EAP-FAST: Added support for disabling anonymous/authenticated provisioning
eap_fast_prov config parameter can now be used to enable/disable different EAP-FAST provisioning modes: 0 = provisioning disabled; 1 = only anonymous provisioning allowed; 2 = only authenticated provisioning allowed; 3 = both provisioning modes allowed.
parent
f36f51e403
commit
378eae5e9b
13 changed files with 50 additions and 0 deletions
|
@ -186,6 +186,10 @@ static void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
|
||||||
bss->assoc_ping_timeout = 1000;
|
bss->assoc_ping_timeout = 1000;
|
||||||
bss->assoc_ping_attempts = 3;
|
bss->assoc_ping_attempts = 3;
|
||||||
#endif /* CONFIG_IEEE80211W */
|
#endif /* CONFIG_IEEE80211W */
|
||||||
|
#ifdef EAP_FAST
|
||||||
|
/* both anonymous and authenticated provisioning */
|
||||||
|
bss->eap_fast_prov = 3;
|
||||||
|
#endif /* EAP_FAST */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -1505,6 +1509,8 @@ struct hostapd_config * hostapd_config_read(const char *fname)
|
||||||
} else if (os_strcmp(buf, "eap_fast_a_id") == 0) {
|
} else if (os_strcmp(buf, "eap_fast_a_id") == 0) {
|
||||||
os_free(bss->eap_fast_a_id);
|
os_free(bss->eap_fast_a_id);
|
||||||
bss->eap_fast_a_id = os_strdup(pos);
|
bss->eap_fast_a_id = os_strdup(pos);
|
||||||
|
} else if (os_strcmp(buf, "eap_fast_prov") == 0) {
|
||||||
|
bss->eap_fast_prov = atoi(pos);
|
||||||
#endif /* EAP_FAST */
|
#endif /* EAP_FAST */
|
||||||
#ifdef EAP_SIM
|
#ifdef EAP_SIM
|
||||||
} else if (os_strcmp(buf, "eap_sim_db") == 0) {
|
} else if (os_strcmp(buf, "eap_sim_db") == 0) {
|
||||||
|
|
|
@ -251,6 +251,7 @@ struct hostapd_bss_config {
|
||||||
char *dh_file;
|
char *dh_file;
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
char *eap_fast_a_id;
|
char *eap_fast_a_id;
|
||||||
|
int eap_fast_prov;
|
||||||
int eap_sim_aka_result_ind;
|
int eap_sim_aka_result_ind;
|
||||||
int tnc;
|
int tnc;
|
||||||
|
|
||||||
|
|
|
@ -805,6 +805,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
|
||||||
eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
|
eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
|
||||||
eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
|
eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
|
||||||
eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
|
eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
|
||||||
|
eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
|
||||||
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
|
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
|
||||||
eap_conf.tnc = eapol->conf.tnc;
|
eap_conf.tnc = eapol->conf.tnc;
|
||||||
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
|
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
|
||||||
|
@ -1237,6 +1238,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
|
||||||
dst->eap_fast_a_id = os_strdup(src->eap_fast_a_id);
|
dst->eap_fast_a_id = os_strdup(src->eap_fast_a_id);
|
||||||
else
|
else
|
||||||
dst->eap_fast_a_id = NULL;
|
dst->eap_fast_a_id = NULL;
|
||||||
|
dst->eap_fast_prov = src->eap_fast_prov;
|
||||||
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
|
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
|
||||||
dst->tnc = src->tnc;
|
dst->tnc = src->tnc;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -49,6 +49,7 @@ struct eapol_auth_config {
|
||||||
size_t eap_req_id_text_len;
|
size_t eap_req_id_text_len;
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
char *eap_fast_a_id;
|
char *eap_fast_a_id;
|
||||||
|
int eap_fast_prov;
|
||||||
int eap_sim_aka_result_ind;
|
int eap_sim_aka_result_ind;
|
||||||
int tnc;
|
int tnc;
|
||||||
|
|
||||||
|
|
|
@ -1170,6 +1170,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd,
|
||||||
srv.ssl_ctx = hapd->ssl_ctx;
|
srv.ssl_ctx = hapd->ssl_ctx;
|
||||||
srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
|
srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
|
||||||
srv.eap_fast_a_id = conf->eap_fast_a_id;
|
srv.eap_fast_a_id = conf->eap_fast_a_id;
|
||||||
|
srv.eap_fast_prov = conf->eap_fast_prov;
|
||||||
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||||
srv.tnc = conf->tnc;
|
srv.tnc = conf->tnc;
|
||||||
srv.ipv6 = conf->radius_server_ipv6;
|
srv.ipv6 = conf->radius_server_ipv6;
|
||||||
|
|
|
@ -508,6 +508,13 @@ eap_server=0
|
||||||
# EAP-FAST authority identity (A-ID)
|
# EAP-FAST authority identity (A-ID)
|
||||||
#eap_fast_a_id=test server
|
#eap_fast_a_id=test server
|
||||||
|
|
||||||
|
# Enable/disable different EAP-FAST provisioning modes:
|
||||||
|
#0 = provisioning disabled
|
||||||
|
#1 = only anonymous provisioning allowed
|
||||||
|
#2 = only authenticated provisioning allowed
|
||||||
|
#3 = both provisioning modes allowed (default)
|
||||||
|
#eap_fast_prov=3
|
||||||
|
|
||||||
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
|
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
|
||||||
# (default: 0 = disabled).
|
# (default: 0 = disabled).
|
||||||
#eap_sim_aka_result_ind=1
|
#eap_sim_aka_result_ind=1
|
||||||
|
|
|
@ -1605,6 +1605,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
|
||||||
conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
|
conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
|
||||||
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
|
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
|
||||||
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
|
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
|
||||||
|
conf.eap_fast_prov = hapd->conf->eap_fast_prov;
|
||||||
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
|
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
|
||||||
conf.tnc = hapd->conf->tnc;
|
conf.tnc = hapd->conf->tnc;
|
||||||
|
|
||||||
|
|
|
@ -1153,6 +1153,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
|
||||||
}
|
}
|
||||||
if (conf->eap_fast_a_id)
|
if (conf->eap_fast_a_id)
|
||||||
sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
|
sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
|
||||||
|
sm->eap_fast_prov = conf->eap_fast_prov;
|
||||||
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||||
sm->tnc = conf->tnc;
|
sm->tnc = conf->tnc;
|
||||||
|
|
||||||
|
|
|
@ -96,6 +96,7 @@ struct eap_config {
|
||||||
int eap_server;
|
int eap_server;
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
char *eap_fast_a_id;
|
char *eap_fast_a_id;
|
||||||
|
int eap_fast_prov;
|
||||||
int eap_sim_aka_result_ind;
|
int eap_sim_aka_result_ind;
|
||||||
int tnc;
|
int tnc;
|
||||||
};
|
};
|
||||||
|
|
|
@ -1241,6 +1241,28 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
|
||||||
"completed successfully");
|
"completed successfully");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (data->anon_provisioning &&
|
||||||
|
sm->eap_fast_prov != ANON_PROV &&
|
||||||
|
sm->eap_fast_prov != BOTH_PROV) {
|
||||||
|
wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
|
||||||
|
"use unauthenticated provisioning which is "
|
||||||
|
"disabled");
|
||||||
|
eap_fast_state(data, FAILURE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sm->eap_fast_prov != AUTH_PROV &&
|
||||||
|
sm->eap_fast_prov != BOTH_PROV &&
|
||||||
|
tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
|
||||||
|
eap_fast_pac_type(tlv.pac, tlv.pac_len,
|
||||||
|
PAC_TYPE_TUNNEL_PAC)) {
|
||||||
|
wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
|
||||||
|
"use authenticated provisioning which is "
|
||||||
|
"disabled");
|
||||||
|
eap_fast_state(data, FAILURE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (data->anon_provisioning ||
|
if (data->anon_provisioning ||
|
||||||
(tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
|
(tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
|
||||||
eap_fast_pac_type(tlv.pac, tlv.pac_len,
|
eap_fast_pac_type(tlv.pac, tlv.pac_len,
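Review bot: The second new check (`sm->eap_fast_prov != AUTH_PROV && sm->eap_fast_prov != BOTH_PROV && ...`) does not consult `data->anon_provisioning`, so under mode 1 (ANON_PROV) a peer that negotiated the anonymous tunnel and also carries an explicit Tunnel-PAC request in its PAC TLV would be refused as "authenticated provisioning which is disabled" even though anonymous provisioning is permitted; if that combination can occur, gate the check with `if (!data->anon_provisioning && sm->eap_fast_prov != AUTH_PROV &&`. The anonymous-provisioning refusal is also made only here during phase 2 TLV processing, after the inner method has presumably already run inside the anonymous tunnel; refusing at the point where the anonymous tunnel is negotiated would avoid that work, though that code is outside this hunk. Both refusals are events an operator would want to see in normal logs, so `wpa_printf(MSG_INFO, "EAP-FAST: Client is trying to "` seems more appropriate than MSG_DEBUG for the two new messages. eap_fast_process_phase2_tlvs starts and ends outside this hunk.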
|
||||||
|
|
|
@ -172,6 +172,9 @@ struct eap_sm {
|
||||||
|
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
char *eap_fast_a_id;
|
char *eap_fast_a_id;
|
||||||
|
enum {
|
||||||
|
NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
|
||||||
|
} eap_fast_prov;
|
||||||
int eap_sim_aka_result_ind;
|
int eap_sim_aka_result_ind;
|
||||||
int tnc;
|
int tnc;
|
||||||
};
|
};
|
||||||
|
|
|
@ -86,6 +86,7 @@ struct radius_server_data {
|
||||||
void *ssl_ctx;
|
void *ssl_ctx;
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
char *eap_fast_a_id;
|
char *eap_fast_a_id;
|
||||||
|
int eap_fast_prov;
|
||||||
int eap_sim_aka_result_ind;
|
int eap_sim_aka_result_ind;
|
||||||
int tnc;
|
int tnc;
|
||||||
int ipv6;
|
int ipv6;
|
||||||
|
@ -311,6 +312,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
||||||
eap_conf.eap_server = 1;
|
eap_conf.eap_server = 1;
|
||||||
eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
|
eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
|
||||||
eap_conf.eap_fast_a_id = data->eap_fast_a_id;
|
eap_conf.eap_fast_a_id = data->eap_fast_a_id;
|
||||||
|
eap_conf.eap_fast_prov = data->eap_fast_prov;
|
||||||
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
|
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
|
||||||
eap_conf.tnc = data->tnc;
|
eap_conf.tnc = data->tnc;
|
||||||
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
|
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
|
||||||
|
@ -1016,6 +1018,7 @@ radius_server_init(struct radius_server_conf *conf)
|
||||||
}
|
}
|
||||||
if (conf->eap_fast_a_id)
|
if (conf->eap_fast_a_id)
|
||||||
data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
|
data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
|
||||||
|
data->eap_fast_prov = conf->eap_fast_prov;
|
||||||
data->get_eap_user = conf->get_eap_user;
|
data->get_eap_user = conf->get_eap_user;
|
||||||
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
||||||
data->tnc = conf->tnc;
|
data->tnc = conf->tnc;
|
||||||
|
|
|
@ -26,6 +26,7 @@ struct radius_server_conf {
|
||||||
void *ssl_ctx;
|
void *ssl_ctx;
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
char *eap_fast_a_id;
|
char *eap_fast_a_id;
|
||||||
|
int eap_fast_prov;
|
||||||
int eap_sim_aka_result_ind;
|
int eap_sim_aka_result_ind;
|
||||||
int tnc;
|
int tnc;
|
||||||
int ipv6;
|
int ipv6;
|
||||||
|
|