aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--hostapd/config_file.c4
-rw-r--r--hostapd/hostapd.conf6
-rw-r--r--src/ap/ap_config.c3
-rw-r--r--src/ap/ap_config.h2
-rw-r--r--src/ap/authsrv.c2
-rw-r--r--src/eap_server/eap.h3
-rw-r--r--src/eap_server/eap_i.h4
-rw-r--r--src/eap_server/eap_server.c16
8 files changed, 29 insertions, 11 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 4a2f12d..3ffd1ac 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2547,6 +2547,10 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->tls_session_lifetime = atoi(pos);
} else if (os_strcmp(buf, "tls_flags") == 0) {
bss->tls_flags = parse_tls_flags(pos);
+ } else if (os_strcmp(buf, "max_auth_rounds") == 0) {
+ bss->max_auth_rounds = atoi(pos);
+ } else if (os_strcmp(buf, "max_auth_rounds_short") == 0) {
+ bss->max_auth_rounds_short = atoi(pos);
} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
os_free(bss->ocsp_stapling_response);
bss->ocsp_stapling_response = os_strdup(pos);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index b6091a1..6c96a76 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1081,6 +1081,12 @@ eap_server=0
# [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
#tls_flags=[flag1][flag2]...
+# Maximum number of EAP message rounds with data (default: 100)
+#max_auth_rounds=100
+
+# Maximum number of short EAP message rounds (default: 50)
+#max_auth_rounds_short=50
+
# Cached OCSP stapling response (DER encoded)
# If set, this file is sent as a certificate status response by the EAP server
# if the EAP peer requests certificate status in the ClientHello message.
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 90348e1..80a73d6 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -135,6 +135,9 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
* completed and tested with other implementations. */
bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
+ bss->max_auth_rounds = 100;
+ bss->max_auth_rounds_short = 50;
+
bss->send_probe_response = 1;
#ifdef CONFIG_HS20
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 484e1b6..c49b48f 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -415,6 +415,8 @@ struct hostapd_bss_config {
unsigned int crl_reload_interval;
unsigned int tls_session_lifetime;
unsigned int tls_flags;
+ unsigned int max_auth_rounds;
+ unsigned int max_auth_rounds_short;
char *ocsp_stapling_response;
char *ocsp_stapling_response_multi;
char *dh_file;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index 110c0ca..8e12daf 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -187,6 +187,8 @@ static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd)
cfg->eap_sim_db_priv = hapd->eap_sim_db_priv;
cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime;
cfg->tls_flags = hapd->conf->tls_flags;
+ cfg->max_auth_rounds = hapd->conf->max_auth_rounds;
+ cfg->max_auth_rounds_short = hapd->conf->max_auth_rounds_short;
if (hapd->conf->pac_opaque_encr_key)
cfg->pac_opaque_encr_key =
os_memdup(hapd->conf->pac_opaque_encr_key, 16);
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index 9192c1a..540b4e7 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -255,6 +255,9 @@ struct eap_config {
int erp;
unsigned int tls_session_lifetime;
unsigned int tls_flags;
+
+ unsigned int max_auth_rounds;
+ unsigned int max_auth_rounds_short;
};
struct eap_session_data {
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index c560116..44896a6 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -171,8 +171,8 @@ struct eap_sm {
struct eap_config cfg_buf;
Boolean update_user;
- int num_rounds;
- int num_rounds_short;
+ unsigned int num_rounds;
+ unsigned int num_rounds_short;
enum {
METHOD_PENDING_NONE, METHOD_PENDING_WAIT, METHOD_PENDING_CONT
} method_pending;
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 677fc4e..34ce239 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -23,9 +23,6 @@
#define STATE_MACHINE_DATA struct eap_sm
#define STATE_MACHINE_DEBUG_PREFIX "EAP"
-#define EAP_MAX_AUTH_ROUNDS 100
-#define EAP_MAX_AUTH_ROUNDS_SHORT 50
-
/* EAP state machines are described in RFC 4137 */
static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount,
@@ -1172,19 +1169,20 @@ SM_STEP(EAP)
SM_ENTER_GLOBAL(EAP, INITIALIZE);
else if (!sm->eap_if.portEnabled)
SM_ENTER_GLOBAL(EAP, DISABLED);
- else if (sm->num_rounds > EAP_MAX_AUTH_ROUNDS) {
- if (sm->num_rounds == EAP_MAX_AUTH_ROUNDS + 1) {
+ else if (sm->num_rounds > sm->cfg->max_auth_rounds) {
+ if (sm->num_rounds == sm->cfg->max_auth_rounds + 1) {
wpa_printf(MSG_DEBUG, "EAP: more than %d "
"authentication rounds - abort",
- EAP_MAX_AUTH_ROUNDS);
+ sm->cfg->max_auth_rounds);
sm->num_rounds++;
SM_ENTER_GLOBAL(EAP, FAILURE);
}
- } else if (sm->num_rounds_short > EAP_MAX_AUTH_ROUNDS_SHORT) {
- if (sm->num_rounds_short == EAP_MAX_AUTH_ROUNDS_SHORT + 1) {
+ } else if (sm->num_rounds_short > sm->cfg->max_auth_rounds_short) {
+ if (sm->num_rounds_short ==
+ sm->cfg->max_auth_rounds_short + 1) {
wpa_printf(MSG_DEBUG,
"EAP: more than %d authentication rounds (short) - abort",
- EAP_MAX_AUTH_ROUNDS_SHORT);
+ sm->cfg->max_auth_rounds_short);
sm->num_rounds_short++;
SM_ENTER_GLOBAL(EAP, FAILURE);
}