Home | History | Annotate | Download | only in eapol_auth
      1 /*
      2  * IEEE 802.1X-2004 Authenticator - EAPOL state machine
      3  * Copyright (c) 2002-2009, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "eloop.h"
     13 #include "state_machine.h"
     14 #include "common/eapol_common.h"
     15 #include "eap_common/eap_defs.h"
     16 #include "eap_common/eap_common.h"
     17 #include "eap_server/eap.h"
     18 #include "eapol_auth_sm.h"
     19 #include "eapol_auth_sm_i.h"
     20 
     21 #define STATE_MACHINE_DATA struct eapol_state_machine
     22 #define STATE_MACHINE_DEBUG_PREFIX "IEEE 802.1X"
     23 #define STATE_MACHINE_ADDR sm->addr
     24 
     25 static struct eapol_callbacks eapol_cb;
     26 
     27 /* EAPOL state machines are described in IEEE Std 802.1X-2004, Chap. 8.2 */
     28 
     29 #define setPortAuthorized() \
     30 sm->eapol->cb.set_port_authorized(sm->eapol->conf.ctx, sm->sta, 1)
     31 #define setPortUnauthorized() \
     32 sm->eapol->cb.set_port_authorized(sm->eapol->conf.ctx, sm->sta, 0)
     33 
     34 /* procedures */
     35 #define txCannedFail() eapol_auth_tx_canned_eap(sm, 0)
     36 #define txCannedSuccess() eapol_auth_tx_canned_eap(sm, 1)
     37 #define txReq() eapol_auth_tx_req(sm)
     38 #define abortAuth() sm->eapol->cb.abort_auth(sm->eapol->conf.ctx, sm->sta)
     39 #define txKey() sm->eapol->cb.tx_key(sm->eapol->conf.ctx, sm->sta)
     40 #define processKey() do { } while (0)
     41 
     42 
     43 static void eapol_sm_step_run(struct eapol_state_machine *sm);
     44 static void eapol_sm_step_cb(void *eloop_ctx, void *timeout_ctx);
     45 static void eapol_auth_initialize(struct eapol_state_machine *sm);
     46 
     47 
     48 static void eapol_auth_logger(struct eapol_authenticator *eapol,
     49 			      const u8 *addr, eapol_logger_level level,
     50 			      const char *txt)
     51 {
     52 	if (eapol->cb.logger == NULL)
     53 		return;
     54 	eapol->cb.logger(eapol->conf.ctx, addr, level, txt);
     55 }
     56 
     57 
     58 static void eapol_auth_vlogger(struct eapol_authenticator *eapol,
     59 			       const u8 *addr, eapol_logger_level level,
     60 			       const char *fmt, ...)
     61 {
     62 	char *format;
     63 	int maxlen;
     64 	va_list ap;
     65 
     66 	if (eapol->cb.logger == NULL)
     67 		return;
     68 
     69 	maxlen = os_strlen(fmt) + 100;
     70 	format = os_malloc(maxlen);
     71 	if (!format)
     72 		return;
     73 
     74 	va_start(ap, fmt);
     75 	vsnprintf(format, maxlen, fmt, ap);
     76 	va_end(ap);
     77 
     78 	eapol_auth_logger(eapol, addr, level, format);
     79 
     80 	os_free(format);
     81 }
     82 
     83 
     84 static void eapol_auth_tx_canned_eap(struct eapol_state_machine *sm,
     85 				     int success)
     86 {
     87 	struct eap_hdr eap;
     88 
     89 	os_memset(&eap, 0, sizeof(eap));
     90 
     91 	eap.code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
     92 	eap.identifier = ++sm->last_eap_id;
     93 	eap.length = host_to_be16(sizeof(eap));
     94 
     95 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_DEBUG,
     96 			   "Sending canned EAP packet %s (identifier %d)",
     97 			   success ? "SUCCESS" : "FAILURE", eap.identifier);
     98 	sm->eapol->cb.eapol_send(sm->eapol->conf.ctx, sm->sta,
     99 				 IEEE802_1X_TYPE_EAP_PACKET,
    100 				 (u8 *) &eap, sizeof(eap));
    101 	sm->dot1xAuthEapolFramesTx++;
    102 }
    103 
    104 
    105 static void eapol_auth_tx_req(struct eapol_state_machine *sm)
    106 {
    107 	if (sm->eap_if->eapReqData == NULL ||
    108 	    wpabuf_len(sm->eap_if->eapReqData) < sizeof(struct eap_hdr)) {
    109 		eapol_auth_logger(sm->eapol, sm->addr,
    110 				  EAPOL_LOGGER_DEBUG,
    111 				  "TxReq called, but there is no EAP request "
    112 				  "from authentication server");
    113 		return;
    114 	}
    115 
    116 	if (sm->flags & EAPOL_SM_WAIT_START) {
    117 		wpa_printf(MSG_DEBUG, "EAPOL: Drop EAPOL TX to " MACSTR
    118 			   " while waiting for EAPOL-Start",
    119 			   MAC2STR(sm->addr));
    120 		return;
    121 	}
    122 
    123 	sm->last_eap_id = eap_get_id(sm->eap_if->eapReqData);
    124 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_DEBUG,
    125 			   "Sending EAP Packet (identifier %d)",
    126 			   sm->last_eap_id);
    127 	sm->eapol->cb.eapol_send(sm->eapol->conf.ctx, sm->sta,
    128 				 IEEE802_1X_TYPE_EAP_PACKET,
    129 				 wpabuf_head(sm->eap_if->eapReqData),
    130 				 wpabuf_len(sm->eap_if->eapReqData));
    131 	sm->dot1xAuthEapolFramesTx++;
    132 	if (eap_get_type(sm->eap_if->eapReqData) == EAP_TYPE_IDENTITY)
    133 		sm->dot1xAuthEapolReqIdFramesTx++;
    134 	else
    135 		sm->dot1xAuthEapolReqFramesTx++;
    136 }
    137 
    138 
    139 /**
    140  * eapol_port_timers_tick - Port Timers state machine
    141  * @eloop_ctx: struct eapol_state_machine *
    142  * @timeout_ctx: Not used
    143  *
    144  * This statemachine is implemented as a function that will be called
    145  * once a second as a registered event loop timeout.
    146  */
    147 static void eapol_port_timers_tick(void *eloop_ctx, void *timeout_ctx)
    148 {
    149 	struct eapol_state_machine *state = timeout_ctx;
    150 
    151 	if (state->aWhile > 0) {
    152 		state->aWhile--;
    153 		if (state->aWhile == 0) {
    154 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
    155 				   " - aWhile --> 0",
    156 				   MAC2STR(state->addr));
    157 		}
    158 	}
    159 
    160 	if (state->quietWhile > 0) {
    161 		state->quietWhile--;
    162 		if (state->quietWhile == 0) {
    163 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
    164 				   " - quietWhile --> 0",
    165 				   MAC2STR(state->addr));
    166 		}
    167 	}
    168 
    169 	if (state->reAuthWhen > 0) {
    170 		state->reAuthWhen--;
    171 		if (state->reAuthWhen == 0) {
    172 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
    173 				   " - reAuthWhen --> 0",
    174 				   MAC2STR(state->addr));
    175 		}
    176 	}
    177 
    178 	if (state->eap_if->retransWhile > 0) {
    179 		state->eap_if->retransWhile--;
    180 		if (state->eap_if->retransWhile == 0) {
    181 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
    182 				   " - (EAP) retransWhile --> 0",
    183 				   MAC2STR(state->addr));
    184 		}
    185 	}
    186 
    187 	eapol_sm_step_run(state);
    188 
    189 	eloop_register_timeout(1, 0, eapol_port_timers_tick, eloop_ctx, state);
    190 }
    191 
    192 
    193 
    194 /* Authenticator PAE state machine */
    195 
    196 SM_STATE(AUTH_PAE, INITIALIZE)
    197 {
    198 	SM_ENTRY_MA(AUTH_PAE, INITIALIZE, auth_pae);
    199 	sm->portMode = Auto;
    200 }
    201 
    202 
    203 SM_STATE(AUTH_PAE, DISCONNECTED)
    204 {
    205 	int from_initialize = sm->auth_pae_state == AUTH_PAE_INITIALIZE;
    206 
    207 	if (sm->eapolLogoff) {
    208 		if (sm->auth_pae_state == AUTH_PAE_CONNECTING)
    209 			sm->authEapLogoffsWhileConnecting++;
    210 		else if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED)
    211 			sm->authAuthEapLogoffWhileAuthenticated++;
    212 	}
    213 
    214 	SM_ENTRY_MA(AUTH_PAE, DISCONNECTED, auth_pae);
    215 
    216 	sm->authPortStatus = Unauthorized;
    217 	setPortUnauthorized();
    218 	sm->reAuthCount = 0;
    219 	sm->eapolLogoff = FALSE;
    220 	if (!from_initialize) {
    221 		sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0,
    222 				       sm->flags & EAPOL_SM_PREAUTH,
    223 				       sm->remediation);
    224 	}
    225 }
    226 
    227 
    228 SM_STATE(AUTH_PAE, RESTART)
    229 {
    230 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED) {
    231 		if (sm->reAuthenticate)
    232 			sm->authAuthReauthsWhileAuthenticated++;
    233 		if (sm->eapolStart)
    234 			sm->authAuthEapStartsWhileAuthenticated++;
    235 		if (sm->eapolLogoff)
    236 			sm->authAuthEapLogoffWhileAuthenticated++;
    237 	}
    238 
    239 	SM_ENTRY_MA(AUTH_PAE, RESTART, auth_pae);
    240 
    241 	sm->eap_if->eapRestart = TRUE;
    242 }
    243 
    244 
    245 SM_STATE(AUTH_PAE, CONNECTING)
    246 {
    247 	if (sm->auth_pae_state != AUTH_PAE_CONNECTING)
    248 		sm->authEntersConnecting++;
    249 
    250 	SM_ENTRY_MA(AUTH_PAE, CONNECTING, auth_pae);
    251 
    252 	sm->reAuthenticate = FALSE;
    253 	sm->reAuthCount++;
    254 }
    255 
    256 
    257 SM_STATE(AUTH_PAE, HELD)
    258 {
    259 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authFail)
    260 		sm->authAuthFailWhileAuthenticating++;
    261 
    262 	SM_ENTRY_MA(AUTH_PAE, HELD, auth_pae);
    263 
    264 	sm->authPortStatus = Unauthorized;
    265 	setPortUnauthorized();
    266 	sm->quietWhile = sm->quietPeriod;
    267 	sm->eapolLogoff = FALSE;
    268 
    269 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_WARNING,
    270 			   "authentication failed - EAP type: %d (%s)",
    271 			   sm->eap_type_authsrv,
    272 			   eap_server_get_name(0, sm->eap_type_authsrv));
    273 	if (sm->eap_type_authsrv != sm->eap_type_supp) {
    274 		eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO,
    275 				   "Supplicant used different EAP type: "
    276 				   "%d (%s)", sm->eap_type_supp,
    277 				   eap_server_get_name(0, sm->eap_type_supp));
    278 	}
    279 	sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0,
    280 			       sm->flags & EAPOL_SM_PREAUTH, sm->remediation);
    281 }
    282 
    283 
    284 SM_STATE(AUTH_PAE, AUTHENTICATED)
    285 {
    286 	char *extra = "";
    287 
    288 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authSuccess)
    289 		sm->authAuthSuccessesWhileAuthenticating++;
    290 
    291 	SM_ENTRY_MA(AUTH_PAE, AUTHENTICATED, auth_pae);
    292 
    293 	sm->authPortStatus = Authorized;
    294 	setPortAuthorized();
    295 	sm->reAuthCount = 0;
    296 	if (sm->flags & EAPOL_SM_PREAUTH)
    297 		extra = " (pre-authentication)";
    298 	else if (sm->flags & EAPOL_SM_FROM_PMKSA_CACHE)
    299 		extra = " (PMKSA cache)";
    300 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO,
    301 			   "authenticated - EAP type: %d (%s)%s",
    302 			   sm->eap_type_authsrv,
    303 			   eap_server_get_name(0, sm->eap_type_authsrv),
    304 			   extra);
    305 	sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 1,
    306 			       sm->flags & EAPOL_SM_PREAUTH, sm->remediation);
    307 }
    308 
    309 
    310 SM_STATE(AUTH_PAE, AUTHENTICATING)
    311 {
    312 	SM_ENTRY_MA(AUTH_PAE, AUTHENTICATING, auth_pae);
    313 
    314 	sm->eapolStart = FALSE;
    315 	sm->authSuccess = FALSE;
    316 	sm->authFail = FALSE;
    317 	sm->authTimeout = FALSE;
    318 	sm->authStart = TRUE;
    319 	sm->keyRun = FALSE;
    320 	sm->keyDone = FALSE;
    321 }
    322 
    323 
    324 SM_STATE(AUTH_PAE, ABORTING)
    325 {
    326 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING) {
    327 		if (sm->authTimeout)
    328 			sm->authAuthTimeoutsWhileAuthenticating++;
    329 		if (sm->eapolStart)
    330 			sm->authAuthEapStartsWhileAuthenticating++;
    331 		if (sm->eapolLogoff)
    332 			sm->authAuthEapLogoffWhileAuthenticating++;
    333 	}
    334 
    335 	SM_ENTRY_MA(AUTH_PAE, ABORTING, auth_pae);
    336 
    337 	sm->authAbort = TRUE;
    338 	sm->keyRun = FALSE;
    339 	sm->keyDone = FALSE;
    340 }
    341 
    342 
    343 SM_STATE(AUTH_PAE, FORCE_AUTH)
    344 {
    345 	SM_ENTRY_MA(AUTH_PAE, FORCE_AUTH, auth_pae);
    346 
    347 	sm->authPortStatus = Authorized;
    348 	setPortAuthorized();
    349 	sm->portMode = ForceAuthorized;
    350 	sm->eapolStart = FALSE;
    351 	txCannedSuccess();
    352 }
    353 
    354 
    355 SM_STATE(AUTH_PAE, FORCE_UNAUTH)
    356 {
    357 	SM_ENTRY_MA(AUTH_PAE, FORCE_UNAUTH, auth_pae);
    358 
    359 	sm->authPortStatus = Unauthorized;
    360 	setPortUnauthorized();
    361 	sm->portMode = ForceUnauthorized;
    362 	sm->eapolStart = FALSE;
    363 	txCannedFail();
    364 }
    365 
    366 
    367 SM_STEP(AUTH_PAE)
    368 {
    369 	if ((sm->portControl == Auto && sm->portMode != sm->portControl) ||
    370 	    sm->initialize || !sm->eap_if->portEnabled)
    371 		SM_ENTER_GLOBAL(AUTH_PAE, INITIALIZE);
    372 	else if (sm->portControl == ForceAuthorized &&
    373 		 sm->portMode != sm->portControl &&
    374 		 !(sm->initialize || !sm->eap_if->portEnabled))
    375 		SM_ENTER_GLOBAL(AUTH_PAE, FORCE_AUTH);
    376 	else if (sm->portControl == ForceUnauthorized &&
    377 		 sm->portMode != sm->portControl &&
    378 		 !(sm->initialize || !sm->eap_if->portEnabled))
    379 		SM_ENTER_GLOBAL(AUTH_PAE, FORCE_UNAUTH);
    380 	else {
    381 		switch (sm->auth_pae_state) {
    382 		case AUTH_PAE_INITIALIZE:
    383 			SM_ENTER(AUTH_PAE, DISCONNECTED);
    384 			break;
    385 		case AUTH_PAE_DISCONNECTED:
    386 			SM_ENTER(AUTH_PAE, RESTART);
    387 			break;
    388 		case AUTH_PAE_RESTART:
    389 			if (!sm->eap_if->eapRestart)
    390 				SM_ENTER(AUTH_PAE, CONNECTING);
    391 			break;
    392 		case AUTH_PAE_HELD:
    393 			if (sm->quietWhile == 0)
    394 				SM_ENTER(AUTH_PAE, RESTART);
    395 			break;
    396 		case AUTH_PAE_CONNECTING:
    397 			if (sm->eapolLogoff || sm->reAuthCount > sm->reAuthMax)
    398 				SM_ENTER(AUTH_PAE, DISCONNECTED);
    399 			else if ((sm->eap_if->eapReq &&
    400 				  sm->reAuthCount <= sm->reAuthMax) ||
    401 				 sm->eap_if->eapSuccess || sm->eap_if->eapFail)
    402 				SM_ENTER(AUTH_PAE, AUTHENTICATING);
    403 			break;
    404 		case AUTH_PAE_AUTHENTICATED:
    405 			if (sm->eapolStart || sm->reAuthenticate)
    406 				SM_ENTER(AUTH_PAE, RESTART);
    407 			else if (sm->eapolLogoff || !sm->portValid)
    408 				SM_ENTER(AUTH_PAE, DISCONNECTED);
    409 			break;
    410 		case AUTH_PAE_AUTHENTICATING:
    411 			if (sm->authSuccess && sm->portValid)
    412 				SM_ENTER(AUTH_PAE, AUTHENTICATED);
    413 			else if (sm->authFail ||
    414 				 (sm->keyDone && !sm->portValid))
    415 				SM_ENTER(AUTH_PAE, HELD);
    416 			else if (sm->eapolStart || sm->eapolLogoff ||
    417 				 sm->authTimeout)
    418 				SM_ENTER(AUTH_PAE, ABORTING);
    419 			break;
    420 		case AUTH_PAE_ABORTING:
    421 			if (sm->eapolLogoff && !sm->authAbort)
    422 				SM_ENTER(AUTH_PAE, DISCONNECTED);
    423 			else if (!sm->eapolLogoff && !sm->authAbort)
    424 				SM_ENTER(AUTH_PAE, RESTART);
    425 			break;
    426 		case AUTH_PAE_FORCE_AUTH:
    427 			if (sm->eapolStart)
    428 				SM_ENTER(AUTH_PAE, FORCE_AUTH);
    429 			break;
    430 		case AUTH_PAE_FORCE_UNAUTH:
    431 			if (sm->eapolStart)
    432 				SM_ENTER(AUTH_PAE, FORCE_UNAUTH);
    433 			break;
    434 		}
    435 	}
    436 }
    437 
    438 
    439 
    440 /* Backend Authentication state machine */
    441 
    442 SM_STATE(BE_AUTH, INITIALIZE)
    443 {
    444 	SM_ENTRY_MA(BE_AUTH, INITIALIZE, be_auth);
    445 
    446 	abortAuth();
    447 	sm->eap_if->eapNoReq = FALSE;
    448 	sm->authAbort = FALSE;
    449 }
    450 
    451 
    452 SM_STATE(BE_AUTH, REQUEST)
    453 {
    454 	SM_ENTRY_MA(BE_AUTH, REQUEST, be_auth);
    455 
    456 	txReq();
    457 	sm->eap_if->eapReq = FALSE;
    458 	sm->backendOtherRequestsToSupplicant++;
    459 
    460 	/*
    461 	 * Clearing eapolEap here is not specified in IEEE Std 802.1X-2004, but
    462 	 * it looks like this would be logical thing to do there since the old
    463 	 * EAP response would not be valid anymore after the new EAP request
    464 	 * was sent out.
    465 	 *
    466 	 * A race condition has been reported, in which hostapd ended up
    467 	 * sending out EAP-Response/Identity as a response to the first
    468 	 * EAP-Request from the main EAP method. This can be avoided by
    469 	 * clearing eapolEap here.
    470 	 */
    471 	sm->eapolEap = FALSE;
    472 }
    473 
    474 
    475 SM_STATE(BE_AUTH, RESPONSE)
    476 {
    477 	SM_ENTRY_MA(BE_AUTH, RESPONSE, be_auth);
    478 
    479 	sm->authTimeout = FALSE;
    480 	sm->eapolEap = FALSE;
    481 	sm->eap_if->eapNoReq = FALSE;
    482 	sm->aWhile = sm->serverTimeout;
    483 	sm->eap_if->eapResp = TRUE;
    484 	/* sendRespToServer(); */
    485 	sm->backendResponses++;
    486 }
    487 
    488 
    489 SM_STATE(BE_AUTH, SUCCESS)
    490 {
    491 	SM_ENTRY_MA(BE_AUTH, SUCCESS, be_auth);
    492 
    493 	txReq();
    494 	sm->authSuccess = TRUE;
    495 	sm->keyRun = TRUE;
    496 }
    497 
    498 
    499 SM_STATE(BE_AUTH, FAIL)
    500 {
    501 	SM_ENTRY_MA(BE_AUTH, FAIL, be_auth);
    502 
    503 	txReq();
    504 	sm->authFail = TRUE;
    505 }
    506 
    507 
    508 SM_STATE(BE_AUTH, TIMEOUT)
    509 {
    510 	SM_ENTRY_MA(BE_AUTH, TIMEOUT, be_auth);
    511 
    512 	sm->authTimeout = TRUE;
    513 }
    514 
    515 
    516 SM_STATE(BE_AUTH, IDLE)
    517 {
    518 	SM_ENTRY_MA(BE_AUTH, IDLE, be_auth);
    519 
    520 	sm->authStart = FALSE;
    521 }
    522 
    523 
    524 SM_STATE(BE_AUTH, IGNORE)
    525 {
    526 	SM_ENTRY_MA(BE_AUTH, IGNORE, be_auth);
    527 
    528 	sm->eap_if->eapNoReq = FALSE;
    529 }
    530 
    531 
    532 SM_STEP(BE_AUTH)
    533 {
    534 	if (sm->portControl != Auto || sm->initialize || sm->authAbort) {
    535 		SM_ENTER_GLOBAL(BE_AUTH, INITIALIZE);
    536 		return;
    537 	}
    538 
    539 	switch (sm->be_auth_state) {
    540 	case BE_AUTH_INITIALIZE:
    541 		SM_ENTER(BE_AUTH, IDLE);
    542 		break;
    543 	case BE_AUTH_REQUEST:
    544 		if (sm->eapolEap)
    545 			SM_ENTER(BE_AUTH, RESPONSE);
    546 		else if (sm->eap_if->eapReq)
    547 			SM_ENTER(BE_AUTH, REQUEST);
    548 		else if (sm->eap_if->eapTimeout)
    549 			SM_ENTER(BE_AUTH, TIMEOUT);
    550 		break;
    551 	case BE_AUTH_RESPONSE:
    552 		if (sm->eap_if->eapNoReq)
    553 			SM_ENTER(BE_AUTH, IGNORE);
    554 		if (sm->eap_if->eapReq) {
    555 			sm->backendAccessChallenges++;
    556 			SM_ENTER(BE_AUTH, REQUEST);
    557 		} else if (sm->aWhile == 0)
    558 			SM_ENTER(BE_AUTH, TIMEOUT);
    559 		else if (sm->eap_if->eapFail) {
    560 			sm->backendAuthFails++;
    561 			SM_ENTER(BE_AUTH, FAIL);
    562 		} else if (sm->eap_if->eapSuccess) {
    563 			sm->backendAuthSuccesses++;
    564 			SM_ENTER(BE_AUTH, SUCCESS);
    565 		}
    566 		break;
    567 	case BE_AUTH_SUCCESS:
    568 		SM_ENTER(BE_AUTH, IDLE);
    569 		break;
    570 	case BE_AUTH_FAIL:
    571 		SM_ENTER(BE_AUTH, IDLE);
    572 		break;
    573 	case BE_AUTH_TIMEOUT:
    574 		SM_ENTER(BE_AUTH, IDLE);
    575 		break;
    576 	case BE_AUTH_IDLE:
    577 		if (sm->eap_if->eapFail && sm->authStart)
    578 			SM_ENTER(BE_AUTH, FAIL);
    579 		else if (sm->eap_if->eapReq && sm->authStart)
    580 			SM_ENTER(BE_AUTH, REQUEST);
    581 		else if (sm->eap_if->eapSuccess && sm->authStart)
    582 			SM_ENTER(BE_AUTH, SUCCESS);
    583 		break;
    584 	case BE_AUTH_IGNORE:
    585 		if (sm->eapolEap)
    586 			SM_ENTER(BE_AUTH, RESPONSE);
    587 		else if (sm->eap_if->eapReq)
    588 			SM_ENTER(BE_AUTH, REQUEST);
    589 		else if (sm->eap_if->eapTimeout)
    590 			SM_ENTER(BE_AUTH, TIMEOUT);
    591 		break;
    592 	}
    593 }
    594 
    595 
    596 
    597 /* Reauthentication Timer state machine */
    598 
    599 SM_STATE(REAUTH_TIMER, INITIALIZE)
    600 {
    601 	SM_ENTRY_MA(REAUTH_TIMER, INITIALIZE, reauth_timer);
    602 
    603 	sm->reAuthWhen = sm->reAuthPeriod;
    604 }
    605 
    606 
    607 SM_STATE(REAUTH_TIMER, REAUTHENTICATE)
    608 {
    609 	SM_ENTRY_MA(REAUTH_TIMER, REAUTHENTICATE, reauth_timer);
    610 
    611 	sm->reAuthenticate = TRUE;
    612 	sm->eapol->cb.eapol_event(sm->eapol->conf.ctx, sm->sta,
    613 				  EAPOL_AUTH_REAUTHENTICATE);
    614 }
    615 
    616 
    617 SM_STEP(REAUTH_TIMER)
    618 {
    619 	if (sm->portControl != Auto || sm->initialize ||
    620 	    sm->authPortStatus == Unauthorized || !sm->reAuthEnabled) {
    621 		SM_ENTER_GLOBAL(REAUTH_TIMER, INITIALIZE);
    622 		return;
    623 	}
    624 
    625 	switch (sm->reauth_timer_state) {
    626 	case REAUTH_TIMER_INITIALIZE:
    627 		if (sm->reAuthWhen == 0)
    628 			SM_ENTER(REAUTH_TIMER, REAUTHENTICATE);
    629 		break;
    630 	case REAUTH_TIMER_REAUTHENTICATE:
    631 		SM_ENTER(REAUTH_TIMER, INITIALIZE);
    632 		break;
    633 	}
    634 }
    635 
    636 
    637 
    638 /* Authenticator Key Transmit state machine */
    639 
    640 SM_STATE(AUTH_KEY_TX, NO_KEY_TRANSMIT)
    641 {
    642 	SM_ENTRY_MA(AUTH_KEY_TX, NO_KEY_TRANSMIT, auth_key_tx);
    643 }
    644 
    645 
    646 SM_STATE(AUTH_KEY_TX, KEY_TRANSMIT)
    647 {
    648 	SM_ENTRY_MA(AUTH_KEY_TX, KEY_TRANSMIT, auth_key_tx);
    649 
    650 	txKey();
    651 	sm->eap_if->eapKeyAvailable = FALSE;
    652 	sm->keyDone = TRUE;
    653 }
    654 
    655 
    656 SM_STEP(AUTH_KEY_TX)
    657 {
    658 	if (sm->initialize || sm->portControl != Auto) {
    659 		SM_ENTER_GLOBAL(AUTH_KEY_TX, NO_KEY_TRANSMIT);
    660 		return;
    661 	}
    662 
    663 	switch (sm->auth_key_tx_state) {
    664 	case AUTH_KEY_TX_NO_KEY_TRANSMIT:
    665 		if (sm->keyTxEnabled && sm->eap_if->eapKeyAvailable &&
    666 		    sm->keyRun && !(sm->flags & EAPOL_SM_USES_WPA))
    667 			SM_ENTER(AUTH_KEY_TX, KEY_TRANSMIT);
    668 		break;
    669 	case AUTH_KEY_TX_KEY_TRANSMIT:
    670 		if (!sm->keyTxEnabled || !sm->keyRun)
    671 			SM_ENTER(AUTH_KEY_TX, NO_KEY_TRANSMIT);
    672 		else if (sm->eap_if->eapKeyAvailable)
    673 			SM_ENTER(AUTH_KEY_TX, KEY_TRANSMIT);
    674 		break;
    675 	}
    676 }
    677 
    678 
    679 
    680 /* Key Receive state machine */
    681 
    682 SM_STATE(KEY_RX, NO_KEY_RECEIVE)
    683 {
    684 	SM_ENTRY_MA(KEY_RX, NO_KEY_RECEIVE, key_rx);
    685 }
    686 
    687 
    688 SM_STATE(KEY_RX, KEY_RECEIVE)
    689 {
    690 	SM_ENTRY_MA(KEY_RX, KEY_RECEIVE, key_rx);
    691 
    692 	processKey();
    693 	sm->rxKey = FALSE;
    694 }
    695 
    696 
    697 SM_STEP(KEY_RX)
    698 {
    699 	if (sm->initialize || !sm->eap_if->portEnabled) {
    700 		SM_ENTER_GLOBAL(KEY_RX, NO_KEY_RECEIVE);
    701 		return;
    702 	}
    703 
    704 	switch (sm->key_rx_state) {
    705 	case KEY_RX_NO_KEY_RECEIVE:
    706 		if (sm->rxKey)
    707 			SM_ENTER(KEY_RX, KEY_RECEIVE);
    708 		break;
    709 	case KEY_RX_KEY_RECEIVE:
    710 		if (sm->rxKey)
    711 			SM_ENTER(KEY_RX, KEY_RECEIVE);
    712 		break;
    713 	}
    714 }
    715 
    716 
    717 
    718 /* Controlled Directions state machine */
    719 
    720 SM_STATE(CTRL_DIR, FORCE_BOTH)
    721 {
    722 	SM_ENTRY_MA(CTRL_DIR, FORCE_BOTH, ctrl_dir);
    723 	sm->operControlledDirections = Both;
    724 }
    725 
    726 
    727 SM_STATE(CTRL_DIR, IN_OR_BOTH)
    728 {
    729 	SM_ENTRY_MA(CTRL_DIR, IN_OR_BOTH, ctrl_dir);
    730 	sm->operControlledDirections = sm->adminControlledDirections;
    731 }
    732 
    733 
    734 SM_STEP(CTRL_DIR)
    735 {
    736 	if (sm->initialize) {
    737 		SM_ENTER_GLOBAL(CTRL_DIR, IN_OR_BOTH);
    738 		return;
    739 	}
    740 
    741 	switch (sm->ctrl_dir_state) {
    742 	case CTRL_DIR_FORCE_BOTH:
    743 		if (sm->eap_if->portEnabled && sm->operEdge)
    744 			SM_ENTER(CTRL_DIR, IN_OR_BOTH);
    745 		break;
    746 	case CTRL_DIR_IN_OR_BOTH:
    747 		if (sm->operControlledDirections !=
    748 		    sm->adminControlledDirections)
    749 			SM_ENTER(CTRL_DIR, IN_OR_BOTH);
    750 		if (!sm->eap_if->portEnabled || !sm->operEdge)
    751 			SM_ENTER(CTRL_DIR, FORCE_BOTH);
    752 		break;
    753 	}
    754 }
    755 
    756 
    757 
    758 struct eapol_state_machine *
    759 eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
    760 		 int flags, const struct wpabuf *assoc_wps_ie,
    761 		 const struct wpabuf *assoc_p2p_ie, void *sta_ctx,
    762 		 const char *identity, const char *radius_cui)
    763 {
    764 	struct eapol_state_machine *sm;
    765 	struct eap_config eap_conf;
    766 
    767 	if (eapol == NULL)
    768 		return NULL;
    769 
    770 	sm = os_zalloc(sizeof(*sm));
    771 	if (sm == NULL) {
    772 		wpa_printf(MSG_DEBUG, "IEEE 802.1X state machine allocation "
    773 			   "failed");
    774 		return NULL;
    775 	}
    776 	sm->radius_identifier = -1;
    777 	os_memcpy(sm->addr, addr, ETH_ALEN);
    778 	sm->flags = flags;
    779 
    780 	sm->eapol = eapol;
    781 	sm->sta = sta_ctx;
    782 
    783 	/* Set default values for state machine constants */
    784 	sm->auth_pae_state = AUTH_PAE_INITIALIZE;
    785 	sm->quietPeriod = AUTH_PAE_DEFAULT_quietPeriod;
    786 	sm->reAuthMax = AUTH_PAE_DEFAULT_reAuthMax;
    787 
    788 	sm->be_auth_state = BE_AUTH_INITIALIZE;
    789 	sm->serverTimeout = BE_AUTH_DEFAULT_serverTimeout;
    790 
    791 	sm->reauth_timer_state = REAUTH_TIMER_INITIALIZE;
    792 	sm->reAuthPeriod = eapol->conf.eap_reauth_period;
    793 	sm->reAuthEnabled = eapol->conf.eap_reauth_period > 0 ? TRUE : FALSE;
    794 
    795 	sm->auth_key_tx_state = AUTH_KEY_TX_NO_KEY_TRANSMIT;
    796 
    797 	sm->key_rx_state = KEY_RX_NO_KEY_RECEIVE;
    798 
    799 	sm->ctrl_dir_state = CTRL_DIR_IN_OR_BOTH;
    800 
    801 	sm->portControl = Auto;
    802 
    803 	if (!eapol->conf.wpa &&
    804 	    (eapol->default_wep_key || eapol->conf.individual_wep_key_len > 0))
    805 		sm->keyTxEnabled = TRUE;
    806 	else
    807 		sm->keyTxEnabled = FALSE;
    808 	if (eapol->conf.wpa)
    809 		sm->portValid = FALSE;
    810 	else
    811 		sm->portValid = TRUE;
    812 
    813 	os_memset(&eap_conf, 0, sizeof(eap_conf));
    814 	eap_conf.eap_server = eapol->conf.eap_server;
    815 	eap_conf.ssl_ctx = eapol->conf.ssl_ctx;
    816 	eap_conf.msg_ctx = eapol->conf.msg_ctx;
    817 	eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
    818 	eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
    819 	eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
    820 	eap_conf.eap_fast_a_id_len = eapol->conf.eap_fast_a_id_len;
    821 	eap_conf.eap_fast_a_id_info = eapol->conf.eap_fast_a_id_info;
    822 	eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
    823 	eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
    824 	eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
    825 	eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
    826 	eap_conf.tnc = eapol->conf.tnc;
    827 	eap_conf.wps = eapol->conf.wps;
    828 	eap_conf.assoc_wps_ie = assoc_wps_ie;
    829 	eap_conf.assoc_p2p_ie = assoc_p2p_ie;
    830 	eap_conf.peer_addr = addr;
    831 	eap_conf.fragment_size = eapol->conf.fragment_size;
    832 	eap_conf.pwd_group = eapol->conf.pwd_group;
    833 	eap_conf.pbc_in_m1 = eapol->conf.pbc_in_m1;
    834 	eap_conf.server_id = eapol->conf.server_id;
    835 	eap_conf.server_id_len = eapol->conf.server_id_len;
    836 	sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
    837 	if (sm->eap == NULL) {
    838 		eapol_auth_free(sm);
    839 		return NULL;
    840 	}
    841 	sm->eap_if = eap_get_interface(sm->eap);
    842 
    843 	eapol_auth_initialize(sm);
    844 
    845 	if (identity) {
    846 		sm->identity = (u8 *) os_strdup(identity);
    847 		if (sm->identity)
    848 			sm->identity_len = os_strlen(identity);
    849 	}
    850 	if (radius_cui)
    851 		sm->radius_cui = wpabuf_alloc_copy(radius_cui,
    852 						   os_strlen(radius_cui));
    853 
    854 	return sm;
    855 }
    856 
    857 
    858 void eapol_auth_free(struct eapol_state_machine *sm)
    859 {
    860 	if (sm == NULL)
    861 		return;
    862 
    863 	eloop_cancel_timeout(eapol_port_timers_tick, NULL, sm);
    864 	eloop_cancel_timeout(eapol_sm_step_cb, sm, NULL);
    865 	if (sm->eap)
    866 		eap_server_sm_deinit(sm->eap);
    867 	os_free(sm);
    868 }
    869 
    870 
    871 static int eapol_sm_sta_entry_alive(struct eapol_authenticator *eapol,
    872 				    const u8 *addr)
    873 {
    874 	return eapol->cb.sta_entry_alive(eapol->conf.ctx, addr);
    875 }
    876 
    877 
    878 static void eapol_sm_step_run(struct eapol_state_machine *sm)
    879 {
    880 	struct eapol_authenticator *eapol = sm->eapol;
    881 	u8 addr[ETH_ALEN];
    882 	unsigned int prev_auth_pae, prev_be_auth, prev_reauth_timer,
    883 		prev_auth_key_tx, prev_key_rx, prev_ctrl_dir;
    884 	int max_steps = 100;
    885 
    886 	os_memcpy(addr, sm->addr, ETH_ALEN);
    887 
    888 	/*
    889 	 * Allow EAPOL state machines to run as long as there are state
    890 	 * changes, but exit and return here through event loop if more than
    891 	 * 100 steps is needed as a precaution against infinite loops inside
    892 	 * eloop callback.
    893 	 */
    894 restart:
    895 	prev_auth_pae = sm->auth_pae_state;
    896 	prev_be_auth = sm->be_auth_state;
    897 	prev_reauth_timer = sm->reauth_timer_state;
    898 	prev_auth_key_tx = sm->auth_key_tx_state;
    899 	prev_key_rx = sm->key_rx_state;
    900 	prev_ctrl_dir = sm->ctrl_dir_state;
    901 
    902 	SM_STEP_RUN(AUTH_PAE);
    903 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
    904 		SM_STEP_RUN(BE_AUTH);
    905 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
    906 		SM_STEP_RUN(REAUTH_TIMER);
    907 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
    908 		SM_STEP_RUN(AUTH_KEY_TX);
    909 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
    910 		SM_STEP_RUN(KEY_RX);
    911 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
    912 		SM_STEP_RUN(CTRL_DIR);
    913 
    914 	if (prev_auth_pae != sm->auth_pae_state ||
    915 	    prev_be_auth != sm->be_auth_state ||
    916 	    prev_reauth_timer != sm->reauth_timer_state ||
    917 	    prev_auth_key_tx != sm->auth_key_tx_state ||
    918 	    prev_key_rx != sm->key_rx_state ||
    919 	    prev_ctrl_dir != sm->ctrl_dir_state) {
    920 		if (--max_steps > 0)
    921 			goto restart;
    922 		/* Re-run from eloop timeout */
    923 		eapol_auth_step(sm);
    924 		return;
    925 	}
    926 
    927 	if (eapol_sm_sta_entry_alive(eapol, addr) && sm->eap) {
    928 		if (eap_server_sm_step(sm->eap)) {
    929 			if (--max_steps > 0)
    930 				goto restart;
    931 			/* Re-run from eloop timeout */
    932 			eapol_auth_step(sm);
    933 			return;
    934 		}
    935 
    936 		/* TODO: find a better location for this */
    937 		if (sm->eap_if->aaaEapResp) {
    938 			sm->eap_if->aaaEapResp = FALSE;
    939 			if (sm->eap_if->aaaEapRespData == NULL) {
    940 				wpa_printf(MSG_DEBUG, "EAPOL: aaaEapResp set, "
    941 					   "but no aaaEapRespData available");
    942 				return;
    943 			}
    944 			sm->eapol->cb.aaa_send(
    945 				sm->eapol->conf.ctx, sm->sta,
    946 				wpabuf_head(sm->eap_if->aaaEapRespData),
    947 				wpabuf_len(sm->eap_if->aaaEapRespData));
    948 		}
    949 	}
    950 
    951 	if (eapol_sm_sta_entry_alive(eapol, addr))
    952 		sm->eapol->cb.eapol_event(sm->eapol->conf.ctx, sm->sta,
    953 					  EAPOL_AUTH_SM_CHANGE);
    954 }
    955 
    956 
    957 static void eapol_sm_step_cb(void *eloop_ctx, void *timeout_ctx)
    958 {
    959 	struct eapol_state_machine *sm = eloop_ctx;
    960 	eapol_sm_step_run(sm);
    961 }
    962 
    963 
    964 /**
    965  * eapol_auth_step - Advance EAPOL state machines
    966  * @sm: EAPOL state machine
    967  *
    968  * This function is called to advance EAPOL state machines after any change
    969  * that could affect their state.
    970  */
    971 void eapol_auth_step(struct eapol_state_machine *sm)
    972 {
    973 	/*
    974 	 * Run eapol_sm_step_run from a registered timeout to make sure that
    975 	 * other possible timeouts/events are processed and to avoid long
    976 	 * function call chains.
    977 	 */
    978 
    979 	eloop_register_timeout(0, 0, eapol_sm_step_cb, sm, NULL);
    980 }
    981 
    982 
    983 static void eapol_auth_initialize(struct eapol_state_machine *sm)
    984 {
    985 	sm->initializing = TRUE;
    986 	/* Initialize the state machines by asserting initialize and then
    987 	 * deasserting it after one step */
    988 	sm->initialize = TRUE;
    989 	eapol_sm_step_run(sm);
    990 	sm->initialize = FALSE;
    991 	eapol_sm_step_run(sm);
    992 	sm->initializing = FALSE;
    993 
    994 	/* Start one second tick for port timers state machine */
    995 	eloop_cancel_timeout(eapol_port_timers_tick, NULL, sm);
    996 	eloop_register_timeout(1, 0, eapol_port_timers_tick, NULL, sm);
    997 }
    998 
    999 
   1000 static int eapol_sm_get_eap_user(void *ctx, const u8 *identity,
   1001 				 size_t identity_len, int phase2,
   1002 				 struct eap_user *user)
   1003 {
   1004 	struct eapol_state_machine *sm = ctx;
   1005 	int ret;
   1006 
   1007 	ret = sm->eapol->cb.get_eap_user(sm->eapol->conf.ctx, identity,
   1008 					 identity_len, phase2, user);
   1009 	if (user->remediation)
   1010 		sm->remediation = 1;
   1011 	return ret;
   1012 }
   1013 
   1014 
   1015 static const char * eapol_sm_get_eap_req_id_text(void *ctx, size_t *len)
   1016 {
   1017 	struct eapol_state_machine *sm = ctx;
   1018 	*len = sm->eapol->conf.eap_req_id_text_len;
   1019 	return sm->eapol->conf.eap_req_id_text;
   1020 }
   1021 
   1022 
   1023 static struct eapol_callbacks eapol_cb =
   1024 {
   1025 	eapol_sm_get_eap_user,
   1026 	eapol_sm_get_eap_req_id_text,
   1027 	NULL
   1028 };
   1029 
   1030 
   1031 int eapol_auth_eap_pending_cb(struct eapol_state_machine *sm, void *ctx)
   1032 {
   1033 	if (sm == NULL || ctx == NULL || ctx != sm->eap)
   1034 		return -1;
   1035 
   1036 	eap_sm_pending_cb(sm->eap);
   1037 	eapol_auth_step(sm);
   1038 
   1039 	return 0;
   1040 }
   1041 
   1042 
   1043 static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
   1044 				 struct eapol_auth_config *src)
   1045 {
   1046 	dst->ctx = src->ctx;
   1047 	dst->eap_reauth_period = src->eap_reauth_period;
   1048 	dst->wpa = src->wpa;
   1049 	dst->individual_wep_key_len = src->individual_wep_key_len;
   1050 	dst->eap_server = src->eap_server;
   1051 	dst->ssl_ctx = src->ssl_ctx;
   1052 	dst->msg_ctx = src->msg_ctx;
   1053 	dst->eap_sim_db_priv = src->eap_sim_db_priv;
   1054 	os_free(dst->eap_req_id_text);
   1055 	dst->pwd_group = src->pwd_group;
   1056 	dst->pbc_in_m1 = src->pbc_in_m1;
   1057 	dst->server_id = src->server_id;
   1058 	dst->server_id_len = src->server_id_len;
   1059 	if (src->eap_req_id_text) {
   1060 		dst->eap_req_id_text = os_malloc(src->eap_req_id_text_len);
   1061 		if (dst->eap_req_id_text == NULL)
   1062 			return -1;
   1063 		os_memcpy(dst->eap_req_id_text, src->eap_req_id_text,
   1064 			  src->eap_req_id_text_len);
   1065 		dst->eap_req_id_text_len = src->eap_req_id_text_len;
   1066 	} else {
   1067 		dst->eap_req_id_text = NULL;
   1068 		dst->eap_req_id_text_len = 0;
   1069 	}
   1070 	if (src->pac_opaque_encr_key) {
   1071 		dst->pac_opaque_encr_key = os_malloc(16);
   1072 		if (dst->pac_opaque_encr_key == NULL) {
   1073 			os_free(dst->eap_req_id_text);
   1074 			return -1;
   1075 		}
   1076 		os_memcpy(dst->pac_opaque_encr_key, src->pac_opaque_encr_key,
   1077 			  16);
   1078 	} else
   1079 		dst->pac_opaque_encr_key = NULL;
   1080 	if (src->eap_fast_a_id) {
   1081 		dst->eap_fast_a_id = os_malloc(src->eap_fast_a_id_len);
   1082 		if (dst->eap_fast_a_id == NULL) {
   1083 			os_free(dst->eap_req_id_text);
   1084 			os_free(dst->pac_opaque_encr_key);
   1085 			return -1;
   1086 		}
   1087 		os_memcpy(dst->eap_fast_a_id, src->eap_fast_a_id,
   1088 			  src->eap_fast_a_id_len);
   1089 		dst->eap_fast_a_id_len = src->eap_fast_a_id_len;
   1090 	} else
   1091 		dst->eap_fast_a_id = NULL;
   1092 	if (src->eap_fast_a_id_info) {
   1093 		dst->eap_fast_a_id_info = os_strdup(src->eap_fast_a_id_info);
   1094 		if (dst->eap_fast_a_id_info == NULL) {
   1095 			os_free(dst->eap_req_id_text);
   1096 			os_free(dst->pac_opaque_encr_key);
   1097 			os_free(dst->eap_fast_a_id);
   1098 			return -1;
   1099 		}
   1100 	} else
   1101 		dst->eap_fast_a_id_info = NULL;
   1102 	dst->eap_fast_prov = src->eap_fast_prov;
   1103 	dst->pac_key_lifetime = src->pac_key_lifetime;
   1104 	dst->pac_key_refresh_time = src->pac_key_refresh_time;
   1105 	dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
   1106 	dst->tnc = src->tnc;
   1107 	dst->wps = src->wps;
   1108 	dst->fragment_size = src->fragment_size;
   1109 	return 0;
   1110 }
   1111 
   1112 
   1113 static void eapol_auth_conf_free(struct eapol_auth_config *conf)
   1114 {
   1115 	os_free(conf->eap_req_id_text);
   1116 	conf->eap_req_id_text = NULL;
   1117 	os_free(conf->pac_opaque_encr_key);
   1118 	conf->pac_opaque_encr_key = NULL;
   1119 	os_free(conf->eap_fast_a_id);
   1120 	conf->eap_fast_a_id = NULL;
   1121 	os_free(conf->eap_fast_a_id_info);
   1122 	conf->eap_fast_a_id_info = NULL;
   1123 }
   1124 
   1125 
   1126 struct eapol_authenticator * eapol_auth_init(struct eapol_auth_config *conf,
   1127 					     struct eapol_auth_cb *cb)
   1128 {
   1129 	struct eapol_authenticator *eapol;
   1130 
   1131 	eapol = os_zalloc(sizeof(*eapol));
   1132 	if (eapol == NULL)
   1133 		return NULL;
   1134 
   1135 	if (eapol_auth_conf_clone(&eapol->conf, conf) < 0) {
   1136 		os_free(eapol);
   1137 		return NULL;
   1138 	}
   1139 
   1140 	if (conf->individual_wep_key_len > 0) {
   1141 		/* use key0 in individual key and key1 in broadcast key */
   1142 		eapol->default_wep_key_idx = 1;
   1143 	}
   1144 
   1145 	eapol->cb.eapol_send = cb->eapol_send;
   1146 	eapol->cb.aaa_send = cb->aaa_send;
   1147 	eapol->cb.finished = cb->finished;
   1148 	eapol->cb.get_eap_user = cb->get_eap_user;
   1149 	eapol->cb.sta_entry_alive = cb->sta_entry_alive;
   1150 	eapol->cb.logger = cb->logger;
   1151 	eapol->cb.set_port_authorized = cb->set_port_authorized;
   1152 	eapol->cb.abort_auth = cb->abort_auth;
   1153 	eapol->cb.tx_key = cb->tx_key;
   1154 	eapol->cb.eapol_event = cb->eapol_event;
   1155 
   1156 	return eapol;
   1157 }
   1158 
   1159 
   1160 void eapol_auth_deinit(struct eapol_authenticator *eapol)
   1161 {
   1162 	if (eapol == NULL)
   1163 		return;
   1164 
   1165 	eapol_auth_conf_free(&eapol->conf);
   1166 	os_free(eapol->default_wep_key);
   1167 	os_free(eapol);
   1168 }
   1169