1 /* 2 * EAP peer state machines internal structures (RFC 4137) 3 * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #ifndef EAP_I_H 10 #define EAP_I_H 11 12 #include "utils/wpabuf.h" 13 #include "eap.h" 14 #include "eap_common.h" 15 #include "eap_config.h" 16 17 /* RFC 4137 - EAP Peer state machine */ 18 19 typedef enum { 20 DECISION_FAIL, DECISION_COND_SUCC, DECISION_UNCOND_SUCC 21 } EapDecision; 22 23 typedef enum { 24 METHOD_NONE, METHOD_INIT, METHOD_CONT, METHOD_MAY_CONT, METHOD_DONE 25 } EapMethodState; 26 27 /** 28 * struct eap_method_ret - EAP return values from struct eap_method::process() 29 * 30 * These structure contains OUT variables for the interface between peer state 31 * machine and methods (RFC 4137, Sect. 4.2). eapRespData will be returned as 32 * the return value of struct eap_method::process() so it is not included in 33 * this structure. 34 */ 35 struct eap_method_ret { 36 /** 37 * ignore - Whether method decided to drop the current packed (OUT) 38 */ 39 Boolean ignore; 40 41 /** 42 * methodState - Method-specific state (IN/OUT) 43 */ 44 EapMethodState methodState; 45 46 /** 47 * decision - Authentication decision (OUT) 48 */ 49 EapDecision decision; 50 51 /** 52 * allowNotifications - Whether method allows notifications (OUT) 53 */ 54 Boolean allowNotifications; 55 }; 56 57 struct eap_sm; 58 59 /** 60 * struct eap_method - EAP method interface 61 * This structure defines the EAP method interface. Each method will need to 62 * register its own EAP type, EAP name, and set of function pointers for method 63 * specific operations. This interface is based on section 4.4 of RFC 4137. 64 */ 65 struct eap_method { 66 /** 67 * vendor - EAP Vendor-ID (EAP_VENDOR_*) (0 = IETF) 68 */ 69 int vendor; 70 71 /** 72 * method - EAP type number (EAP_TYPE_*) 73 */ 74 EapType method; 75 76 /** 77 * name - Name of the method (e.g., "TLS") 78 */ 79 const char *name; 80 81 /** 82 * init - Initialize an EAP method 83 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 84 * Returns: Pointer to allocated private data, or %NULL on failure 85 * 86 * This function is used to initialize the EAP method explicitly 87 * instead of using METHOD_INIT state as specific in RFC 4137. The 88 * method is expected to initialize it method-specific state and return 89 * a pointer that will be used as the priv argument to other calls. 90 */ 91 void * (*init)(struct eap_sm *sm); 92 93 /** 94 * deinit - Deinitialize an EAP method 95 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 96 * @priv: Pointer to private EAP method data from eap_method::init() 97 * 98 * Deinitialize the EAP method and free any allocated private data. 99 */ 100 void (*deinit)(struct eap_sm *sm, void *priv); 101 102 /** 103 * process - Process an EAP request 104 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 105 * @priv: Pointer to private EAP method data from eap_method::init() 106 * @ret: Return values from EAP request validation and processing 107 * @reqData: EAP request to be processed (eapReqData) 108 * Returns: Pointer to allocated EAP response packet (eapRespData) 109 * 110 * This function is a combination of m.check(), m.process(), and 111 * m.buildResp() procedures defined in section 4.4 of RFC 4137 In other 112 * words, this function validates the incoming request, processes it, 113 * and build a response packet. m.check() and m.process() return values 114 * are returned through struct eap_method_ret *ret variable. Caller is 115 * responsible for freeing the returned EAP response packet. 116 */ 117 struct wpabuf * (*process)(struct eap_sm *sm, void *priv, 118 struct eap_method_ret *ret, 119 const struct wpabuf *reqData); 120 bool (*isKeyAvailable)(struct eap_sm *sm, void *priv); 121 u8 * (*getKey)(struct eap_sm *sm, void *priv, size_t *len); 122 123 /** 124 * get_status - Get EAP method status 125 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 126 * @priv: Pointer to private EAP method data from eap_method::init() 127 * @buf: Buffer for status information 128 * @buflen: Maximum buffer length 129 * @verbose: Whether to include verbose status information 130 * Returns: Number of bytes written to buf 131 * 132 * Query EAP method for status information. This function fills in a 133 * text area with current status information from the EAP method. If 134 * the buffer (buf) is not large enough, status information will be 135 * truncated to fit the buffer. 136 */ 137 int (*get_status)(struct eap_sm *sm, void *priv, char *buf, 138 size_t buflen, int verbose); 139 140 /** 141 * has_reauth_data - Whether method is ready for fast reauthentication 142 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 143 * @priv: Pointer to private EAP method data from eap_method::init() 144 * Returns: %TRUE or %FALSE based on whether fast reauthentication is 145 * possible 146 * 147 * This function is an optional handler that only EAP methods 148 * supporting fast re-authentication need to implement. 149 */ 150 bool (*has_reauth_data)(struct eap_sm *sm, void *priv); 151 152 /** 153 * deinit_for_reauth - Release data that is not needed for fast re-auth 154 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 155 * @priv: Pointer to private EAP method data from eap_method::init() 156 * 157 * This function is an optional handler that only EAP methods 158 * supporting fast re-authentication need to implement. This is called 159 * when authentication has been completed and EAP state machine is 160 * requesting that enough state information is maintained for fast 161 * re-authentication 162 */ 163 void (*deinit_for_reauth)(struct eap_sm *sm, void *priv); 164 165 /** 166 * init_for_reauth - Prepare for start of fast re-authentication 167 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 168 * @priv: Pointer to private EAP method data from eap_method::init() 169 * 170 * This function is an optional handler that only EAP methods 171 * supporting fast re-authentication need to implement. This is called 172 * when EAP authentication is started and EAP state machine is 173 * requesting fast re-authentication to be used. 174 */ 175 void * (*init_for_reauth)(struct eap_sm *sm, void *priv); 176 177 /** 178 * get_identity - Get method specific identity for re-authentication 179 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 180 * @priv: Pointer to private EAP method data from eap_method::init() 181 * @len: Length of the returned identity 182 * Returns: Pointer to the method specific identity or %NULL if default 183 * identity is to be used 184 * 185 * This function is an optional handler that only EAP methods 186 * that use method specific identity need to implement. 187 */ 188 const u8 * (*get_identity)(struct eap_sm *sm, void *priv, size_t *len); 189 190 /** 191 * free - Free EAP method data 192 * @method: Pointer to the method data registered with 193 * eap_peer_method_register(). 194 * 195 * This function will be called when the EAP method is being 196 * unregistered. If the EAP method allocated resources during 197 * registration (e.g., allocated struct eap_method), they should be 198 * freed in this function. No other method functions will be called 199 * after this call. If this function is not defined (i.e., function 200 * pointer is %NULL), a default handler is used to release the method 201 * data with free(method). This is suitable for most cases. 202 */ 203 void (*free)(struct eap_method *method); 204 205 #define EAP_PEER_METHOD_INTERFACE_VERSION 1 206 /** 207 * version - Version of the EAP peer method interface 208 * 209 * The EAP peer method implementation should set this variable to 210 * EAP_PEER_METHOD_INTERFACE_VERSION. This is used to verify that the 211 * EAP method is using supported API version when using dynamically 212 * loadable EAP methods. 213 */ 214 int version; 215 216 /** 217 * next - Pointer to the next EAP method 218 * 219 * This variable is used internally in the EAP method registration code 220 * to create a linked list of registered EAP methods. 221 */ 222 struct eap_method *next; 223 224 #ifdef CONFIG_DYNAMIC_EAP_METHODS 225 /** 226 * dl_handle - Handle for the dynamic library 227 * 228 * This variable is used internally in the EAP method registration code 229 * to store a handle for the dynamic library. If the method is linked 230 * in statically, this is %NULL. 231 */ 232 void *dl_handle; 233 #endif /* CONFIG_DYNAMIC_EAP_METHODS */ 234 235 /** 236 * get_emsk - Get EAP method specific keying extended material (EMSK) 237 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 238 * @priv: Pointer to private EAP method data from eap_method::init() 239 * @len: Pointer to a variable to store EMSK length 240 * Returns: EMSK or %NULL if not available 241 * 242 * This function can be used to get the extended keying material from 243 * the EAP method. The key may already be stored in the method-specific 244 * private data or this function may derive the key. 245 */ 246 u8 * (*get_emsk)(struct eap_sm *sm, void *priv, size_t *len); 247 248 /** 249 * getSessionId - Get EAP method specific Session-Id 250 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 251 * @priv: Pointer to private EAP method data from eap_method::init() 252 * @len: Pointer to a variable to store Session-Id length 253 * Returns: Session-Id or %NULL if not available 254 * 255 * This function can be used to get the Session-Id from the EAP method. 256 * The Session-Id may already be stored in the method-specific private 257 * data or this function may derive the Session-Id. 258 */ 259 u8 * (*getSessionId)(struct eap_sm *sm, void *priv, size_t *len); 260 }; 261 262 #define CLIENT_CERT_NAME "CLC" 263 #define CA_CERT_NAME "CAC" 264 #define PRIVATE_KEY_NAME "PVK" 265 #define PAC_FILE_NAME "PAC" 266 #define BLOB_NAME_LEN 3 267 #define BLOB_NUM 4 268 269 enum SIG_WPA2 { 270 SIG_WPA2_START = 0, 271 SIG_WPA2_RX, 272 SIG_WPA2_TASK_DEL, 273 SIG_WPA2_MAX, 274 }; 275 276 /** 277 * struct eap_sm - EAP state machine data 278 */ 279 struct eap_sm { 280 /* not defined in RFC 4137 */ 281 Boolean changed; 282 void *eapol_ctx; 283 const struct eapol_callbacks *eapol_cb; 284 void *eap_method_priv; 285 int init_phase2; 286 287 void *msg_ctx; 288 void *ssl_ctx; 289 290 unsigned int workaround; 291 ///////////////////////////////////////////////// 292 struct pbuf *outbuf; 293 struct wpa_config_blob blob[BLOB_NUM]; 294 struct eap_peer_config config; 295 u8 current_identifier; 296 u8 ownaddr[ETH_ALEN]; 297 #ifdef USE_WPA2_TASK 298 u8 wpa2_sig_cnt[SIG_WPA2_MAX]; 299 #endif 300 u8 finish_state; 301 302 /* Optional challenges generated in Phase 1 (EAP-FAST) */ 303 u8 *peer_challenge, *auth_challenge; 304 305 unsigned int expected_failure:1; 306 unsigned int ext_cert_check:1; 307 unsigned int waiting_ext_cert_check:1; 308 bool peap_done; 309 310 u8 *eapKeyData; 311 size_t eapKeyDataLen; 312 struct wpabuf *lastRespData; 313 const struct eap_method *m; 314 }; 315 316 typedef enum { 317 WPA2_STATE_ENABLED = 0, 318 WPA2_STATE_DISABLED, 319 } wpa2_state_t; 320 321 const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len); 322 const u8 * eap_get_config_password(struct eap_sm *sm, size_t *len); 323 const u8 * eap_get_config_password2(struct eap_sm *sm, size_t *len, int *hash); 324 const u8 * eap_get_config_new_password(struct eap_sm *sm, size_t *len); 325 const u8 * eap_get_config_otp(struct eap_sm *sm, size_t *len); 326 void eap_clear_config_otp(struct eap_sm *sm); 327 const char * eap_get_config_phase1(struct eap_sm *sm); 328 const char * eap_get_config_phase2(struct eap_sm *sm); 329 int eap_get_config_fragment_size(struct eap_sm *sm); 330 struct eap_peer_config * eap_get_config(struct eap_sm *sm); 331 void eap_set_config_blob(struct eap_sm *sm, struct wpa_config_blob *blob); 332 const struct wpa_config_blob * eap_get_config_blob(struct eap_sm *sm, const char *name); 333 int eap_allowed_method(struct eap_sm *sm, int vendor, u32 method); 334 bool wifi_sta_get_enterprise_disable_time_check(void); 335 336 struct wpabuf * eap_sm_build_identity_resp(struct eap_sm *sm, u8 id, int encrypted); 337 338 #endif /* EAP_I_H */ 339
