EAP-FAST: Make PAC-Key lifetime values configurable

The hardcoded values in eap_fast.c were replaced with values read from
hostapd.conf.

diff --git a/hostapd/config.c b/hostapd/config.c
index 953fb9e41cf522b9f04cf0efa6f2f8eaaf229459..65747453e600bbe78449c5a92661d14d3879b026 100644 (file)
--- a/hostapd/config.c
+++ b/hostapd/config.c
@@ -189,6 +189,8 @@ static void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #ifdef EAP_FAST
         /* both anonymous and authenticated provisioning */
        bss->eap_fast_prov = 3;
+       bss->pac_key_lifetime = 7 * 24 * 60 * 60;
+       bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
 #endif /* EAP_FAST */
 }
 
@@ -1511,6 +1513,10 @@ struct hostapd_config * hostapd_config_read(const char *fname)
                        bss->eap_fast_a_id = os_strdup(pos);
                } else if (os_strcmp(buf, "eap_fast_prov") == 0) {
                        bss->eap_fast_prov = atoi(pos);
+               } else if (os_strcmp(buf, "pac_key_lifetime") == 0) {
+                       bss->pac_key_lifetime = atoi(pos);
+               } else if (os_strcmp(buf, "pac_key_refresh_time") == 0) {
+                       bss->pac_key_refresh_time = atoi(pos);
 #endif /* EAP_FAST */
 #ifdef EAP_SIM
                } else if (os_strcmp(buf, "eap_sim_db") == 0) {

diff --git a/hostapd/config.h b/hostapd/config.h
index 984dfa41556ee6ad0f906c5ff706e1f38893f6d2..9cabc69ff65952b644d5b481f0e83371bd5f7bba 100644 (file)
--- a/hostapd/config.h
+++ b/hostapd/config.h
@@ -252,6 +252,8 @@ struct hostapd_bss_config {
        u8 *pac_opaque_encr_key;
        char *eap_fast_a_id;
        int eap_fast_prov;
+       int pac_key_lifetime;
+       int pac_key_refresh_time;
        int eap_sim_aka_result_ind;
        int tnc;
 

diff --git a/hostapd/eapol_sm.c b/hostapd/eapol_sm.c
index ce50efba457e2f9fbf628ae82790ecab7a4d72df..40bb23d02dcfd4aba674ab21e21a023fdcfbb222 100644 (file)
--- a/hostapd/eapol_sm.c
+++ b/hostapd/eapol_sm.c
@@ -806,6 +806,8 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
        eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
        eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
        eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
+       eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
+       eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
        eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
        eap_conf.tnc = eapol->conf.tnc;
        sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
@@ -1239,6 +1241,8 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
        else
                dst->eap_fast_a_id = NULL;
        dst->eap_fast_prov = src->eap_fast_prov;
+       dst->pac_key_lifetime = src->pac_key_lifetime;
+       dst->pac_key_refresh_time = src->pac_key_refresh_time;
        dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
        dst->tnc = src->tnc;
        return 0;

diff --git a/hostapd/eapol_sm.h b/hostapd/eapol_sm.h
index 51ebc4c373da24b38ac9b025ce17224210541e61..3618b16518337040434d0ed74f6ce90161fb8f00 100644 (file)
--- a/hostapd/eapol_sm.h
+++ b/hostapd/eapol_sm.h
@@ -50,6 +50,8 @@ struct eapol_auth_config {
        u8 *pac_opaque_encr_key;
        char *eap_fast_a_id;
        int eap_fast_prov;
+       int pac_key_lifetime;
+       int pac_key_refresh_time;
        int eap_sim_aka_result_ind;
        int tnc;
 

diff --git a/hostapd/hostapd.c b/hostapd/hostapd.c
index 5990cf0ac464443b2147fa73948b2faf52e89848..22054cf4aa96452fef14788ea0a74ff74d97365b 100644 (file)
--- a/hostapd/hostapd.c
+++ b/hostapd/hostapd.c
@@ -1171,6 +1171,8 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd,
        srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
        srv.eap_fast_a_id = conf->eap_fast_a_id;
        srv.eap_fast_prov = conf->eap_fast_prov;
+       srv.pac_key_lifetime = conf->pac_key_lifetime;
+       srv.pac_key_refresh_time = conf->pac_key_refresh_time;
        srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
        srv.tnc = conf->tnc;
        srv.ipv6 = conf->radius_server_ipv6;

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index c1e1288f24551175e65ded65947c449a75b62a23..5bb3cec1c8329eba70235bf67aa67bf53539b8f7 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -515,6 +515,14 @@ eap_server=0
 #3 = both provisioning modes allowed (default)
 #eap_fast_prov=3
 
+# EAP-FAST PAC-Key lifetime in seconds (hard limit)
+#pac_key_lifetime=604800
+
+# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
+# limit). The server will generate a new PAC-Key when this number of seconds
+# (or fewer) of the lifetime remains.
+#pac_key_refresh_time=86400
+
 # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
 # (default: 0 = disabled).
 #eap_sim_aka_result_ind=1

diff --git a/hostapd/ieee802_1x.c b/hostapd/ieee802_1x.c
index 2e291f157ba1dd2125a81df7393af3173c360027..2e4ed1bb445e449ebb482951c5f2310d99482eb1 100644 (file)
--- a/hostapd/ieee802_1x.c
+++ b/hostapd/ieee802_1x.c
@@ -1606,6 +1606,8 @@ int ieee802_1x_init(struct hostapd_data *hapd)
        conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
        conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
        conf.eap_fast_prov = hapd->conf->eap_fast_prov;
+       conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
+       conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
        conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
        conf.tnc = hapd->conf->tnc;
 

diff --git a/src/eap_server/eap.c b/src/eap_server/eap.c
index 2c9eb30ca98c7ed7ee005b4437a5633600cd185f..179eaa05c6a124b00de60231b8451da8d0ab2bfe 100644 (file)
--- a/src/eap_server/eap.c
+++ b/src/eap_server/eap.c
@@ -1154,6 +1154,8 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
        if (conf->eap_fast_a_id)
                sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
        sm->eap_fast_prov = conf->eap_fast_prov;
+       sm->pac_key_lifetime = conf->pac_key_lifetime;
+       sm->pac_key_refresh_time = conf->pac_key_refresh_time;
        sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
        sm->tnc = conf->tnc;
 

diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index 1d28557af4cd65c4f07f506c1a35f01723656780..965d188913436c3c832092407f667f314f94b0fa 100644 (file)
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -97,6 +97,8 @@ struct eap_config {
        u8 *pac_opaque_encr_key;
        char *eap_fast_a_id;
        int eap_fast_prov;
+       int pac_key_lifetime;
+       int pac_key_refresh_time;
        int eap_sim_aka_result_ind;
        int tnc;
 };

diff --git a/src/eap_server/eap_fast.c b/src/eap_server/eap_fast.c
index d440c2f2c236a62312dd291dde82c4a15ade79e0..c811fedc71286c61b3a9ff7574ade06939c1a0ac 100644 (file)
--- a/src/eap_server/eap_fast.c
+++ b/src/eap_server/eap_fast.c
@@ -33,17 +33,6 @@ static void eap_fast_reset(struct eap_sm *sm, void *priv);
 #define PAC_OPAQUE_TYPE_LIFETIME 2
 #define PAC_OPAQUE_TYPE_IDENTITY 3
 
-/* PAC-Key lifetime in seconds (hard limit) */
-#define PAC_KEY_LIFETIME (7 * 24 * 60 * 60)
-
-/*
- * PAC-Key refresh time in seconds (soft limit on remaining hard limit). The
- * server will generate a new PAC-Key when this number of seconds (or fewer)
- * of the lifetime.
- */
-#define PAC_KEY_REFRESH_TIME (1 * 24 * 60 * 60)
-
-
 struct eap_fast_data {
        struct eap_ssl_data ssl;
        enum {
@@ -76,6 +65,9 @@ struct eap_fast_data {
        size_t identity_len;
        int eap_seq;
        int tnc_started;
+
+       int pac_key_lifetime;
+       int pac_key_refresh_time;
 };
 
 
@@ -251,7 +243,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
                return 0;
        }
 
-       if (lifetime - now.sec < PAC_KEY_REFRESH_TIME)
+       if (lifetime - now.sec < data->pac_key_refresh_time)
                data->send_new_pac = 1;
 
        eap_fast_derive_master_secret(pac_key, server_random, client_random,
@@ -459,6 +451,16 @@ static void * eap_fast_init(struct eap_sm *sm)
                return NULL;
        }
 
+       /* PAC-Key lifetime in seconds (hard limit) */
+       data->pac_key_lifetime = sm->pac_key_lifetime;
+
+       /*
+        * PAC-Key refresh time in seconds (soft limit on remaining hard
+        * limit). The server will generate a new PAC-Key when this number of
+        * seconds (or fewer) of the lifetime remains.
+        */
+       data->pac_key_refresh_time = sm->pac_key_refresh_time;
+
        return data;
 }
 
@@ -674,7 +676,7 @@ static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
 
        *pos++ = PAC_OPAQUE_TYPE_LIFETIME;
        *pos++ = 4;
-       WPA_PUT_BE32(pos, now.sec + PAC_KEY_LIFETIME);
+       WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime);
        pos += 4;
 
        if (sm->identity) {
@@ -744,7 +746,7 @@ static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
 
        /* PAC-Lifetime (inside PAC-Info) */
        eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4);
-       wpabuf_put_be32(buf, now.sec + PAC_KEY_LIFETIME);
+       wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime);
 
        /* A-ID (inside PAC-Info) */
        eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, srv_id_len);

diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index e9c3841932e46371f2c597eb371e3da4358ee47d..419546694d79f4642e9d1607d4743b4bd8d48285 100644 (file)
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -175,6 +175,8 @@ struct eap_sm {
        enum {
                NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
        } eap_fast_prov;
+       int pac_key_lifetime;
+       int pac_key_refresh_time;
        int eap_sim_aka_result_ind;
        int tnc;
 };

diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index b8cc3dfc7b8976c5e4693c5e70b2aaeff2dbd44d..e0c4b21541da6165201b607b5adb9bd4299038e3 100644 (file)
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -87,6 +87,8 @@ struct radius_server_data {
        u8 *pac_opaque_encr_key;
        char *eap_fast_a_id;
        int eap_fast_prov;
+       int pac_key_lifetime;
+       int pac_key_refresh_time;
        int eap_sim_aka_result_ind;
        int tnc;
        int ipv6;
@@ -313,6 +315,8 @@ radius_server_get_new_session(struct radius_server_data *data,
        eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
        eap_conf.eap_fast_a_id = data->eap_fast_a_id;
        eap_conf.eap_fast_prov = data->eap_fast_prov;
+       eap_conf.pac_key_lifetime = data->pac_key_lifetime;
+       eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
        eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
        eap_conf.tnc = data->tnc;
        sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
@@ -1019,6 +1023,8 @@ radius_server_init(struct radius_server_conf *conf)
        if (conf->eap_fast_a_id)
                data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
        data->eap_fast_prov = conf->eap_fast_prov;
+       data->pac_key_lifetime = conf->pac_key_lifetime;
+       data->pac_key_refresh_time = conf->pac_key_refresh_time;
        data->get_eap_user = conf->get_eap_user;
        data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
        data->tnc = conf->tnc;

diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index c1807e21d6cedab955d42d118de1d5f89927818b..8e5145fc6df2d1ef175f0fb846dd11ff909ce2a5 100644 (file)
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -27,6 +27,8 @@ struct radius_server_conf {
        u8 *pac_opaque_encr_key;
        char *eap_fast_a_id;
        int eap_fast_prov;
+       int pac_key_lifetime;
+       int pac_key_refresh_time;
        int eap_sim_aka_result_ind;
        int tnc;
        int ipv6;