
Lines Matching refs:EAP

2  * EAP peer state machines (RFC 4137)
33 #define STATE_MACHINE_DEBUG_PREFIX "EAP"
91 wpa_printf(MSG_DEBUG, "EAP: Status notification: %s (param=%s)",
115 wpa_printf(MSG_DEBUG, "EAP: deinitialize previously used EAP method "
124 * eap_allowed_method - Check whether EAP method is allowed
125 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
127 * @method: EAP type
128 * Returns: 1 = allowed EAP method, 0 = not allowed
154 SM_STATE(EAP, INITIALIZE)
156 SM_ENTRY(EAP, INITIALIZE);
161 wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
182 * the first EAP-Packet */
214 SM_STATE(EAP, DISABLED)
216 SM_ENTRY(EAP, DISABLED);
220 * allows the timer tick to be stopped more quickly when EAP is not in
232 SM_STATE(EAP, IDLE)
234 SM_ENTRY(EAP, IDLE);
239 * This state is entered when an EAP packet is received (eapReq == TRUE) to
242 SM_STATE(EAP, RECEIVED)
246 SM_ENTRY(EAP, RECEIVED);
258 SM_STATE(EAP, GET_METHOD)
264 SM_ENTRY(EAP, GET_METHOD);
274 wpa_printf(MSG_DEBUG, "EAP: vendor %u method %u not allowed",
302 wpa_printf(MSG_DEBUG, "EAP: Using previous method data"
314 wpa_printf(MSG_DEBUG, "EAP: Could not find selected method: "
322 wpa_printf(MSG_DEBUG, "EAP: Initialize selected EAP method: "
337 "EAP: Failed to initialize EAP method: vendor %u "
349 * current EAP packet.
351 wpa_printf(MSG_DEBUG, "EAP: Pending PIN/passphrase "
361 "EAP vendor %u method %u (%s) selected",
466 wpa_printf(MSG_DEBUG, "EAP: Delete old ERP key %s",
502 wpa_printf(MSG_DEBUG, "EAP: Realm for ERP keyName-NAI: %s", realm);
512 "EAP: Too long realm for ERP keyName-NAI maximum length");
523 "EAP: No suitable EMSK available for ERP");
527 wpa_hexdump_key(MSG_DEBUG, "EAP: EMSK", emsk, emsk_len);
533 wpa_printf(MSG_DEBUG, "EAP: Could not derive EMSKname");
536 wpa_hexdump(MSG_DEBUG, "EAP: EMSKname", EMSKname, EAP_EMSK_NAME_LEN);
545 "EAP Re-authentication Root Key@ietf.org",
547 wpa_printf(MSG_DEBUG, "EAP: Could not derive rRK for ERP");
551 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
558 wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
562 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rIK", erp->rIK, erp->rIK_len);
564 wpa_printf(MSG_DEBUG, "EAP: Stored ERP keys %s", erp->keyname_nai);
598 EAP: Valid ERP key found %s (SEQ=%u)",
626 wpa_hexdump_buf(MSG_DEBUG, "ERP: EAP-Initiate/Re-auth", msg);
640 wpa_printf(MSG_DEBUG, "EAP: Sending EAP-Initiate/Re-auth");
653 SM_STATE(EAP, METHOD)
659 SM_ENTRY(EAP, METHOD);
661 wpa_printf(MSG_WARNING, "EAP::METHOD - method not selected");
667 min_len = 0; /* LEAP uses EAP-Success without payload */
675 * a single function call to m->process() in order to optimize EAP
694 wpa_printf(MSG_DEBUG, "EAP: method process -> ignore=%s "
721 wpa_hexdump(MSG_DEBUG, "EAP: Session-Id",
734 SM_STATE(EAP, SEND_RESPONSE)
736 SM_ENTRY(EAP, SEND_RESPONSE);
745 wpa_printf(MSG_DEBUG, "EAP: No eapRespData available");
758 SM_STATE(EAP, DISCARD)
760 SM_ENTRY(EAP, DISCARD);
769 SM_STATE(EAP, IDENTITY)
773 SM_ENTRY(EAP, IDENTITY);
787 SM_STATE(EAP, NOTIFICATION)
791 SM_ENTRY(EAP, NOTIFICATION);
805 SM_STATE(EAP, RETRANSMIT)
807 SM_ENTRY(EAP, RETRANSMIT);
818 * and state machine waits here until port is disabled or EAP authentication is
821 SM_STATE(EAP, SUCCESS)
823 SM_ENTRY(EAP, SUCCESS);
839 * processing the received EAP frame.
844 "EAP authentication completed successfully");
850 * until port is disabled or EAP authentication is restarted.
852 SM_STATE(EAP, FAILURE)
854 SM_ENTRY(EAP, FAILURE);
866 * eapNoResp is required to be set after processing the received EAP
872 "EAP authentication failed");
882 * EAP-Success/Failure with lastId + 1 even though RFC 3748 and
884 * Ringmaster v2.1.2.0 would be using lastId + 2 in EAP-Success.
886 * Accept this kind of Id if EAP workarounds are enabled. These are
888 * security implications (bit easier to fake EAP-Success/Failure).
892 wpa_printf(MSG_DEBUG, "EAP: Workaround for unexpected "
893 "identifier field in EAP Success: "
898 wpa_printf(MSG_DEBUG, "EAP: EAP-Success Id mismatch - reqId=%d "
905 * RFC 4137 - Appendix A.1: EAP Peer State Machine - State transitions
913 * not sending EAP-Success in some cases.
916 SM_ENTER(EAP, RECEIVED);
921 SM_ENTER(EAP, SUCCESS);
928 SM_ENTER(EAP, FAILURE);
932 SM_ENTER(EAP, SUCCESS);
936 SM_ENTER(EAP, SUCCESS);
949 * duplicate EAP requests. However, this misses cases where the
955 wpa_printf(MSG_DEBUG, "EAP: AS used the same Id again, but "
956 "EAP packets were not identical");
957 wpa_printf(MSG_DEBUG, "EAP: workaround - assume this is not a "
981 * odd LEAP behavior (EAP-Success in the middle of authentication and
987 SM_ENTER(EAP, SUCCESS);
990 SM_ENTER(EAP, SUCCESS); /* EAP-Success prior any EAP method */
994 SM_ENTER(EAP, FAILURE); /* EAP-Failure prior any EAP method */
998 SM_ENTER(EAP, SUCCESS); /* EAP-Success after Identity */
1007 SM_ENTER(EAP, FAILURE);
1009 SM_ENTER(EAP, RETRANSMIT);
1013 SM_ENTER(EAP, NOTIFICATION);
1017 SM_ENTER(EAP, IDENTITY);
1022 SM_ENTER(EAP, GET_METHOD);
1026 SM_ENTER(EAP, METHOD);
1029 SM_ENTER(EAP, METHOD);
1031 SM_ENTER(EAP, SEND_RESPONSE);
1033 SM_ENTER(EAP, DISCARD);
1041 SM_ENTER(EAP, IDLE);
1046 SM_ENTER(EAP, INITIALIZE);
1056 SM_ENTER(EAP, METHOD);
1058 SM_ENTER(EAP, SEND_RESPONSE);
1064 * final EAP method response to be sent without having to change
1067 * expected response is EAP-Failure.
1070 SM_ENTER(EAP, DISCARD);
1073 SM_ENTER(EAP, FAILURE);
1075 SM_ENTER(EAP, SEND_RESPONSE);
1078 SM_ENTER(EAP, IDLE);
1081 SM_ENTER(EAP, IDLE);
1084 SM_ENTER(EAP, SEND_RESPONSE);
1087 SM_ENTER(EAP, SEND_RESPONSE);
1090 SM_ENTER(EAP, SEND_RESPONSE);
1100 SM_STEP(EAP)
1105 SM_ENTER_GLOBAL(EAP, INITIALIZE);
1107 SM_ENTER_GLOBAL(EAP, DISABLED);
1109 /* RFC 4137 does not place any limit on number of EAP messages
1111 * ended up in a state where EAP messages were sent between the
1114 * total number of EAP round-trips and abort authentication if
1118 wpa_msg(sm->msg_ctx, MSG_INFO, "EAP: more than %d "
1122 SM_ENTER_GLOBAL(EAP, FAILURE);
1135 wpa_printf(MSG_DEBUG, "EAP: configuration does not allow: "
1141 wpa_printf(MSG_DEBUG, "EAP: not included in build: "
1155 wpa_printf(MSG_DEBUG, "EAP: Building expanded EAP-Nak");
1171 wpa_printf(MSG_DEBUG, "EAP: allowed type: "
1182 wpa_printf(MSG_DEBUG, "EAP: no more allowed methods");
1202 wpa_printf(MSG_DEBUG, "EAP: Building EAP-Nak (requested type %u "
1235 wpa_hexdump(MSG_DEBUG, "EAP: allowed methods", start, found);
1249 "EAP authentication started");
1261 * displayed. Some EAP implementations may piggy-back additional
1266 wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Request Identity data",
1438 * eap_sm_buildIdentity - Build EAP-Identity/Response for the current network
1439 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
1440 * @id: EAP identifier for the packet
1441 * @encrypted: Whether the packet is for encrypted tunnel (EAP phase 2)
1442 * Returns: Pointer to the allocated EAP-Identity/Response packet or %NULL on
1445 * This function allocates and builds an EAP-Identity/Response packet for the
1456 wpa_printf(MSG_WARNING, "EAP: buildIdentity: configuration "
1464 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using method re-auth "
1469 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using anonymous identity",
1474 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using real identity",
1496 "EAP: buildIdentity: identity configuration was not available");
1522 wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Request Notification data",
1539 wpa_printf(MSG_DEBUG, "EAP: Generating EAP-Response Notification");
1554 wpa_printf(MSG_DEBUG, "EAP: Ignored too short EAP-Initiate");
1560 "EAP: Ignored unexpected EAP-Initiate Type=%u",
1568 "EAP: Too short EAP-Initiate/Re-auth-Start");
1572 wpa_hexdump(MSG_DEBUG, "EAP: EAP-Initiate/Re-auth-Start TVs/TLVs",
1580 "EAP: EAP-Initiate/Re-auth-Start - Domain name",
1591 "EAP: EAP-Initiate/Re-auth-Start - No suitable ERP keys available - try to start full EAP authentication");
1614 wpa_printf(MSG_DEBUG, "EAP: Ignored too short EAP-Finish");
1620 "EAP: Ignored unexpected EAP-Finish Type=%u", *pos);
1626 "EAP: Ignored too short EAP-Finish/Re-auth");
1634 wpa_printf(MSG_DEBUG, "EAP: Flags=0x%x SEQ=%u", flags, seq);
1638 "EAP: Unexpected EAP-Finish/Re-auth SEQ=%u", seq);
1653 "EAP: No keyName-NAI in EAP-Finish/Re-auth Packet");
1657 wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Finish/Re-auth - keyName-NAI",
1661 "EAP: Too long keyName-NAI in EAP-Finish/Re-auth");
1669 wpa_printf(MSG_DEBUG, "EAP: No matching ERP key found for %s",
1680 "EAP: Not enough room for Authentication Tag");
1686 wpa_printf(MSG_DEBUG, "EAP: Different Cryptosuite used");
1697 "EAP: Authentication Tag mismatch");
1708 wpa_hexdump(MSG_DEBUG, "EAP: EAP-Finish/Re-Auth TVs/TLVs",
1715 "EAP: EAP-Finish/Re-auth indicated failure");
1720 "EAP authentication failed");
1723 "EAP: Drop ERP key to try full authentication on next attempt");
1741 wpa_printf(MSG_DEBUG, "EAP: Could not derive rMSK for ERP");
1745 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rMSK",
1752 "EAP re-authentication completed successfully");
1775 wpa_printf(MSG_DEBUG, "EAP: Ignored truncated EAP-Packet "
1793 wpa_printf(MSG_DEBUG, "EAP: Too short EAP-Request - "
1802 wpa_printf(MSG_DEBUG, "EAP: Ignored truncated "
1803 "expanded EAP-Packet (plen=%lu)",
1811 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Request id=%d "
1821 * need to accept EAP-Response frames if LEAP is used.
1824 wpa_printf(MSG_DEBUG, "EAP: Too short "
1825 "EAP-Response - no Type field");
1831 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Response for "
1836 wpa_printf(MSG_DEBUG, "EAP: Ignored EAP-Response");
1839 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Success");
1844 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Failure");
1855 wpa_printf(MSG_DEBUG, "EAP: Ignored EAP-Packet with unknown "
1924 * eap_peer_sm_init - Allocate and initialize EAP peer state machine
1928 * @conf: EAP configuration
1929 * Returns: Pointer to the allocated EAP state machine or %NULL on failure
1931 * This function allocates and initializes an EAP state machine. In addition,
1932 * this initializes TLS library for the new EAP state machine. eapol_cb pointer
1933 * will be in use until eap_peer_sm_deinit() is used to deinitialize this EAP
1935 * structure remains alive while the EAP state machine is active.
1985 * eap_peer_sm_deinit - Deinitialize and free an EAP peer state machine
1986 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
1988 * This function deinitializes EAP state machine and frees all allocated
1995 eap_deinit_prev_method(sm, "EAP deinit");
2006 * eap_peer_sm_step - Step EAP peer state machine
2007 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2008 * Returns: 1 if EAP state was changed or 0 if not
2010 * This function advances EAP state machine to a new state to match with the
2011 * current variables. This should be called whenever variables used by the EAP
2019 SM_STEP_RUN(EAP);
2028 * eap_sm_abort - Abort EAP authentication
2029 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2032 * session without fully deinitializing the EAP state machine.
2044 /* This is not clearly specified in the EAP statemachines draft, but
2127 * eap_sm_get_status - Get EAP state machine status
2128 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2134 * Query EAP state machine for status information. This function fills in a
2147 "EAP state=%s\n",
2166 "selectedMethod=%d (EAP-%s)\n",
2274 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2276 * EAP methods can call this function to request identity information for the
2289 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2291 * EAP methods can call this function to request password information for the
2304 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2306 * EAP methods can call this function to request new password information for
2307 * the current network. This is normally called when the EAP method indicates
2319 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2321 * EAP methods can call this function to request SIM or smart card PIN
2334 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2338 * EAP methods can call this function to request one-time password (OTP) for
2350 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2352 * EAP methods can call this function to request passphrase for a private key
2365 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2366 * @req: EAP method specific request
2376 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2378 * Notify EAP state machines that a monitor was attached to the control
2389 * interface was added. This handles cases where the EAP authentication
2417 * eap_get_phase2_type - Get EAP type for the given EAP phase 2 method name
2418 * @name: EAP method name, e.g., MD5
2419 * @vendor: Buffer for returning EAP Vendor-Id
2420 * Returns: EAP method type or %EAP_TYPE_NONE if not found
2422 * This function maps EAP type names into EAP type numbers that are allowed for
2424 * EAP-PEAP, EAP-TTLS, and EAP-FAST.
2440 * eap_get_phase2_types - Get list of allowed EAP phase 2 types
2442 * @count: Pointer to a variable to be filled with number of returned EAP types
2445 * This function generates an array of allowed EAP phase 2 (tunneled) types for
2485 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2495 * eap_set_workaround - Update EAP workarounds setting
2496 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2497 * @workaround: 1 = Enable EAP workarounds, 0 = Disable EAP workarounds
2507 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2510 * EAP peer methods should avoid using this function if they can use other
2523 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2560 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2584 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2615 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2631 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2647 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2667 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2681 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2704 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2705 * Returns: 1 if EAP keying material is available, 0 if not
2714 * eap_notify_success - Notify EAP state machine about external success trigger
2715 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2718 * WPA-PSK key handshake, is indicating that EAP state machine should move to
2719 * success state. This is mainly used with security modes that do not use EAP
2733 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2735 * Notify EAP state machines that a lower layer has detected a successful
2736 * authentication. This is used to recover from dropped EAP-Success messages.
2753 "EAP authentication completed successfully (based on lower "
2759 * eap_get_eapSessionId - Get Session-Id from EAP state machine
2760 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2762 * Returns: Pointer to the EAP Session-Id or %NULL on failure
2764 * Fetch EAP Session-Id from the EAP state machine. The Session-Id is available
2765 * only after a successful authentication. EAP state machine continues to manage
2781 * eap_get_eapKeyData - Get master session key (MSK) from EAP state machine
2782 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2784 * Returns: Pointer to the EAP keying data or %NULL on failure
2786 * Fetch EAP keying material (MSK, eapKeyData) from the EAP state machine. The
2787 * key is available only after a successful authentication. EAP state machine
2804 * eap_get_eapKeyData - Get EAP response data
2805 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2806 * Returns: Pointer to the EAP response (eapRespData) or %NULL on failure
2808 * Fetch EAP response (eapRespData) from the EAP state machine. This data is
2809 * available when EAP state machine has processed an incoming EAP request. The
2810 * EAP state machine does not maintain a reference to the response after this
2829 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2832 * Notify EAP state machines of context data for smart card operations. This
2844 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2860 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2877 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2878 * @disabled: 1 = EAP disabled, 0 = EAP enabled
2880 * This function is used to force EAP state machine to be disabled when it is
2891 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2901 * eap_notify_pending - Notify that EAP method is ready to re-process a request
2902 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2904 * An EAP method can perform a pending operation (e.g., to get a response from
2907 * received (and still unanswered) EAP request to EAP state machine.
2917 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2962 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2963 * @id: Anonymous identity (e.g., EAP-SIM pseudonym) or %NULL to clear