapd/Makefile b/hostapd/Makefile
index a8d77fe..2a6bd7a 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -526,6 +526,16 @@ NEED_T_PRF=y
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_EAP_TEAP
+CFLAGS += -DEAP_SERVER_TEAP
+OBJS += ../src/eap_server/eap_server_teap.o
+OBJS += ../src/eap_common/eap_teap_common.o
+TLS_FUNCS=y
+NEED_T_PRF=y
+NEED_SHA384=y
+NEED_AES_UNWRAP=y
+endif
+
ifdef CONFIG_WPS
CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += ../src/utils/uuid.o
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index c4106c1..3a29438 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2675,6 +2675,20 @@ static int hostapd_config_fill(struct hostapd_config *conf,
} else if (os_strcmp(buf, "pac_key_refresh_time") == 0) {
bss->pac_key_refresh_time = atoi(pos);
#endif /* EAP_SERVER_FAST */
+#ifdef EAP_SERVER_TEAP
+ } else if (os_strcmp(buf, "eap_teap_auth") == 0) {
+ int val = atoi(pos);
+
+ if (val < 0 || val > 1) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Invalid eap_teap_auth value",
+ line);
+ return 1;
+ }
+ bss->eap_teap_auth = val;
+ } else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) {
+ bss->eap_teap_pac_no_inner = atoi(pos);
+#endif /* EAP_SERVER_TEAP */
#ifdef EAP_SERVER_SIM
} else if (os_strcmp(buf, "eap_sim_db") == 0) {
os_free(bss->eap_sim_db);
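Review bot: The new `eap_teap_pac_no_inner` parser stores `atoi(pos)` without any range check, while the `eap_teap_auth` branch a few lines above rejects anything outside 0..1 and fails the config load; a value like `2` or garbage text (atoi returns 0 silently) is accepted and presumably treated as a boolean by the TEAP server code, which is inconsistent with the neighbouring option. Since `eap_teap_pac_no_inner=1` disables the inner authentication when a PAC is presented, a typo here silently changes the authentication policy, so the same strict validation seems warranted. hostapd_config_fill begins and ends outside this hunk.
```c
	} else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) {
		int val = atoi(pos);

		if (val < 0 || val > 1) {
			wpa_printf(MSG_ERROR,
				   "Line %d: Invalid eap_teap_pac_no_inner value",
				   line);
			return 1;
		}
		bss->eap_teap_pac_no_inner = val;
```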
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 891ed68..01871c9 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -110,6 +110,16 @@ CONFIG_EAP_TTLS=y
# EAP-FAST for the integrated EAP server
#CONFIG_EAP_FAST=y
+# EAP-TEAP for the integrated EAP server
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
# Wi-Fi Protected Setup (WPS)
#CONFIG_WPS=y
# Enable UPnP support for external WPS Registrars
diff --git a/hostapd/eap_register.c b/hostapd/eap_register.c
index 8477c21..3e870c7 100644
--- a/hostapd/eap_register.c
+++ b/hostapd/eap_register.c
@@ -121,6 +121,11 @@ int eap_server_register_methods(void)
ret = eap_server_fast_register();
#endif /* EAP_SERVER_FAST */
+#ifdef EAP_SERVER_TEAP
+ if (ret == 0)
+ ret = eap_server_teap_register();
+#endif /* EAP_SERVER_TEAP */
+
#ifdef EAP_SERVER_WSC
if (ret == 0)
ret = eap_server_wsc_register();
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 71e577a..d67a405 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1174,6 +1174,16 @@ eap_server=0
# (or fewer) of the lifetime remains.
#pac_key_refresh_time=86400
+# EAP-TEAP authentication type
+# 0 = inner EAP (default)
+# 1 = Basic-Password-Auth
+#eap_teap_auth=0
+
+# EAP-TEAP authentication behavior when using PAC
+# 0 = perform inner authentication (default)
+# 1 = skip inner authentication (inner EAP/Basic-Password-Auth)
+#eap_teap_pac_no_inner=0
+
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
# (default: 0 = disabled).
#eap_sim_aka_result_ind=1
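Review bot: The hostapd.conf description of `eap_teap_pac_no_inner=1` does not say what skipping the inner authentication means for the operator: when a valid PAC is presented, the peer is accepted on the strength of the PAC alone and no password or inner EAP exchange takes place, so PAC handling and distribution become the only credential check. I would add a line after `# 1 = skip inner authentication (inner EAP/Basic-Password-Auth)` such as `# Note: with 1, possession of a valid PAC is sufficient to authenticate the peer; protect PAC-Opaque keys and distribution accordingly.` It would also help to carry the defconfig's "experimental, not for production use" warning into this EAP-TEAP section, since operators reading hostapd.conf will not see defconfig.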