1/*
2 * hostapd / EAP Authenticator state machine internal structures (RFC 4137)
3 * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#ifndef EAP_I_H
10#define EAP_I_H
11
12#include "wpabuf.h"
13#include "eap_server/eap.h"
14#include "eap_common/eap_common.h"
15
16/* RFC 4137 - EAP Standalone Authenticator */
17
18/**
19 * struct eap_method - EAP method interface
20 * This structure defines the EAP method interface. Each method will need to
21 * register its own EAP type, EAP name, and set of function pointers for method
22 * specific operations. This interface is based on section 5.4 of RFC 4137.
23 */
24struct eap_method {
25	int vendor;
26	EapType method;
27	const char *name;
28
29	void * (*init)(struct eap_sm *sm);
30	void * (*initPickUp)(struct eap_sm *sm);
31	void (*reset)(struct eap_sm *sm, void *priv);
32
33	struct wpabuf * (*buildReq)(struct eap_sm *sm, void *priv, u8 id);
34	int (*getTimeout)(struct eap_sm *sm, void *priv);
35	Boolean (*check)(struct eap_sm *sm, void *priv,
36			 struct wpabuf *respData);
37	void (*process)(struct eap_sm *sm, void *priv,
38			struct wpabuf *respData);
39	Boolean (*isDone)(struct eap_sm *sm, void *priv);
40	u8 * (*getKey)(struct eap_sm *sm, void *priv, size_t *len);
41	/* isSuccess is not specified in draft-ietf-eap-statemachine-05.txt,
42	 * but it is useful in implementing Policy.getDecision() */
43	Boolean (*isSuccess)(struct eap_sm *sm, void *priv);
44
45	/**
46	 * free - Free EAP method data
47	 * @method: Pointer to the method data registered with
48	 * eap_server_method_register().
49	 *
50	 * This function will be called when the EAP method is being
51	 * unregistered. If the EAP method allocated resources during
52	 * registration (e.g., allocated struct eap_method), they should be
53	 * freed in this function. No other method functions will be called
54	 * after this call. If this function is not defined (i.e., function
55	 * pointer is %NULL), a default handler is used to release the method
56	 * data with free(method). This is suitable for most cases.
57	 */
58	void (*free)(struct eap_method *method);
59
60#define EAP_SERVER_METHOD_INTERFACE_VERSION 1
61	/**
62	 * version - Version of the EAP server method interface
63	 *
64	 * The EAP server method implementation should set this variable to
65	 * EAP_SERVER_METHOD_INTERFACE_VERSION. This is used to verify that the
66	 * EAP method is using supported API version when using dynamically
67	 * loadable EAP methods.
68	 */
69	int version;
70
71	/**
72	 * next - Pointer to the next EAP method
73	 *
74	 * This variable is used internally in the EAP method registration code
75	 * to create a linked list of registered EAP methods.
76	 */
77	struct eap_method *next;
78
79	/**
80	 * get_emsk - Get EAP method specific keying extended material (EMSK)
81	 * @sm: Pointer to EAP state machine allocated with eap_sm_init()
82	 * @priv: Pointer to private EAP method data from eap_method::init()
83	 * @len: Pointer to a variable to store EMSK length
84	 * Returns: EMSK or %NULL if not available
85	 *
86	 * This function can be used to get the extended keying material from
87	 * the EAP method. The key may already be stored in the method-specific
88	 * private data or this function may derive the key.
89	 */
90	u8 * (*get_emsk)(struct eap_sm *sm, void *priv, size_t *len);
91
92	/**
93	 * getSessionId - Get EAP method specific Session-Id
94	 * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
95	 * @priv: Pointer to private EAP method data from eap_method::init()
96	 * @len: Pointer to a variable to store Session-Id length
97	 * Returns: Session-Id or %NULL if not available
98	 *
99	 * This function can be used to get the Session-Id from the EAP method.
100	 * The Session-Id may already be stored in the method-specific private
101	 * data or this function may derive the Session-Id.
102	 */
103	u8 * (*getSessionId)(struct eap_sm *sm, void *priv, size_t *len);
104};
105
106/**
107 * struct eap_sm - EAP server state machine data
108 */
109struct eap_sm {
110	enum {
111		EAP_DISABLED, EAP_INITIALIZE, EAP_IDLE, EAP_RECEIVED,
112		EAP_INTEGRITY_CHECK, EAP_METHOD_RESPONSE, EAP_METHOD_REQUEST,
113		EAP_PROPOSE_METHOD, EAP_SELECT_ACTION, EAP_SEND_REQUEST,
114		EAP_DISCARD, EAP_NAK, EAP_RETRANSMIT, EAP_SUCCESS, EAP_FAILURE,
115		EAP_TIMEOUT_FAILURE, EAP_PICK_UP_METHOD,
116		EAP_INITIALIZE_PASSTHROUGH, EAP_IDLE2, EAP_RETRANSMIT2,
117		EAP_RECEIVED2, EAP_DISCARD2, EAP_SEND_REQUEST2,
118		EAP_AAA_REQUEST, EAP_AAA_RESPONSE, EAP_AAA_IDLE,
119		EAP_TIMEOUT_FAILURE2, EAP_FAILURE2, EAP_SUCCESS2,
120		EAP_INITIATE_REAUTH_START, EAP_INITIATE_RECEIVED
121	} EAP_state;
122
123	/* Constants */
124	int MaxRetrans;
125
126	struct eap_eapol_interface eap_if;
127
128	/* Full authenticator state machine local variables */
129
130	/* Long-term (maintained between packets) */
131	EapType currentMethod;
132	int currentId;
133	enum {
134		METHOD_PROPOSED, METHOD_CONTINUE, METHOD_END
135	} methodState;
136	int retransCount;
137	struct wpabuf *lastReqData;
138	int methodTimeout;
139
140	/* Short-term (not maintained between packets) */
141	Boolean rxResp;
142	Boolean rxInitiate;
143	int respId;
144	EapType respMethod;
145	int respVendor;
146	u32 respVendorMethod;
147	Boolean ignore;
148	enum {
149		DECISION_SUCCESS, DECISION_FAILURE, DECISION_CONTINUE,
150		DECISION_PASSTHROUGH, DECISION_INITIATE_REAUTH_START
151	} decision;
152
153	/* Miscellaneous variables */
154	const struct eap_method *m; /* selected EAP method */
155	/* not defined in RFC 4137 */
156	Boolean changed;
157	void *eapol_ctx, *msg_ctx;
158	const struct eapol_callbacks *eapol_cb;
159	void *eap_method_priv;
160	u8 *identity;
161	size_t identity_len;
162	/* Whether Phase 2 method should validate identity match */
163	int require_identity_match;
164	int lastId; /* Identifier used in the last EAP-Packet */
165	struct eap_user *user;
166	int user_eap_method_index;
167	int init_phase2;
168	void *ssl_ctx;
169	struct eap_sim_db_data *eap_sim_db_priv;
170	Boolean backend_auth;
171	Boolean update_user;
172	int eap_server;
173
174	int num_rounds;
175	enum {
176		METHOD_PENDING_NONE, METHOD_PENDING_WAIT, METHOD_PENDING_CONT
177	} method_pending;
178
179	u8 *auth_challenge;
180	u8 *peer_challenge;
181
182	u8 *pac_opaque_encr_key;
183	u8 *eap_fast_a_id;
184	size_t eap_fast_a_id_len;
185	char *eap_fast_a_id_info;
186	enum {
187		NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
188	} eap_fast_prov;
189	int pac_key_lifetime;
190	int pac_key_refresh_time;
191	int eap_sim_aka_result_ind;
192	int tnc;
193	u16 pwd_group;
194	struct wps_context *wps;
195	struct wpabuf *assoc_wps_ie;
196	struct wpabuf *assoc_p2p_ie;
197
198	Boolean start_reauth;
199
200	u8 peer_addr[ETH_ALEN];
201
202	/* Fragmentation size for EAP method init() handler */
203	int fragment_size;
204
205	int pbc_in_m1;
206
207	const u8 *server_id;
208	size_t server_id_len;
209
210	Boolean initiate_reauth_start_sent;
211	Boolean try_initiate_reauth;
212	int erp;
213
214#ifdef CONFIG_TESTING_OPTIONS
215	u32 tls_test_flags;
216#endif /* CONFIG_TESTING_OPTIONS */
217};
218
219int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
220		 int phase2);
221void eap_log_msg(struct eap_sm *sm, const char *fmt, ...)
222PRINTF_FORMAT(2, 3);
223void eap_sm_process_nak(struct eap_sm *sm, const u8 *nak_list, size_t len);
224
225#endif /* EAP_I_H */
226