1/*
2 * IEEE 802.1X-2004 Authenticator - EAPOL state machine
3 * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "eloop.h"
13#include "state_machine.h"
14#include "common/eapol_common.h"
15#include "eap_common/eap_defs.h"
16#include "eap_common/eap_common.h"
17#include "eap_server/eap.h"
18#include "eapol_auth_sm.h"
19#include "eapol_auth_sm_i.h"
20
21#define STATE_MACHINE_DATA struct eapol_state_machine
22#define STATE_MACHINE_DEBUG_PREFIX "IEEE 802.1X"
23#define STATE_MACHINE_ADDR sm->addr
24
25static struct eapol_callbacks eapol_cb;
26
27/* EAPOL state machines are described in IEEE Std 802.1X-2004, Chap. 8.2 */
28
29#define setPortAuthorized() \
30sm->eapol->cb.set_port_authorized(sm->eapol->conf.ctx, sm->sta, 1)
31#define setPortUnauthorized() \
32sm->eapol->cb.set_port_authorized(sm->eapol->conf.ctx, sm->sta, 0)
33
34/* procedures */
35#define txCannedFail() eapol_auth_tx_canned_eap(sm, 0)
36#define txCannedSuccess() eapol_auth_tx_canned_eap(sm, 1)
37#define txReq() eapol_auth_tx_req(sm)
38#define abortAuth() sm->eapol->cb.abort_auth(sm->eapol->conf.ctx, sm->sta)
39#define txKey() sm->eapol->cb.tx_key(sm->eapol->conf.ctx, sm->sta)
40#define processKey() do { } while (0)
41
42
43static void eapol_sm_step_run(struct eapol_state_machine *sm);
44static void eapol_sm_step_cb(void *eloop_ctx, void *timeout_ctx);
45static void eapol_auth_initialize(struct eapol_state_machine *sm);
46
47
48static void eapol_auth_logger(struct eapol_authenticator *eapol,
49			      const u8 *addr, eapol_logger_level level,
50			      const char *txt)
51{
52	if (eapol->cb.logger == NULL)
53		return;
54	eapol->cb.logger(eapol->conf.ctx, addr, level, txt);
55}
56
57
58static void eapol_auth_vlogger(struct eapol_authenticator *eapol,
59			       const u8 *addr, eapol_logger_level level,
60			       const char *fmt, ...)
61{
62	char *format;
63	int maxlen;
64	va_list ap;
65
66	if (eapol->cb.logger == NULL)
67		return;
68
69	maxlen = os_strlen(fmt) + 100;
70	format = os_malloc(maxlen);
71	if (!format)
72		return;
73
74	va_start(ap, fmt);
75	vsnprintf(format, maxlen, fmt, ap);
76	va_end(ap);
77
78	eapol_auth_logger(eapol, addr, level, format);
79
80	os_free(format);
81}
82
83
84static void eapol_auth_tx_canned_eap(struct eapol_state_machine *sm,
85				     int success)
86{
87	struct eap_hdr eap;
88
89	os_memset(&eap, 0, sizeof(eap));
90
91	eap.code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
92	eap.identifier = ++sm->last_eap_id;
93	eap.length = host_to_be16(sizeof(eap));
94
95	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_DEBUG,
96			   "Sending canned EAP packet %s (identifier %d)",
97			   success ? "SUCCESS" : "FAILURE", eap.identifier);
98	sm->eapol->cb.eapol_send(sm->eapol->conf.ctx, sm->sta,
99				 IEEE802_1X_TYPE_EAP_PACKET,
100				 (u8 *) &eap, sizeof(eap));
101	sm->dot1xAuthEapolFramesTx++;
102}
103
104
105static void eapol_auth_tx_req(struct eapol_state_machine *sm)
106{
107	if (sm->eap_if->eapReqData == NULL ||
108	    wpabuf_len(sm->eap_if->eapReqData) < sizeof(struct eap_hdr)) {
109		eapol_auth_logger(sm->eapol, sm->addr,
110				  EAPOL_LOGGER_DEBUG,
111				  "TxReq called, but there is no EAP request "
112				  "from authentication server");
113		return;
114	}
115
116	if (sm->flags & EAPOL_SM_WAIT_START) {
117		wpa_printf(MSG_DEBUG, "EAPOL: Drop EAPOL TX to " MACSTR
118			   " while waiting for EAPOL-Start",
119			   MAC2STR(sm->addr));
120		return;
121	}
122
123	sm->last_eap_id = eap_get_id(sm->eap_if->eapReqData);
124	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_DEBUG,
125			   "Sending EAP Packet (identifier %d)",
126			   sm->last_eap_id);
127	sm->eapol->cb.eapol_send(sm->eapol->conf.ctx, sm->sta,
128				 IEEE802_1X_TYPE_EAP_PACKET,
129				 wpabuf_head(sm->eap_if->eapReqData),
130				 wpabuf_len(sm->eap_if->eapReqData));
131	sm->dot1xAuthEapolFramesTx++;
132	if (eap_get_type(sm->eap_if->eapReqData) == EAP_TYPE_IDENTITY)
133		sm->dot1xAuthEapolReqIdFramesTx++;
134	else
135		sm->dot1xAuthEapolReqFramesTx++;
136}
137
138
139/**
140 * eapol_port_timers_tick - Port Timers state machine
141 * @eloop_ctx: struct eapol_state_machine *
142 * @timeout_ctx: Not used
143 *
144 * This statemachine is implemented as a function that will be called
145 * once a second as a registered event loop timeout.
146 */
147static void eapol_port_timers_tick(void *eloop_ctx, void *timeout_ctx)
148{
149	struct eapol_state_machine *state = timeout_ctx;
150
151	if (state->aWhile > 0) {
152		state->aWhile--;
153		if (state->aWhile == 0) {
154			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
155				   " - aWhile --> 0",
156				   MAC2STR(state->addr));
157		}
158	}
159
160	if (state->quietWhile > 0) {
161		state->quietWhile--;
162		if (state->quietWhile == 0) {
163			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
164				   " - quietWhile --> 0",
165				   MAC2STR(state->addr));
166		}
167	}
168
169	if (state->reAuthWhen > 0) {
170		state->reAuthWhen--;
171		if (state->reAuthWhen == 0) {
172			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
173				   " - reAuthWhen --> 0",
174				   MAC2STR(state->addr));
175		}
176	}
177
178	if (state->eap_if->retransWhile > 0) {
179		state->eap_if->retransWhile--;
180		if (state->eap_if->retransWhile == 0) {
181			wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR
182				   " - (EAP) retransWhile --> 0",
183				   MAC2STR(state->addr));
184		}
185	}
186
187	eapol_sm_step_run(state);
188
189	eloop_register_timeout(1, 0, eapol_port_timers_tick, eloop_ctx, state);
190}
191
192
193
194/* Authenticator PAE state machine */
195
196SM_STATE(AUTH_PAE, INITIALIZE)
197{
198	SM_ENTRY_MA(AUTH_PAE, INITIALIZE, auth_pae);
199	sm->portMode = Auto;
200}
201
202
203SM_STATE(AUTH_PAE, DISCONNECTED)
204{
205	int from_initialize = sm->auth_pae_state == AUTH_PAE_INITIALIZE;
206
207	if (sm->eapolLogoff) {
208		if (sm->auth_pae_state == AUTH_PAE_CONNECTING)
209			sm->authEapLogoffsWhileConnecting++;
210		else if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED)
211			sm->authAuthEapLogoffWhileAuthenticated++;
212	}
213
214	SM_ENTRY_MA(AUTH_PAE, DISCONNECTED, auth_pae);
215
216	sm->authPortStatus = Unauthorized;
217	setPortUnauthorized();
218	sm->reAuthCount = 0;
219	sm->eapolLogoff = FALSE;
220	if (!from_initialize) {
221		sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0,
222				       sm->flags & EAPOL_SM_PREAUTH);
223	}
224}
225
226
227SM_STATE(AUTH_PAE, RESTART)
228{
229	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED) {
230		if (sm->reAuthenticate)
231			sm->authAuthReauthsWhileAuthenticated++;
232		if (sm->eapolStart)
233			sm->authAuthEapStartsWhileAuthenticated++;
234		if (sm->eapolLogoff)
235			sm->authAuthEapLogoffWhileAuthenticated++;
236	}
237
238	SM_ENTRY_MA(AUTH_PAE, RESTART, auth_pae);
239
240	sm->eap_if->eapRestart = TRUE;
241}
242
243
244SM_STATE(AUTH_PAE, CONNECTING)
245{
246	if (sm->auth_pae_state != AUTH_PAE_CONNECTING)
247		sm->authEntersConnecting++;
248
249	SM_ENTRY_MA(AUTH_PAE, CONNECTING, auth_pae);
250
251	sm->reAuthenticate = FALSE;
252	sm->reAuthCount++;
253}
254
255
256SM_STATE(AUTH_PAE, HELD)
257{
258	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authFail)
259		sm->authAuthFailWhileAuthenticating++;
260
261	SM_ENTRY_MA(AUTH_PAE, HELD, auth_pae);
262
263	sm->authPortStatus = Unauthorized;
264	setPortUnauthorized();
265	sm->quietWhile = sm->quietPeriod;
266	sm->eapolLogoff = FALSE;
267
268	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_WARNING,
269			   "authentication failed - EAP type: %d (%s)",
270			   sm->eap_type_authsrv,
271			   eap_server_get_name(0, sm->eap_type_authsrv));
272	if (sm->eap_type_authsrv != sm->eap_type_supp) {
273		eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO,
274				   "Supplicant used different EAP type: "
275				   "%d (%s)", sm->eap_type_supp,
276				   eap_server_get_name(0, sm->eap_type_supp));
277	}
278	sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0,
279			       sm->flags & EAPOL_SM_PREAUTH);
280}
281
282
283SM_STATE(AUTH_PAE, AUTHENTICATED)
284{
285	char *extra = "";
286
287	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authSuccess)
288		sm->authAuthSuccessesWhileAuthenticating++;
289
290	SM_ENTRY_MA(AUTH_PAE, AUTHENTICATED, auth_pae);
291
292	sm->authPortStatus = Authorized;
293	setPortAuthorized();
294	sm->reAuthCount = 0;
295	if (sm->flags & EAPOL_SM_PREAUTH)
296		extra = " (pre-authentication)";
297	else if (sm->flags & EAPOL_SM_FROM_PMKSA_CACHE)
298		extra = " (PMKSA cache)";
299	eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO,
300			   "authenticated - EAP type: %d (%s)%s",
301			   sm->eap_type_authsrv,
302			   eap_server_get_name(0, sm->eap_type_authsrv),
303			   extra);
304	sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 1,
305			       sm->flags & EAPOL_SM_PREAUTH);
306}
307
308
309SM_STATE(AUTH_PAE, AUTHENTICATING)
310{
311	SM_ENTRY_MA(AUTH_PAE, AUTHENTICATING, auth_pae);
312
313	sm->eapolStart = FALSE;
314	sm->authSuccess = FALSE;
315	sm->authFail = FALSE;
316	sm->authTimeout = FALSE;
317	sm->authStart = TRUE;
318	sm->keyRun = FALSE;
319	sm->keyDone = FALSE;
320}
321
322
323SM_STATE(AUTH_PAE, ABORTING)
324{
325	if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING) {
326		if (sm->authTimeout)
327			sm->authAuthTimeoutsWhileAuthenticating++;
328		if (sm->eapolStart)
329			sm->authAuthEapStartsWhileAuthenticating++;
330		if (sm->eapolLogoff)
331			sm->authAuthEapLogoffWhileAuthenticating++;
332	}
333
334	SM_ENTRY_MA(AUTH_PAE, ABORTING, auth_pae);
335
336	sm->authAbort = TRUE;
337	sm->keyRun = FALSE;
338	sm->keyDone = FALSE;
339}
340
341
342SM_STATE(AUTH_PAE, FORCE_AUTH)
343{
344	SM_ENTRY_MA(AUTH_PAE, FORCE_AUTH, auth_pae);
345
346	sm->authPortStatus = Authorized;
347	setPortAuthorized();
348	sm->portMode = ForceAuthorized;
349	sm->eapolStart = FALSE;
350	txCannedSuccess();
351}
352
353
354SM_STATE(AUTH_PAE, FORCE_UNAUTH)
355{
356	SM_ENTRY_MA(AUTH_PAE, FORCE_UNAUTH, auth_pae);
357
358	sm->authPortStatus = Unauthorized;
359	setPortUnauthorized();
360	sm->portMode = ForceUnauthorized;
361	sm->eapolStart = FALSE;
362	txCannedFail();
363}
364
365
366SM_STEP(AUTH_PAE)
367{
368	if ((sm->portControl == Auto && sm->portMode != sm->portControl) ||
369	    sm->initialize || !sm->eap_if->portEnabled)
370		SM_ENTER_GLOBAL(AUTH_PAE, INITIALIZE);
371	else if (sm->portControl == ForceAuthorized &&
372		 sm->portMode != sm->portControl &&
373		 !(sm->initialize || !sm->eap_if->portEnabled))
374		SM_ENTER_GLOBAL(AUTH_PAE, FORCE_AUTH);
375	else if (sm->portControl == ForceUnauthorized &&
376		 sm->portMode != sm->portControl &&
377		 !(sm->initialize || !sm->eap_if->portEnabled))
378		SM_ENTER_GLOBAL(AUTH_PAE, FORCE_UNAUTH);
379	else {
380		switch (sm->auth_pae_state) {
381		case AUTH_PAE_INITIALIZE:
382			SM_ENTER(AUTH_PAE, DISCONNECTED);
383			break;
384		case AUTH_PAE_DISCONNECTED:
385			SM_ENTER(AUTH_PAE, RESTART);
386			break;
387		case AUTH_PAE_RESTART:
388			if (!sm->eap_if->eapRestart)
389				SM_ENTER(AUTH_PAE, CONNECTING);
390			break;
391		case AUTH_PAE_HELD:
392			if (sm->quietWhile == 0)
393				SM_ENTER(AUTH_PAE, RESTART);
394			break;
395		case AUTH_PAE_CONNECTING:
396			if (sm->eapolLogoff || sm->reAuthCount > sm->reAuthMax)
397				SM_ENTER(AUTH_PAE, DISCONNECTED);
398			else if ((sm->eap_if->eapReq &&
399				  sm->reAuthCount <= sm->reAuthMax) ||
400				 sm->eap_if->eapSuccess || sm->eap_if->eapFail)
401				SM_ENTER(AUTH_PAE, AUTHENTICATING);
402			break;
403		case AUTH_PAE_AUTHENTICATED:
404			if (sm->eapolStart || sm->reAuthenticate)
405				SM_ENTER(AUTH_PAE, RESTART);
406			else if (sm->eapolLogoff || !sm->portValid)
407				SM_ENTER(AUTH_PAE, DISCONNECTED);
408			break;
409		case AUTH_PAE_AUTHENTICATING:
410			if (sm->authSuccess && sm->portValid)
411				SM_ENTER(AUTH_PAE, AUTHENTICATED);
412			else if (sm->authFail ||
413				 (sm->keyDone && !sm->portValid))
414				SM_ENTER(AUTH_PAE, HELD);
415			else if (sm->eapolStart || sm->eapolLogoff ||
416				 sm->authTimeout)
417				SM_ENTER(AUTH_PAE, ABORTING);
418			break;
419		case AUTH_PAE_ABORTING:
420			if (sm->eapolLogoff && !sm->authAbort)
421				SM_ENTER(AUTH_PAE, DISCONNECTED);
422			else if (!sm->eapolLogoff && !sm->authAbort)
423				SM_ENTER(AUTH_PAE, RESTART);
424			break;
425		case AUTH_PAE_FORCE_AUTH:
426			if (sm->eapolStart)
427				SM_ENTER(AUTH_PAE, FORCE_AUTH);
428			break;
429		case AUTH_PAE_FORCE_UNAUTH:
430			if (sm->eapolStart)
431				SM_ENTER(AUTH_PAE, FORCE_UNAUTH);
432			break;
433		}
434	}
435}
436
437
438
439/* Backend Authentication state machine */
440
441SM_STATE(BE_AUTH, INITIALIZE)
442{
443	SM_ENTRY_MA(BE_AUTH, INITIALIZE, be_auth);
444
445	abortAuth();
446	sm->eap_if->eapNoReq = FALSE;
447	sm->authAbort = FALSE;
448}
449
450
451SM_STATE(BE_AUTH, REQUEST)
452{
453	SM_ENTRY_MA(BE_AUTH, REQUEST, be_auth);
454
455	txReq();
456	sm->eap_if->eapReq = FALSE;
457	sm->backendOtherRequestsToSupplicant++;
458
459	/*
460	 * Clearing eapolEap here is not specified in IEEE Std 802.1X-2004, but
461	 * it looks like this would be logical thing to do there since the old
462	 * EAP response would not be valid anymore after the new EAP request
463	 * was sent out.
464	 *
465	 * A race condition has been reported, in which hostapd ended up
466	 * sending out EAP-Response/Identity as a response to the first
467	 * EAP-Request from the main EAP method. This can be avoided by
468	 * clearing eapolEap here.
469	 */
470	sm->eapolEap = FALSE;
471}
472
473
474SM_STATE(BE_AUTH, RESPONSE)
475{
476	SM_ENTRY_MA(BE_AUTH, RESPONSE, be_auth);
477
478	sm->authTimeout = FALSE;
479	sm->eapolEap = FALSE;
480	sm->eap_if->eapNoReq = FALSE;
481	sm->aWhile = sm->serverTimeout;
482	sm->eap_if->eapResp = TRUE;
483	/* sendRespToServer(); */
484	sm->backendResponses++;
485}
486
487
488SM_STATE(BE_AUTH, SUCCESS)
489{
490	SM_ENTRY_MA(BE_AUTH, SUCCESS, be_auth);
491
492	txReq();
493	sm->authSuccess = TRUE;
494	sm->keyRun = TRUE;
495}
496
497
498SM_STATE(BE_AUTH, FAIL)
499{
500	SM_ENTRY_MA(BE_AUTH, FAIL, be_auth);
501
502	txReq();
503	sm->authFail = TRUE;
504}
505
506
507SM_STATE(BE_AUTH, TIMEOUT)
508{
509	SM_ENTRY_MA(BE_AUTH, TIMEOUT, be_auth);
510
511	sm->authTimeout = TRUE;
512}
513
514
515SM_STATE(BE_AUTH, IDLE)
516{
517	SM_ENTRY_MA(BE_AUTH, IDLE, be_auth);
518
519	sm->authStart = FALSE;
520}
521
522
523SM_STATE(BE_AUTH, IGNORE)
524{
525	SM_ENTRY_MA(BE_AUTH, IGNORE, be_auth);
526
527	sm->eap_if->eapNoReq = FALSE;
528}
529
530
531SM_STEP(BE_AUTH)
532{
533	if (sm->portControl != Auto || sm->initialize || sm->authAbort) {
534		SM_ENTER_GLOBAL(BE_AUTH, INITIALIZE);
535		return;
536	}
537
538	switch (sm->be_auth_state) {
539	case BE_AUTH_INITIALIZE:
540		SM_ENTER(BE_AUTH, IDLE);
541		break;
542	case BE_AUTH_REQUEST:
543		if (sm->eapolEap)
544			SM_ENTER(BE_AUTH, RESPONSE);
545		else if (sm->eap_if->eapReq)
546			SM_ENTER(BE_AUTH, REQUEST);
547		else if (sm->eap_if->eapTimeout)
548			SM_ENTER(BE_AUTH, TIMEOUT);
549		break;
550	case BE_AUTH_RESPONSE:
551		if (sm->eap_if->eapNoReq)
552			SM_ENTER(BE_AUTH, IGNORE);
553		if (sm->eap_if->eapReq) {
554			sm->backendAccessChallenges++;
555			SM_ENTER(BE_AUTH, REQUEST);
556		} else if (sm->aWhile == 0)
557			SM_ENTER(BE_AUTH, TIMEOUT);
558		else if (sm->eap_if->eapFail) {
559			sm->backendAuthFails++;
560			SM_ENTER(BE_AUTH, FAIL);
561		} else if (sm->eap_if->eapSuccess) {
562			sm->backendAuthSuccesses++;
563			SM_ENTER(BE_AUTH, SUCCESS);
564		}
565		break;
566	case BE_AUTH_SUCCESS:
567		SM_ENTER(BE_AUTH, IDLE);
568		break;
569	case BE_AUTH_FAIL:
570		SM_ENTER(BE_AUTH, IDLE);
571		break;
572	case BE_AUTH_TIMEOUT:
573		SM_ENTER(BE_AUTH, IDLE);
574		break;
575	case BE_AUTH_IDLE:
576		if (sm->eap_if->eapFail && sm->authStart)
577			SM_ENTER(BE_AUTH, FAIL);
578		else if (sm->eap_if->eapReq && sm->authStart)
579			SM_ENTER(BE_AUTH, REQUEST);
580		else if (sm->eap_if->eapSuccess && sm->authStart)
581			SM_ENTER(BE_AUTH, SUCCESS);
582		break;
583	case BE_AUTH_IGNORE:
584		if (sm->eapolEap)
585			SM_ENTER(BE_AUTH, RESPONSE);
586		else if (sm->eap_if->eapReq)
587			SM_ENTER(BE_AUTH, REQUEST);
588		else if (sm->eap_if->eapTimeout)
589			SM_ENTER(BE_AUTH, TIMEOUT);
590		break;
591	}
592}
593
594
595
596/* Reauthentication Timer state machine */
597
598SM_STATE(REAUTH_TIMER, INITIALIZE)
599{
600	SM_ENTRY_MA(REAUTH_TIMER, INITIALIZE, reauth_timer);
601
602	sm->reAuthWhen = sm->reAuthPeriod;
603}
604
605
606SM_STATE(REAUTH_TIMER, REAUTHENTICATE)
607{
608	SM_ENTRY_MA(REAUTH_TIMER, REAUTHENTICATE, reauth_timer);
609
610	sm->reAuthenticate = TRUE;
611	sm->eapol->cb.eapol_event(sm->eapol->conf.ctx, sm->sta,
612				  EAPOL_AUTH_REAUTHENTICATE);
613}
614
615
616SM_STEP(REAUTH_TIMER)
617{
618	if (sm->portControl != Auto || sm->initialize ||
619	    sm->authPortStatus == Unauthorized || !sm->reAuthEnabled) {
620		SM_ENTER_GLOBAL(REAUTH_TIMER, INITIALIZE);
621		return;
622	}
623
624	switch (sm->reauth_timer_state) {
625	case REAUTH_TIMER_INITIALIZE:
626		if (sm->reAuthWhen == 0)
627			SM_ENTER(REAUTH_TIMER, REAUTHENTICATE);
628		break;
629	case REAUTH_TIMER_REAUTHENTICATE:
630		SM_ENTER(REAUTH_TIMER, INITIALIZE);
631		break;
632	}
633}
634
635
636
637/* Authenticator Key Transmit state machine */
638
639SM_STATE(AUTH_KEY_TX, NO_KEY_TRANSMIT)
640{
641	SM_ENTRY_MA(AUTH_KEY_TX, NO_KEY_TRANSMIT, auth_key_tx);
642}
643
644
645SM_STATE(AUTH_KEY_TX, KEY_TRANSMIT)
646{
647	SM_ENTRY_MA(AUTH_KEY_TX, KEY_TRANSMIT, auth_key_tx);
648
649	txKey();
650	sm->eap_if->eapKeyAvailable = FALSE;
651	sm->keyDone = TRUE;
652}
653
654
655SM_STEP(AUTH_KEY_TX)
656{
657	if (sm->initialize || sm->portControl != Auto) {
658		SM_ENTER_GLOBAL(AUTH_KEY_TX, NO_KEY_TRANSMIT);
659		return;
660	}
661
662	switch (sm->auth_key_tx_state) {
663	case AUTH_KEY_TX_NO_KEY_TRANSMIT:
664		if (sm->keyTxEnabled && sm->eap_if->eapKeyAvailable &&
665		    sm->keyRun && !(sm->flags & EAPOL_SM_USES_WPA))
666			SM_ENTER(AUTH_KEY_TX, KEY_TRANSMIT);
667		break;
668	case AUTH_KEY_TX_KEY_TRANSMIT:
669		if (!sm->keyTxEnabled || !sm->keyRun)
670			SM_ENTER(AUTH_KEY_TX, NO_KEY_TRANSMIT);
671		else if (sm->eap_if->eapKeyAvailable)
672			SM_ENTER(AUTH_KEY_TX, KEY_TRANSMIT);
673		break;
674	}
675}
676
677
678
679/* Key Receive state machine */
680
681SM_STATE(KEY_RX, NO_KEY_RECEIVE)
682{
683	SM_ENTRY_MA(KEY_RX, NO_KEY_RECEIVE, key_rx);
684}
685
686
687SM_STATE(KEY_RX, KEY_RECEIVE)
688{
689	SM_ENTRY_MA(KEY_RX, KEY_RECEIVE, key_rx);
690
691	processKey();
692	sm->rxKey = FALSE;
693}
694
695
696SM_STEP(KEY_RX)
697{
698	if (sm->initialize || !sm->eap_if->portEnabled) {
699		SM_ENTER_GLOBAL(KEY_RX, NO_KEY_RECEIVE);
700		return;
701	}
702
703	switch (sm->key_rx_state) {
704	case KEY_RX_NO_KEY_RECEIVE:
705		if (sm->rxKey)
706			SM_ENTER(KEY_RX, KEY_RECEIVE);
707		break;
708	case KEY_RX_KEY_RECEIVE:
709		if (sm->rxKey)
710			SM_ENTER(KEY_RX, KEY_RECEIVE);
711		break;
712	}
713}
714
715
716
717/* Controlled Directions state machine */
718
719SM_STATE(CTRL_DIR, FORCE_BOTH)
720{
721	SM_ENTRY_MA(CTRL_DIR, FORCE_BOTH, ctrl_dir);
722	sm->operControlledDirections = Both;
723}
724
725
726SM_STATE(CTRL_DIR, IN_OR_BOTH)
727{
728	SM_ENTRY_MA(CTRL_DIR, IN_OR_BOTH, ctrl_dir);
729	sm->operControlledDirections = sm->adminControlledDirections;
730}
731
732
733SM_STEP(CTRL_DIR)
734{
735	if (sm->initialize) {
736		SM_ENTER_GLOBAL(CTRL_DIR, IN_OR_BOTH);
737		return;
738	}
739
740	switch (sm->ctrl_dir_state) {
741	case CTRL_DIR_FORCE_BOTH:
742		if (sm->eap_if->portEnabled && sm->operEdge)
743			SM_ENTER(CTRL_DIR, IN_OR_BOTH);
744		break;
745	case CTRL_DIR_IN_OR_BOTH:
746		if (sm->operControlledDirections !=
747		    sm->adminControlledDirections)
748			SM_ENTER(CTRL_DIR, IN_OR_BOTH);
749		if (!sm->eap_if->portEnabled || !sm->operEdge)
750			SM_ENTER(CTRL_DIR, FORCE_BOTH);
751		break;
752	}
753}
754
755
756
757struct eapol_state_machine *
758eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
759		 int flags, const struct wpabuf *assoc_wps_ie,
760		 const struct wpabuf *assoc_p2p_ie, void *sta_ctx,
761		 const char *identity, const char *radius_cui)
762{
763	struct eapol_state_machine *sm;
764	struct eap_config eap_conf;
765
766	if (eapol == NULL)
767		return NULL;
768
769	sm = os_zalloc(sizeof(*sm));
770	if (sm == NULL) {
771		wpa_printf(MSG_DEBUG, "IEEE 802.1X state machine allocation "
772			   "failed");
773		return NULL;
774	}
775	sm->radius_identifier = -1;
776	os_memcpy(sm->addr, addr, ETH_ALEN);
777	sm->flags = flags;
778
779	sm->eapol = eapol;
780	sm->sta = sta_ctx;
781
782	/* Set default values for state machine constants */
783	sm->auth_pae_state = AUTH_PAE_INITIALIZE;
784	sm->quietPeriod = AUTH_PAE_DEFAULT_quietPeriod;
785	sm->reAuthMax = AUTH_PAE_DEFAULT_reAuthMax;
786
787	sm->be_auth_state = BE_AUTH_INITIALIZE;
788	sm->serverTimeout = BE_AUTH_DEFAULT_serverTimeout;
789
790	sm->reauth_timer_state = REAUTH_TIMER_INITIALIZE;
791	sm->reAuthPeriod = eapol->conf.eap_reauth_period;
792	sm->reAuthEnabled = eapol->conf.eap_reauth_period > 0 ? TRUE : FALSE;
793
794	sm->auth_key_tx_state = AUTH_KEY_TX_NO_KEY_TRANSMIT;
795
796	sm->key_rx_state = KEY_RX_NO_KEY_RECEIVE;
797
798	sm->ctrl_dir_state = CTRL_DIR_IN_OR_BOTH;
799
800	sm->portControl = Auto;
801
802	if (!eapol->conf.wpa &&
803	    (eapol->default_wep_key || eapol->conf.individual_wep_key_len > 0))
804		sm->keyTxEnabled = TRUE;
805	else
806		sm->keyTxEnabled = FALSE;
807	if (eapol->conf.wpa)
808		sm->portValid = FALSE;
809	else
810		sm->portValid = TRUE;
811
812	os_memset(&eap_conf, 0, sizeof(eap_conf));
813	eap_conf.eap_server = eapol->conf.eap_server;
814	eap_conf.ssl_ctx = eapol->conf.ssl_ctx;
815	eap_conf.msg_ctx = eapol->conf.msg_ctx;
816	eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
817	eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
818	eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
819	eap_conf.eap_fast_a_id_len = eapol->conf.eap_fast_a_id_len;
820	eap_conf.eap_fast_a_id_info = eapol->conf.eap_fast_a_id_info;
821	eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
822	eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
823	eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
824	eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
825	eap_conf.tnc = eapol->conf.tnc;
826	eap_conf.wps = eapol->conf.wps;
827	eap_conf.assoc_wps_ie = assoc_wps_ie;
828	eap_conf.assoc_p2p_ie = assoc_p2p_ie;
829	eap_conf.peer_addr = addr;
830	eap_conf.fragment_size = eapol->conf.fragment_size;
831	eap_conf.pwd_group = eapol->conf.pwd_group;
832	eap_conf.pbc_in_m1 = eapol->conf.pbc_in_m1;
833	eap_conf.server_id = eapol->conf.server_id;
834	eap_conf.server_id_len = eapol->conf.server_id_len;
835	sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
836	if (sm->eap == NULL) {
837		eapol_auth_free(sm);
838		return NULL;
839	}
840	sm->eap_if = eap_get_interface(sm->eap);
841
842	eapol_auth_initialize(sm);
843
844	if (identity) {
845		sm->identity = (u8 *) os_strdup(identity);
846		if (sm->identity)
847			sm->identity_len = os_strlen(identity);
848	}
849	if (radius_cui)
850		sm->radius_cui = wpabuf_alloc_copy(radius_cui,
851						   os_strlen(radius_cui));
852
853	return sm;
854}
855
856
857void eapol_auth_free(struct eapol_state_machine *sm)
858{
859	if (sm == NULL)
860		return;
861
862	eloop_cancel_timeout(eapol_port_timers_tick, NULL, sm);
863	eloop_cancel_timeout(eapol_sm_step_cb, sm, NULL);
864	if (sm->eap)
865		eap_server_sm_deinit(sm->eap);
866	os_free(sm);
867}
868
869
870static int eapol_sm_sta_entry_alive(struct eapol_authenticator *eapol,
871				    const u8 *addr)
872{
873	return eapol->cb.sta_entry_alive(eapol->conf.ctx, addr);
874}
875
876
877static void eapol_sm_step_run(struct eapol_state_machine *sm)
878{
879	struct eapol_authenticator *eapol = sm->eapol;
880	u8 addr[ETH_ALEN];
881	unsigned int prev_auth_pae, prev_be_auth, prev_reauth_timer,
882		prev_auth_key_tx, prev_key_rx, prev_ctrl_dir;
883	int max_steps = 100;
884
885	os_memcpy(addr, sm->addr, ETH_ALEN);
886
887	/*
888	 * Allow EAPOL state machines to run as long as there are state
889	 * changes, but exit and return here through event loop if more than
890	 * 100 steps is needed as a precaution against infinite loops inside
891	 * eloop callback.
892	 */
893restart:
894	prev_auth_pae = sm->auth_pae_state;
895	prev_be_auth = sm->be_auth_state;
896	prev_reauth_timer = sm->reauth_timer_state;
897	prev_auth_key_tx = sm->auth_key_tx_state;
898	prev_key_rx = sm->key_rx_state;
899	prev_ctrl_dir = sm->ctrl_dir_state;
900
901	SM_STEP_RUN(AUTH_PAE);
902	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
903		SM_STEP_RUN(BE_AUTH);
904	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
905		SM_STEP_RUN(REAUTH_TIMER);
906	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
907		SM_STEP_RUN(AUTH_KEY_TX);
908	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
909		SM_STEP_RUN(KEY_RX);
910	if (sm->initializing || eapol_sm_sta_entry_alive(eapol, addr))
911		SM_STEP_RUN(CTRL_DIR);
912
913	if (prev_auth_pae != sm->auth_pae_state ||
914	    prev_be_auth != sm->be_auth_state ||
915	    prev_reauth_timer != sm->reauth_timer_state ||
916	    prev_auth_key_tx != sm->auth_key_tx_state ||
917	    prev_key_rx != sm->key_rx_state ||
918	    prev_ctrl_dir != sm->ctrl_dir_state) {
919		if (--max_steps > 0)
920			goto restart;
921		/* Re-run from eloop timeout */
922		eapol_auth_step(sm);
923		return;
924	}
925
926	if (eapol_sm_sta_entry_alive(eapol, addr) && sm->eap) {
927		if (eap_server_sm_step(sm->eap)) {
928			if (--max_steps > 0)
929				goto restart;
930			/* Re-run from eloop timeout */
931			eapol_auth_step(sm);
932			return;
933		}
934
935		/* TODO: find a better location for this */
936		if (sm->eap_if->aaaEapResp) {
937			sm->eap_if->aaaEapResp = FALSE;
938			if (sm->eap_if->aaaEapRespData == NULL) {
939				wpa_printf(MSG_DEBUG, "EAPOL: aaaEapResp set, "
940					   "but no aaaEapRespData available");
941				return;
942			}
943			sm->eapol->cb.aaa_send(
944				sm->eapol->conf.ctx, sm->sta,
945				wpabuf_head(sm->eap_if->aaaEapRespData),
946				wpabuf_len(sm->eap_if->aaaEapRespData));
947		}
948	}
949
950	if (eapol_sm_sta_entry_alive(eapol, addr))
951		sm->eapol->cb.eapol_event(sm->eapol->conf.ctx, sm->sta,
952					  EAPOL_AUTH_SM_CHANGE);
953}
954
955
956static void eapol_sm_step_cb(void *eloop_ctx, void *timeout_ctx)
957{
958	struct eapol_state_machine *sm = eloop_ctx;
959	eapol_sm_step_run(sm);
960}
961
962
963/**
964 * eapol_auth_step - Advance EAPOL state machines
965 * @sm: EAPOL state machine
966 *
967 * This function is called to advance EAPOL state machines after any change
968 * that could affect their state.
969 */
970void eapol_auth_step(struct eapol_state_machine *sm)
971{
972	/*
973	 * Run eapol_sm_step_run from a registered timeout to make sure that
974	 * other possible timeouts/events are processed and to avoid long
975	 * function call chains.
976	 */
977
978	eloop_register_timeout(0, 0, eapol_sm_step_cb, sm, NULL);
979}
980
981
982static void eapol_auth_initialize(struct eapol_state_machine *sm)
983{
984	sm->initializing = TRUE;
985	/* Initialize the state machines by asserting initialize and then
986	 * deasserting it after one step */
987	sm->initialize = TRUE;
988	eapol_sm_step_run(sm);
989	sm->initialize = FALSE;
990	eapol_sm_step_run(sm);
991	sm->initializing = FALSE;
992
993	/* Start one second tick for port timers state machine */
994	eloop_cancel_timeout(eapol_port_timers_tick, NULL, sm);
995	eloop_register_timeout(1, 0, eapol_port_timers_tick, NULL, sm);
996}
997
998
999static int eapol_sm_get_eap_user(void *ctx, const u8 *identity,
1000				 size_t identity_len, int phase2,
1001				 struct eap_user *user)
1002{
1003	struct eapol_state_machine *sm = ctx;
1004	return sm->eapol->cb.get_eap_user(sm->eapol->conf.ctx, identity,
1005					  identity_len, phase2, user);
1006}
1007
1008
1009static const char * eapol_sm_get_eap_req_id_text(void *ctx, size_t *len)
1010{
1011	struct eapol_state_machine *sm = ctx;
1012	*len = sm->eapol->conf.eap_req_id_text_len;
1013	return sm->eapol->conf.eap_req_id_text;
1014}
1015
1016
1017static struct eapol_callbacks eapol_cb =
1018{
1019	eapol_sm_get_eap_user,
1020	eapol_sm_get_eap_req_id_text
1021};
1022
1023
1024int eapol_auth_eap_pending_cb(struct eapol_state_machine *sm, void *ctx)
1025{
1026	if (sm == NULL || ctx == NULL || ctx != sm->eap)
1027		return -1;
1028
1029	eap_sm_pending_cb(sm->eap);
1030	eapol_auth_step(sm);
1031
1032	return 0;
1033}
1034
1035
1036static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
1037				 struct eapol_auth_config *src)
1038{
1039	dst->ctx = src->ctx;
1040	dst->eap_reauth_period = src->eap_reauth_period;
1041	dst->wpa = src->wpa;
1042	dst->individual_wep_key_len = src->individual_wep_key_len;
1043	dst->eap_server = src->eap_server;
1044	dst->ssl_ctx = src->ssl_ctx;
1045	dst->msg_ctx = src->msg_ctx;
1046	dst->eap_sim_db_priv = src->eap_sim_db_priv;
1047	os_free(dst->eap_req_id_text);
1048	dst->pwd_group = src->pwd_group;
1049	dst->pbc_in_m1 = src->pbc_in_m1;
1050	dst->server_id = src->server_id;
1051	dst->server_id_len = src->server_id_len;
1052	if (src->eap_req_id_text) {
1053		dst->eap_req_id_text = os_malloc(src->eap_req_id_text_len);
1054		if (dst->eap_req_id_text == NULL)
1055			return -1;
1056		os_memcpy(dst->eap_req_id_text, src->eap_req_id_text,
1057			  src->eap_req_id_text_len);
1058		dst->eap_req_id_text_len = src->eap_req_id_text_len;
1059	} else {
1060		dst->eap_req_id_text = NULL;
1061		dst->eap_req_id_text_len = 0;
1062	}
1063	if (src->pac_opaque_encr_key) {
1064		dst->pac_opaque_encr_key = os_malloc(16);
1065		os_memcpy(dst->pac_opaque_encr_key, src->pac_opaque_encr_key,
1066			  16);
1067	} else
1068		dst->pac_opaque_encr_key = NULL;
1069	if (src->eap_fast_a_id) {
1070		dst->eap_fast_a_id = os_malloc(src->eap_fast_a_id_len);
1071		if (dst->eap_fast_a_id == NULL) {
1072			os_free(dst->eap_req_id_text);
1073			return -1;
1074		}
1075		os_memcpy(dst->eap_fast_a_id, src->eap_fast_a_id,
1076			  src->eap_fast_a_id_len);
1077		dst->eap_fast_a_id_len = src->eap_fast_a_id_len;
1078	} else
1079		dst->eap_fast_a_id = NULL;
1080	if (src->eap_fast_a_id_info) {
1081		dst->eap_fast_a_id_info = os_strdup(src->eap_fast_a_id_info);
1082		if (dst->eap_fast_a_id_info == NULL) {
1083			os_free(dst->eap_req_id_text);
1084			os_free(dst->eap_fast_a_id);
1085			return -1;
1086		}
1087	} else
1088		dst->eap_fast_a_id_info = NULL;
1089	dst->eap_fast_prov = src->eap_fast_prov;
1090	dst->pac_key_lifetime = src->pac_key_lifetime;
1091	dst->pac_key_refresh_time = src->pac_key_refresh_time;
1092	dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
1093	dst->tnc = src->tnc;
1094	dst->wps = src->wps;
1095	dst->fragment_size = src->fragment_size;
1096	return 0;
1097}
1098
1099
1100static void eapol_auth_conf_free(struct eapol_auth_config *conf)
1101{
1102	os_free(conf->eap_req_id_text);
1103	conf->eap_req_id_text = NULL;
1104	os_free(conf->pac_opaque_encr_key);
1105	conf->pac_opaque_encr_key = NULL;
1106	os_free(conf->eap_fast_a_id);
1107	conf->eap_fast_a_id = NULL;
1108	os_free(conf->eap_fast_a_id_info);
1109	conf->eap_fast_a_id_info = NULL;
1110}
1111
1112
1113struct eapol_authenticator * eapol_auth_init(struct eapol_auth_config *conf,
1114					     struct eapol_auth_cb *cb)
1115{
1116	struct eapol_authenticator *eapol;
1117
1118	eapol = os_zalloc(sizeof(*eapol));
1119	if (eapol == NULL)
1120		return NULL;
1121
1122	if (eapol_auth_conf_clone(&eapol->conf, conf) < 0) {
1123		os_free(eapol);
1124		return NULL;
1125	}
1126
1127	if (conf->individual_wep_key_len > 0) {
1128		/* use key0 in individual key and key1 in broadcast key */
1129		eapol->default_wep_key_idx = 1;
1130	}
1131
1132	eapol->cb.eapol_send = cb->eapol_send;
1133	eapol->cb.aaa_send = cb->aaa_send;
1134	eapol->cb.finished = cb->finished;
1135	eapol->cb.get_eap_user = cb->get_eap_user;
1136	eapol->cb.sta_entry_alive = cb->sta_entry_alive;
1137	eapol->cb.logger = cb->logger;
1138	eapol->cb.set_port_authorized = cb->set_port_authorized;
1139	eapol->cb.abort_auth = cb->abort_auth;
1140	eapol->cb.tx_key = cb->tx_key;
1141	eapol->cb.eapol_event = cb->eapol_event;
1142
1143	return eapol;
1144}
1145
1146
1147void eapol_auth_deinit(struct eapol_authenticator *eapol)
1148{
1149	if (eapol == NULL)
1150		return;
1151
1152	eapol_auth_conf_free(&eapol->conf);
1153	os_free(eapol->default_wep_key);
1154	os_free(eapol);
1155}
1156