2 * EAP peer state machines internal structures (RFC 4137)
3 * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
19 #include "eap_peer/eap.h"
20 #include "eap_common/eap_common.h"
26 /* RFC 4137 - EAP Peer state machine */
29 DECISION_FAIL, DECISION_COND_SUCC, DECISION_UNCOND_SUCC
33 METHOD_NONE, METHOD_INIT, METHOD_CONT, METHOD_MAY_CONT, METHOD_DONE
37 * struct eap_method_ret - EAP return values from struct eap_method::process()
39 * These structure contains OUT variables for the interface between peer state
40 * machine and methods (RFC 4137, Sect. 4.2). eapRespData will be returned as
41 * the return value of struct eap_method::process() so it is not included in
44 struct eap_method_ret {
46 * ignore - Whether method decided to drop the current packed (OUT)
51 * methodState - Method-specific state (IN/OUT)
53 EapMethodState methodState;
56 * decision - Authentication decision (OUT)
61 * allowNotifications - Whether method allows notifications (OUT)
63 Boolean allowNotifications;
68 * struct eap_method - EAP method interface
69 * This structure defines the EAP method interface. Each method will need to
70 * register its own EAP type, EAP name, and set of function pointers for method
71 * specific operations. This interface is based on section 4.4 of RFC 4137.
75 * vendor - EAP Vendor-ID (EAP_VENDOR_*) (0 = IETF)
80 * method - EAP type number (EAP_TYPE_*)
85 * name - Name of the method (e.g., "TLS")
90 * init - Initialize an EAP method
91 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
92 * Returns: Pointer to allocated private data, or %NULL on failure
94 * This function is used to initialize the EAP method explicitly
95 * instead of using METHOD_INIT state as specific in RFC 4137. The
96 * method is expected to initialize it method-specific state and return
97 * a pointer that will be used as the priv argument to other calls.
99 void * (*init)(struct eap_sm *sm);
102 * deinit - Deinitialize an EAP method
103 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
104 * @priv: Pointer to private EAP method data from eap_method::init()
106 * Deinitialize the EAP method and free any allocated private data.
108 void (*deinit)(struct eap_sm *sm, void *priv);
111 * process - Process an EAP request
112 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
113 * @priv: Pointer to private EAP method data from eap_method::init()
114 * @ret: Return values from EAP request validation and processing
115 * @reqData: EAP request to be processed (eapReqData)
116 * Returns: Pointer to allocated EAP response packet (eapRespData)
118 * This function is a combination of m.check(), m.process(), and
119 * m.buildResp() procedures defined in section 4.4 of RFC 4137 In other
120 * words, this function validates the incoming request, processes it,
121 * and build a response packet. m.check() and m.process() return values
122 * are returned through struct eap_method_ret *ret variable. Caller is
123 * responsible for freeing the returned EAP response packet.
125 struct wpabuf * (*process)(struct eap_sm *sm, void *priv,
126 struct eap_method_ret *ret,
127 const struct wpabuf *reqData);
130 * isKeyAvailable - Find out whether EAP method has keying material
131 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
132 * @priv: Pointer to private EAP method data from eap_method::init()
133 * Returns: %TRUE if key material (eapKeyData) is available
135 Boolean (*isKeyAvailable)(struct eap_sm *sm, void *priv);
138 * getKey - Get EAP method specific keying material (eapKeyData)
139 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
140 * @priv: Pointer to private EAP method data from eap_method::init()
141 * @len: Pointer to variable to store key length (eapKeyDataLen)
142 * Returns: Keying material (eapKeyData) or %NULL if not available
144 * This function can be used to get the keying material from the EAP
145 * method. The key may already be stored in the method-specific private
146 * data or this function may derive the key.
148 u8 * (*getKey)(struct eap_sm *sm, void *priv, size_t *len);
151 * get_status - Get EAP method status
152 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
153 * @priv: Pointer to private EAP method data from eap_method::init()
154 * @buf: Buffer for status information
155 * @buflen: Maximum buffer length
156 * @verbose: Whether to include verbose status information
157 * Returns: Number of bytes written to buf
159 * Query EAP method for status information. This function fills in a
160 * text area with current status information from the EAP method. If
161 * the buffer (buf) is not large enough, status information will be
162 * truncated to fit the buffer.
164 int (*get_status)(struct eap_sm *sm, void *priv, char *buf,
165 size_t buflen, int verbose);
168 * has_reauth_data - Whether method is ready for fast reauthentication
169 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
170 * @priv: Pointer to private EAP method data from eap_method::init()
171 * Returns: %TRUE or %FALSE based on whether fast reauthentication is
174 * This function is an optional handler that only EAP methods
175 * supporting fast re-authentication need to implement.
177 Boolean (*has_reauth_data)(struct eap_sm *sm, void *priv);
180 * deinit_for_reauth - Release data that is not needed for fast re-auth
181 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
182 * @priv: Pointer to private EAP method data from eap_method::init()
184 * This function is an optional handler that only EAP methods
185 * supporting fast re-authentication need to implement. This is called
186 * when authentication has been completed and EAP state machine is
187 * requesting that enough state information is maintained for fast
190 void (*deinit_for_reauth)(struct eap_sm *sm, void *priv);
193 * init_for_reauth - Prepare for start of fast re-authentication
194 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
195 * @priv: Pointer to private EAP method data from eap_method::init()
197 * This function is an optional handler that only EAP methods
198 * supporting fast re-authentication need to implement. This is called
199 * when EAP authentication is started and EAP state machine is
200 * requesting fast re-authentication to be used.
202 void * (*init_for_reauth)(struct eap_sm *sm, void *priv);
205 * get_identity - Get method specific identity for re-authentication
206 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
207 * @priv: Pointer to private EAP method data from eap_method::init()
208 * @len: Length of the returned identity
209 * Returns: Pointer to the method specific identity or %NULL if default
210 * identity is to be used
212 * This function is an optional handler that only EAP methods
213 * that use method specific identity need to implement.
215 const u8 * (*get_identity)(struct eap_sm *sm, void *priv, size_t *len);
218 * free - Free EAP method data
219 * @method: Pointer to the method data registered with
220 * eap_peer_method_register().
222 * This function will be called when the EAP method is being
223 * unregistered. If the EAP method allocated resources during
224 * registration (e.g., allocated struct eap_method), they should be
225 * freed in this function. No other method functions will be called
226 * after this call. If this function is not defined (i.e., function
227 * pointer is %NULL), a default handler is used to release the method
228 * data with free(method). This is suitable for most cases.
230 void (*free)(struct eap_method *method);
232 #define EAP_PEER_METHOD_INTERFACE_VERSION 1
234 * version - Version of the EAP peer method interface
236 * The EAP peer method implementation should set this variable to
237 * EAP_PEER_METHOD_INTERFACE_VERSION. This is used to verify that the
238 * EAP method is using supported API version when using dynamically
239 * loadable EAP methods.
244 * next - Pointer to the next EAP method
246 * This variable is used internally in the EAP method registration code
247 * to create a linked list of registered EAP methods.
249 struct eap_method *next;
251 #ifdef CONFIG_DYNAMIC_EAP_METHODS
253 * dl_handle - Handle for the dynamic library
255 * This variable is used internally in the EAP method registration code
256 * to store a handle for the dynamic library. If the method is linked
257 * in statically, this is %NULL.
260 #endif /* CONFIG_DYNAMIC_EAP_METHODS */
263 * get_emsk - Get EAP method specific keying extended material (EMSK)
264 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
265 * @priv: Pointer to private EAP method data from eap_method::init()
266 * @len: Pointer to a variable to store EMSK length
267 * Returns: EMSK or %NULL if not available
269 * This function can be used to get the extended keying material from
270 * the EAP method. The key may already be stored in the method-specific
271 * private data or this function may derive the key.
273 u8 * (*get_emsk)(struct eap_sm *sm, void *priv, size_t *len);
278 * struct eap_sm - EAP state machine data
282 EAP_INITIALIZE, EAP_DISABLED, EAP_IDLE, EAP_RECEIVED,
283 EAP_GET_METHOD, EAP_METHOD, EAP_SEND_RESPONSE, EAP_DISCARD,
284 EAP_IDENTITY, EAP_NOTIFICATION, EAP_RETRANSMIT, EAP_SUCCESS,
287 /* Long-term local variables */
288 EapType selectedMethod;
289 EapMethodState methodState;
291 struct wpabuf *lastRespData;
292 EapDecision decision;
293 /* Short-term local variables */
305 /* Miscellaneous variables */
306 Boolean allowNotifications; /* peer state machine <-> methods */
307 struct wpabuf *eapRespData; /* peer to lower layer */
308 Boolean eapKeyAvailable; /* peer to lower layer */
309 u8 *eapKeyData; /* peer to lower layer */
310 size_t eapKeyDataLen; /* peer to lower layer */
311 const struct eap_method *m; /* selected EAP method */
312 /* not defined in RFC 4137 */
315 struct eapol_callbacks *eapol_cb;
316 void *eap_method_priv;
320 Boolean rxResp /* LEAP only */;
323 u8 req_md5[16]; /* MD5() of the current EAP packet */
324 u8 last_md5[16]; /* MD5() of the previously received EAP packet; used
325 * in duplicate request detection. */
331 unsigned int workaround;
333 /* Optional challenges generated in Phase 1 (EAP-FAST) */
334 u8 *peer_challenge, *auth_challenge;
339 struct wps_context *wps;
344 const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len);
345 const u8 * eap_get_config_password(struct eap_sm *sm, size_t *len);
346 const u8 * eap_get_config_password2(struct eap_sm *sm, size_t *len, int *hash);
347 const u8 * eap_get_config_new_password(struct eap_sm *sm, size_t *len);
348 const u8 * eap_get_config_otp(struct eap_sm *sm, size_t *len);
349 void eap_clear_config_otp(struct eap_sm *sm);
350 const char * eap_get_config_phase1(struct eap_sm *sm);
351 const char * eap_get_config_phase2(struct eap_sm *sm);
352 int eap_get_config_fragment_size(struct eap_sm *sm);
353 struct eap_peer_config * eap_get_config(struct eap_sm *sm);
354 void eap_set_config_blob(struct eap_sm *sm, struct wpa_config_blob *blob);
355 const struct wpa_config_blob *
356 eap_get_config_blob(struct eap_sm *sm, const char *name);
357 void eap_notify_pending(struct eap_sm *sm);
358 int eap_allowed_method(struct eap_sm *sm, int vendor, u32 method);