authorJouni Malinen <j@w1.fi>2014-11-29 21:14:40 (GMT)
committerJouni Malinen <j@w1.fi>2014-12-04 10:16:29 (GMT)
commit02a8d45ace2933dd7ecc7509206d170ac6c44357 (patch)
tree0475b8bd1903cdab2e06f1e373325a737f23adb7 /wpa_supplicant
parentd3bddd8b84dc345f7aa0c20536f45a68e0a5ba85 (diff)
ERP: Add support for ERP on EAP peer
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant network configuration parameter erp=1 can now be used to configure the EAP peer to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. If EAP authenticator indicates support for re-authentication protocol, initiate this with EAP-Initiate/Re-auth and complete protocol when receiving EAP-Finish/Re-auth. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/Android.mk9
-rw-r--r--wpa_supplicant/Makefile9
-rw-r--r--wpa_supplicant/config.c1
-rw-r--r--wpa_supplicant/config_file.c1
-rw-r--r--wpa_supplicant/ctrl_iface.c9
-rw-r--r--wpa_supplicant/wpa_supplicant.conf2
6 files changed, 31 insertions, 0 deletions
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index 5ab2996..7d7f1b6 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -346,6 +346,12 @@ ifeq ($(CONFIG_L2_PACKET), freebsd)
LIBS += -lpcap
endif
+ifdef CONFIG_ERP
+L_CFLAGS += -DCONFIG_ERP
+NEED_SHA256=y
+NEED_HMAC_SHA256_KDF=y
+endif
+
ifdef CONFIG_EAP_TLS
# EAP-TLS
ifeq ($(CONFIG_EAP_TLS), dyn)
@@ -1243,6 +1249,9 @@ endif
ifdef NEED_TLS_PRF_SHA256
SHA256OBJS += src/crypto/sha256-tlsprf.c
endif
+ifdef NEED_HMAC_SHA256_KDF
+SHA256OBJS += src/crypto/sha256-kdf.c
+endif
OBJS += $(SHA256OBJS)
endif
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 470a85d..c2f8d01 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -348,6 +348,12 @@ ifeq ($(CONFIG_L2_PACKET), freebsd)
LIBS += -lpcap
endif
+ifdef CONFIG_ERP
+CFLAGS += -DCONFIG_ERP
+NEED_SHA256=y
+NEED_HMAC_SHA256_KDF=y
+endif
+
ifdef CONFIG_EAP_TLS
# EAP-TLS
ifeq ($(CONFIG_EAP_TLS), dyn)
@@ -1256,6 +1262,9 @@ endif
ifdef NEED_TLS_PRF_SHA256
SHA256OBJS += ../src/crypto/sha256-tlsprf.o
endif
+ifdef NEED_HMAC_SHA256_KDF
+OBJS += ../src/crypto/sha256-kdf.o
+endif
OBJS += $(SHA256OBJS)
endif
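Review bot: The added rule appends `../src/crypto/sha256-kdf.o` to `OBJS` directly, while the `NEED_TLS_PRF_SHA256` rule just above it and the matching Android.mk hunk both append to `SHA256OBJS`. Because `OBJS += $(SHA256OBJS)` follows immediately, wpa_supplicant itself links either way. Any other target that reuses `SHA256OBJS` (none is visible in this hunk) would be built without the KDF object, though. Writing `SHA256OBJS += ../src/crypto/sha256-kdf.o` would keep the two build files aligned. The enclosing `ifdef` opens outside the hunk.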
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 30566f8..5ebc1a8 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1820,6 +1820,7 @@ static const struct parse_data ssid_fields[] = {
{ INT(eapol_flags) },
{ INTe(sim_num) },
{ STRe(openssl_ciphers) },
+ { INTe(erp) },
#endif /* IEEE8021X_EAPOL */
{ FUNC_KEY(wep_key0) },
{ FUNC_KEY(wep_key1) },
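Review bot: The new `{ INTe(erp) }` entry accepts any integer, while the commit message documents only `erp=1` as the enabling value. This switch decides whether the peer derives the rRK/rIK re-authentication keys, so a typo such as `erp=2` or `erp=-1` should be rejected at parse time. As written, it is left to whatever test the EAP code applies, which is not visible here. This parser already has a range-checked form for plain fields (`INT_RANGE(...)`); if an equivalent for the EAP sub-structure is available, constraining erp to 0..1 would be preferable. The `ssid_fields[]` table begins and ends outside the hunk.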
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 4f2b146..b10d236 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -716,6 +716,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INTe(engine);
INTe(engine2);
INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
+ INTe(erp);
#endif /* IEEE8021X_EAPOL */
for (i = 0; i < 4; i++)
write_wep_key(f, i, ssid);
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 462460e..02d429f 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -3619,6 +3619,15 @@ static int wpa_supplicant_ctrl_iface_get_capability(
return ctrl_iface_get_capability_tdls(wpa_s, buf, buflen);
#endif /* CONFIG_TDLS */
+#ifdef CONFIG_ERP
+ if (os_strcmp(field, "erp") == 0) {
+ res = os_snprintf(buf, buflen, "ERP");
+ if (res < 0 || (unsigned int) res >= buflen)
+ return -1;
+ return res;
+ }
+#endif /* CONFIG_EPR */
+
wpa_printf(MSG_DEBUG, "CTRL_IFACE: Unknown GET_CAPABILITY field '%s'",
field);
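Review bot: The closing guard comment reads `#endif /* CONFIG_EPR */`, but the block opens with `#ifdef CONFIG_ERP`. It should be `#endif /* CONFIG_ERP */`, so that a search for the build flag finds both ends of the conditional. The truncation check on `os_snprintf` looks fine as written. The enclosing function `wpa_supplicant_ctrl_iface_get_capability` starts and ends outside the hunk.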
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 91b2da8..95a212d 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -955,6 +955,8 @@ fast_reauth=1
# This can be used to override the global openssl_ciphers configuration
# parameter (see above).
#
+# erp: Whether EAP Re-authentication Protocol (ERP) is enabled
+#
# EAP-FAST variables:
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
# to create this file and write updates to it when PAC is being