1 /* 2 * hostapd / EAP Full Authenticator state machine (RFC 4137) 3 * Copyright (c) 2004-2007, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 * 8 * This state machine is based on the full authenticator state machine defined 9 * in RFC 4137. However, to support backend authentication in RADIUS 10 * authentication server functionality, parts of backend authenticator (also 11 * from RFC 4137) are mixed in. This functionality is enabled by setting 12 * backend_auth configuration variable to TRUE. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "eap_i.h" 19 #include "state_machine.h" 20 #include "common/wpa_ctrl.h" 21 22 #define STATE_MACHINE_DATA struct eap_sm 23 #define STATE_MACHINE_DEBUG_PREFIX "EAP" 24 25 #define EAP_MAX_AUTH_ROUNDS 50 26 27 static void eap_user_free(struct eap_user *user); 28 29 30 /* EAP state machines are described in RFC 4137 */ 31 32 static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount, 33 int eapSRTT, int eapRTTVAR, 34 int methodTimeout); 35 static void eap_sm_parseEapResp(struct eap_sm *sm, const struct wpabuf *resp); 36 static int eap_sm_getId(const struct wpabuf *data); 37 static struct wpabuf * eap_sm_buildSuccess(struct eap_sm *sm, u8 id); 38 static struct wpabuf * eap_sm_buildFailure(struct eap_sm *sm, u8 id); 39 static int eap_sm_nextId(struct eap_sm *sm, int id); 40 static void eap_sm_Policy_update(struct eap_sm *sm, const u8 *nak_list, 41 size_t len); 42 static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor); 43 static int eap_sm_Policy_getDecision(struct eap_sm *sm); 44 static Boolean eap_sm_Policy_doPickUp(struct eap_sm *sm, EapType method); 45 46 47 static int eap_copy_buf(struct wpabuf **dst, const struct wpabuf *src) 48 { 49 if (src == NULL) 50 return -1; 51 52 wpabuf_free(*dst); 53 *dst = wpabuf_dup(src); 54 return *dst ? 0 : -1; 55 } 56 57 58 static int eap_copy_data(u8 **dst, size_t *dst_len, 59 const u8 *src, size_t src_len) 60 { 61 if (src == NULL) 62 return -1; 63 64 os_free(*dst); 65 *dst = os_malloc(src_len); 66 if (*dst) { 67 os_memcpy(*dst, src, src_len); 68 *dst_len = src_len; 69 return 0; 70 } else { 71 *dst_len = 0; 72 return -1; 73 } 74 } 75 76 #define EAP_COPY(dst, src) \ 77 eap_copy_data((dst), (dst ## Len), (src), (src ## Len)) 78 79 80 /** 81 * eap_user_get - Fetch user information from the database 82 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 83 * @identity: Identity (User-Name) of the user 84 * @identity_len: Length of identity in bytes 85 * @phase2: 0 = EAP phase1 user, 1 = EAP phase2 (tunneled) user 86 * Returns: 0 on success, or -1 on failure 87 * 88 * This function is used to fetch user information for EAP. The user will be 89 * selected based on the specified identity. sm->user and 90 * sm->user_eap_method_index are updated for the new user when a matching user 91 * is found. sm->user can be used to get user information (e.g., password). 92 */ 93 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len, 94 int phase2) 95 { 96 struct eap_user *user; 97 98 if (sm == NULL || sm->eapol_cb == NULL || 99 sm->eapol_cb->get_eap_user == NULL) 100 return -1; 101 102 eap_user_free(sm->user); 103 sm->user = NULL; 104 105 user = os_zalloc(sizeof(*user)); 106 if (user == NULL) 107 return -1; 108 109 if (sm->eapol_cb->get_eap_user(sm->eapol_ctx, identity, 110 identity_len, phase2, user) != 0) { 111 eap_user_free(user); 112 return -1; 113 } 114 115 sm->user = user; 116 sm->user_eap_method_index = 0; 117 118 return 0; 119 } 120 121 122 void eap_log_msg(struct eap_sm *sm, const char *fmt, ...) 123 { 124 va_list ap; 125 char *buf; 126 int buflen; 127 128 if (sm == NULL || sm->eapol_cb == NULL || sm->eapol_cb->log_msg == NULL) 129 return; 130 131 va_start(ap, fmt); 132 buflen = vsnprintf(NULL, 0, fmt, ap) + 1; 133 va_end(ap); 134 135 buf = os_malloc(buflen); 136 if (buf == NULL) 137 return; 138 va_start(ap, fmt); 139 vsnprintf(buf, buflen, fmt, ap); 140 va_end(ap); 141 142 sm->eapol_cb->log_msg(sm->eapol_ctx, buf); 143 144 os_free(buf); 145 } 146 147 148 SM_STATE(EAP, DISABLED) 149 { 150 SM_ENTRY(EAP, DISABLED); 151 sm->num_rounds = 0; 152 } 153 154 155 SM_STATE(EAP, INITIALIZE) 156 { 157 SM_ENTRY(EAP, INITIALIZE); 158 159 if (sm->eap_if.eapRestart && !sm->eap_server && sm->identity) { 160 /* 161 * Need to allow internal Identity method to be used instead 162 * of passthrough at the beginning of reauthentication. 163 */ 164 eap_server_clear_identity(sm); 165 } 166 167 sm->currentId = -1; 168 sm->eap_if.eapSuccess = FALSE; 169 sm->eap_if.eapFail = FALSE; 170 sm->eap_if.eapTimeout = FALSE; 171 bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen); 172 sm->eap_if.eapKeyData = NULL; 173 sm->eap_if.eapKeyDataLen = 0; 174 sm->eap_if.eapKeyAvailable = FALSE; 175 sm->eap_if.eapRestart = FALSE; 176 177 /* 178 * This is not defined in RFC 4137, but method state needs to be 179 * reseted here so that it does not remain in success state when 180 * re-authentication starts. 181 */ 182 if (sm->m && sm->eap_method_priv) { 183 sm->m->reset(sm, sm->eap_method_priv); 184 sm->eap_method_priv = NULL; 185 } 186 sm->m = NULL; 187 sm->user_eap_method_index = 0; 188 189 if (sm->backend_auth) { 190 sm->currentMethod = EAP_TYPE_NONE; 191 /* parse rxResp, respId, respMethod */ 192 eap_sm_parseEapResp(sm, sm->eap_if.eapRespData); 193 if (sm->rxResp) { 194 sm->currentId = sm->respId; 195 } 196 } 197 sm->num_rounds = 0; 198 sm->method_pending = METHOD_PENDING_NONE; 199 200 wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED 201 MACSTR, MAC2STR(sm->peer_addr)); 202 } 203 204 205 SM_STATE(EAP, PICK_UP_METHOD) 206 { 207 SM_ENTRY(EAP, PICK_UP_METHOD); 208 209 if (eap_sm_Policy_doPickUp(sm, sm->respMethod)) { 210 sm->currentMethod = sm->respMethod; 211 if (sm->m && sm->eap_method_priv) { 212 sm->m->reset(sm, sm->eap_method_priv); 213 sm->eap_method_priv = NULL; 214 } 215 sm->m = eap_server_get_eap_method(EAP_VENDOR_IETF, 216 sm->currentMethod); 217 if (sm->m && sm->m->initPickUp) { 218 sm->eap_method_priv = sm->m->initPickUp(sm); 219 if (sm->eap_method_priv == NULL) { 220 wpa_printf(MSG_DEBUG, "EAP: Failed to " 221 "initialize EAP method %d", 222 sm->currentMethod); 223 sm->m = NULL; 224 sm->currentMethod = EAP_TYPE_NONE; 225 } 226 } else { 227 sm->m = NULL; 228 sm->currentMethod = EAP_TYPE_NONE; 229 } 230 } 231 232 wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD 233 "method=%u", sm->currentMethod); 234 } 235 236 237 SM_STATE(EAP, IDLE) 238 { 239 SM_ENTRY(EAP, IDLE); 240 241 sm->eap_if.retransWhile = eap_sm_calculateTimeout( 242 sm, sm->retransCount, sm->eap_if.eapSRTT, sm->eap_if.eapRTTVAR, 243 sm->methodTimeout); 244 } 245 246 247 SM_STATE(EAP, RETRANSMIT) 248 { 249 SM_ENTRY(EAP, RETRANSMIT); 250 251 sm->retransCount++; 252 if (sm->retransCount <= sm->MaxRetrans && sm->lastReqData) { 253 if (eap_copy_buf(&sm->eap_if.eapReqData, sm->lastReqData) == 0) 254 sm->eap_if.eapReq = TRUE; 255 } 256 } 257 258 259 SM_STATE(EAP, RECEIVED) 260 { 261 SM_ENTRY(EAP, RECEIVED); 262 263 /* parse rxResp, respId, respMethod */ 264 eap_sm_parseEapResp(sm, sm->eap_if.eapRespData); 265 sm->num_rounds++; 266 } 267 268 269 SM_STATE(EAP, DISCARD) 270 { 271 SM_ENTRY(EAP, DISCARD); 272 sm->eap_if.eapResp = FALSE; 273 sm->eap_if.eapNoReq = TRUE; 274 } 275 276 277 SM_STATE(EAP, SEND_REQUEST) 278 { 279 SM_ENTRY(EAP, SEND_REQUEST); 280 281 sm->retransCount = 0; 282 if (sm->eap_if.eapReqData) { 283 if (eap_copy_buf(&sm->lastReqData, sm->eap_if.eapReqData) == 0) 284 { 285 sm->eap_if.eapResp = FALSE; 286 sm->eap_if.eapReq = TRUE; 287 } else { 288 sm->eap_if.eapResp = FALSE; 289 sm->eap_if.eapReq = FALSE; 290 } 291 } else { 292 wpa_printf(MSG_INFO, "EAP: SEND_REQUEST - no eapReqData"); 293 sm->eap_if.eapResp = FALSE; 294 sm->eap_if.eapReq = FALSE; 295 sm->eap_if.eapNoReq = TRUE; 296 } 297 } 298 299 300 SM_STATE(EAP, INTEGRITY_CHECK) 301 { 302 SM_ENTRY(EAP, INTEGRITY_CHECK); 303 304 if (!eap_hdr_len_valid(sm->eap_if.eapRespData, 1)) { 305 sm->ignore = TRUE; 306 return; 307 } 308 309 if (sm->m->check) { 310 sm->ignore = sm->m->check(sm, sm->eap_method_priv, 311 sm->eap_if.eapRespData); 312 } 313 } 314 315 316 SM_STATE(EAP, METHOD_REQUEST) 317 { 318 SM_ENTRY(EAP, METHOD_REQUEST); 319 320 if (sm->m == NULL) { 321 wpa_printf(MSG_DEBUG, "EAP: method not initialized"); 322 return; 323 } 324 325 sm->currentId = eap_sm_nextId(sm, sm->currentId); 326 wpa_printf(MSG_DEBUG, "EAP: building EAP-Request: Identifier %d", 327 sm->currentId); 328 sm->lastId = sm->currentId; 329 wpabuf_free(sm->eap_if.eapReqData); 330 sm->eap_if.eapReqData = sm->m->buildReq(sm, sm->eap_method_priv, 331 sm->currentId); 332 if (sm->m->getTimeout) 333 sm->methodTimeout = sm->m->getTimeout(sm, sm->eap_method_priv); 334 else 335 sm->methodTimeout = 0; 336 } 337 338 339 SM_STATE(EAP, METHOD_RESPONSE) 340 { 341 SM_ENTRY(EAP, METHOD_RESPONSE); 342 343 if (!eap_hdr_len_valid(sm->eap_if.eapRespData, 1)) 344 return; 345 346 sm->m->process(sm, sm->eap_method_priv, sm->eap_if.eapRespData); 347 if (sm->m->isDone(sm, sm->eap_method_priv)) { 348 eap_sm_Policy_update(sm, NULL, 0); 349 bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen); 350 if (sm->m->getKey) { 351 sm->eap_if.eapKeyData = sm->m->getKey( 352 sm, sm->eap_method_priv, 353 &sm->eap_if.eapKeyDataLen); 354 } else { 355 sm->eap_if.eapKeyData = NULL; 356 sm->eap_if.eapKeyDataLen = 0; 357 } 358 sm->methodState = METHOD_END; 359 } else { 360 sm->methodState = METHOD_CONTINUE; 361 } 362 } 363 364 365 SM_STATE(EAP, PROPOSE_METHOD) 366 { 367 int vendor; 368 EapType type; 369 370 SM_ENTRY(EAP, PROPOSE_METHOD); 371 372 try_another_method: 373 type = eap_sm_Policy_getNextMethod(sm, &vendor); 374 if (vendor == EAP_VENDOR_IETF) 375 sm->currentMethod = type; 376 else 377 sm->currentMethod = EAP_TYPE_EXPANDED; 378 if (sm->m && sm->eap_method_priv) { 379 sm->m->reset(sm, sm->eap_method_priv); 380 sm->eap_method_priv = NULL; 381 } 382 sm->m = eap_server_get_eap_method(vendor, type); 383 if (sm->m) { 384 sm->eap_method_priv = sm->m->init(sm); 385 if (sm->eap_method_priv == NULL) { 386 wpa_printf(MSG_DEBUG, "EAP: Failed to initialize EAP " 387 "method %d", sm->currentMethod); 388 sm->m = NULL; 389 sm->currentMethod = EAP_TYPE_NONE; 390 goto try_another_method; 391 } 392 } 393 if (sm->m == NULL) { 394 wpa_printf(MSG_DEBUG, "EAP: Could not find suitable EAP method"); 395 eap_log_msg(sm, "Could not find suitable EAP method"); 396 sm->decision = DECISION_FAILURE; 397 return; 398 } 399 if (sm->currentMethod == EAP_TYPE_IDENTITY || 400 sm->currentMethod == EAP_TYPE_NOTIFICATION) 401 sm->methodState = METHOD_CONTINUE; 402 else 403 sm->methodState = METHOD_PROPOSED; 404 405 wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD 406 "vendor=%u method=%u", vendor, sm->currentMethod); 407 eap_log_msg(sm, "Propose EAP method vendor=%u method=%u", 408 vendor, sm->currentMethod); 409 } 410 411 412 SM_STATE(EAP, NAK) 413 { 414 const struct eap_hdr *nak; 415 size_t len = 0; 416 const u8 *pos; 417 const u8 *nak_list = NULL; 418 419 SM_ENTRY(EAP, NAK); 420 421 if (sm->eap_method_priv) { 422 sm->m->reset(sm, sm->eap_method_priv); 423 sm->eap_method_priv = NULL; 424 } 425 sm->m = NULL; 426 427 if (!eap_hdr_len_valid(sm->eap_if.eapRespData, 1)) 428 return; 429 430 nak = wpabuf_head(sm->eap_if.eapRespData); 431 if (nak && wpabuf_len(sm->eap_if.eapRespData) > sizeof(*nak)) { 432 len = be_to_host16(nak->length); 433 if (len > wpabuf_len(sm->eap_if.eapRespData)) 434 len = wpabuf_len(sm->eap_if.eapRespData); 435 pos = (const u8 *) (nak + 1); 436 len -= sizeof(*nak); 437 if (*pos == EAP_TYPE_NAK) { 438 pos++; 439 len--; 440 nak_list = pos; 441 } 442 } 443 eap_sm_Policy_update(sm, nak_list, len); 444 } 445 446 447 SM_STATE(EAP, SELECT_ACTION) 448 { 449 SM_ENTRY(EAP, SELECT_ACTION); 450 451 sm->decision = eap_sm_Policy_getDecision(sm); 452 } 453 454 455 SM_STATE(EAP, TIMEOUT_FAILURE) 456 { 457 SM_ENTRY(EAP, TIMEOUT_FAILURE); 458 459 sm->eap_if.eapTimeout = TRUE; 460 } 461 462 463 SM_STATE(EAP, FAILURE) 464 { 465 SM_ENTRY(EAP, FAILURE); 466 467 wpabuf_free(sm->eap_if.eapReqData); 468 sm->eap_if.eapReqData = eap_sm_buildFailure(sm, sm->currentId); 469 wpabuf_free(sm->lastReqData); 470 sm->lastReqData = NULL; 471 sm->eap_if.eapFail = TRUE; 472 473 wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE 474 MACSTR, MAC2STR(sm->peer_addr)); 475 } 476 477 478 SM_STATE(EAP, SUCCESS) 479 { 480 SM_ENTRY(EAP, SUCCESS); 481 482 wpabuf_free(sm->eap_if.eapReqData); 483 sm->eap_if.eapReqData = eap_sm_buildSuccess(sm, sm->currentId); 484 wpabuf_free(sm->lastReqData); 485 sm->lastReqData = NULL; 486 if (sm->eap_if.eapKeyData) 487 sm->eap_if.eapKeyAvailable = TRUE; 488 sm->eap_if.eapSuccess = TRUE; 489 490 wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS 491 MACSTR, MAC2STR(sm->peer_addr)); 492 } 493 494 495 SM_STATE(EAP, INITIALIZE_PASSTHROUGH) 496 { 497 SM_ENTRY(EAP, INITIALIZE_PASSTHROUGH); 498 499 wpabuf_free(sm->eap_if.aaaEapRespData); 500 sm->eap_if.aaaEapRespData = NULL; 501 } 502 503 504 SM_STATE(EAP, IDLE2) 505 { 506 SM_ENTRY(EAP, IDLE2); 507 508 sm->eap_if.retransWhile = eap_sm_calculateTimeout( 509 sm, sm->retransCount, sm->eap_if.eapSRTT, sm->eap_if.eapRTTVAR, 510 sm->methodTimeout); 511 } 512 513 514 SM_STATE(EAP, RETRANSMIT2) 515 { 516 SM_ENTRY(EAP, RETRANSMIT2); 517 518 sm->retransCount++; 519 if (sm->retransCount <= sm->MaxRetrans && sm->lastReqData) { 520 if (eap_copy_buf(&sm->eap_if.eapReqData, sm->lastReqData) == 0) 521 sm->eap_if.eapReq = TRUE; 522 } 523 } 524 525 526 SM_STATE(EAP, RECEIVED2) 527 { 528 SM_ENTRY(EAP, RECEIVED2); 529 530 /* parse rxResp, respId, respMethod */ 531 eap_sm_parseEapResp(sm, sm->eap_if.eapRespData); 532 } 533 534 535 SM_STATE(EAP, DISCARD2) 536 { 537 SM_ENTRY(EAP, DISCARD2); 538 sm->eap_if.eapResp = FALSE; 539 sm->eap_if.eapNoReq = TRUE; 540 } 541 542 543 SM_STATE(EAP, SEND_REQUEST2) 544 { 545 SM_ENTRY(EAP, SEND_REQUEST2); 546 547 sm->retransCount = 0; 548 if (sm->eap_if.eapReqData) { 549 if (eap_copy_buf(&sm->lastReqData, sm->eap_if.eapReqData) == 0) 550 { 551 sm->eap_if.eapResp = FALSE; 552 sm->eap_if.eapReq = TRUE; 553 } else { 554 sm->eap_if.eapResp = FALSE; 555 sm->eap_if.eapReq = FALSE; 556 } 557 } else { 558 wpa_printf(MSG_INFO, "EAP: SEND_REQUEST2 - no eapReqData"); 559 sm->eap_if.eapResp = FALSE; 560 sm->eap_if.eapReq = FALSE; 561 sm->eap_if.eapNoReq = TRUE; 562 } 563 } 564 565 566 SM_STATE(EAP, AAA_REQUEST) 567 { 568 SM_ENTRY(EAP, AAA_REQUEST); 569 570 if (sm->eap_if.eapRespData == NULL) { 571 wpa_printf(MSG_INFO, "EAP: AAA_REQUEST - no eapRespData"); 572 return; 573 } 574 575 /* 576 * if (respMethod == IDENTITY) 577 * aaaIdentity = eapRespData 578 * This is already taken care of by the EAP-Identity method which 579 * stores the identity into sm->identity. 580 */ 581 582 eap_copy_buf(&sm->eap_if.aaaEapRespData, sm->eap_if.eapRespData); 583 } 584 585 586 SM_STATE(EAP, AAA_RESPONSE) 587 { 588 SM_ENTRY(EAP, AAA_RESPONSE); 589 590 eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData); 591 sm->currentId = eap_sm_getId(sm->eap_if.eapReqData); 592 sm->methodTimeout = sm->eap_if.aaaMethodTimeout; 593 } 594 595 596 SM_STATE(EAP, AAA_IDLE) 597 { 598 SM_ENTRY(EAP, AAA_IDLE); 599 600 sm->eap_if.aaaFail = FALSE; 601 sm->eap_if.aaaSuccess = FALSE; 602 sm->eap_if.aaaEapReq = FALSE; 603 sm->eap_if.aaaEapNoReq = FALSE; 604 sm->eap_if.aaaEapResp = TRUE; 605 } 606 607 608 SM_STATE(EAP, TIMEOUT_FAILURE2) 609 { 610 SM_ENTRY(EAP, TIMEOUT_FAILURE2); 611 612 sm->eap_if.eapTimeout = TRUE; 613 } 614 615 616 SM_STATE(EAP, FAILURE2) 617 { 618 SM_ENTRY(EAP, FAILURE2); 619 620 eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData); 621 sm->eap_if.eapFail = TRUE; 622 } 623 624 625 SM_STATE(EAP, SUCCESS2) 626 { 627 SM_ENTRY(EAP, SUCCESS2); 628 629 eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData); 630 631 sm->eap_if.eapKeyAvailable = sm->eap_if.aaaEapKeyAvailable; 632 if (sm->eap_if.aaaEapKeyAvailable) { 633 EAP_COPY(&sm->eap_if.eapKeyData, sm->eap_if.aaaEapKeyData); 634 } else { 635 bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen); 636 sm->eap_if.eapKeyData = NULL; 637 sm->eap_if.eapKeyDataLen = 0; 638 } 639 640 sm->eap_if.eapSuccess = TRUE; 641 642 /* 643 * Start reauthentication with identity request even though we know the 644 * previously used identity. This is needed to get reauthentication 645 * started properly. 646 */ 647 sm->start_reauth = TRUE; 648 } 649 650 651 SM_STEP(EAP) 652 { 653 if (sm->eap_if.eapRestart && sm->eap_if.portEnabled) 654 SM_ENTER_GLOBAL(EAP, INITIALIZE); 655 else if (!sm->eap_if.portEnabled) 656 SM_ENTER_GLOBAL(EAP, DISABLED); 657 else if (sm->num_rounds > EAP_MAX_AUTH_ROUNDS) { 658 if (sm->num_rounds == EAP_MAX_AUTH_ROUNDS + 1) { 659 wpa_printf(MSG_DEBUG, "EAP: more than %d " 660 "authentication rounds - abort", 661 EAP_MAX_AUTH_ROUNDS); 662 sm->num_rounds++; 663 SM_ENTER_GLOBAL(EAP, FAILURE); 664 } 665 } else switch (sm->EAP_state) { 666 case EAP_INITIALIZE: 667 if (sm->backend_auth) { 668 if (!sm->rxResp) 669 SM_ENTER(EAP, SELECT_ACTION); 670 else if (sm->rxResp && 671 (sm->respMethod == EAP_TYPE_NAK || 672 (sm->respMethod == EAP_TYPE_EXPANDED && 673 sm->respVendor == EAP_VENDOR_IETF && 674 sm->respVendorMethod == EAP_TYPE_NAK))) 675 SM_ENTER(EAP, NAK); 676 else 677 SM_ENTER(EAP, PICK_UP_METHOD); 678 } else { 679 SM_ENTER(EAP, SELECT_ACTION); 680 } 681 break; 682 case EAP_PICK_UP_METHOD: 683 if (sm->currentMethod == EAP_TYPE_NONE) { 684 SM_ENTER(EAP, SELECT_ACTION); 685 } else { 686 SM_ENTER(EAP, METHOD_RESPONSE); 687 } 688 break; 689 case EAP_DISABLED: 690 if (sm->eap_if.portEnabled) 691 SM_ENTER(EAP, INITIALIZE); 692 break; 693 case EAP_IDLE: 694 if (sm->eap_if.retransWhile == 0) 695 SM_ENTER(EAP, RETRANSMIT); 696 else if (sm->eap_if.eapResp) 697 SM_ENTER(EAP, RECEIVED); 698 break; 699 case EAP_RETRANSMIT: 700 if (sm->retransCount > sm->MaxRetrans) 701 SM_ENTER(EAP, TIMEOUT_FAILURE); 702 else 703 SM_ENTER(EAP, IDLE); 704 break; 705 case EAP_RECEIVED: 706 if (sm->rxResp && (sm->respId == sm->currentId) && 707 (sm->respMethod == EAP_TYPE_NAK || 708 (sm->respMethod == EAP_TYPE_EXPANDED && 709 sm->respVendor == EAP_VENDOR_IETF && 710 sm->respVendorMethod == EAP_TYPE_NAK)) 711 && (sm->methodState == METHOD_PROPOSED)) 712 SM_ENTER(EAP, NAK); 713 else if (sm->rxResp && (sm->respId == sm->currentId) && 714 ((sm->respMethod == sm->currentMethod) || 715 (sm->respMethod == EAP_TYPE_EXPANDED && 716 sm->respVendor == EAP_VENDOR_IETF && 717 sm->respVendorMethod == sm->currentMethod))) 718 SM_ENTER(EAP, INTEGRITY_CHECK); 719 else { 720 wpa_printf(MSG_DEBUG, "EAP: RECEIVED->DISCARD: " 721 "rxResp=%d respId=%d currentId=%d " 722 "respMethod=%d currentMethod=%d", 723 sm->rxResp, sm->respId, sm->currentId, 724 sm->respMethod, sm->currentMethod); 725 eap_log_msg(sm, "Discard received EAP message"); 726 SM_ENTER(EAP, DISCARD); 727 } 728 break; 729 case EAP_DISCARD: 730 SM_ENTER(EAP, IDLE); 731 break; 732 case EAP_SEND_REQUEST: 733 SM_ENTER(EAP, IDLE); 734 break; 735 case EAP_INTEGRITY_CHECK: 736 if (sm->ignore) 737 SM_ENTER(EAP, DISCARD); 738 else 739 SM_ENTER(EAP, METHOD_RESPONSE); 740 break; 741 case EAP_METHOD_REQUEST: 742 if (sm->m == NULL) { 743 /* 744 * This transition is not mentioned in RFC 4137, but it 745 * is needed to handle cleanly a case where EAP method 746 * initialization fails. 747 */ 748 SM_ENTER(EAP, FAILURE); 749 break; 750 } 751 SM_ENTER(EAP, SEND_REQUEST); 752 break; 753 case EAP_METHOD_RESPONSE: 754 /* 755 * Note: Mechanism to allow EAP methods to wait while going 756 * through pending processing is an extension to RFC 4137 757 * which only defines the transits to SELECT_ACTION and 758 * METHOD_REQUEST from this METHOD_RESPONSE state. 759 */ 760 if (sm->methodState == METHOD_END) 761 SM_ENTER(EAP, SELECT_ACTION); 762 else if (sm->method_pending == METHOD_PENDING_WAIT) { 763 wpa_printf(MSG_DEBUG, "EAP: Method has pending " 764 "processing - wait before proceeding to " 765 "METHOD_REQUEST state"); 766 } else if (sm->method_pending == METHOD_PENDING_CONT) { 767 wpa_printf(MSG_DEBUG, "EAP: Method has completed " 768 "pending processing - reprocess pending " 769 "EAP message"); 770 sm->method_pending = METHOD_PENDING_NONE; 771 SM_ENTER(EAP, METHOD_RESPONSE); 772 } else 773 SM_ENTER(EAP, METHOD_REQUEST); 774 break; 775 case EAP_PROPOSE_METHOD: 776 /* 777 * Note: Mechanism to allow EAP methods to wait while going 778 * through pending processing is an extension to RFC 4137 779 * which only defines the transit to METHOD_REQUEST from this 780 * PROPOSE_METHOD state. 781 */ 782 if (sm->method_pending == METHOD_PENDING_WAIT) { 783 wpa_printf(MSG_DEBUG, "EAP: Method has pending " 784 "processing - wait before proceeding to " 785 "METHOD_REQUEST state"); 786 if (sm->user_eap_method_index > 0) 787 sm->user_eap_method_index--; 788 } else if (sm->method_pending == METHOD_PENDING_CONT) { 789 wpa_printf(MSG_DEBUG, "EAP: Method has completed " 790 "pending processing - reprocess pending " 791 "EAP message"); 792 sm->method_pending = METHOD_PENDING_NONE; 793 SM_ENTER(EAP, PROPOSE_METHOD); 794 } else 795 SM_ENTER(EAP, METHOD_REQUEST); 796 break; 797 case EAP_NAK: 798 SM_ENTER(EAP, SELECT_ACTION); 799 break; 800 case EAP_SELECT_ACTION: 801 if (sm->decision == DECISION_FAILURE) 802 SM_ENTER(EAP, FAILURE); 803 else if (sm->decision == DECISION_SUCCESS) 804 SM_ENTER(EAP, SUCCESS); 805 else if (sm->decision == DECISION_PASSTHROUGH) 806 SM_ENTER(EAP, INITIALIZE_PASSTHROUGH); 807 else 808 SM_ENTER(EAP, PROPOSE_METHOD); 809 break; 810 case EAP_TIMEOUT_FAILURE: 811 break; 812 case EAP_FAILURE: 813 break; 814 case EAP_SUCCESS: 815 break; 816 817 case EAP_INITIALIZE_PASSTHROUGH: 818 if (sm->currentId == -1) 819 SM_ENTER(EAP, AAA_IDLE); 820 else 821 SM_ENTER(EAP, AAA_REQUEST); 822 break; 823 case EAP_IDLE2: 824 if (sm->eap_if.eapResp) 825 SM_ENTER(EAP, RECEIVED2); 826 else if (sm->eap_if.retransWhile == 0) 827 SM_ENTER(EAP, RETRANSMIT2); 828 break; 829 case EAP_RETRANSMIT2: 830 if (sm->retransCount > sm->MaxRetrans) 831 SM_ENTER(EAP, TIMEOUT_FAILURE2); 832 else 833 SM_ENTER(EAP, IDLE2); 834 break; 835 case EAP_RECEIVED2: 836 if (sm->rxResp && (sm->respId == sm->currentId)) 837 SM_ENTER(EAP, AAA_REQUEST); 838 else 839 SM_ENTER(EAP, DISCARD2); 840 break; 841 case EAP_DISCARD2: 842 SM_ENTER(EAP, IDLE2); 843 break; 844 case EAP_SEND_REQUEST2: 845 SM_ENTER(EAP, IDLE2); 846 break; 847 case EAP_AAA_REQUEST: 848 SM_ENTER(EAP, AAA_IDLE); 849 break; 850 case EAP_AAA_RESPONSE: 851 SM_ENTER(EAP, SEND_REQUEST2); 852 break; 853 case EAP_AAA_IDLE: 854 if (sm->eap_if.aaaFail) 855 SM_ENTER(EAP, FAILURE2); 856 else if (sm->eap_if.aaaSuccess) 857 SM_ENTER(EAP, SUCCESS2); 858 else if (sm->eap_if.aaaEapReq) 859 SM_ENTER(EAP, AAA_RESPONSE); 860 else if (sm->eap_if.aaaTimeout) 861 SM_ENTER(EAP, TIMEOUT_FAILURE2); 862 break; 863 case EAP_TIMEOUT_FAILURE2: 864 break; 865 case EAP_FAILURE2: 866 break; 867 case EAP_SUCCESS2: 868 break; 869 } 870 } 871 872 873 static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount, 874 int eapSRTT, int eapRTTVAR, 875 int methodTimeout) 876 { 877 int rto, i; 878 879 if (methodTimeout) { 880 /* 881 * EAP method (either internal or through AAA server, provided 882 * timeout hint. Use that as-is as a timeout for retransmitting 883 * the EAP request if no response is received. 884 */ 885 wpa_printf(MSG_DEBUG, "EAP: retransmit timeout %d seconds " 886 "(from EAP method hint)", methodTimeout); 887 return methodTimeout; 888 } 889 890 /* 891 * RFC 3748 recommends algorithms described in RFC 2988 for estimation 892 * of the retransmission timeout. This should be implemented once 893 * round-trip time measurements are available. For nowm a simple 894 * backoff mechanism is used instead if there are no EAP method 895 * specific hints. 896 * 897 * SRTT = smoothed round-trip time 898 * RTTVAR = round-trip time variation 899 * RTO = retransmission timeout 900 */ 901 902 /* 903 * RFC 2988, 2.1: before RTT measurement, set RTO to 3 seconds for 904 * initial retransmission and then double the RTO to provide back off 905 * per 5.5. Limit the maximum RTO to 20 seconds per RFC 3748, 4.3 906 * modified RTOmax. 907 */ 908 rto = 3; 909 for (i = 0; i < retransCount; i++) { 910 rto *= 2; 911 if (rto >= 20) { 912 rto = 20; 913 break; 914 } 915 } 916 917 wpa_printf(MSG_DEBUG, "EAP: retransmit timeout %d seconds " 918 "(from dynamic back off; retransCount=%d)", 919 rto, retransCount); 920 921 return rto; 922 } 923 924 925 static void eap_sm_parseEapResp(struct eap_sm *sm, const struct wpabuf *resp) 926 { 927 const struct eap_hdr *hdr; 928 size_t plen; 929 930 /* parse rxResp, respId, respMethod */ 931 sm->rxResp = FALSE; 932 sm->respId = -1; 933 sm->respMethod = EAP_TYPE_NONE; 934 sm->respVendor = EAP_VENDOR_IETF; 935 sm->respVendorMethod = EAP_TYPE_NONE; 936 937 if (resp == NULL || wpabuf_len(resp) < sizeof(*hdr)) { 938 wpa_printf(MSG_DEBUG, "EAP: parseEapResp: invalid resp=%p " 939 "len=%lu", resp, 940 resp ? (unsigned long) wpabuf_len(resp) : 0); 941 return; 942 } 943 944 hdr = wpabuf_head(resp); 945 plen = be_to_host16(hdr->length); 946 if (plen > wpabuf_len(resp)) { 947 wpa_printf(MSG_DEBUG, "EAP: Ignored truncated EAP-Packet " 948 "(len=%lu plen=%lu)", 949 (unsigned long) wpabuf_len(resp), 950 (unsigned long) plen); 951 return; 952 } 953 954 sm->respId = hdr->identifier; 955 956 if (hdr->code == EAP_CODE_RESPONSE) 957 sm->rxResp = TRUE; 958 959 if (plen > sizeof(*hdr)) { 960 u8 *pos = (u8 *) (hdr + 1); 961 sm->respMethod = *pos++; 962 if (sm->respMethod == EAP_TYPE_EXPANDED) { 963 if (plen < sizeof(*hdr) + 8) { 964 wpa_printf(MSG_DEBUG, "EAP: Ignored truncated " 965 "expanded EAP-Packet (plen=%lu)", 966 (unsigned long) plen); 967 return; 968 } 969 sm->respVendor = WPA_GET_BE24(pos); 970 pos += 3; 971 sm->respVendorMethod = WPA_GET_BE32(pos); 972 } 973 } 974 975 wpa_printf(MSG_DEBUG, "EAP: parseEapResp: rxResp=%d respId=%d " 976 "respMethod=%u respVendor=%u respVendorMethod=%u", 977 sm->rxResp, sm->respId, sm->respMethod, sm->respVendor, 978 sm->respVendorMethod); 979 } 980 981 982 static int eap_sm_getId(const struct wpabuf *data) 983 { 984 const struct eap_hdr *hdr; 985 986 if (data == NULL || wpabuf_len(data) < sizeof(*hdr)) 987 return -1; 988 989 hdr = wpabuf_head(data); 990 wpa_printf(MSG_DEBUG, "EAP: getId: id=%d", hdr->identifier); 991 return hdr->identifier; 992 } 993 994 995 static struct wpabuf * eap_sm_buildSuccess(struct eap_sm *sm, u8 id) 996 { 997 struct wpabuf *msg; 998 struct eap_hdr *resp; 999 wpa_printf(MSG_DEBUG, "EAP: Building EAP-Success (id=%d)", id); 1000 1001 msg = wpabuf_alloc(sizeof(*resp)); 1002 if (msg == NULL) 1003 return NULL; 1004 resp = wpabuf_put(msg, sizeof(*resp)); 1005 resp->code = EAP_CODE_SUCCESS; 1006 resp->identifier = id; 1007 resp->length = host_to_be16(sizeof(*resp)); 1008 1009 return msg; 1010 } 1011 1012 1013 static struct wpabuf * eap_sm_buildFailure(struct eap_sm *sm, u8 id) 1014 { 1015 struct wpabuf *msg; 1016 struct eap_hdr *resp; 1017 wpa_printf(MSG_DEBUG, "EAP: Building EAP-Failure (id=%d)", id); 1018 1019 msg = wpabuf_alloc(sizeof(*resp)); 1020 if (msg == NULL) 1021 return NULL; 1022 resp = wpabuf_put(msg, sizeof(*resp)); 1023 resp->code = EAP_CODE_FAILURE; 1024 resp->identifier = id; 1025 resp->length = host_to_be16(sizeof(*resp)); 1026 1027 return msg; 1028 } 1029 1030 1031 static int eap_sm_nextId(struct eap_sm *sm, int id) 1032 { 1033 if (id < 0) { 1034 /* RFC 3748 Ch 4.1: recommended to initialize Identifier with a 1035 * random number */ 1036 id = rand() & 0xff; 1037 if (id != sm->lastId) 1038 return id; 1039 } 1040 return (id + 1) & 0xff; 1041 } 1042 1043 1044 /** 1045 * eap_sm_process_nak - Process EAP-Response/Nak 1046 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1047 * @nak_list: Nak list (allowed methods) from the supplicant 1048 * @len: Length of nak_list in bytes 1049 * 1050 * This function is called when EAP-Response/Nak is received from the 1051 * supplicant. This can happen for both phase 1 and phase 2 authentications. 1052 */ 1053 void eap_sm_process_nak(struct eap_sm *sm, const u8 *nak_list, size_t len) 1054 { 1055 int i; 1056 size_t j; 1057 1058 if (sm->user == NULL) 1059 return; 1060 1061 wpa_printf(MSG_MSGDUMP, "EAP: processing NAK (current EAP method " 1062 "index %d)", sm->user_eap_method_index); 1063 1064 wpa_hexdump(MSG_MSGDUMP, "EAP: configured methods", 1065 (u8 *) sm->user->methods, 1066 EAP_MAX_METHODS * sizeof(sm->user->methods[0])); 1067 wpa_hexdump(MSG_MSGDUMP, "EAP: list of methods supported by the peer", 1068 nak_list, len); 1069 1070 i = sm->user_eap_method_index; 1071 while (i < EAP_MAX_METHODS && 1072 (sm->user->methods[i].vendor != EAP_VENDOR_IETF || 1073 sm->user->methods[i].method != EAP_TYPE_NONE)) { 1074 if (sm->user->methods[i].vendor != EAP_VENDOR_IETF) 1075 goto not_found; 1076 for (j = 0; j < len; j++) { 1077 if (nak_list[j] == sm->user->methods[i].method) { 1078 break; 1079 } 1080 } 1081 1082 if (j < len) { 1083 /* found */ 1084 i++; 1085 continue; 1086 } 1087 1088 not_found: 1089 /* not found - remove from the list */ 1090 if (i + 1 < EAP_MAX_METHODS) { 1091 os_memmove(&sm->user->methods[i], 1092 &sm->user->methods[i + 1], 1093 (EAP_MAX_METHODS - i - 1) * 1094 sizeof(sm->user->methods[0])); 1095 } 1096 sm->user->methods[EAP_MAX_METHODS - 1].vendor = 1097 EAP_VENDOR_IETF; 1098 sm->user->methods[EAP_MAX_METHODS - 1].method = EAP_TYPE_NONE; 1099 } 1100 1101 wpa_hexdump(MSG_MSGDUMP, "EAP: new list of configured methods", 1102 (u8 *) sm->user->methods, EAP_MAX_METHODS * 1103 sizeof(sm->user->methods[0])); 1104 } 1105 1106 1107 static void eap_sm_Policy_update(struct eap_sm *sm, const u8 *nak_list, 1108 size_t len) 1109 { 1110 if (nak_list == NULL || sm == NULL || sm->user == NULL) 1111 return; 1112 1113 if (sm->user->phase2) { 1114 wpa_printf(MSG_DEBUG, "EAP: EAP-Nak received after Phase2 user" 1115 " info was selected - reject"); 1116 sm->decision = DECISION_FAILURE; 1117 return; 1118 } 1119 1120 eap_sm_process_nak(sm, nak_list, len); 1121 } 1122 1123 1124 static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor) 1125 { 1126 EapType next; 1127 int idx = sm->user_eap_method_index; 1128 1129 /* In theory, there should be no problems with starting 1130 * re-authentication with something else than EAP-Request/Identity and 1131 * this does indeed work with wpa_supplicant. However, at least Funk 1132 * Supplicant seemed to ignore re-auth if it skipped 1133 * EAP-Request/Identity. 1134 * Re-auth sets currentId == -1, so that can be used here to select 1135 * whether Identity needs to be requested again. */ 1136 if (sm->identity == NULL || sm->currentId == -1) { 1137 *vendor = EAP_VENDOR_IETF; 1138 next = EAP_TYPE_IDENTITY; 1139 sm->update_user = TRUE; 1140 } else if (sm->user && idx < EAP_MAX_METHODS && 1141 (sm->user->methods[idx].vendor != EAP_VENDOR_IETF || 1142 sm->user->methods[idx].method != EAP_TYPE_NONE)) { 1143 *vendor = sm->user->methods[idx].vendor; 1144 next = sm->user->methods[idx].method; 1145 sm->user_eap_method_index++; 1146 } else { 1147 *vendor = EAP_VENDOR_IETF; 1148 next = EAP_TYPE_NONE; 1149 } 1150 wpa_printf(MSG_DEBUG, "EAP: getNextMethod: vendor %d type %d", 1151 *vendor, next); 1152 return next; 1153 } 1154 1155 1156 static int eap_sm_Policy_getDecision(struct eap_sm *sm) 1157 { 1158 if (!sm->eap_server && sm->identity && !sm->start_reauth) { 1159 wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH"); 1160 return DECISION_PASSTHROUGH; 1161 } 1162 1163 if (sm->m && sm->currentMethod != EAP_TYPE_IDENTITY && 1164 sm->m->isSuccess(sm, sm->eap_method_priv)) { 1165 wpa_printf(MSG_DEBUG, "EAP: getDecision: method succeeded -> " 1166 "SUCCESS"); 1167 sm->update_user = TRUE; 1168 return DECISION_SUCCESS; 1169 } 1170 1171 if (sm->m && sm->m->isDone(sm, sm->eap_method_priv) && 1172 !sm->m->isSuccess(sm, sm->eap_method_priv)) { 1173 wpa_printf(MSG_DEBUG, "EAP: getDecision: method failed -> " 1174 "FAILURE"); 1175 sm->update_user = TRUE; 1176 return DECISION_FAILURE; 1177 } 1178 1179 if ((sm->user == NULL || sm->update_user) && sm->identity && 1180 !sm->start_reauth) { 1181 /* 1182 * Allow Identity method to be started once to allow identity 1183 * selection hint to be sent from the authentication server, 1184 * but prevent a loop of Identity requests by only allowing 1185 * this to happen once. 1186 */ 1187 int id_req = 0; 1188 if (sm->user && sm->currentMethod == EAP_TYPE_IDENTITY && 1189 sm->user->methods[0].vendor == EAP_VENDOR_IETF && 1190 sm->user->methods[0].method == EAP_TYPE_IDENTITY) 1191 id_req = 1; 1192 if (eap_user_get(sm, sm->identity, sm->identity_len, 0) != 0) { 1193 wpa_printf(MSG_DEBUG, "EAP: getDecision: user not " 1194 "found from database -> FAILURE"); 1195 return DECISION_FAILURE; 1196 } 1197 if (id_req && sm->user && 1198 sm->user->methods[0].vendor == EAP_VENDOR_IETF && 1199 sm->user->methods[0].method == EAP_TYPE_IDENTITY) { 1200 wpa_printf(MSG_DEBUG, "EAP: getDecision: stop " 1201 "identity request loop -> FAILURE"); 1202 sm->update_user = TRUE; 1203 return DECISION_FAILURE; 1204 } 1205 sm->update_user = FALSE; 1206 } 1207 sm->start_reauth = FALSE; 1208 1209 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1210 (sm->user->methods[sm->user_eap_method_index].vendor != 1211 EAP_VENDOR_IETF || 1212 sm->user->methods[sm->user_eap_method_index].method != 1213 EAP_TYPE_NONE)) { 1214 wpa_printf(MSG_DEBUG, "EAP: getDecision: another method " 1215 "available -> CONTINUE"); 1216 return DECISION_CONTINUE; 1217 } 1218 1219 if (sm->identity == NULL || sm->currentId == -1) { 1220 wpa_printf(MSG_DEBUG, "EAP: getDecision: no identity known " 1221 "yet -> CONTINUE"); 1222 return DECISION_CONTINUE; 1223 } 1224 1225 wpa_printf(MSG_DEBUG, "EAP: getDecision: no more methods available -> " 1226 "FAILURE"); 1227 return DECISION_FAILURE; 1228 } 1229 1230 1231 static Boolean eap_sm_Policy_doPickUp(struct eap_sm *sm, EapType method) 1232 { 1233 return method == EAP_TYPE_IDENTITY ? TRUE : FALSE; 1234 } 1235 1236 1237 /** 1238 * eap_server_sm_step - Step EAP server state machine 1239 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1240 * Returns: 1 if EAP state was changed or 0 if not 1241 * 1242 * This function advances EAP state machine to a new state to match with the 1243 * current variables. This should be called whenever variables used by the EAP 1244 * state machine have changed. 1245 */ 1246 int eap_server_sm_step(struct eap_sm *sm) 1247 { 1248 int res = 0; 1249 do { 1250 sm->changed = FALSE; 1251 SM_STEP_RUN(EAP); 1252 if (sm->changed) 1253 res = 1; 1254 } while (sm->changed); 1255 return res; 1256 } 1257 1258 1259 static void eap_user_free(struct eap_user *user) 1260 { 1261 if (user == NULL) 1262 return; 1263 bin_clear_free(user->password, user->password_len); 1264 user->password = NULL; 1265 os_free(user); 1266 } 1267 1268 1269 /** 1270 * eap_server_sm_init - Allocate and initialize EAP server state machine 1271 * @eapol_ctx: Context data to be used with eapol_cb calls 1272 * @eapol_cb: Pointer to EAPOL callback functions 1273 * @conf: EAP configuration 1274 * Returns: Pointer to the allocated EAP state machine or %NULL on failure 1275 * 1276 * This function allocates and initializes an EAP state machine. 1277 */ 1278 struct eap_sm * eap_server_sm_init(void *eapol_ctx, 1279 struct eapol_callbacks *eapol_cb, 1280 struct eap_config *conf) 1281 { 1282 struct eap_sm *sm; 1283 1284 sm = os_zalloc(sizeof(*sm)); 1285 if (sm == NULL) 1286 return NULL; 1287 sm->eapol_ctx = eapol_ctx; 1288 sm->eapol_cb = eapol_cb; 1289 sm->MaxRetrans = 5; /* RFC 3748: max 3-5 retransmissions suggested */ 1290 sm->ssl_ctx = conf->ssl_ctx; 1291 sm->msg_ctx = conf->msg_ctx; 1292 sm->eap_sim_db_priv = conf->eap_sim_db_priv; 1293 sm->backend_auth = conf->backend_auth; 1294 sm->eap_server = conf->eap_server; 1295 if (conf->pac_opaque_encr_key) { 1296 sm->pac_opaque_encr_key = os_malloc(16); 1297 if (sm->pac_opaque_encr_key) { 1298 os_memcpy(sm->pac_opaque_encr_key, 1299 conf->pac_opaque_encr_key, 16); 1300 } 1301 } 1302 if (conf->eap_fast_a_id) { 1303 sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len); 1304 if (sm->eap_fast_a_id) { 1305 os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id, 1306 conf->eap_fast_a_id_len); 1307 sm->eap_fast_a_id_len = conf->eap_fast_a_id_len; 1308 } 1309 } 1310 if (conf->eap_fast_a_id_info) 1311 sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info); 1312 sm->eap_fast_prov = conf->eap_fast_prov; 1313 sm->pac_key_lifetime = conf->pac_key_lifetime; 1314 sm->pac_key_refresh_time = conf->pac_key_refresh_time; 1315 sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; 1316 sm->tnc = conf->tnc; 1317 sm->wps = conf->wps; 1318 if (conf->assoc_wps_ie) 1319 sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie); 1320 if (conf->assoc_p2p_ie) 1321 sm->assoc_p2p_ie = wpabuf_dup(conf->assoc_p2p_ie); 1322 if (conf->peer_addr) 1323 os_memcpy(sm->peer_addr, conf->peer_addr, ETH_ALEN); 1324 sm->fragment_size = conf->fragment_size; 1325 sm->pwd_group = conf->pwd_group; 1326 sm->pbc_in_m1 = conf->pbc_in_m1; 1327 sm->server_id = conf->server_id; 1328 sm->server_id_len = conf->server_id_len; 1329 1330 #ifdef CONFIG_TESTING_OPTIONS 1331 sm->tls_test_flags = conf->tls_test_flags; 1332 #endif /* CONFIG_TESTING_OPTIONS */ 1333 1334 wpa_printf(MSG_DEBUG, "EAP: Server state machine created"); 1335 1336 return sm; 1337 } 1338 1339 1340 /** 1341 * eap_server_sm_deinit - Deinitialize and free an EAP server state machine 1342 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1343 * 1344 * This function deinitializes EAP state machine and frees all allocated 1345 * resources. 1346 */ 1347 void eap_server_sm_deinit(struct eap_sm *sm) 1348 { 1349 if (sm == NULL) 1350 return; 1351 wpa_printf(MSG_DEBUG, "EAP: Server state machine removed"); 1352 if (sm->m && sm->eap_method_priv) 1353 sm->m->reset(sm, sm->eap_method_priv); 1354 wpabuf_free(sm->eap_if.eapReqData); 1355 bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen); 1356 wpabuf_free(sm->lastReqData); 1357 wpabuf_free(sm->eap_if.eapRespData); 1358 os_free(sm->identity); 1359 os_free(sm->pac_opaque_encr_key); 1360 os_free(sm->eap_fast_a_id); 1361 os_free(sm->eap_fast_a_id_info); 1362 wpabuf_free(sm->eap_if.aaaEapReqData); 1363 wpabuf_free(sm->eap_if.aaaEapRespData); 1364 bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen); 1365 eap_user_free(sm->user); 1366 wpabuf_free(sm->assoc_wps_ie); 1367 wpabuf_free(sm->assoc_p2p_ie); 1368 os_free(sm); 1369 } 1370 1371 1372 /** 1373 * eap_sm_notify_cached - Notify EAP state machine of cached PMK 1374 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1375 * 1376 * This function is called when PMKSA caching is used to skip EAP 1377 * authentication. 1378 */ 1379 void eap_sm_notify_cached(struct eap_sm *sm) 1380 { 1381 if (sm == NULL) 1382 return; 1383 1384 sm->EAP_state = EAP_SUCCESS; 1385 } 1386 1387 1388 /** 1389 * eap_sm_pending_cb - EAP state machine callback for a pending EAP request 1390 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1391 * 1392 * This function is called when data for a pending EAP-Request is received. 1393 */ 1394 void eap_sm_pending_cb(struct eap_sm *sm) 1395 { 1396 if (sm == NULL) 1397 return; 1398 wpa_printf(MSG_DEBUG, "EAP: Callback for pending request received"); 1399 if (sm->method_pending == METHOD_PENDING_WAIT) 1400 sm->method_pending = METHOD_PENDING_CONT; 1401 } 1402 1403 1404 /** 1405 * eap_sm_method_pending - Query whether EAP method is waiting for pending data 1406 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1407 * Returns: 1 if method is waiting for pending data or 0 if not 1408 */ 1409 int eap_sm_method_pending(struct eap_sm *sm) 1410 { 1411 if (sm == NULL) 1412 return 0; 1413 return sm->method_pending == METHOD_PENDING_WAIT; 1414 } 1415 1416 1417 /** 1418 * eap_get_identity - Get the user identity (from EAP-Response/Identity) 1419 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1420 * @len: Buffer for returning identity length 1421 * Returns: Pointer to the user identity or %NULL if not available 1422 */ 1423 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len) 1424 { 1425 *len = sm->identity_len; 1426 return sm->identity; 1427 } 1428 1429 1430 /** 1431 * eap_get_interface - Get pointer to EAP-EAPOL interface data 1432 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1433 * Returns: Pointer to the EAP-EAPOL interface data 1434 */ 1435 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm) 1436 { 1437 return &sm->eap_if; 1438 } 1439 1440 1441 /** 1442 * eap_server_clear_identity - Clear EAP identity information 1443 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 1444 * 1445 * This function can be used to clear the EAP identity information in the EAP 1446 * server context. This allows the EAP/Identity method to be used again after 1447 * EAPOL-Start or EAPOL-Logoff. 1448 */ 1449 void eap_server_clear_identity(struct eap_sm *sm) 1450 { 1451 os_free(sm->identity); 1452 sm->identity = NULL; 1453 } 1454
