jeltz
/
hostap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

EAP server: Use struct eap_config to avoid duplicated definitions

Browse Source 
Use struct eap_config as-is within struct eap_sm and EAPOL authenticator
to avoid having to duplicate all the configuration variables at each
interface. Split the couple of session specific variables into a
separate struct to allow a single const struct eap_config to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
master
Jouni Malinen 5 years ago
parent 8315c1ef5b
commit 822e7c66ae
26 changed files with 486 additions and 637 deletions
Show Stats Download Patch File Download Diff File

6
eap_example/eap_example_server.c
Unescape Escape View File

@ -207,6 +207,8 @@ static int eap_server_register_methods(void)
int eap_example_server_init(void)
{
struct eap_session_data eap_sess;
if (eap_server_register_methods() < 0)
return -1;
@ -223,7 +225,9 @@ int eap_example_server_init(void)
eap_conf.eap_server = 1;
eap_conf.ssl_ctx = eap_ctx.tls_ctx;
eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf);
os_memset(&eap_sess, 0, sizeof(eap_sess));
eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf,
&eap_sess);
if (eap_ctx.eap == NULL)
return -1;

1
src/ap/hostapd.h
Unescape Escape View File

@ -186,6 +186,7 @@ struct hostapd_data {
struct wpa_authenticator *wpa_auth;
struct eapol_authenticator *eapol_auth;
struct eap_config *eap_cfg;
struct rsn_preauth_interface *preauth_iface;
struct os_reltime michael_mic_failure;

87
src/ap/ieee802_1x.c
Unescape Escape View File

@ -2403,6 +2403,56 @@ static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
#endif /* CONFIG_ERP */
static struct eap_config * ieee802_1x_eap_config(struct hostapd_data *hapd)
{
struct eap_config *cfg;
cfg = os_zalloc(sizeof(*cfg));
if (!cfg)
return NULL;
cfg->eap_server = hapd->conf->eap_server;
cfg->ssl_ctx = hapd->ssl_ctx;
cfg->msg_ctx = hapd->msg_ctx;
cfg->eap_sim_db_priv = hapd->eap_sim_db_priv;
cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime;
cfg->tls_flags = hapd->conf->tls_flags;
if (hapd->conf->pac_opaque_encr_key)
cfg->pac_opaque_encr_key =
os_memdup(hapd->conf->pac_opaque_encr_key, 16);
if (hapd->conf->eap_fast_a_id) {
cfg->eap_fast_a_id = os_memdup(hapd->conf->eap_fast_a_id,
hapd->conf->eap_fast_a_id_len);
cfg->eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
}
if (hapd->conf->eap_fast_a_id_info)
cfg->eap_fast_a_id_info =
os_strdup(hapd->conf->eap_fast_a_id_info);
cfg->eap_fast_prov = hapd->conf->eap_fast_prov;
cfg->pac_key_lifetime = hapd->conf->pac_key_lifetime;
cfg->pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
cfg->eap_teap_auth = hapd->conf->eap_teap_auth;
cfg->eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
cfg->eap_sim_id = hapd->conf->eap_sim_id;
cfg->tnc = hapd->conf->tnc;
cfg->wps = hapd->wps;
cfg->fragment_size = hapd->conf->fragment_size;
cfg->pwd_group = hapd->conf->pwd_group;
cfg->pbc_in_m1 = hapd->conf->pbc_in_m1;
if (hapd->conf->server_id) {
cfg->server_id = (u8 *) os_strdup(hapd->conf->server_id);
cfg->server_id_len = os_strlen(hapd->conf->server_id);
} else {
cfg->server_id = (u8 *) os_strdup("hostapd");
cfg->server_id_len = 7;
}
cfg->erp = hapd->conf->eap_server_erp;
return cfg;
}
int ieee802_1x_init(struct hostapd_data *hapd)
{
int i;
@ -2411,45 +2461,19 @@ int ieee802_1x_init(struct hostapd_data *hapd)
dl_list_init(&hapd->erp_keys);
hapd->eap_cfg = ieee802_1x_eap_config(hapd);
if (!hapd->eap_cfg)
return -1;
os_memset(&conf, 0, sizeof(conf));
conf.eap_cfg = hapd->eap_cfg;
conf.ctx = hapd;
conf.eap_reauth_period = hapd->conf->eap_reauth_period;
conf.wpa = hapd->conf->wpa;
conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
conf.eap_server = hapd->conf->eap_server;
conf.ssl_ctx = hapd->ssl_ctx;
conf.msg_ctx = hapd->msg_ctx;
conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
conf.eap_req_id_text = hapd->conf->eap_req_id_text;
conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
conf.erp_domain = hapd->conf->erp_domain;
conf.erp = hapd->conf->eap_server_erp;
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
conf.tls_flags = hapd->conf->tls_flags;
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
conf.eap_fast_prov = hapd->conf->eap_fast_prov;
conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
conf.eap_teap_auth = hapd->conf->eap_teap_auth;
conf.eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
conf.eap_sim_id = hapd->conf->eap_sim_id;
conf.tnc = hapd->conf->tnc;
conf.wps = hapd->wps;
conf.fragment_size = hapd->conf->fragment_size;
conf.pwd_group = hapd->conf->pwd_group;
conf.pbc_in_m1 = hapd->conf->pbc_in_m1;
if (hapd->conf->server_id) {
conf.server_id = (const u8 *) hapd->conf->server_id;
conf.server_id_len = os_strlen(hapd->conf->server_id);
} else {
conf.server_id = (const u8 *) "hostapd";
conf.server_id_len = 7;
}
os_memset(&cb, 0, sizeof(cb));
cb.eapol_send = ieee802_1x_eapol_send;
@ -2520,6 +2544,9 @@ void ieee802_1x_deinit(struct hostapd_data *hapd)
eapol_auth_deinit(hapd->eapol_auth);
hapd->eapol_auth = NULL;
eap_server_config_free(hapd->eap_cfg);
hapd->eap_cfg = NULL;
ieee802_1x_erp_flush(hapd);
}

126
src/eap_server/eap.h
Unescape Escape View File

@ -108,39 +108,151 @@ struct eapol_callbacks {
};
struct eap_config {
/**
* ssl_ctx - TLS context
*
* This is passed to the EAP server implementation as a callback
* context for TLS operations.
*/
void *ssl_ctx;
void *msg_ctx;
/**
* eap_sim_db_priv - EAP-SIM/AKA database context
*
* This is passed to the EAP-SIM/AKA server implementation as a
* callback context.
*/
void *eap_sim_db_priv;
Boolean backend_auth;
int eap_server;
/**
* pwd_group - The D-H group assigned for EAP-pwd
*
* If EAP-pwd is not used it can be set to zero.
*/
u16 pwd_group;
/**
* pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
*
* This parameter is used to set a key for EAP-FAST to encrypt the
* PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
* set, must point to a 16-octet key.
*/
u8 *pac_opaque_encr_key;
/**
* eap_fast_a_id - EAP-FAST authority identity (A-ID)
*
* If EAP-FAST is not used, this can be set to %NULL. In theory, this
* is a variable length field, but due to some existing implementations
* requiring A-ID to be 16 octets in length, it is recommended to use
* that length for the field to provide interoperability with deployed
* peer implementations.
*/
u8 *eap_fast_a_id;
/**
* eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
*/
size_t eap_fast_a_id_len;
/**
* eap_fast_a_id_info - EAP-FAST authority identifier information
*
* This A-ID-Info contains a user-friendly name for the A-ID. For
* example, this could be the enterprise and server names in
* human-readable format. This field is encoded as UTF-8. If EAP-FAST
* is not used, this can be set to %NULL.
*/
char *eap_fast_a_id_info;
int eap_fast_prov;
/**
* eap_fast_prov - EAP-FAST provisioning modes
*
* 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
* 2 = only authenticated provisioning allowed, 3 = both provisioning
* modes allowed.
*/
enum {
NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
} eap_fast_prov;
/**
* pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
*
* This is the hard limit on how long a provisioned PAC-Key can be
* used.
*/
int pac_key_lifetime;
/**
* pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
*
* This is a soft limit on the PAC-Key. The server will automatically
* generate a new PAC-Key when this number of seconds (or fewer) of the
* lifetime remains.
*/
int pac_key_refresh_time;
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_teap_separate_result;
/**
* eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
*
* This controls whether the protected success/failure indication
* (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
*/
int eap_sim_aka_result_ind;
int eap_sim_id;
/**
* tnc - Trusted Network Connect (TNC)
*
* This controls whether TNC is enabled and will be required before the
* peer is allowed to connect. Note: This is only used with EAP-TTLS
* and EAP-FAST. If any other EAP method is enabled, the peer will be
* allowed to connect without TNC.
*/
int tnc;
/**
* wps - Wi-Fi Protected Setup context
*
* If WPS is used with an external RADIUS server (which is quite
* unlikely configuration), this is used to provide a pointer to WPS
* context data. Normally, this can be set to %NULL.
*/
struct wps_context *wps;
const struct wpabuf *assoc_wps_ie;
const struct wpabuf *assoc_p2p_ie;
const u8 *peer_addr;
int fragment_size;
int pbc_in_m1;
const u8 *server_id;
/**
* server_id - Server identity
*/
u8 *server_id;
size_t server_id_len;
/**
* erp - Whether EAP Re-authentication Protocol (ERP) is enabled
*
* This controls whether the authentication server derives ERP key
* hierarchy (rRK and rIK) from full EAP authentication and allows
* these keys to be used to perform ERP to derive rMSK instead of full
* EAP authentication to derive MSK.
*/
int erp;
unsigned int tls_session_lifetime;
unsigned int tls_flags;
};
struct eap_session_data {
const struct wpabuf *assoc_wps_ie;
const struct wpabuf *assoc_p2p_ie;
const u8 *peer_addr;
#ifdef CONFIG_TESTING_OPTIONS
u32 tls_test_flags;
#endif /* CONFIG_TESTING_OPTIONS */
@ -149,7 +261,8 @@ struct eap_config {
struct eap_sm * eap_server_sm_init(void *eapol_ctx,
const struct eapol_callbacks *eapol_cb,
struct eap_config *eap_conf);
const struct eap_config *conf,
const struct eap_session_data *sess);
void eap_server_sm_deinit(struct eap_sm *sm);
int eap_server_sm_step(struct eap_sm *sm);
void eap_sm_notify_cached(struct eap_sm *sm);
@ -166,5 +279,6 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
const u8 *challenge, const u8 *response);
void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
void eap_user_free(struct eap_user *user);
void eap_server_config_free(struct eap_config *cfg);
#endif /* EAP_H */

36
src/eap_server/eap_i.h
Unescape Escape View File

@ -154,7 +154,7 @@ struct eap_sm {
const struct eap_method *m; /* selected EAP method */
/* not defined in RFC 4137 */
Boolean changed;
void *eapol_ctx, *msg_ctx;
void *eapol_ctx;
const struct eapol_callbacks *eapol_cb;
void *eap_method_priv;
u8 *identity;
@ -167,11 +167,9 @@ struct eap_sm {
struct eap_user *user;
int user_eap_method_index;
int init_phase2;
void *ssl_ctx;
struct eap_sim_db_data *eap_sim_db_priv;
Boolean backend_auth;
const struct eap_config *cfg;
struct eap_config cfg_buf;
Boolean update_user;
int eap_server;
int num_rounds;
enum {
@ -181,23 +179,6 @@ struct eap_sm {
u8 *auth_challenge;
u8 *peer_challenge;
u8 *pac_opaque_encr_key;
u8 *eap_fast_a_id;
size_t eap_fast_a_id_len;
char *eap_fast_a_id_info;
enum {
NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
} eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_teap_separate_result;
int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc;
u16 pwd_group;
struct wps_context *wps;
struct wpabuf *assoc_wps_ie;
struct wpabuf *assoc_p2p_ie;
@ -205,19 +186,8 @@ struct eap_sm {
u8 peer_addr[ETH_ALEN];
/* Fragmentation size for EAP method init() handler */
int fragment_size;
int pbc_in_m1;
const u8 *server_id;
size_t server_id_len;
Boolean initiate_reauth_start_sent;
Boolean try_initiate_reauth;
int erp;
unsigned int tls_session_lifetime;
unsigned int tls_flags;
#ifdef CONFIG_TESTING_OPTIONS
u32 tls_test_flags;

120
src/eap_server/eap_server.c
Unescape Escape View File

@ -223,7 +223,7 @@ SM_STATE(EAP, INITIALIZE)
{
SM_ENTRY(EAP, INITIALIZE);
if (sm->eap_if.eapRestart && !sm->eap_server && sm->identity) {
if (sm->eap_if.eapRestart && !sm->cfg->eap_server && sm->identity) {
/*
* Need to allow internal Identity method to be used instead
* of passthrough at the beginning of reauthentication.
@ -257,7 +257,7 @@ SM_STATE(EAP, INITIALIZE)
sm->m = NULL;
sm->user_eap_method_index = 0;
if (sm->backend_auth) {
if (sm->cfg->backend_auth) {
sm->currentMethod = EAP_TYPE_NONE;
/* parse rxResp, respId, respMethod */
eap_sm_parseEapResp(sm, sm->eap_if.eapRespData);
@ -268,7 +268,7 @@ SM_STATE(EAP, INITIALIZE)
sm->num_rounds = 0;
sm->method_pending = METHOD_PENDING_NONE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
MACSTR, MAC2STR(sm->peer_addr));
}
@ -300,7 +300,7 @@ SM_STATE(EAP, PICK_UP_METHOD)
}
}
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
"method=%u", sm->currentMethod);
}
@ -325,7 +325,7 @@ SM_STATE(EAP, RETRANSMIT)
sm->eap_if.eapReq = TRUE;
}
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR,
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR,
MAC2STR(sm->peer_addr));
}
@ -530,7 +530,7 @@ SM_STATE(EAP, METHOD_RESPONSE)
sm->eap_if.eapSessionId,
sm->eap_if.eapSessionIdLen);
}
if (sm->erp && sm->m->get_emsk && sm->eap_if.eapSessionId)
if (sm->cfg->erp && sm->m->get_emsk && sm->eap_if.eapSessionId)
eap_server_erp_init(sm);
sm->methodState = METHOD_END;
} else {
@ -580,7 +580,7 @@ try_another_method:
else
sm->methodState = METHOD_PROPOSED;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
"vendor=%u method=%u", vendor, sm->currentMethod);
eap_log_msg(sm, "Propose EAP method vendor=%u method=%u",
vendor, sm->currentMethod);
@ -636,8 +636,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE)
sm->eap_if.eapTimeout = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR,
MAC2STR(sm->peer_addr));
wpa_msg(sm->cfg->msg_ctx, MSG_INFO,
WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR, MAC2STR(sm->peer_addr));
}
@ -651,7 +651,7 @@ SM_STATE(EAP, FAILURE)
sm->lastReqData = NULL;
sm->eap_if.eapFail = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
MACSTR, MAC2STR(sm->peer_addr));
}
@ -668,7 +668,7 @@ SM_STATE(EAP, SUCCESS)
sm->eap_if.eapKeyAvailable = TRUE;
sm->eap_if.eapSuccess = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
MACSTR, MAC2STR(sm->peer_addr));
}
@ -755,7 +755,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm,
if ((flags & 0x80) || !erp) {
sm->eap_if.eapFail = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
MACSTR, MAC2STR(sm->peer_addr));
return;
}
@ -783,7 +783,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm,
sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
sm->eap_if.eapSuccess = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
MACSTR, MAC2STR(sm->peer_addr));
}
@ -855,7 +855,7 @@ SM_STATE(EAP, INITIATE_RECEIVED)
os_memcpy(nai, parse.keyname, parse.keyname_len);
nai[parse.keyname_len] = '\0';
if (!sm->eap_server) {
if (!sm->cfg->eap_server) {
/*
* In passthrough case, EAP-Initiate/Re-auth replaces
* EAP Identity exchange. Use keyName-NAI as the user identity
@ -1018,7 +1018,7 @@ SM_STATE(EAP, RETRANSMIT2)
sm->eap_if.eapReq = TRUE;
}
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR,
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR,
MAC2STR(sm->peer_addr));
}
@ -1111,8 +1111,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE2)
sm->eap_if.eapTimeout = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR,
MAC2STR(sm->peer_addr));
wpa_msg(sm->cfg->msg_ctx, MSG_INFO,
WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR, MAC2STR(sm->peer_addr));
}
@ -1123,7 +1123,7 @@ SM_STATE(EAP, FAILURE2)
eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData);
sm->eap_if.eapFail = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR,
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR,
MAC2STR(sm->peer_addr));
}
@ -1152,7 +1152,7 @@ SM_STATE(EAP, SUCCESS2)
*/
sm->start_reauth = TRUE;
wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR,
wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR,
MAC2STR(sm->peer_addr));
}
@ -1173,7 +1173,7 @@ SM_STEP(EAP)
}
} else switch (sm->EAP_state) {
case EAP_INITIALIZE:
if (sm->backend_auth) {
if (sm->cfg->backend_auth) {
if (!sm->rxResp)
SM_ENTER(EAP, SELECT_ACTION);
else if (sm->rxResp &&
@ -1336,7 +1336,7 @@ SM_STEP(EAP)
else if (sm->decision == DECISION_INITIATE_REAUTH_START)
SM_ENTER(EAP, INITIATE_REAUTH_START);
#ifdef CONFIG_ERP
else if (sm->eap_server && sm->erp && sm->rxInitiate)
else if (sm->cfg->eap_server && sm->cfg->erp && sm->rxInitiate)
SM_ENTER(EAP, INITIATE_RECEIVED);
#endif /* CONFIG_ERP */
else
@ -1346,7 +1346,7 @@ SM_STEP(EAP)
SM_ENTER(EAP, SEND_REQUEST);
break;
case EAP_INITIATE_RECEIVED:
if (!sm->eap_server)
if (!sm->cfg->eap_server)
SM_ENTER(EAP, SELECT_ACTION);
break;
case EAP_TIMEOUT_FAILURE:
@ -1706,7 +1706,7 @@ static enum eap_type eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
static int eap_sm_Policy_getDecision(struct eap_sm *sm)
{
if (!sm->eap_server && sm->identity && !sm->start_reauth) {
if (!sm->cfg->eap_server && sm->identity && !sm->start_reauth) {
wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
return DECISION_PASSTHROUGH;
}
@ -1837,7 +1837,8 @@ void eap_user_free(struct eap_user *user)
*/
struct eap_sm * eap_server_sm_init(void *eapol_ctx,
const struct eapol_callbacks *eapol_cb,
struct eap_config *conf)
const struct eap_config *conf,
const struct eap_session_data *sess)
{
struct eap_sm *sm;
@ -1847,55 +1848,15 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->eapol_ctx = eapol_ctx;
sm->eapol_cb = eapol_cb;
sm->MaxRetrans = 5; /* RFC 3748: max 3-5 retransmissions suggested */
sm->ssl_ctx = conf->ssl_ctx;
sm->msg_ctx = conf->msg_ctx;
sm->eap_sim_db_priv = conf->eap_sim_db_priv;
sm->backend_auth = conf->backend_auth;
sm->eap_server = conf->eap_server;
if (conf->pac_opaque_encr_key) {
sm->pac_opaque_encr_key = os_malloc(16);
if (sm->pac_opaque_encr_key) {
os_memcpy(sm->pac_opaque_encr_key,
conf->pac_opaque_encr_key, 16);
}
}
if (conf->eap_fast_a_id) {
sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
if (sm->eap_fast_a_id) {
os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id,
conf->eap_fast_a_id_len);
sm->eap_fast_a_id_len = conf->eap_fast_a_id_len;
}
}
if (conf->eap_fast_a_id_info)
sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
sm->eap_fast_prov = conf->eap_fast_prov;
sm->pac_key_lifetime = conf->pac_key_lifetime;
sm->pac_key_refresh_time = conf->pac_key_refresh_time;
sm->eap_teap_auth = conf->eap_teap_auth;
sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
sm->eap_teap_separate_result = conf->eap_teap_separate_result;
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
sm->eap_sim_id = conf->eap_sim_id;
sm->tnc = conf->tnc;
sm->wps = conf->wps;
if (conf->assoc_wps_ie)
sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie);
if (conf->assoc_p2p_ie)
sm->assoc_p2p_ie = wpabuf_dup(conf->assoc_p2p_ie);
if (conf->peer_addr)
os_memcpy(sm->peer_addr, conf->peer_addr, ETH_ALEN);
sm->fragment_size = conf->fragment_size;
sm->pwd_group = conf->pwd_group;
sm->pbc_in_m1 = conf->pbc_in_m1;
sm->server_id = conf->server_id;
sm->server_id_len = conf->server_id_len;
sm->erp = conf->erp;
sm->tls_session_lifetime = conf->tls_session_lifetime;
sm->tls_flags = conf->tls_flags;
sm->cfg = conf;
if (sess->assoc_wps_ie)
sm->assoc_wps_ie = wpabuf_dup(sess->assoc_wps_ie);
if (sess->assoc_p2p_ie)
sm->assoc_p2p_ie = wpabuf_dup(sess->assoc_p2p_ie);
if (sess->peer_addr)
os_memcpy(sm->peer_addr, sess->peer_addr, ETH_ALEN);
#ifdef CONFIG_TESTING_OPTIONS
sm->tls_test_flags = conf->tls_test_flags;
sm->tls_test_flags = sess->tls_test_flags;
#endif /* CONFIG_TESTING_OPTIONS */
wpa_printf(MSG_DEBUG, "EAP: Server state machine created");
@ -1925,9 +1886,6 @@ void eap_server_sm_deinit(struct eap_sm *sm)
wpabuf_free(sm->eap_if.eapRespData);
os_free(sm->identity);
os_free(sm->serial_num);
os_free(sm->pac_opaque_encr_key);
os_free(sm->eap_fast_a_id);
os_free(sm->eap_fast_a_id_info);
wpabuf_free(sm->eap_if.aaaEapReqData);
wpabuf_free(sm->eap_if.aaaEapRespData);
bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen);
@ -2117,3 +2075,15 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
source, user, hex_challenge, hex_response);
}
#endif /* CONFIG_TESTING_OPTIONS */
void eap_server_config_free(struct eap_config *cfg)
{
if (!cfg)
return;
os_free(cfg->pac_opaque_encr_key);
os_free(cfg->eap_fast_a_id);
os_free(cfg->eap_fast_a_id_info);
os_free(cfg->server_id);
os_free(cfg);
}

46
src/eap_server/eap_server_aka.c
Unescape Escape View File

@ -100,7 +100,7 @@ static int eap_aka_check_identity_reauth(struct eap_sm *sm,
return 0;
wpa_printf(MSG_DEBUG, "EAP-AKA: Reauth username '%s'", username);
data->reauth = eap_sim_db_get_reauth_entry(sm->eap_sim_db_priv,
data->reauth = eap_sim_db_get_reauth_entry(sm->cfg->eap_sim_db_priv,
username);
if (data->reauth == NULL) {
wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown reauth identity - "
@ -157,7 +157,7 @@ static void eap_aka_check_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
username);
permanent = eap_sim_db_get_permanent(
sm->eap_sim_db_priv, username);
sm->cfg->eap_sim_db_priv, username);
if (permanent == NULL) {
os_free(username);
wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
@ -182,7 +182,7 @@ static void * eap_aka_init(struct eap_sm *sm)
{
struct eap_aka_data *data;
if (sm->eap_sim_db_priv == NULL) {
if (!sm->cfg->eap_sim_db_priv) {
wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
return NULL;
}
@ -208,7 +208,7 @@ static void * eap_aka_prime_init(struct eap_sm *sm)
/* TODO: make ANID configurable; see 3GPP TS 24.302 */
char *network_name = "WLAN";
if (sm->eap_sim_db_priv == NULL) {
if (sm->cfg->eap_sim_db_priv == NULL) {
wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
return NULL;
}
@ -393,13 +393,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
if (!(sm->eap_sim_id & 0x01)) {
if (!(sm->cfg->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym =
eap_sim_db_get_next_pseudonym(
sm->eap_sim_db_priv,
sm->cfg->eap_sim_db_priv,
data->eap_method == EAP_TYPE_AKA_PRIME ?
EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
} else {
@ -407,13 +407,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
if (!(sm->eap_sim_id & 0x02)) {
if (!(sm->cfg->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
data->next_reauth_id =
eap_sim_db_get_next_reauth_id(
sm->eap_sim_db_priv,
sm->cfg->eap_sim_db_priv,
data->eap_method == EAP_TYPE_AKA_PRIME ?
EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
} else {
@ -505,7 +505,7 @@ static struct wpabuf * eap_aka_build_challenge(struct eap_sm *sm,
eap_aka_add_checkcode(data, msg);
if (sm->eap_sim_aka_result_ind) {
if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@ -582,7 +582,7 @@ static struct wpabuf * eap_aka_build_reauth(struct eap_sm *sm,
eap_aka_add_checkcode(data, msg);
if (sm->eap_sim_aka_result_ind) {
if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@ -767,7 +767,7 @@ static void eap_aka_determine_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
username);
permanent = eap_sim_db_get_permanent(
sm->eap_sim_db_priv, username);
sm->cfg->eap_sim_db_priv, username);
os_free(username);
if (permanent == NULL) {
wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
@ -803,7 +803,7 @@ static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data)
size_t identity_len;
int res;
res = eap_sim_db_get_aka_auth(sm->eap_sim_db_priv, data->permanent,
res = eap_sim_db_get_aka_auth(sm->cfg->eap_sim_db_priv, data->permanent,
data->rand, data->autn, data->ik,
data->ck, data->res, &data->res_len, sm);
if (res == EAP_SIM_DB_PENDING) {
@ -998,7 +998,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-AKA: Challenge response includes the "
"correct AT_MAC");
if (sm->eap_sim_aka_result_ind && attr->result_ind) {
if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_aka_state(data, NOTIFICATION);
@ -1006,14 +1006,15 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
eap_aka_state(data, SUCCESS);
if (data->next_pseudonym) {
eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_pseudonym);
data->next_pseudonym = NULL;
}
if (data->next_reauth_id) {
if (data->eap_method == EAP_TYPE_AKA_PRIME) {
#ifdef EAP_SERVER_AKA_PRIME
eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@ -1021,7 +1022,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
data->k_re);
#endif /* EAP_SERVER_AKA_PRIME */
} else {
eap_sim_db_add_reauth(sm->eap_sim_db_priv,
eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@ -1051,7 +1052,7 @@ static void eap_aka_process_sync_failure(struct eap_sm *sm,
* maintaining a local flag stating whether this AUTS has already been
* reported. */
if (!data->auts_reported &&
eap_sim_db_resynchronize(sm->eap_sim_db_priv, data->permanent,
eap_sim_db_resynchronize(sm->cfg->eap_sim_db_priv, data->permanent,
attr->auts, data->rand)) {
wpa_printf(MSG_WARNING, "EAP-AKA: Resynchronization failed");
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
@ -1118,7 +1119,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
return;
}
if (sm->eap_sim_aka_result_ind && attr->result_ind) {
if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_aka_state(data, NOTIFICATION);
@ -1128,7 +1129,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
if (data->next_reauth_id) {
if (data->eap_method == EAP_TYPE_AKA_PRIME) {
#ifdef EAP_SERVER_AKA_PRIME
eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@ -1136,7 +1137,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
data->k_re);
#endif /* EAP_SERVER_AKA_PRIME */
} else {
eap_sim_db_add_reauth(sm->eap_sim_db_priv,
eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@ -1144,7 +1145,8 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
}
data->next_reauth_id = NULL;
} else {
eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv,
data->reauth);
data->reauth = NULL;
}
@ -1153,7 +1155,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
fail:
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth);
data->reauth = NULL;
os_free(decrypted);
}

19
src/eap_server/eap_server_eke.c
Unescape Escape View File

@ -84,11 +84,11 @@ static void * eap_eke_init(struct eap_sm *sm)
eap_eke_state(data, IDENTITY);
data->serverid_type = EAP_EKE_ID_OPAQUE;
for (i = 0; i < sm->server_id_len; i++) {
if (sm->server_id[i] == '.' &&
for (i = 0; i < sm->cfg->server_id_len; i++) {
if (sm->cfg->server_id[i] == '.' &&
data->serverid_type == EAP_EKE_ID_OPAQUE)
data->serverid_type = EAP_EKE_ID_FQDN;
if (sm->server_id[i] == '@')
if (sm->cfg->server_id[i] == '@')
data->serverid_type = EAP_EKE_ID_NAI;
}
@ -186,7 +186,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Identity");
plen = 2 + 4 * 4 + 1 + sm->server_id_len;
plen = 2 + 4 * 4 + 1 + sm->cfg->server_id_len;
msg = eap_eke_build_msg(data, id, plen, EAP_EKE_ID);
if (msg == NULL)
return NULL;
@ -223,7 +223,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm,
/* Server IDType + Identity */
wpabuf_put_u8(msg, data->serverid_type);
wpabuf_put_data(msg, sm->server_id, sm->server_id_len);
wpabuf_put_data(msg, sm->cfg->server_id, sm->cfg->server_id_len);
wpabuf_free(data->msgs);
data->msgs = wpabuf_dup(msg);
@ -252,7 +252,7 @@ static struct wpabuf * eap_eke_build_commit(struct eap_sm *sm,
if (eap_eke_derive_key(&data->sess, sm->user->password,
sm->user->password_len,
sm->server_id, sm->server_id_len,
sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, data->key) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key");
eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
@ -338,7 +338,7 @@ static struct wpabuf * eap_eke_build_confirm(struct eap_sm *sm,
wpabuf_put(msg, prot_len);
if (eap_eke_derive_ka(&data->sess,
sm->server_id, sm->server_id_len,
sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len,
data->nonce_p, data->nonce_s) < 0) {
wpabuf_free(msg);
@ -552,7 +552,7 @@ static void eap_eke_process_commit(struct eap_sm *sm,
}
if (eap_eke_derive_ke_ki(&data->sess,
sm->server_id, sm->server_id_len,
sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
@ -641,7 +641,8 @@ static void eap_eke_process_confirm(struct eap_sm *sm,
return;
}
if (eap_eke_derive_msk(&data->sess, sm->server_id, sm->server_id_len,
if (eap_eke_derive_msk(&data->sess, sm->cfg->server_id,
sm->cfg->server_id_len,
data->peerid, data->peerid_len,
data->nonce_s, data->nonce_p,
data->msk, data->emsk) < 0) {

49
src/eap_server/eap_server_fast.c
Unescape Escape View File

@ -278,7 +278,7 @@ static void eap_fast_derive_key_auth(struct eap_sm *sm,
* Extra key material after TLS key_block: session_key_seed[40]
*/
sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
sks = eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn,
EAP_FAST_SKS_LEN);
if (sks == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
@ -304,7 +304,7 @@ static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
{
os_free(data->key_block_p);
data->key_block_p = (struct eap_fast_key_block_provisioning *)
eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn,
sizeof(*data->key_block_p));
if (data->key_block_p == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
@ -440,7 +440,7 @@ static void * eap_fast_init(struct eap_sm *sm)
return NULL;
}
if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn,
if (tls_connection_set_cipher_list(sm->cfg->ssl_ctx, data->ssl.conn,
ciphers) < 0) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher "
"suites");
@ -448,7 +448,8 @@ static void * eap_fast_init(struct eap_sm *sm)
return NULL;
}
if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx,
data->ssl.conn,
eap_fast_session_ticket_cb,
data) < 0) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket "
@ -457,47 +458,48 @@ static void * eap_fast_init(struct eap_sm *sm)
return NULL;
}
if (sm->pac_opaque_encr_key == NULL) {
if (sm->cfg->pac_opaque_encr_key == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key "
"configured");
eap_fast_reset(sm, data);
return NULL;
}
os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key,
sizeof(data->pac_opaque_encr));
if (sm->eap_fast_a_id == NULL) {
if (sm->cfg->eap_fast_a_id == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured");
eap_fast_reset(sm, data);
return NULL;
}
data->srv_id = os_memdup(sm->eap_fast_a_id, sm->eap_fast_a_id_len);
data->srv_id = os_memdup(sm->cfg->eap_fast_a_id,
sm->cfg->eap_fast_a_id_len);
if (data->srv_id == NULL) {
eap_fast_reset(sm, data);
return NULL;
}
data->srv_id_len = sm->eap_fast_a_id_len;
data->srv_id_len = sm->cfg->eap_fast_a_id_len;
if (sm->eap_fast_a_id_info == NULL) {
if (sm->cfg->eap_fast_a_id_info == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured");
eap_fast_reset(sm, data);
return NULL;
}
data->srv_id_info = os_strdup(sm->eap_fast_a_id_info);
data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info);
if (data->srv_id_info == NULL) {
eap_fast_reset(sm, data);
return NULL;
}
/* PAC-Key lifetime in seconds (hard limit) */
data->pac_key_lifetime = sm->pac_key_lifetime;
data->pac_key_lifetime = sm->cfg->pac_key_lifetime;
/*
* PAC-Key refresh time in seconds (soft limit on remaining hard
* limit). The server will generate a new PAC-Key when this number of
* seconds (or fewer) of the lifetime remains.
*/
data->pac_key_refresh_time = sm->pac_key_refresh_time;
data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time;
return data;
}
@ -552,8 +554,8 @@ static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data)
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2");
if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
< 0) {
if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn,
cipher, sizeof(cipher)) < 0) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher "
"information");
eap_fast_state(data, FAILURE);
@ -872,7 +874,8 @@ static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_fast_build_start(sm, data, id);
case PHASE1:
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
if (tls_connection_established(sm->cfg->ssl_ctx,
data->ssl.conn)) {
if (eap_fast_phase1_done(sm, data) < 0)
return NULL;
if (data->state == PHASE2_START) {
@ -1082,7 +1085,7 @@ static void eap_fast_process_phase2_response(struct eap_sm *sm,
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
#ifdef EAP_SERVER_TNC
if (sm->tnc && !data->tnc_started) {
if (sm->cfg->tnc && !data->tnc_started) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC");
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_TNC;
@ -1346,8 +1349,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
}
if (data->anon_provisioning &&
sm->eap_fast_prov != ANON_PROV &&
sm->eap_fast_prov != BOTH_PROV) {
sm->cfg->eap_fast_prov != ANON_PROV &&
sm->cfg->eap_fast_prov != BOTH_PROV) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
"use unauthenticated provisioning which is "
"disabled");
@ -1355,8 +1358,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
return;
}
if (sm->eap_fast_prov != AUTH_PROV &&
sm->eap_fast_prov != BOTH_PROV &&
if (sm->cfg->eap_fast_prov != AUTH_PROV &&
sm->cfg->eap_fast_prov != BOTH_PROV &&
tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
eap_fast_pac_type(tlv.pac, tlv.pac_len,
PAC_TYPE_TUNNEL_PAC)) {
@ -1408,7 +1411,7 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
return;
}
in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (in_decrypted == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
@ -1468,7 +1471,7 @@ static int eap_fast_process_phase1(struct eap_sm *sm,
return -1;
}
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
wpabuf_len(data->ssl.tls_out) > 0)
return 1;

21
src/eap_server/eap_server_gpsk.c
Unescape Escape View File

@ -117,7 +117,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm,
wpa_hexdump(MSG_MSGDUMP, "EAP-GPSK: RAND_Server",
data->rand_server, EAP_GPSK_RAND_LEN);
len = 1 + 2 + sm->server_id_len + EAP_GPSK_RAND_LEN + 2 +
len = 1 + 2 + sm->cfg->server_id_len + EAP_GPSK_RAND_LEN + 2 +
data->csuite_count * sizeof(struct eap_gpsk_csuite);
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len,
EAP_CODE_REQUEST, id);
@ -129,8 +129,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm,
}
wpabuf_put_u8(req, EAP_GPSK_OPCODE_GPSK_1);
wpabuf_put_be16(req, sm->server_id_len);
wpabuf_put_data(req, sm->server_id, sm->server_id_len);
wpabuf_put_be16(req, sm->cfg->server_id_len);
wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN);
wpabuf_put_be16(req,
data->csuite_count * sizeof(struct eap_gpsk_csuite));
@ -152,7 +152,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-GPSK: Request/GPSK-3");
miclen = eap_gpsk_mic_len(data->vendor, data->specifier);
len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->server_id_len +
len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->cfg->server_id_len +
sizeof(struct eap_gpsk_csuite) + 2 + miclen;
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len,
EAP_CODE_REQUEST, id);
@ -168,8 +168,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm,
wpabuf_put_data(req, data->rand_peer, EAP_GPSK_RAND_LEN);
wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN);
wpabuf_put_be16(req, sm->server_id_len);
wpabuf_put_data(req, sm->server_id, sm->server_id_len);
wpabuf_put_be16(req, sm->cfg->server_id_len);
wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
csuite = wpabuf_put(req, sizeof(*csuite));
WPA_PUT_BE32(csuite->vendor, data->vendor);
WPA_PUT_BE16(csuite->specifier, data->specifier);
@ -294,8 +294,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
eap_gpsk_state(data, FAILURE);
return;
}
if (alen != sm->server_id_len ||
os_memcmp(pos, sm->server_id, alen) != 0) {
if (alen != sm->cfg->server_id_len ||
os_memcmp(pos, sm->cfg->server_id, alen) != 0) {
wpa_printf(MSG_DEBUG, "EAP-GPSK: ID_Server in GPSK-1 and "
"GPSK-2 did not match");
eap_gpsk_state(data, FAILURE);
@ -409,7 +409,7 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
data->vendor, data->specifier,
data->rand_peer, data->rand_server,
data->id_peer, data->id_peer_len,
sm->server_id, sm->server_id_len,
sm->cfg->server_id, sm->cfg->server_id_len,
data->msk, data->emsk,
data->sk, &data->sk_len,
data->pk, &data->pk_len) < 0) {
@ -423,7 +423,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
data->vendor, data->specifier,
data->rand_peer, data->rand_server,
data->id_peer, data->id_peer_len,
sm->server_id, sm->server_id_len,
sm->cfg->server_id,
sm->cfg->server_id_len,
EAP_TYPE_GPSK,
data->session_id, &data->id_len) < 0) {
wpa_printf(MSG_DEBUG, "EAP-GPSK: Failed to derive Session-Id");

10
src/eap_server/eap_server_ikev2.c
Unescape Escape View File

@ -87,8 +87,8 @@ static void * eap_ikev2_init(struct eap_sm *sm)
if (data == NULL)
return NULL;
data->state = MSG;
data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size :
IKEV2_FRAGMENT_SIZE;
data->fragment_size = sm->cfg->fragment_size > 0 ?
sm->cfg->fragment_size : IKEV2_FRAGMENT_SIZE;
data->ikev2.state = SA_INIT;
data->ikev2.peer_auth = PEER_AUTH_SECRET;
data->ikev2.key_pad = (u8 *) os_strdup("Key Pad for EAP-IKEv2");
@ -103,10 +103,10 @@ static void * eap_ikev2_init(struct eap_sm *sm)
data->ikev2.proposal.encr = ENCR_AES_CBC;
data->ikev2.proposal.dh = DH_GROUP2_1024BIT_MODP;
data->ikev2.IDi = os_memdup(sm->server_id, sm->server_id_len);
data->ikev2.IDi = os_memdup(sm->cfg->server_id, sm->cfg->server_id_len);
if (data->ikev2.IDi == NULL)
goto failed;
data->ikev2.IDi_len = sm->server_id_len;
data->ikev2.IDi_len = sm->cfg->server_id_len;
data->ikev2.get_shared_secret = eap_ikev2_get_shared_secret;
data->ikev2.cb_ctx = sm;
@ -414,7 +414,7 @@ static void eap_ikev2_process(struct eap_sm *sm, void *priv,
eap_ikev2_state(data, FAIL);
return;
}
if (flags & IKEV2_FLAGS_MORE_FRAGMENTS) {
if (eap_ikev2_process_fragment(data, flags, message_length,
pos, end - pos) < 0)

4
src/eap_server/eap_server_mschapv2.c
Unescape Escape View File

@ -109,7 +109,7 @@ static struct wpabuf * eap_mschapv2_build_challenge(
return NULL;
}
ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->server_id_len;
ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->cfg->server_id_len;
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, ms_len,
EAP_CODE_REQUEST, id);
if (req == NULL) {
@ -131,7 +131,7 @@ static struct wpabuf * eap_mschapv2_build_challenge(
wpabuf_put(req, CHALLENGE_LEN);
wpa_hexdump(MSG_MSGDUMP, "EAP-MSCHAPV2: Challenge",
data->auth_challenge, CHALLENGE_LEN);
wpabuf_put_data(req, sm->server_id, sm->server_id_len);
wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
return req;
}

17
src/eap_server/eap_server_peap.c
Unescape Escape View File

@ -105,8 +105,8 @@ static void eap_peap_valid_session(struct eap_sm *sm,
{
struct wpabuf *buf;
if (!sm->tls_session_lifetime ||
tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
if (!sm->cfg->tls_session_lifetime ||
tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = wpabuf_alloc(1 + 1 + sm->identity_len);
@ -336,7 +336,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
return -1;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
if (tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
if (tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) {
/* Fast-connect: IPMK|CMK = TK */
os_memcpy(data->ipmk, tk, 40);
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
@ -521,7 +521,8 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
return eap_peap_build_start(sm, data, id);
case PHASE1:
case PHASE1_ID2:
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
if (tls_connection_established(sm->cfg->ssl_ctx,
data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
"starting Phase2");
eap_peap_state(data, PHASE2_START);
@ -1020,7 +1021,7 @@ static void eap_peap_process_phase2_response(struct eap_sm *sm,
}
#ifdef EAP_SERVER_TNC
if (data->state != PHASE2_SOH && sm->tnc &&
if (data->state != PHASE2_SOH && sm->cfg->tnc &&
data->peap_version == 0) {
eap_peap_state(data, PHASE2_SOH);
wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
@ -1077,7 +1078,7 @@ static void eap_peap_process_phase2(struct eap_sm *sm,
return;
}
in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (in_decrypted == NULL) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
@ -1237,8 +1238,8 @@ static void eap_peap_process(struct eap_sm *sm, void *priv,
}
if (data->state == SUCCESS ||
!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
!tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
!tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = tls_connection_get_success_data(data->ssl.conn);

16
src/eap_server/eap_server_psk.c
Unescape Escape View File

@ -68,7 +68,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm,
data->rand_s, EAP_PSK_RAND_LEN);
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK,
sizeof(*psk) + sm->server_id_len,
sizeof(*psk) + sm->cfg->server_id_len,
EAP_CODE_REQUEST, id);
if (req == NULL) {
wpa_printf(MSG_ERROR, "EAP-PSK: Failed to allocate memory "
@ -80,7 +80,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm,
psk = wpabuf_put(req, sizeof(*psk));
psk->flags = EAP_PSK_FLAGS_SET_T(0); /* T=0 */
os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN);
wpabuf_put_data(req, sm->server_id, sm->server_id_len);
wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
return req;
}
@ -110,13 +110,13 @@ static struct wpabuf * eap_psk_build_3(struct eap_sm *sm,
os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN);
/* MAC_S = OMAC1-AES-128(AK, ID_S||RAND_P) */
buflen = sm->server_id_len + EAP_PSK_RAND_LEN;
buflen = sm->cfg->server_id_len + EAP_PSK_RAND_LEN;
buf = os_malloc(buflen);
if (buf == NULL)
goto fail;
os_memcpy(buf, sm->server_id, sm->server_id_len);
os_memcpy(buf + sm->server_id_len, data->rand_p, EAP_PSK_RAND_LEN);
os_memcpy(buf, sm->cfg->server_id, sm->cfg->server_id_len);
os_memcpy(buf + sm->cfg->server_id_len, data->rand_p, EAP_PSK_RAND_LEN);
if (omac1_aes_128(data->ak, buf, buflen, psk->mac_s)) {
os_free(buf);
goto fail;
@ -293,7 +293,7 @@ static void eap_psk_process_2(struct eap_sm *sm,
os_memcpy(data->rand_p, resp->rand_p, EAP_PSK_RAND_LEN);
/* MAC_P = OMAC1-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P) */
buflen = data->id_p_len + sm->server_id_len + 2 * EAP_PSK_RAND_LEN;
buflen = data->id_p_len + sm->cfg->server_id_len + 2 * EAP_PSK_RAND_LEN;
buf = os_malloc(buflen);
if (buf == NULL) {
data->state = FAILURE;
@ -301,8 +301,8 @@ static void eap_psk_process_2(struct eap_sm *sm,
}
os_memcpy(buf, data->id_p, data->id_p_len);
pos = buf + data->id_p_len;
os_memcpy(pos, sm->server_id, sm->server_id_len);
pos += sm->server_id_len;
os_memcpy(pos, sm->cfg->server_id, sm->cfg->server_id_len);
pos += sm->cfg->server_id_len;
os_memcpy(pos, data->rand_s, EAP_PSK_RAND_LEN);
pos += EAP_PSK_RAND_LEN;
os_memcpy(pos, data->rand_p, EAP_PSK_RAND_LEN);

4
src/eap_server/eap_server_pwd.c
Unescape Escape View File

@ -97,7 +97,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
if (data == NULL)
return NULL;
data->group_num = sm->pwd_group;
data->group_num = sm->cfg->pwd_group;
wpa_printf(MSG_DEBUG, "EAP-pwd: Selected group number %d",
data->group_num);
data->state = PWD_ID_Req;
@ -134,7 +134,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
data->in_frag_pos = data->out_frag_pos = 0;
data->inbuf = data->outbuf = NULL;
/* use default MTU from RFC 5931 if not configured otherwise */
data->mtu = sm->fragment_size > 0 ? sm->fragment_size : 1020;
data->mtu = sm->cfg->fragment_size > 0 ? sm->cfg->fragment_size : 1020;
return data;
}

14
src/eap_server/eap_server_sake.c
Unescape Escape View File

@ -123,7 +123,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Identity");
plen = 4;
plen += 2 + sm->server_id_len;
plen += 2 + sm->cfg->server_id_len;
msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_IDENTITY);
if (msg == NULL) {
data->state = FAILURE;
@ -135,7 +135,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID");
eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID,
sm->server_id, sm->server_id_len);
sm->cfg->server_id, sm->cfg->server_id_len);
return msg;
}
@ -158,7 +158,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm,
wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
data->rand_s, EAP_SAKE_RAND_LEN);
plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->server_id_len;
plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->cfg->server_id_len;
msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_CHALLENGE);
if (msg == NULL) {
data->state = FAILURE;
@ -171,7 +171,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID");
eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID,
sm->server_id, sm->server_id_len);
sm->cfg->server_id, sm->cfg->server_id_len);
return msg;
}
@ -198,7 +198,7 @@ static struct wpabuf * eap_sake_build_confirm(struct eap_sm *sm,
wpabuf_put_u8(msg, 2 + EAP_SAKE_MIC_LEN);
mic = wpabuf_put(msg, EAP_SAKE_MIC_LEN);
if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
sm->server_id, sm->server_id_len,
sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, 0,
wpabuf_head(msg), wpabuf_len(msg), mic, mic))
{
@ -351,7 +351,7 @@ static void eap_sake_process_challenge(struct eap_sm *sm,
}
if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
sm->server_id, sm->server_id_len,
sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, 1,
wpabuf_head(respData), wpabuf_len(respData),
attr.mic_p, mic_p) < 0) {
@ -392,7 +392,7 @@ static void eap_sake_process_confirm(struct eap_sm *sm,
}
if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
sm->server_id, sm->server_id_len,
sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, 1,
wpabuf_head(respData), wpabuf_len(respData),
attr.mic_p, mic_p) < 0) {

36
src/eap_server/eap_server_sim.c
Unescape Escape View File

@ -76,7 +76,7 @@ static void * eap_sim_init(struct eap_sm *sm)
{
struct eap_sim_data *data;
if (sm->eap_sim_db_priv == NULL) {
if (!sm->cfg->eap_sim_db_priv) {
wpa_printf(MSG_WARNING, "EAP-SIM: eap_sim_db not configured");
return NULL;
}
@ -150,24 +150,24 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
if (!(sm->eap_sim_id & 0x01)) {
if (!(sm->cfg->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym =
eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
eap_sim_db_get_next_pseudonym(sm->cfg->eap_sim_db_priv,
EAP_SIM_DB_SIM);
} else {
/* Do not update pseudonym during re-authentication */
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
if (!(sm->eap_sim_id & 0x02)) {
if (!(sm->cfg->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
data->next_reauth_id =
eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
eap_sim_db_get_next_reauth_id(sm->cfg->eap_sim_db_priv,
EAP_SIM_DB_SIM);
} else {
wpa_printf(MSG_DEBUG, "EAP-SIM: Max fast re-authentication "
@ -240,7 +240,7 @@ static struct wpabuf * eap_sim_build_challenge(struct eap_sm *sm,
return NULL;
}
if (sm->eap_sim_aka_result_ind) {
if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@ -279,7 +279,7 @@ static struct wpabuf * eap_sim_build_reauth(struct eap_sm *sm,
return NULL;
}
if (sm->eap_sim_aka_result_ind) {
if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@ -475,7 +475,7 @@ static void eap_sim_process_start(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SIM: Reauth username '%s'",
username);
data->reauth = eap_sim_db_get_reauth_entry(
sm->eap_sim_db_priv, username);
sm->cfg->eap_sim_db_priv, username);
os_free(username);
if (data->reauth == NULL) {
wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown reauth "
@ -497,7 +497,7 @@ static void eap_sim_process_start(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SIM: Pseudonym username '%s'",
username);
permanent = eap_sim_db_get_permanent(
sm->eap_sim_db_priv, username);
sm->cfg->eap_sim_db_priv, username);
os_free(username);
if (permanent == NULL) {
wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown pseudonym "
@ -538,7 +538,7 @@ skip_id_update:
data->reauth = NULL;
data->num_chal = eap_sim_db_get_gsm_triplets(
sm->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL,
sm->cfg->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL,
(u8 *) data->rand, (u8 *) data->kc, (u8 *) data->sres, sm);
if (data->num_chal == EAP_SIM_DB_PENDING) {
wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication triplets "
@ -599,7 +599,7 @@ static void eap_sim_process_challenge(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SIM: Challenge response includes the "
"correct AT_MAC");
if (sm->eap_sim_aka_result_ind && attr->result_ind) {
if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_sim_state(data, NOTIFICATION);
@ -607,12 +607,13 @@ static void eap_sim_process_challenge(struct eap_sm *sm,
eap_sim_state(data, SUCCESS);
if (data->next_pseudonym) {
eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_pseudonym);
data->next_pseudonym = NULL;
}
if (data->next_reauth_id) {
eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent,
eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent,
data->next_reauth_id, data->counter + 1,
data->mk);
data->next_reauth_id = NULL;
@ -672,7 +673,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
return;
}
if (sm->eap_sim_aka_result_ind && attr->result_ind) {
if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_sim_state(data, NOTIFICATION);
@ -680,12 +681,13 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
eap_sim_state(data, SUCCESS);
if (data->next_reauth_id) {
eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent,
eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent,
data->next_reauth_id,
data->counter + 1, data->mk);
data->next_reauth_id = NULL;
} else {
eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv,
data->reauth);
data->reauth = NULL;
}
@ -694,7 +696,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
fail:
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_sim_state(data, NOTIFICATION);
eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth);
data->reauth = NULL;
os_free(decrypted);
}

67
src/eap_server/eap_server_teap.c
Unescape Escape View File

@ -287,7 +287,7 @@ static int eap_teap_derive_key_auth(struct eap_sm *sm,
int res;
/* RFC 7170, Section 5.1 */
res = tls_connection_export_key(sm->ssl_ctx, data->ssl.conn,
res = tls_connection_export_key(sm->cfg->ssl_ctx, data->ssl.conn,
TEAP_TLS_EXPORTER_LABEL_SKS, NULL, 0,
data->simck_msk, EAP_TEAP_SIMCK_LEN);
if (res)
@ -310,7 +310,7 @@ static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data)
wpa_printf(MSG_DEBUG, "EAP-TEAP: Deriving ICMK[%d] (S-IMCK and CMK)",
data->simck_idx + 1);
if (sm->eap_teap_auth == 1)
if (sm->cfg->eap_teap_auth == 1)
return eap_teap_derive_cmk_basic_pw_auth(data->tls_cs,
data->simck_msk,
data->cmk_msk);
@ -370,7 +370,8 @@ static void * eap_teap_init(struct eap_sm *sm)
/* TODO: Add anon-DH TLS cipher suites (and if one is negotiated,
* enforce inner EAP with mutual authentication to be used) */
if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx,
data->ssl.conn,
eap_teap_session_ticket_cb,
data) < 0) {
wpa_printf(MSG_INFO,
@ -379,48 +380,49 @@ static void * eap_teap_init(struct eap_sm *sm)
return NULL;
}
if (!sm->pac_opaque_encr_key) {
if (!sm->cfg->pac_opaque_encr_key) {
wpa_printf(MSG_INFO,
"EAP-TEAP: No PAC-Opaque encryption key configured");
eap_teap_reset(sm, data);
return NULL;
}
os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key,
sizeof(data->pac_opaque_encr));
if (!sm->eap_fast_a_id) {
if (!sm->cfg->eap_fast_a_id) {
wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID configured");
eap_teap_reset(sm, data);
return NULL;
}
data->srv_id = os_malloc(sm->eap_fast_a_id_len);
data->srv_id = os_malloc(sm->cfg->eap_fast_a_id_len);
if (!data->srv_id) {
eap_teap_reset(sm, data);
return NULL;
}
os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len);
data->srv_id_len = sm->eap_fast_a_id_len;
os_memcpy(data->srv_id, sm->cfg->eap_fast_a_id,
sm->cfg->eap_fast_a_id_len);
data->srv_id_len = sm->cfg->eap_fast_a_id_len;
if (!sm->eap_fast_a_id_info) {
if (!sm->cfg->eap_fast_a_id_info) {
wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID-Info configured");
eap_teap_reset(sm, data);
return NULL;
}
data->srv_id_info = os_strdup(sm->eap_fast_a_id_info);
data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info);
if (!data->srv_id_info) {
eap_teap_reset(sm, data);
return NULL;
}
/* PAC-Key lifetime in seconds (hard limit) */
data->pac_key_lifetime = sm->pac_key_lifetime;
data->pac_key_lifetime = sm->cfg->pac_key_lifetime;
/*
* PAC-Key refresh time in seconds (soft limit on remaining hard
* limit). The server will generate a new PAC-Key when this number of
* seconds (or fewer) of the lifetime remains.
*/
data->pac_key_refresh_time = sm->pac_key_refresh_time;
data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time;
return data;
}
@ -500,8 +502,8 @@ static int eap_teap_phase1_done(struct eap_sm *sm, struct eap_teap_data *data)
wpa_printf(MSG_DEBUG, "EAP-TEAP: TLS cipher suite 0x%04x",
data->tls_cs);
if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
< 0) {
if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn,
cipher, sizeof(cipher)) < 0) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Failed to get cipher information");
eap_teap_state(data, FAILURE);
@ -529,7 +531,7 @@ static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm,
{
struct wpabuf *req;
if (sm->eap_teap_auth == 1) {
if (sm->cfg->eap_teap_auth == 1) {
wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth");
req = wpabuf_alloc(sizeof(struct teap_tlv_hdr));
if (!req)
@ -567,7 +569,7 @@ static struct wpabuf * eap_teap_build_crypto_binding(
return NULL;
if (data->send_new_pac || data->anon_provisioning ||
data->phase2_method || sm->eap_teap_separate_result)
data->phase2_method || sm->cfg->eap_teap_separate_result)
data->final_result = 0;
else
data->final_result = 1;
@ -846,7 +848,8 @@ static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_teap_build_start(sm, data, id);
case PHASE1B:
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
if (tls_connection_established(sm->cfg->ssl_ctx,
data->ssl.conn)) {
if (eap_teap_phase1_done(sm, data) < 0)
return NULL;
if (data->state == PHASE2_START) {
@ -1072,7 +1075,7 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
#ifdef EAP_SERVER_TNC
if (sm->tnc && !data->tnc_started) {
if (sm->cfg->tnc && !data->tnc_started) {
wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC");
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_TNC;
@ -1463,7 +1466,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
return;
}
if (sm->eap_teap_auth != 1 &&
if (sm->cfg->eap_teap_auth != 1 &&
tlv.iresult != TEAP_STATUS_SUCCESS) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Crypto-Binding TLV without intermediate Success Result");
@ -1485,16 +1488,16 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
}
if (data->anon_provisioning &&
sm->eap_fast_prov != ANON_PROV &&
sm->eap_fast_prov != BOTH_PROV) {
sm->cfg->eap_fast_prov != ANON_PROV &&
sm->cfg->eap_fast_prov != BOTH_PROV) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Client is trying to use unauthenticated provisioning which is disabled");
eap_teap_state(data, FAILURE);
return;
}
if (sm->eap_fast_prov != AUTH_PROV &&
sm->eap_fast_prov != BOTH_PROV &&
if (sm->cfg->eap_fast_prov != AUTH_PROV &&
sm->cfg->eap_fast_prov != BOTH_PROV &&
tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV &&
eap_teap_pac_type(tlv.pac, tlv.pac_len,
PAC_TYPE_TUNNEL_PAC)) {
@ -1517,13 +1520,13 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
eap_teap_state(data, REQUEST_PAC);
} else if (data->final_result) {
eap_teap_state(data, SUCCESS);
} else if (sm->eap_teap_separate_result) {
} else if (sm->cfg->eap_teap_separate_result) {
eap_teap_state(data, SUCCESS_SEND_RESULT);
}
}
if (tlv.basic_auth_resp) {
if (sm->eap_teap_auth != 1) {
if (sm->cfg->eap_teap_auth != 1) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Unexpected Basic-Password-Auth-Resp when trying to use inner EAP");
eap_teap_state(data, FAILURE);
@ -1534,7 +1537,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
}
if (tlv.eap_payload_tlv) {
if (sm->eap_teap_auth == 1) {
if (sm->cfg->eap_teap_auth == 1) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Unexpected EAP Payload TLV when trying to use Basic-Password-Auth");
eap_teap_state(data, FAILURE);
@ -1573,7 +1576,7 @@ static void eap_teap_process_phase2(struct eap_sm *sm,
return;
}
in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (!in_decrypted) {
wpa_printf(MSG_INFO,
@ -1634,7 +1637,7 @@ static int eap_teap_process_phase1(struct eap_sm *sm,
return -1;
}
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
wpabuf_len(data->ssl.tls_out) > 0)
return 1;
@ -1668,7 +1671,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
eap_teap_state(data, PHASE2_METHOD);
} else if (sm->eap_teap_pac_no_inner) {
} else if (sm->cfg->eap_teap_pac_no_inner) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Used PAC and identity already known - skip inner auth");
/* FIX: Need to derive CMK here. However, how is that
@ -1679,7 +1682,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
data->cmk_msk);
eap_teap_state(data, CRYPTO_BINDING);
return 1;
} else if (sm->eap_teap_auth == 1) {
} else if (sm->cfg->eap_teap_auth == 1) {
eap_teap_state(data, PHASE2_BASIC_AUTH);
return 1;
} else {
@ -1691,7 +1694,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
eap_teap_state(data, PHASE2_METHOD);
}
} else if (sm->eap_teap_auth == 1) {
} else if (sm->cfg->eap_teap_auth == 1) {
eap_teap_state(data, PHASE2_BASIC_AUTH);
return 0;
} else {

11
src/eap_server/eap_server_tls.c
Unescape Escape View File

@ -58,7 +58,7 @@ static void eap_tls_valid_session(struct eap_sm *sm, struct eap_tls_data *data)
{
struct wpabuf *buf;
if (!sm->tls_session_lifetime)
if (!sm->cfg->tls_session_lifetime)
return;
buf = wpabuf_alloc(1);
@ -187,7 +187,8 @@ static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_tls_build_start(sm, data, id);
case CONTINUE:
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
if (tls_connection_established(sm->cfg->ssl_ctx,
data->ssl.conn))
data->established = 1;
break;
default:
@ -267,7 +268,7 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
}
if (data->ssl.tls_v13 &&
tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn)) {
struct wpabuf *plain, *encr;
wpa_printf(MSG_DEBUG,
@ -315,8 +316,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
return;
}
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
!tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
!tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = tls_connection_get_success_data(data->ssl.conn);

37
src/eap_server/eap_server_tls_common.c
Unescape Escape View File

@ -47,9 +47,9 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer, int eap_type)
{
u8 session_ctx[8];
unsigned int flags = sm->tls_flags;
unsigned int flags = sm->cfg->tls_flags;
if (sm->ssl_ctx == NULL) {
if (!sm->cfg->ssl_ctx) {
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
return -1;
}
@ -57,7 +57,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
data->eap = sm;
data->phase2 = sm->init_phase2;
data->conn = tls_connection_init(sm->ssl_ctx);
data->conn = tls_connection_init(sm->cfg->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
"connection");
@ -75,17 +75,18 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
flags |= TLS_CONN_DISABLE_SESSION_TICKET;
os_memcpy(session_ctx, "hostapd", 7);
session_ctx[7] = (u8) eap_type;
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
if (tls_connection_set_verify(sm->cfg->ssl_ctx, data->conn, verify_peer,
flags, session_ctx,
sizeof(session_ctx))) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
"of TLS peer certificate");
tls_connection_deinit(sm->ssl_ctx, data->conn);
tls_connection_deinit(sm->cfg->ssl_ctx, data->conn);
data->conn = NULL;
return -1;
}
data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398;
data->tls_out_limit = sm->cfg->fragment_size > 0 ?
sm->cfg->fragment_size : 1398;
if (data->phase2) {
/* Limit the fragment size in the inner TLS authentication
* since the outer authentication with EAP-PEAP does not yet
@ -99,7 +100,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
{
tls_connection_deinit(sm->ssl_ctx, data->conn);
tls_connection_deinit(sm->cfg->ssl_ctx, data->conn);
eap_server_tls_free_in_buf(data);
wpabuf_free(data->tls_out);
data->tls_out = NULL;
@ -116,7 +117,7 @@ u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
if (out == NULL)
return NULL;
if (tls_connection_export_key(sm->ssl_ctx, data->conn, label,
if (tls_connection_export_key(sm->cfg->ssl_ctx, data->conn, label,
context, context_len, out, len)) {
os_free(out);
return NULL;
@ -170,7 +171,7 @@ u8 * eap_server_tls_derive_session_id(struct eap_sm *sm,
return id;
}
if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys))
if (tls_connection_get_random(sm->cfg->ssl_ctx, data->conn, &keys))
return NULL;
if (keys.client_random == NULL || keys.server_random == NULL)
@ -340,29 +341,30 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
WPA_ASSERT(data->tls_out == NULL);
}
data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
data->tls_out = tls_connection_server_handshake(sm->cfg->ssl_ctx,
data->conn,
data->tls_in, NULL);
if (data->tls_out == NULL) {
wpa_printf(MSG_INFO, "SSL: TLS processing failed");
return -1;
}
if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
if (tls_connection_get_failed(sm->cfg->ssl_ctx, data->conn)) {
/* TLS processing has failed - return error */
wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
"report error");
return -1;
}
if (tls_get_version(sm->ssl_ctx, data->conn, buf, sizeof(buf)) == 0) {
if (tls_get_version(sm->cfg->ssl_ctx, data->conn,
buf, sizeof(buf)) == 0) {
wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
}
if (!sm->serial_num &&
tls_connection_established(sm->ssl_ctx, data->conn))
sm->serial_num = tls_connection_peer_serial_num(sm->ssl_ctx,
data->conn);
tls_connection_established(sm->cfg->ssl_ctx, data->conn))
sm->serial_num = tls_connection_peer_serial_num(
sm->cfg->ssl_ctx, data->conn);
return 0;
}
@ -451,8 +453,7 @@ struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
{
struct wpabuf *buf;
buf = tls_connection_encrypt(sm->ssl_ctx, data->conn,
plain);
buf = tls_connection_encrypt(sm->cfg->ssl_ctx, data->conn, plain);
if (buf == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data");
return NULL;
@ -506,7 +507,7 @@ int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
if (proc_msg)
proc_msg(sm, priv, respData);
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
if (tls_connection_get_write_alerts(sm->cfg->ssl_ctx, data->conn) > 1) {
wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
"TLS processing");
res = -1;

6
src/eap_server/eap_server_tnc.c
Unescape Escape View File

@ -84,8 +84,8 @@ static void * eap_tnc_init(struct eap_sm *sm)
return NULL;
}
data->fragment_size = sm->fragment_size > 100 ?
sm->fragment_size - 98 : 1300;
data->fragment_size = sm->cfg->fragment_size > 100 ?
sm->cfg->fragment_size - 98 : 1300;
return data;
}
@ -508,7 +508,7 @@ static void eap_tnc_process(struct eap_sm *sm, void *priv,
eap_tnc_set_state(data, FAIL);
return;
}
if (flags & EAP_TNC_FLAGS_MORE_FRAGMENTS) {
if (eap_tnc_process_fragment(data, flags, message_length,
pos, end - pos) < 0)

13
src/eap_server/eap_server_ttls.c
Unescape Escape View File

@ -81,7 +81,7 @@ static void eap_ttls_valid_session(struct eap_sm *sm,
{
struct wpabuf *buf;
if (!sm->tls_session_lifetime)
if (!sm->cfg->tls_session_lifetime)
return;
buf = wpabuf_alloc(1 + 1 + sm->identity_len);
@ -480,7 +480,8 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_ttls_build_start(sm, data, id);
case PHASE1:
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
if (tls_connection_established(sm->cfg->ssl_ctx,
data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
"starting Phase2");
eap_ttls_state(data, PHASE2_START);
@ -1029,7 +1030,7 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
return;
}
in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (in_decrypted == NULL) {
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
@ -1119,7 +1120,7 @@ done:
static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
{
#ifdef EAP_SERVER_TNC
if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
if (!sm->cfg->tnc || data->state != SUCCESS || data->tnc_started)
return;
wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
@ -1209,8 +1210,8 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
return;
}
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
!tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
!tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = tls_connection_get_success_data(data->ssl.conn);

10
src/eap_server/eap_server_wsc.c
Unescape Escape View File

@ -103,10 +103,10 @@ static void * eap_wsc_init(struct eap_sm *sm)
data->registrar = registrar;
os_memset(&cfg, 0, sizeof(cfg));
cfg.wps = sm->wps;
cfg.wps = sm->cfg->wps;
cfg.registrar = registrar;
if (registrar) {
if (sm->wps == NULL || sm->wps->registrar == NULL) {
if (!sm->cfg->wps || !sm->cfg->wps->registrar) {
wpa_printf(MSG_INFO, "EAP-WSC: WPS Registrar not "
"initialized");
os_free(data);
@ -138,14 +138,14 @@ static void * eap_wsc_init(struct eap_sm *sm)
cfg.p2p_dev_addr = p2p_get_go_dev_addr(sm->assoc_p2p_ie);
}
#endif /* CONFIG_P2P */
cfg.pbc_in_m1 = sm->pbc_in_m1;
cfg.pbc_in_m1 = sm->cfg->pbc_in_m1;
data->wps = wps_init(&cfg);
if (data->wps == NULL) {
os_free(data);
return NULL;
}
data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size :
WSC_FRAGMENT_SIZE;
data->fragment_size = sm->cfg->fragment_size > 0 ?
sm->cfg->fragment_size : WSC_FRAGMENT_SIZE;
return data;
}

90
src/eapol_auth/eapol_auth_sm.c
Unescape Escape View File

@ -775,7 +775,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
const char *identity, const char *radius_cui)
{
struct eapol_state_machine *sm;
struct eap_config eap_conf;
struct eap_session_data eap_sess;
if (eapol == NULL)
return NULL;
@ -823,38 +823,12 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
else
sm->portValid = TRUE;
os_memset(&eap_conf, 0, sizeof(eap_conf));
eap_conf.eap_server = eapol->conf.eap_server;
eap_conf.ssl_ctx = eapol->conf.ssl_ctx;
eap_conf.msg_ctx = eapol->conf.msg_ctx;
eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
eap_conf.eap_fast_a_id_len = eapol->conf.eap_fast_a_id_len;
eap_conf.eap_fast_a_id_info = eapol->conf.eap_fast_a_id_info;
eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
eap_conf.eap_teap_separate_result =
eapol->conf.eap_teap_separate_result;
eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
eap_conf.tnc = eapol->conf.tnc;
eap_conf.wps = eapol->conf.wps;
eap_conf.assoc_wps_ie = assoc_wps_ie;
eap_conf.assoc_p2p_ie = assoc_p2p_ie;
eap_conf.peer_addr = addr;
eap_conf.fragment_size = eapol->conf.fragment_size;
eap_conf.pwd_group = eapol->conf.pwd_group;
eap_conf.pbc_in_m1 = eapol->conf.pbc_in_m1;
eap_conf.server_id = eapol->conf.server_id;
eap_conf.server_id_len = eapol->conf.server_id_len;
eap_conf.erp = eapol->conf.erp;
eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
eap_conf.tls_flags = eapol->conf.tls_flags;
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
os_memset(&eap_sess, 0, sizeof(eap_sess));
eap_sess.assoc_wps_ie = assoc_wps_ie;
eap_sess.assoc_p2p_ie = assoc_p2p_ie;
eap_sess.peer_addr = addr;
sm->eap = eap_server_sm_init(sm, &eapol_cb, eapol->conf.eap_cfg,
&eap_sess);
if (sm->eap == NULL) {
eapol_auth_free(sm);
return NULL;
@ -1189,19 +1163,12 @@ int eapol_auth_set_conf(struct eapol_state_machine *sm, const char *param,
static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
struct eapol_auth_config *src)
{
dst->eap_cfg = src->eap_cfg;
dst->ctx = src->ctx;
dst->eap_reauth_period = src->eap_reauth_period;
dst->wpa = src->wpa;
dst->individual_wep_key_len = src->individual_wep_key_len;
dst->eap_server = src->eap_server;
dst->ssl_ctx = src->ssl_ctx;
dst->msg_ctx = src->msg_ctx;
dst->eap_sim_db_priv = src->eap_sim_db_priv;
os_free(dst->eap_req_id_text);
dst->pwd_group = src->pwd_group;
dst->pbc_in_m1 = src->pbc_in_m1;
dst->server_id = src->server_id;
dst->server_id_len = src->server_id_len;
if (src->eap_req_id_text) {
dst->eap_req_id_text = os_memdup(src->eap_req_id_text,
src->eap_req_id_text_len);
@ -1212,38 +1179,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->eap_req_id_text = NULL;
dst->eap_req_id_text_len = 0;
}
if (src->pac_opaque_encr_key) {
dst->pac_opaque_encr_key = os_memdup(src->pac_opaque_encr_key,
16);
if (dst->pac_opaque_encr_key == NULL)
goto fail;
} else
dst->pac_opaque_encr_key = NULL;
if (src->eap_fast_a_id) {
dst->eap_fast_a_id = os_memdup(src->eap_fast_a_id,
src->eap_fast_a_id_len);
if (dst->eap_fast_a_id == NULL)
goto fail;
dst->eap_fast_a_id_len = src->eap_fast_a_id_len;
} else
dst->eap_fast_a_id = NULL;
if (src->eap_fast_a_id_info) {
dst->eap_fast_a_id_info = os_strdup(src->eap_fast_a_id_info);
if (dst->eap_fast_a_id_info == NULL)
goto fail;
} else
dst->eap_fast_a_id_info = NULL;
dst->eap_fast_prov = src->eap_fast_prov;
dst->pac_key_lifetime = src->pac_key_lifetime;
dst->pac_key_refresh_time = src->pac_key_refresh_time;
dst->eap_teap_auth = src->eap_teap_auth;
dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
dst->eap_teap_separate_result = src->eap_teap_separate_result;
dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
dst->eap_sim_id = src->eap_sim_id;
dst->tnc = src->tnc;
dst->wps = src->wps;
dst->fragment_size = src->fragment_size;
os_free(dst->erp_domain);
if (src->erp_domain) {
@ -1254,9 +1189,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->erp_domain = NULL;
}
dst->erp_send_reauth_start = src->erp_send_reauth_start;
dst->erp = src->erp;
dst->tls_session_lifetime = src->tls_session_lifetime;
dst->tls_flags = src->tls_flags;
return 0;
@ -1270,12 +1202,6 @@ static void eapol_auth_conf_free(struct eapol_auth_config *conf)
{
os_free(conf->eap_req_id_text);
conf->eap_req_id_text = NULL;
os_free(conf->pac_opaque_encr_key);
conf->pac_opaque_encr_key = NULL;
os_free(conf->eap_fast_a_id);
conf->eap_fast_a_id = NULL;
os_free(conf->eap_fast_a_id_info);
conf->eap_fast_a_id_info = NULL;
os_free(conf->erp_domain);
conf->erp_domain = NULL;
}

27
src/eapol_auth/eapol_auth_sm.h
Unescape Escape View File

@ -15,39 +15,14 @@
#define EAPOL_SM_FROM_PMKSA_CACHE BIT(3)
struct eapol_auth_config {
const struct eap_config *eap_cfg;
int eap_reauth_period;
int wpa;
int individual_wep_key_len;
int eap_server;
void *ssl_ctx;
void *msg_ctx;
void *eap_sim_db_priv;
char *eap_req_id_text; /* a copy of this will be allocated */
size_t eap_req_id_text_len;
int erp_send_reauth_start;
char *erp_domain; /* a copy of this will be allocated */
int erp; /* Whether ERP is enabled on authentication server */
unsigned int tls_session_lifetime;
unsigned int tls_flags;
u8 *pac_opaque_encr_key;
u8 *eap_fast_a_id;
size_t eap_fast_a_id_len;
char *eap_fast_a_id_info;
int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_teap_separate_result;
int eap_sim_aka_result_ind;
int eap_sim_id;
int tnc;
struct wps_context *wps;
int fragment_size;
u16 pwd_group;
int pbc_in_m1;
const u8 *server_id;
size_t server_id_len;
/* Opaque context pointer to owner data for callback functions */
void *ctx;

250
src/radius/radius_server.c
Unescape Escape View File

@ -161,146 +161,10 @@ struct radius_server_data {
*/
int num_sess;
/**
* eap_sim_db_priv - EAP-SIM/AKA database context
*
* This is passed to the EAP-SIM/AKA server implementation as a
* callback context.
*/
void *eap_sim_db_priv;
/**
* ssl_ctx - TLS context
*
* This is passed to the EAP server implementation as a callback
* context for TLS operations.
*/
void *ssl_ctx;
/**
* pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
*
* This parameter is used to set a key for EAP-FAST to encrypt the
* PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
* set, must point to a 16-octet key.
*/
u8 *pac_opaque_encr_key;
/**
* eap_fast_a_id - EAP-FAST authority identity (A-ID)
*
* If EAP-FAST is not used, this can be set to %NULL. In theory, this
* is a variable length field, but due to some existing implementations
* requiring A-ID to be 16 octets in length, it is recommended to use
* that length for the field to provide interoperability with deployed
* peer implementations.
*/
u8 *eap_fast_a_id;
/**
* eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
*/
size_t eap_fast_a_id_len;
/**
* eap_fast_a_id_info - EAP-FAST authority identifier information
*
* This A-ID-Info contains a user-friendly name for the A-ID. For
* example, this could be the enterprise and server names in
* human-readable format. This field is encoded as UTF-8. If EAP-FAST
* is not used, this can be set to %NULL.
*/
char *eap_fast_a_id_info;
/**
* eap_fast_prov - EAP-FAST provisioning modes
*
* 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
* 2 = only authenticated provisioning allowed, 3 = both provisioning
* modes allowed.
*/
int eap_fast_prov;
/**
* pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
*
* This is the hard limit on how long a provisioned PAC-Key can be
* used.
*/
int pac_key_lifetime;
/**
* pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
*
* This is a soft limit on the PAC-Key. The server will automatically
* generate a new PAC-Key when this number of seconds (or fewer) of the
* lifetime remains.
*/
int pac_key_refresh_time;
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_teap_separate_result;
/**
* eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
*
* This controls whether the protected success/failure indication
* (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
*/
int eap_sim_aka_result_ind;
int eap_sim_id;
/**
* tnc - Trusted Network Connect (TNC)
*
* This controls whether TNC is enabled and will be required before the
* peer is allowed to connect. Note: This is only used with EAP-TTLS
* and EAP-FAST. If any other EAP method is enabled, the peer will be
* allowed to connect without TNC.
*/
int tnc;
/**
* pwd_group - The D-H group assigned for EAP-pwd
*
* If EAP-pwd is not used it can be set to zero.
*/
u16 pwd_group;
/**
* server_id - Server identity
*/
const char *server_id;
/**
* erp - Whether EAP Re-authentication Protocol (ERP) is enabled
*
* This controls whether the authentication server derives ERP key
* hierarchy (rRK and rIK) from full EAP authentication and allows
* these keys to be used to perform ERP to derive rMSK instead of full
* EAP authentication to derive MSK.
*/
int erp;
const char *erp_domain;
struct dl_list erp_keys; /* struct eap_server_erp_key */
unsigned int tls_session_lifetime;
unsigned int tls_flags;
/**
* wps - Wi-Fi Protected Setup context
*
* If WPS is used with an external RADIUS server (which is quite
* unlikely configuration), this is used to provide a pointer to WPS
* context data. Normally, this can be set to %NULL.
*/
struct wps_context *wps;
/**
* ipv6 - Whether to enable IPv6 support in the RADIUS server
*/
@ -352,11 +216,6 @@ struct radius_server_data {
*/
size_t eap_req_id_text_len;
/*
* msg_ctx - Context data for wpa_msg() calls
*/
void *msg_ctx;
#ifdef CONFIG_RADIUS_TEST
char *dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */
@ -370,6 +229,8 @@ struct radius_server_data {
#ifdef CONFIG_SQLITE
sqlite3 *db;
#endif /* CONFIG_SQLITE */
struct eap_config *eap_cfg;
};
@ -620,7 +481,7 @@ radius_server_new_session(struct radius_server_data *data,
#ifdef CONFIG_TESTING_OPTIONS
static void radius_server_testing_options_tls(struct radius_session *sess,
const char *tls,
struct eap_config *eap_conf)
struct eap_session_data *eap_conf)
{
int test = atoi(tls);
@ -665,7 +526,7 @@ static void radius_server_testing_options_tls(struct radius_session *sess,
#endif /* CONFIG_TESTING_OPTIONS */
static void radius_server_testing_options(struct radius_session *sess,
struct eap_config *eap_conf)
struct eap_session_data *eap_conf)
{
#ifdef CONFIG_TESTING_OPTIONS
const char *pos;
@ -708,7 +569,7 @@ radius_server_get_new_session(struct radius_server_data *data,
size_t user_len, id_len;
int res;
struct radius_session *sess;
struct eap_config eap_conf;
struct eap_session_data eap_sess;
struct eap_user *tmp;
RADIUS_DEBUG("Creating a new session");
@ -726,7 +587,7 @@ radius_server_get_new_session(struct radius_server_data *data,
res = data->get_eap_user(data->conf_ctx, user, user_len, 0, tmp);
#ifdef CONFIG_ERP
if (res != 0 && data->erp) {
if (res != 0 && data->eap_cfg->erp) {
char *username;
username = os_zalloc(user_len + 1);
@ -785,35 +646,10 @@ radius_server_get_new_session(struct radius_server_data *data,
srv_log(sess, "New session created");
os_memset(&eap_conf, 0, sizeof(eap_conf));
eap_conf.ssl_ctx = data->ssl_ctx;
eap_conf.msg_ctx = data->msg_ctx;
eap_conf.eap_sim_db_priv = data->eap_sim_db_priv;
eap_conf.backend_auth = TRUE;
eap_conf.eap_server = 1;
eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
eap_conf.eap_fast_a_id = data->eap_fast_a_id;
eap_conf.eap_fast_a_id_len = data->eap_fast_a_id_len;
eap_conf.eap_fast_a_id_info = data->eap_fast_a_id_info;
eap_conf.eap_fast_prov = data->eap_fast_prov;
eap_conf.pac_key_lifetime = data->pac_key_lifetime;
eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
eap_conf.eap_teap_auth = data->eap_teap_auth;
eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
eap_conf.eap_teap_separate_result = data->eap_teap_separate_result;
eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
eap_conf.eap_sim_id = data->eap_sim_id;
eap_conf.tnc = data->tnc;
eap_conf.wps = data->wps;
eap_conf.pwd_group = data->pwd_group;
eap_conf.server_id = (const u8 *) data->server_id;
eap_conf.server_id_len = os_strlen(data->server_id);
eap_conf.erp = data->erp;
eap_conf.tls_session_lifetime = data->tls_session_lifetime;
eap_conf.tls_flags = data->tls_flags;
radius_server_testing_options(sess, &eap_conf);
os_memset(&eap_sess, 0, sizeof(eap_sess));
radius_server_testing_options(sess, &eap_sess);
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
&eap_conf);
data->eap_cfg, &eap_sess);
if (sess->eap == NULL) {
RADIUS_DEBUG("Failed to initialize EAP state machine for the "
"new session");
@ -2353,6 +2189,7 @@ struct radius_server_data *
radius_server_init(struct radius_server_conf *conf)
{
struct radius_server_data *data;
struct eap_config *eap_cfg;
#ifndef CONFIG_IPV6
if (conf->ipv6) {
@ -2365,45 +2202,56 @@ radius_server_init(struct radius_server_conf *conf)
if (data == NULL)
return NULL;
eap_cfg = data->eap_cfg = os_zalloc(sizeof(*eap_cfg));
if (!eap_cfg) {
os_free(data);
return NULL;
}
data->auth_sock = -1;
data->acct_sock = -1;
dl_list_init(&data->erp_keys);
os_get_reltime(&data->start_time);
data->conf_ctx = conf->conf_ctx;
data->eap_sim_db_priv = conf->eap_sim_db_priv;
data->ssl_ctx = conf->ssl_ctx;
data->msg_ctx = conf->msg_ctx;
eap_cfg->backend_auth = TRUE;
eap_cfg->eap_server = 1;
eap_cfg->eap_sim_db_priv = conf->eap_sim_db_priv;
eap_cfg->ssl_ctx = conf->ssl_ctx;
eap_cfg->msg_ctx = conf->msg_ctx;
data->ipv6 = conf->ipv6;
if (conf->pac_opaque_encr_key) {
data->pac_opaque_encr_key = os_malloc(16);
if (data->pac_opaque_encr_key) {
os_memcpy(data->pac_opaque_encr_key,
eap_cfg->pac_opaque_encr_key = os_malloc(16);
if (eap_cfg->pac_opaque_encr_key) {
os_memcpy(eap_cfg->pac_opaque_encr_key,
conf->pac_opaque_encr_key, 16);
}
}
if (conf->eap_fast_a_id) {
data->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
if (data->eap_fast_a_id) {
os_memcpy(data->eap_fast_a_id, conf->eap_fast_a_id,
eap_cfg->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
if (eap_cfg->eap_fast_a_id) {
os_memcpy(eap_cfg->eap_fast_a_id, conf->eap_fast_a_id,
conf->eap_fast_a_id_len);
data->eap_fast_a_id_len = conf->eap_fast_a_id_len;
eap_cfg->eap_fast_a_id_len = conf->eap_fast_a_id_len;
}
}
if (conf->eap_fast_a_id_info)
data->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
data->eap_fast_prov = conf->eap_fast_prov;
data->pac_key_lifetime = conf->pac_key_lifetime;
data->pac_key_refresh_time = conf->pac_key_refresh_time;
data->eap_teap_auth = conf->eap_teap_auth;
data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
data->eap_teap_separate_result = conf->eap_teap_separate_result;
eap_cfg->eap_fast_a_id_info =
os_strdup(conf->eap_fast_a_id_info);
eap_cfg->eap_fast_prov = conf->eap_fast_prov;
eap_cfg->pac_key_lifetime = conf->pac_key_lifetime;
eap_cfg->pac_key_refresh_time = conf->pac_key_refresh_time;
eap_cfg->eap_teap_auth = conf->eap_teap_auth;
eap_cfg->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
eap_cfg->eap_teap_separate_result = conf->eap_teap_separate_result;
data->get_eap_user = conf->get_eap_user;
data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
data->eap_sim_id = conf->eap_sim_id;
data->tnc = conf->tnc;
data->wps = conf->wps;
data->pwd_group = conf->pwd_group;
data->server_id = conf->server_id;
eap_cfg->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
eap_cfg->eap_sim_id = conf->eap_sim_id;
eap_cfg->tnc = conf->tnc;
eap_cfg->wps = conf->wps;
eap_cfg->pwd_group = conf->pwd_group;
if (conf->server_id) {
eap_cfg->server_id = (u8 *) os_strdup(conf->server_id);
eap_cfg->server_id_len = os_strlen(conf->server_id);
}
if (conf->eap_req_id_text) {
data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len);
if (data->eap_req_id_text) {
@ -2412,10 +2260,10 @@ radius_server_init(struct radius_server_conf *conf)
data->eap_req_id_text_len = conf->eap_req_id_text_len;
}
}
data->erp = conf->erp;
eap_cfg->erp = conf->erp;
data->erp_domain = conf->erp_domain;
data->tls_session_lifetime = conf->tls_session_lifetime;
data->tls_flags = conf->tls_flags;
eap_cfg->tls_session_lifetime = conf->tls_session_lifetime;
eap_cfg->tls_flags = conf->tls_flags;
if (conf->subscr_remediation_url) {
data->subscr_remediation_url =
@ -2537,9 +2385,6 @@ void radius_server_deinit(struct radius_server_data *data)
radius_server_free_clients(data, data->clients);
os_free(data->pac_opaque_encr_key);
os_free(data->eap_fast_a_id);
os_free(data->eap_fast_a_id_info);
os_free(data->eap_req_id_text);
#ifdef CONFIG_RADIUS_TEST
os_free(data->dump_msk_file);
@ -2554,6 +2399,7 @@ void radius_server_deinit(struct radius_server_data *data)
#endif /* CONFIG_SQLITE */
radius_server_erp_flush(data);
eap_server_config_free(data->eap_cfg);
os_free(data);
}

Write Preview
Loading…
Cancel
Save