Starting EAP sequence

Michel Verhagen mike at
Tue Mar 30 05:04:23 BST 2021

We are running into an issue where calling eapol_sm_init results in a 
write to a null pointer in dl_list_add:

    static inline void dl_list_add(struct dl_list *list, struct dl_list
         item->next = list->next;
         item->prev = list;
         list->next->prev = item;
         list->next = item;

item->next is null in the above when called from function 
eloop_register_timeout through macro dl_list_for_each in line 273:

         /* Maintain timeouts in order of increasing time */
         dl_list_for_each(tmp, &eloop.timeout, struct eloop_timeout, list) {
             if (os_reltime_before(&timeout->time, &tmp->time)) {
                 dl_list_add(tmp->list.prev, &timeout->list);
                 return 0;

    #define dl_list_for_each(item, list, type, member) \
         for (item = dl_list_entry((list)->next, type, member); \
              &item->member != (list); \
              item = dl_list_entry(item->, type, member))

So, the code is:

    for (tmp = dl_list_entry((&loop.timeout)->next, struct
    eloop_timeout, list); \
              &tmp->list != (&loop.timeout); \
              tmp = dl_list_entry(tmp->, struct eloop_timeout,

And is NULL.

We are implementing EAPOL authentication using the hostap eap library 
and eapol state machine code. We only need EAPOL over wired LAN, so no 
WPA or WPS needed. Our initialization looks like this:

             if (ERROR_SUCCESS != EAPRegisterMethods())

             os_memset(&_eap_ctx, 0, sizeof(_eap_ctx));

             _eap_ctx.eap_config.identity = (u8 *)os_strdup("Identity");
             _eap_ctx.eap_config.identity_len = strlen((const
             _eap_ctx.eap_config.password = (u8 *)os_strdup("password");
             _eap_ctx.eap_config.password_len = strlen((const
             _eap_ctx.eap_config.ca_cert = os_strdup("\\Windows\\ca.pem");
             //_eap_ctx.eap_config.ca_path = os_strdup("\\Windows");
             _eap_ctx.eap_config.fragment_size = 1398;

             os_memset(&_eap_cb, 0, sizeof(_eap_cb));
             _eap_cb.get_config = peer_get_config;
             _eap_cb.get_bool = (Boolean(__cdecl *)(void *,
             _eap_cb.set_bool = (void(__cdecl *)(void *, eapol_bool_var,
             _eap_cb.get_int = peer_get_int;
             _eap_cb.set_int = peer_set_int;
             _eap_cb.get_eapReqData = peer_get_eapReqData;
             _eap_cb.set_config_blob = peer_set_config_blob;
             _eap_cb.get_config_blob = peer_get_config_blob;
             _eap_cb.notify_pending = peer_notify_pending;

             os_memset(&_eap_conf, 0, sizeof(_eap_conf));
             _eap_ctx.eap = eap_peer_sm_init(&_eap_ctx, &_eap_cb,
    &_eap_ctx, &_eap_conf);
             if (_eap_ctx.eap == NULL)

             /* Enable "port" to allow authentication */
             _eap_ctx.portEnabled = true;

             os_memset(&_eapol_ctx, 0, sizeof(_eapol_ctx));
             _eapol_ctx.ctx = this;                  // This can be
    pointing to any structure we define as context
             _eapol_ctx.preauth = 0;                 // Not using IEEE
    802.11i/RSN pre-authentication
             _eapol_ctx.cb = NULL;                   // Not using IEEE
    802.11i/RSN pre-authentication, so no need for this callback
             _eapol_ctx.cb_ctx = NULL;               // Not using IEEE
    802.11i/RSN pre-authentication, so no need for context
             _eapol_ctx.msg_ctx = this;              // Callback context
    for wpa_msg() calls
             _eapol_ctx.scard_ctx = NULL;            // Callback context
    for PC/SC scard_*() function calls
             _eapol_ctx.eapol_send_ctx = this;       // Callback context
    for eapol_send() calls
             _eapol_ctx.eapol_done_cb = eapol_done_cb;
             _eapol_ctx.eapol_send = eapol_send;
             _eapol_ctx.set_wep_key = NULL;          // Not using WEP
             _eapol_ctx.set_config_blob = NULL;
             _eapol_ctx.get_config_blob = NULL;
             _eapol_ctx.aborted_cached = NULL;

             _eapol_ctx.opensc_engine_path = NULL;   // No idea what to
    set here
             _eapol_ctx.pkcs11_engine_path = NULL;   // No idea what to
    set here
             _eapol_ctx.pkcs11_module_path = NULL;   // No idea what to
    set here
             _eapol_ctx.openssl_ciphers = NULL;      // No idea what to
    set here

             _eapol_ctx.wps = NULL;                  // Not using WPS

             _eapol_ctx.eap_param_needed = NULL;     // Not using WEP

             _eapol_ctx.port_cb = port_cb;
             _eapol_ctx.cert_cb = cert_cb;
             _eapol_ctx.cert_in_cb = 1;
             _eapol_ctx.status_cb = status_cb;
             _eapol_ctx.eap_error_cb = eap_error_cb;

             _eapol_ctx.set_anon_id = NULL;          // Not sure this is
             _eapol_ctx.confirm_auth_cb = NULL;      // Not sure this is

             _peapol_sm = eapol_sm_init(&_eapol_ctx);
             if (!_peapol_sm)

             os_memset(&_eapol_conf, 0, sizeof(_eapol_conf));
             _eapol_conf.accept_802_1x_keys = 0;
             _eapol_conf.required_keys = 0;          //
             _eapol_conf.fast_reauth = 1;
             _eapol_conf.workaround = 0;
             _eapol_conf.eap_disabled = 0;
             _eapol_conf.external_sim = 0;
             _eapol_conf.wps = 0;
             eapol_sm_notify_config(_peapol_sm, &_eap_ctx.eap_config,

    eapol_sm_notify_portValid(_peapol_sm, false);
    eapol_sm_notify_portEnabled(_peapol_sm, true);

As you can see, not everything is clear so I'm probably just missing 
something. In the above code we don't get past the call to 
eapol_sm_init. Hope somebody can shed some light or point me in the 
right direction...

Many thanks in advance!


Michel Verhagen

On 12/03/2021 10:10, Michel Verhagen wrote:
> Thanks Alan!
> That does make sense indeed. I'll try to use eapol_supp for better 
> handling of the EAPOL layer on top of EAP. I hope this code can be 
> used with just the code I ported for the EAP library to compile.
> Is there any documentation explaining what all the context parameters 
> do (see test_eapol function in eapol_test.c), which are required and 
> for which functionality etc? All I need is to implement an EAPOL 
> client with certificates, so no WPA/WEP or any of the wireless stuff.
> I'll come back with more questions probably, thanks for pointing me in 
> the right direction!
> On 12/03/2021 01:23, Alan DeKok wrote:
>> On Mar 10, 2021, at 11:56 PM, Michel Verhagen <mike at> wrote:
>>> I'm using the EAP library to implement EAPOL on an embedded device. 
>>> Got it to go, with EAP-MD5 and EAP-TTLS and certificates, so all 
>>> good. However, I'm trying to get the library to prepare me an EAPOL 
>>> START packet. I'd like to initiate the start of the EAP handshake, 
>>> because depending on the settings of the authenticator, it can take 
>>> a long time before the EAP handshake sequence is initiated.
>>    I haven't used the library myself, but the problem, here is likely 
>> layering.
>>    i.e. you're using an EAP library.  EAP runs on EAPoL, PPP, PANA, 
>> RADIUS, Diameter, ..., where the library just does EAP.
>>    EAPoL is managed by the IEEE 802.1X state machine.  Which uses 
>> EAP, but isn't part of the EAP library.
>>> I thought setting _eap_ctx.eapRestart to 1 (true) or even 
>>> eapTriggerStart to 1 and calling eap_peer_step would get me the 
>>> packet data to send, but I can't see eapTriggerStart used anywhere 
>>> in the code.
>>    See src/eapol_supp/eapol_supp_sm.c, which runs the EAPoL 
>> supplicant state machine.  It checks eapTriggerStart, and ends up 
>> calling eapol_sm_txStart().
>>> Does anybody know how to get the EAP library to prepare an EAP Start 
>>> packet?
>>    You can't.  EAP isn't the same as the Ethernet layer EAPoL state 
>> machine.
>>> I can of course prepare and send that packet myself, but it looks 
>>> like the EAP library should be able to do this as well...
>>    No.  The EAP library does EAP.  The 802.1X / supplicant state 
>> machine does Ethernet, and EAPoL.
>>    Alan DeKok.
> _______________________________________________
> Hostap mailing list
> Hostap at

More information about the Hostap mailing list