EAP-FAST: Make PAC-Key lifetime values configurable

The hardcoded values in eap_fast.c were replaced with values read from
hostapd.conf.
Jouni Malinen 2008-10-08 17:25:47 +03:00 committed by Jouni Malinen
parent 378eae5e9b
commit a11c90a64a
13 changed files with 56 additions and 14 deletions


@ -189,6 +189,8 @@ static void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
#ifdef EAP_FAST #ifdef EAP_FAST
/* both anonymous and authenticated provisioning */ /* both anonymous and authenticated provisioning */
bss->eap_fast_prov = 3; bss->eap_fast_prov = 3;
bss->pac_key_lifetime = 7 * 24 * 60 * 60;
bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
#endif /* EAP_FAST */ #endif /* EAP_FAST */
} }
@ -1511,6 +1513,10 @@ struct hostapd_config * hostapd_config_read(const char *fname)
bss->eap_fast_a_id = os_strdup(pos); bss->eap_fast_a_id = os_strdup(pos);
} else if (os_strcmp(buf, "eap_fast_prov") == 0) { } else if (os_strcmp(buf, "eap_fast_prov") == 0) {
bss->eap_fast_prov = atoi(pos); bss->eap_fast_prov = atoi(pos);
} else if (os_strcmp(buf, "pac_key_lifetime") == 0) {
bss->pac_key_lifetime = atoi(pos);
} else if (os_strcmp(buf, "pac_key_refresh_time") == 0) {
bss->pac_key_refresh_time = atoi(pos);
#endif /* EAP_FAST */ #endif /* EAP_FAST */
#ifdef EAP_SIM #ifdef EAP_SIM
} else if (os_strcmp(buf, "eap_sim_db") == 0) { } else if (os_strcmp(buf, "eap_sim_db") == 0) {
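Review bot: The two new `atoi(pos)` parses for `pac_key_lifetime` and `pac_key_refresh_time` accept any integer, including 0, negative values and a refresh time at or above the lifetime, and nothing in this hunk rejects them. A zero or negative lifetime makes every issued PAC expire at or before the moment it is issued, and a refresh time that is not below the lifetime makes the server provision a fresh PAC-Key on every authentication, so the two values only make sense as `0 <= refresh_time < lifetime`. I would add, next to the parses, `if (bss->pac_key_lifetime <= 0 || bss->pac_key_refresh_time < 0 || bss->pac_key_refresh_time >= bss->pac_key_lifetime) { /* report the line and count the error */ }`, reporting it the same way the surrounding parser presumably reports other bad option values (that error path is not visible in this hunk). `atoi()` also gives no indication of a non-numeric value, so `strtol()` with an end-pointer check would be the safer parse. hostapd_config_read begins and ends outside the hunk.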


@ -252,6 +252,8 @@ struct hostapd_bss_config {
u8 *pac_opaque_encr_key; u8 *pac_opaque_encr_key;
char *eap_fast_a_id; char *eap_fast_a_id;
int eap_fast_prov; int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int tnc; int tnc;


@ -806,6 +806,8 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key; eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id; eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov; eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind; eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
eap_conf.tnc = eapol->conf.tnc; eap_conf.tnc = eapol->conf.tnc;
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf); sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
@ -1239,6 +1241,8 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
else else
dst->eap_fast_a_id = NULL; dst->eap_fast_a_id = NULL;
dst->eap_fast_prov = src->eap_fast_prov; dst->eap_fast_prov = src->eap_fast_prov;
dst->pac_key_lifetime = src->pac_key_lifetime;
dst->pac_key_refresh_time = src->pac_key_refresh_time;
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind; dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
dst->tnc = src->tnc; dst->tnc = src->tnc;
return 0; return 0;


@ -50,6 +50,8 @@ struct eapol_auth_config {
u8 *pac_opaque_encr_key; u8 *pac_opaque_encr_key;
char *eap_fast_a_id; char *eap_fast_a_id;
int eap_fast_prov; int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int tnc; int tnc;


@ -1171,6 +1171,8 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd,
srv.pac_opaque_encr_key = conf->pac_opaque_encr_key; srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
srv.eap_fast_a_id = conf->eap_fast_a_id; srv.eap_fast_a_id = conf->eap_fast_a_id;
srv.eap_fast_prov = conf->eap_fast_prov; srv.eap_fast_prov = conf->eap_fast_prov;
srv.pac_key_lifetime = conf->pac_key_lifetime;
srv.pac_key_refresh_time = conf->pac_key_refresh_time;
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
srv.tnc = conf->tnc; srv.tnc = conf->tnc;
srv.ipv6 = conf->radius_server_ipv6; srv.ipv6 = conf->radius_server_ipv6;


@ -515,6 +515,14 @@ eap_server=0
#3 = both provisioning modes allowed (default) #3 = both provisioning modes allowed (default)
#eap_fast_prov=3 #eap_fast_prov=3
# EAP-FAST PAC-Key lifetime in seconds (hard limit)
#pac_key_lifetime=604800
# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
# limit). The server will generate a new PAC-Key when this number of seconds
# (or fewer) of the lifetime remains.
#pac_key_refresh_time=86400
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
# (default: 0 = disabled). # (default: 0 = disabled).
#eap_sim_aka_result_ind=1 #eap_sim_aka_result_ind=1


@ -1606,6 +1606,8 @@ int ieee802_1x_init(struct hostapd_data *hapd)
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
conf.eap_fast_prov = hapd->conf->eap_fast_prov; conf.eap_fast_prov = hapd->conf->eap_fast_prov;
conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
conf.tnc = hapd->conf->tnc; conf.tnc = hapd->conf->tnc;


@ -1154,6 +1154,8 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
if (conf->eap_fast_a_id) if (conf->eap_fast_a_id)
sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id); sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
sm->eap_fast_prov = conf->eap_fast_prov; sm->eap_fast_prov = conf->eap_fast_prov;
sm->pac_key_lifetime = conf->pac_key_lifetime;
sm->pac_key_refresh_time = conf->pac_key_refresh_time;
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
sm->tnc = conf->tnc; sm->tnc = conf->tnc;


@ -97,6 +97,8 @@ struct eap_config {
u8 *pac_opaque_encr_key; u8 *pac_opaque_encr_key;
char *eap_fast_a_id; char *eap_fast_a_id;
int eap_fast_prov; int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int tnc; int tnc;
}; };


@ -33,17 +33,6 @@ static void eap_fast_reset(struct eap_sm *sm, void *priv);
#define PAC_OPAQUE_TYPE_LIFETIME 2 #define PAC_OPAQUE_TYPE_LIFETIME 2
#define PAC_OPAQUE_TYPE_IDENTITY 3 #define PAC_OPAQUE_TYPE_IDENTITY 3
/* PAC-Key lifetime in seconds (hard limit) */
#define PAC_KEY_LIFETIME (7 * 24 * 60 * 60)
/*
* PAC-Key refresh time in seconds (soft limit on remaining hard limit). The
* server will generate a new PAC-Key when this number of seconds (or fewer)
* of the lifetime.
*/
#define PAC_KEY_REFRESH_TIME (1 * 24 * 60 * 60)
struct eap_fast_data { struct eap_fast_data {
struct eap_ssl_data ssl; struct eap_ssl_data ssl;
enum { enum {
@ -76,6 +65,9 @@ struct eap_fast_data {
size_t identity_len; size_t identity_len;
int eap_seq; int eap_seq;
int tnc_started; int tnc_started;
int pac_key_lifetime;
int pac_key_refresh_time;
}; };
@ -251,7 +243,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
return 0; return 0;
} }
if (lifetime - now.sec < PAC_KEY_REFRESH_TIME) if (lifetime - now.sec < data->pac_key_refresh_time)
data->send_new_pac = 1; data->send_new_pac = 1;
eap_fast_derive_master_secret(pac_key, server_random, client_random, eap_fast_derive_master_secret(pac_key, server_random, client_random,
@ -459,6 +451,16 @@ static void * eap_fast_init(struct eap_sm *sm)
return NULL; return NULL;
} }
/* PAC-Key lifetime in seconds (hard limit) */
data->pac_key_lifetime = sm->pac_key_lifetime;
/*
* PAC-Key refresh time in seconds (soft limit on remaining hard
* limit). The server will generate a new PAC-Key when this number of
* seconds (or fewer) of the lifetime remains.
*/
data->pac_key_refresh_time = sm->pac_key_refresh_time;
return data; return data;
} }
@ -674,7 +676,7 @@ static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
*pos++ = PAC_OPAQUE_TYPE_LIFETIME; *pos++ = PAC_OPAQUE_TYPE_LIFETIME;
*pos++ = 4; *pos++ = 4;
WPA_PUT_BE32(pos, now.sec + PAC_KEY_LIFETIME); WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime);
pos += 4; pos += 4;
if (sm->identity) { if (sm->identity) {
@ -744,7 +746,7 @@ static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
/* PAC-Lifetime (inside PAC-Info) */ /* PAC-Lifetime (inside PAC-Info) */
eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4);
wpabuf_put_be32(buf, now.sec + PAC_KEY_LIFETIME); wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime);
/* A-ID (inside PAC-Info) */ /* A-ID (inside PAC-Info) */
eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, srv_id_len); eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, srv_id_len);
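Review bot: In eap_fast_build_pac the expiry `now.sec + data->pac_key_lifetime` is written as a 32-bit value by `WPA_PUT_BE32` and `wpabuf_put_be32`, and now that the lifetime is a configurable `int` rather than the old positive macro, a negative value would not merely produce an expired PAC: the negative sum converts modulo 2^32 into a far-future timestamp, i.e. a PAC-Opaque that the session-ticket check treats as valid for decades. Since `pac_key_lifetime` and `pac_key_refresh_time` are only copied from `sm` in eap_fast_init without inspection, I would reject out-of-range values there, e.g. `if (sm->pac_key_lifetime <= 0 || sm->pac_key_refresh_time < 0 || sm->pac_key_refresh_time >= sm->pac_key_lifetime)` and fail the init the same way the preceding failure path (the `return NULL` just above) does, so a misconfiguration cannot reach the PAC builder. The same precedence problem makes `lifetime - now.sec < data->pac_key_refresh_time` in eap_fast_session_ticket_cb issue a new PAC on every connection when the refresh time is not below the lifetime. Also, the per-session copies in `struct eap_fast_data` duplicate fields already held on `sm`; reading `sm->pac_key_lifetime` directly in the two build sites would avoid carrying the same two ints in two places. eap_fast_init, eap_fast_session_ticket_cb and eap_fast_build_pac all begin and end outside these hunks.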


@ -175,6 +175,8 @@ struct eap_sm {
enum { enum {
NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
} eap_fast_prov; } eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int tnc; int tnc;
}; };


@ -87,6 +87,8 @@ struct radius_server_data {
u8 *pac_opaque_encr_key; u8 *pac_opaque_encr_key;
char *eap_fast_a_id; char *eap_fast_a_id;
int eap_fast_prov; int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int tnc; int tnc;
int ipv6; int ipv6;
@ -313,6 +315,8 @@ radius_server_get_new_session(struct radius_server_data *data,
eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key; eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
eap_conf.eap_fast_a_id = data->eap_fast_a_id; eap_conf.eap_fast_a_id = data->eap_fast_a_id;
eap_conf.eap_fast_prov = data->eap_fast_prov; eap_conf.eap_fast_prov = data->eap_fast_prov;
eap_conf.pac_key_lifetime = data->pac_key_lifetime;
eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind; eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
eap_conf.tnc = data->tnc; eap_conf.tnc = data->tnc;
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb, sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
@ -1019,6 +1023,8 @@ radius_server_init(struct radius_server_conf *conf)
if (conf->eap_fast_a_id) if (conf->eap_fast_a_id)
data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id); data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
data->eap_fast_prov = conf->eap_fast_prov; data->eap_fast_prov = conf->eap_fast_prov;
data->pac_key_lifetime = conf->pac_key_lifetime;
data->pac_key_refresh_time = conf->pac_key_refresh_time;
data->get_eap_user = conf->get_eap_user; data->get_eap_user = conf->get_eap_user;
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
data->tnc = conf->tnc; data->tnc = conf->tnc;


@ -27,6 +27,8 @@ struct radius_server_conf {
u8 *pac_opaque_encr_key; u8 *pac_opaque_encr_key;
char *eap_fast_a_id; char *eap_fast_a_id;
int eap_fast_prov; int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_sim_aka_result_ind; int eap_sim_aka_result_ind;
int tnc; int tnc;
int ipv6; int ipv6;