Home | History | Annotate | Download | only in eap_peer
      1 /*
      2  * EAP peer state machines (RFC 4137)
      3  * Copyright (c) 2004-2012, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  *
      8  * This file implements the Peer State Machine as defined in RFC 4137. The used
      9  * states and state transitions match mostly with the RFC. However, there are
     10  * couple of additional transitions for working around small issues noticed
     11  * during testing. These exceptions are explained in comments within the
     12  * functions in this file. The method functions, m.func(), are similar to the
     13  * ones used in RFC 4137, but some small changes have used here to optimize
     14  * operations and to add functionality needed for fast re-authentication
     15  * (session resumption).
     16  */
     17 
     18 #include "includes.h"
     19 
     20 #include "common.h"
     21 #include "pcsc_funcs.h"
     22 #include "state_machine.h"
     23 #include "ext_password.h"
     24 #include "crypto/crypto.h"
     25 #include "crypto/tls.h"
     26 #include "common/wpa_ctrl.h"
     27 #include "eap_common/eap_wsc_common.h"
     28 #include "eap_i.h"
     29 #include "eap_config.h"
     30 
     31 #define STATE_MACHINE_DATA struct eap_sm
     32 #define STATE_MACHINE_DEBUG_PREFIX "EAP"
     33 
     34 #define EAP_MAX_AUTH_ROUNDS 50
     35 #define EAP_CLIENT_TIMEOUT_DEFAULT 60
     36 
     37 
     38 static Boolean eap_sm_allowMethod(struct eap_sm *sm, int vendor,
     39 				  EapType method);
     40 static struct wpabuf * eap_sm_buildNak(struct eap_sm *sm, int id);
     41 static void eap_sm_processIdentity(struct eap_sm *sm,
     42 				   const struct wpabuf *req);
     43 static void eap_sm_processNotify(struct eap_sm *sm, const struct wpabuf *req);
     44 static struct wpabuf * eap_sm_buildNotify(int id);
     45 static void eap_sm_parseEapReq(struct eap_sm *sm, const struct wpabuf *req);
     46 #if defined(CONFIG_CTRL_IFACE) || !defined(CONFIG_NO_STDOUT_DEBUG)
     47 static const char * eap_sm_method_state_txt(EapMethodState state);
     48 static const char * eap_sm_decision_txt(EapDecision decision);
     49 #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
     50 
     51 
     52 
     53 static Boolean eapol_get_bool(struct eap_sm *sm, enum eapol_bool_var var)
     54 {
     55 	return sm->eapol_cb->get_bool(sm->eapol_ctx, var);
     56 }
     57 
     58 
     59 static void eapol_set_bool(struct eap_sm *sm, enum eapol_bool_var var,
     60 			   Boolean value)
     61 {
     62 	sm->eapol_cb->set_bool(sm->eapol_ctx, var, value);
     63 }
     64 
     65 
     66 static unsigned int eapol_get_int(struct eap_sm *sm, enum eapol_int_var var)
     67 {
     68 	return sm->eapol_cb->get_int(sm->eapol_ctx, var);
     69 }
     70 
     71 
     72 static void eapol_set_int(struct eap_sm *sm, enum eapol_int_var var,
     73 			  unsigned int value)
     74 {
     75 	sm->eapol_cb->set_int(sm->eapol_ctx, var, value);
     76 }
     77 
     78 
     79 static struct wpabuf * eapol_get_eapReqData(struct eap_sm *sm)
     80 {
     81 	return sm->eapol_cb->get_eapReqData(sm->eapol_ctx);
     82 }
     83 
     84 
     85 static void eap_notify_status(struct eap_sm *sm, const char *status,
     86 				      const char *parameter)
     87 {
     88 	wpa_printf(MSG_DEBUG, "EAP: Status notification: %s (param=%s)",
     89 		   status, parameter);
     90 	if (sm->eapol_cb->notify_status)
     91 		sm->eapol_cb->notify_status(sm->eapol_ctx, status, parameter);
     92 }
     93 
     94 
     95 static void eap_deinit_prev_method(struct eap_sm *sm, const char *txt)
     96 {
     97 	ext_password_free(sm->ext_pw_buf);
     98 	sm->ext_pw_buf = NULL;
     99 
    100 	if (sm->m == NULL || sm->eap_method_priv == NULL)
    101 		return;
    102 
    103 	wpa_printf(MSG_DEBUG, "EAP: deinitialize previously used EAP method "
    104 		   "(%d, %s) at %s", sm->selectedMethod, sm->m->name, txt);
    105 	sm->m->deinit(sm, sm->eap_method_priv);
    106 	sm->eap_method_priv = NULL;
    107 	sm->m = NULL;
    108 }
    109 
    110 
    111 /**
    112  * eap_allowed_method - Check whether EAP method is allowed
    113  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
    114  * @vendor: Vendor-Id for expanded types or 0 = IETF for legacy types
    115  * @method: EAP type
    116  * Returns: 1 = allowed EAP method, 0 = not allowed
    117  */
    118 int eap_allowed_method(struct eap_sm *sm, int vendor, u32 method)
    119 {
    120 	struct eap_peer_config *config = eap_get_config(sm);
    121 	int i;
    122 	struct eap_method_type *m;
    123 
    124 	if (config == NULL || config->eap_methods == NULL)
    125 		return 1;
    126 
    127 	m = config->eap_methods;
    128 	for (i = 0; m[i].vendor != EAP_VENDOR_IETF ||
    129 		     m[i].method != EAP_TYPE_NONE; i++) {
    130 		if (m[i].vendor == vendor && m[i].method == method)
    131 			return 1;
    132 	}
    133 	return 0;
    134 }
    135 
    136 
    137 /*
    138  * This state initializes state machine variables when the machine is
    139  * activated (portEnabled = TRUE). This is also used when re-starting
    140  * authentication (eapRestart == TRUE).
    141  */
    142 SM_STATE(EAP, INITIALIZE)
    143 {
    144 	SM_ENTRY(EAP, INITIALIZE);
    145 	if (sm->fast_reauth && sm->m && sm->m->has_reauth_data &&
    146 	    sm->m->has_reauth_data(sm, sm->eap_method_priv) &&
    147 	    !sm->prev_failure) {
    148 		wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
    149 			   "fast reauthentication");
    150 		sm->m->deinit_for_reauth(sm, sm->eap_method_priv);
    151 	} else {
    152 		eap_deinit_prev_method(sm, "INITIALIZE");
    153 	}
    154 	sm->selectedMethod = EAP_TYPE_NONE;
    155 	sm->methodState = METHOD_NONE;
    156 	sm->allowNotifications = TRUE;
    157 	sm->decision = DECISION_FAIL;
    158 	sm->ClientTimeout = EAP_CLIENT_TIMEOUT_DEFAULT;
    159 	eapol_set_int(sm, EAPOL_idleWhile, sm->ClientTimeout);
    160 	eapol_set_bool(sm, EAPOL_eapSuccess, FALSE);
    161 	eapol_set_bool(sm, EAPOL_eapFail, FALSE);
    162 	os_free(sm->eapKeyData);
    163 	sm->eapKeyData = NULL;
    164 	os_free(sm->eapSessionId);
    165 	sm->eapSessionId = NULL;
    166 	sm->eapKeyAvailable = FALSE;
    167 	eapol_set_bool(sm, EAPOL_eapRestart, FALSE);
    168 	sm->lastId = -1; /* new session - make sure this does not match with
    169 			  * the first EAP-Packet */
    170 	/*
    171 	 * RFC 4137 does not reset eapResp and eapNoResp here. However, this
    172 	 * seemed to be able to trigger cases where both were set and if EAPOL
    173 	 * state machine uses eapNoResp first, it may end up not sending a real
    174 	 * reply correctly. This occurred when the workaround in FAIL state set
    175 	 * eapNoResp = TRUE.. Maybe that workaround needs to be fixed to do
    176 	 * something else(?)
    177 	 */
    178 	eapol_set_bool(sm, EAPOL_eapResp, FALSE);
    179 	eapol_set_bool(sm, EAPOL_eapNoResp, FALSE);
    180 	sm->num_rounds = 0;
    181 	sm->prev_failure = 0;
    182 }
    183 
    184 
    185 /*
    186  * This state is reached whenever service from the lower layer is interrupted
    187  * or unavailable (portEnabled == FALSE). Immediate transition to INITIALIZE
    188  * occurs when the port becomes enabled.
    189  */
    190 SM_STATE(EAP, DISABLED)
    191 {
    192 	SM_ENTRY(EAP, DISABLED);
    193 	sm->num_rounds = 0;
    194 	/*
    195 	 * RFC 4137 does not describe clearing of idleWhile here, but doing so
    196 	 * allows the timer tick to be stopped more quickly when EAP is not in
    197 	 * use.
    198 	 */
    199 	eapol_set_int(sm, EAPOL_idleWhile, 0);
    200 }
    201 
    202 
    203 /*
    204  * The state machine spends most of its time here, waiting for something to
    205  * happen. This state is entered unconditionally from INITIALIZE, DISCARD, and
    206  * SEND_RESPONSE states.
    207  */
    208 SM_STATE(EAP, IDLE)
    209 {
    210 	SM_ENTRY(EAP, IDLE);
    211 }
    212 
    213 
    214 /*
    215  * This state is entered when an EAP packet is received (eapReq == TRUE) to
    216  * parse the packet header.
    217  */
    218 SM_STATE(EAP, RECEIVED)
    219 {
    220 	const struct wpabuf *eapReqData;
    221 
    222 	SM_ENTRY(EAP, RECEIVED);
    223 	eapReqData = eapol_get_eapReqData(sm);
    224 	/* parse rxReq, rxSuccess, rxFailure, reqId, reqMethod */
    225 	eap_sm_parseEapReq(sm, eapReqData);
    226 	sm->num_rounds++;
    227 }
    228 
    229 
    230 /*
    231  * This state is entered when a request for a new type comes in. Either the
    232  * correct method is started, or a Nak response is built.
    233  */
    234 SM_STATE(EAP, GET_METHOD)
    235 {
    236 	int reinit;
    237 	EapType method;
    238 	const struct eap_method *eap_method;
    239 
    240 	SM_ENTRY(EAP, GET_METHOD);
    241 
    242 	if (sm->reqMethod == EAP_TYPE_EXPANDED)
    243 		method = sm->reqVendorMethod;
    244 	else
    245 		method = sm->reqMethod;
    246 
    247 	eap_method = eap_peer_get_eap_method(sm->reqVendor, method);
    248 
    249 	if (!eap_sm_allowMethod(sm, sm->reqVendor, method)) {
    250 		wpa_printf(MSG_DEBUG, "EAP: vendor %u method %u not allowed",
    251 			   sm->reqVendor, method);
    252 		wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
    253 			"vendor=%u method=%u -> NAK",
    254 			sm->reqVendor, method);
    255 		eap_notify_status(sm, "refuse proposed method",
    256 				  eap_method ?  eap_method->name : "unknown");
    257 		goto nak;
    258 	}
    259 
    260 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
    261 		"vendor=%u method=%u", sm->reqVendor, method);
    262 
    263 	eap_notify_status(sm, "accept proposed method",
    264 			  eap_method ?  eap_method->name : "unknown");
    265 	/*
    266 	 * RFC 4137 does not define specific operation for fast
    267 	 * re-authentication (session resumption). The design here is to allow
    268 	 * the previously used method data to be maintained for
    269 	 * re-authentication if the method support session resumption.
    270 	 * Otherwise, the previously used method data is freed and a new method
    271 	 * is allocated here.
    272 	 */
    273 	if (sm->fast_reauth &&
    274 	    sm->m && sm->m->vendor == sm->reqVendor &&
    275 	    sm->m->method == method &&
    276 	    sm->m->has_reauth_data &&
    277 	    sm->m->has_reauth_data(sm, sm->eap_method_priv)) {
    278 		wpa_printf(MSG_DEBUG, "EAP: Using previous method data"
    279 			   " for fast re-authentication");
    280 		reinit = 1;
    281 	} else {
    282 		eap_deinit_prev_method(sm, "GET_METHOD");
    283 		reinit = 0;
    284 	}
    285 
    286 	sm->selectedMethod = sm->reqMethod;
    287 	if (sm->m == NULL)
    288 		sm->m = eap_method;
    289 	if (!sm->m) {
    290 		wpa_printf(MSG_DEBUG, "EAP: Could not find selected method: "
    291 			   "vendor %d method %d",
    292 			   sm->reqVendor, method);
    293 		goto nak;
    294 	}
    295 
    296 	sm->ClientTimeout = EAP_CLIENT_TIMEOUT_DEFAULT;
    297 
    298 	wpa_printf(MSG_DEBUG, "EAP: Initialize selected EAP method: "
    299 		   "vendor %u method %u (%s)",
    300 		   sm->reqVendor, method, sm->m->name);
    301 	if (reinit)
    302 		sm->eap_method_priv = sm->m->init_for_reauth(
    303 			sm, sm->eap_method_priv);
    304 	else
    305 		sm->eap_method_priv = sm->m->init(sm);
    306 
    307 	if (sm->eap_method_priv == NULL) {
    308 		struct eap_peer_config *config = eap_get_config(sm);
    309 		wpa_msg(sm->msg_ctx, MSG_INFO,
    310 			"EAP: Failed to initialize EAP method: vendor %u "
    311 			"method %u (%s)",
    312 			sm->reqVendor, method, sm->m->name);
    313 		sm->m = NULL;
    314 		sm->methodState = METHOD_NONE;
    315 		sm->selectedMethod = EAP_TYPE_NONE;
    316 		if (sm->reqMethod == EAP_TYPE_TLS && config &&
    317 		    (config->pending_req_pin ||
    318 		     config->pending_req_passphrase)) {
    319 			/*
    320 			 * Return without generating Nak in order to allow
    321 			 * entering of PIN code or passphrase to retry the
    322 			 * current EAP packet.
    323 			 */
    324 			wpa_printf(MSG_DEBUG, "EAP: Pending PIN/passphrase "
    325 				   "request - skip Nak");
    326 			return;
    327 		}
    328 
    329 		goto nak;
    330 	}
    331 
    332 	sm->methodState = METHOD_INIT;
    333 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_METHOD
    334 		"EAP vendor %u method %u (%s) selected",
    335 		sm->reqVendor, method, sm->m->name);
    336 	return;
    337 
    338 nak:
    339 	wpabuf_free(sm->eapRespData);
    340 	sm->eapRespData = NULL;
    341 	sm->eapRespData = eap_sm_buildNak(sm, sm->reqId);
    342 }
    343 
    344 
    345 /*
    346  * The method processing happens here. The request from the authenticator is
    347  * processed, and an appropriate response packet is built.
    348  */
    349 SM_STATE(EAP, METHOD)
    350 {
    351 	struct wpabuf *eapReqData;
    352 	struct eap_method_ret ret;
    353 	int min_len = 1;
    354 
    355 	SM_ENTRY(EAP, METHOD);
    356 	if (sm->m == NULL) {
    357 		wpa_printf(MSG_WARNING, "EAP::METHOD - method not selected");
    358 		return;
    359 	}
    360 
    361 	eapReqData = eapol_get_eapReqData(sm);
    362 	if (sm->m->vendor == EAP_VENDOR_IETF && sm->m->method == EAP_TYPE_LEAP)
    363 		min_len = 0; /* LEAP uses EAP-Success without payload */
    364 	if (!eap_hdr_len_valid(eapReqData, min_len))
    365 		return;
    366 
    367 	/*
    368 	 * Get ignore, methodState, decision, allowNotifications, and
    369 	 * eapRespData. RFC 4137 uses three separate method procedure (check,
    370 	 * process, and buildResp) in this state. These have been combined into
    371 	 * a single function call to m->process() in order to optimize EAP
    372 	 * method implementation interface a bit. These procedures are only
    373 	 * used from within this METHOD state, so there is no need to keep
    374 	 * these as separate C functions.
    375 	 *
    376 	 * The RFC 4137 procedures return values as follows:
    377 	 * ignore = m.check(eapReqData)
    378 	 * (methodState, decision, allowNotifications) = m.process(eapReqData)
    379 	 * eapRespData = m.buildResp(reqId)
    380 	 */
    381 	os_memset(&ret, 0, sizeof(ret));
    382 	ret.ignore = sm->ignore;
    383 	ret.methodState = sm->methodState;
    384 	ret.decision = sm->decision;
    385 	ret.allowNotifications = sm->allowNotifications;
    386 	wpabuf_free(sm->eapRespData);
    387 	sm->eapRespData = NULL;
    388 	sm->eapRespData = sm->m->process(sm, sm->eap_method_priv, &ret,
    389 					 eapReqData);
    390 	wpa_printf(MSG_DEBUG, "EAP: method process -> ignore=%s "
    391 		   "methodState=%s decision=%s",
    392 		   ret.ignore ? "TRUE" : "FALSE",
    393 		   eap_sm_method_state_txt(ret.methodState),
    394 		   eap_sm_decision_txt(ret.decision));
    395 
    396 	sm->ignore = ret.ignore;
    397 	if (sm->ignore)
    398 		return;
    399 	sm->methodState = ret.methodState;
    400 	sm->decision = ret.decision;
    401 	sm->allowNotifications = ret.allowNotifications;
    402 
    403 	if (sm->m->isKeyAvailable && sm->m->getKey &&
    404 	    sm->m->isKeyAvailable(sm, sm->eap_method_priv)) {
    405 		os_free(sm->eapKeyData);
    406 		sm->eapKeyData = sm->m->getKey(sm, sm->eap_method_priv,
    407 					       &sm->eapKeyDataLen);
    408 		os_free(sm->eapSessionId);
    409 		sm->eapSessionId = sm->m->getSessionId(sm, sm->eap_method_priv,
    410 						       &sm->eapSessionIdLen);
    411 		if (sm->eapSessionId) {
    412 			wpa_hexdump(MSG_DEBUG, "EAP: Session-Id",
    413 				    sm->eapSessionId, sm->eapSessionIdLen);
    414 		}
    415 	}
    416 }
    417 
    418 
    419 /*
    420  * This state signals the lower layer that a response packet is ready to be
    421  * sent.
    422  */
    423 SM_STATE(EAP, SEND_RESPONSE)
    424 {
    425 	SM_ENTRY(EAP, SEND_RESPONSE);
    426 	wpabuf_free(sm->lastRespData);
    427 	if (sm->eapRespData) {
    428 		if (sm->workaround)
    429 			os_memcpy(sm->last_md5, sm->req_md5, 16);
    430 		sm->lastId = sm->reqId;
    431 		sm->lastRespData = wpabuf_dup(sm->eapRespData);
    432 		eapol_set_bool(sm, EAPOL_eapResp, TRUE);
    433 	} else
    434 		sm->lastRespData = NULL;
    435 	eapol_set_bool(sm, EAPOL_eapReq, FALSE);
    436 	eapol_set_int(sm, EAPOL_idleWhile, sm->ClientTimeout);
    437 }
    438 
    439 
    440 /*
    441  * This state signals the lower layer that the request was discarded, and no
    442  * response packet will be sent at this time.
    443  */
    444 SM_STATE(EAP, DISCARD)
    445 {
    446 	SM_ENTRY(EAP, DISCARD);
    447 	eapol_set_bool(sm, EAPOL_eapReq, FALSE);
    448 	eapol_set_bool(sm, EAPOL_eapNoResp, TRUE);
    449 }
    450 
    451 
    452 /*
    453  * Handles requests for Identity method and builds a response.
    454  */
    455 SM_STATE(EAP, IDENTITY)
    456 {
    457 	const struct wpabuf *eapReqData;
    458 
    459 	SM_ENTRY(EAP, IDENTITY);
    460 	eapReqData = eapol_get_eapReqData(sm);
    461 	if (!eap_hdr_len_valid(eapReqData, 1))
    462 		return;
    463 	eap_sm_processIdentity(sm, eapReqData);
    464 	wpabuf_free(sm->eapRespData);
    465 	sm->eapRespData = NULL;
    466 	sm->eapRespData = eap_sm_buildIdentity(sm, sm->reqId, 0);
    467 }
    468 
    469 
    470 /*
    471  * Handles requests for Notification method and builds a response.
    472  */
    473 SM_STATE(EAP, NOTIFICATION)
    474 {
    475 	const struct wpabuf *eapReqData;
    476 
    477 	SM_ENTRY(EAP, NOTIFICATION);
    478 	eapReqData = eapol_get_eapReqData(sm);
    479 	if (!eap_hdr_len_valid(eapReqData, 1))
    480 		return;
    481 	eap_sm_processNotify(sm, eapReqData);
    482 	wpabuf_free(sm->eapRespData);
    483 	sm->eapRespData = NULL;
    484 	sm->eapRespData = eap_sm_buildNotify(sm->reqId);
    485 }
    486 
    487 
    488 /*
    489  * This state retransmits the previous response packet.
    490  */
    491 SM_STATE(EAP, RETRANSMIT)
    492 {
    493 	SM_ENTRY(EAP, RETRANSMIT);
    494 	wpabuf_free(sm->eapRespData);
    495 	if (sm->lastRespData)
    496 		sm->eapRespData = wpabuf_dup(sm->lastRespData);
    497 	else
    498 		sm->eapRespData = NULL;
    499 }
    500 
    501 
    502 /*
    503  * This state is entered in case of a successful completion of authentication
    504  * and state machine waits here until port is disabled or EAP authentication is
    505  * restarted.
    506  */
    507 SM_STATE(EAP, SUCCESS)
    508 {
    509 	SM_ENTRY(EAP, SUCCESS);
    510 	if (sm->eapKeyData != NULL)
    511 		sm->eapKeyAvailable = TRUE;
    512 	eapol_set_bool(sm, EAPOL_eapSuccess, TRUE);
    513 
    514 	/*
    515 	 * RFC 4137 does not clear eapReq here, but this seems to be required
    516 	 * to avoid processing the same request twice when state machine is
    517 	 * initialized.
    518 	 */
    519 	eapol_set_bool(sm, EAPOL_eapReq, FALSE);
    520 
    521 	/*
    522 	 * RFC 4137 does not set eapNoResp here, but this seems to be required
    523 	 * to get EAPOL Supplicant backend state machine into SUCCESS state. In
    524 	 * addition, either eapResp or eapNoResp is required to be set after
    525 	 * processing the received EAP frame.
    526 	 */
    527 	eapol_set_bool(sm, EAPOL_eapNoResp, TRUE);
    528 
    529 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
    530 		"EAP authentication completed successfully");
    531 }
    532 
    533 
    534 /*
    535  * This state is entered in case of a failure and state machine waits here
    536  * until port is disabled or EAP authentication is restarted.
    537  */
    538 SM_STATE(EAP, FAILURE)
    539 {
    540 	SM_ENTRY(EAP, FAILURE);
    541 	eapol_set_bool(sm, EAPOL_eapFail, TRUE);
    542 
    543 	/*
    544 	 * RFC 4137 does not clear eapReq here, but this seems to be required
    545 	 * to avoid processing the same request twice when state machine is
    546 	 * initialized.
    547 	 */
    548 	eapol_set_bool(sm, EAPOL_eapReq, FALSE);
    549 
    550 	/*
    551 	 * RFC 4137 does not set eapNoResp here. However, either eapResp or
    552 	 * eapNoResp is required to be set after processing the received EAP
    553 	 * frame.
    554 	 */
    555 	eapol_set_bool(sm, EAPOL_eapNoResp, TRUE);
    556 
    557 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
    558 		"EAP authentication failed");
    559 
    560 	sm->prev_failure = 1;
    561 }
    562 
    563 
    564 static int eap_success_workaround(struct eap_sm *sm, int reqId, int lastId)
    565 {
    566 	/*
    567 	 * At least Microsoft IAS and Meetinghouse Aegis seem to be sending
    568 	 * EAP-Success/Failure with lastId + 1 even though RFC 3748 and
    569 	 * RFC 4137 require that reqId == lastId. In addition, it looks like
    570 	 * Ringmaster v2.1.2.0 would be using lastId + 2 in EAP-Success.
    571 	 *
    572 	 * Accept this kind of Id if EAP workarounds are enabled. These are
    573 	 * unauthenticated plaintext messages, so this should have minimal
    574 	 * security implications (bit easier to fake EAP-Success/Failure).
    575 	 */
    576 	if (sm->workaround && (reqId == ((lastId + 1) & 0xff) ||
    577 			       reqId == ((lastId + 2) & 0xff))) {
    578 		wpa_printf(MSG_DEBUG, "EAP: Workaround for unexpected "
    579 			   "identifier field in EAP Success: "
    580 			   "reqId=%d lastId=%d (these are supposed to be "
    581 			   "same)", reqId, lastId);
    582 		return 1;
    583 	}
    584 	wpa_printf(MSG_DEBUG, "EAP: EAP-Success Id mismatch - reqId=%d "
    585 		   "lastId=%d", reqId, lastId);
    586 	return 0;
    587 }
    588 
    589 
    590 /*
    591  * RFC 4137 - Appendix A.1: EAP Peer State Machine - State transitions
    592  */
    593 
    594 static void eap_peer_sm_step_idle(struct eap_sm *sm)
    595 {
    596 	/*
    597 	 * The first three transitions are from RFC 4137. The last two are
    598 	 * local additions to handle special cases with LEAP and PEAP server
    599 	 * not sending EAP-Success in some cases.
    600 	 */
    601 	if (eapol_get_bool(sm, EAPOL_eapReq))
    602 		SM_ENTER(EAP, RECEIVED);
    603 	else if ((eapol_get_bool(sm, EAPOL_altAccept) &&
    604 		  sm->decision != DECISION_FAIL) ||
    605 		 (eapol_get_int(sm, EAPOL_idleWhile) == 0 &&
    606 		  sm->decision == DECISION_UNCOND_SUCC))
    607 		SM_ENTER(EAP, SUCCESS);
    608 	else if (eapol_get_bool(sm, EAPOL_altReject) ||
    609 		 (eapol_get_int(sm, EAPOL_idleWhile) == 0 &&
    610 		  sm->decision != DECISION_UNCOND_SUCC) ||
    611 		 (eapol_get_bool(sm, EAPOL_altAccept) &&
    612 		  sm->methodState != METHOD_CONT &&
    613 		  sm->decision == DECISION_FAIL))
    614 		SM_ENTER(EAP, FAILURE);
    615 	else if (sm->selectedMethod == EAP_TYPE_LEAP &&
    616 		 sm->leap_done && sm->decision != DECISION_FAIL &&
    617 		 sm->methodState == METHOD_DONE)
    618 		SM_ENTER(EAP, SUCCESS);
    619 	else if (sm->selectedMethod == EAP_TYPE_PEAP &&
    620 		 sm->peap_done && sm->decision != DECISION_FAIL &&
    621 		 sm->methodState == METHOD_DONE)
    622 		SM_ENTER(EAP, SUCCESS);
    623 }
    624 
    625 
    626 static int eap_peer_req_is_duplicate(struct eap_sm *sm)
    627 {
    628 	int duplicate;
    629 
    630 	duplicate = (sm->reqId == sm->lastId) && sm->rxReq;
    631 	if (sm->workaround && duplicate &&
    632 	    os_memcmp(sm->req_md5, sm->last_md5, 16) != 0) {
    633 		/*
    634 		 * RFC 4137 uses (reqId == lastId) as the only verification for
    635 		 * duplicate EAP requests. However, this misses cases where the
    636 		 * AS is incorrectly using the same id again; and
    637 		 * unfortunately, such implementations exist. Use MD5 hash as
    638 		 * an extra verification for the packets being duplicate to
    639 		 * workaround these issues.
    640 		 */
    641 		wpa_printf(MSG_DEBUG, "EAP: AS used the same Id again, but "
    642 			   "EAP packets were not identical");
    643 		wpa_printf(MSG_DEBUG, "EAP: workaround - assume this is not a "
    644 			   "duplicate packet");
    645 		duplicate = 0;
    646 	}
    647 
    648 	return duplicate;
    649 }
    650 
    651 
    652 static void eap_peer_sm_step_received(struct eap_sm *sm)
    653 {
    654 	int duplicate = eap_peer_req_is_duplicate(sm);
    655 
    656 	/*
    657 	 * Two special cases below for LEAP are local additions to work around
    658 	 * odd LEAP behavior (EAP-Success in the middle of authentication and
    659 	 * then swapped roles). Other transitions are based on RFC 4137.
    660 	 */
    661 	if (sm->rxSuccess && sm->decision != DECISION_FAIL &&
    662 	    (sm->reqId == sm->lastId ||
    663 	     eap_success_workaround(sm, sm->reqId, sm->lastId)))
    664 		SM_ENTER(EAP, SUCCESS);
    665 	else if (sm->methodState != METHOD_CONT &&
    666 		 ((sm->rxFailure &&
    667 		   sm->decision != DECISION_UNCOND_SUCC) ||
    668 		  (sm->rxSuccess && sm->decision == DECISION_FAIL &&
    669 		   (sm->selectedMethod != EAP_TYPE_LEAP ||
    670 		    sm->methodState != METHOD_MAY_CONT))) &&
    671 		 (sm->reqId == sm->lastId ||
    672 		  eap_success_workaround(sm, sm->reqId, sm->lastId)))
    673 		SM_ENTER(EAP, FAILURE);
    674 	else if (sm->rxReq && duplicate)
    675 		SM_ENTER(EAP, RETRANSMIT);
    676 	else if (sm->rxReq && !duplicate &&
    677 		 sm->reqMethod == EAP_TYPE_NOTIFICATION &&
    678 		 sm->allowNotifications)
    679 		SM_ENTER(EAP, NOTIFICATION);
    680 	else if (sm->rxReq && !duplicate &&
    681 		 sm->selectedMethod == EAP_TYPE_NONE &&
    682 		 sm->reqMethod == EAP_TYPE_IDENTITY)
    683 		SM_ENTER(EAP, IDENTITY);
    684 	else if (sm->rxReq && !duplicate &&
    685 		 sm->selectedMethod == EAP_TYPE_NONE &&
    686 		 sm->reqMethod != EAP_TYPE_IDENTITY &&
    687 		 sm->reqMethod != EAP_TYPE_NOTIFICATION)
    688 		SM_ENTER(EAP, GET_METHOD);
    689 	else if (sm->rxReq && !duplicate &&
    690 		 sm->reqMethod == sm->selectedMethod &&
    691 		 sm->methodState != METHOD_DONE)
    692 		SM_ENTER(EAP, METHOD);
    693 	else if (sm->selectedMethod == EAP_TYPE_LEAP &&
    694 		 (sm->rxSuccess || sm->rxResp))
    695 		SM_ENTER(EAP, METHOD);
    696 	else
    697 		SM_ENTER(EAP, DISCARD);
    698 }
    699 
    700 
    701 static void eap_peer_sm_step_local(struct eap_sm *sm)
    702 {
    703 	switch (sm->EAP_state) {
    704 	case EAP_INITIALIZE:
    705 		SM_ENTER(EAP, IDLE);
    706 		break;
    707 	case EAP_DISABLED:
    708 		if (eapol_get_bool(sm, EAPOL_portEnabled) &&
    709 		    !sm->force_disabled)
    710 			SM_ENTER(EAP, INITIALIZE);
    711 		break;
    712 	case EAP_IDLE:
    713 		eap_peer_sm_step_idle(sm);
    714 		break;
    715 	case EAP_RECEIVED:
    716 		eap_peer_sm_step_received(sm);
    717 		break;
    718 	case EAP_GET_METHOD:
    719 		if (sm->selectedMethod == sm->reqMethod)
    720 			SM_ENTER(EAP, METHOD);
    721 		else
    722 			SM_ENTER(EAP, SEND_RESPONSE);
    723 		break;
    724 	case EAP_METHOD:
    725 		if (sm->ignore)
    726 			SM_ENTER(EAP, DISCARD);
    727 		else
    728 			SM_ENTER(EAP, SEND_RESPONSE);
    729 		break;
    730 	case EAP_SEND_RESPONSE:
    731 		SM_ENTER(EAP, IDLE);
    732 		break;
    733 	case EAP_DISCARD:
    734 		SM_ENTER(EAP, IDLE);
    735 		break;
    736 	case EAP_IDENTITY:
    737 		SM_ENTER(EAP, SEND_RESPONSE);
    738 		break;
    739 	case EAP_NOTIFICATION:
    740 		SM_ENTER(EAP, SEND_RESPONSE);
    741 		break;
    742 	case EAP_RETRANSMIT:
    743 		SM_ENTER(EAP, SEND_RESPONSE);
    744 		break;
    745 	case EAP_SUCCESS:
    746 		break;
    747 	case EAP_FAILURE:
    748 		break;
    749 	}
    750 }
    751 
    752 
    753 SM_STEP(EAP)
    754 {
    755 	/* Global transitions */
    756 	if (eapol_get_bool(sm, EAPOL_eapRestart) &&
    757 	    eapol_get_bool(sm, EAPOL_portEnabled))
    758 		SM_ENTER_GLOBAL(EAP, INITIALIZE);
    759 	else if (!eapol_get_bool(sm, EAPOL_portEnabled) || sm->force_disabled)
    760 		SM_ENTER_GLOBAL(EAP, DISABLED);
    761 	else if (sm->num_rounds > EAP_MAX_AUTH_ROUNDS) {
    762 		/* RFC 4137 does not place any limit on number of EAP messages
    763 		 * in an authentication session. However, some error cases have
    764 		 * ended up in a state were EAP messages were sent between the
    765 		 * peer and server in a loop (e.g., TLS ACK frame in both
    766 		 * direction). Since this is quite undesired outcome, limit the
    767 		 * total number of EAP round-trips and abort authentication if
    768 		 * this limit is exceeded.
    769 		 */
    770 		if (sm->num_rounds == EAP_MAX_AUTH_ROUNDS + 1) {
    771 			wpa_msg(sm->msg_ctx, MSG_INFO, "EAP: more than %d "
    772 				"authentication rounds - abort",
    773 				EAP_MAX_AUTH_ROUNDS);
    774 			sm->num_rounds++;
    775 			SM_ENTER_GLOBAL(EAP, FAILURE);
    776 		}
    777 	} else {
    778 		/* Local transitions */
    779 		eap_peer_sm_step_local(sm);
    780 	}
    781 }
    782 
    783 
    784 static Boolean eap_sm_allowMethod(struct eap_sm *sm, int vendor,
    785 				  EapType method)
    786 {
    787 	if (!eap_allowed_method(sm, vendor, method)) {
    788 		wpa_printf(MSG_DEBUG, "EAP: configuration does not allow: "
    789 			   "vendor %u method %u", vendor, method);
    790 		return FALSE;
    791 	}
    792 	if (eap_peer_get_eap_method(vendor, method))
    793 		return TRUE;
    794 	wpa_printf(MSG_DEBUG, "EAP: not included in build: "
    795 		   "vendor %u method %u", vendor, method);
    796 	return FALSE;
    797 }
    798 
    799 
    800 static struct wpabuf * eap_sm_build_expanded_nak(
    801 	struct eap_sm *sm, int id, const struct eap_method *methods,
    802 	size_t count)
    803 {
    804 	struct wpabuf *resp;
    805 	int found = 0;
    806 	const struct eap_method *m;
    807 
    808 	wpa_printf(MSG_DEBUG, "EAP: Building expanded EAP-Nak");
    809 
    810 	/* RFC 3748 - 5.3.2: Expanded Nak */
    811 	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_EXPANDED,
    812 			     8 + 8 * (count + 1), EAP_CODE_RESPONSE, id);
    813 	if (resp == NULL)
    814 		return NULL;
    815 
    816 	wpabuf_put_be24(resp, EAP_VENDOR_IETF);
    817 	wpabuf_put_be32(resp, EAP_TYPE_NAK);
    818 
    819 	for (m = methods; m; m = m->next) {
    820 		if (sm->reqVendor == m->vendor &&
    821 		    sm->reqVendorMethod == m->method)
    822 			continue; /* do not allow the current method again */
    823 		if (eap_allowed_method(sm, m->vendor, m->method)) {
    824 			wpa_printf(MSG_DEBUG, "EAP: allowed type: "
    825 				   "vendor=%u method=%u",
    826 				   m->vendor, m->method);
    827 			wpabuf_put_u8(resp, EAP_TYPE_EXPANDED);
    828 			wpabuf_put_be24(resp, m->vendor);
    829 			wpabuf_put_be32(resp, m->method);
    830 
    831 			found++;
    832 		}
    833 	}
    834 	if (!found) {
    835 		wpa_printf(MSG_DEBUG, "EAP: no more allowed methods");
    836 		wpabuf_put_u8(resp, EAP_TYPE_EXPANDED);
    837 		wpabuf_put_be24(resp, EAP_VENDOR_IETF);
    838 		wpabuf_put_be32(resp, EAP_TYPE_NONE);
    839 	}
    840 
    841 	eap_update_len(resp);
    842 
    843 	return resp;
    844 }
    845 
    846 
    847 static struct wpabuf * eap_sm_buildNak(struct eap_sm *sm, int id)
    848 {
    849 	struct wpabuf *resp;
    850 	u8 *start;
    851 	int found = 0, expanded_found = 0;
    852 	size_t count;
    853 	const struct eap_method *methods, *m;
    854 
    855 	wpa_printf(MSG_DEBUG, "EAP: Building EAP-Nak (requested type %u "
    856 		   "vendor=%u method=%u not allowed)", sm->reqMethod,
    857 		   sm->reqVendor, sm->reqVendorMethod);
    858 	methods = eap_peer_get_methods(&count);
    859 	if (methods == NULL)
    860 		return NULL;
    861 	if (sm->reqMethod == EAP_TYPE_EXPANDED)
    862 		return eap_sm_build_expanded_nak(sm, id, methods, count);
    863 
    864 	/* RFC 3748 - 5.3.1: Legacy Nak */
    865 	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_NAK,
    866 			     sizeof(struct eap_hdr) + 1 + count + 1,
    867 			     EAP_CODE_RESPONSE, id);
    868 	if (resp == NULL)
    869 		return NULL;
    870 
    871 	start = wpabuf_put(resp, 0);
    872 	for (m = methods; m; m = m->next) {
    873 		if (m->vendor == EAP_VENDOR_IETF && m->method == sm->reqMethod)
    874 			continue; /* do not allow the current method again */
    875 		if (eap_allowed_method(sm, m->vendor, m->method)) {
    876 			if (m->vendor != EAP_VENDOR_IETF) {
    877 				if (expanded_found)
    878 					continue;
    879 				expanded_found = 1;
    880 				wpabuf_put_u8(resp, EAP_TYPE_EXPANDED);
    881 			} else
    882 				wpabuf_put_u8(resp, m->method);
    883 			found++;
    884 		}
    885 	}
    886 	if (!found)
    887 		wpabuf_put_u8(resp, EAP_TYPE_NONE);
    888 	wpa_hexdump(MSG_DEBUG, "EAP: allowed methods", start, found);
    889 
    890 	eap_update_len(resp);
    891 
    892 	return resp;
    893 }
    894 
    895 
    896 static void eap_sm_processIdentity(struct eap_sm *sm, const struct wpabuf *req)
    897 {
    898 	const u8 *pos;
    899 	size_t msg_len;
    900 
    901 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
    902 		"EAP authentication started");
    903 	eap_notify_status(sm, "started", "");
    904 
    905 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_IDENTITY, req,
    906 			       &msg_len);
    907 	if (pos == NULL)
    908 		return;
    909 
    910 	/*
    911 	 * RFC 3748 - 5.1: Identity
    912 	 * Data field may contain a displayable message in UTF-8. If this
    913 	 * includes NUL-character, only the data before that should be
    914 	 * displayed. Some EAP implementasitons may piggy-back additional
    915 	 * options after the NUL.
    916 	 */
    917 	/* TODO: could save displayable message so that it can be shown to the
    918 	 * user in case of interaction is required */
    919 	wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Request Identity data",
    920 			  pos, msg_len);
    921 }
    922 
    923 
    924 #ifdef PCSC_FUNCS
    925 
    926 /*
    927  * Rules for figuring out MNC length based on IMSI for SIM cards that do not
    928  * include MNC length field.
    929  */
    930 static int mnc_len_from_imsi(const char *imsi)
    931 {
    932 	char mcc_str[4];
    933 	unsigned int mcc;
    934 
    935 	os_memcpy(mcc_str, imsi, 3);
    936 	mcc_str[3] = '\0';
    937 	mcc = atoi(mcc_str);
    938 
    939 	if (mcc == 244)
    940 		return 2; /* Networks in Finland use 2-digit MNC */
    941 
    942 	return -1;
    943 }
    944 
    945 
    946 static int eap_sm_append_3gpp_realm(struct eap_sm *sm, char *imsi,
    947 				    size_t max_len, size_t *imsi_len)
    948 {
    949 	int mnc_len;
    950 	char *pos, mnc[4];
    951 
    952 	if (*imsi_len + 36 > max_len) {
    953 		wpa_printf(MSG_WARNING, "No room for realm in IMSI buffer");
    954 		return -1;
    955 	}
    956 
    957 	/* MNC (2 or 3 digits) */
    958 	mnc_len = scard_get_mnc_len(sm->scard_ctx);
    959 	if (mnc_len < 0)
    960 		mnc_len = mnc_len_from_imsi(imsi);
    961 	if (mnc_len < 0) {
    962 		wpa_printf(MSG_INFO, "Failed to get MNC length from (U)SIM "
    963 			   "assuming 3");
    964 		mnc_len = 3;
    965 	}
    966 
    967 	if (mnc_len == 2) {
    968 		mnc[0] = '0';
    969 		mnc[1] = imsi[3];
    970 		mnc[2] = imsi[4];
    971 	} else if (mnc_len == 3) {
    972 		mnc[0] = imsi[3];
    973 		mnc[1] = imsi[4];
    974 		mnc[2] = imsi[5];
    975 	}
    976 	mnc[3] = '\0';
    977 
    978 	pos = imsi + *imsi_len;
    979 	pos += os_snprintf(pos, imsi + max_len - pos,
    980 			   "@wlan.mnc%s.mcc%c%c%c.3gppnetwork.org",
    981 			   mnc, imsi[0], imsi[1], imsi[2]);
    982 	*imsi_len = pos - imsi;
    983 
    984 	return 0;
    985 }
    986 
    987 
    988 static int eap_sm_imsi_identity(struct eap_sm *sm,
    989 				struct eap_peer_config *conf)
    990 {
    991 	enum { EAP_SM_SIM, EAP_SM_AKA, EAP_SM_AKA_PRIME } method = EAP_SM_SIM;
    992 	char imsi[100];
    993 	size_t imsi_len;
    994 	struct eap_method_type *m = conf->eap_methods;
    995 	int i;
    996 
    997 	imsi_len = sizeof(imsi);
    998 	if (scard_get_imsi(sm->scard_ctx, imsi, &imsi_len)) {
    999 		wpa_printf(MSG_WARNING, "Failed to get IMSI from SIM");
   1000 		return -1;
   1001 	}
   1002 
   1003 	wpa_hexdump_ascii(MSG_DEBUG, "IMSI", (u8 *) imsi, imsi_len);
   1004 
   1005 	if (imsi_len < 7) {
   1006 		wpa_printf(MSG_WARNING, "Too short IMSI for SIM identity");
   1007 		return -1;
   1008 	}
   1009 
   1010 	if (eap_sm_append_3gpp_realm(sm, imsi, sizeof(imsi), &imsi_len) < 0) {
   1011 		wpa_printf(MSG_WARNING, "Could not add realm to SIM identity");
   1012 		return -1;
   1013 	}
   1014 	wpa_hexdump_ascii(MSG_DEBUG, "IMSI + realm", (u8 *) imsi, imsi_len);
   1015 
   1016 	for (i = 0; m && (m[i].vendor != EAP_VENDOR_IETF ||
   1017 			  m[i].method != EAP_TYPE_NONE); i++) {
   1018 		if (m[i].vendor == EAP_VENDOR_IETF &&
   1019 		    m[i].method == EAP_TYPE_AKA_PRIME) {
   1020 			method = EAP_SM_AKA_PRIME;
   1021 			break;
   1022 		}
   1023 
   1024 		if (m[i].vendor == EAP_VENDOR_IETF &&
   1025 		    m[i].method == EAP_TYPE_AKA) {
   1026 			method = EAP_SM_AKA;
   1027 			break;
   1028 		}
   1029 	}
   1030 
   1031 	os_free(conf->identity);
   1032 	conf->identity = os_malloc(1 + imsi_len);
   1033 	if (conf->identity == NULL) {
   1034 		wpa_printf(MSG_WARNING, "Failed to allocate buffer for "
   1035 			   "IMSI-based identity");
   1036 		return -1;
   1037 	}
   1038 
   1039 	switch (method) {
   1040 	case EAP_SM_SIM:
   1041 		conf->identity[0] = '1';
   1042 		break;
   1043 	case EAP_SM_AKA:
   1044 		conf->identity[0] = '0';
   1045 		break;
   1046 	case EAP_SM_AKA_PRIME:
   1047 		conf->identity[0] = '6';
   1048 		break;
   1049 	}
   1050 	os_memcpy(conf->identity + 1, imsi, imsi_len);
   1051 	conf->identity_len = 1 + imsi_len;
   1052 
   1053 	return 0;
   1054 }
   1055 
   1056 #endif /* PCSC_FUNCS */
   1057 
   1058 
   1059 static int eap_sm_set_scard_pin(struct eap_sm *sm,
   1060 				struct eap_peer_config *conf)
   1061 {
   1062 #ifdef PCSC_FUNCS
   1063 	if (scard_set_pin(sm->scard_ctx, conf->pin)) {
   1064 		/*
   1065 		 * Make sure the same PIN is not tried again in order to avoid
   1066 		 * blocking SIM.
   1067 		 */
   1068 		os_free(conf->pin);
   1069 		conf->pin = NULL;
   1070 
   1071 		wpa_printf(MSG_WARNING, "PIN validation failed");
   1072 		eap_sm_request_pin(sm);
   1073 		return -1;
   1074 	}
   1075 	return 0;
   1076 #else /* PCSC_FUNCS */
   1077 	return -1;
   1078 #endif /* PCSC_FUNCS */
   1079 }
   1080 
   1081 static int eap_sm_get_scard_identity(struct eap_sm *sm,
   1082 				     struct eap_peer_config *conf)
   1083 {
   1084 #ifdef PCSC_FUNCS
   1085 	if (eap_sm_set_scard_pin(sm, conf))
   1086 		return -1;
   1087 
   1088 	return eap_sm_imsi_identity(sm, conf);
   1089 #else /* PCSC_FUNCS */
   1090 	return -1;
   1091 #endif /* PCSC_FUNCS */
   1092 }
   1093 
   1094 
   1095 /**
   1096  * eap_sm_buildIdentity - Build EAP-Identity/Response for the current network
   1097  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1098  * @id: EAP identifier for the packet
   1099  * @encrypted: Whether the packet is for encrypted tunnel (EAP phase 2)
   1100  * Returns: Pointer to the allocated EAP-Identity/Response packet or %NULL on
   1101  * failure
   1102  *
   1103  * This function allocates and builds an EAP-Identity/Response packet for the
   1104  * current network. The caller is responsible for freeing the returned data.
   1105  */
   1106 struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted)
   1107 {
   1108 	struct eap_peer_config *config = eap_get_config(sm);
   1109 	struct wpabuf *resp;
   1110 	const u8 *identity;
   1111 	size_t identity_len;
   1112 
   1113 	if (config == NULL) {
   1114 		wpa_printf(MSG_WARNING, "EAP: buildIdentity: configuration "
   1115 			   "was not available");
   1116 		return NULL;
   1117 	}
   1118 
   1119 	if (sm->m && sm->m->get_identity &&
   1120 	    (identity = sm->m->get_identity(sm, sm->eap_method_priv,
   1121 					    &identity_len)) != NULL) {
   1122 		wpa_hexdump_ascii(MSG_DEBUG, "EAP: using method re-auth "
   1123 				  "identity", identity, identity_len);
   1124 	} else if (!encrypted && config->anonymous_identity) {
   1125 		identity = config->anonymous_identity;
   1126 		identity_len = config->anonymous_identity_len;
   1127 		wpa_hexdump_ascii(MSG_DEBUG, "EAP: using anonymous identity",
   1128 				  identity, identity_len);
   1129 	} else {
   1130 		identity = config->identity;
   1131 		identity_len = config->identity_len;
   1132 		wpa_hexdump_ascii(MSG_DEBUG, "EAP: using real identity",
   1133 				  identity, identity_len);
   1134 	}
   1135 
   1136 	if (identity == NULL) {
   1137 		wpa_printf(MSG_WARNING, "EAP: buildIdentity: identity "
   1138 			   "configuration was not available");
   1139 		if (config->pcsc) {
   1140 			if (eap_sm_get_scard_identity(sm, config) < 0)
   1141 				return NULL;
   1142 			identity = config->identity;
   1143 			identity_len = config->identity_len;
   1144 			wpa_hexdump_ascii(MSG_DEBUG, "permanent identity from "
   1145 					  "IMSI", identity, identity_len);
   1146 		} else {
   1147 			eap_sm_request_identity(sm);
   1148 			return NULL;
   1149 		}
   1150 	} else if (config->pcsc) {
   1151 		if (eap_sm_set_scard_pin(sm, config) < 0)
   1152 			return NULL;
   1153 	}
   1154 
   1155 	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_IDENTITY, identity_len,
   1156 			     EAP_CODE_RESPONSE, id);
   1157 	if (resp == NULL)
   1158 		return NULL;
   1159 
   1160 	wpabuf_put_data(resp, identity, identity_len);
   1161 
   1162 	return resp;
   1163 }
   1164 
   1165 
   1166 static void eap_sm_processNotify(struct eap_sm *sm, const struct wpabuf *req)
   1167 {
   1168 	const u8 *pos;
   1169 	char *msg;
   1170 	size_t i, msg_len;
   1171 
   1172 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_NOTIFICATION, req,
   1173 			       &msg_len);
   1174 	if (pos == NULL)
   1175 		return;
   1176 	wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Request Notification data",
   1177 			  pos, msg_len);
   1178 
   1179 	msg = os_malloc(msg_len + 1);
   1180 	if (msg == NULL)
   1181 		return;
   1182 	for (i = 0; i < msg_len; i++)
   1183 		msg[i] = isprint(pos[i]) ? (char) pos[i] : '_';
   1184 	msg[msg_len] = '\0';
   1185 	wpa_msg(sm->msg_ctx, MSG_INFO, "%s%s",
   1186 		WPA_EVENT_EAP_NOTIFICATION, msg);
   1187 	os_free(msg);
   1188 }
   1189 
   1190 
   1191 static struct wpabuf * eap_sm_buildNotify(int id)
   1192 {
   1193 	struct wpabuf *resp;
   1194 
   1195 	wpa_printf(MSG_DEBUG, "EAP: Generating EAP-Response Notification");
   1196 	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_NOTIFICATION, 0,
   1197 			     EAP_CODE_RESPONSE, id);
   1198 	if (resp == NULL)
   1199 		return NULL;
   1200 
   1201 	return resp;
   1202 }
   1203 
   1204 
   1205 static void eap_sm_parseEapReq(struct eap_sm *sm, const struct wpabuf *req)
   1206 {
   1207 	const struct eap_hdr *hdr;
   1208 	size_t plen;
   1209 	const u8 *pos;
   1210 
   1211 	sm->rxReq = sm->rxResp = sm->rxSuccess = sm->rxFailure = FALSE;
   1212 	sm->reqId = 0;
   1213 	sm->reqMethod = EAP_TYPE_NONE;
   1214 	sm->reqVendor = EAP_VENDOR_IETF;
   1215 	sm->reqVendorMethod = EAP_TYPE_NONE;
   1216 
   1217 	if (req == NULL || wpabuf_len(req) < sizeof(*hdr))
   1218 		return;
   1219 
   1220 	hdr = wpabuf_head(req);
   1221 	plen = be_to_host16(hdr->length);
   1222 	if (plen > wpabuf_len(req)) {
   1223 		wpa_printf(MSG_DEBUG, "EAP: Ignored truncated EAP-Packet "
   1224 			   "(len=%lu plen=%lu)",
   1225 			   (unsigned long) wpabuf_len(req),
   1226 			   (unsigned long) plen);
   1227 		return;
   1228 	}
   1229 
   1230 	sm->reqId = hdr->identifier;
   1231 
   1232 	if (sm->workaround) {
   1233 		const u8 *addr[1];
   1234 		addr[0] = wpabuf_head(req);
   1235 		md5_vector(1, addr, &plen, sm->req_md5);
   1236 	}
   1237 
   1238 	switch (hdr->code) {
   1239 	case EAP_CODE_REQUEST:
   1240 		if (plen < sizeof(*hdr) + 1) {
   1241 			wpa_printf(MSG_DEBUG, "EAP: Too short EAP-Request - "
   1242 				   "no Type field");
   1243 			return;
   1244 		}
   1245 		sm->rxReq = TRUE;
   1246 		pos = (const u8 *) (hdr + 1);
   1247 		sm->reqMethod = *pos++;
   1248 		if (sm->reqMethod == EAP_TYPE_EXPANDED) {
   1249 			if (plen < sizeof(*hdr) + 8) {
   1250 				wpa_printf(MSG_DEBUG, "EAP: Ignored truncated "
   1251 					   "expanded EAP-Packet (plen=%lu)",
   1252 					   (unsigned long) plen);
   1253 				return;
   1254 			}
   1255 			sm->reqVendor = WPA_GET_BE24(pos);
   1256 			pos += 3;
   1257 			sm->reqVendorMethod = WPA_GET_BE32(pos);
   1258 		}
   1259 		wpa_printf(MSG_DEBUG, "EAP: Received EAP-Request id=%d "
   1260 			   "method=%u vendor=%u vendorMethod=%u",
   1261 			   sm->reqId, sm->reqMethod, sm->reqVendor,
   1262 			   sm->reqVendorMethod);
   1263 		break;
   1264 	case EAP_CODE_RESPONSE:
   1265 		if (sm->selectedMethod == EAP_TYPE_LEAP) {
   1266 			/*
   1267 			 * LEAP differs from RFC 4137 by using reversed roles
   1268 			 * for mutual authentication and because of this, we
   1269 			 * need to accept EAP-Response frames if LEAP is used.
   1270 			 */
   1271 			if (plen < sizeof(*hdr) + 1) {
   1272 				wpa_printf(MSG_DEBUG, "EAP: Too short "
   1273 					   "EAP-Response - no Type field");
   1274 				return;
   1275 			}
   1276 			sm->rxResp = TRUE;
   1277 			pos = (const u8 *) (hdr + 1);
   1278 			sm->reqMethod = *pos;
   1279 			wpa_printf(MSG_DEBUG, "EAP: Received EAP-Response for "
   1280 				   "LEAP method=%d id=%d",
   1281 				   sm->reqMethod, sm->reqId);
   1282 			break;
   1283 		}
   1284 		wpa_printf(MSG_DEBUG, "EAP: Ignored EAP-Response");
   1285 		break;
   1286 	case EAP_CODE_SUCCESS:
   1287 		wpa_printf(MSG_DEBUG, "EAP: Received EAP-Success");
   1288 		eap_notify_status(sm, "completion", "success");
   1289 		sm->rxSuccess = TRUE;
   1290 		break;
   1291 	case EAP_CODE_FAILURE:
   1292 		wpa_printf(MSG_DEBUG, "EAP: Received EAP-Failure");
   1293 		eap_notify_status(sm, "completion", "failure");
   1294 		sm->rxFailure = TRUE;
   1295 		break;
   1296 	default:
   1297 		wpa_printf(MSG_DEBUG, "EAP: Ignored EAP-Packet with unknown "
   1298 			   "code %d", hdr->code);
   1299 		break;
   1300 	}
   1301 }
   1302 
   1303 
   1304 static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
   1305 				  union tls_event_data *data)
   1306 {
   1307 	struct eap_sm *sm = ctx;
   1308 	char *hash_hex = NULL;
   1309 
   1310 	switch (ev) {
   1311 	case TLS_CERT_CHAIN_SUCCESS:
   1312 		eap_notify_status(sm, "remote certificate verification",
   1313 				  "success");
   1314 		break;
   1315 	case TLS_CERT_CHAIN_FAILURE:
   1316 		wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TLS_CERT_ERROR
   1317 			"reason=%d depth=%d subject='%s' err='%s'",
   1318 			data->cert_fail.reason,
   1319 			data->cert_fail.depth,
   1320 			data->cert_fail.subject,
   1321 			data->cert_fail.reason_txt);
   1322 		eap_notify_status(sm, "remote certificate verification",
   1323 				  data->cert_fail.reason_txt);
   1324 		break;
   1325 	case TLS_PEER_CERTIFICATE:
   1326 		if (!sm->eapol_cb->notify_cert)
   1327 			break;
   1328 
   1329 		if (data->peer_cert.hash) {
   1330 			size_t len = data->peer_cert.hash_len * 2 + 1;
   1331 			hash_hex = os_malloc(len);
   1332 			if (hash_hex) {
   1333 				wpa_snprintf_hex(hash_hex, len,
   1334 						 data->peer_cert.hash,
   1335 						 data->peer_cert.hash_len);
   1336 			}
   1337 		}
   1338 
   1339 		sm->eapol_cb->notify_cert(sm->eapol_ctx,
   1340 					  data->peer_cert.depth,
   1341 					  data->peer_cert.subject,
   1342 					  hash_hex, data->peer_cert.cert);
   1343 		break;
   1344 	case TLS_ALERT:
   1345 		if (data->alert.is_local)
   1346 			eap_notify_status(sm, "local TLS alert",
   1347 					  data->alert.description);
   1348 		else
   1349 			eap_notify_status(sm, "remote TLS alert",
   1350 					  data->alert.description);
   1351 		break;
   1352 	}
   1353 
   1354 	os_free(hash_hex);
   1355 }
   1356 
   1357 
   1358 /**
   1359  * eap_peer_sm_init - Allocate and initialize EAP peer state machine
   1360  * @eapol_ctx: Context data to be used with eapol_cb calls
   1361  * @eapol_cb: Pointer to EAPOL callback functions
   1362  * @msg_ctx: Context data for wpa_msg() calls
   1363  * @conf: EAP configuration
   1364  * Returns: Pointer to the allocated EAP state machine or %NULL on failure
   1365  *
   1366  * This function allocates and initializes an EAP state machine. In addition,
   1367  * this initializes TLS library for the new EAP state machine. eapol_cb pointer
   1368  * will be in use until eap_peer_sm_deinit() is used to deinitialize this EAP
   1369  * state machine. Consequently, the caller must make sure that this data
   1370  * structure remains alive while the EAP state machine is active.
   1371  */
   1372 struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
   1373 				 struct eapol_callbacks *eapol_cb,
   1374 				 void *msg_ctx, struct eap_config *conf)
   1375 {
   1376 	struct eap_sm *sm;
   1377 	struct tls_config tlsconf;
   1378 
   1379 	sm = os_zalloc(sizeof(*sm));
   1380 	if (sm == NULL)
   1381 		return NULL;
   1382 	sm->eapol_ctx = eapol_ctx;
   1383 	sm->eapol_cb = eapol_cb;
   1384 	sm->msg_ctx = msg_ctx;
   1385 	sm->ClientTimeout = EAP_CLIENT_TIMEOUT_DEFAULT;
   1386 	sm->wps = conf->wps;
   1387 
   1388 	os_memset(&tlsconf, 0, sizeof(tlsconf));
   1389 	tlsconf.opensc_engine_path = conf->opensc_engine_path;
   1390 	tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
   1391 	tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
   1392 #ifdef CONFIG_FIPS
   1393 	tlsconf.fips_mode = 1;
   1394 #endif /* CONFIG_FIPS */
   1395 	tlsconf.event_cb = eap_peer_sm_tls_event;
   1396 	tlsconf.cb_ctx = sm;
   1397 	tlsconf.cert_in_cb = conf->cert_in_cb;
   1398 	sm->ssl_ctx = tls_init(&tlsconf);
   1399 	if (sm->ssl_ctx == NULL) {
   1400 		wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS "
   1401 			   "context.");
   1402 		os_free(sm);
   1403 		return NULL;
   1404 	}
   1405 
   1406 	sm->ssl_ctx2 = tls_init(&tlsconf);
   1407 	if (sm->ssl_ctx2 == NULL) {
   1408 		wpa_printf(MSG_INFO, "SSL: Failed to initialize TLS "
   1409 			   "context (2).");
   1410 		/* Run without separate TLS context within TLS tunnel */
   1411 	}
   1412 
   1413 	return sm;
   1414 }
   1415 
   1416 
   1417 /**
   1418  * eap_peer_sm_deinit - Deinitialize and free an EAP peer state machine
   1419  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1420  *
   1421  * This function deinitializes EAP state machine and frees all allocated
   1422  * resources.
   1423  */
   1424 void eap_peer_sm_deinit(struct eap_sm *sm)
   1425 {
   1426 	if (sm == NULL)
   1427 		return;
   1428 	eap_deinit_prev_method(sm, "EAP deinit");
   1429 	eap_sm_abort(sm);
   1430 	if (sm->ssl_ctx2)
   1431 		tls_deinit(sm->ssl_ctx2);
   1432 	tls_deinit(sm->ssl_ctx);
   1433 	os_free(sm);
   1434 }
   1435 
   1436 
   1437 /**
   1438  * eap_peer_sm_step - Step EAP peer state machine
   1439  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1440  * Returns: 1 if EAP state was changed or 0 if not
   1441  *
   1442  * This function advances EAP state machine to a new state to match with the
   1443  * current variables. This should be called whenever variables used by the EAP
   1444  * state machine have changed.
   1445  */
   1446 int eap_peer_sm_step(struct eap_sm *sm)
   1447 {
   1448 	int res = 0;
   1449 	do {
   1450 		sm->changed = FALSE;
   1451 		SM_STEP_RUN(EAP);
   1452 		if (sm->changed)
   1453 			res = 1;
   1454 	} while (sm->changed);
   1455 	return res;
   1456 }
   1457 
   1458 
   1459 /**
   1460  * eap_sm_abort - Abort EAP authentication
   1461  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1462  *
   1463  * Release system resources that have been allocated for the authentication
   1464  * session without fully deinitializing the EAP state machine.
   1465  */
   1466 void eap_sm_abort(struct eap_sm *sm)
   1467 {
   1468 	wpabuf_free(sm->lastRespData);
   1469 	sm->lastRespData = NULL;
   1470 	wpabuf_free(sm->eapRespData);
   1471 	sm->eapRespData = NULL;
   1472 	os_free(sm->eapKeyData);
   1473 	sm->eapKeyData = NULL;
   1474 	os_free(sm->eapSessionId);
   1475 	sm->eapSessionId = NULL;
   1476 
   1477 	/* This is not clearly specified in the EAP statemachines draft, but
   1478 	 * it seems necessary to make sure that some of the EAPOL variables get
   1479 	 * cleared for the next authentication. */
   1480 	eapol_set_bool(sm, EAPOL_eapSuccess, FALSE);
   1481 }
   1482 
   1483 
   1484 #ifdef CONFIG_CTRL_IFACE
   1485 static const char * eap_sm_state_txt(int state)
   1486 {
   1487 	switch (state) {
   1488 	case EAP_INITIALIZE:
   1489 		return "INITIALIZE";
   1490 	case EAP_DISABLED:
   1491 		return "DISABLED";
   1492 	case EAP_IDLE:
   1493 		return "IDLE";
   1494 	case EAP_RECEIVED:
   1495 		return "RECEIVED";
   1496 	case EAP_GET_METHOD:
   1497 		return "GET_METHOD";
   1498 	case EAP_METHOD:
   1499 		return "METHOD";
   1500 	case EAP_SEND_RESPONSE:
   1501 		return "SEND_RESPONSE";
   1502 	case EAP_DISCARD:
   1503 		return "DISCARD";
   1504 	case EAP_IDENTITY:
   1505 		return "IDENTITY";
   1506 	case EAP_NOTIFICATION:
   1507 		return "NOTIFICATION";
   1508 	case EAP_RETRANSMIT:
   1509 		return "RETRANSMIT";
   1510 	case EAP_SUCCESS:
   1511 		return "SUCCESS";
   1512 	case EAP_FAILURE:
   1513 		return "FAILURE";
   1514 	default:
   1515 		return "UNKNOWN";
   1516 	}
   1517 }
   1518 #endif /* CONFIG_CTRL_IFACE */
   1519 
   1520 
   1521 #if defined(CONFIG_CTRL_IFACE) || !defined(CONFIG_NO_STDOUT_DEBUG)
   1522 static const char * eap_sm_method_state_txt(EapMethodState state)
   1523 {
   1524 	switch (state) {
   1525 	case METHOD_NONE:
   1526 		return "NONE";
   1527 	case METHOD_INIT:
   1528 		return "INIT";
   1529 	case METHOD_CONT:
   1530 		return "CONT";
   1531 	case METHOD_MAY_CONT:
   1532 		return "MAY_CONT";
   1533 	case METHOD_DONE:
   1534 		return "DONE";
   1535 	default:
   1536 		return "UNKNOWN";
   1537 	}
   1538 }
   1539 
   1540 
   1541 static const char * eap_sm_decision_txt(EapDecision decision)
   1542 {
   1543 	switch (decision) {
   1544 	case DECISION_FAIL:
   1545 		return "FAIL";
   1546 	case DECISION_COND_SUCC:
   1547 		return "COND_SUCC";
   1548 	case DECISION_UNCOND_SUCC:
   1549 		return "UNCOND_SUCC";
   1550 	default:
   1551 		return "UNKNOWN";
   1552 	}
   1553 }
   1554 #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
   1555 
   1556 
   1557 #ifdef CONFIG_CTRL_IFACE
   1558 
   1559 /**
   1560  * eap_sm_get_status - Get EAP state machine status
   1561  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1562  * @buf: Buffer for status information
   1563  * @buflen: Maximum buffer length
   1564  * @verbose: Whether to include verbose status information
   1565  * Returns: Number of bytes written to buf.
   1566  *
   1567  * Query EAP state machine for status information. This function fills in a
   1568  * text area with current status information from the EAPOL state machine. If
   1569  * the buffer (buf) is not large enough, status information will be truncated
   1570  * to fit the buffer.
   1571  */
   1572 int eap_sm_get_status(struct eap_sm *sm, char *buf, size_t buflen, int verbose)
   1573 {
   1574 	int len, ret;
   1575 
   1576 	if (sm == NULL)
   1577 		return 0;
   1578 
   1579 	len = os_snprintf(buf, buflen,
   1580 			  "EAP state=%s\n",
   1581 			  eap_sm_state_txt(sm->EAP_state));
   1582 	if (len < 0 || (size_t) len >= buflen)
   1583 		return 0;
   1584 
   1585 	if (sm->selectedMethod != EAP_TYPE_NONE) {
   1586 		const char *name;
   1587 		if (sm->m) {
   1588 			name = sm->m->name;
   1589 		} else {
   1590 			const struct eap_method *m =
   1591 				eap_peer_get_eap_method(EAP_VENDOR_IETF,
   1592 							sm->selectedMethod);
   1593 			if (m)
   1594 				name = m->name;
   1595 			else
   1596 				name = "?";
   1597 		}
   1598 		ret = os_snprintf(buf + len, buflen - len,
   1599 				  "selectedMethod=%d (EAP-%s)\n",
   1600 				  sm->selectedMethod, name);
   1601 		if (ret < 0 || (size_t) ret >= buflen - len)
   1602 			return len;
   1603 		len += ret;
   1604 
   1605 		if (sm->m && sm->m->get_status) {
   1606 			len += sm->m->get_status(sm, sm->eap_method_priv,
   1607 						 buf + len, buflen - len,
   1608 						 verbose);
   1609 		}
   1610 	}
   1611 
   1612 	if (verbose) {
   1613 		ret = os_snprintf(buf + len, buflen - len,
   1614 				  "reqMethod=%d\n"
   1615 				  "methodState=%s\n"
   1616 				  "decision=%s\n"
   1617 				  "ClientTimeout=%d\n",
   1618 				  sm->reqMethod,
   1619 				  eap_sm_method_state_txt(sm->methodState),
   1620 				  eap_sm_decision_txt(sm->decision),
   1621 				  sm->ClientTimeout);
   1622 		if (ret < 0 || (size_t) ret >= buflen - len)
   1623 			return len;
   1624 		len += ret;
   1625 	}
   1626 
   1627 	return len;
   1628 }
   1629 #endif /* CONFIG_CTRL_IFACE */
   1630 
   1631 
   1632 #if defined(CONFIG_CTRL_IFACE) || !defined(CONFIG_NO_STDOUT_DEBUG)
   1633 static void eap_sm_request(struct eap_sm *sm, enum wpa_ctrl_req_type field,
   1634 			   const char *msg, size_t msglen)
   1635 {
   1636 	struct eap_peer_config *config;
   1637 	char *txt = NULL, *tmp;
   1638 
   1639 	if (sm == NULL)
   1640 		return;
   1641 	config = eap_get_config(sm);
   1642 	if (config == NULL)
   1643 		return;
   1644 
   1645 	switch (field) {
   1646 	case WPA_CTRL_REQ_EAP_IDENTITY:
   1647 		config->pending_req_identity++;
   1648 		break;
   1649 	case WPA_CTRL_REQ_EAP_PASSWORD:
   1650 		config->pending_req_password++;
   1651 		break;
   1652 	case WPA_CTRL_REQ_EAP_NEW_PASSWORD:
   1653 		config->pending_req_new_password++;
   1654 		break;
   1655 	case WPA_CTRL_REQ_EAP_PIN:
   1656 		config->pending_req_pin++;
   1657 		break;
   1658 	case WPA_CTRL_REQ_EAP_OTP:
   1659 		if (msg) {
   1660 			tmp = os_malloc(msglen + 3);
   1661 			if (tmp == NULL)
   1662 				return;
   1663 			tmp[0] = '[';
   1664 			os_memcpy(tmp + 1, msg, msglen);
   1665 			tmp[msglen + 1] = ']';
   1666 			tmp[msglen + 2] = '\0';
   1667 			txt = tmp;
   1668 			os_free(config->pending_req_otp);
   1669 			config->pending_req_otp = tmp;
   1670 			config->pending_req_otp_len = msglen + 3;
   1671 		} else {
   1672 			if (config->pending_req_otp == NULL)
   1673 				return;
   1674 			txt = config->pending_req_otp;
   1675 		}
   1676 		break;
   1677 	case WPA_CTRL_REQ_EAP_PASSPHRASE:
   1678 		config->pending_req_passphrase++;
   1679 		break;
   1680 	default:
   1681 		return;
   1682 	}
   1683 
   1684 	if (sm->eapol_cb->eap_param_needed)
   1685 		sm->eapol_cb->eap_param_needed(sm->eapol_ctx, field, txt);
   1686 }
   1687 #else /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
   1688 #define eap_sm_request(sm, type, msg, msglen) do { } while (0)
   1689 #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
   1690 
   1691 const char * eap_sm_get_method_name(struct eap_sm *sm)
   1692 {
   1693 	if (sm->m == NULL)
   1694 		return "UNKNOWN";
   1695 	return sm->m->name;
   1696 }
   1697 
   1698 
   1699 /**
   1700  * eap_sm_request_identity - Request identity from user (ctrl_iface)
   1701  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1702  *
   1703  * EAP methods can call this function to request identity information for the
   1704  * current network. This is normally called when the identity is not included
   1705  * in the network configuration. The request will be sent to monitor programs
   1706  * through the control interface.
   1707  */
   1708 void eap_sm_request_identity(struct eap_sm *sm)
   1709 {
   1710 	eap_sm_request(sm, WPA_CTRL_REQ_EAP_IDENTITY, NULL, 0);
   1711 }
   1712 
   1713 
   1714 /**
   1715  * eap_sm_request_password - Request password from user (ctrl_iface)
   1716  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1717  *
   1718  * EAP methods can call this function to request password information for the
   1719  * current network. This is normally called when the password is not included
   1720  * in the network configuration. The request will be sent to monitor programs
   1721  * through the control interface.
   1722  */
   1723 void eap_sm_request_password(struct eap_sm *sm)
   1724 {
   1725 	eap_sm_request(sm, WPA_CTRL_REQ_EAP_PASSWORD, NULL, 0);
   1726 }
   1727 
   1728 
   1729 /**
   1730  * eap_sm_request_new_password - Request new password from user (ctrl_iface)
   1731  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1732  *
   1733  * EAP methods can call this function to request new password information for
   1734  * the current network. This is normally called when the EAP method indicates
   1735  * that the current password has expired and password change is required. The
   1736  * request will be sent to monitor programs through the control interface.
   1737  */
   1738 void eap_sm_request_new_password(struct eap_sm *sm)
   1739 {
   1740 	eap_sm_request(sm, WPA_CTRL_REQ_EAP_NEW_PASSWORD, NULL, 0);
   1741 }
   1742 
   1743 
   1744 /**
   1745  * eap_sm_request_pin - Request SIM or smart card PIN from user (ctrl_iface)
   1746  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1747  *
   1748  * EAP methods can call this function to request SIM or smart card PIN
   1749  * information for the current network. This is normally called when the PIN is
   1750  * not included in the network configuration. The request will be sent to
   1751  * monitor programs through the control interface.
   1752  */
   1753 void eap_sm_request_pin(struct eap_sm *sm)
   1754 {
   1755 	eap_sm_request(sm, WPA_CTRL_REQ_EAP_PIN, NULL, 0);
   1756 }
   1757 
   1758 
   1759 /**
   1760  * eap_sm_request_otp - Request one time password from user (ctrl_iface)
   1761  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1762  * @msg: Message to be displayed to the user when asking for OTP
   1763  * @msg_len: Length of the user displayable message
   1764  *
   1765  * EAP methods can call this function to request open time password (OTP) for
   1766  * the current network. The request will be sent to monitor programs through
   1767  * the control interface.
   1768  */
   1769 void eap_sm_request_otp(struct eap_sm *sm, const char *msg, size_t msg_len)
   1770 {
   1771 	eap_sm_request(sm, WPA_CTRL_REQ_EAP_OTP, msg, msg_len);
   1772 }
   1773 
   1774 
   1775 /**
   1776  * eap_sm_request_passphrase - Request passphrase from user (ctrl_iface)
   1777  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1778  *
   1779  * EAP methods can call this function to request passphrase for a private key
   1780  * for the current network. This is normally called when the passphrase is not
   1781  * included in the network configuration. The request will be sent to monitor
   1782  * programs through the control interface.
   1783  */
   1784 void eap_sm_request_passphrase(struct eap_sm *sm)
   1785 {
   1786 	eap_sm_request(sm, WPA_CTRL_REQ_EAP_PASSPHRASE, NULL, 0);
   1787 }
   1788 
   1789 
   1790 /**
   1791  * eap_sm_notify_ctrl_attached - Notification of attached monitor
   1792  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1793  *
   1794  * Notify EAP state machines that a monitor was attached to the control
   1795  * interface to trigger re-sending of pending requests for user input.
   1796  */
   1797 void eap_sm_notify_ctrl_attached(struct eap_sm *sm)
   1798 {
   1799 	struct eap_peer_config *config = eap_get_config(sm);
   1800 
   1801 	if (config == NULL)
   1802 		return;
   1803 
   1804 	/* Re-send any pending requests for user data since a new control
   1805 	 * interface was added. This handles cases where the EAP authentication
   1806 	 * starts immediately after system startup when the user interface is
   1807 	 * not yet running. */
   1808 	if (config->pending_req_identity)
   1809 		eap_sm_request_identity(sm);
   1810 	if (config->pending_req_password)
   1811 		eap_sm_request_password(sm);
   1812 	if (config->pending_req_new_password)
   1813 		eap_sm_request_new_password(sm);
   1814 	if (config->pending_req_otp)
   1815 		eap_sm_request_otp(sm, NULL, 0);
   1816 	if (config->pending_req_pin)
   1817 		eap_sm_request_pin(sm);
   1818 	if (config->pending_req_passphrase)
   1819 		eap_sm_request_passphrase(sm);
   1820 }
   1821 
   1822 
   1823 static int eap_allowed_phase2_type(int vendor, int type)
   1824 {
   1825 	if (vendor != EAP_VENDOR_IETF)
   1826 		return 0;
   1827 	return type != EAP_TYPE_PEAP && type != EAP_TYPE_TTLS &&
   1828 		type != EAP_TYPE_FAST;
   1829 }
   1830 
   1831 
   1832 /**
   1833  * eap_get_phase2_type - Get EAP type for the given EAP phase 2 method name
   1834  * @name: EAP method name, e.g., MD5
   1835  * @vendor: Buffer for returning EAP Vendor-Id
   1836  * Returns: EAP method type or %EAP_TYPE_NONE if not found
   1837  *
   1838  * This function maps EAP type names into EAP type numbers that are allowed for
   1839  * Phase 2, i.e., for tunneled authentication. Phase 2 is used, e.g., with
   1840  * EAP-PEAP, EAP-TTLS, and EAP-FAST.
   1841  */
   1842 u32 eap_get_phase2_type(const char *name, int *vendor)
   1843 {
   1844 	int v;
   1845 	u8 type = eap_peer_get_type(name, &v);
   1846 	if (eap_allowed_phase2_type(v, type)) {
   1847 		*vendor = v;
   1848 		return type;
   1849 	}
   1850 	*vendor = EAP_VENDOR_IETF;
   1851 	return EAP_TYPE_NONE;
   1852 }
   1853 
   1854 
   1855 /**
   1856  * eap_get_phase2_types - Get list of allowed EAP phase 2 types
   1857  * @config: Pointer to a network configuration
   1858  * @count: Pointer to a variable to be filled with number of returned EAP types
   1859  * Returns: Pointer to allocated type list or %NULL on failure
   1860  *
   1861  * This function generates an array of allowed EAP phase 2 (tunneled) types for
   1862  * the given network configuration.
   1863  */
   1864 struct eap_method_type * eap_get_phase2_types(struct eap_peer_config *config,
   1865 					      size_t *count)
   1866 {
   1867 	struct eap_method_type *buf;
   1868 	u32 method;
   1869 	int vendor;
   1870 	size_t mcount;
   1871 	const struct eap_method *methods, *m;
   1872 
   1873 	methods = eap_peer_get_methods(&mcount);
   1874 	if (methods == NULL)
   1875 		return NULL;
   1876 	*count = 0;
   1877 	buf = os_malloc(mcount * sizeof(struct eap_method_type));
   1878 	if (buf == NULL)
   1879 		return NULL;
   1880 
   1881 	for (m = methods; m; m = m->next) {
   1882 		vendor = m->vendor;
   1883 		method = m->method;
   1884 		if (eap_allowed_phase2_type(vendor, method)) {
   1885 			if (vendor == EAP_VENDOR_IETF &&
   1886 			    method == EAP_TYPE_TLS && config &&
   1887 			    config->private_key2 == NULL)
   1888 				continue;
   1889 			buf[*count].vendor = vendor;
   1890 			buf[*count].method = method;
   1891 			(*count)++;
   1892 		}
   1893 	}
   1894 
   1895 	return buf;
   1896 }
   1897 
   1898 
   1899 /**
   1900  * eap_set_fast_reauth - Update fast_reauth setting
   1901  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1902  * @enabled: 1 = Fast reauthentication is enabled, 0 = Disabled
   1903  */
   1904 void eap_set_fast_reauth(struct eap_sm *sm, int enabled)
   1905 {
   1906 	sm->fast_reauth = enabled;
   1907 }
   1908 
   1909 
   1910 /**
   1911  * eap_set_workaround - Update EAP workarounds setting
   1912  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1913  * @workaround: 1 = Enable EAP workarounds, 0 = Disable EAP workarounds
   1914  */
   1915 void eap_set_workaround(struct eap_sm *sm, unsigned int workaround)
   1916 {
   1917 	sm->workaround = workaround;
   1918 }
   1919 
   1920 
   1921 /**
   1922  * eap_get_config - Get current network configuration
   1923  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1924  * Returns: Pointer to the current network configuration or %NULL if not found
   1925  *
   1926  * EAP peer methods should avoid using this function if they can use other
   1927  * access functions, like eap_get_config_identity() and
   1928  * eap_get_config_password(), that do not require direct access to
   1929  * struct eap_peer_config.
   1930  */
   1931 struct eap_peer_config * eap_get_config(struct eap_sm *sm)
   1932 {
   1933 	return sm->eapol_cb->get_config(sm->eapol_ctx);
   1934 }
   1935 
   1936 
   1937 /**
   1938  * eap_get_config_identity - Get identity from the network configuration
   1939  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1940  * @len: Buffer for the length of the identity
   1941  * Returns: Pointer to the identity or %NULL if not found
   1942  */
   1943 const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
   1944 {
   1945 	struct eap_peer_config *config = eap_get_config(sm);
   1946 	if (config == NULL)
   1947 		return NULL;
   1948 	*len = config->identity_len;
   1949 	return config->identity;
   1950 }
   1951 
   1952 
   1953 static int eap_get_ext_password(struct eap_sm *sm,
   1954 				struct eap_peer_config *config)
   1955 {
   1956 	char *name;
   1957 
   1958 	if (config->password == NULL)
   1959 		return -1;
   1960 
   1961 	name = os_zalloc(config->password_len + 1);
   1962 	if (name == NULL)
   1963 		return -1;
   1964 	os_memcpy(name, config->password, config->password_len);
   1965 
   1966 	ext_password_free(sm->ext_pw_buf);
   1967 	sm->ext_pw_buf = ext_password_get(sm->ext_pw, name);
   1968 	os_free(name);
   1969 
   1970 	return sm->ext_pw_buf == NULL ? -1 : 0;
   1971 }
   1972 
   1973 
   1974 /**
   1975  * eap_get_config_password - Get password from the network configuration
   1976  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   1977  * @len: Buffer for the length of the password
   1978  * Returns: Pointer to the password or %NULL if not found
   1979  */
   1980 const u8 * eap_get_config_password(struct eap_sm *sm, size_t *len)
   1981 {
   1982 	struct eap_peer_config *config = eap_get_config(sm);
   1983 	if (config == NULL)
   1984 		return NULL;
   1985 
   1986 	if (config->flags & EAP_CONFIG_FLAGS_EXT_PASSWORD) {
   1987 		if (eap_get_ext_password(sm, config) < 0)
   1988 			return NULL;
   1989 		*len = wpabuf_len(sm->ext_pw_buf);
   1990 		return wpabuf_head(sm->ext_pw_buf);
   1991 	}
   1992 
   1993 	*len = config->password_len;
   1994 	return config->password;
   1995 }
   1996 
   1997 
   1998 /**
   1999  * eap_get_config_password2 - Get password from the network configuration
   2000  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2001  * @len: Buffer for the length of the password
   2002  * @hash: Buffer for returning whether the password is stored as a
   2003  * NtPasswordHash instead of plaintext password; can be %NULL if this
   2004  * information is not needed
   2005  * Returns: Pointer to the password or %NULL if not found
   2006  */
   2007 const u8 * eap_get_config_password2(struct eap_sm *sm, size_t *len, int *hash)
   2008 {
   2009 	struct eap_peer_config *config = eap_get_config(sm);
   2010 	if (config == NULL)
   2011 		return NULL;
   2012 
   2013 	if (config->flags & EAP_CONFIG_FLAGS_EXT_PASSWORD) {
   2014 		if (eap_get_ext_password(sm, config) < 0)
   2015 			return NULL;
   2016 		*len = wpabuf_len(sm->ext_pw_buf);
   2017 		return wpabuf_head(sm->ext_pw_buf);
   2018 	}
   2019 
   2020 	*len = config->password_len;
   2021 	if (hash)
   2022 		*hash = !!(config->flags & EAP_CONFIG_FLAGS_PASSWORD_NTHASH);
   2023 	return config->password;
   2024 }
   2025 
   2026 
   2027 /**
   2028  * eap_get_config_new_password - Get new password from network configuration
   2029  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2030  * @len: Buffer for the length of the new password
   2031  * Returns: Pointer to the new password or %NULL if not found
   2032  */
   2033 const u8 * eap_get_config_new_password(struct eap_sm *sm, size_t *len)
   2034 {
   2035 	struct eap_peer_config *config = eap_get_config(sm);
   2036 	if (config == NULL)
   2037 		return NULL;
   2038 	*len = config->new_password_len;
   2039 	return config->new_password;
   2040 }
   2041 
   2042 
   2043 /**
   2044  * eap_get_config_otp - Get one-time password from the network configuration
   2045  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2046  * @len: Buffer for the length of the one-time password
   2047  * Returns: Pointer to the one-time password or %NULL if not found
   2048  */
   2049 const u8 * eap_get_config_otp(struct eap_sm *sm, size_t *len)
   2050 {
   2051 	struct eap_peer_config *config = eap_get_config(sm);
   2052 	if (config == NULL)
   2053 		return NULL;
   2054 	*len = config->otp_len;
   2055 	return config->otp;
   2056 }
   2057 
   2058 
   2059 /**
   2060  * eap_clear_config_otp - Clear used one-time password
   2061  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2062  *
   2063  * This function clears a used one-time password (OTP) from the current network
   2064  * configuration. This should be called when the OTP has been used and is not
   2065  * needed anymore.
   2066  */
   2067 void eap_clear_config_otp(struct eap_sm *sm)
   2068 {
   2069 	struct eap_peer_config *config = eap_get_config(sm);
   2070 	if (config == NULL)
   2071 		return;
   2072 	os_memset(config->otp, 0, config->otp_len);
   2073 	os_free(config->otp);
   2074 	config->otp = NULL;
   2075 	config->otp_len = 0;
   2076 }
   2077 
   2078 
   2079 /**
   2080  * eap_get_config_phase1 - Get phase1 data from the network configuration
   2081  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2082  * Returns: Pointer to the phase1 data or %NULL if not found
   2083  */
   2084 const char * eap_get_config_phase1(struct eap_sm *sm)
   2085 {
   2086 	struct eap_peer_config *config = eap_get_config(sm);
   2087 	if (config == NULL)
   2088 		return NULL;
   2089 	return config->phase1;
   2090 }
   2091 
   2092 
   2093 /**
   2094  * eap_get_config_phase2 - Get phase2 data from the network configuration
   2095  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2096  * Returns: Pointer to the phase1 data or %NULL if not found
   2097  */
   2098 const char * eap_get_config_phase2(struct eap_sm *sm)
   2099 {
   2100 	struct eap_peer_config *config = eap_get_config(sm);
   2101 	if (config == NULL)
   2102 		return NULL;
   2103 	return config->phase2;
   2104 }
   2105 
   2106 
   2107 int eap_get_config_fragment_size(struct eap_sm *sm)
   2108 {
   2109 	struct eap_peer_config *config = eap_get_config(sm);
   2110 	if (config == NULL)
   2111 		return -1;
   2112 	return config->fragment_size;
   2113 }
   2114 
   2115 
   2116 /**
   2117  * eap_key_available - Get key availability (eapKeyAvailable variable)
   2118  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2119  * Returns: 1 if EAP keying material is available, 0 if not
   2120  */
   2121 int eap_key_available(struct eap_sm *sm)
   2122 {
   2123 	return sm ? sm->eapKeyAvailable : 0;
   2124 }
   2125 
   2126 
   2127 /**
   2128  * eap_notify_success - Notify EAP state machine about external success trigger
   2129  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2130  *
   2131  * This function is called when external event, e.g., successful completion of
   2132  * WPA-PSK key handshake, is indicating that EAP state machine should move to
   2133  * success state. This is mainly used with security modes that do not use EAP
   2134  * state machine (e.g., WPA-PSK).
   2135  */
   2136 void eap_notify_success(struct eap_sm *sm)
   2137 {
   2138 	if (sm) {
   2139 		sm->decision = DECISION_COND_SUCC;
   2140 		sm->EAP_state = EAP_SUCCESS;
   2141 	}
   2142 }
   2143 
   2144 
   2145 /**
   2146  * eap_notify_lower_layer_success - Notification of lower layer success
   2147  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2148  *
   2149  * Notify EAP state machines that a lower layer has detected a successful
   2150  * authentication. This is used to recover from dropped EAP-Success messages.
   2151  */
   2152 void eap_notify_lower_layer_success(struct eap_sm *sm)
   2153 {
   2154 	if (sm == NULL)
   2155 		return;
   2156 
   2157 	if (eapol_get_bool(sm, EAPOL_eapSuccess) ||
   2158 	    sm->decision == DECISION_FAIL ||
   2159 	    (sm->methodState != METHOD_MAY_CONT &&
   2160 	     sm->methodState != METHOD_DONE))
   2161 		return;
   2162 
   2163 	if (sm->eapKeyData != NULL)
   2164 		sm->eapKeyAvailable = TRUE;
   2165 	eapol_set_bool(sm, EAPOL_eapSuccess, TRUE);
   2166 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
   2167 		"EAP authentication completed successfully (based on lower "
   2168 		"layer success)");
   2169 }
   2170 
   2171 
   2172 /**
   2173  * eap_get_eapSessionId - Get Session-Id from EAP state machine
   2174  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2175  * @len: Pointer to variable that will be set to number of bytes in the session
   2176  * Returns: Pointer to the EAP Session-Id or %NULL on failure
   2177  *
   2178  * Fetch EAP Session-Id from the EAP state machine. The Session-Id is available
   2179  * only after a successful authentication. EAP state machine continues to manage
   2180  * the Session-Id and the caller must not change or free the returned data.
   2181  */
   2182 const u8 * eap_get_eapSessionId(struct eap_sm *sm, size_t *len)
   2183 {
   2184 	if (sm == NULL || sm->eapSessionId == NULL) {
   2185 		*len = 0;
   2186 		return NULL;
   2187 	}
   2188 
   2189 	*len = sm->eapSessionIdLen;
   2190 	return sm->eapSessionId;
   2191 }
   2192 
   2193 
   2194 /**
   2195  * eap_get_eapKeyData - Get master session key (MSK) from EAP state machine
   2196  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2197  * @len: Pointer to variable that will be set to number of bytes in the key
   2198  * Returns: Pointer to the EAP keying data or %NULL on failure
   2199  *
   2200  * Fetch EAP keying material (MSK, eapKeyData) from the EAP state machine. The
   2201  * key is available only after a successful authentication. EAP state machine
   2202  * continues to manage the key data and the caller must not change or free the
   2203  * returned data.
   2204  */
   2205 const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len)
   2206 {
   2207 	if (sm == NULL || sm->eapKeyData == NULL) {
   2208 		*len = 0;
   2209 		return NULL;
   2210 	}
   2211 
   2212 	*len = sm->eapKeyDataLen;
   2213 	return sm->eapKeyData;
   2214 }
   2215 
   2216 
   2217 /**
   2218  * eap_get_eapKeyData - Get EAP response data
   2219  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2220  * Returns: Pointer to the EAP response (eapRespData) or %NULL on failure
   2221  *
   2222  * Fetch EAP response (eapRespData) from the EAP state machine. This data is
   2223  * available when EAP state machine has processed an incoming EAP request. The
   2224  * EAP state machine does not maintain a reference to the response after this
   2225  * function is called and the caller is responsible for freeing the data.
   2226  */
   2227 struct wpabuf * eap_get_eapRespData(struct eap_sm *sm)
   2228 {
   2229 	struct wpabuf *resp;
   2230 
   2231 	if (sm == NULL || sm->eapRespData == NULL)
   2232 		return NULL;
   2233 
   2234 	resp = sm->eapRespData;
   2235 	sm->eapRespData = NULL;
   2236 
   2237 	return resp;
   2238 }
   2239 
   2240 
   2241 /**
   2242  * eap_sm_register_scard_ctx - Notification of smart card context
   2243  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2244  * @ctx: Context data for smart card operations
   2245  *
   2246  * Notify EAP state machines of context data for smart card operations. This
   2247  * context data will be used as a parameter for scard_*() functions.
   2248  */
   2249 void eap_register_scard_ctx(struct eap_sm *sm, void *ctx)
   2250 {
   2251 	if (sm)
   2252 		sm->scard_ctx = ctx;
   2253 }
   2254 
   2255 
   2256 /**
   2257  * eap_set_config_blob - Set or add a named configuration blob
   2258  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2259  * @blob: New value for the blob
   2260  *
   2261  * Adds a new configuration blob or replaces the current value of an existing
   2262  * blob.
   2263  */
   2264 void eap_set_config_blob(struct eap_sm *sm, struct wpa_config_blob *blob)
   2265 {
   2266 #ifndef CONFIG_NO_CONFIG_BLOBS
   2267 	sm->eapol_cb->set_config_blob(sm->eapol_ctx, blob);
   2268 #endif /* CONFIG_NO_CONFIG_BLOBS */
   2269 }
   2270 
   2271 
   2272 /**
   2273  * eap_get_config_blob - Get a named configuration blob
   2274  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2275  * @name: Name of the blob
   2276  * Returns: Pointer to blob data or %NULL if not found
   2277  */
   2278 const struct wpa_config_blob * eap_get_config_blob(struct eap_sm *sm,
   2279 						   const char *name)
   2280 {
   2281 #ifndef CONFIG_NO_CONFIG_BLOBS
   2282 	return sm->eapol_cb->get_config_blob(sm->eapol_ctx, name);
   2283 #else /* CONFIG_NO_CONFIG_BLOBS */
   2284 	return NULL;
   2285 #endif /* CONFIG_NO_CONFIG_BLOBS */
   2286 }
   2287 
   2288 
   2289 /**
   2290  * eap_set_force_disabled - Set force_disabled flag
   2291  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2292  * @disabled: 1 = EAP disabled, 0 = EAP enabled
   2293  *
   2294  * This function is used to force EAP state machine to be disabled when it is
   2295  * not in use (e.g., with WPA-PSK or plaintext connections).
   2296  */
   2297 void eap_set_force_disabled(struct eap_sm *sm, int disabled)
   2298 {
   2299 	sm->force_disabled = disabled;
   2300 }
   2301 
   2302 
   2303  /**
   2304  * eap_notify_pending - Notify that EAP method is ready to re-process a request
   2305  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2306  *
   2307  * An EAP method can perform a pending operation (e.g., to get a response from
   2308  * an external process). Once the response is available, this function can be
   2309  * used to request EAPOL state machine to retry delivering the previously
   2310  * received (and still unanswered) EAP request to EAP state machine.
   2311  */
   2312 void eap_notify_pending(struct eap_sm *sm)
   2313 {
   2314 	sm->eapol_cb->notify_pending(sm->eapol_ctx);
   2315 }
   2316 
   2317 
   2318 /**
   2319  * eap_invalidate_cached_session - Mark cached session data invalid
   2320  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2321  */
   2322 void eap_invalidate_cached_session(struct eap_sm *sm)
   2323 {
   2324 	if (sm)
   2325 		eap_deinit_prev_method(sm, "invalidate");
   2326 }
   2327 
   2328 
   2329 int eap_is_wps_pbc_enrollee(struct eap_peer_config *conf)
   2330 {
   2331 	if (conf->identity_len != WSC_ID_ENROLLEE_LEN ||
   2332 	    os_memcmp(conf->identity, WSC_ID_ENROLLEE, WSC_ID_ENROLLEE_LEN))
   2333 		return 0; /* Not a WPS Enrollee */
   2334 
   2335 	if (conf->phase1 == NULL || os_strstr(conf->phase1, "pbc=1") == NULL)
   2336 		return 0; /* Not using PBC */
   2337 
   2338 	return 1;
   2339 }
   2340 
   2341 
   2342 int eap_is_wps_pin_enrollee(struct eap_peer_config *conf)
   2343 {
   2344 	if (conf->identity_len != WSC_ID_ENROLLEE_LEN ||
   2345 	    os_memcmp(conf->identity, WSC_ID_ENROLLEE, WSC_ID_ENROLLEE_LEN))
   2346 		return 0; /* Not a WPS Enrollee */
   2347 
   2348 	if (conf->phase1 == NULL || os_strstr(conf->phase1, "pin=") == NULL)
   2349 		return 0; /* Not using PIN */
   2350 
   2351 	return 1;
   2352 }
   2353 
   2354 
   2355 void eap_sm_set_ext_pw_ctx(struct eap_sm *sm, struct ext_password_data *ext)
   2356 {
   2357 	ext_password_free(sm->ext_pw_buf);
   2358 	sm->ext_pw_buf = NULL;
   2359 	sm->ext_pw = ext;
   2360 }
   2361 
   2362 
   2363 /**
   2364  * eap_set_anon_id - Set or add anonymous identity
   2365  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
   2366  * @id: Anonymous identity (e.g., EAP-SIM pseudonym) or %NULL to clear
   2367  * @len: Length of anonymous identity in octets
   2368  */
   2369 void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len)
   2370 {
   2371 	if (sm->eapol_cb->set_anon_id)
   2372 		sm->eapol_cb->set_anon_id(sm->eapol_ctx, id, len);
   2373 }
   2374