EAP-FAST: Added support for disabling anonymous/authenticated provisioning

eap_fast_prov config parameter can now be used to enable/disable different
EAP-FAST provisioning modes:
0 = provisioning disabled
1 = only anonymous provisioning allowed
2 = only authenticated provisioning allowed
3 = both provisioning modes allowed

hostapd/config.c

@@ -186,6 +186,10 @@ static void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 	bss->assoc_ping_timeout = 1000;
 	bss->assoc_ping_attempts = 3;
 #endif /* CONFIG_IEEE80211W */
+#ifdef EAP_FAST
+	 /* both anonymous and authenticated provisioning */
+	bss->eap_fast_prov = 3;
+#endif /* EAP_FAST */
 }
 
 
@@ -1505,6 +1509,8 @@ struct hostapd_config * hostapd_config_read(const char *fname)
 		} else if (os_strcmp(buf, "eap_fast_a_id") == 0) {
 			os_free(bss->eap_fast_a_id);
 			bss->eap_fast_a_id = os_strdup(pos);
+		} else if (os_strcmp(buf, "eap_fast_prov") == 0) {
+			bss->eap_fast_prov = atoi(pos);
 #endif /* EAP_FAST */
 #ifdef EAP_SIM
 		} else if (os_strcmp(buf, "eap_sim_db") == 0) {

hostapd/config.h

@@ -251,6 +251,7 @@ struct hostapd_bss_config {
 	char *dh_file;
 	u8 *pac_opaque_encr_key;
 	char *eap_fast_a_id;
+	int eap_fast_prov;
 	int eap_sim_aka_result_ind;
 	int tnc;
 

hostapd/eapol_sm.c

@@ -805,6 +805,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 	eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
 	eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
 	eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
+	eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
 	eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
 	eap_conf.tnc = eapol->conf.tnc;
 	sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
@@ -1237,6 +1238,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 		dst->eap_fast_a_id = os_strdup(src->eap_fast_a_id);
 	else
 		dst->eap_fast_a_id = NULL;
+	dst->eap_fast_prov = src->eap_fast_prov;
 	dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
 	dst->tnc = src->tnc;
 	return 0;

hostapd/eapol_sm.h

@@ -49,6 +49,7 @@ struct eapol_auth_config {
 	size_t eap_req_id_text_len;
 	u8 *pac_opaque_encr_key;
 	char *eap_fast_a_id;
+	int eap_fast_prov;
 	int eap_sim_aka_result_ind;
 	int tnc;
 

hostapd/hostapd.c

@@ -1170,6 +1170,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd,
 	srv.ssl_ctx = hapd->ssl_ctx;
 	srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
 	srv.eap_fast_a_id = conf->eap_fast_a_id;
+	srv.eap_fast_prov = conf->eap_fast_prov;
 	srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 	srv.tnc = conf->tnc;
 	srv.ipv6 = conf->radius_server_ipv6;

hostapd/hostapd.conf

@@ -508,6 +508,13 @@ eap_server=0
 # EAP-FAST authority identity (A-ID)
 #eap_fast_a_id=test server
 
+# Enable/disable different EAP-FAST provisioning modes:
+#0 = provisioning disabled
+#1 = only anonymous provisioning allowed
+#2 = only authenticated provisioning allowed
+#3 = both provisioning modes allowed (default)
+#eap_fast_prov=3
+
 # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
 # (default: 0 = disabled).
 #eap_sim_aka_result_ind=1

hostapd/ieee802_1x.c

@@ -1605,6 +1605,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
 	conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
 	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
 	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
+	conf.eap_fast_prov = hapd->conf->eap_fast_prov;
 	conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
 	conf.tnc = hapd->conf->tnc;
 

src/eap_server/eap.c

@@ -1153,6 +1153,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 	}
 	if (conf->eap_fast_a_id)
 		sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
+	sm->eap_fast_prov = conf->eap_fast_prov;
 	sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 	sm->tnc = conf->tnc;
 

src/eap_server/eap.h

@@ -96,6 +96,7 @@ struct eap_config {
 	int eap_server;
 	u8 *pac_opaque_encr_key;
 	char *eap_fast_a_id;
+	int eap_fast_prov;
 	int eap_sim_aka_result_ind;
 	int tnc;
 };

src/eap_server/eap_fast.c

@@ -1241,6 +1241,28 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
 				   "completed successfully");
 		}
 
+		if (data->anon_provisioning &&
+		    sm->eap_fast_prov != ANON_PROV &&
+		    sm->eap_fast_prov != BOTH_PROV) {
+			wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
+				   "use unauthenticated provisioning which is "
+				   "disabled");
+			eap_fast_state(data, FAILURE);
+			return;
+		}
+
+		if (sm->eap_fast_prov != AUTH_PROV &&
+		    sm->eap_fast_prov != BOTH_PROV &&
+		    tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
+		    eap_fast_pac_type(tlv.pac, tlv.pac_len,
+				      PAC_TYPE_TUNNEL_PAC)) {
+			wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
+				   "use authenticated provisioning which is "
+				   "disabled");
+			eap_fast_state(data, FAILURE);
+			return;
+		}
+
 		if (data->anon_provisioning ||
 		    (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
 		     eap_fast_pac_type(tlv.pac, tlv.pac_len,

src/eap_server/eap_i.h

@@ -172,6 +172,9 @@ struct eap_sm {
 
 	u8 *pac_opaque_encr_key;
 	char *eap_fast_a_id;
+	enum {
+		NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
+	} eap_fast_prov;
 	int eap_sim_aka_result_ind;
 	int tnc;
 };

src/radius/radius_server.c

@@ -86,6 +86,7 @@ struct radius_server_data {
 	void *ssl_ctx;
 	u8 *pac_opaque_encr_key;
 	char *eap_fast_a_id;
+	int eap_fast_prov;
 	int eap_sim_aka_result_ind;
 	int tnc;
 	int ipv6;
@@ -311,6 +312,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 	eap_conf.eap_server = 1;
 	eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
 	eap_conf.eap_fast_a_id = data->eap_fast_a_id;
+	eap_conf.eap_fast_prov = data->eap_fast_prov;
 	eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
 	eap_conf.tnc = data->tnc;
 	sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
@@ -1016,6 +1018,7 @@ radius_server_init(struct radius_server_conf *conf)
 	}
 	if (conf->eap_fast_a_id)
 		data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
+	data->eap_fast_prov = conf->eap_fast_prov;
 	data->get_eap_user = conf->get_eap_user;
 	data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 	data->tnc = conf->tnc;

src/radius/radius_server.h

@@ -26,6 +26,7 @@ struct radius_server_conf {
 	void *ssl_ctx;
 	u8 *pac_opaque_encr_key;
 	char *eap_fast_a_id;
+	int eap_fast_prov;
 	int eap_sim_aka_result_ind;
 	int tnc;
 	int ipv6;