1 /*
2  * EAP peer state machine functions (RFC 4137)
3  * Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef EAP_H
10 #define EAP_H
11 
12 #include "common/defs.h"
13 #include "eap_common/eap_defs.h"
14 #include "eap_peer/eap_methods.h"
15 
16 struct eap_sm;
17 struct wpa_config_blob;
18 struct wpabuf;
19 struct tls_cert_data;
20 
21 struct eap_method_type {
22 	int vendor;
23 	u32 method;
24 };
25 
26 #ifdef IEEE8021X_EAPOL
27 
28 /**
29  * enum eapol_bool_var - EAPOL boolean state variables for EAP state machine
30  *
31  * These variables are used in the interface between EAP peer state machine and
32  * lower layer. These are defined in RFC 4137, Sect. 4.1. Lower layer code is
33  * expected to maintain these variables and register a callback functions for
34  * EAP state machine to get and set the variables.
35  */
36 enum eapol_bool_var {
37 	/**
38 	 * EAPOL_eapSuccess - EAP SUCCESS state reached
39 	 *
40 	 * EAP state machine reads and writes this value.
41 	 */
42 	EAPOL_eapSuccess,
43 
44 	/**
45 	 * EAPOL_eapRestart - Lower layer request to restart authentication
46 	 *
47 	 * Set to true in lower layer, false in EAP state machine.
48 	 */
49 	EAPOL_eapRestart,
50 
51 	/**
52 	 * EAPOL_eapFail - EAP FAILURE state reached
53 	 *
54 	 * EAP state machine writes this value.
55 	 */
56 	EAPOL_eapFail,
57 
58 	/**
59 	 * EAPOL_eapResp - Response to send
60 	 *
61 	 * Set to true in EAP state machine, false in lower layer.
62 	 */
63 	EAPOL_eapResp,
64 
65 	/**
66 	 * EAPOL_eapNoResp - Request has been process; no response to send
67 	 *
68 	 * Set to true in EAP state machine, false in lower layer.
69 	 */
70 	EAPOL_eapNoResp,
71 
72 	/**
73 	 * EAPOL_eapReq - EAP request available from lower layer
74 	 *
75 	 * Set to true in lower layer, false in EAP state machine.
76 	 */
77 	EAPOL_eapReq,
78 
79 	/**
80 	 * EAPOL_portEnabled - Lower layer is ready for communication
81 	 *
82 	 * EAP state machines reads this value.
83 	 */
84 	EAPOL_portEnabled,
85 
86 	/**
87 	 * EAPOL_altAccept - Alternate indication of success (RFC3748)
88 	 *
89 	 * EAP state machines reads this value.
90 	 */
91 	EAPOL_altAccept,
92 
93 	/**
94 	 * EAPOL_altReject - Alternate indication of failure (RFC3748)
95 	 *
96 	 * EAP state machines reads this value.
97 	 */
98 	EAPOL_altReject,
99 
100 	/**
101 	 * EAPOL_eapTriggerStart - EAP-based trigger to send EAPOL-Start
102 	 *
103 	 * EAP state machine writes this value.
104 	 */
105 	EAPOL_eapTriggerStart
106 };
107 
108 /**
109  * enum eapol_int_var - EAPOL integer state variables for EAP state machine
110  *
111  * These variables are used in the interface between EAP peer state machine and
112  * lower layer. These are defined in RFC 4137, Sect. 4.1. Lower layer code is
113  * expected to maintain these variables and register a callback functions for
114  * EAP state machine to get and set the variables.
115  */
116 enum eapol_int_var {
117 	/**
118 	 * EAPOL_idleWhile - Outside time for EAP peer timeout
119 	 *
120 	 * This integer variable is used to provide an outside timer that the
121 	 * external (to EAP state machine) code must decrement by one every
122 	 * second until the value reaches zero. This is used in the same way as
123 	 * EAPOL state machine timers. EAP state machine reads and writes this
124 	 * value.
125 	 */
126 	EAPOL_idleWhile
127 };
128 
129 /**
130  * struct eapol_callbacks - Callback functions from EAP to lower layer
131  *
132  * This structure defines the callback functions that EAP state machine
133  * requires from the lower layer (usually EAPOL state machine) for updating
134  * state variables and requesting information. eapol_ctx from
135  * eap_peer_sm_init() call will be used as the ctx parameter for these
136  * callback functions.
137  */
138 struct eapol_callbacks {
139 	/**
140 	 * get_config - Get pointer to the current network configuration
141 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
142 	 */
143 	struct eap_peer_config * (*get_config)(void *ctx);
144 
145 	/**
146 	 * get_bool - Get a boolean EAPOL state variable
147 	 * @variable: EAPOL boolean variable to get
148 	 * Returns: Value of the EAPOL variable
149 	 */
150 	bool (*get_bool)(void *ctx, enum eapol_bool_var variable);
151 
152 	/**
153 	 * set_bool - Set a boolean EAPOL state variable
154 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
155 	 * @variable: EAPOL boolean variable to set
156 	 * @value: Value for the EAPOL variable
157 	 */
158 	void (*set_bool)(void *ctx, enum eapol_bool_var variable, bool value);
159 
160 	/**
161 	 * get_int - Get an integer EAPOL state variable
162 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
163 	 * @variable: EAPOL integer variable to get
164 	 * Returns: Value of the EAPOL variable
165 	 */
166 	unsigned int (*get_int)(void *ctx, enum eapol_int_var variable);
167 
168 	/**
169 	 * set_int - Set an integer EAPOL state variable
170 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
171 	 * @variable: EAPOL integer variable to set
172 	 * @value: Value for the EAPOL variable
173 	 */
174 	void (*set_int)(void *ctx, enum eapol_int_var variable,
175 			unsigned int value);
176 
177 	/**
178 	 * get_eapReqData - Get EAP-Request data
179 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
180 	 * @len: Pointer to variable that will be set to eapReqDataLen
181 	 * Returns: Reference to eapReqData (EAP state machine will not free
182 	 * this) or %NULL if eapReqData not available.
183 	 */
184 	struct wpabuf * (*get_eapReqData)(void *ctx);
185 
186 	/**
187 	 * set_config_blob - Set named configuration blob
188 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
189 	 * @blob: New value for the blob
190 	 *
191 	 * Adds a new configuration blob or replaces the current value of an
192 	 * existing blob.
193 	 */
194 	void (*set_config_blob)(void *ctx, struct wpa_config_blob *blob);
195 
196 	/**
197 	 * get_config_blob - Get a named configuration blob
198 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
199 	 * @name: Name of the blob
200 	 * Returns: Pointer to blob data or %NULL if not found
201 	 */
202 	const struct wpa_config_blob * (*get_config_blob)(void *ctx,
203 							  const char *name);
204 
205 	/**
206 	 * notify_pending - Notify that a pending request can be retried
207 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
208 	 *
209 	 * An EAP method can perform a pending operation (e.g., to get a
210 	 * response from an external process). Once the response is available,
211 	 * this callback function can be used to request EAPOL state machine to
212 	 * retry delivering the previously received (and still unanswered) EAP
213 	 * request to EAP state machine.
214 	 */
215 	void (*notify_pending)(void *ctx);
216 
217 	/**
218 	 * eap_param_needed - Notify that EAP parameter is needed
219 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
220 	 * @field: Field indicator (e.g., WPA_CTRL_REQ_EAP_IDENTITY)
221 	 * @txt: User readable text describing the required parameter
222 	 */
223 	void (*eap_param_needed)(void *ctx, enum wpa_ctrl_req_type field,
224 				 const char *txt);
225 
226 	/**
227 	 * notify_cert - Notification of a peer certificate
228 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
229 	 * @cert: Certificate information
230 	 * @cert_hash: SHA-256 hash of the certificate
231 	 */
232 	void (*notify_cert)(void *ctx, struct tls_cert_data *cert,
233 			    const char *cert_hash);
234 
235 	/**
236 	 * notify_status - Notification of the current EAP state
237 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
238 	 * @status: Step in the process of EAP authentication
239 	 * @parameter: Step-specific parameter, e.g., EAP method name
240 	 */
241 	void (*notify_status)(void *ctx, const char *status,
242 			      const char *parameter);
243 
244 	/**
245 	 * notify_eap_error - Report EAP method error code
246 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
247 	 * @error_code: Error code from the used EAP method
248 	 */
249 	void (*notify_eap_error)(void *ctx, int error_code);
250 
251 #ifdef CONFIG_EAP_PROXY
252 	/**
253 	 * eap_proxy_cb - Callback signifying any updates from eap_proxy
254 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
255 	 */
256 	void (*eap_proxy_cb)(void *ctx);
257 
258 	/**
259 	 * eap_proxy_notify_sim_status - Notification of SIM status change
260 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
261 	 * @sim_state: One of enum value from sim_state
262 	 */
263 	void (*eap_proxy_notify_sim_status)(void *ctx,
264 					    enum eap_proxy_sim_state sim_state);
265 
266 	/**
267 	 * get_imsi - Get the IMSI value from eap_proxy
268 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
269 	 * @sim_num: SIM/USIM number to get the IMSI value for
270 	 * @imsi: Buffer for IMSI value
271 	 * @len: Buffer for returning IMSI length in octets
272 	 * Returns: MNC length (2 or 3) or -1 on error
273 	 */
274 	int (*get_imsi)(void *ctx, int sim_num, char *imsi, size_t *len);
275 #endif /* CONFIG_EAP_PROXY */
276 
277 	/**
278 	 * set_anon_id - Set or add anonymous identity
279 	 * @ctx: eapol_ctx from eap_peer_sm_init() call
280 	 * @id: Anonymous identity (e.g., EAP-SIM pseudonym) or %NULL to clear
281 	 * @len: Length of anonymous identity in octets
282 	 */
283 	void (*set_anon_id)(void *ctx, const u8 *id, size_t len);
284 };
285 
286 /**
287  * struct eap_config - Configuration for EAP state machine
288  */
289 struct eap_config {
290 	/**
291 	 * opensc_engine_path - OpenSC engine for OpenSSL engine support
292 	 *
293 	 * Usually, path to engine_opensc.so.
294 	 */
295 	const char *opensc_engine_path;
296 	/**
297 	 * pkcs11_engine_path - PKCS#11 engine for OpenSSL engine support
298 	 *
299 	 * Usually, path to engine_pkcs11.so.
300 	 */
301 	const char *pkcs11_engine_path;
302 	/**
303 	 * pkcs11_module_path - OpenSC PKCS#11 module for OpenSSL engine
304 	 *
305 	 * Usually, path to opensc-pkcs11.so.
306 	 */
307 	const char *pkcs11_module_path;
308 	/**
309 	 * openssl_ciphers - OpenSSL cipher string
310 	 *
311 	 * This is an OpenSSL specific configuration option for configuring the
312 	 * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
313 	 * default.
314 	 */
315 	const char *openssl_ciphers;
316 	/**
317 	 * wps - WPS context data
318 	 *
319 	 * This is only used by EAP-WSC and can be left %NULL if not available.
320 	 */
321 	struct wps_context *wps;
322 
323 	/**
324 	 * cert_in_cb - Include server certificates in callback
325 	 */
326 	int cert_in_cb;
327 };
328 
329 struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
330 				 const struct eapol_callbacks *eapol_cb,
331 				 void *msg_ctx, struct eap_config *conf);
332 void eap_peer_sm_deinit(struct eap_sm *sm);
333 int eap_peer_sm_step(struct eap_sm *sm);
334 void eap_sm_abort(struct eap_sm *sm);
335 int eap_sm_get_status(struct eap_sm *sm, char *buf, size_t buflen,
336 		      int verbose);
337 const char * eap_sm_get_method_name(struct eap_sm *sm);
338 struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted);
339 void eap_sm_request_identity(struct eap_sm *sm);
340 void eap_sm_request_password(struct eap_sm *sm);
341 void eap_sm_request_new_password(struct eap_sm *sm);
342 void eap_sm_request_pin(struct eap_sm *sm);
343 void eap_sm_request_otp(struct eap_sm *sm, const char *msg, size_t msg_len);
344 void eap_sm_request_passphrase(struct eap_sm *sm);
345 void eap_sm_request_sim(struct eap_sm *sm, const char *req);
346 void eap_sm_notify_ctrl_attached(struct eap_sm *sm);
347 u32 eap_get_phase2_type(const char *name, int *vendor);
348 struct eap_method_type * eap_get_phase2_types(struct eap_peer_config *config,
349 					      size_t *count);
350 void eap_set_fast_reauth(struct eap_sm *sm, int enabled);
351 void eap_set_workaround(struct eap_sm *sm, unsigned int workaround);
352 void eap_set_force_disabled(struct eap_sm *sm, int disabled);
353 void eap_set_external_sim(struct eap_sm *sm, int external_sim);
354 int eap_key_available(struct eap_sm *sm);
355 void eap_notify_success(struct eap_sm *sm);
356 void eap_notify_lower_layer_success(struct eap_sm *sm);
357 const u8 * eap_get_eapSessionId(struct eap_sm *sm, size_t *len);
358 const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len);
359 struct wpabuf * eap_get_eapRespData(struct eap_sm *sm);
360 void eap_register_scard_ctx(struct eap_sm *sm, void *ctx);
361 void eap_invalidate_cached_session(struct eap_sm *sm);
362 
363 int eap_is_wps_pbc_enrollee(struct eap_peer_config *conf);
364 int eap_is_wps_pin_enrollee(struct eap_peer_config *conf);
365 
366 struct ext_password_data;
367 void eap_sm_set_ext_pw_ctx(struct eap_sm *sm, struct ext_password_data *ext);
368 void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len);
369 int eap_peer_was_failure_expected(struct eap_sm *sm);
370 void eap_peer_erp_free_keys(struct eap_sm *sm);
371 struct wpabuf * eap_peer_build_erp_reauth_start(struct eap_sm *sm, u8 eap_id);
372 void eap_peer_finish(struct eap_sm *sm, const struct eap_hdr *hdr, size_t len);
373 int eap_peer_get_erp_info(struct eap_sm *sm, struct eap_peer_config *config,
374 			  const u8 **username, size_t *username_len,
375 			  const u8 **realm, size_t *realm_len, u16 *erp_seq_num,
376 			  const u8 **rrk, size_t *rrk_len);
377 int eap_peer_update_erp_next_seq_num(struct eap_sm *sm, u16 seq_num);
378 void eap_peer_erp_init(struct eap_sm *sm, u8 *ext_session_id,
379 		       size_t ext_session_id_len, u8 *ext_emsk,
380 		       size_t ext_emsk_len);
381 
382 #endif /* IEEE8021X_EAPOL */
383 
384 #endif /* EAP_H */
385