#ifdef EAP_FAST
/* both anonymous and authenticated provisioning */
bss->eap_fast_prov = 3;
+ bss->pac_key_lifetime = 7 * 24 * 60 * 60;
+ bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
#endif /* EAP_FAST */
}
bss->eap_fast_a_id = os_strdup(pos);
} else if (os_strcmp(buf, "eap_fast_prov") == 0) {
bss->eap_fast_prov = atoi(pos);
+ } else if (os_strcmp(buf, "pac_key_lifetime") == 0) {
+ bss->pac_key_lifetime = atoi(pos);
+ } else if (os_strcmp(buf, "pac_key_refresh_time") == 0) {
+ bss->pac_key_refresh_time = atoi(pos);
#endif /* EAP_FAST */
#ifdef EAP_SIM
} else if (os_strcmp(buf, "eap_sim_db") == 0) {
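Review bot: Neither `pac_key_lifetime` nor `pac_key_refresh_time` is range-checked after the two `atoi(pos)` calls; a zero or negative lifetime makes the PAC-Lifetime written later as `now.sec + data->pac_key_lifetime` already expired when issued, and a refresh time larger than the lifetime makes the check `lifetime - now.sec < data->pac_key_refresh_time` in the server's PAC-Opaque handling true for every freshly issued PAC, so a new PAC is pushed on every session. The parser should reject these the way the neighbouring options report errors, e.g. `if (bss->pac_key_lifetime <= 0)` and `if (bss->pac_key_refresh_time < 0 || bss->pac_key_refresh_time > bss->pac_key_lifetime)`; because the two options may appear in either order, the relative check belongs in the post-parse configuration validation if this file has one. `atoi` also returns 0 for an unparsable value and for "0" alike, which the existing `eap_fast_prov` option shares, so this stays consistent with the file but deserves the same guard. The enclosing parsing function starts and ends outside the hunk.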
u8 *pac_opaque_encr_key;
char *eap_fast_a_id;
int eap_fast_prov;
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
int eap_sim_aka_result_ind;
int tnc;
eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
+ eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
+ eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
eap_conf.tnc = eapol->conf.tnc;
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
else
dst->eap_fast_a_id = NULL;
dst->eap_fast_prov = src->eap_fast_prov;
+ dst->pac_key_lifetime = src->pac_key_lifetime;
+ dst->pac_key_refresh_time = src->pac_key_refresh_time;
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
dst->tnc = src->tnc;
return 0;
u8 *pac_opaque_encr_key;
char *eap_fast_a_id;
int eap_fast_prov;
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
int eap_sim_aka_result_ind;
int tnc;
srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
srv.eap_fast_a_id = conf->eap_fast_a_id;
srv.eap_fast_prov = conf->eap_fast_prov;
+ srv.pac_key_lifetime = conf->pac_key_lifetime;
+ srv.pac_key_refresh_time = conf->pac_key_refresh_time;
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
srv.tnc = conf->tnc;
srv.ipv6 = conf->radius_server_ipv6;
#3 = both provisioning modes allowed (default)
#eap_fast_prov=3
+# EAP-FAST PAC-Key lifetime in seconds (hard limit)
+#pac_key_lifetime=604800
+
+# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
+# limit). The server will generate a new PAC-Key when this number of seconds
+# (or fewer) of the lifetime remains.
+#pac_key_refresh_time=86400
+
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
# (default: 0 = disabled).
#eap_sim_aka_result_ind=1
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
conf.eap_fast_prov = hapd->conf->eap_fast_prov;
+ conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
+ conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
conf.tnc = hapd->conf->tnc;
if (conf->eap_fast_a_id)
sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
sm->eap_fast_prov = conf->eap_fast_prov;
+ sm->pac_key_lifetime = conf->pac_key_lifetime;
+ sm->pac_key_refresh_time = conf->pac_key_refresh_time;
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
sm->tnc = conf->tnc;
u8 *pac_opaque_encr_key;
char *eap_fast_a_id;
int eap_fast_prov;
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
int eap_sim_aka_result_ind;
int tnc;
};
#define PAC_OPAQUE_TYPE_LIFETIME 2
#define PAC_OPAQUE_TYPE_IDENTITY 3
-/* PAC-Key lifetime in seconds (hard limit) */
-#define PAC_KEY_LIFETIME (7 * 24 * 60 * 60)
-
-/*
- * PAC-Key refresh time in seconds (soft limit on remaining hard limit). The
- * server will generate a new PAC-Key when this number of seconds (or fewer)
- * of the lifetime.
- */
-#define PAC_KEY_REFRESH_TIME (1 * 24 * 60 * 60)
-
-
struct eap_fast_data {
struct eap_ssl_data ssl;
enum {
size_t identity_len;
int eap_seq;
int tnc_started;
+
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
};
return 0;
}
- if (lifetime - now.sec < PAC_KEY_REFRESH_TIME)
+ if (lifetime - now.sec < data->pac_key_refresh_time)
data->send_new_pac = 1;
eap_fast_derive_master_secret(pac_key, server_random, client_random,
return NULL;
}
+ /* PAC-Key lifetime in seconds (hard limit) */
+ data->pac_key_lifetime = sm->pac_key_lifetime;
+
+ /*
+ * PAC-Key refresh time in seconds (soft limit on remaining hard
+ * limit). The server will generate a new PAC-Key when this number of
+ * seconds (or fewer) of the lifetime remains.
+ */
+ data->pac_key_refresh_time = sm->pac_key_refresh_time;
+
return data;
}
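Review bot: The explanatory comments added above `data->pac_key_lifetime = sm->pac_key_lifetime;` and `data->pac_key_refresh_time = sm->pac_key_refresh_time;` document what the fields mean, but they sit on the copy in the init function rather than on the members themselves, which are added to `struct eap_fast_data` without any comment; they carry over the text of the comments removed together with the `PAC_KEY_LIFETIME` and `PAC_KEY_REFRESH_TIME` defines. I would move them to the member declarations, `int pac_key_lifetime; /* PAC-Key lifetime in seconds (hard limit) */` with a matching comment on `pac_key_refresh_time`, and leave the two assignments bare like the other members copied from `sm`. The init function that contains these lines starts outside the hunk.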
*pos++ = PAC_OPAQUE_TYPE_LIFETIME;
*pos++ = 4;
- WPA_PUT_BE32(pos, now.sec + PAC_KEY_LIFETIME);
+ WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime);
pos += 4;
if (sm->identity) {
/* PAC-Lifetime (inside PAC-Info) */
eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4);
- wpabuf_put_be32(buf, now.sec + PAC_KEY_LIFETIME);
+ wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime);
/* A-ID (inside PAC-Info) */
eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, srv_id_len);
enum {
NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
} eap_fast_prov;
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
int eap_sim_aka_result_ind;
int tnc;
};
u8 *pac_opaque_encr_key;
char *eap_fast_a_id;
int eap_fast_prov;
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
int eap_sim_aka_result_ind;
int tnc;
int ipv6;
eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
eap_conf.eap_fast_a_id = data->eap_fast_a_id;
eap_conf.eap_fast_prov = data->eap_fast_prov;
+ eap_conf.pac_key_lifetime = data->pac_key_lifetime;
+ eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
eap_conf.tnc = data->tnc;
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
if (conf->eap_fast_a_id)
data->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
data->eap_fast_prov = conf->eap_fast_prov;
+ data->pac_key_lifetime = conf->pac_key_lifetime;
+ data->pac_key_refresh_time = conf->pac_key_refresh_time;
data->get_eap_user = conf->get_eap_user;
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
data->tnc = conf->tnc;
u8 *pac_opaque_encr_key;
char *eap_fast_a_id;
int eap_fast_prov;
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
int eap_sim_aka_result_ind;
int tnc;
int ipv6;