The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
state_machine.c File Reference

Implement a common state machine for EAP-SIM, EAP-AKA, EAP-AKA'. More...

#include <freeradius-devel/eap/base.h>
#include <freeradius-devel/eap/types.h>
#include <freeradius-devel/server/pair.h>
#include <freeradius-devel/unlang/interpret.h>
#include <freeradius-devel/unlang/module.h>
#include <freeradius-devel/util/table.h>
#include <freeradius-devel/util/rand.h>
#include "base.h"
#include "state_machine.h"
#include "attrs.h"


Macros

#define CALL_SECTION(_x)
 
#define EAP_TLS_MPPE_KEY_LEN   32
 
#define RESUME(_x)
 
#define RESUME_NO_RESULT(_x)
 
#define SECTION_RCODE_IGNORED
 Warn the user that the rcode they provided is being ignored in this section.
 
#define SECTION_RCODE_PROCESS
 Trigger a state transition to FAILURE-NOTIFICATION if the section returned a failure code.
 
#define STATE(_x)
 
#define STATE_GUARD(_x)
 
#define STATE_GUARD_NO_RESULT(_x)
 
#define STATE_NO_RESULT(_x)
 
#define STATE_SET(_new_state)   state_set(request, talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t), state_ ## _new_state)
 
#define STATE_TRANSITION(_x)   guard_ ## _x(p_result, mctx, request)
 

Functions

static int _eap_aka_sim_session_free (eap_aka_sim_session_t *eap_aka_sim_session)
 Zero out the eap_aka_sim_session when we free it to clear knowledge of secret keys.
 
static bool after_authentication (eap_aka_sim_session_t *eap_aka_sim_session)
 Determine if we're after authentication.
 
static unlang_action_t aka_challenge_request_send (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
 Called after 'store session { ... }' and 'store pseudonym { ... }'.
 
return CALL_SECTION (recv_common_identity_response)
 
static int checkcode_validate (request_t *request)
 Check &control.checkcode matches &reply.checkcode.
 
static void client_error_debug (request_t *request)
 Print out the error the client returned.
 
static void common_crypto_export (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session, uint8_t const *hmac_extra_request, size_t hmac_extra_request_len, uint8_t const *hmac_extra_response, size_t hmac_extra_response_len)
 
static unlang_action_t common_reauthentication_request_compose (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request, eap_aka_sim_session_t *eap_aka_sim_session)
 Send an EAP-Request/(AKA|SIM)-Reauthenticate message to the supplicant.
 
static unlang_action_t common_reauthentication_request_send (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
 Called after 'store session { ... }' and 'store pseudonym { ... }'.
 
static void common_reply (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session, uint16_t subtype)
 Export EAP-SIM/AKA['] attributes.
 
 crypto_identity_set (request, eap_aka_sim_session,(uint8_t const *) eap_session->identity, talloc_array_length(eap_session->identity) - 1)
 
static void crypto_identity_set (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session, uint8_t const *identity, size_t len)
 Set the crypto identity from a received identity.
 
unlang_action_t eap_aka_sim_state_machine_process (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
 Resumes the state machine when receiving a new response packet.
 
 fr_assert (0)
 
 fr_pair_value_bstrdup_buffer (vp, eap_session->identity, true)
 
static void identity_hint_pairs_add (fr_aka_sim_id_type_t *type_p, fr_aka_sim_method_hint_t *method_p, request_t *request, char const *identity)
 Based on the hint byte in the identity, add &Identity-Type and &Method-Hint attributes.
 
static int identity_req_pairs_add (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session)
 Add an Identity Request attribute to the reply.
 
static bool identity_req_set_by_user (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session)
 Sync up what identity we're requesting with attributes in the reply.
 
static int identity_to_permanent_identity (request_t *request, fr_pair_t *in, eap_type_t eap_type, bool strip_hint)
 Copy the incoming identity to the permanent identity attribute.
 
 if (!eap_session->identity)
 
 if (!fr_cond_assert(request &&mctx &&eap_aka_sim_session)) RETURN_UNLANG_FAIL
 
 if (!subtype_vp) goto fail
 
 if (type==AKA_SIM_ID_TYPE_PERMANENT)
 
static int mac_validate (request_t *request)
 Check &control.mac matches &reply.mac.
 
 MEM (pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
 
static void mod_signal (module_ctx_t const *mctx, request_t *request, UNUSED fr_signal_t action)
 Cancel a call to a submodule.
 
 RESUME (clear_pseudonym)
 Resume after 'clear pseudonym { ... }'.
 
 RESUME (clear_session)
 Resume after 'clear session { ... }'.
 
 RESUME (load_pseudonym)
 Resume after 'load pseudonym { ... }'.
 
 RESUME (load_session)
 Resume after 'load session { ... }'.
 
 RESUME (recv_aka_authentication_reject)
 Resume after 'recv Authentication-Reject { ... }'.
 
 RESUME (recv_aka_challenge_response)
 Resume after 'recv Challenge-Response { ... }'.
 
 RESUME (recv_aka_identity_response)
 Resume after 'recv Identity-Response { ... }' or 'recv AKA-Identity { ... }'.
 
 RESUME (recv_aka_synchronization_failure)
 Resume after 'recv Synchronization-Failure { ... }'.
 
 RESUME (recv_common_client_error)
 Resume after 'recv Client-Error { ... }'.
 
 RESUME (recv_common_failure_notification_ack)
 Resume after 'recv Failure-Notification-Ack { ... }'.
 
 RESUME (recv_common_identity_response)
 Resume after 'recv Identity-Response { ... }'.
 
 RESUME (recv_common_reauthentication_response)
 Resume after 'recv Reauthentication-Response { ... }'.
 
 RESUME (recv_common_success_notification_ack)
 Resume after 'recv Success-Notification-Ack { ... }'.
 
 RESUME (recv_sim_challenge_response)
 Resume after 'recv Challenge-Response { ... }'.
 
 RESUME (recv_sim_start_response)
 Resume after 'recv Identity-Response { ... }' or 'recv SIM-Start { ... }'.
 
 RESUME (send_aka_challenge_request)
 Resume after 'send Challenge-Request { ... }'.
 
 RESUME (send_aka_identity_request)
 Resume after 'send Identity-Request { ... }'.
 
 RESUME (send_common_failure_notification)
 Resume after 'send Failure-Notification { ... }'.
 
 RESUME (send_common_reauthentication_request)
 Resume after 'send Reauthentication-Request { ... }'.
 
 RESUME (send_common_success_notification)
 Resume after 'send Success-Notification { ... }'.
 
 RESUME (send_eap_failure)
 Resume after 'send EAP-Failure { ... }'.
 
 RESUME (send_eap_success)
 Resume after 'send EAP-Success { ... }'.
 
 RESUME (send_sim_challenge_request)
 Resume after 'send Challenge-Request { ... }'.
 
 RESUME (send_sim_start)
 Resume after 'send Start { ... }'.
 
 RESUME (store_pseudonym)
 Resume after 'store pseudonym { ... }'.
 
 RESUME (store_session)
 Resume after 'store session { ... }'.
 
static unlang_action_t session_and_pseudonym_clear (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request, eap_aka_sim_session_t *eap_aka_sim_session, module_method_t next)
 Implements a set of states for clearing out pseudonym and fastauth identities.
 
static unlang_action_t session_and_pseudonym_store (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request, eap_aka_sim_session_t *eap_aka_sim_session, module_method_t next)
 Implements a set of states for storing pseudonym and fastauth identities.
 
static unlang_action_t sim_challenge_request_send (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
 Called after 'store session { ... }' and 'store pseudonym { ... }'.
 
static int sim_start_nonce_mt_check (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session)
 Helper function to check for the presence and length of AT_NONCE_MT and copy its value into the keys structure.
 
static int sim_start_selected_version_check (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session)
 Helper function to check for the presence and length of AT_SELECTED_VERSION and copy its value into the keys structure.
 
 STATE_GUARD (aka_challenge)
 Enter the AKA-CHALLENGE state.
 
 STATE_GUARD (aka_identity)
 
 STATE_GUARD (common_challenge)
 Enter the SIM-CHALLENGE or AKA-CHALLENGE state.
 
 STATE_GUARD (common_failure_notification)
 Enter the FAILURE-NOTIFICATION state.
 
 STATE_GUARD (common_identity)
 Enter the SIM-START or AKA-IDENTITY state.
 
 STATE_GUARD (common_reauthentication)
 
 STATE_GUARD (common_success_notification)
 
 STATE_GUARD (eap_failure)
 Enter EAP-FAILURE state.
 
 STATE_GUARD (eap_success)
 
 STATE_GUARD (sim_challenge)
 Enter the SIM-CHALLENGE state.
 
 STATE_GUARD (sim_start)
 
 STATE_GUARD_NO_RESULT (aka_identity)
 Enter the AKA-IDENTITY state.
 
 STATE_GUARD_NO_RESULT (common_reauthentication)
 Enter the REAUTHENTICATION state.
 
 STATE_GUARD_NO_RESULT (common_success_notification)
 Enter the SUCCESS-NOTIFICATION state.
 
 STATE_GUARD_NO_RESULT (eap_success)
 Enter EAP-SUCCESS state.
 
 STATE_GUARD_NO_RESULT (sim_start)
 Enter the SIM-START state.
 
 STATE_NO_RESULT (common_success_notification)
 SUCCESS-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA|SIM)-Notification.
 
static void state_set (request_t *request, eap_aka_sim_session_t *eap_aka_sim_session, module_method_t new_state)
 Print debugging information, and write new state to eap_aka_sim_session->state.
 
 switch (subtype_vp->vp_uint16)
 

Variables

 aka_challenge
 AKA-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/AKA-Challenge.
 
 aka_identity
 AKA-IDENTITY state - Continue the state machine after receiving a response to our EAP-Request/AKA-Identity.
 
static fr_table_ptr_ordered_t const aka_sim_state_table []
 
static size_t aka_sim_state_table_len = NUM_ELEMENTS(aka_sim_state_table)
 
 common_failure_notification
 FAILURE-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA|SIM)-Notification.
 
 common_reauthentication
 REAUTHENTICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA|SIM)-Reauthenticate.
 
 common_success_notification
 
eap_aka_sim_session_t * eap_aka_sim_session = talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t)
 
 eap_failure
 FAILURE state - State machine exit point after sending EAP-Failure.
 
 eap_success
 SUCCESS state - State machine exit point after sending EAP-Success.
 
 init
 Enter the EAP-IDENTITY state.
 
eap_aka_sim_process_conf_t * inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)
 
 RETURN_UNLANG_FAIL
 
 sim_challenge
 SIM-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/SIM-Challenge.
 
 sim_start
 SIM-START state - Continue the state machine after receiving a response to our EAP-Request/SIM-Start.
 
fr_pair_t * subtype_vp = NULL
 
fr_aka_sim_id_type_t type
 
fr_pair_t * vp
 

Detailed Description

Implement a common state machine for EAP-SIM, EAP-AKA, EAP-AKA'.

Author
Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg)

Definition in file state_machine.c.

Macro Definition Documentation

◆ CALL_SECTION

#define CALL_SECTION (   _x)
Value:
request, \
inst->actions._x, \
resume_ ## _x, \
talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t))
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:48
@ FR_SIGNAL_CANCEL
Request has been cancelled.
Definition signal.h:40
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:249
eap_aka_sim_session_t * eap_aka_sim_session
static void mod_signal(module_ctx_t const *mctx, request_t *request, UNUSED fr_signal_t action)
Cancel a call to a submodule.
eap_aka_sim_process_conf_t * inst
unlang_result_t result
The result of the last unlang section we evaluated.
eap_aka_sim_actions_t actions
Pre-compiled virtual server sections.

Definition at line 74 of file state_machine.c.

◆ EAP_TLS_MPPE_KEY_LEN

#define EAP_TLS_MPPE_KEY_LEN   32

Definition at line 41 of file state_machine.c.

◆ RESUME

#define RESUME (   _x)
Value:
static inline unlang_action_t resume_ ## _x(unlang_result_t *p_result, \
module_ctx_t const *mctx, \
request_t *request)
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41

Definition at line 52 of file state_machine.c.

◆ RESUME_NO_RESULT

#define RESUME_NO_RESULT (   _x)
Value:
static inline unlang_action_t resume_ ## _x(UNUSED unlang_result_t *p_result, \
module_ctx_t const *mctx, \
request_t *request)
#define UNUSED
Definition build.h:317

Definition at line 66 of file state_machine.c.

◆ SECTION_RCODE_IGNORED

#define SECTION_RCODE_IGNORED
Value:
do { \
RWDEBUG("Ignoring rcode (%s)", \
break; \
default: \
break; \
} \
} while(0)
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
Definition interpret.h:134
fr_table_num_sorted_t const rcode_table[]
Definition rcode.c:35
#define RLM_MODULE_USER_SECTION_REJECT
Rcodes that translate to a user configurable section failing overall.
Definition rcode.h:74
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772

Warn the user that the rcode they provided is being ignored in this section.

Definition at line 151 of file state_machine.c.

◆ SECTION_RCODE_PROCESS

#define SECTION_RCODE_PROCESS
Value:
do { \
eap_aka_sim_session->failure_type = FR_NOTIFICATION_VALUE_TEMPORARILY_DENIED; \
eap_aka_sim_session->failure_type = FR_NOTIFICATION_VALUE_NOT_SUBSCRIBED; \
eap_aka_sim_session->failure_type = FR_NOTIFICATION_VALUE_GENERAL_FAILURE_AFTER_AUTHENTICATION;\
default: \
break; \
} \
} else { \
REDEBUG("Section rcode (%s) indicates we should reject the user", \
default: \
break; \
} \
} \
} while(0)
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:45
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:42
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:46
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:41
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:47
common_failure_notification
FAILURE-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request...
static bool after_authentication(eap_aka_sim_session_t *eap_aka_sim_session)
Determine if we're after authentication.
#define STATE_TRANSITION(_x)
uint16_t failure_type
One of the following values:

Trigger a state transition to FAILURE-NOTIFICATION if the section returned a failure code.

Definition at line 166 of file state_machine.c.

◆ STATE

#define STATE (   _x)
Value:
static inline unlang_action_t state_ ## _x(unlang_result_t *p_result, \
module_ctx_t const *mctx, \
request_t *request)

Definition at line 44 of file state_machine.c.

◆ STATE_GUARD

#define STATE_GUARD (   _x)
Value:
static unlang_action_t guard_ ## _x(unlang_result_t *p_result, \
module_ctx_t const *mctx, \
request_t *request)

Definition at line 48 of file state_machine.c.

◆ STATE_GUARD_NO_RESULT

#define STATE_GUARD_NO_RESULT (   _x)
Value:
static unlang_action_t guard_ ## _x(UNUSED unlang_result_t *p_result, \
module_ctx_t const *mctx, \
request_t *request)

Definition at line 61 of file state_machine.c.

◆ STATE_NO_RESULT

#define STATE_NO_RESULT (   _x)
Value:
static inline unlang_action_t state_ ## _x(UNUSED unlang_result_t *p_result, \
module_ctx_t const *mctx, \
request_t *request)

Definition at line 56 of file state_machine.c.

◆ STATE_SET

#define STATE_SET (   _new_state)    state_set(request, talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t), state_ ## _new_state)

Definition at line 216 of file state_machine.c.

◆ STATE_TRANSITION

#define STATE_TRANSITION (   _x)    guard_ ## _x(p_result, mctx, request)

Definition at line 72 of file state_machine.c.

Function Documentation

◆ _eap_aka_sim_session_free()

static int _eap_aka_sim_session_free ( eap_aka_sim_session_t eap_aka_sim_session)
static

Zero out the eap_aka_sim_session when we free it to clear knowledge of secret keys.

Parameters
[in] eap_aka_sim_session: to free.
Returns
0

Definition at line 3699 of file state_machine.c.


◆ after_authentication()

static bool after_authentication ( eap_aka_sim_session_t eap_aka_sim_session)
inline static

Determine if we're after authentication.

Definition at line 221 of file state_machine.c.


◆ aka_challenge_request_send()

static unlang_action_t aka_challenge_request_send ( unlang_result_t p_result,
module_ctx_t const *  mctx,
request_t request 
)
static

Called after 'store session { ... }' and 'store pseudonym { ... }'.

Definition at line 1070 of file state_machine.c.


◆ CALL_SECTION()

return CALL_SECTION ( recv_common_identity_response  )

◆ checkcode_validate()

static int checkcode_validate ( request_t request)
static

Check &control.checkcode matches &reply.checkcode.

Parameters
[in] request: The current request.
Returns
  • 1 if the check was skipped.
  • 0 if the check was successful.
  • -1 if the check failed.

Definition at line 546 of file state_machine.c.


◆ client_error_debug()

static void client_error_debug ( request_t request)
inline static

Print out the error the client returned.

Definition at line 229 of file state_machine.c.


◆ common_crypto_export()

static void common_crypto_export ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session,
uint8_t const *  hmac_extra_request,
size_t  hmac_extra_request_len,
uint8_t const *  hmac_extra_response,
size_t  hmac_extra_response_len 
)
static

Definition at line 989 of file state_machine.c.


◆ common_reauthentication_request_compose()

static unlang_action_t common_reauthentication_request_compose ( unlang_result_t p_result,
module_ctx_t const *  mctx,
request_t request,
eap_aka_sim_session_t eap_aka_sim_session 
)
static

Send an EAP-Request/(AKA|SIM)-Reauthenticate message to the supplicant.

Definition at line 1803 of file state_machine.c.


◆ common_reauthentication_request_send()

static unlang_action_t common_reauthentication_request_send ( unlang_result_t p_result,
module_ctx_t const *  mctx,
request_t request 
)
static

Called after 'store session { ... }' and 'store pseudonym { ... }'.

Definition at line 1026 of file state_machine.c.


◆ common_reply()

static void common_reply ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session,
uint16_t  subtype 
)
static

Export EAP-SIM/AKA['] attributes.

Makes any internal data available as attributes in the response. This allows test frameworks and the encoder to access any data they need without needing to look at the eap_aka_session_t.

Definition at line 967 of file state_machine.c.


◆ crypto_identity_set() [1/2]

crypto_identity_set ( request  ,
eap_aka_sim_session  ,
(uint8_t const *) eap_session->  identity,
talloc_array_length(eap_session->identity) -  1 
)

◆ crypto_identity_set() [2/2]

static void crypto_identity_set ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session,
uint8_t const *  identity,
size_t  len 
)
static

Set the crypto identity from a received identity.

Definition at line 633 of file state_machine.c.


◆ eap_aka_sim_state_machine_process()

unlang_action_t eap_aka_sim_state_machine_process ( unlang_result_t p_result,
module_ctx_t const *  mctx,
request_t request 
)

Resumes the state machine when receiving a new response packet.

Definition at line 3708 of file state_machine.c.


◆ fr_assert()

fr_assert ( )

◆ fr_pair_value_bstrdup_buffer()

fr_pair_value_bstrdup_buffer ( vp  ,
eap_session->  identity,
true   
)

◆ identity_hint_pairs_add()

static void identity_hint_pairs_add ( fr_aka_sim_id_type_t type_p,
fr_aka_sim_method_hint_t method_p,
request_t request,
char const *  identity 
)
static

Based on the hint byte in the identity, add &Identity-Type and &Method-Hint attributes.

Definition at line 279 of file state_machine.c.


◆ identity_req_pairs_add()

static int identity_req_pairs_add ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session 
)
static

Add an Identity Request attribute to the reply.

Verify the progression of identity requests is valid.

Parameters
[in] request: The current request.
[in] eap_aka_sim_session: The current eap_aka_sim_session.
Returns
  • 0 on success.
  • -1 on failure (progression of identities was not valid).

Definition at line 361 of file state_machine.c.


◆ identity_req_set_by_user()

static bool identity_req_set_by_user ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session 
)
static

Sync up what identity we're requesting with attributes in the reply.

Definition at line 244 of file state_machine.c.


◆ identity_to_permanent_identity()

static int identity_to_permanent_identity ( request_t request,
fr_pair_t in,
eap_type_t  eap_type,
bool  strip_hint 
)
static

Copy the incoming identity to the permanent identity attribute.

If the incoming ID really looks like a permanent ID, and we were told it was a permanent ID, then (optionally) trim the first byte to form the real permanent ID.

Otherwise copy the entire incoming Identity to the &session-state.Permanent-Identity attribute.

Parameters
[in] request: The current request.
[in] in: current identity.
[in] eap_type: The current eap_type.
[in] strip_hint: Whether to strip the hint byte off the permanent identity

Definition at line 456 of file state_machine.c.


◆ if() [1/4]

if ( !eap_session->  identity)

Definition at line 3661 of file state_machine.c.

◆ if() [2/4]

if ( !fr_cond_assert(request && mctx && eap_aka_sim_session) )

◆ if() [3/4]

if ( subtype_vp)

Definition at line 1758 of file state_machine.c.

◆ if() [4/4]

Definition at line 3678 of file state_machine.c.


◆ mac_validate()

static int mac_validate ( request_t request)
static

Check &control.mac matches &reply.mac.

Parameters
[in] request: The current request.
Returns
  • 0 if the check was successful.
  • -1 if the check failed.

Definition at line 591 of file state_machine.c.


◆ MEM()

◆ mod_signal()

static void mod_signal ( module_ctx_t const *  mctx,
request_t request,
UNUSED fr_signal_t  action 
)
static

Cancel a call to a submodule.

Parameters
[in] mctx: UNUSED.
[in] request: The current request.
[in] action: to perform.

Definition at line 135 of file state_machine.c.


◆ RESUME() [1/26]

RESUME ( clear_pseudonym  )

Resume after 'clear pseudonym { ... }'.

Definition at line 893 of file state_machine.c.


◆ RESUME() [2/26]

RESUME ( clear_session  )

Resume after 'clear session { ... }'.

Definition at line 881 of file state_machine.c.

◆ RESUME() [3/26]

RESUME ( load_pseudonym  )

Resume after 'load pseudonym { ... }'.

Definition at line 1990 of file state_machine.c.


◆ RESUME() [4/26]

RESUME ( load_session  )

Resume after 'load session { ... }'.

Definition at line 2052 of file state_machine.c.


◆ RESUME() [5/26]

RESUME ( recv_aka_authentication_reject  )

Resume after 'recv Authentication-Reject { ... }'.

  • Enter the FAILURE-NOTIFICATION state.

Definition at line 2193 of file state_machine.c.

◆ RESUME() [6/26]

RESUME ( recv_aka_challenge_response  )

Resume after 'recv Challenge-Response { ... }'.

  • If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
  • ...or call a function to process the contents of the AKA-Challenge message.

Verify that MAC, and RES match what we expect.

Definition at line 2212 of file state_machine.c.


◆ RESUME() [7/26]

RESUME ( recv_aka_identity_response  )

Resume after 'recv Identity-Response { ... }' or 'recv AKA-Identity { ... }'.

  • If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
  • ...or call a function to process the contents of the AKA-Identity message, mainly the AT_IDENTITY value.
  • If the message does not contain AT_IDENTITY, then enter the FAILURE-NOTIFICATION state.
  • If the user requested another identity, re-enter the AKA-Identity state.
  • ...or continue based on the value of &Identity-Type which was added by aka_identity, and possibly modified by the user.
    • Fastauth - Enter the REAUTHENTICATION state.
    • Pseudonym - Call 'load pseudonym { ... }'
    • Permanent - Enter the CHALLENGE state.

Definition at line 2827 of file state_machine.c.


◆ RESUME() [8/26]

RESUME ( recv_aka_synchronization_failure  )

Resume after 'recv Synchronization-Failure { ... }'.

  • If 'recv Synchronization-Failure { ... }' returned a failure rcode, enter the FAILURE-NOTIFICATION state.
  • ...or if no 'recv Synchronization-Failure { ... }' section was defined, then enter the FAILURE-NOTIFICATION state.
  • ...or if the user didn't provide a new SQN value in &control.SQN then enter the FAILURE-NOTIFICATION state.
  • ...or enter the AKA-CHALLENGE state.

Definition at line 2147 of file state_machine.c.


◆ RESUME() [9/26]

RESUME ( recv_common_client_error  )

Resume after 'recv Client-Error { ... }'.

  • Enter the EAP-FAILURE state.

Definition at line 1669 of file state_machine.c.

◆ RESUME() [10/26]

RESUME ( recv_common_failure_notification_ack  )

Resume after 'recv Failure-Notification-Ack { ... }'.

  • Enter the EAP-FAILURE state.

Definition at line 1283 of file state_machine.c.

◆ RESUME() [11/26]

RESUME ( recv_common_identity_response  )

Resume after 'recv Identity-Response { ... }'.

  • Perform the majority of eap_aka_sim_session_t initialisation.
  • If 'recv Identity-Response { ... }' returned a failure rcode, enter the FAILURE-NOTIFICATION state.
  • ...or continue based on the identity hint byte in the AT_IDENTITY value or EAP-Identity-Response value:
    • If identity is a pseudonym, call load pseudonym { ... }.
    • If identity is a fastauth identity, enter the REAUTHENTICATE state.
    • If identity is a permanent identity, enter the CHALLENGE state.

Definition at line 3481 of file state_machine.c.


◆ RESUME() [12/26]

RESUME ( recv_common_reauthentication_response  )

Resume after 'recv Reauthentication-Response { ... }'.

  • If 'recv Reauthentication-Response { ... }' returned a failure rcode, enter the FAILURE-NOTIFICATION state.
  • ...or call the EAP-Request/Reauthentication-Response function to act on the contents of the response.

Definition at line 1685 of file state_machine.c.


◆ RESUME() [13/26]

RESUME ( recv_common_success_notification_ack  )

Resume after 'recv Success-Notification-Ack { ... }'.

  • Enter the EAP-SUCCESS state.

Definition at line 1558 of file state_machine.c.

◆ RESUME() [14/26]

RESUME ( recv_sim_challenge_response  )

Resume after 'recv Challenge-Response { ... }'.

  • If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
  • ...or call a function to process the contents of the SIM-Challenge message.

Verify that MAC, and RES match what we expect.

Definition at line 2589 of file state_machine.c.


◆ RESUME() [15/26]

RESUME ( recv_sim_start_response  )

Resume after 'recv Identity-Response { ... }' or 'recv SIM-Start { ... }'.

  • If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
  • ...or call a function to process the contents of the SIM-Start message, mainly the AT_IDENTITY value.
  • If the message does not contain AT_IDENTITY, then enter the FAILURE-NOTIFICATION state.
  • If the user requested another identity, re-enter the SIM-START state.
  • ...or continue based on the value of &Identity-Type which was added by sim_start, and possibly modified by the user.
    • Fastauth
      • If AT_NONCE_MT or AT_SELECTED_VERSION are present, enter the FAILURE-NOTIFICATION state.
      • ...or enter the REAUTHENTICATION state.
    • Pseudonym - Verify selected version and AT_NONCE_MT, then call 'load pseudonym { ... }'
    • Permanent - Verify selected version and AT_NONCE_MT, then enter the CHALLENGE state.

Definition at line 3096 of file state_machine.c.


◆ RESUME() [16/26]

RESUME ( send_aka_challenge_request  )

Resume after 'send Challenge-Request { ... }'.

Definition at line 2380 of file state_machine.c.


◆ RESUME() [17/26]

RESUME ( send_aka_identity_request  )

Resume after 'send Identity-Request { ... }'.

There are three types of user identities that can be implemented

  • Permanent identities such as 0123456789098765@myoperator.com. Permanent identities can be identified by the leading zero followed by 15 digits (the IMSI number).
  • Ephemeral identities (pseudonyms). These are identities assigned for identity privacy so the user can't be tracked. These identities can either be generated as per the 3GPP 'Security aspects of non-3GPP accesses' document section 14, where a set of up to 16 encryption keys are used to reversibly encrypt the IMSI. Alternatively the pseudonym can be completely randomised and stored in a datastore.
  • A fast resumption ID which resolves to data used for fast resumption.

In order to perform full authentication the original IMSI is required for forwarding to the HLR. In the case where we can't match/decrypt the pseudonym, or can't perform fast resumption, we need to request the full identity from the supplicant.

Definition at line 3019 of file state_machine.c.


◆ RESUME() [18/26]

RESUME ( send_common_failure_notification  )

Resume after 'send Failure-Notification { ... }'.

Ignores return code from send Failure-Notification { ... } section.

Definition at line 1326 of file state_machine.c.


◆ RESUME() [19/26]

RESUME ( send_common_reauthentication_request  )

Resume after 'send Reauthentication-Request { ... }'.

Definition at line 1932 of file state_machine.c.


◆ RESUME() [20/26]

RESUME ( send_common_success_notification  )

Resume after 'send Success-Notification { ... }'.

Definition at line 1596 of file state_machine.c.


◆ RESUME() [21/26]

RESUME ( send_eap_failure  )

Resume after 'send EAP-Failure { ... }'.

Definition at line 1238 of file state_machine.c.

◆ RESUME() [22/26]

RESUME ( send_eap_success  )

Resume after 'send EAP-Success { ... }'.

Add MPPE keys to the request being sent to the supplicant

The only work to be done is to add the appropriate SEND/RECV attributes derived from the MSK.

Definition at line 1492 of file state_machine.c.


◆ RESUME() [23/26]

RESUME ( send_sim_challenge_request  )

Resume after 'send Challenge-Request { ... }'.

Definition at line 2679 of file state_machine.c.


◆ RESUME() [24/26]

RESUME ( send_sim_start  )

Resume after 'send Start { ... }'.

Send a EAP-Request/SIM-Start message to the supplicant

There are three types of user identities that can be implemented

  • Permanent identities such as 0123456789098765@myoperator.com. Permanent identities can be identified by the leading zero followed by 15 digits (the IMSI number).
  • Ephemeral identities (pseudonyms). These are identities assigned for identity privacy so the user can't be tracked. These identities can either be generated as per the 3GPP 'Security aspects of non-3GPP accesses' document section 14, where a set of up to 16 encryption keys are used to reversibly encrypt the IMSI. Alternatively the pseudonym can be completely randomised and stored in a datastore.
  • A fast resumption ID which resolves to data used for fast resumption.

In order to perform full authentication the original IMSI is required for forwarding to the HLR. In the case where we can't match/decrypt the pseudonym, or can't perform fast resumption, we need to request the full identity from the supplicant.

Definition at line 3358 of file state_machine.c.


◆ RESUME() [25/26]

RESUME ( store_pseudonym  )

Resume after 'store pseudonym { ... }'.

Stores session data if required.

Definition at line 672 of file state_machine.c.


◆ RESUME() [26/26]

RESUME ( store_session  )

Resume after 'store session { ... }'.

Definition at line 647 of file state_machine.c.

◆ session_and_pseudonym_clear()

static unlang_action_t session_and_pseudonym_clear ( unlang_result_t p_result,
module_ctx_t const *  mctx,
request_t request,
eap_aka_sim_session_t eap_aka_sim_session,
module_method_t  next 
)
static

Implements a set of states for clearing out pseudonym and fastauth identities.

If either a Challenge round or a Reauthentication round fails, we need to clear any identities that were provided during that round, as the supplicant will have discarded them.

Parameters
[out]p_resultResult of calling the module.
[in]mctxmodule calling ctx.
[in]requestthe current request.
[in]eap_aka_sim_sessionthe current EAP session
[in]nextfunction to call after clearing sessions and pseudonyms.

Definition at line 932 of file state_machine.c.


◆ session_and_pseudonym_store()

static unlang_action_t session_and_pseudonym_store ( unlang_result_t p_result,
module_ctx_t const *  mctx,
request_t request,
eap_aka_sim_session_t eap_aka_sim_session,
module_method_t  next 
)
static

Implements a set of states for storing pseudonym and fastauth identities.

At the end of challenge or reauthentication rounds, the user may have specified a pseudonym and fastauth identity to return to the supplicant.

Call the appropriate sections to persist those values.

Parameters
[out]p_resultResult of calling the module.
[in]mctxModule calling ctx.
[in]requestthe current request.
[in]eap_aka_sim_sessionthe EAP session
[in]nextfunction to call after storing sessions and pseudonyms.

Definition at line 816 of file state_machine.c.


◆ sim_challenge_request_send()

static unlang_action_t sim_challenge_request_send ( unlang_result_t p_result,
module_ctx_t const *  mctx,
request_t request 
)
static

Called after 'store session { ... }' and 'store pseudonym { ... }'.

Definition at line 1100 of file state_machine.c.


◆ sim_start_nonce_mt_check()

static int sim_start_nonce_mt_check ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session 
)
static

Helper function to check for the presence and length of AT_NONCE_MT and copy its value into the keys structure.

This helper only checks that AT_NONCE_MT is present and has the expected length; it does not perform cryptographic validation of AT_NONCE_MT, which is done later.

Definition at line 1196 of file state_machine.c.


◆ sim_start_selected_version_check()

static int sim_start_selected_version_check ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session 
)
static

Helper function to check for the presence and length of AT_SELECTED_VERSION and copy its value into the keys structure.

Also checks the version matches one of the ones we advertised in our version list, which is a bit redundant seeing as there's only one version of EAP-SIM.

Definition at line 1143 of file state_machine.c.


◆ STATE_GUARD() [1/11]

STATE_GUARD ( aka_challenge  )

Enter the AKA-CHALLENGE state.

Definition at line 2519 of file state_machine.c.


◆ STATE_GUARD() [2/11]

STATE_GUARD ( aka_identity  )

◆ STATE_GUARD() [3/11]

STATE_GUARD ( common_challenge  )

Enter the SIM-CHALLENGE or AKA-CHALLENGE state.

Called by functions which are common to both the EAP-SIM and EAP-AKA state machines to enter the correct challenge state.

Definition at line 2795 of file state_machine.c.

◆ STATE_GUARD() [4/11]

STATE_GUARD ( common_failure_notification  )

Enter the FAILURE-NOTIFICATION state.

Definition at line 1436 of file state_machine.c.


◆ STATE_GUARD() [5/11]

STATE_GUARD ( common_identity  )

Enter the SIM-START or AKA-IDENTITY state.

Called by functions which are common to both the EAP-SIM and EAP-AKA state machines to enter the correct Identity-Request state.

Definition at line 3452 of file state_machine.c.

◆ STATE_GUARD() [6/11]

STATE_GUARD ( common_reauthentication  )

◆ STATE_GUARD() [7/11]

STATE_GUARD ( common_success_notification  )

◆ STATE_GUARD() [8/11]

STATE_GUARD ( eap_failure  )

Enter EAP-FAILURE state.

Definition at line 1254 of file state_machine.c.


◆ STATE_GUARD() [9/11]

STATE_GUARD ( eap_success  )

◆ STATE_GUARD() [10/11]

STATE_GUARD ( sim_challenge  )

Enter the SIM-CHALLENGE state.

Definition at line 2759 of file state_machine.c.


◆ STATE_GUARD() [11/11]

STATE_GUARD ( sim_start  )

◆ STATE_GUARD_NO_RESULT() [1/5]

STATE_GUARD_NO_RESULT ( aka_identity  )

Enter the AKA-IDENTITY state.

Definition at line 3058 of file state_machine.c.


◆ STATE_GUARD_NO_RESULT() [2/5]

STATE_GUARD_NO_RESULT ( common_reauthentication  )

Enter the REAUTHENTICATION state.

Definition at line 2118 of file state_machine.c.


◆ STATE_GUARD_NO_RESULT() [3/5]

STATE_GUARD_NO_RESULT ( common_success_notification  )

Enter the SUCCESS-NOTIFICATION state.

Definition at line 1655 of file state_machine.c.

◆ STATE_GUARD_NO_RESULT() [4/5]

STATE_GUARD_NO_RESULT ( eap_success  )

Enter EAP-SUCCESS state.

Definition at line 1544 of file state_machine.c.

◆ STATE_GUARD_NO_RESULT() [5/5]

STATE_GUARD_NO_RESULT ( sim_start  )

Enter the SIM-START state.

Definition at line 3428 of file state_machine.c.


◆ STATE_NO_RESULT()

STATE_NO_RESULT ( common_success_notification  )

SUCCESS-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA|SIM)-Notification.

  • Call 'recv Success-Notification-Ack { ... }'

Definition at line 1576 of file state_machine.c.

◆ state_set()

static void state_set ( request_t request,
eap_aka_sim_session_t eap_aka_sim_session,
module_method_t  new_state 
)
inlinestatic

Print debugging information, and write new state to eap_aka_sim_session->state.

Definition at line 199 of file state_machine.c.

◆ switch()

switch ( subtype_vp->  vp_uint16)

Definition at line 1310 of file state_machine.c.

Variable Documentation

◆ aka_challenge

aka_challenge
Initial value:

AKA-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/SIM-Challenge.

  • Continue based on received AT_SUBTYPE value:
    • EAP-Response/AKA-Challenge - call 'recv Challenge-Response { ... }'.
    • EAP-Response/AKA-Authentication-Reject - call 'recv Authentication-Reject { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
    • EAP-Response/AKA-Synchronization-Failure - call 'recv Synchronization-Failure { ... }'.
    • EAP-Response/AKA-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/AKA-Notification indicating a General Failure.
    • Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 97 of file state_machine.c.

◆ aka_identity

aka_identity
Initial value:
{
eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

AKA-IDENTITY state - Continue the state machine after receiving a response to our EAP-Request/AKA-Identity.

  • Continue based on received AT_SUBTYPE value:
    • EAP-Response/AKA-Identity - call either 'recv Identity-Response { ... }' or if provided 'recv AKA-Identity-Response { ... }'. The idea here is that the EAP-Identity-Response is really the first round in identity negotiation and there's no real value distinguishing between the first round and subsequent rounds, but if users do want to run different logic, then give them a way of doing that.
    • EAP-Response/AKA-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
    • Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 102 of file state_machine.c.

◆ aka_sim_state_table

fr_table_ptr_ordered_t const aka_sim_state_table[]
static
Initial value:
= {
{ L("INIT"), NULL },
{ L("EAP-IDENTITY"), (void *)state_init },
{ L("SIM-START"), (void *)state_sim_start },
{ L("AKA-IDENTITY"), (void *)state_aka_identity },
{ L("SIM-CHALLENGE"), (void *)state_sim_challenge },
{ L("AKA-CHALLENGE"), (void *)state_aka_challenge },
{ L("SUCCESS-NOTIFICATION"), (void *)state_common_success_notification },
{ L("FAILURE-NOTIFICATION"), (void *)state_common_failure_notification },
{ L("REAUTHENTICATION"), (void *)state_common_reauthentication },
{ L("EAP-SUCCESS"), (void *)state_eap_success },
{ L("EAP-FAILURE"), (void *)state_eap_failure }
}
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209

Definition at line 109 of file state_machine.c.

◆ aka_sim_state_table_len

size_t aka_sim_state_table_len = NUM_ELEMENTS(aka_sim_state_table)
static

Definition at line 127 of file state_machine.c.

◆ common_failure_notification

common_failure_notification
Initial value:
{
eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

FAILURE-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA|SIM)-Notification.

  • Continue based on received AT_SUBTYPE value:
    • EAP-Response/SIM-Client-Error - Call 'recv Failure-Notification-Ack { ... }'
    • Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 89 of file state_machine.c.

◆ common_reauthentication

common_reauthentication
Initial value:
{
eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

REAUTHENTICATION state - Continue the state machine after receiving a response to our EAP-Request/SIM-Start.

  • Continue based on received AT_SUBTYPE value:
    • EAP-Response/(SIM|AKA)-Reauthentication - call 'recv Reauthentication-Response { ... }'
    • EAP-Response/(SIM|AKA)-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/(SIM|AKA)-Notification indicating a General Failure.
    • Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 95 of file state_machine.c.

◆ common_success_notification

common_success_notification

Definition at line 93 of file state_machine.c.

◆ eap_aka_sim_session

eap_aka_sim_session_t * eap_aka_sim_session = talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t)

Definition at line 1304 of file state_machine.c.

◆ eap_failure

eap_failure
Initial value:
{
if (!fr_cond_assert(request && mctx && mctx->rctx)) RETURN_UNLANG_FAIL
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:139
RETURN_UNLANG_FAIL

FAILURE state - State machine exit point after sending EAP-Failure.

Should never actually be called. It is just a placeholder function to represent the FAILURE termination state. It could equally be a NULL pointer, but then on a logic error we'd get a SEGV instead of a more friendly assert/failure rcode.

Definition at line 87 of file state_machine.c.

◆ eap_success

eap_success
Initial value:
{
eap_aka_sim_session_t *eap_aka_sim_session = talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t)

SUCCESS state - State machine exit point after sending EAP-Success.

Should never actually be called. It is just a placeholder function to represent the SUCCESS termination state. It could equally be a NULL pointer, but then on a logic error we'd get a SEGV instead of a more friendly assert/failure rcode.

Definition at line 91 of file state_machine.c.

◆ init

init
Initial value:
{
eap_session_t *eap_session = eap_session_get(request->parent)
static eap_session_t * eap_session_get(request_t *request)
Definition session.h:83
Tracks the progress of a single session of any EAP method.
Definition session.h:41

Enter the EAP-IDENTITY state.

  • Process the incoming EAP-Identity-Response
  • Start EAP-SIM/EAP-AKA/EAP-AKA' state machine optionally calling 'recv Identity-Response { ... }'

Definition at line 107 of file state_machine.c.

◆ inst

eap_aka_sim_process_conf_t* inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

Definition at line 3651 of file state_machine.c.

◆ RETURN_UNLANG_FAIL

RETURN_UNLANG_FAIL

Definition at line 1232 of file state_machine.c.

◆ sim_challenge

sim_challenge
Initial value:
{
eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

SIM-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/SIM-Challenge.

  • Continue based on received AT_SUBTYPE value:
    • EAP-Response/SIM-Challenge - call 'recv Challenge-Response { ... }'.
    • EAP-Response/SIM-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
    • Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 99 of file state_machine.c.

◆ sim_start

sim_start
Initial value:
{
eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

SIM-START state - Continue the state machine after receiving a response to our EAP-Request/SIM-Start.

  • Continue based on received AT_SUBTYPE value:
    • EAP-Response/SIM-Start - call either 'recv Identity-Response { ... }' or if provided 'recv SIM-Start-Response { ... }'. The idea here is that the EAP-Identity-Response is really the first round in identity negotiation and there's no real value distinguishing between the first round and subsequent rounds, but if users do want to run different logic, then give them a way of doing that.
    • EAP-Response/SIM-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
    • Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 104 of file state_machine.c.

◆ subtype_vp

fr_pair_t * subtype_vp = NULL

Definition at line 1305 of file state_machine.c.

◆ type

Definition at line 3654 of file state_machine.c.

◆ vp

fr_pair_t * vp

Definition at line 2293 of file state_machine.c.