Add server identity configuration for EAP server

The new server_id parameter in hostapd.conf can now be used to specify
which identity is delivered to the EAP peer with EAP methods that
support authenticated server identity.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 9cc45e9..8e6f35a 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2634,6 +2634,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
                        bss->upc = os_strdup(pos);
                } else if (os_strcmp(buf, "pbc_in_m1") == 0) {
                        bss->pbc_in_m1 = atoi(pos);
+               } else if (os_strcmp(buf, "server_id") == 0) {
+                       os_free(bss->server_id);
+                       bss->server_id = os_strdup(pos);
 #ifdef CONFIG_WPS_NFC
                } else if (os_strcmp(buf, "wps_nfc_dev_pw_id") == 0) {
                        bss->wps_nfc_dev_pw_id = atoi(pos);

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index de10c4e..68c4069 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -666,6 +666,11 @@ eap_server=0
 # Passphrase for private key
 #private_key_passwd=secret passphrase
 
+# Server identity
+# EAP methods that provide mechanism for authenticated server identity delivery
+# use this value. If not set, "hostapd" is used as a default.
+#server_id=server.example.com
+
 # Enable CRL verification.
 # Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
 # valid CRL signed by the CA is required to be included in the ca_cert file.

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index c7748da..fbc1ee0 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -532,6 +532,8 @@ static void hostapd_config_free_bss(struct hostapd_bss_config *conf)
        wpabuf_free(conf->vendor_elements);
 
        os_free(conf->sae_groups);
+
+       os_free(conf->server_id);
 }
 
 

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 1124920..a744ba6 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -375,6 +375,7 @@ struct hostapd_bss_config {
        struct wpabuf *wps_nfc_dev_pw;
 #endif /* CONFIG_WPS */
        int pbc_in_m1;
+       char *server_id;
 
 #define P2P_ENABLED BIT(0)
 #define P2P_GROUP_OWNER BIT(1)

diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index 597b8dd..68ad4dc 100644 (file)
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -111,6 +111,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
        srv.eap_req_id_text = conf->eap_req_id_text;
        srv.eap_req_id_text_len = conf->eap_req_id_text_len;
        srv.pwd_group = conf->pwd_group;
+       srv.server_id = conf->server_id ? conf->server_id : "hostapd";
 #ifdef CONFIG_RADIUS_TEST
        srv.dump_msk_file = conf->dump_msk_file;
 #endif /* CONFIG_RADIUS_TEST */

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index d3dda14..f758017 100644 (file)
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1828,6 +1828,13 @@ int ieee802_1x_init(struct hostapd_data *hapd)
        conf.fragment_size = hapd->conf->fragment_size;
        conf.pwd_group = hapd->conf->pwd_group;
        conf.pbc_in_m1 = hapd->conf->pbc_in_m1;
+       if (hapd->conf->server_id) {
+               conf.server_id = (const u8 *) hapd->conf->server_id;
+               conf.server_id_len = os_strlen(hapd->conf->server_id);
+       } else {
+               conf.server_id = (const u8 *) "hostapd";
+               conf.server_id_len = 7;
+       }
 
        os_memset(&cb, 0, sizeof(cb));
        cb.eapol_send = ieee802_1x_eapol_send;

diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index f2a7cd7..36b230b 100644 (file)
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -104,6 +104,9 @@ struct eap_config {
        int fragment_size;
 
        int pbc_in_m1;
+
+       const u8 *server_id;
+       size_t server_id_len;
 };
 
 

diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index f92704a..003e202 100644 (file)
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -188,6 +188,9 @@ struct eap_sm {
        int fragment_size;
 
        int pbc_in_m1;
+
+       const u8 *server_id;
+       size_t server_id_len;
 };
 
 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,

diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 15f7e22..54b7533 100644 (file)
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1278,6 +1278,8 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
        sm->fragment_size = conf->fragment_size;
        sm->pwd_group = conf->pwd_group;
        sm->pbc_in_m1 = conf->pbc_in_m1;
+       sm->server_id = conf->server_id;
+       sm->server_id_len = conf->server_id_len;
 
        wpa_printf(MSG_DEBUG, "EAP: Server state machine created");
 

diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index c3ccb46..013d781 100644 (file)
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -830,6 +830,8 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
        eap_conf.fragment_size = eapol->conf.fragment_size;
        eap_conf.pwd_group = eapol->conf.pwd_group;
        eap_conf.pbc_in_m1 = eapol->conf.pbc_in_m1;
+       eap_conf.server_id = eapol->conf.server_id;
+       eap_conf.server_id_len = eapol->conf.server_id_len;
        sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
        if (sm->eap == NULL) {
                eapol_auth_free(sm);
@@ -1045,6 +1047,8 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
        os_free(dst->eap_req_id_text);
        dst->pwd_group = src->pwd_group;
        dst->pbc_in_m1 = src->pbc_in_m1;
+       dst->server_id = src->server_id;
+       dst->server_id_len = src->server_id_len;
        if (src->eap_req_id_text) {
                dst->eap_req_id_text = os_malloc(src->eap_req_id_text_len);
                if (dst->eap_req_id_text == NULL)

diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h
index b50bbdd..3a0f450 100644 (file)
--- a/src/eapol_auth/eapol_auth_sm.h
+++ b/src/eapol_auth/eapol_auth_sm.h
@@ -37,6 +37,8 @@ struct eapol_auth_config {
        int fragment_size;
        u16 pwd_group;
        int pbc_in_m1;
+       const u8 *server_id;
+       size_t server_id_len;
 
        /* Opaque context pointer to owner data for callback functions */
        void *ctx;

diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 5b2d711..0144c9f 100644 (file)
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -223,6 +223,11 @@ struct radius_server_data {
        u16 pwd_group;
 
        /**
+        * server_id - Server identity
+        */
+       const char *server_id;
+
+       /**
         * wps - Wi-Fi Protected Setup context
         *
         * If WPS is used with an external RADIUS server (which is quite
@@ -511,6 +516,8 @@ radius_server_get_new_session(struct radius_server_data *data,
        eap_conf.tnc = data->tnc;
        eap_conf.wps = data->wps;
        eap_conf.pwd_group = data->pwd_group;
+       eap_conf.server_id = (const u8 *) data->server_id;
+       eap_conf.server_id_len = os_strlen(data->server_id);
        sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
                                       &eap_conf);
        if (sess->eap == NULL) {
@@ -1280,6 +1287,7 @@ radius_server_init(struct radius_server_conf *conf)
        data->tnc = conf->tnc;
        data->wps = conf->wps;
        data->pwd_group = conf->pwd_group;
+       data->server_id = conf->server_id;
        if (conf->eap_req_id_text) {
                data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len);
                if (data->eap_req_id_text) {

diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index 82466c3..284bd59 100644 (file)
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -144,6 +144,11 @@ struct radius_server_conf {
        u16 pwd_group;
 
        /**
+        * server_id - Server identity
+        */
+       const char *server_id;
+
+       /**
         * wps - Wi-Fi Protected Setup context
         *
         * If WPS is used with an external RADIUS server (which is quite