path: root/src/eap_server/eap_server_sim.c
Commit message | Author | Age | Files | Lines
* EAP server: Use struct eap_config to avoid duplicated definitions | Jouni Malinen | 2019-08-18 | 1 | -17/+19
  Use struct eap_config as-is within struct eap_sm and EAPOL authenticator to avoid having to duplicate all the configuration variables at each interface. Split the couple of session specific variables into a separate struct to allow a single const struct eap_config to be used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled | Jouni Malinen | 2019-08-01 | 1 | -2/+8
  The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-SIM server: Avoid void pointer arithmetic | Jouni Malinen | 2019-07-24 | 1 | -1/+1
  This is a compiler specific extension and not compliant with the C standard.
  Fixes: 1c16b257a081 ("EAP-SIM: Add Session-Id derivation during fast-reauth")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-SIM: Add Session-Id derivation during fast-reauth | Mohit Sethi | 2019-05-25 | 1 | -5/+26
  The Session-Id derivation for EAP-SIM in RFC 5247 only explained how the Session-Id is derived for regular authentication. Jouni reported it as an errata with text explaining how to derive it during fast reauthentication. This patch now exports the Session-Id for EAP-SIM during fast reauthentication based on this Session-Id = 0x12 || NONCE_S || MAC construction.
  Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
* EAP: Make method and IMSI available from server structures | Jouni Malinen | 2018-12-14 | 1 | -0/+3
  Expose EAP method and IMSI from the completed (or ongoing) EAP authentication session. These are needed for implementing Hotspot 2.0 SIM provisioning.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Use os_memdup() | Johannes Berg | 2017-03-07 | 1 | -4/+2
  This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively.

  The mechanical conversions all over the code were done with the following spatch:

      @@
      expression SIZE, SRC;
      expression a;
      @@
      -a = os_malloc(SIZE);
      +a = os_memdup(SRC, SIZE);
      <...
      if (!a) {...}
      ...>
      -os_memcpy(a, SRC, SIZE);

  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* EAP server: Simplify EAP method registration call | Jouni Malinen | 2016-01-13 | 1 | -5/+1
  Free the allocated structure in error cases to remove need for each EAP method to handle the error cases separately. Each registration function can simply do "return eap_server_method_register(eap);" in the end of the function.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP server: Add getSessionId | Jouni Malinen | 2014-11-30 | 1 | -0/+24
  This extends EAP server implementation to derive Session-Id similarly to the existing EAP peer implementation.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Clear keying material on deinit | Jouni Malinen | 2014-07-02 | 1 | -1/+1
  Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Pass EAP type as argument to eap_sim_msg_finish() | Jouni Malinen | 2014-07-02 | 1 | -5/+5
  This makes it easier for static analyzers to figure out which code paths are possible within eap_sim_msg_finish() for EAP-SIM. This will hopefully avoid some false warnings (CID 68110, CID 68113, CID 68114).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Fix memory leak in error path | Jouni Malinen | 2012-11-11 | 1 | -0/+1
  If identity round limit is reached, EAP-SIM/AKA session is terminated. This needs to free the allocated message.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Move subtype validation from check into process | Jouni Malinen | 2012-09-01 | 1 | -3/+15
  This is needed to be able to use SIM-Notification round to indicate failure per RFC 4186, chapter 6.3.3.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Use Notification before EAP-Failure | Jouni Malinen | 2012-09-01 | 1 | -20/+26
  RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after Client-Error and Notification messages. Convert the direct jumps to the FAILURE state with a notification round before sending out EAP-Failure.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Add support for AT_COUNTER_TOO_SMALL | Jouni Malinen | 2012-09-01 | 1 | -0/+26
  If the peer rejects re-authentication with AT_COUNTER_TOO_SMALL, fall back to full authentication to allow the authentication session to be completed.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM DB: Use char* strings instead of u8* pointer and length | Jouni Malinen | 2012-09-01 | 1 | -27/+11
  Since the EAP-SIM/AKA identities are ASCII strings, there is no need to use more complex way for storing and passing them. In addition, be more strict about enforcing username (i.e., no realm part) to be used in the EAP-SIM DB API. Similarly, require specific username type instead of any of the types to be used as the key in the pseudonym and reauth operations. This allows simpler lookup operations to be used.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Store permanent username in session data | Jouni Malinen | 2012-09-01 | 1 | -68/+71
  This allows identity use to be cleaned up in various operations.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Require SIM/Start response to include identity | Jouni Malinen | 2012-09-01 | 1 | -11/+23
  Since we always request an identity in the request, the response has to include AT_IDENTITY. This allows the SIM/Start response processing to be simplified a bit.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Use simpler SIM/Start identity request determination | Jouni Malinen | 2012-09-01 | 1 | -15/+15
  There is no need to use eap_sim_db_identity_known() here since a new SIM/Start message is built only if the identity in the previous response was not recognized. The first round will always request AT_ANY_ID_REQ to meet the RFC 4186 recommendation on EAP method specific identity request being used.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym to be used after unknown reauth id | Jouni Malinen | 2012-06-15 | 1 | -2/+11
  If the peer uses an unknown reauth id, it would still be possible to use pseudonym instead of permanent id. Allow this by changing the AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is used in EAP-Response/Identity.
  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-AKA': Update to RFC 5448 | Jouni Malinen | 2012-05-02 | 1 | -2/+4
  There was a technical change between the last IETF draft version (draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters used in the username (i.e., use unique characters for EAP-AKA' instead of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and peer implementations to use the leading characters based on the final RFC. Note: This will make EAP-AKA' not interoperate between the earlier draft version and the new version.
  Signed-hostap: Jouni Malinen <j@w1.fi>
  intended-for: hostap-1
* EAP-SIM/AKA server: Fix re-authentication not to update pseudonym | Jouni Malinen | 2012-02-16 | 1 | -7/+7
  AT_NEXT_PSEUDONYM is supposed to be included only in the Challenge messages, not in the Re-authentication messages. This attribute was incorrectly included in the Re-authentication messages and could have been used to update the pseudonym state on the server without the peer updating its state.
  Signed-hostap: Jouni Malinen <j@w1.fi>
  intended-for: hostap-1
* Remove the GPL notification from files contributed by Jouni Malinen | Jouni Malinen | 2012-02-11 | 1 | -8/+2
  Remove the GPL notification text from the files that were initially contributed by myself.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Annotate places depending on strong random numbers | Jouni Malinen | 2010-11-23 | 1 | -1/+2
  This commit adds a new wrapper, random_get_bytes(), that is currently defined to use os_get_random() as is. The places using random_get_bytes() depend on the returned value being strong random number, i.e., something that is infeasible for external device to figure out. These values are used either directly as a key or as nonces/challenges that are used as input for key derivation or authentication. The remaining direct uses of os_get_random() do not need as strong random numbers to function correctly.
* Rename EAP server source files to avoid duplicate names | Jouni Malinen | 2010-02-19 | 1 | -0/+797
  This makes it easier to build both EAP peer and server functionality into the same project with some toolchains.