diff --git a/eap_example/eap_example_server.c b/eap_example/eap_example_server.c index 145bb9f7e..1e91fa8ed 100644 --- a/eap_example/eap_example_server.c +++ b/eap_example/eap_example_server.c @@ -207,6 +207,8 @@ static int eap_server_register_methods(void) int eap_example_server_init(void) { + struct eap_session_data eap_sess; + if (eap_server_register_methods() < 0) return -1; @@ -223,7 +225,9 @@ int eap_example_server_init(void) eap_conf.eap_server = 1; eap_conf.ssl_ctx = eap_ctx.tls_ctx; - eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf); + os_memset(&eap_sess, 0, sizeof(eap_sess)); + eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf, + &eap_sess); if (eap_ctx.eap == NULL) return -1; diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h index 518c7f10b..5ae36e1f1 100644 --- a/src/ap/hostapd.h +++ b/src/ap/hostapd.h @@ -186,6 +186,7 @@ struct hostapd_data { struct wpa_authenticator *wpa_auth; struct eapol_authenticator *eapol_auth; + struct eap_config *eap_cfg; struct rsn_preauth_interface *preauth_iface; struct os_reltime michael_mic_failure; diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index a7a090190..34637f35e 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c 
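Review bot: `eap_conf` is handed to `eap_server_sm_init()` which, elsewhere in this commit, stores the pointer (`sm->cfg = conf`) instead of copying the fields as the old code did, so `eap_conf` must outlive `eap_ctx.eap`; its declaration is not in the hunk, and if it is a local of `eap_example_server_init()` rather than file-scope storage it dangles as soon as the function returns. `eap_sess` is different: its IEs are duplicated and `peer_addr` is copied during init, so the zeroed stack instance is fine. A one-line comment at the new declaration would make the asymmetry explicit, e.g. `/* Consumed during init only; eap_conf, by contrast, is retained by the state machine */`. The enclosing function continues past the hunk.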
@@ -2403,6 +2403,56 @@ static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) #endif /* CONFIG_ERP */ +static struct eap_config * ieee802_1x_eap_config(struct hostapd_data *hapd) +{ + struct eap_config *cfg; + + cfg = os_zalloc(sizeof(*cfg)); + if (!cfg) + return NULL; + + cfg->eap_server = hapd->conf->eap_server; + cfg->ssl_ctx = hapd->ssl_ctx; + cfg->msg_ctx = hapd->msg_ctx; + cfg->eap_sim_db_priv = hapd->eap_sim_db_priv; + cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime; + cfg->tls_flags = hapd->conf->tls_flags; + if (hapd->conf->pac_opaque_encr_key) + cfg->pac_opaque_encr_key = + os_memdup(hapd->conf->pac_opaque_encr_key, 16); + if (hapd->conf->eap_fast_a_id) { + cfg->eap_fast_a_id = os_memdup(hapd->conf->eap_fast_a_id, + hapd->conf->eap_fast_a_id_len); + cfg->eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; + } + if (hapd->conf->eap_fast_a_id_info) + cfg->eap_fast_a_id_info = + os_strdup(hapd->conf->eap_fast_a_id_info); + cfg->eap_fast_prov = hapd->conf->eap_fast_prov; + cfg->pac_key_lifetime = hapd->conf->pac_key_lifetime; + cfg->pac_key_refresh_time = hapd->conf->pac_key_refresh_time; + cfg->eap_teap_auth = hapd->conf->eap_teap_auth; + cfg->eap_teap_separate_result = hapd->conf->eap_teap_separate_result; + cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; + cfg->eap_sim_id = hapd->conf->eap_sim_id; + cfg->tnc = hapd->conf->tnc; + cfg->wps = hapd->wps; + cfg->fragment_size = hapd->conf->fragment_size; + cfg->pwd_group = hapd->conf->pwd_group; + cfg->pbc_in_m1 = hapd->conf->pbc_in_m1; + if (hapd->conf->server_id) { + cfg->server_id = (u8 *) os_strdup(hapd->conf->server_id); + cfg->server_id_len = os_strlen(hapd->conf->server_id); + } else { + cfg->server_id = (u8 *) os_strdup("hostapd"); + cfg->server_id_len = 7; + } + cfg->erp = hapd->conf->eap_server_erp; + + return cfg; +} + + int ieee802_1x_init(struct hostapd_data *hapd) { int i; 
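Review bot: None of the four allocations in `ieee802_1x_eap_config()` is checked, and `server_id_len` (and `eap_fast_a_id_len`) is set even when the matching `os_strdup()`/`os_memdup()` returned NULL, so on allocation failure the config carries a NULL `server_id` with a non-zero length; `eap_eke_init()` in this same commit then indexes `sm->cfg->server_id[i]` for `server_id_len` bytes without a NULL check. The EAP-FAST fields are safe by accident only because `eap_fast_init()` tests the pointers before the lengths. Since the function already returns NULL on the `os_zalloc()` failure and `eap_server_config_free()` tolerates partially filled configs, the simplest fix is to fail the whole config on any allocation error, which also keeps the "length implies buffer" invariant the rest of the code relies on.
```c
	if (hapd->conf->pac_opaque_encr_key) {
		cfg->pac_opaque_encr_key =
			os_memdup(hapd->conf->pac_opaque_encr_key, 16);
		if (!cfg->pac_opaque_encr_key)
			goto fail;
	}
	if (hapd->conf->eap_fast_a_id) {
		cfg->eap_fast_a_id = os_memdup(hapd->conf->eap_fast_a_id,
					       hapd->conf->eap_fast_a_id_len);
		if (!cfg->eap_fast_a_id)
			goto fail;
		cfg->eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
	}
	if (hapd->conf->eap_fast_a_id_info) {
		cfg->eap_fast_a_id_info =
			os_strdup(hapd->conf->eap_fast_a_id_info);
		if (!cfg->eap_fast_a_id_info)
			goto fail;
	}
	/* ... unchanged: scalar copies eap_fast_prov .. pbc_in_m1 ... */
	if (hapd->conf->server_id) {
		cfg->server_id = (u8 *) os_strdup(hapd->conf->server_id);
		cfg->server_id_len = os_strlen(hapd->conf->server_id);
	} else {
		cfg->server_id = (u8 *) os_strdup("hostapd");
		cfg->server_id_len = 7;
	}
	if (!cfg->server_id)
		goto fail;
	cfg->erp = hapd->conf->eap_server_erp;

	return cfg;

fail:
	eap_server_config_free(cfg);
	return NULL;
```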
@@ -2411,45 +2461,19 @@ int ieee802_1x_init(struct hostapd_data *hapd) dl_list_init(&hapd->erp_keys); + hapd->eap_cfg = ieee802_1x_eap_config(hapd); + if (!hapd->eap_cfg) + return -1; os_memset(&conf, 0, sizeof(conf)); + conf.eap_cfg = hapd->eap_cfg; conf.ctx = hapd; conf.eap_reauth_period = hapd->conf->eap_reauth_period; conf.wpa = hapd->conf->wpa; conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; - conf.eap_server = hapd->conf->eap_server; - conf.ssl_ctx = hapd->ssl_ctx; - conf.msg_ctx = hapd->msg_ctx; - conf.eap_sim_db_priv = hapd->eap_sim_db_priv; conf.eap_req_id_text = hapd->conf->eap_req_id_text; conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; conf.erp_domain = hapd->conf->erp_domain; - conf.erp = hapd->conf->eap_server_erp; - conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; - conf.tls_flags = hapd->conf->tls_flags; - conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; - conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; - conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; - conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; - conf.eap_fast_prov = hapd->conf->eap_fast_prov; - conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; - conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; - conf.eap_teap_auth = hapd->conf->eap_teap_auth; - conf.eap_teap_separate_result = hapd->conf->eap_teap_separate_result; - conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; - conf.eap_sim_id = hapd->conf->eap_sim_id; - conf.tnc = hapd->conf->tnc; - conf.wps = hapd->wps; - conf.fragment_size = hapd->conf->fragment_size; - conf.pwd_group = hapd->conf->pwd_group; - conf.pbc_in_m1 = hapd->conf->pbc_in_m1; - if (hapd->conf->server_id) { - conf.server_id = (const u8 *) hapd->conf->server_id; - conf.server_id_len = os_strlen(hapd->conf->server_id); - } else { - conf.server_id = (const u8 *) "hostapd"; - conf.server_id_len = 7; - } 
os_memset(&cb, 0, sizeof(cb)); cb.eapol_send = ieee802_1x_eapol_send; @@ -2520,6 +2544,9 @@ void ieee802_1x_deinit(struct hostapd_data *hapd) eapol_auth_deinit(hapd->eapol_auth); hapd->eapol_auth = NULL; + eap_server_config_free(hapd->eap_cfg); + hapd->eap_cfg = NULL; + ieee802_1x_erp_flush(hapd); } diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h index 8ce499aea..6988e0b0f 100644 --- a/src/eap_server/eap.h +++ b/src/eap_server/eap.h 
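Review bot: `hapd->eap_cfg` is allocated at the top of `ieee802_1x_init()` but the only release visible in this commit is in `ieee802_1x_deinit()`; if any later step of init fails (the function continues past the hunk, so I cannot see those paths) and the caller does not invoke `ieee802_1x_deinit()` on the half-initialized `hapd`, the config and its four duplicated buffers leak. If that is the case, the failure path(s) should do `eap_server_config_free(hapd->eap_cfg); hapd->eap_cfg = NULL;` before returning, mirroring deinit. Either way a short comment at the allocation, `/* Owned by hapd; shared by every eap_sm and released in ieee802_1x_deinit() */`, would record the ownership.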
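Review bot: The new `eap_server_config_free(hapd->eap_cfg)` in `ieee802_1x_deinit()` is correctly placed after `eapol_auth_deinit()`, but nothing says that order is load-bearing: every EAP state machine created under this authenticator keeps `sm->cfg` pointing into `hapd->eap_cfg`, so freeing first would turn the state-machine teardown into a use-after-free. Add `/* Must follow eapol_auth_deinit(): each eap_sm holds a pointer to this config */` above the call so a later reorder does not silently break it.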
@@ -108,39 +108,151 @@ struct eapol_callbacks { }; struct eap_config { + /** + * ssl_ctx - TLS context + * + * This is passed to the EAP server implementation as a callback + * context for TLS operations. + */ void *ssl_ctx; void *msg_ctx; + + /** + * eap_sim_db_priv - EAP-SIM/AKA database context + * + * This is passed to the EAP-SIM/AKA server implementation as a + * callback context. + */ void *eap_sim_db_priv; Boolean backend_auth; int eap_server; + + /** + * pwd_group - The D-H group assigned for EAP-pwd + * + * If EAP-pwd is not used it can be set to zero. + */ u16 pwd_group; + + /** + * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST + * + * This parameter is used to set a key for EAP-FAST to encrypt the + * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If + * set, must point to a 16-octet key. + */ u8 *pac_opaque_encr_key; + + /** + * eap_fast_a_id - EAP-FAST authority identity (A-ID) + * + * If EAP-FAST is not used, this can be set to %NULL. In theory, this + * is a variable length field, but due to some existing implementations + * requiring A-ID to be 16 octets in length, it is recommended to use + * that length for the field to provide interoperability with deployed + * peer implementations. + */ u8 *eap_fast_a_id; + + /** + * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets + */ size_t eap_fast_a_id_len; + /** + * eap_fast_a_id_info - EAP-FAST authority identifier information + * + * This A-ID-Info contains a user-friendly name for the A-ID. For + * example, this could be the enterprise and server names in + * human-readable format. This field is encoded as UTF-8. If EAP-FAST + * is not used, this can be set to %NULL. + */ char *eap_fast_a_id_info; - int eap_fast_prov; + + /** + * eap_fast_prov - EAP-FAST provisioning modes + * + * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, + * 2 = only authenticated provisioning allowed, 3 = both provisioning + * modes allowed. 
+ */ + enum { + NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV + } eap_fast_prov; + + /** + * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds + * + * This is the hard limit on how long a provisioned PAC-Key can be + * used. + */ int pac_key_lifetime; + + /** + * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds + * + * This is a soft limit on the PAC-Key. The server will automatically + * generate a new PAC-Key when this number of seconds (or fewer) of the + * lifetime remains. + */ int pac_key_refresh_time; int eap_teap_auth; int eap_teap_pac_no_inner; int eap_teap_separate_result; + + /** + * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication + * + * This controls whether the protected success/failure indication + * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. + */ int eap_sim_aka_result_ind; int eap_sim_id; + + /** + * tnc - Trusted Network Connect (TNC) + * + * This controls whether TNC is enabled and will be required before the + * peer is allowed to connect. Note: This is only used with EAP-TTLS + * and EAP-FAST. If any other EAP method is enabled, the peer will be + * allowed to connect without TNC. + */ int tnc; + + /** + * wps - Wi-Fi Protected Setup context + * + * If WPS is used with an external RADIUS server (which is quite + * unlikely configuration), this is used to provide a pointer to WPS + * context data. Normally, this can be set to %NULL. 
+ */ struct wps_context *wps; - const struct wpabuf *assoc_wps_ie; - const struct wpabuf *assoc_p2p_ie; - const u8 *peer_addr; int fragment_size; int pbc_in_m1; - const u8 *server_id; + /** + * server_id - Server identity + */ + u8 *server_id; size_t server_id_len; + + /** + * erp - Whether EAP Re-authentication Protocol (ERP) is enabled + * + * This controls whether the authentication server derives ERP key + * hierarchy (rRK and rIK) from full EAP authentication and allows + * these keys to be used to perform ERP to derive rMSK instead of full + * EAP authentication to derive MSK. + */ int erp; unsigned int tls_session_lifetime; unsigned int tls_flags; +}; +struct eap_session_data { + const struct wpabuf *assoc_wps_ie; + const struct wpabuf *assoc_p2p_ie; + const u8 *peer_addr; #ifdef CONFIG_TESTING_OPTIONS u32 tls_test_flags; #endif /* CONFIG_TESTING_OPTIONS */ @@ -149,7 +261,8 @@ struct eap_config { struct eap_sm * eap_server_sm_init(void *eapol_ctx, const struct eapol_callbacks *eapol_cb, - struct eap_config *eap_conf); + const struct eap_config *conf, + const struct eap_session_data *sess); void eap_server_sm_deinit(struct eap_sm *sm); int eap_server_sm_step(struct eap_sm *sm); void eap_sm_notify_cached(struct eap_sm *sm); @@ -166,5 +279,6 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source, const u8 *challenge, const u8 *response); void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len); void eap_user_free(struct eap_user *user); +void eap_server_config_free(struct eap_config *cfg); #endif /* EAP_H */ diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h index 4cad1f235..cbdad5f19 100644 --- a/src/eap_server/eap_i.h +++ b/src/eap_server/eap_i.h @@ -154,7 +154,7 @@ struct eap_sm { const struct eap_method *m; /* selected EAP method */ /* not defined in RFC 4137 */ Boolean changed; - void *eapol_ctx, *msg_ctx; + void *eapol_ctx; const struct eapol_callbacks *eapol_cb; void *eap_method_priv; u8 *identity; 
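Review bot: `struct eap_config` changes meaning in this hunk — it is now a long-lived object that each `eap_sm` references by pointer (not a transient parameter copied at init), and `server_id` drops its `const` because the config now owns the `pac_opaque_encr_key`, `eap_fast_a_id`, `eap_fast_a_id_info` and `server_id` buffers released by the new `eap_server_config_free()` — yet neither struct carries a header comment stating this, and `backend_auth`, `eap_server`, `eap_teap_*`, `fragment_size`, `pbc_in_m1` and all of `struct eap_session_data` remain undocumented. I would add a block comment above `struct eap_config` saying that the caller owns it, that it must stay valid and unmodified for the lifetime of every state machine initialised with it, which pointer members are owned (the four above, freed by `eap_server_config_free()`) versus borrowed (`ssl_ctx`, `msg_ctx`, `eap_sim_db_priv`, `wps`), and a matching comment on `struct eap_session_data` noting it is per-peer data only read during `eap_server_sm_init()`. Both structs start or end outside the visible hunk text.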
@@ -167,11 +167,9 @@ struct eap_sm { struct eap_user *user; int user_eap_method_index; int init_phase2; - void *ssl_ctx; - struct eap_sim_db_data *eap_sim_db_priv; - Boolean backend_auth; + const struct eap_config *cfg; + struct eap_config cfg_buf; Boolean update_user; - int eap_server; int num_rounds; enum { @@ -181,23 +179,6 @@ struct eap_sm { u8 *auth_challenge; u8 *peer_challenge; - u8 *pac_opaque_encr_key; - u8 *eap_fast_a_id; - size_t eap_fast_a_id_len; - char *eap_fast_a_id_info; - enum { - NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV - } eap_fast_prov; - int pac_key_lifetime; - int pac_key_refresh_time; - int eap_teap_auth; - int eap_teap_pac_no_inner; - int eap_teap_separate_result; - int eap_sim_aka_result_ind; - int eap_sim_id; - int tnc; - u16 pwd_group; - struct wps_context *wps; struct wpabuf *assoc_wps_ie; struct wpabuf *assoc_p2p_ie; @@ -205,19 +186,8 @@ struct eap_sm { u8 peer_addr[ETH_ALEN]; - /* Fragmentation size for EAP method init() handler */ - int fragment_size; - - int pbc_in_m1; - - const u8 *server_id; - size_t server_id_len; - Boolean initiate_reauth_start_sent; Boolean try_initiate_reauth; - int erp; - unsigned int tls_session_lifetime; - unsigned int tls_flags; #ifdef CONFIG_TESTING_OPTIONS u32 tls_test_flags; diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c index 8085394c9..4c6ba6d34 100644 --- a/src/eap_server/eap_server.c +++ b/src/eap_server/eap_server.c @@ -223,7 +223,7 @@ SM_STATE(EAP, INITIALIZE) { SM_ENTRY(EAP, INITIALIZE); - if (sm->eap_if.eapRestart && !sm->eap_server && sm->identity) { + if (sm->eap_if.eapRestart && !sm->cfg->eap_server && sm->identity) { /* * Need to allow internal Identity method to be used instead * of passthrough at the beginning of reauthentication. 
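Review bot: `cfg_buf` is added to `struct eap_sm` next to `cfg`, but nothing in this diff reads or writes it — `eap_server_sm_init()` stores the caller's pointer in `cfg` directly — so as far as this change shows it is an unused `struct eap_config` (with its new enum and several pointers) embedded in every per-session state machine. If it is meant as backing storage for a caller that has to build a per-sm config, say so with `/* Backing store for cfg when a caller builds the config per state machine */` and point `cfg` at it in that path; if no such caller exists in this commit, drop it. `struct eap_sm` starts before and ends after the visible hunks.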
@@ -257,7 +257,7 @@ SM_STATE(EAP, INITIALIZE) sm->m = NULL; sm->user_eap_method_index = 0; - if (sm->backend_auth) { + if (sm->cfg->backend_auth) { sm->currentMethod = EAP_TYPE_NONE; /* parse rxResp, respId, respMethod */ eap_sm_parseEapResp(sm, sm->eap_if.eapRespData); @@ -268,7 +268,7 @@ SM_STATE(EAP, INITIALIZE) sm->num_rounds = 0; sm->method_pending = METHOD_PENDING_NONE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED MACSTR, MAC2STR(sm->peer_addr)); } @@ -300,7 +300,7 @@ SM_STATE(EAP, PICK_UP_METHOD) } } - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD "method=%u", sm->currentMethod); } @@ -325,7 +325,7 @@ SM_STATE(EAP, RETRANSMIT) sm->eap_if.eapReq = TRUE; } - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR, + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR, MAC2STR(sm->peer_addr)); } @@ -530,7 +530,7 @@ SM_STATE(EAP, METHOD_RESPONSE) sm->eap_if.eapSessionId, sm->eap_if.eapSessionIdLen); } - if (sm->erp && sm->m->get_emsk && sm->eap_if.eapSessionId) + if (sm->cfg->erp && sm->m->get_emsk && sm->eap_if.eapSessionId) eap_server_erp_init(sm); sm->methodState = METHOD_END; } else { @@ -580,7 +580,7 @@ try_another_method: else sm->methodState = METHOD_PROPOSED; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD "vendor=%u method=%u", vendor, sm->currentMethod); eap_log_msg(sm, "Propose EAP method vendor=%u method=%u", vendor, sm->currentMethod); @@ -636,8 +636,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE) sm->eap_if.eapTimeout = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR, - MAC2STR(sm->peer_addr)); + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, + WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR, MAC2STR(sm->peer_addr)); } 
@@ -651,7 +651,7 @@ SM_STATE(EAP, FAILURE) sm->lastReqData = NULL; sm->eap_if.eapFail = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE MACSTR, MAC2STR(sm->peer_addr)); } @@ -668,7 +668,7 @@ SM_STATE(EAP, SUCCESS) sm->eap_if.eapKeyAvailable = TRUE; sm->eap_if.eapSuccess = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS MACSTR, MAC2STR(sm->peer_addr)); } @@ -755,7 +755,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm, if ((flags & 0x80) || !erp) { sm->eap_if.eapFail = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE MACSTR, MAC2STR(sm->peer_addr)); return; } @@ -783,7 +783,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm, sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen); sm->eap_if.eapSuccess = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS MACSTR, MAC2STR(sm->peer_addr)); } @@ -855,7 +855,7 @@ SM_STATE(EAP, INITIATE_RECEIVED) os_memcpy(nai, parse.keyname, parse.keyname_len); nai[parse.keyname_len] = '\0'; - if (!sm->eap_server) { + if (!sm->cfg->eap_server) { /* * In passthrough case, EAP-Initiate/Re-auth replaces * EAP Identity exchange. Use keyName-NAI as the user identity @@ -1018,7 +1018,7 @@ SM_STATE(EAP, RETRANSMIT2) sm->eap_if.eapReq = TRUE; } - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR, + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR, MAC2STR(sm->peer_addr)); } @@ -1111,8 +1111,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE2) sm->eap_if.eapTimeout = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR, - MAC2STR(sm->peer_addr)); + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, + WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR, MAC2STR(sm->peer_addr)); } 
@@ -1123,7 +1123,7 @@ SM_STATE(EAP, FAILURE2) eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData); sm->eap_if.eapFail = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR, + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR, MAC2STR(sm->peer_addr)); } @@ -1152,7 +1152,7 @@ SM_STATE(EAP, SUCCESS2) */ sm->start_reauth = TRUE; - wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR, + wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR, MAC2STR(sm->peer_addr)); } @@ -1173,7 +1173,7 @@ SM_STEP(EAP) } } else switch (sm->EAP_state) { case EAP_INITIALIZE: - if (sm->backend_auth) { + if (sm->cfg->backend_auth) { if (!sm->rxResp) SM_ENTER(EAP, SELECT_ACTION); else if (sm->rxResp && @@ -1336,7 +1336,7 @@ SM_STEP(EAP) else if (sm->decision == DECISION_INITIATE_REAUTH_START) SM_ENTER(EAP, INITIATE_REAUTH_START); #ifdef CONFIG_ERP - else if (sm->eap_server && sm->erp && sm->rxInitiate) + else if (sm->cfg->eap_server && sm->cfg->erp && sm->rxInitiate) SM_ENTER(EAP, INITIATE_RECEIVED); #endif /* CONFIG_ERP */ else @@ -1346,7 +1346,7 @@ SM_STEP(EAP) SM_ENTER(EAP, SEND_REQUEST); break; case EAP_INITIATE_RECEIVED: - if (!sm->eap_server) + if (!sm->cfg->eap_server) SM_ENTER(EAP, SELECT_ACTION); break; case EAP_TIMEOUT_FAILURE: @@ -1706,7 +1706,7 @@ static enum eap_type eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor) static int eap_sm_Policy_getDecision(struct eap_sm *sm) { - if (!sm->eap_server && sm->identity && !sm->start_reauth) { + if (!sm->cfg->eap_server && sm->identity && !sm->start_reauth) { wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH"); return DECISION_PASSTHROUGH; } @@ -1837,7 +1837,8 @@ void eap_user_free(struct eap_user *user) */ struct eap_sm * eap_server_sm_init(void *eapol_ctx, const struct eapol_callbacks *eapol_cb, - struct eap_config *conf) + const struct eap_config *conf, + const struct eap_session_data *sess) { struct eap_sm *sm; 
@@ -1847,55 +1848,15 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx, sm->eapol_ctx = eapol_ctx; sm->eapol_cb = eapol_cb; sm->MaxRetrans = 5; /* RFC 3748: max 3-5 retransmissions suggested */ - sm->ssl_ctx = conf->ssl_ctx; - sm->msg_ctx = conf->msg_ctx; - sm->eap_sim_db_priv = conf->eap_sim_db_priv; - sm->backend_auth = conf->backend_auth; - sm->eap_server = conf->eap_server; - if (conf->pac_opaque_encr_key) { - sm->pac_opaque_encr_key = os_malloc(16); - if (sm->pac_opaque_encr_key) { - os_memcpy(sm->pac_opaque_encr_key, - conf->pac_opaque_encr_key, 16); - } - } - if (conf->eap_fast_a_id) { - sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len); - if (sm->eap_fast_a_id) { - os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id, - conf->eap_fast_a_id_len); - sm->eap_fast_a_id_len = conf->eap_fast_a_id_len; - } - } - if (conf->eap_fast_a_id_info) - sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info); - sm->eap_fast_prov = conf->eap_fast_prov; - sm->pac_key_lifetime = conf->pac_key_lifetime; - sm->pac_key_refresh_time = conf->pac_key_refresh_time; - sm->eap_teap_auth = conf->eap_teap_auth; - sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; - sm->eap_teap_separate_result = conf->eap_teap_separate_result; - sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; - sm->eap_sim_id = conf->eap_sim_id; - sm->tnc = conf->tnc; - sm->wps = conf->wps; - if (conf->assoc_wps_ie) - sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie); - if (conf->assoc_p2p_ie) - sm->assoc_p2p_ie = wpabuf_dup(conf->assoc_p2p_ie); - if (conf->peer_addr) - os_memcpy(sm->peer_addr, conf->peer_addr, ETH_ALEN); - sm->fragment_size = conf->fragment_size; - sm->pwd_group = conf->pwd_group; - sm->pbc_in_m1 = conf->pbc_in_m1; - sm->server_id = conf->server_id; - sm->server_id_len = conf->server_id_len; - sm->erp = conf->erp; - sm->tls_session_lifetime = conf->tls_session_lifetime; - sm->tls_flags = conf->tls_flags; - + sm->cfg = conf; + if (sess->assoc_wps_ie) + sm->assoc_wps_ie = 
wpabuf_dup(sess->assoc_wps_ie); + if (sess->assoc_p2p_ie) + sm->assoc_p2p_ie = wpabuf_dup(sess->assoc_p2p_ie); + if (sess->peer_addr) + os_memcpy(sm->peer_addr, sess->peer_addr, ETH_ALEN); #ifdef CONFIG_TESTING_OPTIONS - sm->tls_test_flags = conf->tls_test_flags; + sm->tls_test_flags = sess->tls_test_flags; #endif /* CONFIG_TESTING_OPTIONS */ wpa_printf(MSG_DEBUG, "EAP: Server state machine created"); @@ -1925,9 +1886,6 @@ void eap_server_sm_deinit(struct eap_sm *sm) wpabuf_free(sm->eap_if.eapRespData); os_free(sm->identity); os_free(sm->serial_num); - os_free(sm->pac_opaque_encr_key); - os_free(sm->eap_fast_a_id); - os_free(sm->eap_fast_a_id_info); wpabuf_free(sm->eap_if.aaaEapReqData); wpabuf_free(sm->eap_if.aaaEapRespData); bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen); @@ -2117,3 +2075,15 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source, source, user, hex_challenge, hex_response); } #endif /* CONFIG_TESTING_OPTIONS */ + + +void eap_server_config_free(struct eap_config *cfg) +{ + if (!cfg) + return; + os_free(cfg->pac_opaque_encr_key); + os_free(cfg->eap_fast_a_id); + os_free(cfg->eap_fast_a_id_info); + os_free(cfg->server_id); + os_free(cfg); +} diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c index 4dadfe197..22dd965d6 100644 --- a/src/eap_server/eap_server_aka.c +++ b/src/eap_server/eap_server_aka.c @@ -100,7 +100,7 @@ static int eap_aka_check_identity_reauth(struct eap_sm *sm, return 0; wpa_printf(MSG_DEBUG, "EAP-AKA: Reauth username '%s'", username); - data->reauth = eap_sim_db_get_reauth_entry(sm->eap_sim_db_priv, + data->reauth = eap_sim_db_get_reauth_entry(sm->cfg->eap_sim_db_priv, username); if (data->reauth == NULL) { wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown reauth identity - " 
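Review bot: `eap_server_sm_init()` now dereferences `sess` unconditionally and keeps `conf` by pointer, and neither contract is stated in the function's kernel-doc block, whose tail is visible above the signature hunk. Callers that previously passed a config with no WPS/P2P/peer data must now supply a (possibly zeroed) `struct eap_session_data`, and the config must outlive the returned `sm` — the old code copied every field, so existing callers that pass a short-lived `struct eap_config` silently become use-after-free. Either document both in the kernel-doc (`@conf: Configuration; retained by reference, must remain valid and unmodified for the lifetime of the returned state machine` and `@sess: Per-session data; must be non-NULL, only read during this call`) or guard the `sess` reads with `if (sess)` so a NULL argument degrades to the old behaviour.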
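Review bot: `os_free(cfg->pac_opaque_encr_key)` in `eap_server_config_free()` releases the 16-octet PAC-Opaque encryption key without clearing it, so the key lingers in freed heap; this file already uses `bin_clear_free()` for key material (`aaaEapKeyData` in `eap_server_sm_deinit()` a few lines up), so the same should apply here: `bin_clear_free(cfg->pac_opaque_encr_key, 16);`. The other three buffers (`eap_fast_a_id`, `eap_fast_a_id_info`, `server_id`) are public identifiers and plain `os_free()` is fine for them.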
@@ -157,7 +157,7 @@ static void eap_aka_check_identity(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'", username); permanent = eap_sim_db_get_permanent( - sm->eap_sim_db_priv, username); + sm->cfg->eap_sim_db_priv, username); if (permanent == NULL) { os_free(username); wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym " @@ -182,7 +182,7 @@ static void * eap_aka_init(struct eap_sm *sm) { struct eap_aka_data *data; - if (sm->eap_sim_db_priv == NULL) { + if (!sm->cfg->eap_sim_db_priv) { wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured"); return NULL; } @@ -208,7 +208,7 @@ static void * eap_aka_prime_init(struct eap_sm *sm) /* TODO: make ANID configurable; see 3GPP TS 24.302 */ char *network_name = "WLAN"; - if (sm->eap_sim_db_priv == NULL) { + if (sm->cfg->eap_sim_db_priv == NULL) { wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured"); return NULL; } @@ -393,13 +393,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data, const u8 *nonce_s) { os_free(data->next_pseudonym); - if (!(sm->eap_sim_id & 0x01)) { + if (!(sm->cfg->eap_sim_id & 0x01)) { /* Use of pseudonyms disabled in configuration */ data->next_pseudonym = NULL; } else if (!nonce_s) { data->next_pseudonym = eap_sim_db_get_next_pseudonym( - sm->eap_sim_db_priv, + sm->cfg->eap_sim_db_priv, data->eap_method == EAP_TYPE_AKA_PRIME ? EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA); } else { @@ -407,13 +407,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data, data->next_pseudonym = NULL; } os_free(data->next_reauth_id); - if (!(sm->eap_sim_id & 0x02)) { + if (!(sm->cfg->eap_sim_id & 0x02)) { /* Use of fast reauth disabled in configuration */ data->next_reauth_id = NULL; } else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) { data->next_reauth_id = eap_sim_db_get_next_reauth_id( - sm->eap_sim_db_priv, + sm->cfg->eap_sim_db_priv, data->eap_method == EAP_TYPE_AKA_PRIME ? EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA); } else { 
@@ -505,7 +505,7 @@ static struct wpabuf * eap_aka_build_challenge(struct eap_sm *sm, eap_aka_add_checkcode(data, msg); - if (sm->eap_sim_aka_result_ind) { + if (sm->cfg->eap_sim_aka_result_ind) { wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); } @@ -582,7 +582,7 @@ static struct wpabuf * eap_aka_build_reauth(struct eap_sm *sm, eap_aka_add_checkcode(data, msg); - if (sm->eap_sim_aka_result_ind) { + if (sm->cfg->eap_sim_aka_result_ind) { wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); } @@ -767,7 +767,7 @@ static void eap_aka_determine_identity(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'", username); permanent = eap_sim_db_get_permanent( - sm->eap_sim_db_priv, username); + sm->cfg->eap_sim_db_priv, username); os_free(username); if (permanent == NULL) { wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym " @@ -803,7 +803,7 @@ static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data) size_t identity_len; int res; - res = eap_sim_db_get_aka_auth(sm->eap_sim_db_priv, data->permanent, + res = eap_sim_db_get_aka_auth(sm->cfg->eap_sim_db_priv, data->permanent, data->rand, data->autn, data->ik, data->ck, data->res, &data->res_len, sm); if (res == EAP_SIM_DB_PENDING) { @@ -998,7 +998,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-AKA: Challenge response includes the " "correct AT_MAC"); - if (sm->eap_sim_aka_result_ind && attr->result_ind) { + if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) { data->use_result_ind = 1; data->notification = EAP_SIM_SUCCESS; eap_aka_state(data, NOTIFICATION); 
@@ -1006,14 +1006,15 @@ static void eap_aka_process_challenge(struct eap_sm *sm, eap_aka_state(data, SUCCESS); if (data->next_pseudonym) { - eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent, + eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv, + data->permanent, data->next_pseudonym); data->next_pseudonym = NULL; } if (data->next_reauth_id) { if (data->eap_method == EAP_TYPE_AKA_PRIME) { #ifdef EAP_SERVER_AKA_PRIME - eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv, + eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv, data->permanent, data->next_reauth_id, data->counter + 1, @@ -1021,7 +1022,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm, data->k_re); #endif /* EAP_SERVER_AKA_PRIME */ } else { - eap_sim_db_add_reauth(sm->eap_sim_db_priv, + eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent, data->next_reauth_id, data->counter + 1, @@ -1051,7 +1052,7 @@ static void eap_aka_process_sync_failure(struct eap_sm *sm, * maintaining a local flag stating whether this AUTS has already been * reported. */ if (!data->auts_reported && - eap_sim_db_resynchronize(sm->eap_sim_db_priv, data->permanent, + eap_sim_db_resynchronize(sm->cfg->eap_sim_db_priv, data->permanent, attr->auts, data->rand)) { wpa_printf(MSG_WARNING, "EAP-AKA: Resynchronization failed"); data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; @@ -1118,7 +1119,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm, return; } - if (sm->eap_sim_aka_result_ind && attr->result_ind) { + if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) { data->use_result_ind = 1; data->notification = EAP_SIM_SUCCESS; eap_aka_state(data, NOTIFICATION); 
@@ -1128,7 +1129,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm, if (data->next_reauth_id) { if (data->eap_method == EAP_TYPE_AKA_PRIME) { #ifdef EAP_SERVER_AKA_PRIME - eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv, + eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv, data->permanent, data->next_reauth_id, data->counter + 1, @@ -1136,7 +1137,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm, data->k_re); #endif /* EAP_SERVER_AKA_PRIME */ } else { - eap_sim_db_add_reauth(sm->eap_sim_db_priv, + eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent, data->next_reauth_id, data->counter + 1, @@ -1144,7 +1145,8 @@ static void eap_aka_process_reauth(struct eap_sm *sm, } data->next_reauth_id = NULL; } else { - eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth); + eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, + data->reauth); data->reauth = NULL; } @@ -1153,7 +1155,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm, fail: data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; eap_aka_state(data, NOTIFICATION); - eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth); + eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth); data->reauth = NULL; os_free(decrypted); } diff --git a/src/eap_server/eap_server_eke.c b/src/eap_server/eap_server_eke.c index 71580bf7b..71fab9624 100644 --- a/src/eap_server/eap_server_eke.c +++ b/src/eap_server/eap_server_eke.c @@ -84,11 +84,11 @@ static void * eap_eke_init(struct eap_sm *sm) eap_eke_state(data, IDENTITY); data->serverid_type = EAP_EKE_ID_OPAQUE; - for (i = 0; i < sm->server_id_len; i++) { - if (sm->server_id[i] == '.' && + for (i = 0; i < sm->cfg->server_id_len; i++) { + if (sm->cfg->server_id[i] == '.' && data->serverid_type == EAP_EKE_ID_OPAQUE) data->serverid_type = EAP_EKE_ID_FQDN; - if (sm->server_id[i] == '@') + if (sm->cfg->server_id[i] == '@') data->serverid_type = EAP_EKE_ID_NAI; } 
@@ -186,7 +186,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Identity"); - plen = 2 + 4 * 4 + 1 + sm->server_id_len; + plen = 2 + 4 * 4 + 1 + sm->cfg->server_id_len; msg = eap_eke_build_msg(data, id, plen, EAP_EKE_ID); if (msg == NULL) return NULL; @@ -223,7 +223,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm, /* Server IDType + Identity */ wpabuf_put_u8(msg, data->serverid_type); - wpabuf_put_data(msg, sm->server_id, sm->server_id_len); + wpabuf_put_data(msg, sm->cfg->server_id, sm->cfg->server_id_len); wpabuf_free(data->msgs); data->msgs = wpabuf_dup(msg); @@ -252,7 +252,7 @@ static struct wpabuf * eap_eke_build_commit(struct eap_sm *sm, if (eap_eke_derive_key(&data->sess, sm->user->password, sm->user->password_len, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, sm->cfg->server_id_len, data->peerid, data->peerid_len, data->key) < 0) { wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key"); eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); @@ -338,7 +338,7 @@ static struct wpabuf * eap_eke_build_confirm(struct eap_sm *sm, wpabuf_put(msg, prot_len); if (eap_eke_derive_ka(&data->sess, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, sm->cfg->server_id_len, data->peerid, data->peerid_len, data->nonce_p, data->nonce_s) < 0) { wpabuf_free(msg); @@ -552,7 +552,7 @@ static void eap_eke_process_commit(struct eap_sm *sm, } if (eap_eke_derive_ke_ki(&data->sess, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, sm->cfg->server_id_len, data->peerid, data->peerid_len) < 0) { wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki"); eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 
@@ -641,7 +641,8 @@ static void eap_eke_process_confirm(struct eap_sm *sm, return; } - if (eap_eke_derive_msk(&data->sess, sm->server_id, sm->server_id_len, + if (eap_eke_derive_msk(&data->sess, sm->cfg->server_id, + sm->cfg->server_id_len, data->peerid, data->peerid_len, data->nonce_s, data->nonce_p, data->msk, data->emsk) < 0) { diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c index 98142db6e..0270821cc 100644 --- a/src/eap_server/eap_server_fast.c +++ b/src/eap_server/eap_server_fast.c @@ -278,7 +278,7 @@ static void eap_fast_derive_key_auth(struct eap_sm *sm, * Extra key material after TLS key_block: session_key_seed[40] */ - sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, + sks = eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn, EAP_FAST_SKS_LEN); if (sks == NULL) { wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " @@ -304,7 +304,7 @@ static void eap_fast_derive_key_provisioning(struct eap_sm *sm, { os_free(data->key_block_p); data->key_block_p = (struct eap_fast_key_block_provisioning *) - eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, + eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn, sizeof(*data->key_block_p)); if (data->key_block_p == NULL) { wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); @@ -440,7 +440,7 @@ static void * eap_fast_init(struct eap_sm *sm) return NULL; } - if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn, + if (tls_connection_set_cipher_list(sm->cfg->ssl_ctx, data->ssl.conn, ciphers) < 0) { wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher " "suites"); @@ -448,7 +448,8 @@ static void * eap_fast_init(struct eap_sm *sm) return NULL; } - if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, + if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx, + data->ssl.conn, eap_fast_session_ticket_cb, data) < 0) { wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket " 
@@ -457,47 +458,48 @@ static void * eap_fast_init(struct eap_sm *sm) return NULL; } - if (sm->pac_opaque_encr_key == NULL) { + if (sm->cfg->pac_opaque_encr_key == NULL) { wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key " "configured"); eap_fast_reset(sm, data); return NULL; } - os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, + os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key, sizeof(data->pac_opaque_encr)); - if (sm->eap_fast_a_id == NULL) { + if (sm->cfg->eap_fast_a_id == NULL) { wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured"); eap_fast_reset(sm, data); return NULL; } - data->srv_id = os_memdup(sm->eap_fast_a_id, sm->eap_fast_a_id_len); + data->srv_id = os_memdup(sm->cfg->eap_fast_a_id, + sm->cfg->eap_fast_a_id_len); if (data->srv_id == NULL) { eap_fast_reset(sm, data); return NULL; } - data->srv_id_len = sm->eap_fast_a_id_len; + data->srv_id_len = sm->cfg->eap_fast_a_id_len; - if (sm->eap_fast_a_id_info == NULL) { + if (sm->cfg->eap_fast_a_id_info == NULL) { wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured"); eap_fast_reset(sm, data); return NULL; } - data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); + data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info); if (data->srv_id_info == NULL) { eap_fast_reset(sm, data); return NULL; } /* PAC-Key lifetime in seconds (hard limit) */ - data->pac_key_lifetime = sm->pac_key_lifetime; + data->pac_key_lifetime = sm->cfg->pac_key_lifetime; /* * PAC-Key refresh time in seconds (soft limit on remaining hard * limit). The server will generate a new PAC-Key when this number of * seconds (or fewer) of the lifetime remains. */ - data->pac_key_refresh_time = sm->pac_key_refresh_time; + data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time; return data; } 
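Review bot: The copy at `os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key, sizeof(data->pac_opaque_encr))` takes its length from the destination, so the `pac_opaque_encr_key` pointer in the shared config must be backed by at least `sizeof(data->pac_opaque_encr)` bytes, and nothing in the new struct records a key length. Now that the field is populated by a different module than the one reading it, that contract should be written down where the field is declared, e.g. `/* Opaque PAC encryption key; must point to at least as many bytes as the EAP-FAST/TEAP pac_opaque_encr buffer, which is copied from it with a fixed sizeof */`. The same copy appears in the eap_teap_init hunk (`@@ -379,48 +380,49 @@`). eap_fast_init's body begins outside the hunk.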
@@ -552,8 +554,8 @@ static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data) wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2"); - if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) - < 0) { + if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn, + cipher, sizeof(cipher)) < 0) { wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher " "information"); eap_fast_state(data, FAILURE); @@ -872,7 +874,8 @@ static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id) case START: return eap_fast_build_start(sm, data, id); case PHASE1: - if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { + if (tls_connection_established(sm->cfg->ssl_ctx, + data->ssl.conn)) { if (eap_fast_phase1_done(sm, data) < 0) return NULL; if (data->state == PHASE2_START) { @@ -1082,7 +1085,7 @@ static void eap_fast_process_phase2_response(struct eap_sm *sm, next_vendor = EAP_VENDOR_IETF; next_type = EAP_TYPE_NONE; #ifdef EAP_SERVER_TNC - if (sm->tnc && !data->tnc_started) { + if (sm->cfg->tnc && !data->tnc_started) { wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC"); next_vendor = EAP_VENDOR_IETF; next_type = EAP_TYPE_TNC; @@ -1346,8 +1349,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, } if (data->anon_provisioning && - sm->eap_fast_prov != ANON_PROV && - sm->eap_fast_prov != BOTH_PROV) { + sm->cfg->eap_fast_prov != ANON_PROV && + sm->cfg->eap_fast_prov != BOTH_PROV) { wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " "use unauthenticated provisioning which is " "disabled"); @@ -1355,8 +1358,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, return; } - if (sm->eap_fast_prov != AUTH_PROV && - sm->eap_fast_prov != BOTH_PROV && + if (sm->cfg->eap_fast_prov != AUTH_PROV && + sm->cfg->eap_fast_prov != BOTH_PROV && tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && eap_fast_pac_type(tlv.pac, tlv.pac_len, PAC_TYPE_TUNNEL_PAC)) { 
@@ -1408,7 +1411,7 @@ static void eap_fast_process_phase2(struct eap_sm *sm, return; } - in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, + in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn, in_buf); if (in_decrypted == NULL) { wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 " @@ -1468,7 +1471,7 @@ static int eap_fast_process_phase1(struct eap_sm *sm, return -1; } - if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || + if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) || wpabuf_len(data->ssl.tls_out) > 0) return 1; diff --git a/src/eap_server/eap_server_gpsk.c b/src/eap_server/eap_server_gpsk.c index bebb17f40..a7742751a 100644 --- a/src/eap_server/eap_server_gpsk.c +++ b/src/eap_server/eap_server_gpsk.c @@ -117,7 +117,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm, wpa_hexdump(MSG_MSGDUMP, "EAP-GPSK: RAND_Server", data->rand_server, EAP_GPSK_RAND_LEN); - len = 1 + 2 + sm->server_id_len + EAP_GPSK_RAND_LEN + 2 + + len = 1 + 2 + sm->cfg->server_id_len + EAP_GPSK_RAND_LEN + 2 + data->csuite_count * sizeof(struct eap_gpsk_csuite); req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len, EAP_CODE_REQUEST, id); @@ -129,8 +129,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm, } wpabuf_put_u8(req, EAP_GPSK_OPCODE_GPSK_1); - wpabuf_put_be16(req, sm->server_id_len); - wpabuf_put_data(req, sm->server_id, sm->server_id_len); + wpabuf_put_be16(req, sm->cfg->server_id_len); + wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len); wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN); wpabuf_put_be16(req, data->csuite_count * sizeof(struct eap_gpsk_csuite)); 
@@ -152,7 +152,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-GPSK: Request/GPSK-3"); miclen = eap_gpsk_mic_len(data->vendor, data->specifier); - len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->server_id_len + + len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->cfg->server_id_len + sizeof(struct eap_gpsk_csuite) + 2 + miclen; req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len, EAP_CODE_REQUEST, id); @@ -168,8 +168,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm, wpabuf_put_data(req, data->rand_peer, EAP_GPSK_RAND_LEN); wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN); - wpabuf_put_be16(req, sm->server_id_len); - wpabuf_put_data(req, sm->server_id, sm->server_id_len); + wpabuf_put_be16(req, sm->cfg->server_id_len); + wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len); csuite = wpabuf_put(req, sizeof(*csuite)); WPA_PUT_BE32(csuite->vendor, data->vendor); WPA_PUT_BE16(csuite->specifier, data->specifier); @@ -294,8 +294,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm, eap_gpsk_state(data, FAILURE); return; } - if (alen != sm->server_id_len || - os_memcmp(pos, sm->server_id, alen) != 0) { + if (alen != sm->cfg->server_id_len || + os_memcmp(pos, sm->cfg->server_id, alen) != 0) { wpa_printf(MSG_DEBUG, "EAP-GPSK: ID_Server in GPSK-1 and " "GPSK-2 did not match"); eap_gpsk_state(data, FAILURE); @@ -409,7 +409,7 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm, data->vendor, data->specifier, data->rand_peer, data->rand_server, data->id_peer, data->id_peer_len, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, sm->cfg->server_id_len, data->msk, data->emsk, data->sk, &data->sk_len, data->pk, &data->pk_len) < 0) { 
@@ -423,7 +423,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm, data->vendor, data->specifier, data->rand_peer, data->rand_server, data->id_peer, data->id_peer_len, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, + sm->cfg->server_id_len, EAP_TYPE_GPSK, data->session_id, &data->id_len) < 0) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Failed to derive Session-Id"); diff --git a/src/eap_server/eap_server_ikev2.c b/src/eap_server/eap_server_ikev2.c index 32e687204..897637e8e 100644 --- a/src/eap_server/eap_server_ikev2.c +++ b/src/eap_server/eap_server_ikev2.c @@ -87,8 +87,8 @@ static void * eap_ikev2_init(struct eap_sm *sm) if (data == NULL) return NULL; data->state = MSG; - data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size : - IKEV2_FRAGMENT_SIZE; + data->fragment_size = sm->cfg->fragment_size > 0 ? + sm->cfg->fragment_size : IKEV2_FRAGMENT_SIZE; data->ikev2.state = SA_INIT; data->ikev2.peer_auth = PEER_AUTH_SECRET; data->ikev2.key_pad = (u8 *) os_strdup("Key Pad for EAP-IKEv2"); @@ -103,10 +103,10 @@ static void * eap_ikev2_init(struct eap_sm *sm) data->ikev2.proposal.encr = ENCR_AES_CBC; data->ikev2.proposal.dh = DH_GROUP2_1024BIT_MODP; - data->ikev2.IDi = os_memdup(sm->server_id, sm->server_id_len); + data->ikev2.IDi = os_memdup(sm->cfg->server_id, sm->cfg->server_id_len); if (data->ikev2.IDi == NULL) goto failed; - data->ikev2.IDi_len = sm->server_id_len; + data->ikev2.IDi_len = sm->cfg->server_id_len; data->ikev2.get_shared_secret = eap_ikev2_get_shared_secret; data->ikev2.cb_ctx = sm; @@ -414,7 +414,7 @@ static void eap_ikev2_process(struct eap_sm *sm, void *priv, eap_ikev2_state(data, FAIL); return; } - + if (flags & IKEV2_FLAGS_MORE_FRAGMENTS) { if (eap_ikev2_process_fragment(data, flags, message_length, pos, end - pos) < 0) diff --git a/src/eap_server/eap_server_mschapv2.c b/src/eap_server/eap_server_mschapv2.c index e9e03b0af..8a1621aff 100644 --- a/src/eap_server/eap_server_mschapv2.c +++ b/src/eap_server/eap_server_mschapv2.c 
@@ -109,7 +109,7 @@ static struct wpabuf * eap_mschapv2_build_challenge( return NULL; } - ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->server_id_len; + ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->cfg->server_id_len; req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, ms_len, EAP_CODE_REQUEST, id); if (req == NULL) { @@ -131,7 +131,7 @@ static struct wpabuf * eap_mschapv2_build_challenge( wpabuf_put(req, CHALLENGE_LEN); wpa_hexdump(MSG_MSGDUMP, "EAP-MSCHAPV2: Challenge", data->auth_challenge, CHALLENGE_LEN); - wpabuf_put_data(req, sm->server_id, sm->server_id_len); + wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len); return req; } diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c index 697460bac..02d8b8e88 100644 --- a/src/eap_server/eap_server_peap.c +++ b/src/eap_server/eap_server_peap.c @@ -105,8 +105,8 @@ static void eap_peap_valid_session(struct eap_sm *sm, { struct wpabuf *buf; - if (!sm->tls_session_lifetime || - tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) + if (!sm->cfg->tls_session_lifetime || + tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) return; buf = wpabuf_alloc(1 + 1 + sm->identity_len); @@ -336,7 +336,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) return -1; wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); - if (tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { + if (tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) { /* Fast-connect: IPMK|CMK = TK */ os_memcpy(data->ipmk, tk, 40); wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 
@@ -521,7 +521,8 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id) return eap_peap_build_start(sm, data, id); case PHASE1: case PHASE1_ID2: - if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { + if (tls_connection_established(sm->cfg->ssl_ctx, + data->ssl.conn)) { wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, " "starting Phase2"); eap_peap_state(data, PHASE2_START); @@ -1020,7 +1021,7 @@ static void eap_peap_process_phase2_response(struct eap_sm *sm, } #ifdef EAP_SERVER_TNC - if (data->state != PHASE2_SOH && sm->tnc && + if (data->state != PHASE2_SOH && sm->cfg->tnc && data->peap_version == 0) { eap_peap_state(data, PHASE2_SOH); wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize " @@ -1077,7 +1078,7 @@ static void eap_peap_process_phase2(struct eap_sm *sm, return; } - in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, + in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn, in_buf); if (in_decrypted == NULL) { wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 " @@ -1237,8 +1238,8 @@ static void eap_peap_process(struct eap_sm *sm, void *priv, } if (data->state == SUCCESS || - !tls_connection_established(sm->ssl_ctx, data->ssl.conn) || - !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) + !tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) || + !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) return; buf = tls_connection_get_success_data(data->ssl.conn); diff --git a/src/eap_server/eap_server_psk.c b/src/eap_server/eap_server_psk.c index 0eab89339..511973c94 100644 --- a/src/eap_server/eap_server_psk.c +++ b/src/eap_server/eap_server_psk.c 
@@ -68,7 +68,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm, data->rand_s, EAP_PSK_RAND_LEN); req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK, - sizeof(*psk) + sm->server_id_len, + sizeof(*psk) + sm->cfg->server_id_len, EAP_CODE_REQUEST, id); if (req == NULL) { wpa_printf(MSG_ERROR, "EAP-PSK: Failed to allocate memory " @@ -80,7 +80,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm, psk = wpabuf_put(req, sizeof(*psk)); psk->flags = EAP_PSK_FLAGS_SET_T(0); /* T=0 */ os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN); - wpabuf_put_data(req, sm->server_id, sm->server_id_len); + wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len); return req; } @@ -110,13 +110,13 @@ static struct wpabuf * eap_psk_build_3(struct eap_sm *sm, os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN); /* MAC_S = OMAC1-AES-128(AK, ID_S||RAND_P) */ - buflen = sm->server_id_len + EAP_PSK_RAND_LEN; + buflen = sm->cfg->server_id_len + EAP_PSK_RAND_LEN; buf = os_malloc(buflen); if (buf == NULL) goto fail; - os_memcpy(buf, sm->server_id, sm->server_id_len); - os_memcpy(buf + sm->server_id_len, data->rand_p, EAP_PSK_RAND_LEN); + os_memcpy(buf, sm->cfg->server_id, sm->cfg->server_id_len); + os_memcpy(buf + sm->cfg->server_id_len, data->rand_p, EAP_PSK_RAND_LEN); if (omac1_aes_128(data->ak, buf, buflen, psk->mac_s)) { os_free(buf); goto fail; @@ -293,7 +293,7 @@ static void eap_psk_process_2(struct eap_sm *sm, os_memcpy(data->rand_p, resp->rand_p, EAP_PSK_RAND_LEN); /* MAC_P = OMAC1-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P) */ - buflen = data->id_p_len + sm->server_id_len + 2 * EAP_PSK_RAND_LEN; + buflen = data->id_p_len + sm->cfg->server_id_len + 2 * EAP_PSK_RAND_LEN; buf = os_malloc(buflen); if (buf == NULL) { data->state = FAILURE; 
@@ -301,8 +301,8 @@ static void eap_psk_process_2(struct eap_sm *sm, } os_memcpy(buf, data->id_p, data->id_p_len); pos = buf + data->id_p_len; - os_memcpy(pos, sm->server_id, sm->server_id_len); - pos += sm->server_id_len; + os_memcpy(pos, sm->cfg->server_id, sm->cfg->server_id_len); + pos += sm->cfg->server_id_len; os_memcpy(pos, data->rand_s, EAP_PSK_RAND_LEN); pos += EAP_PSK_RAND_LEN; os_memcpy(pos, data->rand_p, EAP_PSK_RAND_LEN); diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c index a8087c1d8..6bf3a23d0 100644 --- a/src/eap_server/eap_server_pwd.c +++ b/src/eap_server/eap_server_pwd.c @@ -97,7 +97,7 @@ static void * eap_pwd_init(struct eap_sm *sm) if (data == NULL) return NULL; - data->group_num = sm->pwd_group; + data->group_num = sm->cfg->pwd_group; wpa_printf(MSG_DEBUG, "EAP-pwd: Selected group number %d", data->group_num); data->state = PWD_ID_Req; @@ -134,7 +134,7 @@ static void * eap_pwd_init(struct eap_sm *sm) data->in_frag_pos = data->out_frag_pos = 0; data->inbuf = data->outbuf = NULL; /* use default MTU from RFC 5931 if not configured otherwise */ - data->mtu = sm->fragment_size > 0 ? sm->fragment_size : 1020; + data->mtu = sm->cfg->fragment_size > 0 ? sm->cfg->fragment_size : 1020; return data; } diff --git a/src/eap_server/eap_server_sake.c b/src/eap_server/eap_server_sake.c index 2fc2c0575..56cfbfb32 100644 --- a/src/eap_server/eap_server_sake.c +++ b/src/eap_server/eap_server_sake.c @@ -123,7 +123,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Identity"); plen = 4; - plen += 2 + sm->server_id_len; + plen += 2 + sm->cfg->server_id_len; msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_IDENTITY); if (msg == NULL) { data->state = FAILURE; 
@@ -135,7 +135,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID"); eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID, - sm->server_id, sm->server_id_len); + sm->cfg->server_id, sm->cfg->server_id_len); return msg; } @@ -158,7 +158,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm, wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)", data->rand_s, EAP_SAKE_RAND_LEN); - plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->server_id_len; + plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->cfg->server_id_len; msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_CHALLENGE); if (msg == NULL) { data->state = FAILURE; @@ -171,7 +171,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID"); eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID, - sm->server_id, sm->server_id_len); + sm->cfg->server_id, sm->cfg->server_id_len); return msg; } @@ -198,7 +198,7 @@ static struct wpabuf * eap_sake_build_confirm(struct eap_sm *sm, wpabuf_put_u8(msg, 2 + EAP_SAKE_MIC_LEN); mic = wpabuf_put(msg, EAP_SAKE_MIC_LEN); if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, sm->cfg->server_id_len, data->peerid, data->peerid_len, 0, wpabuf_head(msg), wpabuf_len(msg), mic, mic)) { @@ -351,7 +351,7 @@ static void eap_sake_process_challenge(struct eap_sm *sm, } if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, sm->cfg->server_id_len, data->peerid, data->peerid_len, 1, wpabuf_head(respData), wpabuf_len(respData), attr.mic_p, mic_p) < 0) { 
@@ -392,7 +392,7 @@ static void eap_sake_process_confirm(struct eap_sm *sm, } if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p, - sm->server_id, sm->server_id_len, + sm->cfg->server_id, sm->cfg->server_id_len, data->peerid, data->peerid_len, 1, wpabuf_head(respData), wpabuf_len(respData), attr.mic_p, mic_p) < 0) { diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c index 5243568e7..d7ac87ce5 100644 --- a/src/eap_server/eap_server_sim.c +++ b/src/eap_server/eap_server_sim.c @@ -76,7 +76,7 @@ static void * eap_sim_init(struct eap_sm *sm) { struct eap_sim_data *data; - if (sm->eap_sim_db_priv == NULL) { + if (!sm->cfg->eap_sim_db_priv) { wpa_printf(MSG_WARNING, "EAP-SIM: eap_sim_db not configured"); return NULL; } @@ -150,24 +150,24 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data, const u8 *nonce_s) { os_free(data->next_pseudonym); - if (!(sm->eap_sim_id & 0x01)) { + if (!(sm->cfg->eap_sim_id & 0x01)) { /* Use of pseudonyms disabled in configuration */ data->next_pseudonym = NULL; } else if (!nonce_s) { data->next_pseudonym = - eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, + eap_sim_db_get_next_pseudonym(sm->cfg->eap_sim_db_priv, EAP_SIM_DB_SIM); } else { /* Do not update pseudonym during re-authentication */ data->next_pseudonym = NULL; } os_free(data->next_reauth_id); - if (!(sm->eap_sim_id & 0x02)) { + if (!(sm->cfg->eap_sim_id & 0x02)) { /* Use of fast reauth disabled in configuration */ data->next_reauth_id = NULL; } else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) { data->next_reauth_id = - eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv, + eap_sim_db_get_next_reauth_id(sm->cfg->eap_sim_db_priv, EAP_SIM_DB_SIM); } else { wpa_printf(MSG_DEBUG, "EAP-SIM: Max fast re-authentication " 
@@ -240,7 +240,7 @@ static struct wpabuf * eap_sim_build_challenge(struct eap_sm *sm, return NULL; } - if (sm->eap_sim_aka_result_ind) { + if (sm->cfg->eap_sim_aka_result_ind) { wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); } @@ -279,7 +279,7 @@ static struct wpabuf * eap_sim_build_reauth(struct eap_sm *sm, return NULL; } - if (sm->eap_sim_aka_result_ind) { + if (sm->cfg->eap_sim_aka_result_ind) { wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); } @@ -475,7 +475,7 @@ static void eap_sim_process_start(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-SIM: Reauth username '%s'", username); data->reauth = eap_sim_db_get_reauth_entry( - sm->eap_sim_db_priv, username); + sm->cfg->eap_sim_db_priv, username); os_free(username); if (data->reauth == NULL) { wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown reauth " @@ -497,7 +497,7 @@ static void eap_sim_process_start(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-SIM: Pseudonym username '%s'", username); permanent = eap_sim_db_get_permanent( - sm->eap_sim_db_priv, username); + sm->cfg->eap_sim_db_priv, username); os_free(username); if (permanent == NULL) { wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown pseudonym " @@ -538,7 +538,7 @@ skip_id_update: data->reauth = NULL; data->num_chal = eap_sim_db_get_gsm_triplets( - sm->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL, + sm->cfg->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL, (u8 *) data->rand, (u8 *) data->kc, (u8 *) data->sres, sm); if (data->num_chal == EAP_SIM_DB_PENDING) { wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication triplets " 
@@ -599,7 +599,7 @@ static void eap_sim_process_challenge(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-SIM: Challenge response includes the " "correct AT_MAC"); - if (sm->eap_sim_aka_result_ind && attr->result_ind) { + if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) { data->use_result_ind = 1; data->notification = EAP_SIM_SUCCESS; eap_sim_state(data, NOTIFICATION); @@ -607,12 +607,13 @@ static void eap_sim_process_challenge(struct eap_sm *sm, eap_sim_state(data, SUCCESS); if (data->next_pseudonym) { - eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent, + eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv, + data->permanent, data->next_pseudonym); data->next_pseudonym = NULL; } if (data->next_reauth_id) { - eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent, + eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent, data->next_reauth_id, data->counter + 1, data->mk); data->next_reauth_id = NULL; @@ -672,7 +673,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm, return; } - if (sm->eap_sim_aka_result_ind && attr->result_ind) { + if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) { data->use_result_ind = 1; data->notification = EAP_SIM_SUCCESS; eap_sim_state(data, NOTIFICATION); @@ -680,12 +681,13 @@ static void eap_sim_process_reauth(struct eap_sm *sm, eap_sim_state(data, SUCCESS); if (data->next_reauth_id) { - eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent, + eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent, data->next_reauth_id, data->counter + 1, data->mk); data->next_reauth_id = NULL; } else { - eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth); + eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, + data->reauth); data->reauth = NULL; } 
@@ -694,7 +696,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm, fail: data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; eap_sim_state(data, NOTIFICATION); - eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth); + eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth); data->reauth = NULL; os_free(decrypted); } diff --git a/src/eap_server/eap_server_teap.c b/src/eap_server/eap_server_teap.c index 34a0d4c2e..f2f917b77 100644 --- a/src/eap_server/eap_server_teap.c +++ b/src/eap_server/eap_server_teap.c @@ -287,7 +287,7 @@ static int eap_teap_derive_key_auth(struct eap_sm *sm, int res; /* RFC 7170, Section 5.1 */ - res = tls_connection_export_key(sm->ssl_ctx, data->ssl.conn, + res = tls_connection_export_key(sm->cfg->ssl_ctx, data->ssl.conn, TEAP_TLS_EXPORTER_LABEL_SKS, NULL, 0, data->simck_msk, EAP_TEAP_SIMCK_LEN); if (res) @@ -310,7 +310,7 @@ static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data) wpa_printf(MSG_DEBUG, "EAP-TEAP: Deriving ICMK[%d] (S-IMCK and CMK)", data->simck_idx + 1); - if (sm->eap_teap_auth == 1) + if (sm->cfg->eap_teap_auth == 1) return eap_teap_derive_cmk_basic_pw_auth(data->tls_cs, data->simck_msk, data->cmk_msk); @@ -370,7 +370,8 @@ static void * eap_teap_init(struct eap_sm *sm) /* TODO: Add anon-DH TLS cipher suites (and if one is negotiated, * enforce inner EAP with mutual authentication to be used) */ - if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, + if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx, + data->ssl.conn, eap_teap_session_ticket_cb, data) < 0) { wpa_printf(MSG_INFO, 
@@ -379,48 +380,49 @@ static void * eap_teap_init(struct eap_sm *sm) return NULL; } - if (!sm->pac_opaque_encr_key) { + if (!sm->cfg->pac_opaque_encr_key) { wpa_printf(MSG_INFO, "EAP-TEAP: No PAC-Opaque encryption key configured"); eap_teap_reset(sm, data); return NULL; } - os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, + os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key, sizeof(data->pac_opaque_encr)); - if (!sm->eap_fast_a_id) { + if (!sm->cfg->eap_fast_a_id) { wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID configured"); eap_teap_reset(sm, data); return NULL; } - data->srv_id = os_malloc(sm->eap_fast_a_id_len); + data->srv_id = os_malloc(sm->cfg->eap_fast_a_id_len); if (!data->srv_id) { eap_teap_reset(sm, data); return NULL; } - os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len); - data->srv_id_len = sm->eap_fast_a_id_len; + os_memcpy(data->srv_id, sm->cfg->eap_fast_a_id, + sm->cfg->eap_fast_a_id_len); + data->srv_id_len = sm->cfg->eap_fast_a_id_len; - if (!sm->eap_fast_a_id_info) { + if (!sm->cfg->eap_fast_a_id_info) { wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID-Info configured"); eap_teap_reset(sm, data); return NULL; } - data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); + data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info); if (!data->srv_id_info) { eap_teap_reset(sm, data); return NULL; } /* PAC-Key lifetime in seconds (hard limit) */ - data->pac_key_lifetime = sm->pac_key_lifetime; + data->pac_key_lifetime = sm->cfg->pac_key_lifetime; /* * PAC-Key refresh time in seconds (soft limit on remaining hard * limit). The server will generate a new PAC-Key when this number of * seconds (or fewer) of the lifetime remains. */ - data->pac_key_refresh_time = sm->pac_key_refresh_time; + data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time; return data; } 
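Review bot: The A-ID copy is written as `os_malloc` followed by a separate `os_memcpy`, which the commit then has to re-wrap, whereas the equivalent lines in the eap_fast_init hunk use `os_memdup`; replacing the pair with `data->srv_id = os_memdup(sm->cfg->eap_fast_a_id, sm->cfg->eap_fast_a_id_len);` keeps the two init paths identical and removes the wrapped memcpy. The NULL check on `data->srv_id` that follows stays as it is. eap_teap_init's body begins outside the hunk.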
@@ -500,8 +502,8 @@ static int eap_teap_phase1_done(struct eap_sm *sm, struct eap_teap_data *data) wpa_printf(MSG_DEBUG, "EAP-TEAP: TLS cipher suite 0x%04x", data->tls_cs); - if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) - < 0) { + if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn, + cipher, sizeof(cipher)) < 0) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Failed to get cipher information"); eap_teap_state(data, FAILURE); @@ -529,7 +531,7 @@ static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm, { struct wpabuf *req; - if (sm->eap_teap_auth == 1) { + if (sm->cfg->eap_teap_auth == 1) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth"); req = wpabuf_alloc(sizeof(struct teap_tlv_hdr)); if (!req) @@ -567,7 +569,7 @@ static struct wpabuf * eap_teap_build_crypto_binding( return NULL; if (data->send_new_pac || data->anon_provisioning || - data->phase2_method || sm->eap_teap_separate_result) + data->phase2_method || sm->cfg->eap_teap_separate_result) data->final_result = 0; else data->final_result = 1; @@ -846,7 +848,8 @@ static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id) case START: return eap_teap_build_start(sm, data, id); case PHASE1B: - if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { + if (tls_connection_established(sm->cfg->ssl_ctx, + data->ssl.conn)) { if (eap_teap_phase1_done(sm, data) < 0) return NULL; if (data->state == PHASE2_START) { @@ -1072,7 +1075,7 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm, next_vendor = EAP_VENDOR_IETF; next_type = EAP_TYPE_NONE; #ifdef EAP_SERVER_TNC - if (sm->tnc && !data->tnc_started) { + if (sm->cfg->tnc && !data->tnc_started) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC"); next_vendor = EAP_VENDOR_IETF; next_type = EAP_TYPE_TNC; 
@@ -1463,7 +1466,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm, return; } - if (sm->eap_teap_auth != 1 && + if (sm->cfg->eap_teap_auth != 1 && tlv.iresult != TEAP_STATUS_SUCCESS) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Crypto-Binding TLV without intermediate Success Result"); @@ -1485,16 +1488,16 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm, } if (data->anon_provisioning && - sm->eap_fast_prov != ANON_PROV && - sm->eap_fast_prov != BOTH_PROV) { + sm->cfg->eap_fast_prov != ANON_PROV && + sm->cfg->eap_fast_prov != BOTH_PROV) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Client is trying to use unauthenticated provisioning which is disabled"); eap_teap_state(data, FAILURE); return; } - if (sm->eap_fast_prov != AUTH_PROV && - sm->eap_fast_prov != BOTH_PROV && + if (sm->cfg->eap_fast_prov != AUTH_PROV && + sm->cfg->eap_fast_prov != BOTH_PROV && tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV && eap_teap_pac_type(tlv.pac, tlv.pac_len, PAC_TYPE_TUNNEL_PAC)) { @@ -1517,13 +1520,13 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm, eap_teap_state(data, REQUEST_PAC); } else if (data->final_result) { eap_teap_state(data, SUCCESS); - } else if (sm->eap_teap_separate_result) { + } else if (sm->cfg->eap_teap_separate_result) { eap_teap_state(data, SUCCESS_SEND_RESULT); } } if (tlv.basic_auth_resp) { - if (sm->eap_teap_auth != 1) { + if (sm->cfg->eap_teap_auth != 1) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Unexpected Basic-Password-Auth-Resp when trying to use inner EAP"); eap_teap_state(data, FAILURE); @@ -1534,7 +1537,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm, } if (tlv.eap_payload_tlv) { - if (sm->eap_teap_auth == 1) { + if (sm->cfg->eap_teap_auth == 1) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Unexpected EAP Payload TLV when trying to use Basic-Password-Auth"); eap_teap_state(data, FAILURE); 
@@ -1573,7 +1576,7 @@ static void eap_teap_process_phase2(struct eap_sm *sm, return; } - in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, + in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn, in_buf); if (!in_decrypted) { wpa_printf(MSG_INFO, @@ -1634,7 +1637,7 @@ static int eap_teap_process_phase1(struct eap_sm *sm, return -1; } - if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || + if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) || wpabuf_len(data->ssl.tls_out) > 0) return 1; @@ -1668,7 +1671,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm, next_vendor = EAP_VENDOR_IETF; next_type = EAP_TYPE_NONE; eap_teap_state(data, PHASE2_METHOD); - } else if (sm->eap_teap_pac_no_inner) { + } else if (sm->cfg->eap_teap_pac_no_inner) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Used PAC and identity already known - skip inner auth"); /* FIX: Need to derive CMK here. However, how is that @@ -1679,7 +1682,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm, data->cmk_msk); eap_teap_state(data, CRYPTO_BINDING); return 1; - } else if (sm->eap_teap_auth == 1) { + } else if (sm->cfg->eap_teap_auth == 1) { eap_teap_state(data, PHASE2_BASIC_AUTH); return 1; } else { @@ -1691,7 +1694,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm, eap_teap_state(data, PHASE2_METHOD); } - } else if (sm->eap_teap_auth == 1) { + } else if (sm->cfg->eap_teap_auth == 1) { eap_teap_state(data, PHASE2_BASIC_AUTH); return 0; } else { diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c index 0712d4ccd..c64cebb40 100644 --- a/src/eap_server/eap_server_tls.c +++ b/src/eap_server/eap_server_tls.c @@ -58,7 +58,7 @@ static void eap_tls_valid_session(struct eap_sm *sm, struct eap_tls_data *data) { struct wpabuf *buf; - if (!sm->tls_session_lifetime) + if (!sm->cfg->tls_session_lifetime) return; buf = wpabuf_alloc(1); 
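Review bot: `sm->cfg->eap_teap_pac_no_inner` is read in the `@@ -1668,7 +1671,7 @@` hunk, but of all the fields moved in this series it is the one for which the diff does not show the shared config being populated; the config is built outside these files, so please confirm that the producer copies `eap_teap_pac_no_inner` into `struct eap_config`, otherwise this branch silently becomes unreachable after the refactor. A short comment at the field's declaration naming who sets it would make that dependency visible to the next reader. eap_teap_process_phase2_start's body begins outside the hunk.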
@@ -187,7 +187,8 @@ static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id) case START: return eap_tls_build_start(sm, data, id); case CONTINUE: - if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) + if (tls_connection_established(sm->cfg->ssl_ctx, + data->ssl.conn)) data->established = 1; break; default: @@ -267,7 +268,7 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv, } if (data->ssl.tls_v13 && - tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { + tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn)) { struct wpabuf *plain, *encr; wpa_printf(MSG_DEBUG, @@ -315,8 +316,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv, return; } - if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || - !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) + if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) || + !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) return; buf = tls_connection_get_success_data(data->ssl.conn); diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c index 5daee9081..b38f1e0ba 100644 --- a/src/eap_server/eap_server_tls_common.c +++ b/src/eap_server/eap_server_tls_common.c @@ -47,9 +47,9 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, int verify_peer, int eap_type) { u8 session_ctx[8]; - unsigned int flags = sm->tls_flags; + unsigned int flags = sm->cfg->tls_flags; - if (sm->ssl_ctx == NULL) { + if (!sm->cfg->ssl_ctx) { wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method"); return -1; } @@ -57,7 +57,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, data->eap = sm; data->phase2 = sm->init_phase2; - data->conn = tls_connection_init(sm->ssl_ctx); + data->conn = tls_connection_init(sm->cfg->ssl_ctx); if (data->conn == NULL) { wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS " "connection"); 
@@ -75,17 +75,18 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, flags |= TLS_CONN_DISABLE_SESSION_TICKET; os_memcpy(session_ctx, "hostapd", 7); session_ctx[7] = (u8) eap_type; - if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer, + if (tls_connection_set_verify(sm->cfg->ssl_ctx, data->conn, verify_peer, flags, session_ctx, sizeof(session_ctx))) { wpa_printf(MSG_INFO, "SSL: Failed to configure verification " "of TLS peer certificate"); - tls_connection_deinit(sm->ssl_ctx, data->conn); + tls_connection_deinit(sm->cfg->ssl_ctx, data->conn); data->conn = NULL; return -1; } - data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398; + data->tls_out_limit = sm->cfg->fragment_size > 0 ? + sm->cfg->fragment_size : 1398; if (data->phase2) { /* Limit the fragment size in the inner TLS authentication * since the outer authentication with EAP-PEAP does not yet @@ -99,7 +100,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) { - tls_connection_deinit(sm->ssl_ctx, data->conn); + tls_connection_deinit(sm->cfg->ssl_ctx, data->conn); eap_server_tls_free_in_buf(data); wpabuf_free(data->tls_out); data->tls_out = NULL; @@ -116,7 +117,7 @@ u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, if (out == NULL) return NULL; - if (tls_connection_export_key(sm->ssl_ctx, data->conn, label, + if (tls_connection_export_key(sm->cfg->ssl_ctx, data->conn, label, context, context_len, out, len)) { os_free(out); return NULL; @@ -170,7 +171,7 @@ u8 * eap_server_tls_derive_session_id(struct eap_sm *sm, return id; } - if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys)) + if (tls_connection_get_random(sm->cfg->ssl_ctx, data->conn, &keys)) return NULL; if (keys.client_random == NULL || keys.server_random == NULL) 
@@ -340,29 +341,30 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data) WPA_ASSERT(data->tls_out == NULL); } - data->tls_out = tls_connection_server_handshake(sm->ssl_ctx, + data->tls_out = tls_connection_server_handshake(sm->cfg->ssl_ctx, data->conn, data->tls_in, NULL); if (data->tls_out == NULL) { wpa_printf(MSG_INFO, "SSL: TLS processing failed"); return -1; } - if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) { + if (tls_connection_get_failed(sm->cfg->ssl_ctx, data->conn)) { /* TLS processing has failed - return error */ wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to " "report error"); return -1; } - if (tls_get_version(sm->ssl_ctx, data->conn, buf, sizeof(buf)) == 0) { + if (tls_get_version(sm->cfg->ssl_ctx, data->conn, + buf, sizeof(buf)) == 0) { wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf); data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0; } if (!sm->serial_num && - tls_connection_established(sm->ssl_ctx, data->conn)) - sm->serial_num = tls_connection_peer_serial_num(sm->ssl_ctx, - data->conn); + tls_connection_established(sm->cfg->ssl_ctx, data->conn)) + sm->serial_num = tls_connection_peer_serial_num( + sm->cfg->ssl_ctx, data->conn); return 0; } @@ -451,8 +453,7 @@ struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm, { struct wpabuf *buf; - buf = tls_connection_encrypt(sm->ssl_ctx, data->conn, - plain); + buf = tls_connection_encrypt(sm->cfg->ssl_ctx, data->conn, plain); if (buf == NULL) { wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data"); return NULL; @@ -506,7 +507,7 @@ int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data, if (proc_msg) proc_msg(sm, priv, respData); - if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) { + if (tls_connection_get_write_alerts(sm->cfg->ssl_ctx, data->conn) > 1) { wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in " "TLS processing"); res = -1; 
diff --git a/src/eap_server/eap_server_tnc.c b/src/eap_server/eap_server_tnc.c index b568558fd..f6cdcb1ef 100644 --- a/src/eap_server/eap_server_tnc.c +++ b/src/eap_server/eap_server_tnc.c @@ -84,8 +84,8 @@ static void * eap_tnc_init(struct eap_sm *sm) return NULL; } - data->fragment_size = sm->fragment_size > 100 ? - sm->fragment_size - 98 : 1300; + data->fragment_size = sm->cfg->fragment_size > 100 ? + sm->cfg->fragment_size - 98 : 1300; return data; } @@ -508,7 +508,7 @@ static void eap_tnc_process(struct eap_sm *sm, void *priv, eap_tnc_set_state(data, FAIL); return; } - + if (flags & EAP_TNC_FLAGS_MORE_FRAGMENTS) { if (eap_tnc_process_fragment(data, flags, message_length, pos, end - pos) < 0) diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c index caeef35cb..721835dbf 100644 --- a/src/eap_server/eap_server_ttls.c +++ b/src/eap_server/eap_server_ttls.c @@ -81,7 +81,7 @@ static void eap_ttls_valid_session(struct eap_sm *sm, { struct wpabuf *buf; - if (!sm->tls_session_lifetime) + if (!sm->cfg->tls_session_lifetime) return; buf = wpabuf_alloc(1 + 1 + sm->identity_len); @@ -480,7 +480,8 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id) case START: return eap_ttls_build_start(sm, data, id); case PHASE1: - if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { + if (tls_connection_established(sm->cfg->ssl_ctx, + data->ssl.conn)) { wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, " "starting Phase2"); eap_ttls_state(data, PHASE2_START); @@ -1029,7 +1030,7 @@ static void eap_ttls_process_phase2(struct eap_sm *sm, return; } - in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, + in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn, in_buf); if (in_decrypted == NULL) { wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 " 
@@ -1119,7 +1120,7 @@ done: static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data) { #ifdef EAP_SERVER_TNC - if (!sm->tnc || data->state != SUCCESS || data->tnc_started) + if (!sm->cfg->tnc || data->state != SUCCESS || data->tnc_started) return; wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC"); @@ -1209,8 +1210,8 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv, return; } - if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || - !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) + if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) || + !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) return; buf = tls_connection_get_success_data(data->ssl.conn); diff --git a/src/eap_server/eap_server_wsc.c b/src/eap_server/eap_server_wsc.c index 4a5cb980a..364c089aa 100644 --- a/src/eap_server/eap_server_wsc.c +++ b/src/eap_server/eap_server_wsc.c @@ -103,10 +103,10 @@ static void * eap_wsc_init(struct eap_sm *sm) data->registrar = registrar; os_memset(&cfg, 0, sizeof(cfg)); - cfg.wps = sm->wps; + cfg.wps = sm->cfg->wps; cfg.registrar = registrar; if (registrar) { - if (sm->wps == NULL || sm->wps->registrar == NULL) { + if (!sm->cfg->wps || !sm->cfg->wps->registrar) { wpa_printf(MSG_INFO, "EAP-WSC: WPS Registrar not " "initialized"); os_free(data); @@ -138,14 +138,14 @@ static void * eap_wsc_init(struct eap_sm *sm) cfg.p2p_dev_addr = p2p_get_go_dev_addr(sm->assoc_p2p_ie); } #endif /* CONFIG_P2P */ - cfg.pbc_in_m1 = sm->pbc_in_m1; + cfg.pbc_in_m1 = sm->cfg->pbc_in_m1; data->wps = wps_init(&cfg); if (data->wps == NULL) { os_free(data); return NULL; } - data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size : - WSC_FRAGMENT_SIZE; + data->fragment_size = sm->cfg->fragment_size > 0 ? + sm->cfg->fragment_size : WSC_FRAGMENT_SIZE; return data; } diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c index 5a2abb518..5a2ba261d 100644 --- a/src/eapol_auth/eapol_auth_sm.c 
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -775,7 +775,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 const char *identity, const char *radius_cui)
 {
 struct eapol_state_machine *sm;
- struct eap_config eap_conf;
+ struct eap_session_data eap_sess;
 
 if (eapol == NULL)
 return NULL;
@@ -823,38 +823,12 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr, else sm->portValid = TRUE; - os_memset(&eap_conf, 0, sizeof(eap_conf)); - eap_conf.eap_server = eapol->conf.eap_server; - eap_conf.ssl_ctx = eapol->conf.ssl_ctx; - eap_conf.msg_ctx = eapol->conf.msg_ctx; - eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv; - eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key; - eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id; - eap_conf.eap_fast_a_id_len = eapol->conf.eap_fast_a_id_len; - eap_conf.eap_fast_a_id_info = eapol->conf.eap_fast_a_id_info; - eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov; - eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime; - eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time; - eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth; - eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner; - eap_conf.eap_teap_separate_result = - eapol->conf.eap_teap_separate_result; - eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind; - eap_conf.eap_sim_id = eapol->conf.eap_sim_id; - eap_conf.tnc = eapol->conf.tnc; - eap_conf.wps = eapol->conf.wps; - eap_conf.assoc_wps_ie = assoc_wps_ie; - eap_conf.assoc_p2p_ie = assoc_p2p_ie; - eap_conf.peer_addr = addr; - eap_conf.fragment_size = eapol->conf.fragment_size; - eap_conf.pwd_group = eapol->conf.pwd_group; - eap_conf.pbc_in_m1 = eapol->conf.pbc_in_m1; - eap_conf.server_id = eapol->conf.server_id; - eap_conf.server_id_len = eapol->conf.server_id_len; - eap_conf.erp = eapol->conf.erp; - eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime; - eap_conf.tls_flags = eapol->conf.tls_flags; - sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf); + os_memset(&eap_sess, 0, sizeof(eap_sess)); + eap_sess.assoc_wps_ie = assoc_wps_ie; + eap_sess.assoc_p2p_ie = assoc_p2p_ie; + eap_sess.peer_addr = addr; + sm->eap = eap_server_sm_init(sm, &eapol_cb, eapol->conf.eap_cfg, + &eap_sess); if (sm->eap == NULL) { 
eapol_auth_free(sm); return NULL; @@ -1189,19 +1163,12 @@ int eapol_auth_set_conf(struct eapol_state_machine *sm, const char *param, static int eapol_auth_conf_clone(struct eapol_auth_config *dst, struct eapol_auth_config *src) { + dst->eap_cfg = src->eap_cfg; dst->ctx = src->ctx; dst->eap_reauth_period = src->eap_reauth_period; dst->wpa = src->wpa; dst->individual_wep_key_len = src->individual_wep_key_len; - dst->eap_server = src->eap_server; - dst->ssl_ctx = src->ssl_ctx; - dst->msg_ctx = src->msg_ctx; - dst->eap_sim_db_priv = src->eap_sim_db_priv; os_free(dst->eap_req_id_text); - dst->pwd_group = src->pwd_group; - dst->pbc_in_m1 = src->pbc_in_m1; - dst->server_id = src->server_id; - dst->server_id_len = src->server_id_len; if (src->eap_req_id_text) { dst->eap_req_id_text = os_memdup(src->eap_req_id_text, src->eap_req_id_text_len); 
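Review bot: eapol_auth_alloc now hands `eapol->conf.eap_cfg` straight to eap_server_sm_init, and every EAP method touched by this diff dereferences it unconditionally as `sm->cfg->...`; before the change a caller that never filled in the EAP settings got zero-valued fields, whereas now an unset `eap_cfg` is a NULL pointer. Unless eap_server_sm_init itself rejects a NULL config (its body is not in this diff), widening the existing guard at the top of the function to `if (eapol == NULL || eapol->conf.eap_cfg == NULL) return NULL;` would make the new precondition explicit instead of relying on every owner to remember it. The start of eapol_auth_alloc is in the preceding hunk and its callers are outside this diff.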
@@ -1212,38 +1179,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst, dst->eap_req_id_text = NULL; dst->eap_req_id_text_len = 0; } - if (src->pac_opaque_encr_key) { - dst->pac_opaque_encr_key = os_memdup(src->pac_opaque_encr_key, - 16); - if (dst->pac_opaque_encr_key == NULL) - goto fail; - } else - dst->pac_opaque_encr_key = NULL; - if (src->eap_fast_a_id) { - dst->eap_fast_a_id = os_memdup(src->eap_fast_a_id, - src->eap_fast_a_id_len); - if (dst->eap_fast_a_id == NULL) - goto fail; - dst->eap_fast_a_id_len = src->eap_fast_a_id_len; - } else - dst->eap_fast_a_id = NULL; - if (src->eap_fast_a_id_info) { - dst->eap_fast_a_id_info = os_strdup(src->eap_fast_a_id_info); - if (dst->eap_fast_a_id_info == NULL) - goto fail; - } else - dst->eap_fast_a_id_info = NULL; - dst->eap_fast_prov = src->eap_fast_prov; - dst->pac_key_lifetime = src->pac_key_lifetime; - dst->pac_key_refresh_time = src->pac_key_refresh_time; - dst->eap_teap_auth = src->eap_teap_auth; - dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner; - dst->eap_teap_separate_result = src->eap_teap_separate_result; - dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind; - dst->eap_sim_id = src->eap_sim_id; - dst->tnc = src->tnc; - dst->wps = src->wps; - dst->fragment_size = src->fragment_size; os_free(dst->erp_domain); if (src->erp_domain) { @@ -1254,9 +1189,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst, dst->erp_domain = NULL; } dst->erp_send_reauth_start = src->erp_send_reauth_start; - dst->erp = src->erp; - dst->tls_session_lifetime = src->tls_session_lifetime; - dst->tls_flags = src->tls_flags; return 0; 
@@ -1270,12 +1202,6 @@ static void eapol_auth_conf_free(struct eapol_auth_config *conf) { os_free(conf->eap_req_id_text); conf->eap_req_id_text = NULL; - os_free(conf->pac_opaque_encr_key); - conf->pac_opaque_encr_key = NULL; - os_free(conf->eap_fast_a_id); - conf->eap_fast_a_id = NULL; - os_free(conf->eap_fast_a_id_info); - conf->eap_fast_a_id_info = NULL; os_free(conf->erp_domain); conf->erp_domain = NULL; } diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h index fc467da59..5fe89c64b 100644 --- a/src/eapol_auth/eapol_auth_sm.h +++ b/src/eapol_auth/eapol_auth_sm.h @@ -15,39 +15,14 @@ #define EAPOL_SM_FROM_PMKSA_CACHE BIT(3) struct eapol_auth_config { + const struct eap_config *eap_cfg; int eap_reauth_period; int wpa; int individual_wep_key_len; - int eap_server; - void *ssl_ctx; - void *msg_ctx; - void *eap_sim_db_priv; char *eap_req_id_text; /* a copy of this will be allocated */ size_t eap_req_id_text_len; int erp_send_reauth_start; char *erp_domain; /* a copy of this will be allocated */ - int erp; /* Whether ERP is enabled on authentication server */ - unsigned int tls_session_lifetime; - unsigned int tls_flags; - u8 *pac_opaque_encr_key; - u8 *eap_fast_a_id; - size_t eap_fast_a_id_len; - char *eap_fast_a_id_info; - int eap_fast_prov; - int pac_key_lifetime; - int pac_key_refresh_time; - int eap_teap_auth; - int eap_teap_pac_no_inner; - int eap_teap_separate_result; - int eap_sim_aka_result_ind; - int eap_sim_id; - int tnc; - struct wps_context *wps; - int fragment_size; - u16 pwd_group; - int pbc_in_m1; - const u8 *server_id; - size_t server_id_len; /* Opaque context pointer to owner data for callback functions */ void *ctx; diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c index 100cf52ae..a24caec11 100644 --- a/src/radius/radius_server.c +++ b/src/radius/radius_server.c 
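Review bot: The new `const struct eap_config *eap_cfg;` member of struct eapol_auth_config carries no ownership comment, while the neighbouring `eap_req_id_text` and `erp_domain` fields spell out that a copy will be allocated. eapol_auth_conf_clone now copies only the pointer (`dst->eap_cfg = src->eap_cfg;`) and eapol_auth_conf_free no longer releases any of the EAP buffers, so the owner has to keep the eap_config valid for as long as the authenticator and the state machines created from it exist. A comment next to the field such as `/* Not copied; the owner keeps this valid for the lifetime of the EAPOL authenticator and every eapol_state_machine it creates */` would record that contract where the other fields record theirs.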
@@ -161,146 +161,10 @@ struct radius_server_data { */ int num_sess; - /** - * eap_sim_db_priv - EAP-SIM/AKA database context - * - * This is passed to the EAP-SIM/AKA server implementation as a - * callback context. - */ - void *eap_sim_db_priv; - - /** - * ssl_ctx - TLS context - * - * This is passed to the EAP server implementation as a callback - * context for TLS operations. - */ - void *ssl_ctx; - - /** - * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST - * - * This parameter is used to set a key for EAP-FAST to encrypt the - * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If - * set, must point to a 16-octet key. - */ - u8 *pac_opaque_encr_key; - - /** - * eap_fast_a_id - EAP-FAST authority identity (A-ID) - * - * If EAP-FAST is not used, this can be set to %NULL. In theory, this - * is a variable length field, but due to some existing implementations - * requiring A-ID to be 16 octets in length, it is recommended to use - * that length for the field to provide interoperability with deployed - * peer implementations. - */ - u8 *eap_fast_a_id; - - /** - * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets - */ - size_t eap_fast_a_id_len; - - /** - * eap_fast_a_id_info - EAP-FAST authority identifier information - * - * This A-ID-Info contains a user-friendly name for the A-ID. For - * example, this could be the enterprise and server names in - * human-readable format. This field is encoded as UTF-8. If EAP-FAST - * is not used, this can be set to %NULL. - */ - char *eap_fast_a_id_info; - - /** - * eap_fast_prov - EAP-FAST provisioning modes - * - * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, - * 2 = only authenticated provisioning allowed, 3 = both provisioning - * modes allowed. - */ - int eap_fast_prov; - - /** - * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds - * - * This is the hard limit on how long a provisioned PAC-Key can be - * used. 
- */ - int pac_key_lifetime; - - /** - * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds - * - * This is a soft limit on the PAC-Key. The server will automatically - * generate a new PAC-Key when this number of seconds (or fewer) of the - * lifetime remains. - */ - int pac_key_refresh_time; - - int eap_teap_auth; - int eap_teap_pac_no_inner; - int eap_teap_separate_result; - - /** - * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication - * - * This controls whether the protected success/failure indication - * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. - */ - int eap_sim_aka_result_ind; - - int eap_sim_id; - - /** - * tnc - Trusted Network Connect (TNC) - * - * This controls whether TNC is enabled and will be required before the - * peer is allowed to connect. Note: This is only used with EAP-TTLS - * and EAP-FAST. If any other EAP method is enabled, the peer will be - * allowed to connect without TNC. - */ - int tnc; - - /** - * pwd_group - The D-H group assigned for EAP-pwd - * - * If EAP-pwd is not used it can be set to zero. - */ - u16 pwd_group; - - /** - * server_id - Server identity - */ - const char *server_id; - - /** - * erp - Whether EAP Re-authentication Protocol (ERP) is enabled - * - * This controls whether the authentication server derives ERP key - * hierarchy (rRK and rIK) from full EAP authentication and allows - * these keys to be used to perform ERP to derive rMSK instead of full - * EAP authentication to derive MSK. - */ - int erp; - const char *erp_domain; struct dl_list erp_keys; /* struct eap_server_erp_key */ - unsigned int tls_session_lifetime; - - unsigned int tls_flags; - - /** - * wps - Wi-Fi Protected Setup context - * - * If WPS is used with an external RADIUS server (which is quite - * unlikely configuration), this is used to provide a pointer to WPS - * context data. Normally, this can be set to %NULL. 
- */ - struct wps_context *wps; - /** * ipv6 - Whether to enable IPv6 support in the RADIUS server */ @@ -352,11 +216,6 @@ struct radius_server_data { */ size_t eap_req_id_text_len; - /* - * msg_ctx - Context data for wpa_msg() calls - */ - void *msg_ctx; - #ifdef CONFIG_RADIUS_TEST char *dump_msk_file; #endif /* CONFIG_RADIUS_TEST */ @@ -370,6 +229,8 @@ struct radius_server_data { #ifdef CONFIG_SQLITE sqlite3 *db; #endif /* CONFIG_SQLITE */ + + struct eap_config *eap_cfg; }; @@ -620,7 +481,7 @@ radius_server_new_session(struct radius_server_data *data, #ifdef CONFIG_TESTING_OPTIONS static void radius_server_testing_options_tls(struct radius_session *sess, const char *tls, - struct eap_config *eap_conf) + struct eap_session_data *eap_conf) { int test = atoi(tls); @@ -665,7 +526,7 @@ static void radius_server_testing_options_tls(struct radius_session *sess, #endif /* CONFIG_TESTING_OPTIONS */ static void radius_server_testing_options(struct radius_session *sess, - struct eap_config *eap_conf) + struct eap_session_data *eap_conf) { #ifdef CONFIG_TESTING_OPTIONS const char *pos; @@ -708,7 +569,7 @@ radius_server_get_new_session(struct radius_server_data *data, size_t user_len, id_len; int res; struct radius_session *sess; - struct eap_config eap_conf; + struct eap_session_data eap_sess; struct eap_user *tmp; RADIUS_DEBUG("Creating a new session"); @@ -726,7 +587,7 @@ radius_server_get_new_session(struct radius_server_data *data, res = data->get_eap_user(data->conf_ctx, user, user_len, 0, tmp); #ifdef CONFIG_ERP - if (res != 0 && data->erp) { + if (res != 0 && data->eap_cfg->erp) { char *username; username = os_zalloc(user_len + 1); 
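Review bot: The `struct eap_config *eap_cfg;` member appended to struct radius_server_data has no comment, although every other configuration member of this struct is documented in Doxygen style (the removed eap_sim_db_priv, ssl_ctx and wps blocks are examples). Since this pointer now holds the settings the deleted fields used to describe, a block such as `/** eap_cfg - EAP server configuration shared by all sessions; allocated in radius_server_init() and released with eap_server_config_free() in radius_server_deinit() */` would keep that information in the header instead of losing it with the deleted field comments.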
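Review bot: radius_server_testing_options_tls and radius_server_testing_options now take a `struct eap_session_data *`, but the parameter is still named `eap_conf`, which no longer describes what is passed (the caller in radius_server_get_new_session passes `&eap_sess`). Renaming it in both signatures, `struct eap_session_data *eap_sess)`, keeps the name consistent with the caller and avoids reading it as the shared configuration. The bodies of both functions, where the parameter is used, are outside these hunks.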
@@ -785,35 +646,10 @@ radius_server_get_new_session(struct radius_server_data *data, srv_log(sess, "New session created"); - os_memset(&eap_conf, 0, sizeof(eap_conf)); - eap_conf.ssl_ctx = data->ssl_ctx; - eap_conf.msg_ctx = data->msg_ctx; - eap_conf.eap_sim_db_priv = data->eap_sim_db_priv; - eap_conf.backend_auth = TRUE; - eap_conf.eap_server = 1; - eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key; - eap_conf.eap_fast_a_id = data->eap_fast_a_id; - eap_conf.eap_fast_a_id_len = data->eap_fast_a_id_len; - eap_conf.eap_fast_a_id_info = data->eap_fast_a_id_info; - eap_conf.eap_fast_prov = data->eap_fast_prov; - eap_conf.pac_key_lifetime = data->pac_key_lifetime; - eap_conf.pac_key_refresh_time = data->pac_key_refresh_time; - eap_conf.eap_teap_auth = data->eap_teap_auth; - eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner; - eap_conf.eap_teap_separate_result = data->eap_teap_separate_result; - eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind; - eap_conf.eap_sim_id = data->eap_sim_id; - eap_conf.tnc = data->tnc; - eap_conf.wps = data->wps; - eap_conf.pwd_group = data->pwd_group; - eap_conf.server_id = (const u8 *) data->server_id; - eap_conf.server_id_len = os_strlen(data->server_id); - eap_conf.erp = data->erp; - eap_conf.tls_session_lifetime = data->tls_session_lifetime; - eap_conf.tls_flags = data->tls_flags; - radius_server_testing_options(sess, &eap_conf); + os_memset(&eap_sess, 0, sizeof(eap_sess)); + radius_server_testing_options(sess, &eap_sess); sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb, - &eap_conf); + data->eap_cfg, &eap_sess); if (sess->eap == NULL) { RADIUS_DEBUG("Failed to initialize EAP state machine for the " "new session"); @@ -2353,6 +2189,7 @@ struct radius_server_data * radius_server_init(struct radius_server_conf *conf) { struct radius_server_data *data; + struct eap_config *eap_cfg; #ifndef CONFIG_IPV6 if (conf->ipv6) { 
@@ -2365,45 +2202,56 @@ radius_server_init(struct radius_server_conf *conf) if (data == NULL) return NULL; + eap_cfg = data->eap_cfg = os_zalloc(sizeof(*eap_cfg)); + if (!eap_cfg) { + os_free(data); + return NULL; + } data->auth_sock = -1; data->acct_sock = -1; dl_list_init(&data->erp_keys); os_get_reltime(&data->start_time); data->conf_ctx = conf->conf_ctx; - data->eap_sim_db_priv = conf->eap_sim_db_priv; - data->ssl_ctx = conf->ssl_ctx; - data->msg_ctx = conf->msg_ctx; + eap_cfg->backend_auth = TRUE; + eap_cfg->eap_server = 1; + eap_cfg->eap_sim_db_priv = conf->eap_sim_db_priv; + eap_cfg->ssl_ctx = conf->ssl_ctx; + eap_cfg->msg_ctx = conf->msg_ctx; data->ipv6 = conf->ipv6; if (conf->pac_opaque_encr_key) { - data->pac_opaque_encr_key = os_malloc(16); - if (data->pac_opaque_encr_key) { - os_memcpy(data->pac_opaque_encr_key, + eap_cfg->pac_opaque_encr_key = os_malloc(16); + if (eap_cfg->pac_opaque_encr_key) { + os_memcpy(eap_cfg->pac_opaque_encr_key, conf->pac_opaque_encr_key, 16); } } if (conf->eap_fast_a_id) { - data->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len); - if (data->eap_fast_a_id) { - os_memcpy(data->eap_fast_a_id, conf->eap_fast_a_id, + eap_cfg->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len); + if (eap_cfg->eap_fast_a_id) { + os_memcpy(eap_cfg->eap_fast_a_id, conf->eap_fast_a_id, conf->eap_fast_a_id_len); - data->eap_fast_a_id_len = conf->eap_fast_a_id_len; + eap_cfg->eap_fast_a_id_len = conf->eap_fast_a_id_len; } } if (conf->eap_fast_a_id_info) - data->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info); - data->eap_fast_prov = conf->eap_fast_prov; - data->pac_key_lifetime = conf->pac_key_lifetime; - data->pac_key_refresh_time = conf->pac_key_refresh_time; - data->eap_teap_auth = conf->eap_teap_auth; - data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; - data->eap_teap_separate_result = conf->eap_teap_separate_result; + eap_cfg->eap_fast_a_id_info = + os_strdup(conf->eap_fast_a_id_info); + eap_cfg->eap_fast_prov = 
conf->eap_fast_prov; + eap_cfg->pac_key_lifetime = conf->pac_key_lifetime; + eap_cfg->pac_key_refresh_time = conf->pac_key_refresh_time; + eap_cfg->eap_teap_auth = conf->eap_teap_auth; + eap_cfg->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; + eap_cfg->eap_teap_separate_result = conf->eap_teap_separate_result; data->get_eap_user = conf->get_eap_user; - data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; - data->eap_sim_id = conf->eap_sim_id; - data->tnc = conf->tnc; - data->wps = conf->wps; - data->pwd_group = conf->pwd_group; - data->server_id = conf->server_id; + eap_cfg->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; + eap_cfg->eap_sim_id = conf->eap_sim_id; + eap_cfg->tnc = conf->tnc; + eap_cfg->wps = conf->wps; + eap_cfg->pwd_group = conf->pwd_group; + if (conf->server_id) { + eap_cfg->server_id = (u8 *) os_strdup(conf->server_id); + eap_cfg->server_id_len = os_strlen(conf->server_id); + } if (conf->eap_req_id_text) { data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len); if (data->eap_req_id_text) { @@ -2412,10 +2260,10 @@ radius_server_init(struct radius_server_conf *conf) data->eap_req_id_text_len = conf->eap_req_id_text_len; } } - data->erp = conf->erp; + eap_cfg->erp = conf->erp; data->erp_domain = conf->erp_domain; - data->tls_session_lifetime = conf->tls_session_lifetime; - data->tls_flags = conf->tls_flags; + eap_cfg->tls_session_lifetime = conf->tls_session_lifetime; + eap_cfg->tls_flags = conf->tls_flags; if (conf->subscr_remediation_url) { data->subscr_remediation_url = @@ -2537,9 +2385,6 @@ void radius_server_deinit(struct radius_server_data *data) radius_server_free_clients(data, data->clients); - os_free(data->pac_opaque_encr_key); - os_free(data->eap_fast_a_id); - os_free(data->eap_fast_a_id_info); os_free(data->eap_req_id_text); #ifdef CONFIG_RADIUS_TEST os_free(data->dump_msk_file); 
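Review bot: In radius_server_init, `eap_cfg->server_id_len = os_strlen(conf->server_id);` is assigned even when `os_strdup(conf->server_id)` returned NULL, leaving a NULL `server_id` paired with a non-zero length; the eap_fast_a_id branch just above sets its length only inside the allocation-success check, and `server_id` should do the same: `if (eap_cfg->server_id) eap_cfg->server_id_len = os_strlen(conf->server_id);`. The os_malloc failures for pac_opaque_encr_key and eap_fast_a_id are still ignored, as they were before the change, but now that eap_cfg is a heap object released by eap_server_config_free, a single failure path that frees it and returns NULL would be cleaner than continuing with a partially filled configuration; that part is pre-existing behaviour. The function continues past this hunk.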
@@ -2554,6 +2399,7 @@ void radius_server_deinit(struct radius_server_data *data) #endif /* CONFIG_SQLITE */ radius_server_erp_flush(data); + eap_server_config_free(data->eap_cfg); os_free(data); }