From 6bb11c7a405616de9a2b3af395117ebe7bdc7047 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 1 Aug 2019 00:02:02 +0300
Subject: [PATCH] EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled

The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'.

Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 2 ++
 hostapd/hostapd.conf | 7 +++++++
 src/ap/ap_config.c | 1 +
 src/ap/ap_config.h | 1 +
 src/ap/authsrv.c | 1 +
 src/ap/ieee802_1x.c | 1 +
 src/eap_server/eap.h | 1 +
 src/eap_server/eap_i.h | 1 +
 src/eap_server/eap_server.c | 1 +
 src/eap_server/eap_server_aka.c | 10 ++++++++--
 src/eap_server/eap_server_sim.c | 10 ++++++++--
 src/eapol_auth/eapol_auth_sm.c | 2 ++
 src/eapol_auth/eapol_auth_sm.h | 1 +
 src/radius/radius_server.c | 4 ++++
 src/radius/radius_server.h | 2 ++
 15 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 1f2c56583..e09e6e141 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2629,6 +2629,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 bss->eap_sim_db_timeout = atoi(pos);
 } else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) {
 bss->eap_sim_aka_result_ind = atoi(pos);
+ } else if (os_strcmp(buf, "eap_sim_id") == 0) {
+ bss->eap_sim_id = atoi(pos);
 #endif /* EAP_SERVER_SIM */
 #ifdef EAP_SERVER_TNC
 } else if (os_strcmp(buf, "tnc") == 0) {
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 5138aeebc..ce3ecdddf 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
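Review bot: The new `eap_sim_id` branch stores `atoi(pos)` with no range check, so a value outside the 0..3 set documented in hostapd.conf is accepted silently, and non-numeric text becomes 0, which turns off both pseudonyms and fast reauthentication without any diagnostic. Only the two low bits are ever consulted by the EAP-SIM/AKA code, so a guard such as `if (bss->eap_sim_id < 0 || bss->eap_sim_id > 3) return 1;` after the assignment, preceded by an error log in whatever style the rest of hostapd_config_fill uses for invalid values, would surface the mistake at config load instead of as a quiet behaviour change at authentication time. hostapd_config_fill starts and ends outside this hunk, so I have not verified its error-return convention; mirror one of the existing branches.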
@@ -1205,6 +1205,13 @@ eap_server=0
 # (default: 0 = disabled).
 #eap_sim_aka_result_ind=1
 
+# EAP-SIM and EAP-AKA identity options
+# 0 = do not use pseudonyms or fast reauthentication
+# 1 = use pseudonyms, but not fast reauthentication
+# 2 = do not use pseudonyms, but use fast reauthentication
+# 3 = use pseudonyms and use fast reauthentication (default)
+#eap_sim_id=3
+
 # Trusted Network Connect (TNC)
 # If enabled, TNC validation will be required before the peer is allowed to
 # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 968eb65a6..90348e1dd 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -78,6 +78,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 
 bss->radius_server_auth_port = 1812;
 bss->eap_sim_db_timeout = 1;
+ bss->eap_sim_id = 3;
 bss->ap_max_inactivity = AP_MAX_INACTIVITY;
 bss->eapol_version = EAPOL_VERSION;
 
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 0a1d49b71..ea581a822 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -430,6 +430,7 @@ struct hostapd_bss_config {
 int eap_teap_auth;
 int eap_teap_pac_no_inner;
 int eap_sim_aka_result_ind;
+ int eap_sim_id;
 int tnc;
 int fragment_size;
 u16 pwd_group;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index b3d910742..4f5fe7db4 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -123,6 +123,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
 srv.eap_teap_auth = conf->eap_teap_auth;
 srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
 srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+ srv.eap_sim_id = conf->eap_sim_id;
 srv.tnc = conf->tnc;
 srv.wps = hapd->wps;
 srv.ipv6 = conf->radius_server_ipv6;
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index ab6989b0d..e0614710f 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2437,6 +2437,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
 conf.eap_teap_auth = hapd->conf->eap_teap_auth;
 conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner;
 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
+ conf.eap_sim_id = hapd->conf->eap_sim_id;
 conf.tnc = hapd->conf->tnc;
 conf.wps = hapd->wps;
 conf.fragment_size = hapd->conf->fragment_size;
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index a32c8835c..a9cf5c97b 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -124,6 +124,7 @@ struct eap_config {
 int eap_teap_auth;
 int eap_teap_pac_no_inner;
 int eap_sim_aka_result_ind;
+ int eap_sim_id;
 int tnc;
 struct wps_context *wps;
 const struct wpabuf *assoc_wps_ie;
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 8e6ac4649..f9ab32d69 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -193,6 +193,7 @@ struct eap_sm {
 int eap_teap_auth;
 int eap_teap_pac_no_inner;
 int eap_sim_aka_result_ind;
+ int eap_sim_id;
 int tnc;
 u16 pwd_group;
 struct wps_context *wps;
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 724ec154f..568eebd7e 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1872,6 +1872,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 sm->eap_teap_auth = conf->eap_teap_auth;
 sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
 sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+ sm->eap_sim_id = conf->eap_sim_id;
 sm->tnc = conf->tnc;
 sm->wps = conf->wps;
 if (conf->assoc_wps_ie)
diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index e145a12a5..4dadfe197 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -393,7 +393,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
 const u8 *nonce_s)
 {
 os_free(data->next_pseudonym);
- if (nonce_s == NULL) {
+ if (!(sm->eap_sim_id & 0x01)) {
+ /* Use of pseudonyms disabled in configuration */
+ data->next_pseudonym = NULL;
+ } else if (!nonce_s) {
 data->next_pseudonym =
 eap_sim_db_get_next_pseudonym(
 sm->eap_sim_db_priv,
@@ -404,7 +407,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
 data->next_pseudonym = NULL;
 }
 os_free(data->next_reauth_id);
- if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
+ if (!(sm->eap_sim_id & 0x02)) {
+ /* Use of fast reauth disabled in configuration */
+ data->next_reauth_id = NULL;
+ } else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
 data->next_reauth_id =
 eap_sim_db_get_next_reauth_id(
 sm->eap_sim_db_priv,
diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c
index f8aa508ec..5243568e7 100644
--- a/src/eap_server/eap_server_sim.c
+++ b/src/eap_server/eap_server_sim.c
@@ -150,7 +150,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
 const u8 *nonce_s)
 {
 os_free(data->next_pseudonym);
- if (nonce_s == NULL) {
+ if (!(sm->eap_sim_id & 0x01)) {
+ /* Use of pseudonyms disabled in configuration */
+ data->next_pseudonym = NULL;
+ } else if (!nonce_s) {
 data->next_pseudonym =
 eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
 EAP_SIM_DB_SIM);
@@ -159,7 +162,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
 data->next_pseudonym = NULL;
 }
 os_free(data->next_reauth_id);
- if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
+ if (!(sm->eap_sim_id & 0x02)) {
+ /* Use of fast reauth disabled in configuration */
+ data->next_reauth_id = NULL;
+ } else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
 data->next_reauth_id =
 eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
 EAP_SIM_DB_SIM);
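Review bot: The identity-option layout is tested as bare masks, `!(sm->eap_sim_id & 0x01)` and `!(sm->eap_sim_id & 0x02)`, in eap_aka_build_encr here and again in eap_sim_build_encr below, while the only statement of what the bits mean is the comment block in hostapd.conf. Defining the two bits once beside the new `int eap_sim_id;` field in eap.h, e.g. `#define EAP_SIM_ID_PSEUDONYM 0x01` and `#define EAP_SIM_ID_FAST_REAUTH 0x02`, and testing those names in both methods would keep EAP-SIM and EAP-AKA from drifting apart and make the field self-describing. That field comment should also record the consequence of clearing bit 0: the server no longer supplies a next pseudonym, so (as far as the visible code shows) every full authentication has to start from the peer's permanent identity, which is exactly the identity-privacy protection the pseudonyms exist to give; an operator choosing 0 or 2 should be making that trade-off knowingly. Both eap_aka_build_encr and eap_sim_build_encr continue past the end of their hunks.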
diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index b7423d135..7206d32d7 100644
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -838,6 +838,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
 eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
 eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
+ eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
 eap_conf.tnc = eapol->conf.tnc;
 eap_conf.wps = eapol->conf.wps;
 eap_conf.assoc_wps_ie = assoc_wps_ie;
@@ -1236,6 +1237,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 dst->eap_teap_auth = src->eap_teap_auth;
 dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
 dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
+ dst->eap_sim_id = src->eap_sim_id;
 dst->tnc = src->tnc;
 dst->wps = src->wps;
 dst->fragment_size = src->fragment_size;
diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h
index 41b6b1b1a..bcdd50971 100644
--- a/src/eapol_auth/eapol_auth_sm.h
+++ b/src/eapol_auth/eapol_auth_sm.h
@@ -39,6 +39,7 @@ struct eapol_auth_config {
 int eap_teap_auth;
 int eap_teap_pac_no_inner;
 int eap_sim_aka_result_ind;
+ int eap_sim_id;
 int tnc;
 struct wps_context *wps;
 int fragment_size;
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 1b605c7f0..70efd11b4 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -249,6 +249,8 @@ struct radius_server_data {
 */
 int eap_sim_aka_result_ind;
 
+ int eap_sim_id;
+
 /**
 * tnc - Trusted Network Connect (TNC)
 *
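Review bot: The `int eap_sim_id;` added to struct radius_server_data sits between two fields that carry Doxygen descriptions (the `*/` closing the eap_sim_aka_result_ind block and the `/** tnc - Trusted Network Connect (TNC)` block that follows) but has none of its own, and the same applies to the copy added to struct radius_server_conf in radius_server.h. A block in the surrounding style placed above the field in both structs, `/** eap_sim_id - EAP-SIM/AKA identity options (bit 0: pseudonyms, bit 1: fast reauthentication) */`, would keep these structs self-describing and give readers of the RADIUS server the bit meanings that are otherwise only stated in hostapd.conf. struct radius_server_data itself begins and ends outside this hunk.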
@@ -798,6 +800,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 eap_conf.eap_teap_auth = data->eap_teap_auth;
 eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
 eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
+ eap_conf.eap_sim_id = data->eap_sim_id;
 eap_conf.tnc = data->tnc;
 eap_conf.wps = data->wps;
 eap_conf.pwd_group = data->pwd_group;
@@ -2393,6 +2396,7 @@ radius_server_init(struct radius_server_conf *conf)
 data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
 data->get_eap_user = conf->get_eap_user;
 data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+ data->eap_sim_id = conf->eap_sim_id;
 data->tnc = conf->tnc;
 data->wps = conf->wps;
 data->pwd_group = conf->pwd_group;
diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index 88c22db86..54896946e 100644
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -139,6 +139,8 @@ struct radius_server_conf {
 */
 int eap_sim_aka_result_ind;
 
+ int eap_sim_id;
+
 /**
 * tnc - Trusted Network Connect (TNC)
 *