1  /*
2   * EAP peer state machine functions (RFC 4137)
3   * Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi>
4   *
5   * This software may be distributed under the terms of the BSD license.
6   * See README for more details.
7   */
8  
9  #ifndef EAP_H
10  #define EAP_H
11  
12  #include "common/defs.h"
13  #include "eap_common/eap_defs.h"
14  #include "eap_peer/eap_methods.h"
15  
16  struct eap_sm;
17  struct wpa_config_blob;
18  struct wpabuf;
19  struct tls_cert_data;
20  
21  struct eap_method_type {
22  	int vendor;
23  	u32 method;
24  };
25  
26  #ifdef IEEE8021X_EAPOL
27  
28  /**
29   * enum eapol_bool_var - EAPOL boolean state variables for EAP state machine
30   *
31   * These variables are used in the interface between EAP peer state machine and
32   * lower layer. These are defined in RFC 4137, Sect. 4.1. Lower layer code is
33   * expected to maintain these variables and register a callback functions for
34   * EAP state machine to get and set the variables.
35   */
36  enum eapol_bool_var {
37  	/**
38  	 * EAPOL_eapSuccess - EAP SUCCESS state reached
39  	 *
40  	 * EAP state machine reads and writes this value.
41  	 */
42  	EAPOL_eapSuccess,
43  
44  	/**
45  	 * EAPOL_eapRestart - Lower layer request to restart authentication
46  	 *
47  	 * Set to true in lower layer, false in EAP state machine.
48  	 */
49  	EAPOL_eapRestart,
50  
51  	/**
52  	 * EAPOL_eapFail - EAP FAILURE state reached
53  	 *
54  	 * EAP state machine writes this value.
55  	 */
56  	EAPOL_eapFail,
57  
58  	/**
59  	 * EAPOL_eapResp - Response to send
60  	 *
61  	 * Set to true in EAP state machine, false in lower layer.
62  	 */
63  	EAPOL_eapResp,
64  
65  	/**
66  	 * EAPOL_eapNoResp - Request has been process; no response to send
67  	 *
68  	 * Set to true in EAP state machine, false in lower layer.
69  	 */
70  	EAPOL_eapNoResp,
71  
72  	/**
73  	 * EAPOL_eapReq - EAP request available from lower layer
74  	 *
75  	 * Set to true in lower layer, false in EAP state machine.
76  	 */
77  	EAPOL_eapReq,
78  
79  	/**
80  	 * EAPOL_portEnabled - Lower layer is ready for communication
81  	 *
82  	 * EAP state machines reads this value.
83  	 */
84  	EAPOL_portEnabled,
85  
86  	/**
87  	 * EAPOL_altAccept - Alternate indication of success (RFC3748)
88  	 *
89  	 * EAP state machines reads this value.
90  	 */
91  	EAPOL_altAccept,
92  
93  	/**
94  	 * EAPOL_altReject - Alternate indication of failure (RFC3748)
95  	 *
96  	 * EAP state machines reads this value.
97  	 */
98  	EAPOL_altReject,
99  
100  	/**
101  	 * EAPOL_eapTriggerStart - EAP-based trigger to send EAPOL-Start
102  	 *
103  	 * EAP state machine writes this value.
104  	 */
105  	EAPOL_eapTriggerStart
106  };
107  
108  /**
109   * enum eapol_int_var - EAPOL integer state variables for EAP state machine
110   *
111   * These variables are used in the interface between EAP peer state machine and
112   * lower layer. These are defined in RFC 4137, Sect. 4.1. Lower layer code is
113   * expected to maintain these variables and register a callback functions for
114   * EAP state machine to get and set the variables.
115   */
116  enum eapol_int_var {
117  	/**
118  	 * EAPOL_idleWhile - Outside time for EAP peer timeout
119  	 *
120  	 * This integer variable is used to provide an outside timer that the
121  	 * external (to EAP state machine) code must decrement by one every
122  	 * second until the value reaches zero. This is used in the same way as
123  	 * EAPOL state machine timers. EAP state machine reads and writes this
124  	 * value.
125  	 */
126  	EAPOL_idleWhile
127  };
128  
129  /**
130   * struct eapol_callbacks - Callback functions from EAP to lower layer
131   *
132   * This structure defines the callback functions that EAP state machine
133   * requires from the lower layer (usually EAPOL state machine) for updating
134   * state variables and requesting information. eapol_ctx from
135   * eap_peer_sm_init() call will be used as the ctx parameter for these
136   * callback functions.
137   */
138  struct eapol_callbacks {
139  	/**
140  	 * get_config - Get pointer to the current network configuration
141  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
142  	 */
143  	struct eap_peer_config * (*get_config)(void *ctx);
144  
145  	/**
146  	 * get_bool - Get a boolean EAPOL state variable
147  	 * @variable: EAPOL boolean variable to get
148  	 * Returns: Value of the EAPOL variable
149  	 */
150  	bool (*get_bool)(void *ctx, enum eapol_bool_var variable);
151  
152  	/**
153  	 * set_bool - Set a boolean EAPOL state variable
154  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
155  	 * @variable: EAPOL boolean variable to set
156  	 * @value: Value for the EAPOL variable
157  	 */
158  	void (*set_bool)(void *ctx, enum eapol_bool_var variable, bool value);
159  
160  	/**
161  	 * get_int - Get an integer EAPOL state variable
162  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
163  	 * @variable: EAPOL integer variable to get
164  	 * Returns: Value of the EAPOL variable
165  	 */
166  	unsigned int (*get_int)(void *ctx, enum eapol_int_var variable);
167  
168  	/**
169  	 * set_int - Set an integer EAPOL state variable
170  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
171  	 * @variable: EAPOL integer variable to set
172  	 * @value: Value for the EAPOL variable
173  	 */
174  	void (*set_int)(void *ctx, enum eapol_int_var variable,
175  			unsigned int value);
176  
177  	/**
178  	 * get_eapReqData - Get EAP-Request data
179  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
180  	 * @len: Pointer to variable that will be set to eapReqDataLen
181  	 * Returns: Reference to eapReqData (EAP state machine will not free
182  	 * this) or %NULL if eapReqData not available.
183  	 */
184  	struct wpabuf * (*get_eapReqData)(void *ctx);
185  
186  	/**
187  	 * set_config_blob - Set named configuration blob
188  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
189  	 * @blob: New value for the blob
190  	 *
191  	 * Adds a new configuration blob or replaces the current value of an
192  	 * existing blob.
193  	 */
194  	void (*set_config_blob)(void *ctx, struct wpa_config_blob *blob);
195  
196  	/**
197  	 * get_config_blob - Get a named configuration blob
198  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
199  	 * @name: Name of the blob
200  	 * Returns: Pointer to blob data or %NULL if not found
201  	 */
202  	const struct wpa_config_blob * (*get_config_blob)(void *ctx,
203  							  const char *name);
204  
205  	/**
206  	 * notify_pending - Notify that a pending request can be retried
207  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
208  	 *
209  	 * An EAP method can perform a pending operation (e.g., to get a
210  	 * response from an external process). Once the response is available,
211  	 * this callback function can be used to request EAPOL state machine to
212  	 * retry delivering the previously received (and still unanswered) EAP
213  	 * request to EAP state machine.
214  	 */
215  	void (*notify_pending)(void *ctx);
216  
217  	/**
218  	 * eap_param_needed - Notify that EAP parameter is needed
219  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
220  	 * @field: Field indicator (e.g., WPA_CTRL_REQ_EAP_IDENTITY)
221  	 * @txt: User readable text describing the required parameter
222  	 */
223  	void (*eap_param_needed)(void *ctx, enum wpa_ctrl_req_type field,
224  				 const char *txt);
225  
226  	/**
227  	 * notify_cert - Notification of a peer certificate
228  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
229  	 * @cert: Certificate information
230  	 * @cert_hash: SHA-256 hash of the certificate
231  	 */
232  	void (*notify_cert)(void *ctx, struct tls_cert_data *cert,
233  			    const char *cert_hash);
234  
235  	/**
236  	 * notify_status - Notification of the current EAP state
237  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
238  	 * @status: Step in the process of EAP authentication
239  	 * @parameter: Step-specific parameter, e.g., EAP method name
240  	 */
241  	void (*notify_status)(void *ctx, const char *status,
242  			      const char *parameter);
243  
244  	/**
245  	 * notify_eap_error - Report EAP method error code
246  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
247  	 * @error_code: Error code from the used EAP method
248  	 */
249  	void (*notify_eap_error)(void *ctx, int error_code);
250  
251  #ifdef CONFIG_EAP_PROXY
252  	/**
253  	 * eap_proxy_cb - Callback signifying any updates from eap_proxy
254  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
255  	 */
256  	void (*eap_proxy_cb)(void *ctx);
257  
258  	/**
259  	 * eap_proxy_notify_sim_status - Notification of SIM status change
260  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
261  	 * @sim_state: One of enum value from sim_state
262  	 */
263  	void (*eap_proxy_notify_sim_status)(void *ctx,
264  					    enum eap_proxy_sim_state sim_state);
265  
266  	/**
267  	 * get_imsi - Get the IMSI value from eap_proxy
268  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
269  	 * @sim_num: SIM/USIM number to get the IMSI value for
270  	 * @imsi: Buffer for IMSI value
271  	 * @len: Buffer for returning IMSI length in octets
272  	 * Returns: MNC length (2 or 3) or -1 on error
273  	 */
274  	int (*get_imsi)(void *ctx, int sim_num, char *imsi, size_t *len);
275  #endif /* CONFIG_EAP_PROXY */
276  
277  	/**
278  	 * set_anon_id - Set or add anonymous identity
279  	 * @ctx: eapol_ctx from eap_peer_sm_init() call
280  	 * @id: Anonymous identity (e.g., EAP-SIM pseudonym) or %NULL to clear
281  	 * @len: Length of anonymous identity in octets
282  	 */
283  	void (*set_anon_id)(void *ctx, const u8 *id, size_t len);
284  };
285  
286  /**
287   * struct eap_config - Configuration for EAP state machine
288   */
289  struct eap_config {
290  	/**
291  	 * opensc_engine_path - OpenSC engine for OpenSSL engine support
292  	 *
293  	 * Usually, path to engine_opensc.so.
294  	 */
295  	const char *opensc_engine_path;
296  	/**
297  	 * pkcs11_engine_path - PKCS#11 engine for OpenSSL engine support
298  	 *
299  	 * Usually, path to engine_pkcs11.so.
300  	 */
301  	const char *pkcs11_engine_path;
302  	/**
303  	 * pkcs11_module_path - OpenSC PKCS#11 module for OpenSSL engine
304  	 *
305  	 * Usually, path to opensc-pkcs11.so.
306  	 */
307  	const char *pkcs11_module_path;
308  	/**
309  	 * openssl_ciphers - OpenSSL cipher string
310  	 *
311  	 * This is an OpenSSL specific configuration option for configuring the
312  	 * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
313  	 * default.
314  	 */
315  	const char *openssl_ciphers;
316  	/**
317  	 * wps - WPS context data
318  	 *
319  	 * This is only used by EAP-WSC and can be left %NULL if not available.
320  	 */
321  	struct wps_context *wps;
322  
323  	/**
324  	 * cert_in_cb - Include server certificates in callback
325  	 */
326  	int cert_in_cb;
327  };
328  
329  struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
330  				 const struct eapol_callbacks *eapol_cb,
331  				 void *msg_ctx, struct eap_config *conf);
332  void eap_peer_sm_deinit(struct eap_sm *sm);
333  int eap_peer_sm_step(struct eap_sm *sm);
334  void eap_sm_abort(struct eap_sm *sm);
335  int eap_sm_get_status(struct eap_sm *sm, char *buf, size_t buflen,
336  		      int verbose);
337  const char * eap_sm_get_method_name(struct eap_sm *sm);
338  struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted);
339  void eap_sm_request_identity(struct eap_sm *sm);
340  void eap_sm_request_password(struct eap_sm *sm);
341  void eap_sm_request_new_password(struct eap_sm *sm);
342  void eap_sm_request_pin(struct eap_sm *sm);
343  void eap_sm_request_otp(struct eap_sm *sm, const char *msg, size_t msg_len);
344  void eap_sm_request_passphrase(struct eap_sm *sm);
345  void eap_sm_request_sim(struct eap_sm *sm, const char *req);
346  void eap_sm_notify_ctrl_attached(struct eap_sm *sm);
347  u32 eap_get_phase2_type(const char *name, int *vendor);
348  struct eap_method_type * eap_get_phase2_types(struct eap_peer_config *config,
349  					      size_t *count);
350  void eap_set_fast_reauth(struct eap_sm *sm, int enabled);
351  void eap_set_workaround(struct eap_sm *sm, unsigned int workaround);
352  void eap_set_force_disabled(struct eap_sm *sm, int disabled);
353  void eap_set_external_sim(struct eap_sm *sm, int external_sim);
354  int eap_key_available(struct eap_sm *sm);
355  void eap_notify_success(struct eap_sm *sm);
356  void eap_notify_lower_layer_success(struct eap_sm *sm);
357  const u8 * eap_get_eapSessionId(struct eap_sm *sm, size_t *len);
358  const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len);
359  struct wpabuf * eap_get_eapRespData(struct eap_sm *sm);
360  void eap_register_scard_ctx(struct eap_sm *sm, void *ctx);
361  void eap_invalidate_cached_session(struct eap_sm *sm);
362  
363  int eap_is_wps_pbc_enrollee(struct eap_peer_config *conf);
364  int eap_is_wps_pin_enrollee(struct eap_peer_config *conf);
365  
366  struct ext_password_data;
367  void eap_sm_set_ext_pw_ctx(struct eap_sm *sm, struct ext_password_data *ext);
368  void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len);
369  int eap_peer_was_failure_expected(struct eap_sm *sm);
370  void eap_peer_erp_free_keys(struct eap_sm *sm);
371  struct wpabuf * eap_peer_build_erp_reauth_start(struct eap_sm *sm, u8 eap_id);
372  void eap_peer_finish(struct eap_sm *sm, const struct eap_hdr *hdr, size_t len);
373  int eap_peer_get_erp_info(struct eap_sm *sm, struct eap_peer_config *config,
374  			  const u8 **username, size_t *username_len,
375  			  const u8 **realm, size_t *realm_len, u16 *erp_seq_num,
376  			  const u8 **rrk, size_t *rrk_len);
377  int eap_peer_update_erp_next_seq_num(struct eap_sm *sm, u16 seq_num);
378  void eap_peer_erp_init(struct eap_sm *sm, u8 *ext_session_id,
379  		       size_t ext_session_id_len, u8 *ext_emsk,
380  		       size_t ext_emsk_len);
381  
382  #endif /* IEEE8021X_EAPOL */
383  
384  #endif /* EAP_H */
385