1 /* 2 * hostapd / EAP Authenticator state machine internal structures (RFC 4137) 3 * Copyright (c) 2004-2007, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #ifndef EAP_I_H 10 #define EAP_I_H 11 12 #include "wpabuf.h" 13 #include "eap_server/eap.h" 14 #include "eap_common/eap_common.h" 15 16 /* RFC 4137 - EAP Standalone Authenticator */ 17 18 /** 19 * struct eap_method - EAP method interface 20 * This structure defines the EAP method interface. Each method will need to 21 * register its own EAP type, EAP name, and set of function pointers for method 22 * specific operations. This interface is based on section 5.4 of RFC 4137. 23 */ 24 struct eap_method { 25 int vendor; 26 EapType method; 27 const char *name; 28 29 void * (*init)(struct eap_sm *sm); 30 void * (*initPickUp)(struct eap_sm *sm); 31 void (*reset)(struct eap_sm *sm, void *priv); 32 33 struct wpabuf * (*buildReq)(struct eap_sm *sm, void *priv, u8 id); 34 int (*getTimeout)(struct eap_sm *sm, void *priv); 35 Boolean (*check)(struct eap_sm *sm, void *priv, 36 struct wpabuf *respData); 37 void (*process)(struct eap_sm *sm, void *priv, 38 struct wpabuf *respData); 39 Boolean (*isDone)(struct eap_sm *sm, void *priv); 40 u8 * (*getKey)(struct eap_sm *sm, void *priv, size_t *len); 41 /* isSuccess is not specified in draft-ietf-eap-statemachine-05.txt, 42 * but it is useful in implementing Policy.getDecision() */ 43 Boolean (*isSuccess)(struct eap_sm *sm, void *priv); 44 45 /** 46 * free - Free EAP method data 47 * @method: Pointer to the method data registered with 48 * eap_server_method_register(). 49 * 50 * This function will be called when the EAP method is being 51 * unregistered. If the EAP method allocated resources during 52 * registration (e.g., allocated struct eap_method), they should be 53 * freed in this function. No other method functions will be called 54 * after this call. If this function is not defined (i.e., function 55 * pointer is %NULL), a default handler is used to release the method 56 * data with free(method). This is suitable for most cases. 57 */ 58 void (*free)(struct eap_method *method); 59 60 #define EAP_SERVER_METHOD_INTERFACE_VERSION 1 61 /** 62 * version - Version of the EAP server method interface 63 * 64 * The EAP server method implementation should set this variable to 65 * EAP_SERVER_METHOD_INTERFACE_VERSION. This is used to verify that the 66 * EAP method is using supported API version when using dynamically 67 * loadable EAP methods. 68 */ 69 int version; 70 71 /** 72 * next - Pointer to the next EAP method 73 * 74 * This variable is used internally in the EAP method registration code 75 * to create a linked list of registered EAP methods. 76 */ 77 struct eap_method *next; 78 79 /** 80 * get_emsk - Get EAP method specific keying extended material (EMSK) 81 * @sm: Pointer to EAP state machine allocated with eap_sm_init() 82 * @priv: Pointer to private EAP method data from eap_method::init() 83 * @len: Pointer to a variable to store EMSK length 84 * Returns: EMSK or %NULL if not available 85 * 86 * This function can be used to get the extended keying material from 87 * the EAP method. The key may already be stored in the method-specific 88 * private data or this function may derive the key. 89 */ 90 u8 * (*get_emsk)(struct eap_sm *sm, void *priv, size_t *len); 91 92 /** 93 * getSessionId - Get EAP method specific Session-Id 94 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init() 95 * @priv: Pointer to private EAP method data from eap_method::init() 96 * @len: Pointer to a variable to store Session-Id length 97 * Returns: Session-Id or %NULL if not available 98 * 99 * This function can be used to get the Session-Id from the EAP method. 100 * The Session-Id may already be stored in the method-specific private 101 * data or this function may derive the Session-Id. 102 */ 103 u8 * (*getSessionId)(struct eap_sm *sm, void *priv, size_t *len); 104 }; 105 106 /** 107 * struct eap_sm - EAP server state machine data 108 */ 109 struct eap_sm { 110 enum { 111 EAP_DISABLED, EAP_INITIALIZE, EAP_IDLE, EAP_RECEIVED, 112 EAP_INTEGRITY_CHECK, EAP_METHOD_RESPONSE, EAP_METHOD_REQUEST, 113 EAP_PROPOSE_METHOD, EAP_SELECT_ACTION, EAP_SEND_REQUEST, 114 EAP_DISCARD, EAP_NAK, EAP_RETRANSMIT, EAP_SUCCESS, EAP_FAILURE, 115 EAP_TIMEOUT_FAILURE, EAP_PICK_UP_METHOD, 116 EAP_INITIALIZE_PASSTHROUGH, EAP_IDLE2, EAP_RETRANSMIT2, 117 EAP_RECEIVED2, EAP_DISCARD2, EAP_SEND_REQUEST2, 118 EAP_AAA_REQUEST, EAP_AAA_RESPONSE, EAP_AAA_IDLE, 119 EAP_TIMEOUT_FAILURE2, EAP_FAILURE2, EAP_SUCCESS2, 120 EAP_INITIATE_REAUTH_START, EAP_INITIATE_RECEIVED 121 } EAP_state; 122 123 /* Constants */ 124 int MaxRetrans; 125 126 struct eap_eapol_interface eap_if; 127 128 /* Full authenticator state machine local variables */ 129 130 /* Long-term (maintained between packets) */ 131 EapType currentMethod; 132 int currentId; 133 enum { 134 METHOD_PROPOSED, METHOD_CONTINUE, METHOD_END 135 } methodState; 136 int retransCount; 137 struct wpabuf *lastReqData; 138 int methodTimeout; 139 140 /* Short-term (not maintained between packets) */ 141 Boolean rxResp; 142 Boolean rxInitiate; 143 int respId; 144 EapType respMethod; 145 int respVendor; 146 u32 respVendorMethod; 147 Boolean ignore; 148 enum { 149 DECISION_SUCCESS, DECISION_FAILURE, DECISION_CONTINUE, 150 DECISION_PASSTHROUGH, DECISION_INITIATE_REAUTH_START 151 } decision; 152 153 /* Miscellaneous variables */ 154 const struct eap_method *m; /* selected EAP method */ 155 /* not defined in RFC 4137 */ 156 Boolean changed; 157 void *eapol_ctx, *msg_ctx; 158 const struct eapol_callbacks *eapol_cb; 159 void *eap_method_priv; 160 u8 *identity; 161 size_t identity_len; 162 /* Whether Phase 2 method should validate identity match */ 163 int require_identity_match; 164 int lastId; /* Identifier used in the last EAP-Packet */ 165 struct eap_user *user; 166 int user_eap_method_index; 167 int init_phase2; 168 void *ssl_ctx; 169 struct eap_sim_db_data *eap_sim_db_priv; 170 Boolean backend_auth; 171 Boolean update_user; 172 int eap_server; 173 174 int num_rounds; 175 enum { 176 METHOD_PENDING_NONE, METHOD_PENDING_WAIT, METHOD_PENDING_CONT 177 } method_pending; 178 179 u8 *auth_challenge; 180 u8 *peer_challenge; 181 182 u8 *pac_opaque_encr_key; 183 u8 *eap_fast_a_id; 184 size_t eap_fast_a_id_len; 185 char *eap_fast_a_id_info; 186 enum { 187 NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV 188 } eap_fast_prov; 189 int pac_key_lifetime; 190 int pac_key_refresh_time; 191 int eap_sim_aka_result_ind; 192 int tnc; 193 u16 pwd_group; 194 struct wps_context *wps; 195 struct wpabuf *assoc_wps_ie; 196 struct wpabuf *assoc_p2p_ie; 197 198 Boolean start_reauth; 199 200 u8 peer_addr[ETH_ALEN]; 201 202 /* Fragmentation size for EAP method init() handler */ 203 int fragment_size; 204 205 int pbc_in_m1; 206 207 const u8 *server_id; 208 size_t server_id_len; 209 210 Boolean initiate_reauth_start_sent; 211 Boolean try_initiate_reauth; 212 int erp; 213 unsigned int tls_session_lifetime; 214 unsigned int tls_flags; 215 216 #ifdef CONFIG_TESTING_OPTIONS 217 u32 tls_test_flags; 218 #endif /* CONFIG_TESTING_OPTIONS */ 219 }; 220 221 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len, 222 int phase2); 223 void eap_log_msg(struct eap_sm *sm, const char *fmt, ...) 224 PRINTF_FORMAT(2, 3); 225 void eap_sm_process_nak(struct eap_sm *sm, const u8 *nak_list, size_t len); 226 227 #endif /* EAP_I_H */ 228
