• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * hostapd / EAP Full Authenticator state machine (RFC 4137)
3  * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  *
8  * This state machine is based on the full authenticator state machine defined
9  * in RFC 4137. However, to support backend authentication in RADIUS
10  * authentication server functionality, parts of backend authenticator (also
11  * from RFC 4137) are mixed in. This functionality is enabled by setting
12  * backend_auth configuration variable to TRUE.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "eap_i.h"
19 #include "state_machine.h"
20 #include "common/wpa_ctrl.h"
21 
22 #define STATE_MACHINE_DATA struct eap_sm
23 #define STATE_MACHINE_DEBUG_PREFIX "EAP"
24 
25 #define EAP_MAX_AUTH_ROUNDS 50
26 
27 static void eap_user_free(struct eap_user *user);
28 
29 
30 /* EAP state machines are described in RFC 4137 */
31 
32 static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount,
33 				   int eapSRTT, int eapRTTVAR,
34 				   int methodTimeout);
35 static void eap_sm_parseEapResp(struct eap_sm *sm, const struct wpabuf *resp);
36 static int eap_sm_getId(const struct wpabuf *data);
37 static struct wpabuf * eap_sm_buildSuccess(struct eap_sm *sm, u8 id);
38 static struct wpabuf * eap_sm_buildFailure(struct eap_sm *sm, u8 id);
39 static int eap_sm_nextId(struct eap_sm *sm, int id);
40 static void eap_sm_Policy_update(struct eap_sm *sm, const u8 *nak_list,
41 				 size_t len);
42 static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor);
43 static int eap_sm_Policy_getDecision(struct eap_sm *sm);
44 static Boolean eap_sm_Policy_doPickUp(struct eap_sm *sm, EapType method);
45 
46 
eap_copy_buf(struct wpabuf ** dst,const struct wpabuf * src)47 static int eap_copy_buf(struct wpabuf **dst, const struct wpabuf *src)
48 {
49 	if (src == NULL)
50 		return -1;
51 
52 	wpabuf_free(*dst);
53 	*dst = wpabuf_dup(src);
54 	return *dst ? 0 : -1;
55 }
56 
57 
eap_copy_data(u8 ** dst,size_t * dst_len,const u8 * src,size_t src_len)58 static int eap_copy_data(u8 **dst, size_t *dst_len,
59 			 const u8 *src, size_t src_len)
60 {
61 	if (src == NULL)
62 		return -1;
63 
64 	os_free(*dst);
65 	*dst = os_malloc(src_len);
66 	if (*dst) {
67 		os_memcpy(*dst, src, src_len);
68 		*dst_len = src_len;
69 		return 0;
70 	} else {
71 		*dst_len = 0;
72 		return -1;
73 	}
74 }
75 
76 #define EAP_COPY(dst, src) \
77 	eap_copy_data((dst), (dst ## Len), (src), (src ## Len))
78 
79 
80 /**
81  * eap_user_get - Fetch user information from the database
82  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
83  * @identity: Identity (User-Name) of the user
84  * @identity_len: Length of identity in bytes
85  * @phase2: 0 = EAP phase1 user, 1 = EAP phase2 (tunneled) user
86  * Returns: 0 on success, or -1 on failure
87  *
88  * This function is used to fetch user information for EAP. The user will be
89  * selected based on the specified identity. sm->user and
90  * sm->user_eap_method_index are updated for the new user when a matching user
91  * is found. sm->user can be used to get user information (e.g., password).
92  */
eap_user_get(struct eap_sm * sm,const u8 * identity,size_t identity_len,int phase2)93 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
94 		 int phase2)
95 {
96 	struct eap_user *user;
97 
98 	if (sm == NULL || sm->eapol_cb == NULL ||
99 	    sm->eapol_cb->get_eap_user == NULL)
100 		return -1;
101 
102 	eap_user_free(sm->user);
103 	sm->user = NULL;
104 
105 	user = os_zalloc(sizeof(*user));
106 	if (user == NULL)
107 	    return -1;
108 
109 	if (sm->eapol_cb->get_eap_user(sm->eapol_ctx, identity,
110 				       identity_len, phase2, user) != 0) {
111 		eap_user_free(user);
112 		return -1;
113 	}
114 
115 	sm->user = user;
116 	sm->user_eap_method_index = 0;
117 
118 	return 0;
119 }
120 
121 
eap_log_msg(struct eap_sm * sm,const char * fmt,...)122 void eap_log_msg(struct eap_sm *sm, const char *fmt, ...)
123 {
124 	va_list ap;
125 	char *buf;
126 	int buflen;
127 
128 	if (sm == NULL || sm->eapol_cb == NULL || sm->eapol_cb->log_msg == NULL)
129 		return;
130 
131 	va_start(ap, fmt);
132 	buflen = vsnprintf(NULL, 0, fmt, ap) + 1;
133 	va_end(ap);
134 
135 	buf = os_malloc(buflen);
136 	if (buf == NULL)
137 		return;
138 	va_start(ap, fmt);
139 	vsnprintf(buf, buflen, fmt, ap);
140 	va_end(ap);
141 
142 	sm->eapol_cb->log_msg(sm->eapol_ctx, buf);
143 
144 	os_free(buf);
145 }
146 
147 
SM_STATE(EAP,DISABLED)148 SM_STATE(EAP, DISABLED)
149 {
150 	SM_ENTRY(EAP, DISABLED);
151 	sm->num_rounds = 0;
152 }
153 
154 
SM_STATE(EAP,INITIALIZE)155 SM_STATE(EAP, INITIALIZE)
156 {
157 	SM_ENTRY(EAP, INITIALIZE);
158 
159 	if (sm->eap_if.eapRestart && !sm->eap_server && sm->identity) {
160 		/*
161 		 * Need to allow internal Identity method to be used instead
162 		 * of passthrough at the beginning of reauthentication.
163 		 */
164 		eap_server_clear_identity(sm);
165 	}
166 
167 	sm->currentId = -1;
168 	sm->eap_if.eapSuccess = FALSE;
169 	sm->eap_if.eapFail = FALSE;
170 	sm->eap_if.eapTimeout = FALSE;
171 	bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
172 	sm->eap_if.eapKeyData = NULL;
173 	sm->eap_if.eapKeyDataLen = 0;
174 	sm->eap_if.eapKeyAvailable = FALSE;
175 	sm->eap_if.eapRestart = FALSE;
176 
177 	/*
178 	 * This is not defined in RFC 4137, but method state needs to be
179 	 * reseted here so that it does not remain in success state when
180 	 * re-authentication starts.
181 	 */
182 	if (sm->m && sm->eap_method_priv) {
183 		sm->m->reset(sm, sm->eap_method_priv);
184 		sm->eap_method_priv = NULL;
185 	}
186 	sm->m = NULL;
187 	sm->user_eap_method_index = 0;
188 
189 	if (sm->backend_auth) {
190 		sm->currentMethod = EAP_TYPE_NONE;
191 		/* parse rxResp, respId, respMethod */
192 		eap_sm_parseEapResp(sm, sm->eap_if.eapRespData);
193 		if (sm->rxResp) {
194 			sm->currentId = sm->respId;
195 		}
196 	}
197 	sm->num_rounds = 0;
198 	sm->method_pending = METHOD_PENDING_NONE;
199 
200 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
201 		MACSTR, MAC2STR(sm->peer_addr));
202 }
203 
204 
SM_STATE(EAP,PICK_UP_METHOD)205 SM_STATE(EAP, PICK_UP_METHOD)
206 {
207 	SM_ENTRY(EAP, PICK_UP_METHOD);
208 
209 	if (eap_sm_Policy_doPickUp(sm, sm->respMethod)) {
210 		sm->currentMethod = sm->respMethod;
211 		if (sm->m && sm->eap_method_priv) {
212 			sm->m->reset(sm, sm->eap_method_priv);
213 			sm->eap_method_priv = NULL;
214 		}
215 		sm->m = eap_server_get_eap_method(EAP_VENDOR_IETF,
216 						  sm->currentMethod);
217 		if (sm->m && sm->m->initPickUp) {
218 			sm->eap_method_priv = sm->m->initPickUp(sm);
219 			if (sm->eap_method_priv == NULL) {
220 				wpa_printf(MSG_DEBUG, "EAP: Failed to "
221 					   "initialize EAP method %d",
222 					   sm->currentMethod);
223 				sm->m = NULL;
224 				sm->currentMethod = EAP_TYPE_NONE;
225 			}
226 		} else {
227 			sm->m = NULL;
228 			sm->currentMethod = EAP_TYPE_NONE;
229 		}
230 	}
231 
232 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
233 		"method=%u", sm->currentMethod);
234 }
235 
236 
SM_STATE(EAP,IDLE)237 SM_STATE(EAP, IDLE)
238 {
239 	SM_ENTRY(EAP, IDLE);
240 
241 	sm->eap_if.retransWhile = eap_sm_calculateTimeout(
242 		sm, sm->retransCount, sm->eap_if.eapSRTT, sm->eap_if.eapRTTVAR,
243 		sm->methodTimeout);
244 }
245 
246 
SM_STATE(EAP,RETRANSMIT)247 SM_STATE(EAP, RETRANSMIT)
248 {
249 	SM_ENTRY(EAP, RETRANSMIT);
250 
251 	sm->retransCount++;
252 	if (sm->retransCount <= sm->MaxRetrans && sm->lastReqData) {
253 		if (eap_copy_buf(&sm->eap_if.eapReqData, sm->lastReqData) == 0)
254 			sm->eap_if.eapReq = TRUE;
255 	}
256 }
257 
258 
SM_STATE(EAP,RECEIVED)259 SM_STATE(EAP, RECEIVED)
260 {
261 	SM_ENTRY(EAP, RECEIVED);
262 
263 	/* parse rxResp, respId, respMethod */
264 	eap_sm_parseEapResp(sm, sm->eap_if.eapRespData);
265 	sm->num_rounds++;
266 }
267 
268 
SM_STATE(EAP,DISCARD)269 SM_STATE(EAP, DISCARD)
270 {
271 	SM_ENTRY(EAP, DISCARD);
272 	sm->eap_if.eapResp = FALSE;
273 	sm->eap_if.eapNoReq = TRUE;
274 }
275 
276 
SM_STATE(EAP,SEND_REQUEST)277 SM_STATE(EAP, SEND_REQUEST)
278 {
279 	SM_ENTRY(EAP, SEND_REQUEST);
280 
281 	sm->retransCount = 0;
282 	if (sm->eap_if.eapReqData) {
283 		if (eap_copy_buf(&sm->lastReqData, sm->eap_if.eapReqData) == 0)
284 		{
285 			sm->eap_if.eapResp = FALSE;
286 			sm->eap_if.eapReq = TRUE;
287 		} else {
288 			sm->eap_if.eapResp = FALSE;
289 			sm->eap_if.eapReq = FALSE;
290 		}
291 	} else {
292 		wpa_printf(MSG_INFO, "EAP: SEND_REQUEST - no eapReqData");
293 		sm->eap_if.eapResp = FALSE;
294 		sm->eap_if.eapReq = FALSE;
295 		sm->eap_if.eapNoReq = TRUE;
296 	}
297 }
298 
299 
SM_STATE(EAP,INTEGRITY_CHECK)300 SM_STATE(EAP, INTEGRITY_CHECK)
301 {
302 	SM_ENTRY(EAP, INTEGRITY_CHECK);
303 
304 	if (!eap_hdr_len_valid(sm->eap_if.eapRespData, 1)) {
305 		sm->ignore = TRUE;
306 		return;
307 	}
308 
309 	if (sm->m->check) {
310 		sm->ignore = sm->m->check(sm, sm->eap_method_priv,
311 					  sm->eap_if.eapRespData);
312 	}
313 }
314 
315 
SM_STATE(EAP,METHOD_REQUEST)316 SM_STATE(EAP, METHOD_REQUEST)
317 {
318 	SM_ENTRY(EAP, METHOD_REQUEST);
319 
320 	if (sm->m == NULL) {
321 		wpa_printf(MSG_DEBUG, "EAP: method not initialized");
322 		return;
323 	}
324 
325 	sm->currentId = eap_sm_nextId(sm, sm->currentId);
326 	wpa_printf(MSG_DEBUG, "EAP: building EAP-Request: Identifier %d",
327 		   sm->currentId);
328 	sm->lastId = sm->currentId;
329 	wpabuf_free(sm->eap_if.eapReqData);
330 	sm->eap_if.eapReqData = sm->m->buildReq(sm, sm->eap_method_priv,
331 						sm->currentId);
332 	if (sm->m->getTimeout)
333 		sm->methodTimeout = sm->m->getTimeout(sm, sm->eap_method_priv);
334 	else
335 		sm->methodTimeout = 0;
336 }
337 
338 
SM_STATE(EAP,METHOD_RESPONSE)339 SM_STATE(EAP, METHOD_RESPONSE)
340 {
341 	SM_ENTRY(EAP, METHOD_RESPONSE);
342 
343 	if (!eap_hdr_len_valid(sm->eap_if.eapRespData, 1))
344 		return;
345 
346 	sm->m->process(sm, sm->eap_method_priv, sm->eap_if.eapRespData);
347 	if (sm->m->isDone(sm, sm->eap_method_priv)) {
348 		eap_sm_Policy_update(sm, NULL, 0);
349 		bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
350 		if (sm->m->getKey) {
351 			sm->eap_if.eapKeyData = sm->m->getKey(
352 				sm, sm->eap_method_priv,
353 				&sm->eap_if.eapKeyDataLen);
354 		} else {
355 			sm->eap_if.eapKeyData = NULL;
356 			sm->eap_if.eapKeyDataLen = 0;
357 		}
358 		sm->methodState = METHOD_END;
359 	} else {
360 		sm->methodState = METHOD_CONTINUE;
361 	}
362 }
363 
364 
SM_STATE(EAP,PROPOSE_METHOD)365 SM_STATE(EAP, PROPOSE_METHOD)
366 {
367 	int vendor;
368 	EapType type;
369 
370 	SM_ENTRY(EAP, PROPOSE_METHOD);
371 
372 try_another_method:
373 	type = eap_sm_Policy_getNextMethod(sm, &vendor);
374 	if (vendor == EAP_VENDOR_IETF)
375 		sm->currentMethod = type;
376 	else
377 		sm->currentMethod = EAP_TYPE_EXPANDED;
378 	if (sm->m && sm->eap_method_priv) {
379 		sm->m->reset(sm, sm->eap_method_priv);
380 		sm->eap_method_priv = NULL;
381 	}
382 	sm->m = eap_server_get_eap_method(vendor, type);
383 	if (sm->m) {
384 		sm->eap_method_priv = sm->m->init(sm);
385 		if (sm->eap_method_priv == NULL) {
386 			wpa_printf(MSG_DEBUG, "EAP: Failed to initialize EAP "
387 				   "method %d", sm->currentMethod);
388 			sm->m = NULL;
389 			sm->currentMethod = EAP_TYPE_NONE;
390 			goto try_another_method;
391 		}
392 	}
393 	if (sm->m == NULL) {
394 		wpa_printf(MSG_DEBUG, "EAP: Could not find suitable EAP method");
395 		eap_log_msg(sm, "Could not find suitable EAP method");
396 		sm->decision = DECISION_FAILURE;
397 		return;
398 	}
399 	if (sm->currentMethod == EAP_TYPE_IDENTITY ||
400 	    sm->currentMethod == EAP_TYPE_NOTIFICATION)
401 		sm->methodState = METHOD_CONTINUE;
402 	else
403 		sm->methodState = METHOD_PROPOSED;
404 
405 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
406 		"vendor=%u method=%u", vendor, sm->currentMethod);
407 	eap_log_msg(sm, "Propose EAP method vendor=%u method=%u",
408 		    vendor, sm->currentMethod);
409 }
410 
411 
SM_STATE(EAP,NAK)412 SM_STATE(EAP, NAK)
413 {
414 	const struct eap_hdr *nak;
415 	size_t len = 0;
416 	const u8 *pos;
417 	const u8 *nak_list = NULL;
418 
419 	SM_ENTRY(EAP, NAK);
420 
421 	if (sm->eap_method_priv) {
422 		sm->m->reset(sm, sm->eap_method_priv);
423 		sm->eap_method_priv = NULL;
424 	}
425 	sm->m = NULL;
426 
427 	if (!eap_hdr_len_valid(sm->eap_if.eapRespData, 1))
428 		return;
429 
430 	nak = wpabuf_head(sm->eap_if.eapRespData);
431 	if (nak && wpabuf_len(sm->eap_if.eapRespData) > sizeof(*nak)) {
432 		len = be_to_host16(nak->length);
433 		if (len > wpabuf_len(sm->eap_if.eapRespData))
434 			len = wpabuf_len(sm->eap_if.eapRespData);
435 		pos = (const u8 *) (nak + 1);
436 		len -= sizeof(*nak);
437 		if (*pos == EAP_TYPE_NAK) {
438 			pos++;
439 			len--;
440 			nak_list = pos;
441 		}
442 	}
443 	eap_sm_Policy_update(sm, nak_list, len);
444 }
445 
446 
SM_STATE(EAP,SELECT_ACTION)447 SM_STATE(EAP, SELECT_ACTION)
448 {
449 	SM_ENTRY(EAP, SELECT_ACTION);
450 
451 	sm->decision = eap_sm_Policy_getDecision(sm);
452 }
453 
454 
SM_STATE(EAP,TIMEOUT_FAILURE)455 SM_STATE(EAP, TIMEOUT_FAILURE)
456 {
457 	SM_ENTRY(EAP, TIMEOUT_FAILURE);
458 
459 	sm->eap_if.eapTimeout = TRUE;
460 }
461 
462 
SM_STATE(EAP,FAILURE)463 SM_STATE(EAP, FAILURE)
464 {
465 	SM_ENTRY(EAP, FAILURE);
466 
467 	wpabuf_free(sm->eap_if.eapReqData);
468 	sm->eap_if.eapReqData = eap_sm_buildFailure(sm, sm->currentId);
469 	wpabuf_free(sm->lastReqData);
470 	sm->lastReqData = NULL;
471 	sm->eap_if.eapFail = TRUE;
472 
473 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
474 		MACSTR, MAC2STR(sm->peer_addr));
475 }
476 
477 
SM_STATE(EAP,SUCCESS)478 SM_STATE(EAP, SUCCESS)
479 {
480 	SM_ENTRY(EAP, SUCCESS);
481 
482 	wpabuf_free(sm->eap_if.eapReqData);
483 	sm->eap_if.eapReqData = eap_sm_buildSuccess(sm, sm->currentId);
484 	wpabuf_free(sm->lastReqData);
485 	sm->lastReqData = NULL;
486 	if (sm->eap_if.eapKeyData)
487 		sm->eap_if.eapKeyAvailable = TRUE;
488 	sm->eap_if.eapSuccess = TRUE;
489 
490 	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
491 		MACSTR, MAC2STR(sm->peer_addr));
492 }
493 
494 
SM_STATE(EAP,INITIALIZE_PASSTHROUGH)495 SM_STATE(EAP, INITIALIZE_PASSTHROUGH)
496 {
497 	SM_ENTRY(EAP, INITIALIZE_PASSTHROUGH);
498 
499 	wpabuf_free(sm->eap_if.aaaEapRespData);
500 	sm->eap_if.aaaEapRespData = NULL;
501 }
502 
503 
SM_STATE(EAP,IDLE2)504 SM_STATE(EAP, IDLE2)
505 {
506 	SM_ENTRY(EAP, IDLE2);
507 
508 	sm->eap_if.retransWhile = eap_sm_calculateTimeout(
509 		sm, sm->retransCount, sm->eap_if.eapSRTT, sm->eap_if.eapRTTVAR,
510 		sm->methodTimeout);
511 }
512 
513 
SM_STATE(EAP,RETRANSMIT2)514 SM_STATE(EAP, RETRANSMIT2)
515 {
516 	SM_ENTRY(EAP, RETRANSMIT2);
517 
518 	sm->retransCount++;
519 	if (sm->retransCount <= sm->MaxRetrans && sm->lastReqData) {
520 		if (eap_copy_buf(&sm->eap_if.eapReqData, sm->lastReqData) == 0)
521 			sm->eap_if.eapReq = TRUE;
522 	}
523 }
524 
525 
SM_STATE(EAP,RECEIVED2)526 SM_STATE(EAP, RECEIVED2)
527 {
528 	SM_ENTRY(EAP, RECEIVED2);
529 
530 	/* parse rxResp, respId, respMethod */
531 	eap_sm_parseEapResp(sm, sm->eap_if.eapRespData);
532 }
533 
534 
SM_STATE(EAP,DISCARD2)535 SM_STATE(EAP, DISCARD2)
536 {
537 	SM_ENTRY(EAP, DISCARD2);
538 	sm->eap_if.eapResp = FALSE;
539 	sm->eap_if.eapNoReq = TRUE;
540 }
541 
542 
SM_STATE(EAP,SEND_REQUEST2)543 SM_STATE(EAP, SEND_REQUEST2)
544 {
545 	SM_ENTRY(EAP, SEND_REQUEST2);
546 
547 	sm->retransCount = 0;
548 	if (sm->eap_if.eapReqData) {
549 		if (eap_copy_buf(&sm->lastReqData, sm->eap_if.eapReqData) == 0)
550 		{
551 			sm->eap_if.eapResp = FALSE;
552 			sm->eap_if.eapReq = TRUE;
553 		} else {
554 			sm->eap_if.eapResp = FALSE;
555 			sm->eap_if.eapReq = FALSE;
556 		}
557 	} else {
558 		wpa_printf(MSG_INFO, "EAP: SEND_REQUEST2 - no eapReqData");
559 		sm->eap_if.eapResp = FALSE;
560 		sm->eap_if.eapReq = FALSE;
561 		sm->eap_if.eapNoReq = TRUE;
562 	}
563 }
564 
565 
SM_STATE(EAP,AAA_REQUEST)566 SM_STATE(EAP, AAA_REQUEST)
567 {
568 	SM_ENTRY(EAP, AAA_REQUEST);
569 
570 	if (sm->eap_if.eapRespData == NULL) {
571 		wpa_printf(MSG_INFO, "EAP: AAA_REQUEST - no eapRespData");
572 		return;
573 	}
574 
575 	/*
576 	 * if (respMethod == IDENTITY)
577 	 *	aaaIdentity = eapRespData
578 	 * This is already taken care of by the EAP-Identity method which
579 	 * stores the identity into sm->identity.
580 	 */
581 
582 	eap_copy_buf(&sm->eap_if.aaaEapRespData, sm->eap_if.eapRespData);
583 }
584 
585 
SM_STATE(EAP,AAA_RESPONSE)586 SM_STATE(EAP, AAA_RESPONSE)
587 {
588 	SM_ENTRY(EAP, AAA_RESPONSE);
589 
590 	eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData);
591 	sm->currentId = eap_sm_getId(sm->eap_if.eapReqData);
592 	sm->methodTimeout = sm->eap_if.aaaMethodTimeout;
593 }
594 
595 
SM_STATE(EAP,AAA_IDLE)596 SM_STATE(EAP, AAA_IDLE)
597 {
598 	SM_ENTRY(EAP, AAA_IDLE);
599 
600 	sm->eap_if.aaaFail = FALSE;
601 	sm->eap_if.aaaSuccess = FALSE;
602 	sm->eap_if.aaaEapReq = FALSE;
603 	sm->eap_if.aaaEapNoReq = FALSE;
604 	sm->eap_if.aaaEapResp = TRUE;
605 }
606 
607 
SM_STATE(EAP,TIMEOUT_FAILURE2)608 SM_STATE(EAP, TIMEOUT_FAILURE2)
609 {
610 	SM_ENTRY(EAP, TIMEOUT_FAILURE2);
611 
612 	sm->eap_if.eapTimeout = TRUE;
613 }
614 
615 
SM_STATE(EAP,FAILURE2)616 SM_STATE(EAP, FAILURE2)
617 {
618 	SM_ENTRY(EAP, FAILURE2);
619 
620 	eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData);
621 	sm->eap_if.eapFail = TRUE;
622 }
623 
624 
SM_STATE(EAP,SUCCESS2)625 SM_STATE(EAP, SUCCESS2)
626 {
627 	SM_ENTRY(EAP, SUCCESS2);
628 
629 	eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData);
630 
631 	sm->eap_if.eapKeyAvailable = sm->eap_if.aaaEapKeyAvailable;
632 	if (sm->eap_if.aaaEapKeyAvailable) {
633 		EAP_COPY(&sm->eap_if.eapKeyData, sm->eap_if.aaaEapKeyData);
634 	} else {
635 		bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
636 		sm->eap_if.eapKeyData = NULL;
637 		sm->eap_if.eapKeyDataLen = 0;
638 	}
639 
640 	sm->eap_if.eapSuccess = TRUE;
641 
642 	/*
643 	 * Start reauthentication with identity request even though we know the
644 	 * previously used identity. This is needed to get reauthentication
645 	 * started properly.
646 	 */
647 	sm->start_reauth = TRUE;
648 }
649 
650 
SM_STEP(EAP)651 SM_STEP(EAP)
652 {
653 	if (sm->eap_if.eapRestart && sm->eap_if.portEnabled)
654 		SM_ENTER_GLOBAL(EAP, INITIALIZE);
655 	else if (!sm->eap_if.portEnabled)
656 		SM_ENTER_GLOBAL(EAP, DISABLED);
657 	else if (sm->num_rounds > EAP_MAX_AUTH_ROUNDS) {
658 		if (sm->num_rounds == EAP_MAX_AUTH_ROUNDS + 1) {
659 			wpa_printf(MSG_DEBUG, "EAP: more than %d "
660 				   "authentication rounds - abort",
661 				   EAP_MAX_AUTH_ROUNDS);
662 			sm->num_rounds++;
663 			SM_ENTER_GLOBAL(EAP, FAILURE);
664 		}
665 	} else switch (sm->EAP_state) {
666 	case EAP_INITIALIZE:
667 		if (sm->backend_auth) {
668 			if (!sm->rxResp)
669 				SM_ENTER(EAP, SELECT_ACTION);
670 			else if (sm->rxResp &&
671 				 (sm->respMethod == EAP_TYPE_NAK ||
672 				  (sm->respMethod == EAP_TYPE_EXPANDED &&
673 				   sm->respVendor == EAP_VENDOR_IETF &&
674 				   sm->respVendorMethod == EAP_TYPE_NAK)))
675 				SM_ENTER(EAP, NAK);
676 			else
677 				SM_ENTER(EAP, PICK_UP_METHOD);
678 		} else {
679 			SM_ENTER(EAP, SELECT_ACTION);
680 		}
681 		break;
682 	case EAP_PICK_UP_METHOD:
683 		if (sm->currentMethod == EAP_TYPE_NONE) {
684 			SM_ENTER(EAP, SELECT_ACTION);
685 		} else {
686 			SM_ENTER(EAP, METHOD_RESPONSE);
687 		}
688 		break;
689 	case EAP_DISABLED:
690 		if (sm->eap_if.portEnabled)
691 			SM_ENTER(EAP, INITIALIZE);
692 		break;
693 	case EAP_IDLE:
694 		if (sm->eap_if.retransWhile == 0)
695 			SM_ENTER(EAP, RETRANSMIT);
696 		else if (sm->eap_if.eapResp)
697 			SM_ENTER(EAP, RECEIVED);
698 		break;
699 	case EAP_RETRANSMIT:
700 		if (sm->retransCount > sm->MaxRetrans)
701 			SM_ENTER(EAP, TIMEOUT_FAILURE);
702 		else
703 			SM_ENTER(EAP, IDLE);
704 		break;
705 	case EAP_RECEIVED:
706 		if (sm->rxResp && (sm->respId == sm->currentId) &&
707 		    (sm->respMethod == EAP_TYPE_NAK ||
708 		     (sm->respMethod == EAP_TYPE_EXPANDED &&
709 		      sm->respVendor == EAP_VENDOR_IETF &&
710 		      sm->respVendorMethod == EAP_TYPE_NAK))
711 		    && (sm->methodState == METHOD_PROPOSED))
712 			SM_ENTER(EAP, NAK);
713 		else if (sm->rxResp && (sm->respId == sm->currentId) &&
714 			 ((sm->respMethod == sm->currentMethod) ||
715 			  (sm->respMethod == EAP_TYPE_EXPANDED &&
716 			   sm->respVendor == EAP_VENDOR_IETF &&
717 			   sm->respVendorMethod == sm->currentMethod)))
718 			SM_ENTER(EAP, INTEGRITY_CHECK);
719 		else {
720 			wpa_printf(MSG_DEBUG, "EAP: RECEIVED->DISCARD: "
721 				   "rxResp=%d respId=%d currentId=%d "
722 				   "respMethod=%d currentMethod=%d",
723 				   sm->rxResp, sm->respId, sm->currentId,
724 				   sm->respMethod, sm->currentMethod);
725 			eap_log_msg(sm, "Discard received EAP message");
726 			SM_ENTER(EAP, DISCARD);
727 		}
728 		break;
729 	case EAP_DISCARD:
730 		SM_ENTER(EAP, IDLE);
731 		break;
732 	case EAP_SEND_REQUEST:
733 		SM_ENTER(EAP, IDLE);
734 		break;
735 	case EAP_INTEGRITY_CHECK:
736 		if (sm->ignore)
737 			SM_ENTER(EAP, DISCARD);
738 		else
739 			SM_ENTER(EAP, METHOD_RESPONSE);
740 		break;
741 	case EAP_METHOD_REQUEST:
742 		if (sm->m == NULL) {
743 			/*
744 			 * This transition is not mentioned in RFC 4137, but it
745 			 * is needed to handle cleanly a case where EAP method
746 			 * initialization fails.
747 			 */
748 			SM_ENTER(EAP, FAILURE);
749 			break;
750 		}
751 		SM_ENTER(EAP, SEND_REQUEST);
752 		break;
753 	case EAP_METHOD_RESPONSE:
754 		/*
755 		 * Note: Mechanism to allow EAP methods to wait while going
756 		 * through pending processing is an extension to RFC 4137
757 		 * which only defines the transits to SELECT_ACTION and
758 		 * METHOD_REQUEST from this METHOD_RESPONSE state.
759 		 */
760 		if (sm->methodState == METHOD_END)
761 			SM_ENTER(EAP, SELECT_ACTION);
762 		else if (sm->method_pending == METHOD_PENDING_WAIT) {
763 			wpa_printf(MSG_DEBUG, "EAP: Method has pending "
764 				   "processing - wait before proceeding to "
765 				   "METHOD_REQUEST state");
766 		} else if (sm->method_pending == METHOD_PENDING_CONT) {
767 			wpa_printf(MSG_DEBUG, "EAP: Method has completed "
768 				   "pending processing - reprocess pending "
769 				   "EAP message");
770 			sm->method_pending = METHOD_PENDING_NONE;
771 			SM_ENTER(EAP, METHOD_RESPONSE);
772 		} else
773 			SM_ENTER(EAP, METHOD_REQUEST);
774 		break;
775 	case EAP_PROPOSE_METHOD:
776 		/*
777 		 * Note: Mechanism to allow EAP methods to wait while going
778 		 * through pending processing is an extension to RFC 4137
779 		 * which only defines the transit to METHOD_REQUEST from this
780 		 * PROPOSE_METHOD state.
781 		 */
782 		if (sm->method_pending == METHOD_PENDING_WAIT) {
783 			wpa_printf(MSG_DEBUG, "EAP: Method has pending "
784 				   "processing - wait before proceeding to "
785 				   "METHOD_REQUEST state");
786 			if (sm->user_eap_method_index > 0)
787 				sm->user_eap_method_index--;
788 		} else if (sm->method_pending == METHOD_PENDING_CONT) {
789 			wpa_printf(MSG_DEBUG, "EAP: Method has completed "
790 				   "pending processing - reprocess pending "
791 				   "EAP message");
792 			sm->method_pending = METHOD_PENDING_NONE;
793 			SM_ENTER(EAP, PROPOSE_METHOD);
794 		} else
795 			SM_ENTER(EAP, METHOD_REQUEST);
796 		break;
797 	case EAP_NAK:
798 		SM_ENTER(EAP, SELECT_ACTION);
799 		break;
800 	case EAP_SELECT_ACTION:
801 		if (sm->decision == DECISION_FAILURE)
802 			SM_ENTER(EAP, FAILURE);
803 		else if (sm->decision == DECISION_SUCCESS)
804 			SM_ENTER(EAP, SUCCESS);
805 		else if (sm->decision == DECISION_PASSTHROUGH)
806 			SM_ENTER(EAP, INITIALIZE_PASSTHROUGH);
807 		else
808 			SM_ENTER(EAP, PROPOSE_METHOD);
809 		break;
810 	case EAP_TIMEOUT_FAILURE:
811 		break;
812 	case EAP_FAILURE:
813 		break;
814 	case EAP_SUCCESS:
815 		break;
816 
817 	case EAP_INITIALIZE_PASSTHROUGH:
818 		if (sm->currentId == -1)
819 			SM_ENTER(EAP, AAA_IDLE);
820 		else
821 			SM_ENTER(EAP, AAA_REQUEST);
822 		break;
823 	case EAP_IDLE2:
824 		if (sm->eap_if.eapResp)
825 			SM_ENTER(EAP, RECEIVED2);
826 		else if (sm->eap_if.retransWhile == 0)
827 			SM_ENTER(EAP, RETRANSMIT2);
828 		break;
829 	case EAP_RETRANSMIT2:
830 		if (sm->retransCount > sm->MaxRetrans)
831 			SM_ENTER(EAP, TIMEOUT_FAILURE2);
832 		else
833 			SM_ENTER(EAP, IDLE2);
834 		break;
835 	case EAP_RECEIVED2:
836 		if (sm->rxResp && (sm->respId == sm->currentId))
837 			SM_ENTER(EAP, AAA_REQUEST);
838 		else
839 			SM_ENTER(EAP, DISCARD2);
840 		break;
841 	case EAP_DISCARD2:
842 		SM_ENTER(EAP, IDLE2);
843 		break;
844 	case EAP_SEND_REQUEST2:
845 		SM_ENTER(EAP, IDLE2);
846 		break;
847 	case EAP_AAA_REQUEST:
848 		SM_ENTER(EAP, AAA_IDLE);
849 		break;
850 	case EAP_AAA_RESPONSE:
851 		SM_ENTER(EAP, SEND_REQUEST2);
852 		break;
853 	case EAP_AAA_IDLE:
854 		if (sm->eap_if.aaaFail)
855 			SM_ENTER(EAP, FAILURE2);
856 		else if (sm->eap_if.aaaSuccess)
857 			SM_ENTER(EAP, SUCCESS2);
858 		else if (sm->eap_if.aaaEapReq)
859 			SM_ENTER(EAP, AAA_RESPONSE);
860 		else if (sm->eap_if.aaaTimeout)
861 			SM_ENTER(EAP, TIMEOUT_FAILURE2);
862 		break;
863 	case EAP_TIMEOUT_FAILURE2:
864 		break;
865 	case EAP_FAILURE2:
866 		break;
867 	case EAP_SUCCESS2:
868 		break;
869 	}
870 }
871 
872 
eap_sm_calculateTimeout(struct eap_sm * sm,int retransCount,int eapSRTT,int eapRTTVAR,int methodTimeout)873 static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount,
874 				   int eapSRTT, int eapRTTVAR,
875 				   int methodTimeout)
876 {
877 	int rto, i;
878 
879 	if (methodTimeout) {
880 		/*
881 		 * EAP method (either internal or through AAA server, provided
882 		 * timeout hint. Use that as-is as a timeout for retransmitting
883 		 * the EAP request if no response is received.
884 		 */
885 		wpa_printf(MSG_DEBUG, "EAP: retransmit timeout %d seconds "
886 			   "(from EAP method hint)", methodTimeout);
887 		return methodTimeout;
888 	}
889 
890 	/*
891 	 * RFC 3748 recommends algorithms described in RFC 2988 for estimation
892 	 * of the retransmission timeout. This should be implemented once
893 	 * round-trip time measurements are available. For nowm a simple
894 	 * backoff mechanism is used instead if there are no EAP method
895 	 * specific hints.
896 	 *
897 	 * SRTT = smoothed round-trip time
898 	 * RTTVAR = round-trip time variation
899 	 * RTO = retransmission timeout
900 	 */
901 
902 	/*
903 	 * RFC 2988, 2.1: before RTT measurement, set RTO to 3 seconds for
904 	 * initial retransmission and then double the RTO to provide back off
905 	 * per 5.5. Limit the maximum RTO to 20 seconds per RFC 3748, 4.3
906 	 * modified RTOmax.
907 	 */
908 	rto = 3;
909 	for (i = 0; i < retransCount; i++) {
910 		rto *= 2;
911 		if (rto >= 20) {
912 			rto = 20;
913 			break;
914 		}
915 	}
916 
917 	wpa_printf(MSG_DEBUG, "EAP: retransmit timeout %d seconds "
918 		   "(from dynamic back off; retransCount=%d)",
919 		   rto, retransCount);
920 
921 	return rto;
922 }
923 
924 
eap_sm_parseEapResp(struct eap_sm * sm,const struct wpabuf * resp)925 static void eap_sm_parseEapResp(struct eap_sm *sm, const struct wpabuf *resp)
926 {
927 	const struct eap_hdr *hdr;
928 	size_t plen;
929 
930 	/* parse rxResp, respId, respMethod */
931 	sm->rxResp = FALSE;
932 	sm->respId = -1;
933 	sm->respMethod = EAP_TYPE_NONE;
934 	sm->respVendor = EAP_VENDOR_IETF;
935 	sm->respVendorMethod = EAP_TYPE_NONE;
936 
937 	if (resp == NULL || wpabuf_len(resp) < sizeof(*hdr)) {
938 		wpa_printf(MSG_DEBUG, "EAP: parseEapResp: invalid resp=%p "
939 			   "len=%lu", resp,
940 			   resp ? (unsigned long) wpabuf_len(resp) : 0);
941 		return;
942 	}
943 
944 	hdr = wpabuf_head(resp);
945 	plen = be_to_host16(hdr->length);
946 	if (plen > wpabuf_len(resp)) {
947 		wpa_printf(MSG_DEBUG, "EAP: Ignored truncated EAP-Packet "
948 			   "(len=%lu plen=%lu)",
949 			   (unsigned long) wpabuf_len(resp),
950 			   (unsigned long) plen);
951 		return;
952 	}
953 
954 	sm->respId = hdr->identifier;
955 
956 	if (hdr->code == EAP_CODE_RESPONSE)
957 		sm->rxResp = TRUE;
958 
959 	if (plen > sizeof(*hdr)) {
960 		u8 *pos = (u8 *) (hdr + 1);
961 		sm->respMethod = *pos++;
962 		if (sm->respMethod == EAP_TYPE_EXPANDED) {
963 			if (plen < sizeof(*hdr) + 8) {
964 				wpa_printf(MSG_DEBUG, "EAP: Ignored truncated "
965 					   "expanded EAP-Packet (plen=%lu)",
966 					   (unsigned long) plen);
967 				return;
968 			}
969 			sm->respVendor = WPA_GET_BE24(pos);
970 			pos += 3;
971 			sm->respVendorMethod = WPA_GET_BE32(pos);
972 		}
973 	}
974 
975 	wpa_printf(MSG_DEBUG, "EAP: parseEapResp: rxResp=%d respId=%d "
976 		   "respMethod=%u respVendor=%u respVendorMethod=%u",
977 		   sm->rxResp, sm->respId, sm->respMethod, sm->respVendor,
978 		   sm->respVendorMethod);
979 }
980 
981 
eap_sm_getId(const struct wpabuf * data)982 static int eap_sm_getId(const struct wpabuf *data)
983 {
984 	const struct eap_hdr *hdr;
985 
986 	if (data == NULL || wpabuf_len(data) < sizeof(*hdr))
987 		return -1;
988 
989 	hdr = wpabuf_head(data);
990 	wpa_printf(MSG_DEBUG, "EAP: getId: id=%d", hdr->identifier);
991 	return hdr->identifier;
992 }
993 
994 
eap_sm_buildSuccess(struct eap_sm * sm,u8 id)995 static struct wpabuf * eap_sm_buildSuccess(struct eap_sm *sm, u8 id)
996 {
997 	struct wpabuf *msg;
998 	struct eap_hdr *resp;
999 	wpa_printf(MSG_DEBUG, "EAP: Building EAP-Success (id=%d)", id);
1000 
1001 	msg = wpabuf_alloc(sizeof(*resp));
1002 	if (msg == NULL)
1003 		return NULL;
1004 	resp = wpabuf_put(msg, sizeof(*resp));
1005 	resp->code = EAP_CODE_SUCCESS;
1006 	resp->identifier = id;
1007 	resp->length = host_to_be16(sizeof(*resp));
1008 
1009 	return msg;
1010 }
1011 
1012 
eap_sm_buildFailure(struct eap_sm * sm,u8 id)1013 static struct wpabuf * eap_sm_buildFailure(struct eap_sm *sm, u8 id)
1014 {
1015 	struct wpabuf *msg;
1016 	struct eap_hdr *resp;
1017 	wpa_printf(MSG_DEBUG, "EAP: Building EAP-Failure (id=%d)", id);
1018 
1019 	msg = wpabuf_alloc(sizeof(*resp));
1020 	if (msg == NULL)
1021 		return NULL;
1022 	resp = wpabuf_put(msg, sizeof(*resp));
1023 	resp->code = EAP_CODE_FAILURE;
1024 	resp->identifier = id;
1025 	resp->length = host_to_be16(sizeof(*resp));
1026 
1027 	return msg;
1028 }
1029 
1030 
eap_sm_nextId(struct eap_sm * sm,int id)1031 static int eap_sm_nextId(struct eap_sm *sm, int id)
1032 {
1033 	if (id < 0) {
1034 		/* RFC 3748 Ch 4.1: recommended to initialize Identifier with a
1035 		 * random number */
1036 		id = rand() & 0xff;
1037 		if (id != sm->lastId)
1038 			return id;
1039 	}
1040 	return (id + 1) & 0xff;
1041 }
1042 
1043 
1044 /**
1045  * eap_sm_process_nak - Process EAP-Response/Nak
1046  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1047  * @nak_list: Nak list (allowed methods) from the supplicant
1048  * @len: Length of nak_list in bytes
1049  *
1050  * This function is called when EAP-Response/Nak is received from the
1051  * supplicant. This can happen for both phase 1 and phase 2 authentications.
1052  */
eap_sm_process_nak(struct eap_sm * sm,const u8 * nak_list,size_t len)1053 void eap_sm_process_nak(struct eap_sm *sm, const u8 *nak_list, size_t len)
1054 {
1055 	int i;
1056 	size_t j;
1057 
1058 	if (sm->user == NULL)
1059 		return;
1060 
1061 	wpa_printf(MSG_MSGDUMP, "EAP: processing NAK (current EAP method "
1062 		   "index %d)", sm->user_eap_method_index);
1063 
1064 	wpa_hexdump(MSG_MSGDUMP, "EAP: configured methods",
1065 		    (u8 *) sm->user->methods,
1066 		    EAP_MAX_METHODS * sizeof(sm->user->methods[0]));
1067 	wpa_hexdump(MSG_MSGDUMP, "EAP: list of methods supported by the peer",
1068 		    nak_list, len);
1069 
1070 	i = sm->user_eap_method_index;
1071 	while (i < EAP_MAX_METHODS &&
1072 	       (sm->user->methods[i].vendor != EAP_VENDOR_IETF ||
1073 		sm->user->methods[i].method != EAP_TYPE_NONE)) {
1074 		if (sm->user->methods[i].vendor != EAP_VENDOR_IETF)
1075 			goto not_found;
1076 		for (j = 0; j < len; j++) {
1077 			if (nak_list[j] == sm->user->methods[i].method) {
1078 				break;
1079 			}
1080 		}
1081 
1082 		if (j < len) {
1083 			/* found */
1084 			i++;
1085 			continue;
1086 		}
1087 
1088 	not_found:
1089 		/* not found - remove from the list */
1090 		if (i + 1 < EAP_MAX_METHODS) {
1091 			os_memmove(&sm->user->methods[i],
1092 				   &sm->user->methods[i + 1],
1093 				   (EAP_MAX_METHODS - i - 1) *
1094 				   sizeof(sm->user->methods[0]));
1095 		}
1096 		sm->user->methods[EAP_MAX_METHODS - 1].vendor =
1097 			EAP_VENDOR_IETF;
1098 		sm->user->methods[EAP_MAX_METHODS - 1].method = EAP_TYPE_NONE;
1099 	}
1100 
1101 	wpa_hexdump(MSG_MSGDUMP, "EAP: new list of configured methods",
1102 		    (u8 *) sm->user->methods, EAP_MAX_METHODS *
1103 		    sizeof(sm->user->methods[0]));
1104 }
1105 
1106 
eap_sm_Policy_update(struct eap_sm * sm,const u8 * nak_list,size_t len)1107 static void eap_sm_Policy_update(struct eap_sm *sm, const u8 *nak_list,
1108 				 size_t len)
1109 {
1110 	if (nak_list == NULL || sm == NULL || sm->user == NULL)
1111 		return;
1112 
1113 	if (sm->user->phase2) {
1114 		wpa_printf(MSG_DEBUG, "EAP: EAP-Nak received after Phase2 user"
1115 			   " info was selected - reject");
1116 		sm->decision = DECISION_FAILURE;
1117 		return;
1118 	}
1119 
1120 	eap_sm_process_nak(sm, nak_list, len);
1121 }
1122 
1123 
eap_sm_Policy_getNextMethod(struct eap_sm * sm,int * vendor)1124 static EapType eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
1125 {
1126 	EapType next;
1127 	int idx = sm->user_eap_method_index;
1128 
1129 	/* In theory, there should be no problems with starting
1130 	 * re-authentication with something else than EAP-Request/Identity and
1131 	 * this does indeed work with wpa_supplicant. However, at least Funk
1132 	 * Supplicant seemed to ignore re-auth if it skipped
1133 	 * EAP-Request/Identity.
1134 	 * Re-auth sets currentId == -1, so that can be used here to select
1135 	 * whether Identity needs to be requested again. */
1136 	if (sm->identity == NULL || sm->currentId == -1) {
1137 		*vendor = EAP_VENDOR_IETF;
1138 		next = EAP_TYPE_IDENTITY;
1139 		sm->update_user = TRUE;
1140 	} else if (sm->user && idx < EAP_MAX_METHODS &&
1141 		   (sm->user->methods[idx].vendor != EAP_VENDOR_IETF ||
1142 		    sm->user->methods[idx].method != EAP_TYPE_NONE)) {
1143 		*vendor = sm->user->methods[idx].vendor;
1144 		next = sm->user->methods[idx].method;
1145 		sm->user_eap_method_index++;
1146 	} else {
1147 		*vendor = EAP_VENDOR_IETF;
1148 		next = EAP_TYPE_NONE;
1149 	}
1150 	wpa_printf(MSG_DEBUG, "EAP: getNextMethod: vendor %d type %d",
1151 		   *vendor, next);
1152 	return next;
1153 }
1154 
1155 
eap_sm_Policy_getDecision(struct eap_sm * sm)1156 static int eap_sm_Policy_getDecision(struct eap_sm *sm)
1157 {
1158 	if (!sm->eap_server && sm->identity && !sm->start_reauth) {
1159 		wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
1160 		return DECISION_PASSTHROUGH;
1161 	}
1162 
1163 	if (sm->m && sm->currentMethod != EAP_TYPE_IDENTITY &&
1164 	    sm->m->isSuccess(sm, sm->eap_method_priv)) {
1165 		wpa_printf(MSG_DEBUG, "EAP: getDecision: method succeeded -> "
1166 			   "SUCCESS");
1167 		sm->update_user = TRUE;
1168 		return DECISION_SUCCESS;
1169 	}
1170 
1171 	if (sm->m && sm->m->isDone(sm, sm->eap_method_priv) &&
1172 	    !sm->m->isSuccess(sm, sm->eap_method_priv)) {
1173 		wpa_printf(MSG_DEBUG, "EAP: getDecision: method failed -> "
1174 			   "FAILURE");
1175 		sm->update_user = TRUE;
1176 		return DECISION_FAILURE;
1177 	}
1178 
1179 	if ((sm->user == NULL || sm->update_user) && sm->identity &&
1180 	    !sm->start_reauth) {
1181 		/*
1182 		 * Allow Identity method to be started once to allow identity
1183 		 * selection hint to be sent from the authentication server,
1184 		 * but prevent a loop of Identity requests by only allowing
1185 		 * this to happen once.
1186 		 */
1187 		int id_req = 0;
1188 		if (sm->user && sm->currentMethod == EAP_TYPE_IDENTITY &&
1189 		    sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
1190 		    sm->user->methods[0].method == EAP_TYPE_IDENTITY)
1191 			id_req = 1;
1192 		if (eap_user_get(sm, sm->identity, sm->identity_len, 0) != 0) {
1193 			wpa_printf(MSG_DEBUG, "EAP: getDecision: user not "
1194 				   "found from database -> FAILURE");
1195 			return DECISION_FAILURE;
1196 		}
1197 		if (id_req && sm->user &&
1198 		    sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
1199 		    sm->user->methods[0].method == EAP_TYPE_IDENTITY) {
1200 			wpa_printf(MSG_DEBUG, "EAP: getDecision: stop "
1201 				   "identity request loop -> FAILURE");
1202 			sm->update_user = TRUE;
1203 			return DECISION_FAILURE;
1204 		}
1205 		sm->update_user = FALSE;
1206 	}
1207 	sm->start_reauth = FALSE;
1208 
1209 	if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
1210 	    (sm->user->methods[sm->user_eap_method_index].vendor !=
1211 	     EAP_VENDOR_IETF ||
1212 	     sm->user->methods[sm->user_eap_method_index].method !=
1213 	     EAP_TYPE_NONE)) {
1214 		wpa_printf(MSG_DEBUG, "EAP: getDecision: another method "
1215 			   "available -> CONTINUE");
1216 		return DECISION_CONTINUE;
1217 	}
1218 
1219 	if (sm->identity == NULL || sm->currentId == -1) {
1220 		wpa_printf(MSG_DEBUG, "EAP: getDecision: no identity known "
1221 			   "yet -> CONTINUE");
1222 		return DECISION_CONTINUE;
1223 	}
1224 
1225 	wpa_printf(MSG_DEBUG, "EAP: getDecision: no more methods available -> "
1226 		   "FAILURE");
1227 	return DECISION_FAILURE;
1228 }
1229 
1230 
eap_sm_Policy_doPickUp(struct eap_sm * sm,EapType method)1231 static Boolean eap_sm_Policy_doPickUp(struct eap_sm *sm, EapType method)
1232 {
1233 	return method == EAP_TYPE_IDENTITY ? TRUE : FALSE;
1234 }
1235 
1236 
1237 /**
1238  * eap_server_sm_step - Step EAP server state machine
1239  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1240  * Returns: 1 if EAP state was changed or 0 if not
1241  *
1242  * This function advances EAP state machine to a new state to match with the
1243  * current variables. This should be called whenever variables used by the EAP
1244  * state machine have changed.
1245  */
eap_server_sm_step(struct eap_sm * sm)1246 int eap_server_sm_step(struct eap_sm *sm)
1247 {
1248 	int res = 0;
1249 	do {
1250 		sm->changed = FALSE;
1251 		SM_STEP_RUN(EAP);
1252 		if (sm->changed)
1253 			res = 1;
1254 	} while (sm->changed);
1255 	return res;
1256 }
1257 
1258 
eap_user_free(struct eap_user * user)1259 static void eap_user_free(struct eap_user *user)
1260 {
1261 	if (user == NULL)
1262 		return;
1263 	bin_clear_free(user->password, user->password_len);
1264 	user->password = NULL;
1265 	os_free(user);
1266 }
1267 
1268 
1269 /**
1270  * eap_server_sm_init - Allocate and initialize EAP server state machine
1271  * @eapol_ctx: Context data to be used with eapol_cb calls
1272  * @eapol_cb: Pointer to EAPOL callback functions
1273  * @conf: EAP configuration
1274  * Returns: Pointer to the allocated EAP state machine or %NULL on failure
1275  *
1276  * This function allocates and initializes an EAP state machine.
1277  */
eap_server_sm_init(void * eapol_ctx,struct eapol_callbacks * eapol_cb,struct eap_config * conf)1278 struct eap_sm * eap_server_sm_init(void *eapol_ctx,
1279 				   struct eapol_callbacks *eapol_cb,
1280 				   struct eap_config *conf)
1281 {
1282 	struct eap_sm *sm;
1283 
1284 	sm = os_zalloc(sizeof(*sm));
1285 	if (sm == NULL)
1286 		return NULL;
1287 	sm->eapol_ctx = eapol_ctx;
1288 	sm->eapol_cb = eapol_cb;
1289 	sm->MaxRetrans = 5; /* RFC 3748: max 3-5 retransmissions suggested */
1290 	sm->ssl_ctx = conf->ssl_ctx;
1291 	sm->msg_ctx = conf->msg_ctx;
1292 	sm->eap_sim_db_priv = conf->eap_sim_db_priv;
1293 	sm->backend_auth = conf->backend_auth;
1294 	sm->eap_server = conf->eap_server;
1295 	if (conf->pac_opaque_encr_key) {
1296 		sm->pac_opaque_encr_key = os_malloc(16);
1297 		if (sm->pac_opaque_encr_key) {
1298 			os_memcpy(sm->pac_opaque_encr_key,
1299 				  conf->pac_opaque_encr_key, 16);
1300 		}
1301 	}
1302 	if (conf->eap_fast_a_id) {
1303 		sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
1304 		if (sm->eap_fast_a_id) {
1305 			os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id,
1306 				  conf->eap_fast_a_id_len);
1307 			sm->eap_fast_a_id_len = conf->eap_fast_a_id_len;
1308 		}
1309 	}
1310 	if (conf->eap_fast_a_id_info)
1311 		sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
1312 	sm->eap_fast_prov = conf->eap_fast_prov;
1313 	sm->pac_key_lifetime = conf->pac_key_lifetime;
1314 	sm->pac_key_refresh_time = conf->pac_key_refresh_time;
1315 	sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
1316 	sm->tnc = conf->tnc;
1317 	sm->wps = conf->wps;
1318 	if (conf->assoc_wps_ie)
1319 		sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie);
1320 	if (conf->assoc_p2p_ie)
1321 		sm->assoc_p2p_ie = wpabuf_dup(conf->assoc_p2p_ie);
1322 	if (conf->peer_addr)
1323 		os_memcpy(sm->peer_addr, conf->peer_addr, ETH_ALEN);
1324 	sm->fragment_size = conf->fragment_size;
1325 	sm->pwd_group = conf->pwd_group;
1326 	sm->pbc_in_m1 = conf->pbc_in_m1;
1327 	sm->server_id = conf->server_id;
1328 	sm->server_id_len = conf->server_id_len;
1329 
1330 #ifdef CONFIG_TESTING_OPTIONS
1331 	sm->tls_test_flags = conf->tls_test_flags;
1332 #endif /* CONFIG_TESTING_OPTIONS */
1333 
1334 	wpa_printf(MSG_DEBUG, "EAP: Server state machine created");
1335 
1336 	return sm;
1337 }
1338 
1339 
1340 /**
1341  * eap_server_sm_deinit - Deinitialize and free an EAP server state machine
1342  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1343  *
1344  * This function deinitializes EAP state machine and frees all allocated
1345  * resources.
1346  */
eap_server_sm_deinit(struct eap_sm * sm)1347 void eap_server_sm_deinit(struct eap_sm *sm)
1348 {
1349 	if (sm == NULL)
1350 		return;
1351 	wpa_printf(MSG_DEBUG, "EAP: Server state machine removed");
1352 	if (sm->m && sm->eap_method_priv)
1353 		sm->m->reset(sm, sm->eap_method_priv);
1354 	wpabuf_free(sm->eap_if.eapReqData);
1355 	bin_clear_free(sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
1356 	wpabuf_free(sm->lastReqData);
1357 	wpabuf_free(sm->eap_if.eapRespData);
1358 	os_free(sm->identity);
1359 	os_free(sm->pac_opaque_encr_key);
1360 	os_free(sm->eap_fast_a_id);
1361 	os_free(sm->eap_fast_a_id_info);
1362 	wpabuf_free(sm->eap_if.aaaEapReqData);
1363 	wpabuf_free(sm->eap_if.aaaEapRespData);
1364 	bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen);
1365 	eap_user_free(sm->user);
1366 	wpabuf_free(sm->assoc_wps_ie);
1367 	wpabuf_free(sm->assoc_p2p_ie);
1368 	os_free(sm);
1369 }
1370 
1371 
1372 /**
1373  * eap_sm_notify_cached - Notify EAP state machine of cached PMK
1374  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1375  *
1376  * This function is called when PMKSA caching is used to skip EAP
1377  * authentication.
1378  */
eap_sm_notify_cached(struct eap_sm * sm)1379 void eap_sm_notify_cached(struct eap_sm *sm)
1380 {
1381 	if (sm == NULL)
1382 		return;
1383 
1384 	sm->EAP_state = EAP_SUCCESS;
1385 }
1386 
1387 
1388 /**
1389  * eap_sm_pending_cb - EAP state machine callback for a pending EAP request
1390  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1391  *
1392  * This function is called when data for a pending EAP-Request is received.
1393  */
eap_sm_pending_cb(struct eap_sm * sm)1394 void eap_sm_pending_cb(struct eap_sm *sm)
1395 {
1396 	if (sm == NULL)
1397 		return;
1398 	wpa_printf(MSG_DEBUG, "EAP: Callback for pending request received");
1399 	if (sm->method_pending == METHOD_PENDING_WAIT)
1400 		sm->method_pending = METHOD_PENDING_CONT;
1401 }
1402 
1403 
1404 /**
1405  * eap_sm_method_pending - Query whether EAP method is waiting for pending data
1406  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1407  * Returns: 1 if method is waiting for pending data or 0 if not
1408  */
eap_sm_method_pending(struct eap_sm * sm)1409 int eap_sm_method_pending(struct eap_sm *sm)
1410 {
1411 	if (sm == NULL)
1412 		return 0;
1413 	return sm->method_pending == METHOD_PENDING_WAIT;
1414 }
1415 
1416 
1417 /**
1418  * eap_get_identity - Get the user identity (from EAP-Response/Identity)
1419  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1420  * @len: Buffer for returning identity length
1421  * Returns: Pointer to the user identity or %NULL if not available
1422  */
eap_get_identity(struct eap_sm * sm,size_t * len)1423 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len)
1424 {
1425 	*len = sm->identity_len;
1426 	return sm->identity;
1427 }
1428 
1429 
1430 /**
1431  * eap_get_interface - Get pointer to EAP-EAPOL interface data
1432  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1433  * Returns: Pointer to the EAP-EAPOL interface data
1434  */
eap_get_interface(struct eap_sm * sm)1435 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm)
1436 {
1437 	return &sm->eap_if;
1438 }
1439 
1440 
1441 /**
1442  * eap_server_clear_identity - Clear EAP identity information
1443  * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
1444  *
1445  * This function can be used to clear the EAP identity information in the EAP
1446  * server context. This allows the EAP/Identity method to be used again after
1447  * EAPOL-Start or EAPOL-Logoff.
1448  */
eap_server_clear_identity(struct eap_sm * sm)1449 void eap_server_clear_identity(struct eap_sm *sm)
1450 {
1451 	os_free(sm->identity);
1452 	sm->identity = NULL;
1453 }
1454