path: root/src/eapol_auth/eapol_auth_sm.c
Commit message (Collapse)AuthorAgeFilesLines
* RADIUS: Share a single function for generating session IDsJouni Malinen2016-02-061-7/+4
| | | | | | | There is no need to maintain three copies of this functionality even if it is currently implemented as a single function call. Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Use more likely unique accounting Acct-{,Multi-}Session-IdNick Lowe2016-02-061-11/+10
| | | | | | | | | | | | | | | | Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to give better global and temporal uniqueness. Previously, only 32-bits of the Acct-Session-Id would contain random data, the other 32-bits would be incremented. Previously, the Acct-Multi-Session-Id would not use random data. Switch from two u32 variables to a single u64 for the Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves no legitimate purpose. Exclusively use os_get_random() to get quality random numbers, do not use or mix in the time. Inherently take a dependency on /dev/urandom working properly therefore. Remove the global Acct-Session-Id and Acct-Multi-Session-Id values that serve no legitimate purpose. Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* EAPOL auth: Move radius_cui/identity freeing to eapol_auth_free()Jouni Malinen2016-02-061-0/+3
| | | | | | | | These can get allocated within eapol_auth_alloc(), so it is more logical to free them in eapol_auth_free() instead of ieee802_1x_free_station() that ends up calling eapol_auth_free(). Signed-off-by: Jouni Malinen <j@w1.fi>
* EAPOL auth: clear keyRun in AUTH_PAE INITIALIZEJouni Malinen2015-08-281-0/+12
| | | | | | | | | | | | | | | | | | | Clearing keyRun here is not specified in IEEE Std 802.1X-2004, but it looks like this would be logical thing to do here since the EAPOL-Key exchange is not possible in this state. It is possible to get here on disconnection event without advancing to the AUTHENTICATING state to clear keyRun before the IEEE 802.11 RSN authenticator state machine runs and that may advance from AUTHENTICATION2 to INITPMK if keyRun = TRUE has been left from the last association. This can be avoided by clearing keyRun here. It was possible to hit this corner case in the hwsim test case ap_wpa2_eap_eke_server_oom in the case getKey operation was forced to fail memory allocation. The following association resulted in the station getting disconnected when entering INITPMK without going through EAP authentication. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP server: Add tls_session_lifetime configurationJouni Malinen2015-08-231-0/+2
| | | | | | | | | | This new hostapd configuration parameter can be used to enable TLS session resumption. This commit adds the configuration parameter through the configuration system and RADIUS/EAPOL/EAP server components. The actual changes to enable session caching will be addressed in followup commits. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add EAPOL_SET hostapd command to configure EAPOL parametersJouni Malinen2015-07-121-0/+72
| | | | | | | | This new control interface command "EAPOL_REAUTH <MAC address> <parameter> <value>" can be used to implement the IEEE 802.1X PAE Set Authenticator Configuration operation. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add EAPOL_REAUTH hostapd command to trigger EAPOL reauthenticationJouni Malinen2015-07-121-1/+10
| | | | | | | This new control interface command "EAPOL_REAUTH <MAC address>" can be used to implement the IEEE 802.1X PAE Reauthenticate operation. Signed-off-by: Jouni Malinen <j@w1.fi>
* Declare all read only data structures as constMikael Kanstrup2015-04-251-2/+2
| | | | | | | | By analysing objdump output some read only structures were found in .data section. To help compiler further optimize code declare these as const. Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
* ERP: Add support for ERP on EAP server and authenticatorJouni Malinen2014-12-041-0/+21
| | | | | | | | | | | | | Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add optional EAP-Initiate/Re-auth-Start transmissionJouni Malinen2014-12-041-17/+42
| | | | | | | | | hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start before EAP-Request/Identity to try to initiate ERP. This is disabled by default and can be enabled with erp_send_reauth_start=1 and optional erp_reauth_start_domain=<domain>. Signed-off-by: Jouni Malinen <j@w1.fi>
* Add Acct-Multi-Session-Id into RADIUS Accounting messagesJouni Malinen2014-10-181-0/+12
| | | | | | | | | This allows multiple sessions using the same PMKSA cache entry to be combined more easily at the server side. Acct-Session-Id is still a unique identifier for each association, while Acct-Multi-Session-Id will maintain its value for all associations that use the same PMKSA. Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Allow EAP methods to log into SQLite DBJouni Malinen2014-03-091-1/+2
| | | | | | | This extends RADIUS server logging capabilities to allow EAP server methods to add log entries. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* HS 2.0R2: RADIUS server support to request Subscr RemediationJouni Malinen2014-02-251-5/+11
| | | | | | | | | The new hostapd.conf parameter subscr_remediation_url can be used to define the URL of the Subscription Remediation Server that will be added in a WFA VSA to Access-Accept message if the SQLite user database indicates that the user need subscription remediation. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAPOL: Fix static analyzer warnings for pac_opaque_encr_keyAdriana Reus2013-11-051-0/+6
| | | | | | | The allocation was not verified to complete successfully and the allocated memory was not freed on error paths. Signed-hostap: Adriana Reus <adriana.reus@intel.com>
* Add server identity configuration for EAP serverJouni Malinen2013-07-071-0/+4
| | | | | | | | The new server_id parameter in hostapd.conf can now be used to specify which identity is delivered to the EAP peer with EAP methods that support authenticated server identity. Signed-hostap: Jouni Malinen <j@w1.fi>
* Initialize EAPOL auth identity/cui with STA entry dataMichael Braun2012-08-191-1/+11
| | | | | | | If RADIUS ACL was used for the STA, identity/cui may already be known at this point. Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Remove the GPL notification from files contributed by Jouni MalinenJouni Malinen2012-02-111-8/+2
| | | | | | | Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
* Make sure that EAP callbacks are not done if state machine has been removedJouni Malinen2011-08-121-1/+1
| | | | | | | It is possible to get a response for a pending EAP callback after the EAP state machine has already completed its work or has timed out. For those cases, make sure that the callback function is not delivered since it could result in NULL pointer dereferences.
* WPS: Add a workaround for Windows 7 capability discovery for PBCJouni Malinen2011-05-171-0/+2
| | | | | | | | | | | | Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting as a Registrar and using M1 from the AP. The config methods attribute in that message is supposed to indicate only the configuration method supported by the AP in Enrollee role, i.e., to add an external Registrar. For that case, PBC shall not be used and as such, the PushButton config method is removed from M1 by default. If pbc_in_m1=1 is included in the configuration file, the PushButton config method is left in M1 (if included in config_methods parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label in the AP).
* EAP-pwd: Add support for EAP-pwd server and peer functionalityDan Harkins2010-09-151-0/+2
| | | | | This adds an initial EAP-pwd (RFC 5931) implementation. For now, this requires OpenSSL.
* P2P: Use PSK format in WPS CredentialJouni Malinen2010-09-091-1/+3
* EAP server: Add support for configuring fragment sizeJouni Malinen2010-07-211-0/+2
* AP: Add wpa_msg() events for EAP server state machineGregory Detal2010-04-071-0/+2
* Make EAPOL Authenticator buildable with Microsoft compilerJouni Malinen2010-02-191-2/+2
* Move internal EAPOL authenticator defines into their own fileJouni Malinen2009-11-291-3/+5
| | | | | | | | This is an initial step in further cleaning up the EAPOL authenticator use to avoid requiring direct accesses to the internal data structures. For now, number of external files are still including the internal definitions from eapol_auth_sm_i.h, but eventually, these direct references should be removed.
* Make HOSTAPD_DUMP_STATE configurable with CONFIG_NO_DUMP_STATEJouni Malinen2009-11-291-214/+0
| | | | | | This removes the hardcoded definition from Makefile and cleans up source code by moving the mail HOSTAPD_DUMP_STATE blocks into separate files to avoid conditional compilation within files.
* Move EAPOL authenticator state machine into src/eapol_authJouni Malinen2009-11-291-0/+1349
This is now completely independent from hostapd-specific code, so it can be moved to be under the src tree.