xref: /freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.c (revision a90b9d0159070121c221b966469c3e36d912bf82)
1 /*
2  * IEEE 802.1X-2004 Authenticator - EAPOL state machine
3  * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "eloop.h"
13 #include "state_machine.h"
14 #include "common/eapol_common.h"
15 #include "eap_common/eap_defs.h"
16 #include "eap_common/eap_common.h"
17 #include "eap_server/eap.h"
18 #include "eapol_auth_sm.h"
19 #include "eapol_auth_sm_i.h"
20 
21 #define STATE_MACHINE_DATA struct eapol_state_machine
22 #define STATE_MACHINE_DEBUG_PREFIX "IEEE 802.1X"
23 #define STATE_MACHINE_ADDR sm->addr
24 
25 static const struct eapol_callbacks eapol_cb;
26 
27 /* EAPOL state machines are described in IEEE Std 802.1X-2004, Chap. 8.2 */
28 
29 #define setPortAuthorized() \
30 sm->eapol->cb.set_port_authorized(sm->eapol->conf.ctx, sm->sta, 1)
31 #define setPortUnauthorized() \
32 sm->eapol->cb.set_port_authorized(sm->eapol->conf.ctx, sm->sta, 0)
33 
34 /* procedures */
35 #define txCannedFail() eapol_auth_tx_canned_eap(sm, 0)
36 #define txCannedSuccess() eapol_auth_tx_canned_eap(sm, 1)
37 #define txReq() eapol_auth_tx_req(sm)
38 #define abortAuth() sm->eapol->cb.abort_auth(sm->eapol->conf.ctx, sm->sta)
39 #define txKey() sm->eapol->cb.tx_key(sm->eapol->conf.ctx, sm->sta)
40 #define processKey() do { } while (0)
41 
42 
43 static void eapol_sm_step_run(struct eapol_state_machine *sm);
44 static void eapol_sm_step_cb(void *eloop_ctx, void *timeout_ctx);
45 static void eapol_auth_initialize(struct eapol_state_machine *sm);
46 static void eapol_auth_conf_free(struct eapol_auth_config *conf);
47 
48 
eapol_auth_logger(struct eapol_authenticator * eapol,const u8 * addr,eapol_logger_level level,const char * txt)49 static void eapol_auth_logger(struct eapol_authenticator *eapol,
50 			      const u8 *addr, eapol_logger_level level,
51 			      const char *txt)
52 {
53 	if (eapol->cb.logger == NULL)
54 		return;
55 	eapol->cb.logger(eapol->conf.ctx, addr, level, txt);
56 }
57 
58 
59 PRINTF_FORMAT(4, 5)
eapol_auth_vlogger(struct eapol_authenticator * eapol,const u8 * addr,eapol_logger_level level,const char * fmt,...)60 static void eapol_auth_vlogger(struct eapol_authenticator *eapol,
61 			       const u8 *addr, eapol_logger_level level,
62 			       const char *fmt, ...)
63 {
64 	char *format;
65 	int maxlen;
66 	va_list ap;
67 
68 	if (eapol->cb.logger == NULL)
69 		return;
70 
71 	maxlen = os_strlen(fmt) + 100;
72 	format = os_malloc(maxlen);
73 	if (!format)
74 		return;
75 
76 	va_start(ap, fmt);
77 	vsnprintf(format, maxlen, fmt, ap);
78 	va_end(ap);
79 
80 	eapol_auth_logger(eapol, addr, level, format);
81 
82 	os_free(format);
83 }
84 
85 
eapol_auth_tx_canned_eap(struct eapol_state_machine * sm,int success)86 static void eapol_auth_tx_canned_eap(struct eapol_state_machine *sm,
87 				     int success)
88 {
89 	struct eap_hdr eap;
90 
91 	os_memset(&eap, 0, sizeof(eap));
92 
93 	eap.code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
94 	eap.identifier = ++sm->last_eap_id;
95 	eap.length = host_to_be16(sizeof(eap));
96 
97 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_DEBUG,
98 			   "Sending canned EAP packet %s (identifier %d)",
99 			   success ? "SUCCESS" : "FAILURE", eap.identifier);
100 	sm->eapol->cb.eapol_send(sm->eapol->conf.ctx, sm->sta,
101 				 IEEE802_1X_TYPE_EAP_PACKET,
102 				 (u8 *) &eap, sizeof(eap));
103 	sm->dot1xAuthEapolFramesTx++;
104 }
105 
106 
eapol_auth_tx_req(struct eapol_state_machine * sm)107 static void eapol_auth_tx_req(struct eapol_state_machine *sm)
108 {
109 	if (sm->eap_if->eapReqData == NULL ||
110 	    wpabuf_len(sm->eap_if->eapReqData) < sizeof(struct eap_hdr)) {
111 		eapol_auth_logger(sm->eapol, sm->addr,
112 				  EAPOL_LOGGER_DEBUG,
113 				  "TxReq called, but there is no EAP request "
114 				  "from authentication server");
115 		return;
116 	}
117 
118 	if (sm->flags & EAPOL_SM_WAIT_START) {
119 		wpa_printf(MSG_DEBUG, "EAPOL: Drop EAPOL TX to " MACSTR
120 			   " while waiting for EAPOL-Start",
121 			   MAC2STR(sm->addr));
122 		return;
123 	}
124 
125 	sm->last_eap_id = eap_get_id(sm->eap_if->eapReqData);
126 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_DEBUG,
127 			   "Sending EAP Packet (identifier %d)",
128 			   sm->last_eap_id);
129 	sm->eapol->cb.eapol_send(sm->eapol->conf.ctx, sm->sta,
130 				 IEEE802_1X_TYPE_EAP_PACKET,
131 				 wpabuf_head(sm->eap_if->eapReqData),
132 				 wpabuf_len(sm->eap_if->eapReqData));
133 	sm->dot1xAuthEapolFramesTx++;
134 	if (eap_get_type(sm->eap_if->eapReqData) == EAP_TYPE_IDENTITY)
135 		sm->dot1xAuthEapolReqIdFramesTx++;
136 	else
137 		sm->dot1xAuthEapolReqFramesTx++;
138 }
139 
140 
141 /**
142  * eapol_port_timers_tick - Port Timers state machine
143  * @eloop_ctx: struct eapol_state_machine *
144  * @timeout_ctx: Not used
145  *
146  * This statemachine is implemented as a function that will be called
147  * once a second as a registered event loop timeout.
148  */
eapol_port_timers_tick(void * eloop_ctx,void * timeout_ctx)149 static void eapol_port_timers_tick(void *eloop_ctx, void *timeout_ctx)
150 {
151 	struct eapol_state_machine *state = timeout_ctx;
152 
153 	if (state->aWhile > 0) {
154 		state->aWhile--;
155 		if (state->aWhile == 0) {
156 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
157 				   " - aWhile --> 0",
158 				   MAC2STR(state->addr));
159 		}
160 	}
161 
162 	if (state->quietWhile > 0) {
163 		state->quietWhile--;
164 		if (state->quietWhile == 0) {
165 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
166 				   " - quietWhile --> 0",
167 				   MAC2STR(state->addr));
168 		}
169 	}
170 
171 	if (state->reAuthWhen > 0) {
172 		state->reAuthWhen--;
173 		if (state->reAuthWhen == 0) {
174 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
175 				   " - reAuthWhen --> 0",
176 				   MAC2STR(state->addr));
177 		}
178 	}
179 
180 	if (state->eap_if->retransWhile > 0) {
181 		state->eap_if->retransWhile--;
182 		if (state->eap_if->retransWhile == 0) {
183 			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
184 				   " - (EAP) retransWhile --> 0",
185 				   MAC2STR(state->addr));
186 		}
187 	}
188 
189 	eapol_sm_step_run(state);
190 
191 	eloop_register_timeout(1, 0, eapol_port_timers_tick, eloop_ctx, state);
192 }
193 
194 
195 
196 /* Authenticator PAE state machine */
197 
SM_STATE(AUTH_PAE,INITIALIZE)198 SM_STATE(AUTH_PAE, INITIALIZE)
199 {
200 	SM_ENTRY_MA(AUTH_PAE, INITIALIZE, auth_pae);
201 	sm->portMode = Auto;
202 
203 	/*
204 	 * Clearing keyRun here is not specified in IEEE Std 802.1X-2004, but
205 	 * it looks like this would be logical thing to do here since the
206 	 * EAPOL-Key exchange is not possible in this state. It is possible to
207 	 * get here on disconnection event without advancing to the
208 	 * AUTHENTICATING state to clear keyRun before the IEEE 802.11 RSN
209 	 * authenticator state machine runs and that may advance from
210 	 * AUTHENTICATION2 to INITPMK if keyRun = true has been left from the
211 	 * last association. This can be avoided by clearing keyRun here.
212 	 */
213 	sm->keyRun = false;
214 }
215 
216 
SM_STATE(AUTH_PAE,DISCONNECTED)217 SM_STATE(AUTH_PAE, DISCONNECTED)
218 {
219 	int from_initialize = sm->auth_pae_state == AUTH_PAE_INITIALIZE;
220 	bool pre_auth_logoff = sm->auth_pae_state == AUTH_PAE_ABORTING &&
221 		sm->eapolLogoff && !sm->authenticated;
222 	bool logoff = sm->eapolLogoff;
223 
224 	if (sm->eapolLogoff) {
225 		if (sm->auth_pae_state == AUTH_PAE_CONNECTING)
226 			sm->authEapLogoffsWhileConnecting++;
227 		else if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED)
228 			sm->authAuthEapLogoffWhileAuthenticated++;
229 	}
230 
231 	SM_ENTRY_MA(AUTH_PAE, DISCONNECTED, auth_pae);
232 
233 	sm->authPortStatus = Unauthorized;
234 	setPortUnauthorized();
235 	sm->reAuthCount = 0;
236 	sm->eapolLogoff = false;
237 	if (!from_initialize && !pre_auth_logoff) {
238 		if (sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0,
239 					   sm->flags & EAPOL_SM_PREAUTH,
240 					   sm->remediation, logoff)) {
241 			wpa_printf(MSG_DEBUG,
242 				   "EAPOL: Do not restart since lower layers will disconnect the port after EAPOL-Logoff");
243 			sm->stopped = true;
244 		}
245 	}
246 }
247 
248 
SM_STATE(AUTH_PAE,RESTART)249 SM_STATE(AUTH_PAE, RESTART)
250 {
251 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED) {
252 		if (sm->reAuthenticate)
253 			sm->authAuthReauthsWhileAuthenticated++;
254 		if (sm->eapolStart)
255 			sm->authAuthEapStartsWhileAuthenticated++;
256 		if (sm->eapolLogoff)
257 			sm->authAuthEapLogoffWhileAuthenticated++;
258 	}
259 
260 	SM_ENTRY_MA(AUTH_PAE, RESTART, auth_pae);
261 
262 	sm->eap_if->eapRestart = true;
263 }
264 
265 
SM_STATE(AUTH_PAE,CONNECTING)266 SM_STATE(AUTH_PAE, CONNECTING)
267 {
268 	if (sm->auth_pae_state != AUTH_PAE_CONNECTING)
269 		sm->authEntersConnecting++;
270 
271 	SM_ENTRY_MA(AUTH_PAE, CONNECTING, auth_pae);
272 
273 	sm->reAuthenticate = false;
274 	sm->reAuthCount++;
275 }
276 
277 
SM_STATE(AUTH_PAE,HELD)278 SM_STATE(AUTH_PAE, HELD)
279 {
280 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authFail)
281 		sm->authAuthFailWhileAuthenticating++;
282 
283 	SM_ENTRY_MA(AUTH_PAE, HELD, auth_pae);
284 
285 	sm->authPortStatus = Unauthorized;
286 	setPortUnauthorized();
287 	sm->quietWhile = sm->quietPeriod;
288 	sm->eapolLogoff = false;
289 
290 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_WARNING,
291 			   "authentication failed - EAP type: %d (%s)",
292 			   sm->eap_type_authsrv,
293 			   eap_server_get_name(0, sm->eap_type_authsrv));
294 	if (sm->eap_type_authsrv != sm->eap_type_supp) {
295 		eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO,
296 				   "Supplicant used different EAP type: "
297 				   "%d (%s)", sm->eap_type_supp,
298 				   eap_server_get_name(0, sm->eap_type_supp));
299 	}
300 	sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0,
301 			       sm->flags & EAPOL_SM_PREAUTH, sm->remediation,
302 			       false);
303 }
304 
305 
SM_STATE(AUTH_PAE,AUTHENTICATED)306 SM_STATE(AUTH_PAE, AUTHENTICATED)
307 {
308 	char *extra = "";
309 
310 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authSuccess)
311 		sm->authAuthSuccessesWhileAuthenticating++;
312 
313 	SM_ENTRY_MA(AUTH_PAE, AUTHENTICATED, auth_pae);
314 
315 	sm->authPortStatus = Authorized;
316 	setPortAuthorized();
317 	sm->reAuthCount = 0;
318 	if (sm->flags & EAPOL_SM_PREAUTH)
319 		extra = " (pre-authentication)";
320 	else if (sm->flags & EAPOL_SM_FROM_PMKSA_CACHE)
321 		extra = " (PMKSA cache)";
322 	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO,
323 			   "authenticated - EAP type: %d (%s)%s",
324 			   sm->eap_type_authsrv,
325 			   eap_server_get_name(0, sm->eap_type_authsrv),
326 			   extra);
327 	if (sm->authSuccess)
328 		sm->authenticated++;
329 	sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 1,
330 			       sm->flags & EAPOL_SM_PREAUTH, sm->remediation,
331 			       false);
332 }
333 
334 
SM_STATE(AUTH_PAE,AUTHENTICATING)335 SM_STATE(AUTH_PAE, AUTHENTICATING)
336 {
337 	SM_ENTRY_MA(AUTH_PAE, AUTHENTICATING, auth_pae);
338 
339 	sm->eapolStart = false;
340 	sm->authSuccess = false;
341 	sm->authFail = false;
342 	sm->authTimeout = false;
343 	sm->authStart = true;
344 	sm->keyRun = false;
345 	sm->keyDone = false;
346 }
347 
348 
SM_STATE(AUTH_PAE,ABORTING)349 SM_STATE(AUTH_PAE, ABORTING)
350 {
351 	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING) {
352 		if (sm->authTimeout)
353 			sm->authAuthTimeoutsWhileAuthenticating++;
354 		if (sm->eapolStart)
355 			sm->authAuthEapStartsWhileAuthenticating++;
356 		if (sm->eapolLogoff)
357 			sm->authAuthEapLogoffWhileAuthenticating++;
358 	}
359 
360 	SM_ENTRY_MA(AUTH_PAE, ABORTING, auth_pae);
361 
362 	sm->authAbort = true;
363 	sm->keyRun = false;
364 	sm->keyDone = false;
365 }
366 
367 
SM_STATE(AUTH_PAE,FORCE_AUTH)368 SM_STATE(AUTH_PAE, FORCE_AUTH)
369 {
370 	SM_ENTRY_MA(AUTH_PAE, FORCE_AUTH, auth_pae);
371 
372 	sm->authPortStatus = Authorized;
373 	setPortAuthorized();
374 	sm->portMode = ForceAuthorized;
375 	sm->eapolStart = false;
376 	txCannedSuccess();
377 }
378 
379 
SM_STATE(AUTH_PAE,FORCE_UNAUTH)380 SM_STATE(AUTH_PAE, FORCE_UNAUTH)
381 {
382 	SM_ENTRY_MA(AUTH_PAE, FORCE_UNAUTH, auth_pae);
383 
384 	sm->authPortStatus = Unauthorized;
385 	setPortUnauthorized();
386 	sm->portMode = ForceUnauthorized;
387 	sm->eapolStart = false;
388 	txCannedFail();
389 }
390 
391 
SM_STEP(AUTH_PAE)392 SM_STEP(AUTH_PAE)
393 {
394 	if ((sm->portControl == Auto && sm->portMode != sm->portControl) ||
395 	    sm->initialize || !sm->eap_if->portEnabled)
396 		SM_ENTER_GLOBAL(AUTH_PAE, INITIALIZE);
397 	else if (sm->portControl == ForceAuthorized &&
398 		 sm->portMode != sm->portControl &&
399 		 !(sm->initialize || !sm->eap_if->portEnabled))
400 		SM_ENTER_GLOBAL(AUTH_PAE, FORCE_AUTH);
401 	else if (sm->portControl == ForceUnauthorized &&
402 		 sm->portMode != sm->portControl &&
403 		 !(sm->initialize || !sm->eap_if->portEnabled))
404 		SM_ENTER_GLOBAL(AUTH_PAE, FORCE_UNAUTH);
405 	else {
406 		switch (sm->auth_pae_state) {
407 		case AUTH_PAE_INITIALIZE:
408 			SM_ENTER(AUTH_PAE, DISCONNECTED);
409 			break;
410 		case AUTH_PAE_DISCONNECTED:
411 			if (!sm->stopped)
412 				SM_ENTER(AUTH_PAE, RESTART);
413 			break;
414 		case AUTH_PAE_RESTART:
415 			if (!sm->eap_if->eapRestart)
416 				SM_ENTER(AUTH_PAE, CONNECTING);
417 			break;
418 		case AUTH_PAE_HELD:
419 			if (sm->quietWhile == 0)
420 				SM_ENTER(AUTH_PAE, RESTART);
421 			break;
422 		case AUTH_PAE_CONNECTING:
423 			if (sm->eapolLogoff || sm->reAuthCount > sm->reAuthMax)
424 				SM_ENTER(AUTH_PAE, DISCONNECTED);
425 			else if ((sm->eap_if->eapReq &&
426 				  sm->reAuthCount <= sm->reAuthMax) ||
427 				 sm->eap_if->eapSuccess || sm->eap_if->eapFail)
428 				SM_ENTER(AUTH_PAE, AUTHENTICATING);
429 			break;
430 		case AUTH_PAE_AUTHENTICATED:
431 			if (sm->eapolStart || sm->reAuthenticate)
432 				SM_ENTER(AUTH_PAE, RESTART);
433 			else if (sm->eapolLogoff || !sm->portValid)
434 				SM_ENTER(AUTH_PAE, DISCONNECTED);
435 			break;
436 		case AUTH_PAE_AUTHENTICATING:
437 			if (sm->authSuccess && sm->portValid)
438 				SM_ENTER(AUTH_PAE, AUTHENTICATED);
439 			else if (sm->authFail ||
440 				 (sm->keyDone && !sm->portValid))
441 				SM_ENTER(AUTH_PAE, HELD);
442 			else if (sm->eapolStart || sm->eapolLogoff ||
443 				 sm->authTimeout)
444 				SM_ENTER(AUTH_PAE, ABORTING);
445 			break;
446 		case AUTH_PAE_ABORTING:
447 			if (sm->eapolLogoff && !sm->authAbort)
448 				SM_ENTER(AUTH_PAE, DISCONNECTED);
449 			else if (!sm->eapolLogoff && !sm->authAbort)
450 				SM_ENTER(AUTH_PAE, RESTART);
451 			break;
452 		case AUTH_PAE_FORCE_AUTH:
453 			if (sm->eapolStart)
454 				SM_ENTER(AUTH_PAE, FORCE_AUTH);
455 			break;
456 		case AUTH_PAE_FORCE_UNAUTH:
457 			if (sm->eapolStart)
458 				SM_ENTER(AUTH_PAE, FORCE_UNAUTH);
459 			break;
460 		}
461 	}
462 }
463 
464 
465 
466 /* Backend Authentication state machine */
467 
SM_STATE(BE_AUTH,INITIALIZE)468 SM_STATE(BE_AUTH, INITIALIZE)
469 {
470 	SM_ENTRY_MA(BE_AUTH, INITIALIZE, be_auth);
471 
472 	abortAuth();
473 	sm->eap_if->eapNoReq = false;
474 	sm->authAbort = false;
475 }
476 
477 
SM_STATE(BE_AUTH,REQUEST)478 SM_STATE(BE_AUTH, REQUEST)
479 {
480 	SM_ENTRY_MA(BE_AUTH, REQUEST, be_auth);
481 
482 	txReq();
483 	sm->eap_if->eapReq = false;
484 	sm->backendOtherRequestsToSupplicant++;
485 
486 	/*
487 	 * Clearing eapolEap here is not specified in IEEE Std 802.1X-2004, but
488 	 * it looks like this would be logical thing to do there since the old
489 	 * EAP response would not be valid anymore after the new EAP request
490 	 * was sent out.
491 	 *
492 	 * A race condition has been reported, in which hostapd ended up
493 	 * sending out EAP-Response/Identity as a response to the first
494 	 * EAP-Request from the main EAP method. This can be avoided by
495 	 * clearing eapolEap here.
496 	 */
497 	sm->eapolEap = false;
498 }
499 
500 
SM_STATE(BE_AUTH,RESPONSE)501 SM_STATE(BE_AUTH, RESPONSE)
502 {
503 	SM_ENTRY_MA(BE_AUTH, RESPONSE, be_auth);
504 
505 	sm->authTimeout = false;
506 	sm->eapolEap = false;
507 	sm->eap_if->eapNoReq = false;
508 	sm->aWhile = sm->serverTimeout;
509 	sm->eap_if->eapResp = true;
510 	/* sendRespToServer(); */
511 	sm->backendResponses++;
512 }
513 
514 
SM_STATE(BE_AUTH,SUCCESS)515 SM_STATE(BE_AUTH, SUCCESS)
516 {
517 	SM_ENTRY_MA(BE_AUTH, SUCCESS, be_auth);
518 
519 	txReq();
520 	sm->authSuccess = true;
521 	sm->keyRun = true;
522 }
523 
524 
SM_STATE(BE_AUTH,FAIL)525 SM_STATE(BE_AUTH, FAIL)
526 {
527 	SM_ENTRY_MA(BE_AUTH, FAIL, be_auth);
528 
529 	txReq();
530 	sm->authFail = true;
531 }
532 
533 
SM_STATE(BE_AUTH,TIMEOUT)534 SM_STATE(BE_AUTH, TIMEOUT)
535 {
536 	SM_ENTRY_MA(BE_AUTH, TIMEOUT, be_auth);
537 
538 	sm->authTimeout = true;
539 }
540 
541 
SM_STATE(BE_AUTH,IDLE)542 SM_STATE(BE_AUTH, IDLE)
543 {
544 	SM_ENTRY_MA(BE_AUTH, IDLE, be_auth);
545 
546 	sm->authStart = false;
547 }
548 
549 
SM_STATE(BE_AUTH,IGNORE)550 SM_STATE(BE_AUTH, IGNORE)
551 {
552 	SM_ENTRY_MA(BE_AUTH, IGNORE, be_auth);
553 
554 	sm->eap_if->eapNoReq = false;
555 }
556 
557 
SM_STEP(BE_AUTH)558 SM_STEP(BE_AUTH)
559 {
560 	if (sm->portControl != Auto || sm->initialize || sm->authAbort) {
561 		SM_ENTER_GLOBAL(BE_AUTH, INITIALIZE);
562 		return;
563 	}
564 
565 	switch (sm->be_auth_state) {
566 	case BE_AUTH_INITIALIZE:
567 		SM_ENTER(BE_AUTH, IDLE);
568 		break;
569 	case BE_AUTH_REQUEST:
570 		if (sm->eapolEap)
571 			SM_ENTER(BE_AUTH, RESPONSE);
572 		else if (sm->eap_if->eapReq)
573 			SM_ENTER(BE_AUTH, REQUEST);
574 		else if (sm->eap_if->eapTimeout)
575 			SM_ENTER(BE_AUTH, TIMEOUT);
576 		break;
577 	case BE_AUTH_RESPONSE:
578 		if (sm->eap_if->eapNoReq)
579 			SM_ENTER(BE_AUTH, IGNORE);
580 		if (sm->eap_if->eapReq) {
581 			sm->backendAccessChallenges++;
582 			SM_ENTER(BE_AUTH, REQUEST);
583 		} else if (sm->aWhile == 0)
584 			SM_ENTER(BE_AUTH, TIMEOUT);
585 		else if (sm->eap_if->eapFail) {
586 			sm->backendAuthFails++;
587 			SM_ENTER(BE_AUTH, FAIL);
588 		} else if (sm->eap_if->eapSuccess) {
589 			sm->backendAuthSuccesses++;
590 			SM_ENTER(BE_AUTH, SUCCESS);
591 		}
592 		break;
593 	case BE_AUTH_SUCCESS:
594 		SM_ENTER(BE_AUTH, IDLE);
595 		break;
596 	case BE_AUTH_FAIL:
597 		SM_ENTER(BE_AUTH, IDLE);
598 		break;
599 	case BE_AUTH_TIMEOUT:
600 		SM_ENTER(BE_AUTH, IDLE);
601 		break;
602 	case BE_AUTH_IDLE:
603 		if (sm->eap_if->eapFail && sm->authStart)
604 			SM_ENTER(BE_AUTH, FAIL);
605 		else if (sm->eap_if->eapReq && sm->authStart)
606 			SM_ENTER(BE_AUTH, REQUEST);
607 		else if (sm->eap_if->eapSuccess && sm->authStart)
608 			SM_ENTER(BE_AUTH, SUCCESS);
609 		break;
610 	case BE_AUTH_IGNORE:
611 		if (sm->eapolEap)
612 			SM_ENTER(BE_AUTH, RESPONSE);
613 		else if (sm->eap_if->eapReq)
614 			SM_ENTER(BE_AUTH, REQUEST);
615 		else if (sm->eap_if->eapTimeout)
616 			SM_ENTER(BE_AUTH, TIMEOUT);
617 		break;
618 	}
619 }
620 
621 
622 
623 /* Reauthentication Timer state machine */
624 
SM_STATE(REAUTH_TIMER,INITIALIZE)625 SM_STATE(REAUTH_TIMER, INITIALIZE)
626 {
627 	SM_ENTRY_MA(REAUTH_TIMER, INITIALIZE, reauth_timer);
628 
629 	sm->reAuthWhen = sm->reAuthPeriod;
630 }
631 
632 
SM_STATE(REAUTH_TIMER,REAUTHENTICATE)633 SM_STATE(REAUTH_TIMER, REAUTHENTICATE)
634 {
635 	SM_ENTRY_MA(REAUTH_TIMER, REAUTHENTICATE, reauth_timer);
636 
637 	sm->reAuthenticate = true;
638 	sm->eapol->cb.eapol_event(sm->eapol->conf.ctx, sm->sta,
639 				  EAPOL_AUTH_REAUTHENTICATE);
640 }
641 
642 
SM_STEP(REAUTH_TIMER)643 SM_STEP(REAUTH_TIMER)
644 {
645 	if (sm->portControl != Auto || sm->initialize ||
646 	    sm->authPortStatus == Unauthorized || !sm->reAuthEnabled) {
647 		SM_ENTER_GLOBAL(REAUTH_TIMER, INITIALIZE);
648 		return;
649 	}
650 
651 	switch (sm->reauth_timer_state) {
652 	case REAUTH_TIMER_INITIALIZE:
653 		if (sm->reAuthWhen == 0)
654 			SM_ENTER(REAUTH_TIMER, REAUTHENTICATE);
655 		break;
656 	case REAUTH_TIMER_REAUTHENTICATE:
657 		SM_ENTER(REAUTH_TIMER, INITIALIZE);
658 		break;
659 	}
660 }
661 
662 
663 
664 #ifdef CONFIG_WEP
665 
666 /* Authenticator Key Transmit state machine */
667 
SM_STATE(AUTH_KEY_TX,NO_KEY_TRANSMIT)668 SM_STATE(AUTH_KEY_TX, NO_KEY_TRANSMIT)
669 {
670 	SM_ENTRY_MA(AUTH_KEY_TX, NO_KEY_TRANSMIT, auth_key_tx);
671 }
672 
673 
SM_STATE(AUTH_KEY_TX,KEY_TRANSMIT)674 SM_STATE(AUTH_KEY_TX, KEY_TRANSMIT)
675 {
676 	SM_ENTRY_MA(AUTH_KEY_TX, KEY_TRANSMIT, auth_key_tx);
677 
678 	txKey();
679 	sm->eap_if->eapKeyAvailable = false;
680 	sm->keyDone = true;
681 }
682 
683 
SM_STEP(AUTH_KEY_TX)684 SM_STEP(AUTH_KEY_TX)
685 {
686 	if (sm->initialize || sm->portControl != Auto) {
687 		SM_ENTER_GLOBAL(AUTH_KEY_TX, NO_KEY_TRANSMIT);
688 		return;
689 	}
690 
691 	switch (sm->auth_key_tx_state) {
692 	case AUTH_KEY_TX_NO_KEY_TRANSMIT:
693 		if (sm->keyTxEnabled && sm->eap_if->eapKeyAvailable &&
694 		    sm->keyRun && !(sm->flags & EAPOL_SM_USES_WPA))
695 			SM_ENTER(AUTH_KEY_TX, KEY_TRANSMIT);
696 		break;
697 	case AUTH_KEY_TX_KEY_TRANSMIT:
698 		if (!sm->keyTxEnabled || !sm->keyRun)
699 			SM_ENTER(AUTH_KEY_TX, NO_KEY_TRANSMIT);
700 		else if (sm->eap_if->eapKeyAvailable)
701 			SM_ENTER(AUTH_KEY_TX, KEY_TRANSMIT);
702 		break;
703 	}
704 }
705 
706 
707 
708 /* Key Receive state machine */
709 
SM_STATE(KEY_RX,NO_KEY_RECEIVE)710 SM_STATE(KEY_RX, NO_KEY_RECEIVE)
711 {
712 	SM_ENTRY_MA(KEY_RX, NO_KEY_RECEIVE, key_rx);
713 }
714 
715 
SM_STATE(KEY_RX,KEY_RECEIVE)716 SM_STATE(KEY_RX, KEY_RECEIVE)
717 {
718 	SM_ENTRY_MA(KEY_RX, KEY_RECEIVE, key_rx);
719 
720 	processKey();
721 	sm->rxKey = false;
722 }
723 
724 
SM_STEP(KEY_RX)725 SM_STEP(KEY_RX)
726 {
727 	if (sm->initialize || !sm->eap_if->portEnabled) {
728 		SM_ENTER_GLOBAL(KEY_RX, NO_KEY_RECEIVE);
729 		return;
730 	}
731 
732 	switch (sm->key_rx_state) {
733 	case KEY_RX_NO_KEY_RECEIVE:
734 		if (sm->rxKey)
735 			SM_ENTER(KEY_RX, KEY_RECEIVE);
736 		break;
737 	case KEY_RX_KEY_RECEIVE:
738 		if (sm->rxKey)
739 			SM_ENTER(KEY_RX, KEY_RECEIVE);
740 		break;
741 	}
742 }
743 
744 #endif /* CONFIG_WEP */
745 
746 
747 
748 /* Controlled Directions state machine */
749 
SM_STATE(CTRL_DIR,FORCE_BOTH)750 SM_STATE(CTRL_DIR, FORCE_BOTH)
751 {
752 	SM_ENTRY_MA(CTRL_DIR, FORCE_BOTH, ctrl_dir);
753 	sm->operControlledDirections = Both;
754 }
755 
756 
SM_STATE(CTRL_DIR,IN_OR_BOTH)757 SM_STATE(CTRL_DIR, IN_OR_BOTH)
758 {
759 	SM_ENTRY_MA(CTRL_DIR, IN_OR_BOTH, ctrl_dir);
760 	sm->operControlledDirections = sm->adminControlledDirections;
761 }
762 
763 
SM_STEP(CTRL_DIR)764 SM_STEP(CTRL_DIR)
765 {
766 	if (sm->initialize) {
767 		SM_ENTER_GLOBAL(CTRL_DIR, IN_OR_BOTH);
768 		return;
769 	}
770 
771 	switch (sm->ctrl_dir_state) {
772 	case CTRL_DIR_FORCE_BOTH:
773 		if (sm->eap_if->portEnabled && sm->operEdge)
774 			SM_ENTER(CTRL_DIR, IN_OR_BOTH);
775 		break;
776 	case CTRL_DIR_IN_OR_BOTH:
777 		if (sm->operControlledDirections !=
778 		    sm->adminControlledDirections)
779 			SM_ENTER(CTRL_DIR, IN_OR_BOTH);
780 		if (!sm->eap_if->portEnabled || !sm->operEdge)
781 			SM_ENTER(CTRL_DIR, FORCE_BOTH);
782 		break;
783 	}
784 }
785 
786 
787 
788 struct eapol_state_machine *
eapol_auth_alloc(struct eapol_authenticator * eapol,const u8 * addr,int flags,const struct wpabuf * assoc_wps_ie,const struct wpabuf * assoc_p2p_ie,void * sta_ctx,const char * identity,const char * radius_cui)789 eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
790 		 int flags, const struct wpabuf *assoc_wps_ie,
791 		 const struct wpabuf *assoc_p2p_ie, void *sta_ctx,
792 		 const char *identity, const char *radius_cui)
793 {
794 	struct eapol_state_machine *sm;
795 	struct eap_session_data eap_sess;
796 
797 	if (eapol == NULL)
798 		return NULL;
799 
800 	sm = os_zalloc(sizeof(*sm));
801 	if (sm == NULL) {
802 		wpa_printf(MSG_DEBUG, "IEEE 802.1X state machine allocation "
803 			   "failed");
804 		return NULL;
805 	}
806 	sm->radius_identifier = -1;
807 	os_memcpy(sm->addr, addr, ETH_ALEN);
808 	sm->flags = flags;
809 
810 	sm->eapol = eapol;
811 	sm->sta = sta_ctx;
812 
813 	/* Set default values for state machine constants */
814 	sm->auth_pae_state = AUTH_PAE_INITIALIZE;
815 	sm->quietPeriod = AUTH_PAE_DEFAULT_quietPeriod;
816 	sm->reAuthMax = AUTH_PAE_DEFAULT_reAuthMax;
817 
818 	sm->be_auth_state = BE_AUTH_INITIALIZE;
819 	sm->serverTimeout = BE_AUTH_DEFAULT_serverTimeout;
820 
821 	sm->reauth_timer_state = REAUTH_TIMER_INITIALIZE;
822 	sm->reAuthPeriod = eapol->conf.eap_reauth_period;
823 	sm->reAuthEnabled = eapol->conf.eap_reauth_period > 0;
824 
825 	sm->auth_key_tx_state = AUTH_KEY_TX_NO_KEY_TRANSMIT;
826 
827 	sm->key_rx_state = KEY_RX_NO_KEY_RECEIVE;
828 
829 	sm->ctrl_dir_state = CTRL_DIR_IN_OR_BOTH;
830 
831 	sm->portControl = Auto;
832 
833 #ifdef CONFIG_WEP
834 	if (!eapol->conf.wpa &&
835 	    (eapol->default_wep_key || eapol->conf.individual_wep_key_len > 0))
836 		sm->keyTxEnabled = true;
837 	else
838 #endif /* CONFIG_WEP */
839 		sm->keyTxEnabled = false;
840 	if (eapol->conf.wpa)
841 		sm->portValid = false;
842 	else
843 		sm->portValid = true;
844 
845 	os_memset(&eap_sess, 0, sizeof(eap_sess));
846 	eap_sess.assoc_wps_ie = assoc_wps_ie;
847 	eap_sess.assoc_p2p_ie = assoc_p2p_ie;
848 	eap_sess.peer_addr = addr;
849 	sm->eap = eap_server_sm_init(sm, &eapol_cb, eapol->conf.eap_cfg,
850 				     &eap_sess);
851 	if (sm->eap == NULL) {
852 		eapol_auth_free(sm);
853 		return NULL;
854 	}
855 	sm->eap_if = eap_get_interface(sm->eap);
856 
857 	eapol_auth_initialize(sm);
858 
859 	if (identity) {
860 		sm->identity = (u8 *) os_strdup(identity);
861 		if (sm->identity)
862 			sm->identity_len = os_strlen(identity);
863 	}
864 	if (radius_cui)
865 		sm->radius_cui = wpabuf_alloc_copy(radius_cui,
866 						   os_strlen(radius_cui));
867 
868 #ifndef CONFIG_NO_RADIUS
869 	if (radius_gen_session_id((u8 *) &sm->acct_multi_session_id,
870 				  sizeof(sm->acct_multi_session_id)) < 0) {
871 		eapol_auth_free(sm);
872 		return NULL;
873 	}
874 #endif /* CONFIG_NO_RADIUS */
875 
876 	return sm;
877 }
878 
879 
eapol_auth_free(struct eapol_state_machine * sm)880 void eapol_auth_free(struct eapol_state_machine *sm)
881 {
882 	if (sm == NULL)
883 		return;
884 
885 	eloop_cancel_timeout(eapol_port_timers_tick, NULL, sm);
886 	eloop_cancel_timeout(eapol_sm_step_cb, sm, NULL);
887 	if (sm->eap)
888 		eap_server_sm_deinit(sm->eap);
889 
890 	wpabuf_free(sm->radius_cui);
891 	os_free(sm->identity);
892 	os_free(sm);
893 }
894 
895 
eapol_sm_sta_entry_alive(struct eapol_authenticator * eapol,const u8 * addr)896 static int eapol_sm_sta_entry_alive(struct eapol_authenticator *eapol,
897 				    const u8 *addr)
898 {
899 	return eapol->cb.sta_entry_alive(eapol->conf.ctx, addr);
900 }
901 
902 
eapol_sm_step_run(struct eapol_state_machine * sm)903 static void eapol_sm_step_run(struct eapol_state_machine *sm)
904 {
905 	struct eapol_authenticator *eapol = sm->eapol;
906 	u8 addr[ETH_ALEN];
907 	unsigned int prev_auth_pae, prev_be_auth, prev_reauth_timer,
908 		prev_auth_key_tx, prev_key_rx, prev_ctrl_dir;
909 	int max_steps = 100;
910 
911 	os_memcpy(addr, sm->addr, ETH_ALEN);
912 
913 	/*
914 	 * Allow EAPOL state machines to run as long as there are state
915 	 * changes, but exit and return here through event loop if more than
916 	 * 100 steps is needed as a precaution against infinite loops inside
917 	 * eloop callback.
918 	 */
919 restart:
920 	prev_auth_pae = sm->auth_pae_state;
921 	prev_be_auth = sm->be_auth_state;
922 	prev_reauth_timer = sm->reauth_timer_state;
923 	prev_auth_key_tx = sm->auth_key_tx_state;
924 	prev_key_rx = sm->key_rx_state;
925 	prev_ctrl_dir = sm->ctrl_dir_state;
926 
927 	SM_STEP_RUN(AUTH_PAE);
928 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
929 		SM_STEP_RUN(BE_AUTH);
930 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
931 		SM_STEP_RUN(REAUTH_TIMER);
932 #ifdef CONFIG_WEP
933 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
934 		SM_STEP_RUN(AUTH_KEY_TX);
935 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
936 		SM_STEP_RUN(KEY_RX);
937 #endif /* CONFIG_WEP */
938 	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
939 		SM_STEP_RUN(CTRL_DIR);
940 
941 	if (prev_auth_pae != sm->auth_pae_state ||
942 	    prev_be_auth != sm->be_auth_state ||
943 	    prev_reauth_timer != sm->reauth_timer_state ||
944 	    prev_auth_key_tx != sm->auth_key_tx_state ||
945 	    prev_key_rx != sm->key_rx_state ||
946 	    prev_ctrl_dir != sm->ctrl_dir_state) {
947 		if (--max_steps > 0)
948 			goto restart;
949 		/* Re-run from eloop timeout */
950 		eapol_auth_step(sm);
951 		return;
952 	}
953 
954 	if (eapol_sm_sta_entry_alive(eapol, addr) && sm->eap) {
955 		if (eap_server_sm_step(sm->eap)) {
956 			if (--max_steps > 0)
957 				goto restart;
958 			/* Re-run from eloop timeout */
959 			eapol_auth_step(sm);
960 			return;
961 		}
962 
963 		/* TODO: find a better location for this */
964 		if (sm->eap_if->aaaEapResp) {
965 			sm->eap_if->aaaEapResp = false;
966 			if (sm->eap_if->aaaEapRespData == NULL) {
967 				wpa_printf(MSG_DEBUG, "EAPOL: aaaEapResp set, "
968 					   "but no aaaEapRespData available");
969 				return;
970 			}
971 			sm->eapol->cb.aaa_send(
972 				sm->eapol->conf.ctx, sm->sta,
973 				wpabuf_head(sm->eap_if->aaaEapRespData),
974 				wpabuf_len(sm->eap_if->aaaEapRespData));
975 		}
976 	}
977 
978 	if (eapol_sm_sta_entry_alive(eapol, addr))
979 		sm->eapol->cb.eapol_event(sm->eapol->conf.ctx, sm->sta,
980 					  EAPOL_AUTH_SM_CHANGE);
981 }
982 
983 
eapol_sm_step_cb(void * eloop_ctx,void * timeout_ctx)984 static void eapol_sm_step_cb(void *eloop_ctx, void *timeout_ctx)
985 {
986 	struct eapol_state_machine *sm = eloop_ctx;
987 	eapol_sm_step_run(sm);
988 }
989 
990 
991 /**
992  * eapol_auth_step - Advance EAPOL state machines
993  * @sm: EAPOL state machine
994  *
995  * This function is called to advance EAPOL state machines after any change
996  * that could affect their state.
997  */
eapol_auth_step(struct eapol_state_machine * sm)998 void eapol_auth_step(struct eapol_state_machine *sm)
999 {
1000 	/*
1001 	 * Run eapol_sm_step_run from a registered timeout to make sure that
1002 	 * other possible timeouts/events are processed and to avoid long
1003 	 * function call chains.
1004 	 */
1005 
1006 	eloop_register_timeout(0, 0, eapol_sm_step_cb, sm, NULL);
1007 }
1008 
1009 
eapol_auth_initialize(struct eapol_state_machine * sm)1010 static void eapol_auth_initialize(struct eapol_state_machine *sm)
1011 {
1012 	sm->initializing = true;
1013 	/* Initialize the state machines by asserting initialize and then
1014 	 * deasserting it after one step */
1015 	sm->initialize = true;
1016 	eapol_sm_step_run(sm);
1017 	sm->initialize = false;
1018 	eapol_sm_step_run(sm);
1019 	sm->initializing = false;
1020 
1021 	/* Start one second tick for port timers state machine */
1022 	eloop_cancel_timeout(eapol_port_timers_tick, NULL, sm);
1023 	eloop_register_timeout(1, 0, eapol_port_timers_tick, NULL, sm);
1024 }
1025 
1026 
eapol_sm_get_eap_user(void * ctx,const u8 * identity,size_t identity_len,int phase2,struct eap_user * user)1027 static int eapol_sm_get_eap_user(void *ctx, const u8 *identity,
1028 				 size_t identity_len, int phase2,
1029 				 struct eap_user *user)
1030 {
1031 	struct eapol_state_machine *sm = ctx;
1032 	int ret;
1033 
1034 	ret = sm->eapol->cb.get_eap_user(sm->eapol->conf.ctx, identity,
1035 					 identity_len, phase2, user);
1036 	if (user->remediation)
1037 		sm->remediation = 1;
1038 	return ret;
1039 }
1040 
1041 
eapol_sm_get_eap_req_id_text(void * ctx,size_t * len)1042 static const char * eapol_sm_get_eap_req_id_text(void *ctx, size_t *len)
1043 {
1044 	struct eapol_state_machine *sm = ctx;
1045 	*len = sm->eapol->conf.eap_req_id_text_len;
1046 	return sm->eapol->conf.eap_req_id_text;
1047 }
1048 
1049 
eapol_sm_get_erp_send_reauth_start(void * ctx)1050 static int eapol_sm_get_erp_send_reauth_start(void *ctx)
1051 {
1052 	struct eapol_state_machine *sm = ctx;
1053 	return sm->eapol->conf.erp_send_reauth_start;
1054 }
1055 
1056 
eapol_sm_get_erp_domain(void * ctx)1057 static const char * eapol_sm_get_erp_domain(void *ctx)
1058 {
1059 	struct eapol_state_machine *sm = ctx;
1060 	return sm->eapol->conf.erp_domain;
1061 }
1062 
1063 
eapol_sm_erp_get_key(void * ctx,const char * keyname)1064 static struct eap_server_erp_key * eapol_sm_erp_get_key(void *ctx,
1065 							const char *keyname)
1066 {
1067 	struct eapol_state_machine *sm = ctx;
1068 	return sm->eapol->cb.erp_get_key(sm->eapol->conf.ctx, keyname);
1069 }
1070 
1071 
eapol_sm_erp_add_key(void * ctx,struct eap_server_erp_key * erp)1072 static int eapol_sm_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
1073 {
1074 	struct eapol_state_machine *sm = ctx;
1075 	return sm->eapol->cb.erp_add_key(sm->eapol->conf.ctx, erp);
1076 }
1077 
1078 
1079 static const struct eapol_callbacks eapol_cb =
1080 {
1081 	eapol_sm_get_eap_user,
1082 	eapol_sm_get_eap_req_id_text,
1083 	NULL,
1084 	eapol_sm_get_erp_send_reauth_start,
1085 	eapol_sm_get_erp_domain,
1086 	eapol_sm_erp_get_key,
1087 	eapol_sm_erp_add_key,
1088 };
1089 
1090 
eapol_auth_eap_pending_cb(struct eapol_state_machine * sm,void * ctx)1091 int eapol_auth_eap_pending_cb(struct eapol_state_machine *sm, void *ctx)
1092 {
1093 	if (sm == NULL || ctx == NULL || ctx != sm->eap)
1094 		return -1;
1095 
1096 	eap_sm_pending_cb(sm->eap);
1097 	eapol_auth_step(sm);
1098 
1099 	return 0;
1100 }
1101 
1102 
eapol_auth_reauthenticate(struct eapol_state_machine * sm)1103 void eapol_auth_reauthenticate(struct eapol_state_machine *sm)
1104 {
1105 	wpa_printf(MSG_DEBUG, "EAPOL: External reauthentication trigger for "
1106 		   MACSTR, MAC2STR(sm->addr));
1107 	sm->reAuthenticate = true;
1108 	eapol_auth_step(sm);
1109 }
1110 
1111 
eapol_auth_set_conf(struct eapol_state_machine * sm,const char * param,const char * value)1112 int eapol_auth_set_conf(struct eapol_state_machine *sm, const char *param,
1113 			const char *value)
1114 {
1115 	wpa_printf(MSG_DEBUG, "EAPOL: External configuration operation for "
1116 		   MACSTR " - param=%s value=%s",
1117 		   MAC2STR(sm->addr), param, value);
1118 
1119 	if (os_strcasecmp(param, "AdminControlledDirections") == 0) {
1120 		if (os_strcmp(value, "Both") == 0)
1121 			sm->adminControlledDirections = Both;
1122 		else if (os_strcmp(value, "In") == 0)
1123 			sm->adminControlledDirections = In;
1124 		else
1125 			return -1;
1126 		eapol_auth_step(sm);
1127 		return 0;
1128 	}
1129 
1130 	if (os_strcasecmp(param, "AdminControlledPortControl") == 0) {
1131 		if (os_strcmp(value, "ForceAuthorized") == 0)
1132 			sm->portControl = ForceAuthorized;
1133 		else if (os_strcmp(value, "ForceUnauthorized") == 0)
1134 			sm->portControl = ForceUnauthorized;
1135 		else if (os_strcmp(value, "Auto") == 0)
1136 			sm->portControl = Auto;
1137 		else
1138 			return -1;
1139 		eapol_auth_step(sm);
1140 		return 0;
1141 	}
1142 
1143 	if (os_strcasecmp(param, "quietPeriod") == 0) {
1144 		sm->quietPeriod = atoi(value);
1145 		return 0;
1146 	}
1147 
1148 	if (os_strcasecmp(param, "serverTimeout") == 0) {
1149 		sm->serverTimeout = atoi(value);
1150 		return 0;
1151 	}
1152 
1153 	if (os_strcasecmp(param, "reAuthPeriod") == 0) {
1154 		sm->reAuthPeriod = atoi(value);
1155 		return 0;
1156 	}
1157 
1158 	if (os_strcasecmp(param, "reAuthEnabled") == 0) {
1159 		if (os_strcmp(value, "TRUE") == 0)
1160 			sm->reAuthEnabled = true;
1161 		else if (os_strcmp(value, "FALSE") == 0)
1162 			sm->reAuthEnabled = false;
1163 		else
1164 			return -1;
1165 		eapol_auth_step(sm);
1166 		return 0;
1167 	}
1168 
1169 	if (os_strcasecmp(param, "KeyTransmissionEnabled") == 0) {
1170 		if (os_strcmp(value, "TRUE") == 0)
1171 			sm->keyTxEnabled = true;
1172 		else if (os_strcmp(value, "FALSE") == 0)
1173 			sm->keyTxEnabled = false;
1174 		else
1175 			return -1;
1176 		eapol_auth_step(sm);
1177 		return 0;
1178 	}
1179 
1180 	return -1;
1181 }
1182 
1183 
eapol_auth_conf_clone(struct eapol_auth_config * dst,struct eapol_auth_config * src)1184 static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
1185 				 struct eapol_auth_config *src)
1186 {
1187 	dst->eap_cfg = src->eap_cfg;
1188 	dst->ctx = src->ctx;
1189 	dst->eap_reauth_period = src->eap_reauth_period;
1190 	dst->wpa = src->wpa;
1191 #ifdef CONFIG_WEP
1192 	dst->individual_wep_key_len = src->individual_wep_key_len;
1193 #endif /* CONFIG_WEP */
1194 	os_free(dst->eap_req_id_text);
1195 	if (src->eap_req_id_text) {
1196 		dst->eap_req_id_text = os_memdup(src->eap_req_id_text,
1197 						 src->eap_req_id_text_len);
1198 		if (dst->eap_req_id_text == NULL)
1199 			return -1;
1200 		dst->eap_req_id_text_len = src->eap_req_id_text_len;
1201 	} else {
1202 		dst->eap_req_id_text = NULL;
1203 		dst->eap_req_id_text_len = 0;
1204 	}
1205 
1206 	os_free(dst->erp_domain);
1207 	if (src->erp_domain) {
1208 		dst->erp_domain = os_strdup(src->erp_domain);
1209 		if (dst->erp_domain == NULL)
1210 			goto fail;
1211 	} else {
1212 		dst->erp_domain = NULL;
1213 	}
1214 	dst->erp_send_reauth_start = src->erp_send_reauth_start;
1215 
1216 	return 0;
1217 
1218 fail:
1219 	eapol_auth_conf_free(dst);
1220 	return -1;
1221 }
1222 
1223 
eapol_auth_conf_free(struct eapol_auth_config * conf)1224 static void eapol_auth_conf_free(struct eapol_auth_config *conf)
1225 {
1226 	os_free(conf->eap_req_id_text);
1227 	conf->eap_req_id_text = NULL;
1228 	os_free(conf->erp_domain);
1229 	conf->erp_domain = NULL;
1230 }
1231 
1232 
eapol_auth_init(struct eapol_auth_config * conf,struct eapol_auth_cb * cb)1233 struct eapol_authenticator * eapol_auth_init(struct eapol_auth_config *conf,
1234 					     struct eapol_auth_cb *cb)
1235 {
1236 	struct eapol_authenticator *eapol;
1237 
1238 	eapol = os_zalloc(sizeof(*eapol));
1239 	if (eapol == NULL)
1240 		return NULL;
1241 
1242 	if (eapol_auth_conf_clone(&eapol->conf, conf) < 0) {
1243 		os_free(eapol);
1244 		return NULL;
1245 	}
1246 
1247 #ifdef CONFIG_WEP
1248 	if (conf->individual_wep_key_len > 0) {
1249 		/* use key0 in individual key and key1 in broadcast key */
1250 		eapol->default_wep_key_idx = 1;
1251 	}
1252 #endif /* CONFIG_WEP */
1253 
1254 	eapol->cb.eapol_send = cb->eapol_send;
1255 	eapol->cb.aaa_send = cb->aaa_send;
1256 	eapol->cb.finished = cb->finished;
1257 	eapol->cb.get_eap_user = cb->get_eap_user;
1258 	eapol->cb.sta_entry_alive = cb->sta_entry_alive;
1259 	eapol->cb.logger = cb->logger;
1260 	eapol->cb.set_port_authorized = cb->set_port_authorized;
1261 	eapol->cb.abort_auth = cb->abort_auth;
1262 	eapol->cb.tx_key = cb->tx_key;
1263 	eapol->cb.eapol_event = cb->eapol_event;
1264 	eapol->cb.erp_get_key = cb->erp_get_key;
1265 	eapol->cb.erp_add_key = cb->erp_add_key;
1266 
1267 	return eapol;
1268 }
1269 
1270 
eapol_auth_deinit(struct eapol_authenticator * eapol)1271 void eapol_auth_deinit(struct eapol_authenticator *eapol)
1272 {
1273 	if (eapol == NULL)
1274 		return;
1275 
1276 	eapol_auth_conf_free(&eapol->conf);
1277 #ifdef CONFIG_WEP
1278 	os_free(eapol->default_wep_key);
1279 #endif /* CONFIG_WEP */
1280 	os_free(eapol);
1281 }
1282