aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2019-08-18 12:23:12 (GMT)
committerJouni Malinen <j@w1.fi>2019-08-18 14:36:32 (GMT)
commit822e7c66ae36691d6b82a82542177665ff06276b (patch)
tree3454d7cc54520c0ec29f39428be3684d7c69c048
parent8315c1ef5baa4ae0f462e005096d04d5ffdd74ed (diff)
downloadhostap-822e7c66ae36691d6b82a82542177665ff06276b.zip
hostap-822e7c66ae36691d6b82a82542177665ff06276b.tar.gz
hostap-822e7c66ae36691d6b82a82542177665ff06276b.tar.bz2
EAP server: Use struct eap_config to avoid duplicated definitions
Use struct eap_config as-is within struct eap_sm and EAPOL authenticator to avoid having to duplicate all the configuration variables at each interface. Split the couple of session specific variables into a separate struct to allow a single const struct eap_config to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--eap_example/eap_example_server.c6
-rw-r--r--src/ap/hostapd.h1
-rw-r--r--src/ap/ieee802_1x.c87
-rw-r--r--src/eap_server/eap.h126
-rw-r--r--src/eap_server/eap_i.h36
-rw-r--r--src/eap_server/eap_server.c120
-rw-r--r--src/eap_server/eap_server_aka.c46
-rw-r--r--src/eap_server/eap_server_eke.c19
-rw-r--r--src/eap_server/eap_server_fast.c49
-rw-r--r--src/eap_server/eap_server_gpsk.c21
-rw-r--r--src/eap_server/eap_server_ikev2.c10
-rw-r--r--src/eap_server/eap_server_mschapv2.c4
-rw-r--r--src/eap_server/eap_server_peap.c17
-rw-r--r--src/eap_server/eap_server_psk.c16
-rw-r--r--src/eap_server/eap_server_pwd.c4
-rw-r--r--src/eap_server/eap_server_sake.c14
-rw-r--r--src/eap_server/eap_server_sim.c36
-rw-r--r--src/eap_server/eap_server_teap.c67
-rw-r--r--src/eap_server/eap_server_tls.c11
-rw-r--r--src/eap_server/eap_server_tls_common.c37
-rw-r--r--src/eap_server/eap_server_tnc.c6
-rw-r--r--src/eap_server/eap_server_ttls.c13
-rw-r--r--src/eap_server/eap_server_wsc.c10
-rw-r--r--src/eapol_auth/eapol_auth_sm.c90
-rw-r--r--src/eapol_auth/eapol_auth_sm.h27
-rw-r--r--src/radius/radius_server.c250
26 files changed, 486 insertions, 637 deletions
diff --git a/eap_example/eap_example_server.c b/eap_example/eap_example_server.c
index 145bb9f..1e91fa8 100644
--- a/eap_example/eap_example_server.c
+++ b/eap_example/eap_example_server.c
@@ -207,6 +207,8 @@ static int eap_server_register_methods(void)
int eap_example_server_init(void)
{
+ struct eap_session_data eap_sess;
+
if (eap_server_register_methods() < 0)
return -1;
@@ -223,7 +225,9 @@ int eap_example_server_init(void)
eap_conf.eap_server = 1;
eap_conf.ssl_ctx = eap_ctx.tls_ctx;
- eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf);
+ os_memset(&eap_sess, 0, sizeof(eap_sess));
+ eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf,
+ &eap_sess);
if (eap_ctx.eap == NULL)
return -1;
diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index 518c7f1..5ae36e1 100644
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -186,6 +186,7 @@ struct hostapd_data {
struct wpa_authenticator *wpa_auth;
struct eapol_authenticator *eapol_auth;
+ struct eap_config *eap_cfg;
struct rsn_preauth_interface *preauth_iface;
struct os_reltime michael_mic_failure;
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index a7a0901..34637f3 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2403,6 +2403,56 @@ static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
#endif /* CONFIG_ERP */
+static struct eap_config * ieee802_1x_eap_config(struct hostapd_data *hapd)
+{
+ struct eap_config *cfg;
+
+ cfg = os_zalloc(sizeof(*cfg));
+ if (!cfg)
+ return NULL;
+
+ cfg->eap_server = hapd->conf->eap_server;
+ cfg->ssl_ctx = hapd->ssl_ctx;
+ cfg->msg_ctx = hapd->msg_ctx;
+ cfg->eap_sim_db_priv = hapd->eap_sim_db_priv;
+ cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime;
+ cfg->tls_flags = hapd->conf->tls_flags;
+ if (hapd->conf->pac_opaque_encr_key)
+ cfg->pac_opaque_encr_key =
+ os_memdup(hapd->conf->pac_opaque_encr_key, 16);
+ if (hapd->conf->eap_fast_a_id) {
+ cfg->eap_fast_a_id = os_memdup(hapd->conf->eap_fast_a_id,
+ hapd->conf->eap_fast_a_id_len);
+ cfg->eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
+ }
+ if (hapd->conf->eap_fast_a_id_info)
+ cfg->eap_fast_a_id_info =
+ os_strdup(hapd->conf->eap_fast_a_id_info);
+ cfg->eap_fast_prov = hapd->conf->eap_fast_prov;
+ cfg->pac_key_lifetime = hapd->conf->pac_key_lifetime;
+ cfg->pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
+ cfg->eap_teap_auth = hapd->conf->eap_teap_auth;
+ cfg->eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
+ cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
+ cfg->eap_sim_id = hapd->conf->eap_sim_id;
+ cfg->tnc = hapd->conf->tnc;
+ cfg->wps = hapd->wps;
+ cfg->fragment_size = hapd->conf->fragment_size;
+ cfg->pwd_group = hapd->conf->pwd_group;
+ cfg->pbc_in_m1 = hapd->conf->pbc_in_m1;
+ if (hapd->conf->server_id) {
+ cfg->server_id = (u8 *) os_strdup(hapd->conf->server_id);
+ cfg->server_id_len = os_strlen(hapd->conf->server_id);
+ } else {
+ cfg->server_id = (u8 *) os_strdup("hostapd");
+ cfg->server_id_len = 7;
+ }
+ cfg->erp = hapd->conf->eap_server_erp;
+
+ return cfg;
+}
+
+
int ieee802_1x_init(struct hostapd_data *hapd)
{
int i;
@@ -2411,45 +2461,19 @@ int ieee802_1x_init(struct hostapd_data *hapd)
dl_list_init(&hapd->erp_keys);
+ hapd->eap_cfg = ieee802_1x_eap_config(hapd);
+ if (!hapd->eap_cfg)
+ return -1;
os_memset(&conf, 0, sizeof(conf));
+ conf.eap_cfg = hapd->eap_cfg;
conf.ctx = hapd;
conf.eap_reauth_period = hapd->conf->eap_reauth_period;
conf.wpa = hapd->conf->wpa;
conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
- conf.eap_server = hapd->conf->eap_server;
- conf.ssl_ctx = hapd->ssl_ctx;
- conf.msg_ctx = hapd->msg_ctx;
- conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
conf.eap_req_id_text = hapd->conf->eap_req_id_text;
conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
conf.erp_domain = hapd->conf->erp_domain;
- conf.erp = hapd->conf->eap_server_erp;
- conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
- conf.tls_flags = hapd->conf->tls_flags;
- conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
- conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
- conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
- conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
- conf.eap_fast_prov = hapd->conf->eap_fast_prov;
- conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
- conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
- conf.eap_teap_auth = hapd->conf->eap_teap_auth;
- conf.eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
- conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
- conf.eap_sim_id = hapd->conf->eap_sim_id;
- conf.tnc = hapd->conf->tnc;
- conf.wps = hapd->wps;
- conf.fragment_size = hapd->conf->fragment_size;
- conf.pwd_group = hapd->conf->pwd_group;
- conf.pbc_in_m1 = hapd->conf->pbc_in_m1;
- if (hapd->conf->server_id) {
- conf.server_id = (const u8 *) hapd->conf->server_id;
- conf.server_id_len = os_strlen(hapd->conf->server_id);
- } else {
- conf.server_id = (const u8 *) "hostapd";
- conf.server_id_len = 7;
- }
os_memset(&cb, 0, sizeof(cb));
cb.eapol_send = ieee802_1x_eapol_send;
@@ -2520,6 +2544,9 @@ void ieee802_1x_deinit(struct hostapd_data *hapd)
eapol_auth_deinit(hapd->eapol_auth);
hapd->eapol_auth = NULL;
+ eap_server_config_free(hapd->eap_cfg);
+ hapd->eap_cfg = NULL;
+
ieee802_1x_erp_flush(hapd);
}
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index 8ce499a..6988e0b 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -108,39 +108,151 @@ struct eapol_callbacks {
};
struct eap_config {
+ /**
+ * ssl_ctx - TLS context
+ *
+ * This is passed to the EAP server implementation as a callback
+ * context for TLS operations.
+ */
void *ssl_ctx;
void *msg_ctx;
+
+ /**
+ * eap_sim_db_priv - EAP-SIM/AKA database context
+ *
+ * This is passed to the EAP-SIM/AKA server implementation as a
+ * callback context.
+ */
void *eap_sim_db_priv;
Boolean backend_auth;
int eap_server;
+
+ /**
+ * pwd_group - The D-H group assigned for EAP-pwd
+ *
+ * If EAP-pwd is not used it can be set to zero.
+ */
u16 pwd_group;
+
+ /**
+ * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
+ *
+ * This parameter is used to set a key for EAP-FAST to encrypt the
+ * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
+ * set, must point to a 16-octet key.
+ */
u8 *pac_opaque_encr_key;
+
+ /**
+ * eap_fast_a_id - EAP-FAST authority identity (A-ID)
+ *
+ * If EAP-FAST is not used, this can be set to %NULL. In theory, this
+ * is a variable length field, but due to some existing implementations
+ * requiring A-ID to be 16 octets in length, it is recommended to use
+ * that length for the field to provide interoperability with deployed
+ * peer implementations.
+ */
u8 *eap_fast_a_id;
+
+ /**
+ * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
+ */
size_t eap_fast_a_id_len;
+ /**
+ * eap_fast_a_id_info - EAP-FAST authority identifier information
+ *
+ * This A-ID-Info contains a user-friendly name for the A-ID. For
+ * example, this could be the enterprise and server names in
+ * human-readable format. This field is encoded as UTF-8. If EAP-FAST
+ * is not used, this can be set to %NULL.
+ */
char *eap_fast_a_id_info;
- int eap_fast_prov;
+
+ /**
+ * eap_fast_prov - EAP-FAST provisioning modes
+ *
+ * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
+ * 2 = only authenticated provisioning allowed, 3 = both provisioning
+ * modes allowed.
+ */
+ enum {
+ NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
+ } eap_fast_prov;
+
+ /**
+ * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
+ *
+ * This is the hard limit on how long a provisioned PAC-Key can be
+ * used.
+ */
int pac_key_lifetime;
+
+ /**
+ * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
+ *
+ * This is a soft limit on the PAC-Key. The server will automatically
+ * generate a new PAC-Key when this number of seconds (or fewer) of the
+ * lifetime remains.
+ */
int pac_key_refresh_time;
int eap_teap_auth;
int eap_teap_pac_no_inner;
int eap_teap_separate_result;
+
+ /**
+ * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
+ *
+ * This controls whether the protected success/failure indication
+ * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
+ */
int eap_sim_aka_result_ind;
int eap_sim_id;
+
+ /**
+ * tnc - Trusted Network Connect (TNC)
+ *
+ * This controls whether TNC is enabled and will be required before the
+ * peer is allowed to connect. Note: This is only used with EAP-TTLS
+ * and EAP-FAST. If any other EAP method is enabled, the peer will be
+ * allowed to connect without TNC.
+ */
int tnc;
+
+ /**
+ * wps - Wi-Fi Protected Setup context
+ *
+ * If WPS is used with an external RADIUS server (which is quite
+ * unlikely configuration), this is used to provide a pointer to WPS
+ * context data. Normally, this can be set to %NULL.
+ */
struct wps_context *wps;
- const struct wpabuf *assoc_wps_ie;
- const struct wpabuf *assoc_p2p_ie;
- const u8 *peer_addr;
int fragment_size;
int pbc_in_m1;
- const u8 *server_id;
+ /**
+ * server_id - Server identity
+ */
+ u8 *server_id;
size_t server_id_len;
+
+ /**
+ * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
+ *
+ * This controls whether the authentication server derives ERP key
+ * hierarchy (rRK and rIK) from full EAP authentication and allows
+ * these keys to be used to perform ERP to derive rMSK instead of full
+ * EAP authentication to derive MSK.
+ */
int erp;
unsigned int tls_session_lifetime;
unsigned int tls_flags;
+};
+struct eap_session_data {
+ const struct wpabuf *assoc_wps_ie;
+ const struct wpabuf *assoc_p2p_ie;
+ const u8 *peer_addr;
#ifdef CONFIG_TESTING_OPTIONS
u32 tls_test_flags;
#endif /* CONFIG_TESTING_OPTIONS */
@@ -149,7 +261,8 @@ struct eap_config {
struct eap_sm * eap_server_sm_init(void *eapol_ctx,
const struct eapol_callbacks *eapol_cb,
- struct eap_config *eap_conf);
+ const struct eap_config *conf,
+ const struct eap_session_data *sess);
void eap_server_sm_deinit(struct eap_sm *sm);
int eap_server_sm_step(struct eap_sm *sm);
void eap_sm_notify_cached(struct eap_sm *sm);
@@ -166,5 +279,6 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
const u8 *challenge, const u8 *response);
void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
void eap_user_free(struct eap_user *user);
+void eap_server_config_free(struct eap_config *cfg);
#endif /* EAP_H */
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 4cad1f2..cbdad5f 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -154,7 +154,7 @@ struct eap_sm {
const struct eap_method *m; /* selected EAP method */
/* not defined in RFC 4137 */
Boolean changed;
- void *eapol_ctx, *msg_ctx;
+ void *eapol_ctx;
const struct eapol_callbacks *eapol_cb;
void *eap_method_priv;
u8 *identity;
@@ -167,11 +167,9 @@ struct eap_sm {
struct eap_user *user;
int user_eap_method_index;
int init_phase2;
- void *ssl_ctx;
- struct eap_sim_db_data *eap_sim_db_priv;
- Boolean backend_auth;
+ const struct eap_config *cfg;
+ struct eap_config cfg_buf;
Boolean update_user;
- int eap_server;
int num_rounds;
enum {
@@ -181,23 +179,6 @@ struct eap_sm {
u8 *auth_challenge;
u8 *peer_challenge;
- u8 *pac_opaque_encr_key;
- u8 *eap_fast_a_id;
- size_t eap_fast_a_id_len;
- char *eap_fast_a_id_info;
- enum {
- NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
- } eap_fast_prov;
- int pac_key_lifetime;
- int pac_key_refresh_time;
- int eap_teap_auth;
- int eap_teap_pac_no_inner;
- int eap_teap_separate_result;
- int eap_sim_aka_result_ind;
- int eap_sim_id;
- int tnc;
- u16 pwd_group;
- struct wps_context *wps;
struct wpabuf *assoc_wps_ie;
struct wpabuf *assoc_p2p_ie;
@@ -205,19 +186,8 @@ struct eap_sm {
u8 peer_addr[ETH_ALEN];
- /* Fragmentation size for EAP method init() handler */
- int fragment_size;
-
- int pbc_in_m1;
-
- const u8 *server_id;
- size_t server_id_len;
-
Boolean initiate_reauth_start_sent;
Boolean try_initiate_reauth;
- int erp;
- unsigned int tls_session_lifetime;
- unsigned int tls_flags;
#ifdef CONFIG_TESTING_OPTIONS
u32 tls_test_flags;
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 8085394..4c6ba6d 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -223,7 +223,7 @@ SM_STATE(EAP, INITIALIZE)
{
SM_ENTRY(EAP, INITIALIZE);
- if (sm->eap_if.eapRestart && !sm->eap_server && sm->identity) {
+ if (sm->eap_if.eapRestart && !sm->cfg->eap_server && sm->identity) {
/*
* Need to allow internal Identity method to be used instead
* of passthrough at the beginning of reauthentication.
@@ -257,7 +257,7 @@ SM_STATE(EAP, INITIALIZE)
sm->m = NULL;
sm->user_eap_method_index = 0;
- if (sm->backend_auth) {
+ if (sm->cfg->backend_auth) {
sm->currentMethod = EAP_TYPE_NONE;
/* parse rxResp, respId, respMethod */
eap_sm_parseEapResp(sm, sm->eap_if.eapRespData);
@@ -268,7 +268,7 @@ SM_STATE(EAP, INITIALIZE)
sm->num_rounds = 0;
sm->method_pending = METHOD_PENDING_NONE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
MACSTR, MAC2STR(sm->peer_addr));
}
@@ -300,7 +300,7 @@ SM_STATE(EAP, PICK_UP_METHOD)
}
}
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
"method=%u", sm->currentMethod);
}
@@ -325,7 +325,7 @@ SM_STATE(EAP, RETRANSMIT)
sm->eap_if.eapReq = TRUE;
}
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR,
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR,
MAC2STR(sm->peer_addr));
}
@@ -530,7 +530,7 @@ SM_STATE(EAP, METHOD_RESPONSE)
sm->eap_if.eapSessionId,
sm->eap_if.eapSessionIdLen);
}
- if (sm->erp && sm->m->get_emsk && sm->eap_if.eapSessionId)
+ if (sm->cfg->erp && sm->m->get_emsk && sm->eap_if.eapSessionId)
eap_server_erp_init(sm);
sm->methodState = METHOD_END;
} else {
@@ -580,7 +580,7 @@ try_another_method:
else
sm->methodState = METHOD_PROPOSED;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
"vendor=%u method=%u", vendor, sm->currentMethod);
eap_log_msg(sm, "Propose EAP method vendor=%u method=%u",
vendor, sm->currentMethod);
@@ -636,8 +636,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE)
sm->eap_if.eapTimeout = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR,
- MAC2STR(sm->peer_addr));
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO,
+ WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR, MAC2STR(sm->peer_addr));
}
@@ -651,7 +651,7 @@ SM_STATE(EAP, FAILURE)
sm->lastReqData = NULL;
sm->eap_if.eapFail = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
MACSTR, MAC2STR(sm->peer_addr));
}
@@ -668,7 +668,7 @@ SM_STATE(EAP, SUCCESS)
sm->eap_if.eapKeyAvailable = TRUE;
sm->eap_if.eapSuccess = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
MACSTR, MAC2STR(sm->peer_addr));
}
@@ -755,7 +755,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm,
if ((flags & 0x80) || !erp) {
sm->eap_if.eapFail = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
MACSTR, MAC2STR(sm->peer_addr));
return;
}
@@ -783,7 +783,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm,
sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
sm->eap_if.eapSuccess = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
MACSTR, MAC2STR(sm->peer_addr));
}
@@ -855,7 +855,7 @@ SM_STATE(EAP, INITIATE_RECEIVED)
os_memcpy(nai, parse.keyname, parse.keyname_len);
nai[parse.keyname_len] = '\0';
- if (!sm->eap_server) {
+ if (!sm->cfg->eap_server) {
/*
* In passthrough case, EAP-Initiate/Re-auth replaces
* EAP Identity exchange. Use keyName-NAI as the user identity
@@ -1018,7 +1018,7 @@ SM_STATE(EAP, RETRANSMIT2)
sm->eap_if.eapReq = TRUE;
}
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR,
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR,
MAC2STR(sm->peer_addr));
}
@@ -1111,8 +1111,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE2)
sm->eap_if.eapTimeout = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR,
- MAC2STR(sm->peer_addr));
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO,
+ WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR, MAC2STR(sm->peer_addr));
}
@@ -1123,7 +1123,7 @@ SM_STATE(EAP, FAILURE2)
eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData);
sm->eap_if.eapFail = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR,
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR,
MAC2STR(sm->peer_addr));
}
@@ -1152,7 +1152,7 @@ SM_STATE(EAP, SUCCESS2)
*/
sm->start_reauth = TRUE;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR,
+ wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR,
MAC2STR(sm->peer_addr));
}
@@ -1173,7 +1173,7 @@ SM_STEP(EAP)
}
} else switch (sm->EAP_state) {
case EAP_INITIALIZE:
- if (sm->backend_auth) {
+ if (sm->cfg->backend_auth) {
if (!sm->rxResp)
SM_ENTER(EAP, SELECT_ACTION);
else if (sm->rxResp &&
@@ -1336,7 +1336,7 @@ SM_STEP(EAP)
else if (sm->decision == DECISION_INITIATE_REAUTH_START)
SM_ENTER(EAP, INITIATE_REAUTH_START);
#ifdef CONFIG_ERP
- else if (sm->eap_server && sm->erp && sm->rxInitiate)
+ else if (sm->cfg->eap_server && sm->cfg->erp && sm->rxInitiate)
SM_ENTER(EAP, INITIATE_RECEIVED);
#endif /* CONFIG_ERP */
else
@@ -1346,7 +1346,7 @@ SM_STEP(EAP)
SM_ENTER(EAP, SEND_REQUEST);
break;
case EAP_INITIATE_RECEIVED:
- if (!sm->eap_server)
+ if (!sm->cfg->eap_server)
SM_ENTER(EAP, SELECT_ACTION);
break;
case EAP_TIMEOUT_FAILURE:
@@ -1706,7 +1706,7 @@ static enum eap_type eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
static int eap_sm_Policy_getDecision(struct eap_sm *sm)
{
- if (!sm->eap_server && sm->identity && !sm->start_reauth) {
+ if (!sm->cfg->eap_server && sm->identity && !sm->start_reauth) {
wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
return DECISION_PASSTHROUGH;
}
@@ -1837,7 +1837,8 @@ void eap_user_free(struct eap_user *user)
*/
struct eap_sm * eap_server_sm_init(void *eapol_ctx,
const struct eapol_callbacks *eapol_cb,
- struct eap_config *conf)
+ const struct eap_config *conf,
+ const struct eap_session_data *sess)
{
struct eap_sm *sm;
@@ -1847,55 +1848,15 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->eapol_ctx = eapol_ctx;
sm->eapol_cb = eapol_cb;
sm->MaxRetrans = 5; /* RFC 3748: max 3-5 retransmissions suggested */
- sm->ssl_ctx = conf->ssl_ctx;
- sm->msg_ctx = conf->msg_ctx;
- sm->eap_sim_db_priv = conf->eap_sim_db_priv;
- sm->backend_auth = conf->backend_auth;
- sm->eap_server = conf->eap_server;
- if (conf->pac_opaque_encr_key) {
- sm->pac_opaque_encr_key = os_malloc(16);
- if (sm->pac_opaque_encr_key) {
- os_memcpy(sm->pac_opaque_encr_key,
- conf->pac_opaque_encr_key, 16);
- }
- }
- if (conf->eap_fast_a_id) {
- sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
- if (sm->eap_fast_a_id) {
- os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id,
- conf->eap_fast_a_id_len);
- sm->eap_fast_a_id_len = conf->eap_fast_a_id_len;
- }
- }
- if (conf->eap_fast_a_id_info)
- sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
- sm->eap_fast_prov = conf->eap_fast_prov;
- sm->pac_key_lifetime = conf->pac_key_lifetime;
- sm->pac_key_refresh_time = conf->pac_key_refresh_time;
- sm->eap_teap_auth = conf->eap_teap_auth;
- sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
- sm->eap_teap_separate_result = conf->eap_teap_separate_result;
- sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
- sm->eap_sim_id = conf->eap_sim_id;
- sm->tnc = conf->tnc;
- sm->wps = conf->wps;
- if (conf->assoc_wps_ie)
- sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie);
- if (conf->assoc_p2p_ie)
- sm->assoc_p2p_ie = wpabuf_dup(conf->assoc_p2p_ie);
- if (conf->peer_addr)
- os_memcpy(sm->peer_addr, conf->peer_addr, ETH_ALEN);
- sm->fragment_size = conf->fragment_size;
- sm->pwd_group = conf->pwd_group;
- sm->pbc_in_m1 = conf->pbc_in_m1;
- sm->server_id = conf->server_id;
- sm->server_id_len = conf->server_id_len;
- sm->erp = conf->erp;
- sm->tls_session_lifetime = conf->tls_session_lifetime;
- sm->tls_flags = conf->tls_flags;
-
+ sm->cfg = conf;
+ if (sess->assoc_wps_ie)
+ sm->assoc_wps_ie = wpabuf_dup(sess->assoc_wps_ie);
+ if (sess->assoc_p2p_ie)
+ sm->assoc_p2p_ie = wpabuf_dup(sess->assoc_p2p_ie);
+ if (sess->peer_addr)
+ os_memcpy(sm->peer_addr, sess->peer_addr, ETH_ALEN);
#ifdef CONFIG_TESTING_OPTIONS
- sm->tls_test_flags = conf->tls_test_flags;
+ sm->tls_test_flags = sess->tls_test_flags;
#endif /* CONFIG_TESTING_OPTIONS */
wpa_printf(MSG_DEBUG, "EAP: Server state machine created");
@@ -1925,9 +1886,6 @@ void eap_server_sm_deinit(struct eap_sm *sm)
wpabuf_free(sm->eap_if.eapRespData);
os_free(sm->identity);
os_free(sm->serial_num);
- os_free(sm->pac_opaque_encr_key);
- os_free(sm->eap_fast_a_id);
- os_free(sm->eap_fast_a_id_info);
wpabuf_free(sm->eap_if.aaaEapReqData);
wpabuf_free(sm->eap_if.aaaEapRespData);
bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen);
@@ -2117,3 +2075,15 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
source, user, hex_challenge, hex_response);
}
#endif /* CONFIG_TESTING_OPTIONS */
+
+
+void eap_server_config_free(struct eap_config *cfg)
+{
+ if (!cfg)
+ return;
+ os_free(cfg->pac_opaque_encr_key);
+ os_free(cfg->eap_fast_a_id);
+ os_free(cfg->eap_fast_a_id_info);
+ os_free(cfg->server_id);
+ os_free(cfg);
+}
diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index 4dadfe1..22dd965 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -100,7 +100,7 @@ static int eap_aka_check_identity_reauth(struct eap_sm *sm,
return 0;
wpa_printf(MSG_DEBUG, "EAP-AKA: Reauth username '%s'", username);
- data->reauth = eap_sim_db_get_reauth_entry(sm->eap_sim_db_priv,
+ data->reauth = eap_sim_db_get_reauth_entry(sm->cfg->eap_sim_db_priv,
username);
if (data->reauth == NULL) {
wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown reauth identity - "
@@ -157,7 +157,7 @@ static void eap_aka_check_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
username);
permanent = eap_sim_db_get_permanent(
- sm->eap_sim_db_priv, username);
+ sm->cfg->eap_sim_db_priv, username);
if (permanent == NULL) {
os_free(username);
wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
@@ -182,7 +182,7 @@ static void * eap_aka_init(struct eap_sm *sm)
{
struct eap_aka_data *data;
- if (sm->eap_sim_db_priv == NULL) {
+ if (!sm->cfg->eap_sim_db_priv) {
wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
return NULL;
}
@@ -208,7 +208,7 @@ static void * eap_aka_prime_init(struct eap_sm *sm)
/* TODO: make ANID configurable; see 3GPP TS 24.302 */
char *network_name = "WLAN";
- if (sm->eap_sim_db_priv == NULL) {
+ if (sm->cfg->eap_sim_db_priv == NULL) {
wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
return NULL;
}
@@ -393,13 +393,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
- if (!(sm->eap_sim_id & 0x01)) {
+ if (!(sm->cfg->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym =
eap_sim_db_get_next_pseudonym(
- sm->eap_sim_db_priv,
+ sm->cfg->eap_sim_db_priv,
data->eap_method == EAP_TYPE_AKA_PRIME ?
EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
} else {
@@ -407,13 +407,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
- if (!(sm->eap_sim_id & 0x02)) {
+ if (!(sm->cfg->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
data->next_reauth_id =
eap_sim_db_get_next_reauth_id(
- sm->eap_sim_db_priv,
+ sm->cfg->eap_sim_db_priv,
data->eap_method == EAP_TYPE_AKA_PRIME ?
EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
} else {
@@ -505,7 +505,7 @@ static struct wpabuf * eap_aka_build_challenge(struct eap_sm *sm,
eap_aka_add_checkcode(data, msg);
- if (sm->eap_sim_aka_result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@@ -582,7 +582,7 @@ static struct wpabuf * eap_aka_build_reauth(struct eap_sm *sm,
eap_aka_add_checkcode(data, msg);
- if (sm->eap_sim_aka_result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@@ -767,7 +767,7 @@ static void eap_aka_determine_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
username);
permanent = eap_sim_db_get_permanent(
- sm->eap_sim_db_priv, username);
+ sm->cfg->eap_sim_db_priv, username);
os_free(username);
if (permanent == NULL) {
wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
@@ -803,7 +803,7 @@ static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data)
size_t identity_len;
int res;
- res = eap_sim_db_get_aka_auth(sm->eap_sim_db_priv, data->permanent,
+ res = eap_sim_db_get_aka_auth(sm->cfg->eap_sim_db_priv, data->permanent,
data->rand, data->autn, data->ik,
data->ck, data->res, &data->res_len, sm);
if (res == EAP_SIM_DB_PENDING) {
@@ -998,7 +998,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-AKA: Challenge response includes the "
"correct AT_MAC");
- if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_aka_state(data, NOTIFICATION);
@@ -1006,14 +1006,15 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
eap_aka_state(data, SUCCESS);
if (data->next_pseudonym) {
- eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
+ eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv,
+ data->permanent,
data->next_pseudonym);
data->next_pseudonym = NULL;
}
if (data->next_reauth_id) {
if (data->eap_method == EAP_TYPE_AKA_PRIME) {
#ifdef EAP_SERVER_AKA_PRIME
- eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
+ eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@@ -1021,7 +1022,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
data->k_re);
#endif /* EAP_SERVER_AKA_PRIME */
} else {
- eap_sim_db_add_reauth(sm->eap_sim_db_priv,
+ eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@@ -1051,7 +1052,7 @@ static void eap_aka_process_sync_failure(struct eap_sm *sm,
* maintaining a local flag stating whether this AUTS has already been
* reported. */
if (!data->auts_reported &&
- eap_sim_db_resynchronize(sm->eap_sim_db_priv, data->permanent,
+ eap_sim_db_resynchronize(sm->cfg->eap_sim_db_priv, data->permanent,
attr->auts, data->rand)) {
wpa_printf(MSG_WARNING, "EAP-AKA: Resynchronization failed");
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
@@ -1118,7 +1119,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
return;
}
- if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_aka_state(data, NOTIFICATION);
@@ -1128,7 +1129,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
if (data->next_reauth_id) {
if (data->eap_method == EAP_TYPE_AKA_PRIME) {
#ifdef EAP_SERVER_AKA_PRIME
- eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
+ eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@@ -1136,7 +1137,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
data->k_re);
#endif /* EAP_SERVER_AKA_PRIME */
} else {
- eap_sim_db_add_reauth(sm->eap_sim_db_priv,
+ eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv,
data->permanent,
data->next_reauth_id,
data->counter + 1,
@@ -1144,7 +1145,8 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
}
data->next_reauth_id = NULL;
} else {
- eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+ eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv,
+ data->reauth);
data->reauth = NULL;
}
@@ -1153,7 +1155,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
fail:
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
- eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+ eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth);
data->reauth = NULL;
os_free(decrypted);
}
diff --git a/src/eap_server/eap_server_eke.c b/src/eap_server/eap_server_eke.c
index 71580bf..71fab96 100644
--- a/src/eap_server/eap_server_eke.c
+++ b/src/eap_server/eap_server_eke.c
@@ -84,11 +84,11 @@ static void * eap_eke_init(struct eap_sm *sm)
eap_eke_state(data, IDENTITY);
data->serverid_type = EAP_EKE_ID_OPAQUE;
- for (i = 0; i < sm->server_id_len; i++) {
- if (sm->server_id[i] == '.' &&
+ for (i = 0; i < sm->cfg->server_id_len; i++) {
+ if (sm->cfg->server_id[i] == '.' &&
data->serverid_type == EAP_EKE_ID_OPAQUE)
data->serverid_type = EAP_EKE_ID_FQDN;
- if (sm->server_id[i] == '@')
+ if (sm->cfg->server_id[i] == '@')
data->serverid_type = EAP_EKE_ID_NAI;
}
@@ -186,7 +186,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Identity");
- plen = 2 + 4 * 4 + 1 + sm->server_id_len;
+ plen = 2 + 4 * 4 + 1 + sm->cfg->server_id_len;
msg = eap_eke_build_msg(data, id, plen, EAP_EKE_ID);
if (msg == NULL)
return NULL;
@@ -223,7 +223,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm,
/* Server IDType + Identity */
wpabuf_put_u8(msg, data->serverid_type);
- wpabuf_put_data(msg, sm->server_id, sm->server_id_len);
+ wpabuf_put_data(msg, sm->cfg->server_id, sm->cfg->server_id_len);
wpabuf_free(data->msgs);
data->msgs = wpabuf_dup(msg);
@@ -252,7 +252,7 @@ static struct wpabuf * eap_eke_build_commit(struct eap_sm *sm,
if (eap_eke_derive_key(&data->sess, sm->user->password,
sm->user->password_len,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, data->key) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key");
eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
@@ -338,7 +338,7 @@ static struct wpabuf * eap_eke_build_confirm(struct eap_sm *sm,
wpabuf_put(msg, prot_len);
if (eap_eke_derive_ka(&data->sess,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len,
data->nonce_p, data->nonce_s) < 0) {
wpabuf_free(msg);
@@ -552,7 +552,7 @@ static void eap_eke_process_commit(struct eap_sm *sm,
}
if (eap_eke_derive_ke_ki(&data->sess,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
@@ -641,7 +641,8 @@ static void eap_eke_process_confirm(struct eap_sm *sm,
return;
}
- if (eap_eke_derive_msk(&data->sess, sm->server_id, sm->server_id_len,
+ if (eap_eke_derive_msk(&data->sess, sm->cfg->server_id,
+ sm->cfg->server_id_len,
data->peerid, data->peerid_len,
data->nonce_s, data->nonce_p,
data->msk, data->emsk) < 0) {
diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c
index 98142db..0270821 100644
--- a/src/eap_server/eap_server_fast.c
+++ b/src/eap_server/eap_server_fast.c
@@ -278,7 +278,7 @@ static void eap_fast_derive_key_auth(struct eap_sm *sm,
* Extra key material after TLS key_block: session_key_seed[40]
*/
- sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
+ sks = eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn,
EAP_FAST_SKS_LEN);
if (sks == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
@@ -304,7 +304,7 @@ static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
{
os_free(data->key_block_p);
data->key_block_p = (struct eap_fast_key_block_provisioning *)
- eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
+ eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn,
sizeof(*data->key_block_p));
if (data->key_block_p == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
@@ -440,7 +440,7 @@ static void * eap_fast_init(struct eap_sm *sm)
return NULL;
}
- if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn,
+ if (tls_connection_set_cipher_list(sm->cfg->ssl_ctx, data->ssl.conn,
ciphers) < 0) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher "
"suites");
@@ -448,7 +448,8 @@ static void * eap_fast_init(struct eap_sm *sm)
return NULL;
}
- if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
+ if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx,
+ data->ssl.conn,
eap_fast_session_ticket_cb,
data) < 0) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket "
@@ -457,47 +458,48 @@ static void * eap_fast_init(struct eap_sm *sm)
return NULL;
}
- if (sm->pac_opaque_encr_key == NULL) {
+ if (sm->cfg->pac_opaque_encr_key == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key "
"configured");
eap_fast_reset(sm, data);
return NULL;
}
- os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
+ os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key,
sizeof(data->pac_opaque_encr));
- if (sm->eap_fast_a_id == NULL) {
+ if (sm->cfg->eap_fast_a_id == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured");
eap_fast_reset(sm, data);
return NULL;
}
- data->srv_id = os_memdup(sm->eap_fast_a_id, sm->eap_fast_a_id_len);
+ data->srv_id = os_memdup(sm->cfg->eap_fast_a_id,
+ sm->cfg->eap_fast_a_id_len);
if (data->srv_id == NULL) {
eap_fast_reset(sm, data);
return NULL;
}
- data->srv_id_len = sm->eap_fast_a_id_len;
+ data->srv_id_len = sm->cfg->eap_fast_a_id_len;
- if (sm->eap_fast_a_id_info == NULL) {
+ if (sm->cfg->eap_fast_a_id_info == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured");
eap_fast_reset(sm, data);
return NULL;
}
- data->srv_id_info = os_strdup(sm->eap_fast_a_id_info);
+ data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info);
if (data->srv_id_info == NULL) {
eap_fast_reset(sm, data);
return NULL;
}
/* PAC-Key lifetime in seconds (hard limit) */
- data->pac_key_lifetime = sm->pac_key_lifetime;
+ data->pac_key_lifetime = sm->cfg->pac_key_lifetime;
/*
* PAC-Key refresh time in seconds (soft limit on remaining hard
* limit). The server will generate a new PAC-Key when this number of
* seconds (or fewer) of the lifetime remains.
*/
- data->pac_key_refresh_time = sm->pac_key_refresh_time;
+ data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time;
return data;
}
@@ -552,8 +554,8 @@ static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data)
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2");
- if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
- < 0) {
+ if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn,
+ cipher, sizeof(cipher)) < 0) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher "
"information");
eap_fast_state(data, FAILURE);
@@ -872,7 +874,8 @@ static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_fast_build_start(sm, data, id);
case PHASE1:
- if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ if (tls_connection_established(sm->cfg->ssl_ctx,
+ data->ssl.conn)) {
if (eap_fast_phase1_done(sm, data) < 0)
return NULL;
if (data->state == PHASE2_START) {
@@ -1082,7 +1085,7 @@ static void eap_fast_process_phase2_response(struct eap_sm *sm,
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
#ifdef EAP_SERVER_TNC
- if (sm->tnc && !data->tnc_started) {
+ if (sm->cfg->tnc && !data->tnc_started) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC");
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_TNC;
@@ -1346,8 +1349,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
}
if (data->anon_provisioning &&
- sm->eap_fast_prov != ANON_PROV &&
- sm->eap_fast_prov != BOTH_PROV) {
+ sm->cfg->eap_fast_prov != ANON_PROV &&
+ sm->cfg->eap_fast_prov != BOTH_PROV) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
"use unauthenticated provisioning which is "
"disabled");
@@ -1355,8 +1358,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
return;
}
- if (sm->eap_fast_prov != AUTH_PROV &&
- sm->eap_fast_prov != BOTH_PROV &&
+ if (sm->cfg->eap_fast_prov != AUTH_PROV &&
+ sm->cfg->eap_fast_prov != BOTH_PROV &&
tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
eap_fast_pac_type(tlv.pac, tlv.pac_len,
PAC_TYPE_TUNNEL_PAC)) {
@@ -1408,7 +1411,7 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
return;
}
- in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (in_decrypted == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
@@ -1468,7 +1471,7 @@ static int eap_fast_process_phase1(struct eap_sm *sm,
return -1;
}
- if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
+ if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
wpabuf_len(data->ssl.tls_out) > 0)
return 1;
diff --git a/src/eap_server/eap_server_gpsk.c b/src/eap_server/eap_server_gpsk.c
index bebb17f..a774275 100644
--- a/src/eap_server/eap_server_gpsk.c
+++ b/src/eap_server/eap_server_gpsk.c
@@ -117,7 +117,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm,
wpa_hexdump(MSG_MSGDUMP, "EAP-GPSK: RAND_Server",
data->rand_server, EAP_GPSK_RAND_LEN);
- len = 1 + 2 + sm->server_id_len + EAP_GPSK_RAND_LEN + 2 +
+ len = 1 + 2 + sm->cfg->server_id_len + EAP_GPSK_RAND_LEN + 2 +
data->csuite_count * sizeof(struct eap_gpsk_csuite);
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len,
EAP_CODE_REQUEST, id);
@@ -129,8 +129,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm,
}
wpabuf_put_u8(req, EAP_GPSK_OPCODE_GPSK_1);
- wpabuf_put_be16(req, sm->server_id_len);
- wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+ wpabuf_put_be16(req, sm->cfg->server_id_len);
+ wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN);
wpabuf_put_be16(req,
data->csuite_count * sizeof(struct eap_gpsk_csuite));
@@ -152,7 +152,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-GPSK: Request/GPSK-3");
miclen = eap_gpsk_mic_len(data->vendor, data->specifier);
- len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->server_id_len +
+ len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->cfg->server_id_len +
sizeof(struct eap_gpsk_csuite) + 2 + miclen;
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len,
EAP_CODE_REQUEST, id);
@@ -168,8 +168,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm,
wpabuf_put_data(req, data->rand_peer, EAP_GPSK_RAND_LEN);
wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN);
- wpabuf_put_be16(req, sm->server_id_len);
- wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+ wpabuf_put_be16(req, sm->cfg->server_id_len);
+ wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
csuite = wpabuf_put(req, sizeof(*csuite));
WPA_PUT_BE32(csuite->vendor, data->vendor);
WPA_PUT_BE16(csuite->specifier, data->specifier);
@@ -294,8 +294,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
eap_gpsk_state(data, FAILURE);
return;
}
- if (alen != sm->server_id_len ||
- os_memcmp(pos, sm->server_id, alen) != 0) {
+ if (alen != sm->cfg->server_id_len ||
+ os_memcmp(pos, sm->cfg->server_id, alen) != 0) {
wpa_printf(MSG_DEBUG, "EAP-GPSK: ID_Server in GPSK-1 and "
"GPSK-2 did not match");
eap_gpsk_state(data, FAILURE);
@@ -409,7 +409,7 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
data->vendor, data->specifier,
data->rand_peer, data->rand_server,
data->id_peer, data->id_peer_len,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id, sm->cfg->server_id_len,
data->msk, data->emsk,
data->sk, &data->sk_len,
data->pk, &data->pk_len) < 0) {
@@ -423,7 +423,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
data->vendor, data->specifier,
data->rand_peer, data->rand_server,
data->id_peer, data->id_peer_len,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id,
+ sm->cfg->server_id_len,
EAP_TYPE_GPSK,
data->session_id, &data->id_len) < 0) {
wpa_printf(MSG_DEBUG, "EAP-GPSK: Failed to derive Session-Id");
diff --git a/src/eap_server/eap_server_ikev2.c b/src/eap_server/eap_server_ikev2.c
index 32e6872..897637e 100644
--- a/src/eap_server/eap_server_ikev2.c
+++ b/src/eap_server/eap_server_ikev2.c
@@ -87,8 +87,8 @@ static void * eap_ikev2_init(struct eap_sm *sm)
if (data == NULL)
return NULL;
data->state = MSG;
- data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size :
- IKEV2_FRAGMENT_SIZE;
+ data->fragment_size = sm->cfg->fragment_size > 0 ?
+ sm->cfg->fragment_size : IKEV2_FRAGMENT_SIZE;
data->ikev2.state = SA_INIT;
data->ikev2.peer_auth = PEER_AUTH_SECRET;
data->ikev2.key_pad = (u8 *) os_strdup("Key Pad for EAP-IKEv2");
@@ -103,10 +103,10 @@ static void * eap_ikev2_init(struct eap_sm *sm)
data->ikev2.proposal.encr = ENCR_AES_CBC;
data->ikev2.proposal.dh = DH_GROUP2_1024BIT_MODP;
- data->ikev2.IDi = os_memdup(sm->server_id, sm->server_id_len);
+ data->ikev2.IDi = os_memdup(sm->cfg->server_id, sm->cfg->server_id_len);
if (data->ikev2.IDi == NULL)
goto failed;
- data->ikev2.IDi_len = sm->server_id_len;
+ data->ikev2.IDi_len = sm->cfg->server_id_len;
data->ikev2.get_shared_secret = eap_ikev2_get_shared_secret;
data->ikev2.cb_ctx = sm;
@@ -414,7 +414,7 @@ static void eap_ikev2_process(struct eap_sm *sm, void *priv,
eap_ikev2_state(data, FAIL);
return;
}
-
+
if (flags & IKEV2_FLAGS_MORE_FRAGMENTS) {
if (eap_ikev2_process_fragment(data, flags, message_length,
pos, end - pos) < 0)
diff --git a/src/eap_server/eap_server_mschapv2.c b/src/eap_server/eap_server_mschapv2.c
index e9e03b0..8a1621a 100644
--- a/src/eap_server/eap_server_mschapv2.c
+++ b/src/eap_server/eap_server_mschapv2.c
@@ -109,7 +109,7 @@ static struct wpabuf * eap_mschapv2_build_challenge(
return NULL;
}
- ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->server_id_len;
+ ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->cfg->server_id_len;
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, ms_len,
EAP_CODE_REQUEST, id);
if (req == NULL) {
@@ -131,7 +131,7 @@ static struct wpabuf * eap_mschapv2_build_challenge(
wpabuf_put(req, CHALLENGE_LEN);
wpa_hexdump(MSG_MSGDUMP, "EAP-MSCHAPV2: Challenge",
data->auth_challenge, CHALLENGE_LEN);
- wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+ wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
return req;
}
diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index 697460b..02d8b8e 100644
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -105,8 +105,8 @@ static void eap_peap_valid_session(struct eap_sm *sm,
{
struct wpabuf *buf;
- if (!sm->tls_session_lifetime ||
- tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+ if (!sm->cfg->tls_session_lifetime ||
+ tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = wpabuf_alloc(1 + 1 + sm->identity_len);
@@ -336,7 +336,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
return -1;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
- if (tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
+ if (tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) {
/* Fast-connect: IPMK|CMK = TK */
os_memcpy(data->ipmk, tk, 40);
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
@@ -521,7 +521,8 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
return eap_peap_build_start(sm, data, id);
case PHASE1:
case PHASE1_ID2:
- if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ if (tls_connection_established(sm->cfg->ssl_ctx,
+ data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
"starting Phase2");
eap_peap_state(data, PHASE2_START);
@@ -1020,7 +1021,7 @@ static void eap_peap_process_phase2_response(struct eap_sm *sm,
}
#ifdef EAP_SERVER_TNC
- if (data->state != PHASE2_SOH && sm->tnc &&
+ if (data->state != PHASE2_SOH && sm->cfg->tnc &&
data->peap_version == 0) {
eap_peap_state(data, PHASE2_SOH);
wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
@@ -1077,7 +1078,7 @@ static void eap_peap_process_phase2(struct eap_sm *sm,
return;
}
- in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (in_decrypted == NULL) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
@@ -1237,8 +1238,8 @@ static void eap_peap_process(struct eap_sm *sm, void *priv,
}
if (data->state == SUCCESS ||
- !tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
- !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+ !tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
+ !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = tls_connection_get_success_data(data->ssl.conn);
diff --git a/src/eap_server/eap_server_psk.c b/src/eap_server/eap_server_psk.c
index 0eab893..511973c 100644
--- a/src/eap_server/eap_server_psk.c
+++ b/src/eap_server/eap_server_psk.c
@@ -68,7 +68,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm,
data->rand_s, EAP_PSK_RAND_LEN);
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK,
- sizeof(*psk) + sm->server_id_len,
+ sizeof(*psk) + sm->cfg->server_id_len,
EAP_CODE_REQUEST, id);
if (req == NULL) {
wpa_printf(MSG_ERROR, "EAP-PSK: Failed to allocate memory "
@@ -80,7 +80,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm,
psk = wpabuf_put(req, sizeof(*psk));
psk->flags = EAP_PSK_FLAGS_SET_T(0); /* T=0 */
os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN);
- wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+ wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
return req;
}
@@ -110,13 +110,13 @@ static struct wpabuf * eap_psk_build_3(struct eap_sm *sm,
os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN);
/* MAC_S = OMAC1-AES-128(AK, ID_S||RAND_P) */
- buflen = sm->server_id_len + EAP_PSK_RAND_LEN;
+ buflen = sm->cfg->server_id_len + EAP_PSK_RAND_LEN;
buf = os_malloc(buflen);
if (buf == NULL)
goto fail;
- os_memcpy(buf, sm->server_id, sm->server_id_len);
- os_memcpy(buf + sm->server_id_len, data->rand_p, EAP_PSK_RAND_LEN);
+ os_memcpy(buf, sm->cfg->server_id, sm->cfg->server_id_len);
+ os_memcpy(buf + sm->cfg->server_id_len, data->rand_p, EAP_PSK_RAND_LEN);
if (omac1_aes_128(data->ak, buf, buflen, psk->mac_s)) {
os_free(buf);
goto fail;
@@ -293,7 +293,7 @@ static void eap_psk_process_2(struct eap_sm *sm,
os_memcpy(data->rand_p, resp->rand_p, EAP_PSK_RAND_LEN);
/* MAC_P = OMAC1-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P) */
- buflen = data->id_p_len + sm->server_id_len + 2 * EAP_PSK_RAND_LEN;
+ buflen = data->id_p_len + sm->cfg->server_id_len + 2 * EAP_PSK_RAND_LEN;
buf = os_malloc(buflen);
if (buf == NULL) {
data->state = FAILURE;
@@ -301,8 +301,8 @@ static void eap_psk_process_2(struct eap_sm *sm,
}
os_memcpy(buf, data->id_p, data->id_p_len);
pos = buf + data->id_p_len;
- os_memcpy(pos, sm->server_id, sm->server_id_len);
- pos += sm->server_id_len;
+ os_memcpy(pos, sm->cfg->server_id, sm->cfg->server_id_len);
+ pos += sm->cfg->server_id_len;
os_memcpy(pos, data->rand_s, EAP_PSK_RAND_LEN);
pos += EAP_PSK_RAND_LEN;
os_memcpy(pos, data->rand_p, EAP_PSK_RAND_LEN);
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index a8087c1..6bf3a23 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -97,7 +97,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
if (data == NULL)
return NULL;
- data->group_num = sm->pwd_group;
+ data->group_num = sm->cfg->pwd_group;
wpa_printf(MSG_DEBUG, "EAP-pwd: Selected group number %d",
data->group_num);
data->state = PWD_ID_Req;
@@ -134,7 +134,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
data->in_frag_pos = data->out_frag_pos = 0;
data->inbuf = data->outbuf = NULL;
/* use default MTU from RFC 5931 if not configured otherwise */
- data->mtu = sm->fragment_size > 0 ? sm->fragment_size : 1020;
+ data->mtu = sm->cfg->fragment_size > 0 ? sm->cfg->fragment_size : 1020;
return data;
}
diff --git a/src/eap_server/eap_server_sake.c b/src/eap_server/eap_server_sake.c
index 2fc2c05..56cfbfb 100644
--- a/src/eap_server/eap_server_sake.c
+++ b/src/eap_server/eap_server_sake.c
@@ -123,7 +123,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Identity");
plen = 4;
- plen += 2 + sm->server_id_len;
+ plen += 2 + sm->cfg->server_id_len;
msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_IDENTITY);
if (msg == NULL) {
data->state = FAILURE;
@@ -135,7 +135,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID");
eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID,
- sm->server_id, sm->server_id_len);
+ sm->cfg->server_id, sm->cfg->server_id_len);
return msg;
}
@@ -158,7 +158,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm,
wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
data->rand_s, EAP_SAKE_RAND_LEN);
- plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->server_id_len;
+ plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->cfg->server_id_len;
msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_CHALLENGE);
if (msg == NULL) {
data->state = FAILURE;
@@ -171,7 +171,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID");
eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID,
- sm->server_id, sm->server_id_len);
+ sm->cfg->server_id, sm->cfg->server_id_len);
return msg;
}
@@ -198,7 +198,7 @@ static struct wpabuf * eap_sake_build_confirm(struct eap_sm *sm,
wpabuf_put_u8(msg, 2 + EAP_SAKE_MIC_LEN);
mic = wpabuf_put(msg, EAP_SAKE_MIC_LEN);
if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, 0,
wpabuf_head(msg), wpabuf_len(msg), mic, mic))
{
@@ -351,7 +351,7 @@ static void eap_sake_process_challenge(struct eap_sm *sm,
}
if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, 1,
wpabuf_head(respData), wpabuf_len(respData),
attr.mic_p, mic_p) < 0) {
@@ -392,7 +392,7 @@ static void eap_sake_process_confirm(struct eap_sm *sm,
}
if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
- sm->server_id, sm->server_id_len,
+ sm->cfg->server_id, sm->cfg->server_id_len,
data->peerid, data->peerid_len, 1,
wpabuf_head(respData), wpabuf_len(respData),
attr.mic_p, mic_p) < 0) {
diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c
index 5243568..d7ac87c 100644
--- a/src/eap_server/eap_server_sim.c
+++ b/src/eap_server/eap_server_sim.c
@@ -76,7 +76,7 @@ static void * eap_sim_init(struct eap_sm *sm)
{
struct eap_sim_data *data;
- if (sm->eap_sim_db_priv == NULL) {
+ if (!sm->cfg->eap_sim_db_priv) {
wpa_printf(MSG_WARNING, "EAP-SIM: eap_sim_db not configured");
return NULL;
}
@@ -150,24 +150,24 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
- if (!(sm->eap_sim_id & 0x01)) {
+ if (!(sm->cfg->eap_sim_id & 0x01)) {
/* Use of pseudonyms disabled in configuration */
data->next_pseudonym = NULL;
} else if (!nonce_s) {
data->next_pseudonym =
- eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
+ eap_sim_db_get_next_pseudonym(sm->cfg->eap_sim_db_priv,
EAP_SIM_DB_SIM);
} else {
/* Do not update pseudonym during re-authentication */
data->next_pseudonym = NULL;
}
os_free(data->next_reauth_id);
- if (!(sm->eap_sim_id & 0x02)) {
+ if (!(sm->cfg->eap_sim_id & 0x02)) {
/* Use of fast reauth disabled in configuration */
data->next_reauth_id = NULL;
} else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
data->next_reauth_id =
- eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
+ eap_sim_db_get_next_reauth_id(sm->cfg->eap_sim_db_priv,
EAP_SIM_DB_SIM);
} else {
wpa_printf(MSG_DEBUG, "EAP-SIM: Max fast re-authentication "
@@ -240,7 +240,7 @@ static struct wpabuf * eap_sim_build_challenge(struct eap_sm *sm,
return NULL;
}
- if (sm->eap_sim_aka_result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@@ -279,7 +279,7 @@ static struct wpabuf * eap_sim_build_reauth(struct eap_sm *sm,
return NULL;
}
- if (sm->eap_sim_aka_result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind) {
wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
}
@@ -475,7 +475,7 @@ static void eap_sim_process_start(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SIM: Reauth username '%s'",
username);
data->reauth = eap_sim_db_get_reauth_entry(
- sm->eap_sim_db_priv, username);
+ sm->cfg->eap_sim_db_priv, username);
os_free(username);
if (data->reauth == NULL) {
wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown reauth "
@@ -497,7 +497,7 @@ static void eap_sim_process_start(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SIM: Pseudonym username '%s'",
username);
permanent = eap_sim_db_get_permanent(
- sm->eap_sim_db_priv, username);
+ sm->cfg->eap_sim_db_priv, username);
os_free(username);
if (permanent == NULL) {
wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown pseudonym "
@@ -538,7 +538,7 @@ skip_id_update:
data->reauth = NULL;
data->num_chal = eap_sim_db_get_gsm_triplets(
- sm->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL,
+ sm->cfg->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL,
(u8 *) data->rand, (u8 *) data->kc, (u8 *) data->sres, sm);
if (data->num_chal == EAP_SIM_DB_PENDING) {
wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication triplets "
@@ -599,7 +599,7 @@ static void eap_sim_process_challenge(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SIM: Challenge response includes the "
"correct AT_MAC");
- if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_sim_state(data, NOTIFICATION);
@@ -607,12 +607,13 @@ static void eap_sim_process_challenge(struct eap_sm *sm,
eap_sim_state(data, SUCCESS);
if (data->next_pseudonym) {
- eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
+ eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv,
+ data->permanent,
data->next_pseudonym);
data->next_pseudonym = NULL;
}
if (data->next_reauth_id) {
- eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent,
+ eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent,
data->next_reauth_id, data->counter + 1,
data->mk);
data->next_reauth_id = NULL;
@@ -672,7 +673,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
return;
}
- if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+ if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
data->use_result_ind = 1;
data->notification = EAP_SIM_SUCCESS;
eap_sim_state(data, NOTIFICATION);
@@ -680,12 +681,13 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
eap_sim_state(data, SUCCESS);
if (data->next_reauth_id) {
- eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent,
+ eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent,
data->next_reauth_id,
data->counter + 1, data->mk);
data->next_reauth_id = NULL;
} else {
- eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+ eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv,
+ data->reauth);
data->reauth = NULL;
}
@@ -694,7 +696,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
fail:
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_sim_state(data, NOTIFICATION);
- eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+ eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth);
data->reauth = NULL;
os_free(decrypted);
}
diff --git a/src/eap_server/eap_server_teap.c b/src/eap_server/eap_server_teap.c
index 34a0d4c..f2f917b 100644
--- a/src/eap_server/eap_server_teap.c
+++ b/src/eap_server/eap_server_teap.c
@@ -287,7 +287,7 @@ static int eap_teap_derive_key_auth(struct eap_sm *sm,
int res;
/* RFC 7170, Section 5.1 */
- res = tls_connection_export_key(sm->ssl_ctx, data->ssl.conn,
+ res = tls_connection_export_key(sm->cfg->ssl_ctx, data->ssl.conn,
TEAP_TLS_EXPORTER_LABEL_SKS, NULL, 0,
data->simck_msk, EAP_TEAP_SIMCK_LEN);
if (res)
@@ -310,7 +310,7 @@ static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data)
wpa_printf(MSG_DEBUG, "EAP-TEAP: Deriving ICMK[%d] (S-IMCK and CMK)",
data->simck_idx + 1);
- if (sm->eap_teap_auth == 1)
+ if (sm->cfg->eap_teap_auth == 1)
return eap_teap_derive_cmk_basic_pw_auth(data->tls_cs,
data->simck_msk,
data->cmk_msk);
@@ -370,7 +370,8 @@ static void * eap_teap_init(struct eap_sm *sm)
/* TODO: Add anon-DH TLS cipher suites (and if one is negotiated,
* enforce inner EAP with mutual authentication to be used) */
- if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
+ if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx,
+ data->ssl.conn,
eap_teap_session_ticket_cb,
data) < 0) {
wpa_printf(MSG_INFO,
@@ -379,48 +380,49 @@ static void * eap_teap_init(struct eap_sm *sm)
return NULL;
}
- if (!sm->pac_opaque_encr_key) {
+ if (!sm->cfg->pac_opaque_encr_key) {
wpa_printf(MSG_INFO,
"EAP-TEAP: No PAC-Opaque encryption key configured");
eap_teap_reset(sm, data);
return NULL;
}
- os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
+ os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key,
sizeof(data->pac_opaque_encr));
- if (!sm->eap_fast_a_id) {
+ if (!sm->cfg->eap_fast_a_id) {
wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID configured");
eap_teap_reset(sm, data);
return NULL;
}
- data->srv_id = os_malloc(sm->eap_fast_a_id_len);
+ data->srv_id = os_malloc(sm->cfg->eap_fast_a_id_len);
if (!data->srv_id) {
eap_teap_reset(sm, data);
return NULL;
}
- os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len);
- data->srv_id_len = sm->eap_fast_a_id_len;
+ os_memcpy(data->srv_id, sm->cfg->eap_fast_a_id,
+ sm->cfg->eap_fast_a_id_len);
+ data->srv_id_len = sm->cfg->eap_fast_a_id_len;
- if (!sm->eap_fast_a_id_info) {
+ if (!sm->cfg->eap_fast_a_id_info) {
wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID-Info configured");
eap_teap_reset(sm, data);
return NULL;
}
- data->srv_id_info = os_strdup(sm->eap_fast_a_id_info);
+ data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info);
if (!data->srv_id_info) {
eap_teap_reset(sm, data);
return NULL;
}
/* PAC-Key lifetime in seconds (hard limit) */
- data->pac_key_lifetime = sm->pac_key_lifetime;
+ data->pac_key_lifetime = sm->cfg->pac_key_lifetime;
/*
* PAC-Key refresh time in seconds (soft limit on remaining hard
* limit). The server will generate a new PAC-Key when this number of
* seconds (or fewer) of the lifetime remains.
*/
- data->pac_key_refresh_time = sm->pac_key_refresh_time;
+ data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time;
return data;
}
@@ -500,8 +502,8 @@ static int eap_teap_phase1_done(struct eap_sm *sm, struct eap_teap_data *data)
wpa_printf(MSG_DEBUG, "EAP-TEAP: TLS cipher suite 0x%04x",
data->tls_cs);
- if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
- < 0) {
+ if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn,
+ cipher, sizeof(cipher)) < 0) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Failed to get cipher information");
eap_teap_state(data, FAILURE);
@@ -529,7 +531,7 @@ static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm,
{
struct wpabuf *req;
- if (sm->eap_teap_auth == 1) {
+ if (sm->cfg->eap_teap_auth == 1) {
wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth");
req = wpabuf_alloc(sizeof(struct teap_tlv_hdr));
if (!req)
@@ -567,7 +569,7 @@ static struct wpabuf * eap_teap_build_crypto_binding(
return NULL;
if (data->send_new_pac || data->anon_provisioning ||
- data->phase2_method || sm->eap_teap_separate_result)
+ data->phase2_method || sm->cfg->eap_teap_separate_result)
data->final_result = 0;
else
data->final_result = 1;
@@ -846,7 +848,8 @@ static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_teap_build_start(sm, data, id);
case PHASE1B:
- if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ if (tls_connection_established(sm->cfg->ssl_ctx,
+ data->ssl.conn)) {
if (eap_teap_phase1_done(sm, data) < 0)
return NULL;
if (data->state == PHASE2_START) {
@@ -1072,7 +1075,7 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
#ifdef EAP_SERVER_TNC
- if (sm->tnc && !data->tnc_started) {
+ if (sm->cfg->tnc && !data->tnc_started) {
wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC");
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_TNC;
@@ -1463,7 +1466,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
return;
}
- if (sm->eap_teap_auth != 1 &&
+ if (sm->cfg->eap_teap_auth != 1 &&
tlv.iresult != TEAP_STATUS_SUCCESS) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Crypto-Binding TLV without intermediate Success Result");
@@ -1485,16 +1488,16 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
}
if (data->anon_provisioning &&
- sm->eap_fast_prov != ANON_PROV &&
- sm->eap_fast_prov != BOTH_PROV) {
+ sm->cfg->eap_fast_prov != ANON_PROV &&
+ sm->cfg->eap_fast_prov != BOTH_PROV) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Client is trying to use unauthenticated provisioning which is disabled");
eap_teap_state(data, FAILURE);
return;
}
- if (sm->eap_fast_prov != AUTH_PROV &&
- sm->eap_fast_prov != BOTH_PROV &&
+ if (sm->cfg->eap_fast_prov != AUTH_PROV &&
+ sm->cfg->eap_fast_prov != BOTH_PROV &&
tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV &&
eap_teap_pac_type(tlv.pac, tlv.pac_len,
PAC_TYPE_TUNNEL_PAC)) {
@@ -1517,13 +1520,13 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
eap_teap_state(data, REQUEST_PAC);
} else if (data->final_result) {
eap_teap_state(data, SUCCESS);
- } else if (sm->eap_teap_separate_result) {
+ } else if (sm->cfg->eap_teap_separate_result) {
eap_teap_state(data, SUCCESS_SEND_RESULT);
}
}
if (tlv.basic_auth_resp) {
- if (sm->eap_teap_auth != 1) {
+ if (sm->cfg->eap_teap_auth != 1) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Unexpected Basic-Password-Auth-Resp when trying to use inner EAP");
eap_teap_state(data, FAILURE);
@@ -1534,7 +1537,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
}
if (tlv.eap_payload_tlv) {
- if (sm->eap_teap_auth == 1) {
+ if (sm->cfg->eap_teap_auth == 1) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Unexpected EAP Payload TLV when trying to use Basic-Password-Auth");
eap_teap_state(data, FAILURE);
@@ -1573,7 +1576,7 @@ static void eap_teap_process_phase2(struct eap_sm *sm,
return;
}
- in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (!in_decrypted) {
wpa_printf(MSG_INFO,
@@ -1634,7 +1637,7 @@ static int eap_teap_process_phase1(struct eap_sm *sm,
return -1;
}
- if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
+ if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
wpabuf_len(data->ssl.tls_out) > 0)
return 1;
@@ -1668,7 +1671,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
next_vendor = EAP_VENDOR_IETF;
next_type = EAP_TYPE_NONE;
eap_teap_state(data, PHASE2_METHOD);
- } else if (sm->eap_teap_pac_no_inner) {
+ } else if (sm->cfg->eap_teap_pac_no_inner) {
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Used PAC and identity already known - skip inner auth");
/* FIX: Need to derive CMK here. However, how is that
@@ -1679,7 +1682,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
data->cmk_msk);
eap_teap_state(data, CRYPTO_BINDING);
return 1;
- } else if (sm->eap_teap_auth == 1) {
+ } else if (sm->cfg->eap_teap_auth == 1) {
eap_teap_state(data, PHASE2_BASIC_AUTH);
return 1;
} else {
@@ -1691,7 +1694,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
eap_teap_state(data, PHASE2_METHOD);
}
- } else if (sm->eap_teap_auth == 1) {
+ } else if (sm->cfg->eap_teap_auth == 1) {
eap_teap_state(data, PHASE2_BASIC_AUTH);
return 0;
} else {
diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c
index 0712d4c..c64cebb 100644
--- a/src/eap_server/eap_server_tls.c
+++ b/src/eap_server/eap_server_tls.c
@@ -58,7 +58,7 @@ static void eap_tls_valid_session(struct eap_sm *sm, struct eap_tls_data *data)
{
struct wpabuf *buf;
- if (!sm->tls_session_lifetime)
+ if (!sm->cfg->tls_session_lifetime)
return;
buf = wpabuf_alloc(1);
@@ -187,7 +187,8 @@ static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_tls_build_start(sm, data, id);
case CONTINUE:
- if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
+ if (tls_connection_established(sm->cfg->ssl_ctx,
+ data->ssl.conn))
data->established = 1;
break;
default:
@@ -267,7 +268,7 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
}
if (data->ssl.tls_v13 &&
- tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn)) {
struct wpabuf *plain, *encr;
wpa_printf(MSG_DEBUG,
@@ -315,8 +316,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
return;
}
- if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
- !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+ if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
+ !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = tls_connection_get_success_data(data->ssl.conn);
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 5daee90..b38f1e0 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -47,9 +47,9 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer, int eap_type)
{
u8 session_ctx[8];
- unsigned int flags = sm->tls_flags;
+ unsigned int flags = sm->cfg->tls_flags;
- if (sm->ssl_ctx == NULL) {
+ if (!sm->cfg->ssl_ctx) {
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
return -1;
}
@@ -57,7 +57,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
data->eap = sm;
data->phase2 = sm->init_phase2;
- data->conn = tls_connection_init(sm->ssl_ctx);
+ data->conn = tls_connection_init(sm->cfg->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
"connection");
@@ -75,17 +75,18 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
flags |= TLS_CONN_DISABLE_SESSION_TICKET;
os_memcpy(session_ctx, "hostapd", 7);
session_ctx[7] = (u8) eap_type;
- if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
+ if (tls_connection_set_verify(sm->cfg->ssl_ctx, data->conn, verify_peer,
flags, session_ctx,
sizeof(session_ctx))) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
"of TLS peer certificate");
- tls_connection_deinit(sm->ssl_ctx, data->conn);
+ tls_connection_deinit(sm->cfg->ssl_ctx, data->conn);
data->conn = NULL;
return -1;
}
- data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398;
+ data->tls_out_limit = sm->cfg->fragment_size > 0 ?
+ sm->cfg->fragment_size : 1398;
if (data->phase2) {
/* Limit the fragment size in the inner TLS authentication
* since the outer authentication with EAP-PEAP does not yet
@@ -99,7 +100,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
{
- tls_connection_deinit(sm->ssl_ctx, data->conn);
+ tls_connection_deinit(sm->cfg->ssl_ctx, data->conn);
eap_server_tls_free_in_buf(data);
wpabuf_free(data->tls_out);
data->tls_out = NULL;
@@ -116,7 +117,7 @@ u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
if (out == NULL)
return NULL;
- if (tls_connection_export_key(sm->ssl_ctx, data->conn, label,
+ if (tls_connection_export_key(sm->cfg->ssl_ctx, data->conn, label,
context, context_len, out, len)) {
os_free(out);
return NULL;
@@ -170,7 +171,7 @@ u8 * eap_server_tls_derive_session_id(struct eap_sm *sm,
return id;
}
- if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys))
+ if (tls_connection_get_random(sm->cfg->ssl_ctx, data->conn, &keys))
return NULL;
if (keys.client_random == NULL || keys.server_random == NULL)
@@ -340,29 +341,30 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
WPA_ASSERT(data->tls_out == NULL);
}
- data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
+ data->tls_out = tls_connection_server_handshake(sm->cfg->ssl_ctx,
data->conn,
data->tls_in, NULL);
if (data->tls_out == NULL) {
wpa_printf(MSG_INFO, "SSL: TLS processing failed");
return -1;
}
- if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
+ if (tls_connection_get_failed(sm->cfg->ssl_ctx, data->conn)) {
/* TLS processing has failed - return error */
wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
"report error");
return -1;
}
- if (tls_get_version(sm->ssl_ctx, data->conn, buf, sizeof(buf)) == 0) {
+ if (tls_get_version(sm->cfg->ssl_ctx, data->conn,
+ buf, sizeof(buf)) == 0) {
wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
}
if (!sm->serial_num &&
- tls_connection_established(sm->ssl_ctx, data->conn))
- sm->serial_num = tls_connection_peer_serial_num(sm->ssl_ctx,
- data->conn);
+ tls_connection_established(sm->cfg->ssl_ctx, data->conn))
+ sm->serial_num = tls_connection_peer_serial_num(
+ sm->cfg->ssl_ctx, data->conn);
return 0;
}
@@ -451,8 +453,7 @@ struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
{
struct wpabuf *buf;
- buf = tls_connection_encrypt(sm->ssl_ctx, data->conn,
- plain);
+ buf = tls_connection_encrypt(sm->cfg->ssl_ctx, data->conn, plain);
if (buf == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data");
return NULL;
@@ -506,7 +507,7 @@ int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
if (proc_msg)
proc_msg(sm, priv, respData);
- if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
+ if (tls_connection_get_write_alerts(sm->cfg->ssl_ctx, data->conn) > 1) {
wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
"TLS processing");
res = -1;
diff --git a/src/eap_server/eap_server_tnc.c b/src/eap_server/eap_server_tnc.c
index b568558..f6cdcb1 100644
--- a/src/eap_server/eap_server_tnc.c
+++ b/src/eap_server/eap_server_tnc.c
@@ -84,8 +84,8 @@ static void * eap_tnc_init(struct eap_sm *sm)
return NULL;
}
- data->fragment_size = sm->fragment_size > 100 ?
- sm->fragment_size - 98 : 1300;
+ data->fragment_size = sm->cfg->fragment_size > 100 ?
+ sm->cfg->fragment_size - 98 : 1300;
return data;
}
@@ -508,7 +508,7 @@ static void eap_tnc_process(struct eap_sm *sm, void *priv,
eap_tnc_set_state(data, FAIL);
return;
}
-
+
if (flags & EAP_TNC_FLAGS_MORE_FRAGMENTS) {
if (eap_tnc_process_fragment(data, flags, message_length,
pos, end - pos) < 0)
diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
index caeef35..721835d 100644
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@@ -81,7 +81,7 @@ static void eap_ttls_valid_session(struct eap_sm *sm,
{
struct wpabuf *buf;
- if (!sm->tls_session_lifetime)
+ if (!sm->cfg->tls_session_lifetime)
return;
buf = wpabuf_alloc(1 + 1 + sm->identity_len);
@@ -480,7 +480,8 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
case START:
return eap_ttls_build_start(sm, data, id);
case PHASE1:
- if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ if (tls_connection_established(sm->cfg->ssl_ctx,
+ data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
"starting Phase2");
eap_ttls_state(data, PHASE2_START);
@@ -1029,7 +1030,7 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
return;
}
- in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
in_buf);
if (in_decrypted == NULL) {
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
@@ -1119,7 +1120,7 @@ done:
static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
{
#ifdef EAP_SERVER_TNC
- if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
+ if (!sm->cfg->tnc || data->state != SUCCESS || data->tnc_started)
return;
wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
@@ -1209,8 +1210,8 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
return;
}
- if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
- !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+ if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
+ !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
return;
buf = tls_connection_get_success_data(data->ssl.conn);
diff --git a/src/eap_server/eap_server_wsc.c b/src/eap_server/eap_server_wsc.c
index 4a5cb98..364c089 100644
--- a/src/eap_server/eap_server_wsc.c
+++ b/src/eap_server/eap_server_wsc.c
@@ -103,10 +103,10 @@ static void * eap_wsc_init(struct eap_sm *sm)
data->registrar = registrar;
os_memset(&cfg, 0, sizeof(cfg));
- cfg.wps = sm->wps;
+ cfg.wps = sm->cfg->wps;
cfg.registrar = registrar;
if (registrar) {
- if (sm->wps == NULL || sm->wps->registrar == NULL) {
+ if (!sm->cfg->wps || !sm->cfg->wps->registrar) {
wpa_printf(MSG_INFO, "EAP-WSC: WPS Registrar not "
"initialized");
os_free(data);
@@ -138,14 +138,14 @@ static void * eap_wsc_init(struct eap_sm *sm)
cfg.p2p_dev_addr = p2p_get_go_dev_addr(sm->assoc_p2p_ie);
}
#endif /* CONFIG_P2P */
- cfg.pbc_in_m1 = sm->pbc_in_m1;
+ cfg.pbc_in_m1 = sm->cfg->pbc_in_m1;
data->wps = wps_init(&cfg);
if (data->wps == NULL) {
os_free(data);
return NULL;
}
- data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size :
- WSC_FRAGMENT_SIZE;
+ data->fragment_size = sm->cfg->fragment_size > 0 ?
+ sm->cfg->fragment_size : WSC_FRAGMENT_SIZE;
return data;
}
diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index 5a2abb5..5a2ba26 100644
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -775,7 +775,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
const char *identity, const char *radius_cui)
{
struct eapol_state_machine *sm;
- struct eap_config eap_conf;
+ struct eap_session_data eap_sess;
if (eapol == NULL)
return NULL;
@@ -823,38 +823,12 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
else
sm->portValid = TRUE;
- os_memset(&eap_conf, 0, sizeof(eap_conf));
- eap_conf.eap_server = eapol->conf.eap_server;
- eap_conf.ssl_ctx = eapol->conf.ssl_ctx;
- eap_conf.msg_ctx = eapol->conf.msg_ctx;
- eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
- eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
- eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
- eap_conf.eap_fast_a_id_len = eapol->conf.eap_fast_a_id_len;
- eap_conf.eap_fast_a_id_info = eapol->conf.eap_fast_a_id_info;
- eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
- eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
- eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
- eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
- eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
- eap_conf.eap_teap_separate_result =
- eapol->conf.eap_teap_separate_result;
- eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
- eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
- eap_conf.tnc = eapol->conf.tnc;
- eap_conf.wps = eapol->conf.wps;
- eap_conf.assoc_wps_ie = assoc_wps_ie;
- eap_conf.assoc_p2p_ie = assoc_p2p_ie;
- eap_conf.peer_addr = addr;
- eap_conf.fragment_size = eapol->conf.fragment_size;
- eap_conf.pwd_group = eapol->conf.pwd_group;
- eap_conf.pbc_in_m1 = eapol->conf.pbc_in_m1;
- eap_conf.server_id = eapol->conf.server_id;
- eap_conf.server_id_len = eapol->conf.server_id_len;
- eap_conf.erp = eapol->conf.erp;
- eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
- eap_conf.tls_flags = eapol->conf.tls_flags;
- sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
+ os_memset(&eap_sess, 0, sizeof(eap_sess));
+ eap_sess.assoc_wps_ie = assoc_wps_ie;
+ eap_sess.assoc_p2p_ie = assoc_p2p_ie;
+ eap_sess.peer_addr = addr;
+ sm->eap = eap_server_sm_init(sm, &eapol_cb, eapol->conf.eap_cfg,
+ &eap_sess);
if (sm->eap == NULL) {
eapol_auth_free(sm);
return NULL;
@@ -1189,19 +1163,12 @@ int eapol_auth_set_conf(struct eapol_state_machine *sm, const char *param,
static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
struct eapol_auth_config *src)
{
+ dst->eap_cfg = src->eap_cfg;
dst->ctx = src->ctx;
dst->eap_reauth_period = src->eap_reauth_period;
dst->wpa = src->wpa;
dst->individual_wep_key_len = src->individual_wep_key_len;
- dst->eap_server = src->eap_server;
- dst->ssl_ctx = src->ssl_ctx;
- dst->msg_ctx = src->msg_ctx;
- dst->eap_sim_db_priv = src->eap_sim_db_priv;
os_free(dst->eap_req_id_text);
- dst->pwd_group = src->pwd_group;
- dst->pbc_in_m1 = src->pbc_in_m1;
- dst->server_id = src->server_id;
- dst->server_id_len = src->server_id_len;
if (src->eap_req_id_text) {
dst->eap_req_id_text = os_memdup(src->eap_req_id_text,
src->eap_req_id_text_len);
@@ -1212,38 +1179,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->eap_req_id_text = NULL;
dst->eap_req_id_text_len = 0;
}
- if (src->pac_opaque_encr_key) {
- dst->pac_opaque_encr_key = os_memdup(src->pac_opaque_encr_key,
- 16);
- if (dst->pac_opaque_encr_key == NULL)
- goto fail;
- } else
- dst->pac_opaque_encr_key = NULL;
- if (src->eap_fast_a_id) {
- dst->eap_fast_a_id = os_memdup(src->eap_fast_a_id,
- src->eap_fast_a_id_len);
- if (dst->eap_fast_a_id == NULL)
- goto fail;
- dst->eap_fast_a_id_len = src->eap_fast_a_id_len;
- } else
- dst->eap_fast_a_id = NULL;
- if (src->eap_fast_a_id_info) {
- dst->eap_fast_a_id_info = os_strdup(src->eap_fast_a_id_info);
- if (dst->eap_fast_a_id_info == NULL)
- goto fail;
- } else
- dst->eap_fast_a_id_info = NULL;
- dst->eap_fast_prov = src->eap_fast_prov;
- dst->pac_key_lifetime = src->pac_key_lifetime;
- dst->pac_key_refresh_time = src->pac_key_refresh_time;
- dst->eap_teap_auth = src->eap_teap_auth;
- dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
- dst->eap_teap_separate_result = src->eap_teap_separate_result;
- dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
- dst->eap_sim_id = src->eap_sim_id;
- dst->tnc = src->tnc;
- dst->wps = src->wps;
- dst->fragment_size = src->fragment_size;
os_free(dst->erp_domain);
if (src->erp_domain) {
@@ -1254,9 +1189,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->erp_domain = NULL;
}
dst->erp_send_reauth_start = src->erp_send_reauth_start;
- dst->erp = src->erp;
- dst->tls_session_lifetime = src->tls_session_lifetime;
- dst->tls_flags = src->tls_flags;
return 0;
@@ -1270,12 +1202,6 @@ static void eapol_auth_conf_free(struct eapol_auth_config *conf)
{
os_free(conf->eap_req_id_text);
conf->eap_req_id_text = NULL;
- os_free(conf->pac_opaque_encr_key);
- conf->pac_opaque_encr_key = NULL;
- os_free(conf->eap_fast_a_id);
- conf->eap_fast_a_id = NULL;
- os_free(conf->eap_fast_a_id_info);
- conf->eap_fast_a_id_info = NULL;
os_free(conf->erp_domain);
conf->erp_domain = NULL;
}
diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h
index fc467da..5fe89c6 100644
--- a/src/eapol_auth/eapol_auth_sm.h
+++ b/src/eapol_auth/eapol_auth_sm.h
@@ -15,39 +15,14 @@
#define EAPOL_SM_FROM_PMKSA_CACHE BIT(3)
struct eapol_auth_config {
+ const struct eap_config *eap_cfg;
int eap_reauth_period;
int wpa;
int individual_wep_key_len;
- int eap_server;
- void *ssl_ctx;
- void *msg_ctx;
- void *eap_sim_db_priv;
char *eap_req_id_text; /* a copy of this will be allocated */
size_t eap_req_id_text_len;
int erp_send_reauth_start;
char *erp_domain; /* a copy of this will be allocated */
- int erp; /* Whether ERP is enabled on authentication server */
- unsigned int tls_session_lifetime;
- unsigned int tls_flags;
- u8 *pac_opaque_encr_key;
- u8 *eap_fast_a_id;
- size_t eap_fast_a_id_len;
- char *eap_fast_a_id_info;
- int eap_fast_prov;
- int pac_key_lifetime;
- int pac_key_refresh_time;
- int eap_teap_auth;
- int eap_teap_pac_no_inner;
- int eap_teap_separate_result;
- int eap_sim_aka_result_ind;
- int eap_sim_id;
- int tnc;
- struct wps_context *wps;
- int fragment_size;
- u16 pwd_group;
- int pbc_in_m1;
- const u8 *server_id;
- size_t server_id_len;
/* Opaque context pointer to owner data for callback functions */
void *ctx;
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 100cf52..a24caec 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -161,146 +161,10 @@ struct radius_server_data {
*/
int num_sess;
- /**
- * eap_sim_db_priv - EAP-SIM/AKA database context
- *
- * This is passed to the EAP-SIM/AKA server implementation as a
- * callback context.
- */
- void *eap_sim_db_priv;
-
- /**
- * ssl_ctx - TLS context
- *
- * This is passed to the EAP server implementation as a callback
- * context for TLS operations.
- */
- void *ssl_ctx;
-
- /**
- * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
- *
- * This parameter is used to set a key for EAP-FAST to encrypt the
- * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
- * set, must point to a 16-octet key.
- */
- u8 *pac_opaque_encr_key;
-
- /**
- * eap_fast_a_id - EAP-FAST authority identity (A-ID)
- *
- * If EAP-FAST is not used, this can be set to %NULL. In theory, this
- * is a variable length field, but due to some existing implementations
- * requiring A-ID to be 16 octets in length, it is recommended to use
- * that length for the field to provide interoperability with deployed
- * peer implementations.
- */
- u8 *eap_fast_a_id;
-
- /**
- * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
- */
- size_t eap_fast_a_id_len;
-
- /**
- * eap_fast_a_id_info - EAP-FAST authority identifier information
- *
- * This A-ID-Info contains a user-friendly name for the A-ID. For
- * example, this could be the enterprise and server names in
- * human-readable format. This field is encoded as UTF-8. If EAP-FAST
- * is not used, this can be set to %NULL.
- */
- char *eap_fast_a_id_info;
-
- /**
- * eap_fast_prov - EAP-FAST provisioning modes
- *
- * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
- * 2 = only authenticated provisioning allowed, 3 = both provisioning
- * modes allowed.
- */
- int eap_fast_prov;
-
- /**
- * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
- *
- * This is the hard limit on how long a provisioned PAC-Key can be
- * used.
- */
- int pac_key_lifetime;
-
- /**
- * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
- *
- * This is a soft limit on the PAC-Key. The server will automatically
- * generate a new PAC-Key when this number of seconds (or fewer) of the
- * lifetime remains.
- */
- int pac_key_refresh_time;
-
- int eap_teap_auth;
- int eap_teap_pac_no_inner;
- int eap_teap_separate_result;
-
- /**
- * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
- *
- * This controls whether the protected success/failure indication
- * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
- */
- int eap_sim_aka_result_ind;
-
- int eap_sim_id;
-
- /**
- * tnc - Trusted Network Connect (TNC)
- *
- * This controls whether TNC is enabled and will be required before the
- * peer is allowed to connect. Note: This is only used with EAP-TTLS
- * and EAP-FAST. If any other EAP method is enabled, the peer will be
- * allowed to connect without TNC.
- */
- int tnc;
-
- /**
- * pwd_group - The D-H group assigned for EAP-pwd
- *
- * If EAP-pwd is not used it can be set to zero.
- */
- u16 pwd_group;
-
- /**
- * server_id - Server identity
- */
- const char *server_id;
-
- /**
- * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
- *
- * This controls whether the authentication server derives ERP key
- * hierarchy (rRK and rIK) from full EAP authentication and allows
- * these keys to be used to perform ERP to derive rMSK instead of full
- * EAP authentication to derive MSK.
- */
- int erp;
-
const char *erp_domain;
struct dl_list erp_keys; /* struct eap_server_erp_key */
- unsigned int tls_session_lifetime;
-
- unsigned int tls_flags;
-
- /**
- * wps - Wi-Fi Protected Setup context
- *
- * If WPS is used with an external RADIUS server (which is quite
- * unlikely configuration), this is used to provide a pointer to WPS
- * context data. Normally, this can be set to %NULL.
- */
- struct wps_context *wps;
-
/**
* ipv6 - Whether to enable IPv6 support in the RADIUS server
*/
@@ -352,11 +216,6 @@ struct radius_server_data {
*/
size_t eap_req_id_text_len;
- /*
- * msg_ctx - Context data for wpa_msg() calls
- */
- void *msg_ctx;
-
#ifdef CONFIG_RADIUS_TEST
char *dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */
@@ -370,6 +229,8 @@ struct radius_server_data {
#ifdef CONFIG_SQLITE
sqlite3 *db;
#endif /* CONFIG_SQLITE */
+
+ struct eap_config *eap_cfg;
};
@@ -620,7 +481,7 @@ radius_server_new_session(struct radius_server_data *data,
#ifdef CONFIG_TESTING_OPTIONS
static void radius_server_testing_options_tls(struct radius_session *sess,
const char *tls,
- struct eap_config *eap_conf)
+ struct eap_session_data *eap_conf)
{
int test = atoi(tls);
@@ -665,7 +526,7 @@ static void radius_server_testing_options_tls(struct radius_session *sess,
#endif /* CONFIG_TESTING_OPTIONS */
static void radius_server_testing_options(struct radius_session *sess,
- struct eap_config *eap_conf)
+ struct eap_session_data *eap_conf)
{
#ifdef CONFIG_TESTING_OPTIONS
const char *pos;
@@ -708,7 +569,7 @@ radius_server_get_new_session(struct radius_server_data *data,
size_t user_len, id_len;
int res;
struct radius_session *sess;
- struct eap_config eap_conf;
+ struct eap_session_data eap_sess;
struct eap_user *tmp;
RADIUS_DEBUG("Creating a new session");
@@ -726,7 +587,7 @@ radius_server_get_new_session(struct radius_server_data *data,
res = data->get_eap_user(data->conf_ctx, user, user_len, 0, tmp);
#ifdef CONFIG_ERP
- if (res != 0 && data->erp) {
+ if (res != 0 && data->eap_cfg->erp) {
char *username;
username = os_zalloc(user_len + 1);
@@ -785,35 +646,10 @@ radius_server_get_new_session(struct radius_server_data *data,
srv_log(sess, "New session created");
- os_memset(&eap_conf, 0, sizeof(eap_conf));
- eap_conf.ssl_ctx = data->ssl_ctx;
- eap_conf.msg_ctx = data->msg_ctx;
- eap_conf.eap_sim_db_priv = data->eap_sim_db_priv;
- eap_conf.backend_auth = TRUE;
- eap_conf.eap_server = 1;
- eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
- eap_conf.eap_fast_a_id = data->eap_fast_a_id;
- eap_conf.eap_fast_a_id_len = data->eap_fast_a_id_len;
- eap_conf.eap_fast_a_id_info = data->eap_fast_a_id_info;
- eap_conf.eap_fast_prov = data->eap_fast_prov;
- eap_conf.pac_key_lifetime = data->pac_key_lifetime;
- eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
- eap_conf.eap_teap_auth = data->eap_teap_auth;
- eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
- eap_conf.eap_teap_separate_result = data->eap_teap_separate_result;
- eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
- eap_conf.eap_sim_id = data->eap_sim_id;
- eap_conf.tnc = data->tnc;
- eap_conf.wps = data->wps;
- eap_conf.pwd_group = data->pwd_group;
- eap_conf.server_id = (const u8 *) data->server_id;
- eap_conf.server_id_len = os_strlen(data->server_id);
- eap_conf.erp = data->erp;
- eap_conf.tls_session_lifetime = data->tls_session_lifetime;
- eap_conf.tls_flags = data->tls_flags;
- radius_server_testing_options(sess, &eap_conf);
+ os_memset(&eap_sess, 0, sizeof(eap_sess));
+ radius_server_testing_options(sess, &eap_sess);
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
- &eap_conf);
+ data->eap_cfg, &eap_sess);
if (sess->eap == NULL) {
RADIUS_DEBUG("Failed to initialize EAP state machine for the "
"new session");
@@ -2353,6 +2189,7 @@ struct radius_server_data *
radius_server_init(struct radius_server_conf *conf)
{
struct radius_server_data *data;
+ struct eap_config *eap_cfg;
#ifndef CONFIG_IPV6
if (conf->ipv6) {
@@ -2365,45 +2202,56 @@ radius_server_init(struct radius_server_conf *conf)
if (data == NULL)
return NULL;
+ eap_cfg = data->eap_cfg = os_zalloc(sizeof(*eap_cfg));
+ if (!eap_cfg) {
+ os_free(data);
+ return NULL;
+ }
data->auth_sock = -1;
data->acct_sock = -1;
dl_list_init(&data->erp_keys);
os_get_reltime(&data->start_time);
data->conf_ctx = conf->conf_ctx;
- data->eap_sim_db_priv = conf->eap_sim_db_priv;
- data->ssl_ctx = conf->ssl_ctx;
- data->msg_ctx = conf->msg_ctx;
+ eap_cfg->backend_auth = TRUE;
+ eap_cfg->eap_server = 1;
+ eap_cfg->eap_sim_db_priv = conf->eap_sim_db_priv;
+ eap_cfg->ssl_ctx = conf->ssl_ctx;
+ eap_cfg->msg_ctx = conf->msg_ctx;
data->ipv6 = conf->ipv6;
if (conf->pac_opaque_encr_key) {
- data->pac_opaque_encr_key = os_malloc(16);
- if (data->pac_opaque_encr_key) {
- os_memcpy(data->pac_opaque_encr_key,
+ eap_cfg->pac_opaque_encr_key = os_malloc(16);
+ if (eap_cfg->pac_opaque_encr_key) {
+ os_memcpy(eap_cfg->pac_opaque_encr_key,
conf->pac_opaque_encr_key, 16);
}
}
if (conf->eap_fast_a_id) {
- data->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
- if (data->eap_fast_a_id) {
- os_memcpy(data->eap_fast_a_id, conf->eap_fast_a_id,
+ eap_cfg->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
+ if (eap_cfg->eap_fast_a_id) {
+ os_memcpy(eap_cfg->eap_fast_a_id, conf->eap_fast_a_id,
conf->eap_fast_a_id_len);
- data->eap_fast_a_id_len = conf->eap_fast_a_id_len;
+ eap_cfg->eap_fast_a_id_len = conf->eap_fast_a_id_len;
}
}
if (conf->eap_fast_a_id_info)
- data->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
- data->eap_fast_prov = conf->eap_fast_prov;
- data->pac_key_lifetime = conf->pac_key_lifetime;
- data->pac_key_refresh_time = conf->pac_key_refresh_time;
- data->eap_teap_auth = conf->eap_teap_auth;
- data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
- data->eap_teap_separate_result = conf->eap_teap_separate_result;
+ eap_cfg->eap_fast_a_id_info =
+ os_strdup(conf->eap_fast_a_id_info);
+ eap_cfg->eap_fast_prov = conf->eap_fast_prov;
+ eap_cfg->pac_key_lifetime = conf->pac_key_lifetime;
+ eap_cfg->pac_key_refresh_time = conf->pac_key_refresh_time;
+ eap_cfg->eap_teap_auth = conf->eap_teap_auth;
+ eap_cfg->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
+ eap_cfg->eap_teap_separate_result = conf->eap_teap_separate_result;
data->get_eap_user = conf->get_eap_user;
- data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
- data->eap_sim_id = conf->eap_sim_id;
- data->tnc = conf->tnc;
- data->wps = conf->wps;
- data->pwd_group = conf->pwd_group;
- data->server_id = conf->server_id;
+ eap_cfg->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+ eap_cfg->eap_sim_id = conf->eap_sim_id;
+ eap_cfg->tnc = conf->tnc;
+ eap_cfg->wps = conf->wps;
+ eap_cfg->pwd_group = conf->pwd_group;
+ if (conf->server_id) {
+ eap_cfg->server_id = (u8 *) os_strdup(conf->server_id);
+ eap_cfg->server_id_len = os_strlen(conf->server_id);
+ }
if (conf->eap_req_id_text) {
data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len);
if (data->eap_req_id_text) {
@@ -2412,10 +2260,10 @@ radius_server_init(struct radius_server_conf *conf)
data->eap_req_id_text_len = conf->eap_req_id_text_len;
}
}
- data->erp = conf->erp;
+ eap_cfg->erp = conf->erp;
data->erp_domain = conf->erp_domain;
- data->tls_session_lifetime = conf->tls_session_lifetime;
- data->tls_flags = conf->tls_flags;
+ eap_cfg->tls_session_lifetime = conf->tls_session_lifetime;
+ eap_cfg->tls_flags = conf->tls_flags;
if (conf->subscr_remediation_url) {
data->subscr_remediation_url =
@@ -2537,9 +2385,6 @@ void radius_server_deinit(struct radius_server_data *data)
radius_server_free_clients(data, data->clients);
- os_free(data->pac_opaque_encr_key);
- os_free(data->eap_fast_a_id);
- os_free(data->eap_fast_a_id_info);
os_free(data->eap_req_id_text);
#ifdef CONFIG_RADIUS_TEST
os_free(data->dump_msk_file);
@@ -2554,6 +2399,7 @@ void radius_server_deinit(struct radius_server_data *data)
#endif /* CONFIG_SQLITE */
radius_server_erp_flush(data);
+ eap_server_config_free(data->eap_cfg);
os_free(data);
}