SM_STATE(REAUTH_TIMER, REAUTHENTICATE) { SM_ENTRY_MA(REAUTH_TIMER, REAUTHENTICATE, reauth_timer); sm->reAuthenticate = TRUE; sm->eapol->cb.eapol_event(sm->eapol->conf.ctx, sm->sta, EAPOL_AUTH_REAUTHENTICATE); }
SM_STATE(AUTH_PAE, HELD) { if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authFail) sm->authAuthFailWhileAuthenticating++; SM_ENTRY_MA(AUTH_PAE, HELD, auth_pae); sm->authPortStatus = Unauthorized; setPortUnauthorized(); sm->quietWhile = sm->quietPeriod; sm->eapolLogoff = FALSE; eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_WARNING, "authentication failed - EAP type: %d (%s)", sm->eap_type_authsrv, eap_server_get_name(0, sm->eap_type_authsrv)); if (sm->eap_type_authsrv != sm->eap_type_supp) { eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO, "Supplicant used different EAP type: " "%d (%s)", sm->eap_type_supp, eap_server_get_name(0, sm->eap_type_supp)); } sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0, sm->flags & EAPOL_SM_PREAUTH); }
SM_STATE(KEY_RX, KEY_RECEIVE) { SM_ENTRY_MA(KEY_RX, KEY_RECEIVE, key_rx); processKey(); sm->rxKey = FALSE; }
SM_STATE(BE_AUTH, FAIL) { SM_ENTRY_MA(BE_AUTH, FAIL, be_auth); txReq(); sm->authFail = TRUE; }
SM_STATE(BE_AUTH, SUCCESS) { SM_ENTRY_MA(BE_AUTH, SUCCESS, be_auth); txReq(); sm->authSuccess = TRUE; sm->keyRun = TRUE; }
SM_STATE(BE_AUTH, INITIALIZE) { SM_ENTRY_MA(BE_AUTH, INITIALIZE, be_auth); abortAuth(); sm->eap_if->eapNoReq = FALSE; sm->authAbort = FALSE; }
SM_STATE(AUTH_KEY_TX, KEY_TRANSMIT) { SM_ENTRY_MA(AUTH_KEY_TX, KEY_TRANSMIT, auth_key_tx); txKey(); sm->eap_if->eapKeyAvailable = FALSE; sm->keyDone = TRUE; }
SM_STATE(AUTH_PAE, FORCE_UNAUTH) { SM_ENTRY_MA(AUTH_PAE, FORCE_UNAUTH, auth_pae); sm->authPortStatus = Unauthorized; setPortUnauthorized(); sm->portMode = ForceUnauthorized; sm->eapolStart = FALSE; txCannedFail(); }
SM_STATE(AUTH_PAE, FORCE_AUTH) { SM_ENTRY_MA(AUTH_PAE, FORCE_AUTH, auth_pae); sm->authPortStatus = Authorized; setPortAuthorized(); sm->portMode = ForceAuthorized; sm->eapolStart = FALSE; txCannedSuccess(); }
SM_STATE(AUTH_PAE, CONNECTING) { if (sm->auth_pae_state != AUTH_PAE_CONNECTING) sm->authEntersConnecting++; SM_ENTRY_MA(AUTH_PAE, CONNECTING, auth_pae); sm->reAuthenticate = FALSE; sm->reAuthCount++; }
SM_STATE(BE_AUTH, RESPONSE) { SM_ENTRY_MA(BE_AUTH, RESPONSE, be_auth); sm->authTimeout = FALSE; sm->eapolEap = FALSE; sm->eap_if->eapNoReq = FALSE; sm->aWhile = sm->serverTimeout; sm->eap_if->eapResp = TRUE; /* sendRespToServer(); */ sm->backendResponses++; }
SM_STATE(AUTH_PAE, AUTHENTICATING) { SM_ENTRY_MA(AUTH_PAE, AUTHENTICATING, auth_pae); sm->eapolStart = FALSE; sm->authSuccess = FALSE; sm->authFail = FALSE; sm->authTimeout = FALSE; sm->authStart = TRUE; sm->keyRun = FALSE; sm->keyDone = FALSE; }
SM_STATE(AUTH_PAE, RESTART) { if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED) { if (sm->reAuthenticate) sm->authAuthReauthsWhileAuthenticated++; if (sm->eapolStart) sm->authAuthEapStartsWhileAuthenticated++; if (sm->eapolLogoff) sm->authAuthEapLogoffWhileAuthenticated++; } SM_ENTRY_MA(AUTH_PAE, RESTART, auth_pae); sm->eap_if->eapRestart = TRUE; }
SM_STATE(AUTH_PAE, ABORTING) { if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING) { if (sm->authTimeout) sm->authAuthTimeoutsWhileAuthenticating++; if (sm->eapolStart) sm->authAuthEapStartsWhileAuthenticating++; if (sm->eapolLogoff) sm->authAuthEapLogoffWhileAuthenticating++; } SM_ENTRY_MA(AUTH_PAE, ABORTING, auth_pae); sm->authAbort = TRUE; sm->keyRun = FALSE; sm->keyDone = FALSE; }
SM_STATE(AUTH_PAE, INITIALIZE) { SM_ENTRY_MA(AUTH_PAE, INITIALIZE, auth_pae); sm->portMode = Auto; /* * Clearing keyRun here is not specified in IEEE Std 802.1X-2004, but * it looks like this would be logical thing to do here since the * EAPOL-Key exchange is not possible in this state. It is possible to * get here on disconnection event without advancing to the * AUTHENTICATING state to clear keyRun before the IEEE 802.11 RSN * authenticator state machine runs and that may advance from * AUTHENTICATION2 to INITPMK if keyRun = TRUE has been left from the * last association. This can be avoided by clearing keyRun here. */ sm->keyRun = FALSE; }
SM_STATE(BE_AUTH, REQUEST) { SM_ENTRY_MA(BE_AUTH, REQUEST, be_auth); txReq(); sm->eap_if->eapReq = FALSE; sm->backendOtherRequestsToSupplicant++; /* * Clearing eapolEap here is not specified in IEEE Std 802.1X-2004, but * it looks like this would be logical thing to do there since the old * EAP response would not be valid anymore after the new EAP request * was sent out. * * A race condition has been reported, in which hostapd ended up * sending out EAP-Response/Identity as a response to the first * EAP-Request from the main EAP method. This can be avoided by * clearing eapolEap here. */ sm->eapolEap = FALSE; }
SM_STATE(AUTH_PAE, AUTHENTICATED) { char *extra = ""; if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATING && sm->authSuccess) { sm->authAuthSuccessesWhileAuthenticating++; } SM_ENTRY_MA(AUTH_PAE, AUTHENTICATED, auth_pae); sm->authPortStatus = Authorized; setPortAuthorized(); sm->reAuthCount = 0; if (sm->flags & EAPOL_SM_PREAUTH) { extra = " (pre-authentication)"; } else if (sm->flags & EAPOL_SM_FROM_PMKSA_CACHE) { extra = " (PMKSA cache)"; } eapol_auth_vlogger(sm->eapol, sm->addr, EAPOL_LOGGER_INFO, "authenticated - EAP type: %d (%s)%s", sm->eap_type_authsrv, eap_server_get_name(0, sm->eap_type_authsrv), extra); sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 1, sm->flags & EAPOL_SM_PREAUTH, sm->remediation); }
SM_STATE(AUTH_PAE, DISCONNECTED) { int from_initialize = sm->auth_pae_state == AUTH_PAE_INITIALIZE; if (sm->eapolLogoff) { if (sm->auth_pae_state == AUTH_PAE_CONNECTING) sm->authEapLogoffsWhileConnecting++; else if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED) sm->authAuthEapLogoffWhileAuthenticated++; } SM_ENTRY_MA(AUTH_PAE, DISCONNECTED, auth_pae); sm->authPortStatus = Unauthorized; setPortUnauthorized(); sm->reAuthCount = 0; sm->eapolLogoff = FALSE; if (!from_initialize) { sm->eapol->cb.finished(sm->eapol->conf.ctx, sm->sta, 0, sm->flags & EAPOL_SM_PREAUTH); } }
SM_STATE(CTRL_DIR, IN_OR_BOTH) { SM_ENTRY_MA(CTRL_DIR, IN_OR_BOTH, ctrl_dir); sm->operControlledDirections = sm->adminControlledDirections; }
SM_STATE(CTRL_DIR, FORCE_BOTH) { SM_ENTRY_MA(CTRL_DIR, FORCE_BOTH, ctrl_dir); sm->operControlledDirections = Both; }
SM_STATE(AUTH_PAE, INITIALIZE) { SM_ENTRY_MA(AUTH_PAE, INITIALIZE, auth_pae); sm->portMode = Auto; }
SM_STATE(KEY_RX, NO_KEY_RECEIVE) { SM_ENTRY_MA(KEY_RX, NO_KEY_RECEIVE, key_rx); }
SM_STATE(AUTH_KEY_TX, NO_KEY_TRANSMIT) { SM_ENTRY_MA(AUTH_KEY_TX, NO_KEY_TRANSMIT, auth_key_tx); }
SM_STATE(REAUTH_TIMER, INITIALIZE) { SM_ENTRY_MA(REAUTH_TIMER, INITIALIZE, reauth_timer); sm->reAuthWhen = sm->reAuthPeriod; }
SM_STATE(BE_AUTH, IGNORE) { SM_ENTRY_MA(BE_AUTH, IGNORE, be_auth); sm->eap_if->eapNoReq = FALSE; }
SM_STATE(BE_AUTH, IDLE) { SM_ENTRY_MA(BE_AUTH, IDLE, be_auth); sm->authStart = FALSE; }
SM_STATE(BE_AUTH, TIMEOUT) { SM_ENTRY_MA(BE_AUTH, TIMEOUT, be_auth); sm->authTimeout = TRUE; }