1 | /* |
---|
2 | * EAP peer state machine functions (RFC 4137) |
---|
3 | * Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi> |
---|
4 | * |
---|
5 | * This software may be distributed under the terms of the BSD license. |
---|
6 | * See README for more details. |
---|
7 | */ |
---|
8 | |
---|
9 | #ifndef EAP_H |
---|
10 | #define EAP_H |
---|
11 | |
---|
12 | #include "common/defs.h" |
---|
13 | #include "eap_common/eap_defs.h" |
---|
14 | #include "eap_peer/eap_methods.h" |
---|
15 | |
---|
16 | struct eap_sm; |
---|
17 | struct wpa_config_blob; |
---|
18 | struct wpabuf; |
---|
19 | |
---|
20 | struct eap_method_type { |
---|
21 | int vendor; |
---|
22 | u32 method; |
---|
23 | }; |
---|
24 | |
---|
25 | #ifdef IEEE8021X_EAPOL |
---|
26 | |
---|
27 | /** |
---|
28 | * enum eapol_bool_var - EAPOL boolean state variables for EAP state machine |
---|
29 | * |
---|
30 | * These variables are used in the interface between EAP peer state machine and |
---|
31 | * lower layer. These are defined in RFC 4137, Sect. 4.1. Lower layer code is |
---|
32 | * expected to maintain these variables and register a callback functions for |
---|
33 | * EAP state machine to get and set the variables. |
---|
34 | */ |
---|
35 | enum eapol_bool_var { |
---|
36 | /** |
---|
37 | * EAPOL_eapSuccess - EAP SUCCESS state reached |
---|
38 | * |
---|
39 | * EAP state machine reads and writes this value. |
---|
40 | */ |
---|
41 | EAPOL_eapSuccess, |
---|
42 | |
---|
43 | /** |
---|
44 | * EAPOL_eapRestart - Lower layer request to restart authentication |
---|
45 | * |
---|
46 | * Set to TRUE in lower layer, FALSE in EAP state machine. |
---|
47 | */ |
---|
48 | EAPOL_eapRestart, |
---|
49 | |
---|
50 | /** |
---|
51 | * EAPOL_eapFail - EAP FAILURE state reached |
---|
52 | * |
---|
53 | * EAP state machine writes this value. |
---|
54 | */ |
---|
55 | EAPOL_eapFail, |
---|
56 | |
---|
57 | /** |
---|
58 | * EAPOL_eapResp - Response to send |
---|
59 | * |
---|
60 | * Set to TRUE in EAP state machine, FALSE in lower layer. |
---|
61 | */ |
---|
62 | EAPOL_eapResp, |
---|
63 | |
---|
64 | /** |
---|
65 | * EAPOL_eapNoResp - Request has been process; no response to send |
---|
66 | * |
---|
67 | * Set to TRUE in EAP state machine, FALSE in lower layer. |
---|
68 | */ |
---|
69 | EAPOL_eapNoResp, |
---|
70 | |
---|
71 | /** |
---|
72 | * EAPOL_eapReq - EAP request available from lower layer |
---|
73 | * |
---|
74 | * Set to TRUE in lower layer, FALSE in EAP state machine. |
---|
75 | */ |
---|
76 | EAPOL_eapReq, |
---|
77 | |
---|
78 | /** |
---|
79 | * EAPOL_portEnabled - Lower layer is ready for communication |
---|
80 | * |
---|
81 | * EAP state machines reads this value. |
---|
82 | */ |
---|
83 | EAPOL_portEnabled, |
---|
84 | |
---|
85 | /** |
---|
86 | * EAPOL_altAccept - Alternate indication of success (RFC3748) |
---|
87 | * |
---|
88 | * EAP state machines reads this value. |
---|
89 | */ |
---|
90 | EAPOL_altAccept, |
---|
91 | |
---|
92 | /** |
---|
93 | * EAPOL_altReject - Alternate indication of failure (RFC3748) |
---|
94 | * |
---|
95 | * EAP state machines reads this value. |
---|
96 | */ |
---|
97 | EAPOL_altReject, |
---|
98 | |
---|
99 | /** |
---|
100 | * EAPOL_eapTriggerStart - EAP-based trigger to send EAPOL-Start |
---|
101 | * |
---|
102 | * EAP state machine writes this value. |
---|
103 | */ |
---|
104 | EAPOL_eapTriggerStart |
---|
105 | }; |
---|
106 | |
---|
107 | /** |
---|
108 | * enum eapol_int_var - EAPOL integer state variables for EAP state machine |
---|
109 | * |
---|
110 | * These variables are used in the interface between EAP peer state machine and |
---|
111 | * lower layer. These are defined in RFC 4137, Sect. 4.1. Lower layer code is |
---|
112 | * expected to maintain these variables and register a callback functions for |
---|
113 | * EAP state machine to get and set the variables. |
---|
114 | */ |
---|
115 | enum eapol_int_var { |
---|
116 | /** |
---|
117 | * EAPOL_idleWhile - Outside time for EAP peer timeout |
---|
118 | * |
---|
119 | * This integer variable is used to provide an outside timer that the |
---|
120 | * external (to EAP state machine) code must decrement by one every |
---|
121 | * second until the value reaches zero. This is used in the same way as |
---|
122 | * EAPOL state machine timers. EAP state machine reads and writes this |
---|
123 | * value. |
---|
124 | */ |
---|
125 | EAPOL_idleWhile |
---|
126 | }; |
---|
127 | |
---|
128 | /** |
---|
129 | * struct eapol_callbacks - Callback functions from EAP to lower layer |
---|
130 | * |
---|
131 | * This structure defines the callback functions that EAP state machine |
---|
132 | * requires from the lower layer (usually EAPOL state machine) for updating |
---|
133 | * state variables and requesting information. eapol_ctx from |
---|
134 | * eap_peer_sm_init() call will be used as the ctx parameter for these |
---|
135 | * callback functions. |
---|
136 | */ |
---|
137 | struct eapol_callbacks { |
---|
138 | /** |
---|
139 | * get_config - Get pointer to the current network configuration |
---|
140 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
141 | */ |
---|
142 | struct eap_peer_config * (*get_config)(void *ctx); |
---|
143 | |
---|
144 | /** |
---|
145 | * get_bool - Get a boolean EAPOL state variable |
---|
146 | * @variable: EAPOL boolean variable to get |
---|
147 | * Returns: Value of the EAPOL variable |
---|
148 | */ |
---|
149 | Boolean (*get_bool)(void *ctx, enum eapol_bool_var variable); |
---|
150 | |
---|
151 | /** |
---|
152 | * set_bool - Set a boolean EAPOL state variable |
---|
153 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
154 | * @variable: EAPOL boolean variable to set |
---|
155 | * @value: Value for the EAPOL variable |
---|
156 | */ |
---|
157 | void (*set_bool)(void *ctx, enum eapol_bool_var variable, |
---|
158 | Boolean value); |
---|
159 | |
---|
160 | /** |
---|
161 | * get_int - Get an integer EAPOL state variable |
---|
162 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
163 | * @variable: EAPOL integer variable to get |
---|
164 | * Returns: Value of the EAPOL variable |
---|
165 | */ |
---|
166 | unsigned int (*get_int)(void *ctx, enum eapol_int_var variable); |
---|
167 | |
---|
168 | /** |
---|
169 | * set_int - Set an integer EAPOL state variable |
---|
170 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
171 | * @variable: EAPOL integer variable to set |
---|
172 | * @value: Value for the EAPOL variable |
---|
173 | */ |
---|
174 | void (*set_int)(void *ctx, enum eapol_int_var variable, |
---|
175 | unsigned int value); |
---|
176 | |
---|
177 | /** |
---|
178 | * get_eapReqData - Get EAP-Request data |
---|
179 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
180 | * @len: Pointer to variable that will be set to eapReqDataLen |
---|
181 | * Returns: Reference to eapReqData (EAP state machine will not free |
---|
182 | * this) or %NULL if eapReqData not available. |
---|
183 | */ |
---|
184 | struct wpabuf * (*get_eapReqData)(void *ctx); |
---|
185 | |
---|
186 | /** |
---|
187 | * set_config_blob - Set named configuration blob |
---|
188 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
189 | * @blob: New value for the blob |
---|
190 | * |
---|
191 | * Adds a new configuration blob or replaces the current value of an |
---|
192 | * existing blob. |
---|
193 | */ |
---|
194 | void (*set_config_blob)(void *ctx, struct wpa_config_blob *blob); |
---|
195 | |
---|
196 | /** |
---|
197 | * get_config_blob - Get a named configuration blob |
---|
198 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
199 | * @name: Name of the blob |
---|
200 | * Returns: Pointer to blob data or %NULL if not found |
---|
201 | */ |
---|
202 | const struct wpa_config_blob * (*get_config_blob)(void *ctx, |
---|
203 | const char *name); |
---|
204 | |
---|
205 | /** |
---|
206 | * notify_pending - Notify that a pending request can be retried |
---|
207 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
208 | * |
---|
209 | * An EAP method can perform a pending operation (e.g., to get a |
---|
210 | * response from an external process). Once the response is available, |
---|
211 | * this callback function can be used to request EAPOL state machine to |
---|
212 | * retry delivering the previously received (and still unanswered) EAP |
---|
213 | * request to EAP state machine. |
---|
214 | */ |
---|
215 | void (*notify_pending)(void *ctx); |
---|
216 | |
---|
217 | /** |
---|
218 | * eap_param_needed - Notify that EAP parameter is needed |
---|
219 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
220 | * @field: Field indicator (e.g., WPA_CTRL_REQ_EAP_IDENTITY) |
---|
221 | * @txt: User readable text describing the required parameter |
---|
222 | */ |
---|
223 | void (*eap_param_needed)(void *ctx, enum wpa_ctrl_req_type field, |
---|
224 | const char *txt); |
---|
225 | |
---|
226 | /** |
---|
227 | * notify_cert - Notification of a peer certificate |
---|
228 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
229 | * @depth: Depth in certificate chain (0 = server) |
---|
230 | * @subject: Subject of the peer certificate |
---|
231 | * @altsubject: Select fields from AltSubject of the peer certificate |
---|
232 | * @num_altsubject: Number of altsubject values |
---|
233 | * @cert_hash: SHA-256 hash of the certificate |
---|
234 | * @cert: Peer certificate |
---|
235 | */ |
---|
236 | void (*notify_cert)(void *ctx, int depth, const char *subject, |
---|
237 | const char *altsubject[], int num_altsubject, |
---|
238 | const char *cert_hash, const struct wpabuf *cert); |
---|
239 | |
---|
240 | /** |
---|
241 | * notify_status - Notification of the current EAP state |
---|
242 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
243 | * @status: Step in the process of EAP authentication |
---|
244 | * @parameter: Step-specific parameter, e.g., EAP method name |
---|
245 | */ |
---|
246 | void (*notify_status)(void *ctx, const char *status, |
---|
247 | const char *parameter); |
---|
248 | |
---|
249 | #ifdef CONFIG_EAP_PROXY |
---|
250 | /** |
---|
251 | * eap_proxy_cb - Callback signifying any updates from eap_proxy |
---|
252 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
253 | */ |
---|
254 | void (*eap_proxy_cb)(void *ctx); |
---|
255 | #endif /* CONFIG_EAP_PROXY */ |
---|
256 | |
---|
257 | /** |
---|
258 | * set_anon_id - Set or add anonymous identity |
---|
259 | * @ctx: eapol_ctx from eap_peer_sm_init() call |
---|
260 | * @id: Anonymous identity (e.g., EAP-SIM pseudonym) or %NULL to clear |
---|
261 | * @len: Length of anonymous identity in octets |
---|
262 | */ |
---|
263 | void (*set_anon_id)(void *ctx, const u8 *id, size_t len); |
---|
264 | }; |
---|
265 | |
---|
266 | /** |
---|
267 | * struct eap_config - Configuration for EAP state machine |
---|
268 | */ |
---|
269 | struct eap_config { |
---|
270 | /** |
---|
271 | * opensc_engine_path - OpenSC engine for OpenSSL engine support |
---|
272 | * |
---|
273 | * Usually, path to engine_opensc.so. |
---|
274 | */ |
---|
275 | const char *opensc_engine_path; |
---|
276 | /** |
---|
277 | * pkcs11_engine_path - PKCS#11 engine for OpenSSL engine support |
---|
278 | * |
---|
279 | * Usually, path to engine_pkcs11.so. |
---|
280 | */ |
---|
281 | const char *pkcs11_engine_path; |
---|
282 | /** |
---|
283 | * pkcs11_module_path - OpenSC PKCS#11 module for OpenSSL engine |
---|
284 | * |
---|
285 | * Usually, path to opensc-pkcs11.so. |
---|
286 | */ |
---|
287 | const char *pkcs11_module_path; |
---|
288 | /** |
---|
289 | * openssl_ciphers - OpenSSL cipher string |
---|
290 | * |
---|
291 | * This is an OpenSSL specific configuration option for configuring the |
---|
292 | * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the |
---|
293 | * default. |
---|
294 | */ |
---|
295 | const char *openssl_ciphers; |
---|
296 | /** |
---|
297 | * wps - WPS context data |
---|
298 | * |
---|
299 | * This is only used by EAP-WSC and can be left %NULL if not available. |
---|
300 | */ |
---|
301 | struct wps_context *wps; |
---|
302 | |
---|
303 | /** |
---|
304 | * cert_in_cb - Include server certificates in callback |
---|
305 | */ |
---|
306 | int cert_in_cb; |
---|
307 | }; |
---|
308 | |
---|
309 | struct eap_sm * eap_peer_sm_init(void *eapol_ctx, |
---|
310 | const struct eapol_callbacks *eapol_cb, |
---|
311 | void *msg_ctx, struct eap_config *conf); |
---|
312 | void eap_peer_sm_deinit(struct eap_sm *sm); |
---|
313 | int eap_peer_sm_step(struct eap_sm *sm); |
---|
314 | void eap_sm_abort(struct eap_sm *sm); |
---|
315 | int eap_sm_get_status(struct eap_sm *sm, char *buf, size_t buflen, |
---|
316 | int verbose); |
---|
317 | const char * eap_sm_get_method_name(struct eap_sm *sm); |
---|
318 | struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted); |
---|
319 | void eap_sm_request_identity(struct eap_sm *sm); |
---|
320 | void eap_sm_request_password(struct eap_sm *sm); |
---|
321 | void eap_sm_request_new_password(struct eap_sm *sm); |
---|
322 | void eap_sm_request_pin(struct eap_sm *sm); |
---|
323 | void eap_sm_request_otp(struct eap_sm *sm, const char *msg, size_t msg_len); |
---|
324 | void eap_sm_request_passphrase(struct eap_sm *sm); |
---|
325 | void eap_sm_request_sim(struct eap_sm *sm, const char *req); |
---|
326 | void eap_sm_notify_ctrl_attached(struct eap_sm *sm); |
---|
327 | u32 eap_get_phase2_type(const char *name, int *vendor); |
---|
328 | struct eap_method_type * eap_get_phase2_types(struct eap_peer_config *config, |
---|
329 | size_t *count); |
---|
330 | void eap_set_fast_reauth(struct eap_sm *sm, int enabled); |
---|
331 | void eap_set_workaround(struct eap_sm *sm, unsigned int workaround); |
---|
332 | void eap_set_force_disabled(struct eap_sm *sm, int disabled); |
---|
333 | void eap_set_external_sim(struct eap_sm *sm, int external_sim); |
---|
334 | int eap_key_available(struct eap_sm *sm); |
---|
335 | void eap_notify_success(struct eap_sm *sm); |
---|
336 | void eap_notify_lower_layer_success(struct eap_sm *sm); |
---|
337 | const u8 * eap_get_eapSessionId(struct eap_sm *sm, size_t *len); |
---|
338 | const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len); |
---|
339 | struct wpabuf * eap_get_eapRespData(struct eap_sm *sm); |
---|
340 | void eap_register_scard_ctx(struct eap_sm *sm, void *ctx); |
---|
341 | void eap_invalidate_cached_session(struct eap_sm *sm); |
---|
342 | |
---|
343 | int eap_is_wps_pbc_enrollee(struct eap_peer_config *conf); |
---|
344 | int eap_is_wps_pin_enrollee(struct eap_peer_config *conf); |
---|
345 | |
---|
346 | struct ext_password_data; |
---|
347 | void eap_sm_set_ext_pw_ctx(struct eap_sm *sm, struct ext_password_data *ext); |
---|
348 | void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len); |
---|
349 | int eap_peer_was_failure_expected(struct eap_sm *sm); |
---|
350 | void eap_peer_erp_free_keys(struct eap_sm *sm); |
---|
351 | |
---|
352 | #endif /* IEEE8021X_EAPOL */ |
---|
353 | |
---|
354 | #endif /* EAP_H */ |
---|