EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled

The new hostapd configuration option eap_sim_id can now be used to
disable use of pseudonym and/or fast reauthentication with EAP-SIM,
EAP-AKA, and EAP-AKA'.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-08-01 00:02:02 +03:00 committed by Jouni Malinen
parent c1b2365214
commit 6bb11c7a40
15 changed files with 41 additions and 4 deletions


@ -2629,6 +2629,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->eap_sim_db_timeout = atoi(pos); bss->eap_sim_db_timeout = atoi(pos);
} else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) { } else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) {
bss->eap_sim_aka_result_ind = atoi(pos); bss->eap_sim_aka_result_ind = atoi(pos);
} else if (os_strcmp(buf, "eap_sim_id") == 0) {
bss->eap_sim_id = atoi(pos);
#endif /* EAP_SERVER_SIM */ #endif /* EAP_SERVER_SIM */
#ifdef EAP_SERVER_TNC #ifdef EAP_SERVER_TNC
} else if (os_strcmp(buf, "tnc") == 0) { } else if (os_strcmp(buf, "tnc") == 0) {
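Review bot: `bss->eap_sim_id = atoi(pos);` accepts any integer, yet only the values 0–3 documented for the option are meaningful, and atoi() maps an unparsable value to 0, which silently disables both pseudonyms and fast reauthentication — the least privacy-preserving setting — on a simple typo. Because the EAP-SIM/AKA servers use the value as a bit mask (bit 0 pseudonyms, bit 1 fast reauth), an out-of-range value such as 4 would likewise disable both without any diagnostic. I would reject values outside 0..3 here, presumably with the same error-and-return pattern the other range checks in this parser use: `if (bss->eap_sim_id < 0 || bss->eap_sim_id > 3) { wpa_printf(MSG_ERROR, "Line %d: invalid eap_sim_id %d", line, bss->eap_sim_id); return 1; }`. hostapd_config_fill() starts and ends outside the hunk.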


@ -1205,6 +1205,13 @@ eap_server=0
# (default: 0 = disabled). # (default: 0 = disabled).
#eap_sim_aka_result_ind=1 #eap_sim_aka_result_ind=1
# EAP-SIM and EAP-AKA identity options
# 0 = do not use pseudonyms or fast reauthentication
# 1 = use pseudonyms, but not fast reauthentication
# 2 = do not use pseudonyms, but use fast reauthentication
# 3 = use pseudonyms and use fast reauthentication (default)
#eap_sim_id=3
# Trusted Network Connect (TNC) # Trusted Network Connect (TNC)
# If enabled, TNC validation will be required before the peer is allowed to # If enabled, TNC validation will be required before the peer is allowed to
# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other


@ -78,6 +78,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
bss->radius_server_auth_port = 1812; bss->radius_server_auth_port = 1812;
bss->eap_sim_db_timeout = 1; bss->eap_sim_db_timeout = 1;
bss->eap_sim_id = 3;
bss->ap_max_inactivity = AP_MAX_INACTIVITY; bss->ap_max_inactivity = AP_MAX_INACTIVITY;
bss->eapol_version = EAPOL_VERSION; bss->eapol_version = EAPOL_VERSION;
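Review bot: `bss->eap_sim_id = 3;` is a bare magic number; the value is a bit mask whose meaning is only recoverable from hostapd.conf and from the `& 0x01` / `& 0x02` tests in the EAP-SIM/AKA servers. A one-line comment would spare the next reader that lookup: `bss->eap_sim_id = 3; /* bit 0: pseudonyms, bit 1: fast reauth; both enabled */`. Named flag constants shared with those tests would be better still, but the comment is the minimum. hostapd_config_defaults_bss() continues outside the hunk.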


@ -430,6 +430,7 @@ struct hostapd_bss_config {
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc; int tnc;
int fragment_size; int fragment_size;
u16 pwd_group; u16 pwd_group;


@ -123,6 +123,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
srv.eap_teap_auth = conf->eap_teap_auth; srv.eap_teap_auth = conf->eap_teap_auth;
srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
srv.eap_sim_id = conf->eap_sim_id;
srv.tnc = conf->tnc; srv.tnc = conf->tnc;
srv.wps = hapd->wps; srv.wps = hapd->wps;
srv.ipv6 = conf->radius_server_ipv6; srv.ipv6 = conf->radius_server_ipv6;


@ -2437,6 +2437,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
conf.eap_teap_auth = hapd->conf->eap_teap_auth; conf.eap_teap_auth = hapd->conf->eap_teap_auth;
conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner; conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner;
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
conf.eap_sim_id = hapd->conf->eap_sim_id;
conf.tnc = hapd->conf->tnc; conf.tnc = hapd->conf->tnc;
conf.wps = hapd->wps; conf.wps = hapd->wps;
conf.fragment_size = hapd->conf->fragment_size; conf.fragment_size = hapd->conf->fragment_size;


@ -124,6 +124,7 @@ struct eap_config {
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc; int tnc;
struct wps_context *wps; struct wps_context *wps;
const struct wpabuf *assoc_wps_ie; const struct wpabuf *assoc_wps_ie;


@ -193,6 +193,7 @@ struct eap_sm {
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc; int tnc;
u16 pwd_group; u16 pwd_group;
struct wps_context *wps; struct wps_context *wps;


@ -1872,6 +1872,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->eap_teap_auth = conf->eap_teap_auth; sm->eap_teap_auth = conf->eap_teap_auth;
sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
sm->eap_sim_id = conf->eap_sim_id;
sm->tnc = conf->tnc; sm->tnc = conf->tnc;
sm->wps = conf->wps; sm->wps = conf->wps;
if (conf->assoc_wps_ie) if (conf->assoc_wps_ie)


@ -393,7 +393,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
const u8 *nonce_s) const u8 *nonce_s)
{ {
os_free(data->next_pseudonym); os_free(data->next_pseudonym);
if (nonce_s == NULL) { if (!(sm->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym = data->next_pseudonym =
eap_sim_db_get_next_pseudonym( eap_sim_db_get_next_pseudonym(
sm->eap_sim_db_priv, sm->eap_sim_db_priv,
@ -404,7 +407,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
data->next_pseudonym = NULL; data->next_pseudonym = NULL;
} }
os_free(data->next_reauth_id); os_free(data->next_reauth_id);
if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) { if (!(sm->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
data->next_reauth_id = data->next_reauth_id =
eap_sim_db_get_next_reauth_id( eap_sim_db_get_next_reauth_id(
sm->eap_sim_db_priv, sm->eap_sim_db_priv,
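Review bot: The bit tests `sm->eap_sim_id & 0x01` and `sm->eap_sim_id & 0x02` are unnamed magic masks, and the same two literals are repeated in eap_server_sim.c, so the mapping from configuration value to behaviour lives only in the comment beside each use. I would define the flags once where the `eap_sim_id` field of struct eap_sm (or struct eap_config) is declared and test the names here, e.g. `if (!(sm->eap_sim_id & EAP_SIM_ID_PSEUDONYM))` and `if (!(sm->eap_sim_id & EAP_SIM_ID_FAST_REAUTH))`, so that a later change to the encoding cannot desynchronize the two implementations. eap_aka_build_encr() continues outside the hunk on both sides.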


@ -150,7 +150,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
const u8 *nonce_s) const u8 *nonce_s)
{ {
os_free(data->next_pseudonym); os_free(data->next_pseudonym);
if (nonce_s == NULL) { if (!(sm->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym = data->next_pseudonym =
eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
EAP_SIM_DB_SIM); EAP_SIM_DB_SIM);
@ -159,7 +162,10 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
data->next_pseudonym = NULL; data->next_pseudonym = NULL;
} }
os_free(data->next_reauth_id); os_free(data->next_reauth_id);
if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) { if (!(sm->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
data->next_reauth_id = data->next_reauth_id =
eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv, eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
EAP_SIM_DB_SIM); EAP_SIM_DB_SIM);
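Review bot: Clearing bit 0 here only stops the server from issuing new pseudonyms; a pseudonym or fast re-authentication identity already stored in the EAP-SIM DB before the option was changed is, as far as this hunk shows, presumably still accepted by the identity lookup elsewhere in this file until it expires, so the switch does not take full effect immediately. The comment should also spell out the privacy trade-off the operator is making, since with pseudonyms disabled the peer has to present its permanent (IMSI-based) identity on every full authentication — the exposure pseudonyms exist to avoid. I would extend the comment to something like `/* Use of pseudonyms disabled in configuration: no new pseudonym is issued, so the peer keeps using its permanent identity (previously issued pseudonyms remain valid until purged) */`. eap_sim_build_encr() continues outside the hunk on both sides.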


@ -838,6 +838,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth; eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner; eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind; eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
eap_conf.tnc = eapol->conf.tnc; eap_conf.tnc = eapol->conf.tnc;
eap_conf.wps = eapol->conf.wps; eap_conf.wps = eapol->conf.wps;
eap_conf.assoc_wps_ie = assoc_wps_ie; eap_conf.assoc_wps_ie = assoc_wps_ie;
@ -1236,6 +1237,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->eap_teap_auth = src->eap_teap_auth; dst->eap_teap_auth = src->eap_teap_auth;
dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner; dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind; dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
dst->eap_sim_id = src->eap_sim_id;
dst->tnc = src->tnc; dst->tnc = src->tnc;
dst->wps = src->wps; dst->wps = src->wps;
dst->fragment_size = src->fragment_size; dst->fragment_size = src->fragment_size;


@ -39,6 +39,7 @@ struct eapol_auth_config {
int eap_teap_auth; int eap_teap_auth;
int eap_teap_pac_no_inner; int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc; int tnc;
struct wps_context *wps; struct wps_context *wps;
int fragment_size; int fragment_size;


@ -249,6 +249,8 @@ struct radius_server_data {
*/ */
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id;
/** /**
* tnc - Trusted Network Connect (TNC) * tnc - Trusted Network Connect (TNC)
* *
@ -798,6 +800,7 @@ radius_server_get_new_session(struct radius_server_data *data,
eap_conf.eap_teap_auth = data->eap_teap_auth; eap_conf.eap_teap_auth = data->eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner; eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind; eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
eap_conf.eap_sim_id = data->eap_sim_id;
eap_conf.tnc = data->tnc; eap_conf.tnc = data->tnc;
eap_conf.wps = data->wps; eap_conf.wps = data->wps;
eap_conf.pwd_group = data->pwd_group; eap_conf.pwd_group = data->pwd_group;
@ -2393,6 +2396,7 @@ radius_server_init(struct radius_server_conf *conf)
data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
data->get_eap_user = conf->get_eap_user; data->get_eap_user = conf->get_eap_user;
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
data->eap_sim_id = conf->eap_sim_id;
data->tnc = conf->tnc; data->tnc = conf->tnc;
data->wps = conf->wps; data->wps = conf->wps;
data->pwd_group = conf->pwd_group; data->pwd_group = conf->pwd_group;
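Review bot: In the first hunk `int eap_sim_id;` is added to struct radius_server_data without the Doxygen block its neighbours carry (the `eap_sim_aka_result_ind` comment closes on the line above, and `tnc` gets one immediately after), leaving the field's bit-mask meaning undocumented at the point where the RADIUS server keeps it. I would add a comment in the same style stating `eap_sim_id - EAP-SIM/AKA identity options (bit 0: pseudonyms, bit 1: fast reauthentication)`. The struct and both functions in this section extend beyond their hunks.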


@ -139,6 +139,8 @@ struct radius_server_conf {
*/ */
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int eap_sim_id;
/** /**
* tnc - Trusted Network Connect (TNC) * tnc - Trusted Network Connect (TNC)
* *
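Review bot: `int eap_sim_id;` is added to the public struct radius_server_conf without the Doxygen comment every surrounding field has (the `eap_sim_aka_result_ind` block closes just above it and `tnc` is documented right after), so callers configuring the RADIUS server get no description of the value. I would insert, in the same `/** ... */` style, a comment reading `eap_sim_id - EAP-SIM/AKA identity options: bit 0 enables pseudonyms, bit 1 enables fast reauthentication (hostapd default 3 = both)`. struct radius_server_conf continues outside the hunk.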