EAP-SIM/AKA server: Configurable limit to fast re-authentication
authorJouni Malinen <quic_jouni@quicinc.com>
Thu, 21 Sep 2023 08:02:38 +0000 (11:02 +0300)
committerJouni Malinen <j@w1.fi>
Thu, 21 Sep 2023 08:55:49 +0000 (11:55 +0300)
Allow the EAP-SIM/AKA server to be configured to use a smaller limit for
the number of times fast re-authentication can be used before falling
back to running full authentication. This is particularly useful for EAP
peer testing, to cover the fallback from fast re-authentication to full
authentication in various different cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
hostapd/config_file.c
hostapd/hostapd.conf
src/ap/ap_config.c
src/ap/ap_config.h
src/ap/authsrv.c
src/eap_server/eap.h
src/eap_server/eap_server_aka.c
src/eap_server/eap_server_sim.c

index 6c6cc69c41746a64862e53fc61a0e5c2f0c9388f..4f3050841fc6924788c60e6b87ad204b8d8b4a25 100644 (file)
@@ -2603,6 +2603,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
        } else if (os_strcmp(buf, "imsi_privacy_key") == 0) {
                os_free(bss->imsi_privacy_key);
                bss->imsi_privacy_key = os_strdup(pos);
+       } else if (os_strcmp(buf, "eap_sim_aka_fast_reauth_limit") == 0) {
+               bss->eap_sim_aka_fast_reauth_limit = atoi(pos);
 #endif /* EAP_SERVER_SIM */
 #ifdef EAP_SERVER_TNC
        } else if (os_strcmp(buf, "tnc") == 0) {
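Review bot: The value from `atoi(pos)` is stored without any range check, so a zero or negative eap_sim_aka_fast_reauth_limit makes the `counter > limit` comparison in the eap_server_aka.c and eap_server_sim.c hunks true for every fast re-authentication; that may be a deliberate way to disable fast re-authentication for testing, but nothing in the commit documents it. The neighbouring options use the same atoi() pattern, so at minimum the hostapd.conf entry should say what 0 means, and a negative value should presumably be rejected with an error rather than stored. hostapd_config_fill starts and ends outside the hunk.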
index b8d27112be92b9a55f7cbdfaa86223ffd5783fc4..f02cd9274b1a36e2e2251e915a73e3e1eaf2dfb1 100644 (file)
@@ -1479,6 +1479,11 @@ eap_server=0
 # permanent identity when using EAP-SIM/AKA/AKA'.
 #imsi_privacy_key=imsi-privacy-key.pem
 
+# EAP-SIM and EAP-AKA fast re-authentication limit
+# Maximum number of fast re-authentications allowed after each full
+# authentication.
+#eap_sim_aka_fast_reauth_limit=1000
+
 # Trusted Network Connect (TNC)
 # If enabled, TNC validation will be required before the peer is allowed to
 # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
index 298216a4746d85fe35f10b40cd6c79a98c57c17d..2c66217e8decc98cb4e9dd34db0f45e42c858348 100644 (file)
@@ -90,6 +90,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
        bss->radius_server_auth_port = 1812;
        bss->eap_sim_db_timeout = 1;
        bss->eap_sim_id = 3;
+       bss->eap_sim_aka_fast_reauth_limit = 1000;
        bss->ap_max_inactivity = AP_MAX_INACTIVITY;
        bss->eapol_version = EAPOL_VERSION;
 
index 8b3700be4d9a99f17c22aec8d81ed80bc48f6c04..5699a6be1ea993c2fb828d3c69bf0d773cd5b8a3 100644 (file)
@@ -448,6 +448,7 @@ struct hostapd_bss_config {
        int eap_sim_aka_result_ind;
        int eap_sim_id;
        char *imsi_privacy_key;
+       int eap_sim_aka_fast_reauth_limit;
        int tnc;
        int fragment_size;
        u16 pwd_group;
index cc1d722dadd153dff080ef979be72156781074f2..1488dccc3d7f6c680f2ff1c1431d1113fa30bad5 100644 (file)
@@ -224,6 +224,8 @@ static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd)
        cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
        cfg->eap_sim_id = hapd->conf->eap_sim_id;
        cfg->imsi_privacy_key = hapd->imsi_privacy_key;
+       cfg->eap_sim_aka_fast_reauth_limit =
+               hapd->conf->eap_sim_aka_fast_reauth_limit;
        cfg->tnc = hapd->conf->tnc;
        cfg->wps = hapd->wps;
        cfg->fragment_size = hapd->conf->fragment_size;
index 3696e1d27cabd25756b61bb287d55bbe4a7fe1a6..d965a25c409c106f92d48e26f2e148ad474913a6 100644 (file)
@@ -220,6 +220,10 @@ struct eap_config {
        int eap_sim_aka_result_ind;
        int eap_sim_id;
 
+       /* Maximum number of fast re-authentications allowed after each full
+        * EAP-SIM/AKA authentication. */
+       int eap_sim_aka_fast_reauth_limit;
+
        /**
         * tnc - Trusted Network Connect (TNC)
         *
index c154d7f6e8fd9ed8b83f28c4604bd07bdeb97f94..880ffa3d68e5529ab54e12d4a12ab09595f2ad0e 100644 (file)
@@ -110,7 +110,29 @@ static int eap_aka_check_identity_reauth(struct eap_sm *sm,
                return 0;
        }
 
-       wpa_printf(MSG_DEBUG, "EAP-AKA: Using fast re-authentication");
+       if (data->reauth->counter > sm->cfg->eap_sim_aka_fast_reauth_limit) {
+               wpa_printf(MSG_DEBUG,
+                          "EAP-AKA: Too many fast re-authentication attemps - fall back to full authentication");
+               if (sm->cfg->eap_sim_id & 0x04) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-AKA: Permanent identity recognized - skip AKA-Identity exchange");
+                       os_strlcpy(data->permanent, data->reauth->permanent,
+                                  sizeof(data->permanent));
+                       os_strlcpy(sm->sim_aka_permanent,
+                                  data->reauth->permanent,
+                                  sizeof(sm->sim_aka_permanent));
+                       eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv,
+                                                data->reauth);
+                       data->reauth = NULL;
+                       eap_aka_fullauth(sm, data);
+                       return 1;
+               }
+               return 0;
+       }
+
+       wpa_printf(MSG_DEBUG,
+                  "EAP-AKA: Using fast re-authentication (counter=%d)",
+                  data->reauth->counter);
        os_strlcpy(data->permanent, data->reauth->permanent,
                   sizeof(data->permanent));
        data->counter = data->reauth->counter;
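Review bot: The debug string on the third added line misspells "attempts" (`"EAP-AKA: Too many fast re-authentication attemps - fall back to full authentication"`); the eap_server_sim.c hunk has the same misspelling. In the fallback branch where bit 0x04 of eap_sim_id is not set, the function returns 0 with data->reauth still pointing at the reauth entry, whereas the existing unknown-reauth-identity path returns 0 with data->reauth == NULL; if any later code in this file treats a non-NULL data->reauth as "fast re-authentication in progress", the pointer should be cleared (or the entry removed) on that path too, which is worth confirming since the rest of eap_aka_check_identity_reauth is outside this hunk. The enclosing function starts and ends outside the hunk.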
index 51faca95f198d1e6a8beb4c79db12ac22e49a41e..e418c076e241f56ba1c23027556015f892e9889b 100644 (file)
@@ -514,7 +514,30 @@ skip_id_attr:
                        /* Remain in START state for another round */
                        return;
                }
-               wpa_printf(MSG_DEBUG, "EAP-SIM: Using fast re-authentication");
+
+               if (data->reauth->counter >
+                   sm->cfg->eap_sim_aka_fast_reauth_limit &&
+                   (sm->cfg->eap_sim_id & 0x04)) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-SIM: Too many fast re-authentication attemps - fall back to full authentication");
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-SIM: Permanent identity recognized - skip new Identity query");
+                       os_strlcpy(data->permanent,
+                                  data->reauth->permanent,
+                                  sizeof(data->permanent));
+                       os_strlcpy(sm->sim_aka_permanent,
+                                  data->reauth->permanent,
+                                  sizeof(sm->sim_aka_permanent));
+                       eap_sim_db_remove_reauth(
+                               sm->cfg->eap_sim_db_priv,
+                               data->reauth);
+                       data->reauth = NULL;
+                       goto skip_id_update;
+               }
+
+               wpa_printf(MSG_DEBUG,
+                          "EAP-SIM: Using fast re-authentication (counter=%d)",
+                          data->reauth->counter);
                os_strlcpy(data->permanent, data->reauth->permanent,
                           sizeof(data->permanent));
                data->counter = data->reauth->counter;
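Review bot: The limit is enforced only when bit 0x04 of eap_sim_id is set (the `&&` on the first three added lines), so with any other eap_sim_id value the configured eap_sim_aka_fast_reauth_limit is silently ignored and the code falls through to "Using fast re-authentication" past the limit, unlike the EAP-AKA hunk, which checks the limit unconditionally and uses the 0x04 bit only to choose how to fall back. If the asymmetry is intentional, a comment such as `/* Without a recognized permanent identity there is no fallback path here, so the limit applies only with eap_sim_id bit 0x04 */` above the condition would explain it; otherwise the two checks should be split as in eap_server_aka.c. The debug string also misspells "attempts" (`attemps`). The enclosing function and the skip_id_update label are outside the hunk.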