792
799
int eapSRTT, int eapRTTVAR,
793
800
int methodTimeout)
795
/* For now, retransmission is done in EAPOL state machines, so make
796
* sure EAP state machine does not end up trying to retransmit packets.
806
* EAP method (either internal or through AAA server, provided
807
* timeout hint. Use that as-is as a timeout for retransmitting
808
* the EAP request if no response is received.
810
wpa_printf(MSG_DEBUG, "EAP: retransmit timeout %d seconds "
811
"(from EAP method hint)", methodTimeout);
812
return methodTimeout;
816
* RFC 3748 recommends algorithms described in RFC 2988 for estimation
817
* of the retransmission timeout. This should be implemented once
818
* round-trip time measurements are available. For nowm a simple
819
* backoff mechanism is used instead if there are no EAP method
822
* SRTT = smoothed round-trip time
823
* RTTVAR = round-trip time variation
824
* RTO = retransmission timeout
828
* RFC 2988, 2.1: before RTT measurement, set RTO to 3 seconds for
829
* initial retransmission and then double the RTO to provide back off
830
* per 5.5. Limit the maximum RTO to 20 seconds per RFC 3748, 4.3
834
for (i = 0; i < retransCount; i++) {
842
wpa_printf(MSG_DEBUG, "EAP: retransmit timeout %d seconds "
843
"(from dynamic back off; retransCount=%d)",
1030
1078
static int eap_sm_Policy_getDecision(struct eap_sm *sm)
1032
if (!sm->eap_server && sm->identity) {
1080
if (!sm->eap_server && sm->identity && !sm->start_reauth) {
1033
1081
wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
1034
1082
return DECISION_PASSTHROUGH;
1050
1098
return DECISION_FAILURE;
1053
if ((sm->user == NULL || sm->update_user) && sm->identity) {
1101
if ((sm->user == NULL || sm->update_user) && sm->identity &&
1102
!sm->start_reauth) {
1104
* Allow Identity method to be started once to allow identity
1105
* selection hint to be sent from the authentication server,
1106
* but prevent a loop of Identity requests by only allowing
1107
* this to happen once.
1110
if (sm->user && sm->currentMethod == EAP_TYPE_IDENTITY &&
1111
sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
1112
sm->user->methods[0].method == EAP_TYPE_IDENTITY)
1054
1114
if (eap_user_get(sm, sm->identity, sm->identity_len, 0) != 0) {
1055
1115
wpa_printf(MSG_DEBUG, "EAP: getDecision: user not "
1056
1116
"found from database -> FAILURE");
1057
1117
return DECISION_FAILURE;
1119
if (id_req && sm->user &&
1120
sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
1121
sm->user->methods[0].method == EAP_TYPE_IDENTITY) {
1122
wpa_printf(MSG_DEBUG, "EAP: getDecision: stop "
1123
"identity request loop -> FAILURE");
1124
sm->update_user = TRUE;
1125
return DECISION_FAILURE;
1059
1127
sm->update_user = FALSE;
1129
sm->start_reauth = FALSE;
1062
1131
if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
1063
1132
(sm->user->methods[sm->user_eap_method_index].vendor !=
1140
1209
sm->eapol_ctx = eapol_ctx;
1141
1210
sm->eapol_cb = eapol_cb;
1142
sm->MaxRetrans = 10;
1211
sm->MaxRetrans = 5; /* RFC 3748: max 3-5 retransmissions suggested */
1143
1212
sm->ssl_ctx = conf->ssl_ctx;
1144
1213
sm->eap_sim_db_priv = conf->eap_sim_db_priv;
1145
1214
sm->backend_auth = conf->backend_auth;
1151
1220
conf->pac_opaque_encr_key, 16);
1154
if (conf->eap_fast_a_id)
1155
sm->eap_fast_a_id = os_strdup(conf->eap_fast_a_id);
1223
if (conf->eap_fast_a_id) {
1224
sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
1225
if (sm->eap_fast_a_id) {
1226
os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id,
1227
conf->eap_fast_a_id_len);
1228
sm->eap_fast_a_id_len = conf->eap_fast_a_id_len;
1231
if (conf->eap_fast_a_id_info)
1232
sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
1233
sm->eap_fast_prov = conf->eap_fast_prov;
1234
sm->pac_key_lifetime = conf->pac_key_lifetime;
1235
sm->pac_key_refresh_time = conf->pac_key_refresh_time;
1156
1236
sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
1157
1237
sm->tnc = conf->tnc;
1238
sm->wps = conf->wps;
1239
if (conf->assoc_wps_ie)
1240
sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie);
1159
1242
wpa_printf(MSG_DEBUG, "EAP: Server state machine created");
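Review bot: The new A-ID copy at the `os_malloc(conf->eap_fast_a_id_len)` line swallows an allocation failure: when os_malloc returns NULL the inner `if (sm->eap_fast_a_id)` is skipped, `sm->eap_fast_a_id_len` is never set, and execution still reaches the closing "Server state machine created" line, so a server explicitly configured with an EAP-FAST A-ID would come up without one; the same silent degradation applies to the unchecked `os_strdup(conf->eap_fast_a_id_info)` and `wpabuf_dup(conf->assoc_wps_ie)` added a few lines later. Since the configuration asked for these values, the constructor should fail rather than continue with partial state; the function's opening and its return are outside this hunk, so reuse whatever teardown its existing failure path performs (presumably freeing sm and returning NULL). A zero `eap_fast_a_id_len` would also make `os_malloc(0)` allocator-dependent, so it is worth either rejecting it at configuration time or treating it as "no A-ID" here. Proposed shape for the A-ID and A-ID-Info copies:
```c
	if (conf->eap_fast_a_id) {
		sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
		if (sm->eap_fast_a_id == NULL) {
			/* … tear down the partially built sm as the function's existing failure path does … */
			return NULL;
		}
		os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id,
			  conf->eap_fast_a_id_len);
		sm->eap_fast_a_id_len = conf->eap_fast_a_id_len;
	}
	if (conf->eap_fast_a_id_info) {
		sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
		if (sm->eap_fast_a_id_info == NULL) {
			/* … same teardown … */
			return NULL;
		}
	}
	/* … unchanged: eap_fast_prov, pac_key_lifetime, pac_key_refresh_time, tnc, wps copies … */
```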
1183
1266
os_free(sm->identity);
1184
1267
os_free(sm->pac_opaque_encr_key);
1185
1268
os_free(sm->eap_fast_a_id);
1269
os_free(sm->eap_fast_a_id_info);
1186
1270
wpabuf_free(sm->eap_if.aaaEapReqData);
1187
1271
wpabuf_free(sm->eap_if.aaaEapRespData);
1188
1272
os_free(sm->eap_if.aaaEapKeyData);
1189
1273
eap_user_free(sm->user);
1274
wpabuf_free(sm->assoc_wps_ie);