#include "includes.h"
#include "common.h"
#include "pcsc_funcs.h"
#include "state_machine.h"
#include "crypto/crypto.h"
#include "crypto/tls.h"
#include "common/wpa_ctrl.h"
#include "eap_common/eap_wsc_common.h"
#include "eap_i.h"
#include "wpabuf.h"
#include "eap_peer/eap.h"
#include "eap_common/eap_common.h"
Defines | |
#define | EAP_MAX_AUTH_ROUNDS 50 |
#define | STATE_MACHINE_DATA struct eap_sm |
#define | STATE_MACHINE_DEBUG_PREFIX "EAP" |
Enumerations | |
enum | eap_ctrl_req_type { TYPE_IDENTITY, TYPE_PASSWORD, TYPE_OTP, TYPE_PIN, TYPE_NEW_PASSWORD, TYPE_PASSPHRASE } |
Functions | |
int | eap_allowed_method (struct eap_sm *sm, int vendor, u32 method) |
static int | eap_allowed_phase2_type (int vendor, int type) |
static void | eap_deinit_prev_method (struct eap_sm *sm, const char *txt) |
static int | eap_peer_req_is_duplicate (struct eap_sm *sm) |
void | eap_peer_sm_deinit (struct eap_sm *sm) |
struct eap_sm * | eap_peer_sm_init (void *eapol_ctx, struct eapol_callbacks *eapol_cb, void *msg_ctx, struct eap_config *conf) |
int | eap_peer_sm_step (struct eap_sm *sm) |
static void | eap_peer_sm_step_idle (struct eap_sm *sm) |
static void | eap_peer_sm_step_local (struct eap_sm *sm) |
static void | eap_peer_sm_step_received (struct eap_sm *sm) |
static void | eap_peer_sm_tls_event (void *ctx, enum tls_event ev, union tls_event_data *data) |
void | eap_sm_abort (struct eap_sm *sm) |
static Boolean | eap_sm_allowMethod (struct eap_sm *sm, int vendor, EapType method) |
static struct wpabuf * | eap_sm_build_expanded_nak (struct eap_sm *sm, int id, const struct eap_method *methods, size_t count) |
struct wpabuf * | eap_sm_buildIdentity (struct eap_sm *sm, int id, int encrypted) |
static struct wpabuf * | eap_sm_buildNak (struct eap_sm *sm, int id) |
static struct wpabuf * | eap_sm_buildNotify (int id) |
static const char * | eap_sm_decision_txt (EapDecision decision) |
static int | eap_sm_get_scard_identity (struct eap_sm *sm, struct eap_peer_config *conf) |
static const char * | eap_sm_method_state_txt (EapMethodState state) |
void | eap_sm_notify_ctrl_attached (struct eap_sm *sm) |
static void | eap_sm_parseEapReq (struct eap_sm *sm, const struct wpabuf *req) |
static void | eap_sm_processIdentity (struct eap_sm *sm, const struct wpabuf *req) |
static void | eap_sm_processNotify (struct eap_sm *sm, const struct wpabuf *req) |
static void | eap_sm_request (struct eap_sm *sm, eap_ctrl_req_type type, const char *msg, size_t msglen) |
void | eap_sm_request_identity (struct eap_sm *sm) |
void | eap_sm_request_new_password (struct eap_sm *sm) |
void | eap_sm_request_otp (struct eap_sm *sm, const char *msg, size_t msg_len) |
void | eap_sm_request_passphrase (struct eap_sm *sm) |
void | eap_sm_request_password (struct eap_sm *sm) |
void | eap_sm_request_pin (struct eap_sm *sm) |
static int | eap_sm_set_scard_pin (struct eap_sm *sm, struct eap_peer_config *conf) |
static int | eap_success_workaround (struct eap_sm *sm, int reqId, int lastId) |
static Boolean | eapol_get_bool (struct eap_sm *sm, enum eapol_bool_var var) |
static struct wpabuf * | eapol_get_eapReqData (struct eap_sm *sm) |
static unsigned int | eapol_get_int (struct eap_sm *sm, enum eapol_int_var var) |
static void | eapol_set_bool (struct eap_sm *sm, enum eapol_bool_var var, Boolean value) |
static void | eapol_set_int (struct eap_sm *sm, enum eapol_int_var var, unsigned int value) |
SM_STATE (EAP, FAILURE) | |
SM_STATE (EAP, SUCCESS) | |
SM_STATE (EAP, RETRANSMIT) | |
SM_STATE (EAP, NOTIFICATION) | |
SM_STATE (EAP, IDENTITY) | |
SM_STATE (EAP, DISCARD) | |
SM_STATE (EAP, SEND_RESPONSE) | |
SM_STATE (EAP, METHOD) | |
SM_STATE (EAP, GET_METHOD) | |
SM_STATE (EAP, RECEIVED) | |
SM_STATE (EAP, IDLE) | |
SM_STATE (EAP, DISABLED) | |
SM_STATE (EAP, INITIALIZE) | |
SM_STEP (EAP) | |
eap_get_phase2_type - Get EAP type for the given EAP phase 2 method name
@name: EAP method name, e.g., MD5
@vendor: Buffer for returning EAP Vendor-Id
Returns: EAP method type or EAP_TYPE_NONE if not found
This function maps EAP type names into EAP type numbers that are allowed for Phase 2, i.e., for tunneled authentication. Phase 2 is used, e.g., with EAP-PEAP, EAP-TTLS, and EAP-FAST.
void | eap_clear_config_otp (struct eap_sm *sm) |
struct eap_peer_config * | eap_get_config (struct eap_sm *sm) |
const u8 * | eap_get_config_identity (struct eap_sm *sm, size_t *len) |
const u8 * | eap_get_config_new_password (struct eap_sm *sm, size_t *len) |
const u8 * | eap_get_config_otp (struct eap_sm *sm, size_t *len) |
const u8 * | eap_get_config_password (struct eap_sm *sm, size_t *len) |
const u8 * | eap_get_config_password2 (struct eap_sm *sm, size_t *len, int *hash) |
const char * | eap_get_config_phase1 (struct eap_sm *sm) |
const char * | eap_get_config_phase2 (struct eap_sm *sm) |
const u8 * | eap_get_eapKeyData (struct eap_sm *sm, size_t *len) |
struct wpabuf * | eap_get_eapRespData (struct eap_sm *sm) |
u32 | eap_get_phase2_type (const char *name, int *vendor) |
struct eap_method_type * | eap_get_phase2_types (struct eap_peer_config *config, size_t *count) |
int | eap_key_available (struct eap_sm *sm) |
void | eap_notify_lower_layer_success (struct eap_sm *sm) |
void | eap_notify_success (struct eap_sm *sm) |
void | eap_register_scard_ctx (struct eap_sm *sm, void *ctx) |
void | eap_set_config_blob (struct eap_sm *sm, struct wpa_config_blob *blob) |
void | eap_set_fast_reauth (struct eap_sm *sm, int enabled) |
void | eap_set_workaround (struct eap_sm *sm, unsigned int workaround) |
eap_get_config_blob - Get a named configuration blob
@sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
@name: Name of the blob
Returns: Pointer to blob data or NULL if not found
struct wpa_config_blob * | eap_get_config_blob (struct eap_sm *sm, const char *name) |
void | eap_invalidate_cached_session (struct eap_sm *sm) |
int | eap_is_wps_pbc_enrollee (struct eap_peer_config *conf) |
int | eap_is_wps_pin_enrollee (struct eap_peer_config *conf) |
void | eap_notify_pending (struct eap_sm *sm) |
void | eap_set_force_disabled (struct eap_sm *sm, int disabled) |
enum eap_ctrl_req_type |
eap_allowed_method - Check whether EAP method is allowed
@sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
@vendor: Vendor-Id for expanded types or 0 = IETF for legacy types
@method: EAP type
Returns: 1 = allowed EAP method, 0 = not allowed
static int eap_allowed_phase2_type | ( | int | vendor, | |
int | type | |||
) | [static] |
void eap_clear_config_otp | ( | struct eap_sm * | sm | ) |
eap_clear_config_otp - Clear used one-time password : Pointer to EAP state machine allocated with eap_peer_sm_init()
This function clears a used one-time password (OTP) from the current network configuration. This should be called when the OTP has been used and is not needed anymore.
static void eap_deinit_prev_method | ( | struct eap_sm * | sm, | |
const char * | txt | |||
) | [static] |
struct eap_peer_config* eap_get_config | ( | struct eap_sm * | sm | ) | [read] |
eap_get_config - Get current network configuration : Pointer to EAP state machine allocated with eap_peer_sm_init() Returns: Pointer to the current network configuration or NULL if not found
EAP peer methods should avoid using this function if they can use other access functions, like eap_get_config_identity() and eap_get_config_password(), that do not require direct access to struct eap_peer_config.
struct wpa_config_blob* eap_get_config_blob | ( | struct eap_sm * | sm, | |
const char * | name | |||
) | [read] |
eap_get_config_identity - Get identity from the network configuration : Pointer to EAP state machine allocated with eap_peer_sm_init() : Buffer for the length of the identity Returns: Pointer to the identity or NULL if not found
eap_get_config_new_password - Get new password from network configuration : Pointer to EAP state machine allocated with eap_peer_sm_init() : Buffer for the length of the new password Returns: Pointer to the new password or NULL if not found
eap_get_config_otp - Get one-time password from the network configuration : Pointer to EAP state machine allocated with eap_peer_sm_init() : Buffer for the length of the one-time password Returns: Pointer to the one-time password or NULL if not found
eap_get_config_password - Get password from the network configuration : Pointer to EAP state machine allocated with eap_peer_sm_init() : Buffer for the length of the password Returns: Pointer to the password or NULL if not found
eap_get_config_password2 - Get password from the network configuration : Pointer to EAP state machine allocated with eap_peer_sm_init() : Buffer for the length of the password : Buffer for returning whether the password is stored as a NtPasswordHash instead of plaintext password; can be NULL if this information is not needed Returns: Pointer to the password or NULL if not found
const char* eap_get_config_phase1 | ( | struct eap_sm * | sm | ) |
eap_get_config_phase1 - Get phase1 data from the network configuration : Pointer to EAP state machine allocated with eap_peer_sm_init() Returns: Pointer to the phase1 data or NULL if not found
const char* eap_get_config_phase2 | ( | struct eap_sm * | sm | ) |
eap_get_config_phase2 - Get phase2 data from the network configuration
@sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
Returns: Pointer to the phase2 data or NULL if not found
eap_get_eapKeyData - Get master session key (MSK) from EAP state machine : Pointer to EAP state machine allocated with eap_peer_sm_init() : Pointer to variable that will be set to number of bytes in the key Returns: Pointer to the EAP keying data or NULL on failure
Fetch EAP keying material (MSK, eapKeyData) from the EAP state machine. The key is available only after a successful authentication. EAP state machine continues to manage the key data and the caller must not change or free the returned data.
eap_get_eapRespData - Get EAP response data
@sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
Returns: Pointer to the EAP response (eapRespData) or NULL on failure
Fetch EAP response (eapRespData) from the EAP state machine. This data is available when EAP state machine has processed an incoming EAP request. The EAP state machine does not maintain a reference to the response after this function is called and the caller is responsible for freeing the data.
struct eap_method_type* eap_get_phase2_types | ( | struct eap_peer_config * | config, | |
size_t * | count | |||
) | [read] |
eap_get_phase2_types - Get list of allowed EAP phase 2 types : Pointer to a network configuration : Pointer to a variable to be filled with number of returned EAP types Returns: Pointer to allocated type list or NULL on failure
This function generates an array of allowed EAP phase 2 (tunneled) types for the given network configuration.
void eap_invalidate_cached_session | ( | struct eap_sm * | sm | ) |
eap_invalidate_cached_session - Mark cached session data invalid : Pointer to EAP state machine allocated with eap_peer_sm_init()
int eap_is_wps_pbc_enrollee | ( | struct eap_peer_config * | conf | ) |
int eap_is_wps_pin_enrollee | ( | struct eap_peer_config * | conf | ) |
int eap_key_available | ( | struct eap_sm * | sm | ) |
eap_key_available - Get key availability (eapKeyAvailable variable) : Pointer to EAP state machine allocated with eap_peer_sm_init() Returns: 1 if EAP keying material is available, 0 if not
void eap_notify_lower_layer_success | ( | struct eap_sm * | sm | ) |
eap_notify_lower_layer_success - Notification of lower layer success : Pointer to EAP state machine allocated with eap_peer_sm_init()
Notify EAP state machines that a lower layer has detected a successful authentication. This is used to recover from dropped EAP-Success messages.
void eap_notify_pending | ( | struct eap_sm * | sm | ) |
eap_notify_pending - Notify that EAP method is ready to re-process a request : Pointer to EAP state machine allocated with eap_peer_sm_init()
An EAP method can perform a pending operation (e.g., to get a response from an external process). Once the response is available, this function can be used to request EAPOL state machine to retry delivering the previously received (and still unanswered) EAP request to EAP state machine.
void eap_notify_success | ( | struct eap_sm * | sm | ) |
eap_notify_success - Notify EAP state machine about external success trigger : Pointer to EAP state machine allocated with eap_peer_sm_init()
This function is called when external event, e.g., successful completion of WPA-PSK key handshake, is indicating that EAP state machine should move to success state. This is mainly used with security modes that do not use EAP state machine (e.g., WPA-PSK).
static int eap_peer_req_is_duplicate | ( | struct eap_sm * | sm | ) | [static] |
void eap_peer_sm_deinit | ( | struct eap_sm * | sm | ) |
eap_peer_sm_deinit - Deinitialize and free an EAP peer state machine : Pointer to EAP state machine allocated with eap_peer_sm_init()
This function deinitializes EAP state machine and frees all allocated resources.
struct eap_sm* eap_peer_sm_init | ( | void * | eapol_ctx, | |
struct eapol_callbacks * | eapol_cb, | |||
void * | msg_ctx, | |||
struct eap_config * | conf | |||
) | [read] |
eap_peer_sm_init - Allocate and initialize EAP peer state machine : Context data to be used with eapol_cb calls : Pointer to EAPOL callback functions : Context data for wpa_msg() calls : EAP configuration Returns: Pointer to the allocated EAP state machine or NULL on failure
This function allocates and initializes an EAP state machine. In addition, this initializes TLS library for the new EAP state machine. eapol_cb pointer will be in use until eap_peer_sm_deinit() is used to deinitialize this EAP state machine. Consequently, the caller must make sure that this data structure remains alive while the EAP state machine is active.
int eap_peer_sm_step | ( | struct eap_sm * | sm | ) |
eap_peer_sm_step - Step EAP peer state machine : Pointer to EAP state machine allocated with eap_peer_sm_init() Returns: 1 if EAP state was changed or 0 if not
This function advances EAP state machine to a new state to match with the current variables. This should be called whenever variables used by the EAP state machine have changed.
static void eap_peer_sm_step_idle | ( | struct eap_sm * | sm | ) | [static] |
static void eap_peer_sm_step_local | ( | struct eap_sm * | sm | ) | [static] |
static void eap_peer_sm_step_received | ( | struct eap_sm * | sm | ) | [static] |
static void eap_peer_sm_tls_event | ( | void * | ctx, | |
enum tls_event | ev, | |||
union tls_event_data * | data | |||
) | [static] |
void eap_register_scard_ctx | ( | struct eap_sm * | sm, | |
void * | ctx | |||
) |
eap_register_scard_ctx - Notification of smart card context
@sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
@ctx: Context data for smart card operations
Notify EAP state machines of context data for smart card operations. This context data will be used as a parameter for scard_*() functions.
void eap_set_config_blob | ( | struct eap_sm * | sm, | |
struct wpa_config_blob * | blob | |||
) |
eap_set_config_blob - Set or add a named configuration blob : Pointer to EAP state machine allocated with eap_peer_sm_init() : New value for the blob
Adds a new configuration blob or replaces the current value of an existing blob.
void eap_set_fast_reauth | ( | struct eap_sm * | sm, | |
int | enabled | |||
) |
eap_set_fast_reauth - Update fast_reauth setting : Pointer to EAP state machine allocated with eap_peer_sm_init() : 1 = Fast reauthentication is enabled, 0 = Disabled
void eap_set_force_disabled | ( | struct eap_sm * | sm, | |
int | disabled | |||
) |
eap_set_force_disabled - Set force_disabled flag : Pointer to EAP state machine allocated with eap_peer_sm_init() : 1 = EAP disabled, 0 = EAP enabled
This function is used to force EAP state machine to be disabled when it is not in use (e.g., with WPA-PSK or plaintext connections).
void eap_set_workaround | ( | struct eap_sm * | sm, | |
unsigned int | workaround | |||
) |
eap_set_workaround - Update EAP workarounds setting : Pointer to EAP state machine allocated with eap_peer_sm_init() : 1 = Enable EAP workarounds, 0 = Disable EAP workarounds
void eap_sm_abort | ( | struct eap_sm * | sm | ) |
eap_sm_abort - Abort EAP authentication : Pointer to EAP state machine allocated with eap_peer_sm_init()
Release system resources that have been allocated for the authentication session without fully deinitializing the EAP state machine.
static struct wpabuf* eap_sm_build_expanded_nak | ( | struct eap_sm * | sm, | |
int | id, | |||
const struct eap_method * | methods, | |||
size_t | count | |||
) | [static, read] |
eap_sm_buildIdentity - Build EAP-Identity/Response for the current network : Pointer to EAP state machine allocated with eap_peer_sm_init() : EAP identifier for the packet : Whether the packet is for encrypted tunnel (EAP phase 2) Returns: Pointer to the allocated EAP-Identity/Response packet or NULL on failure
This function allocates and builds an EAP-Identity/Response packet for the current network. The caller is responsible for freeing the returned data.
static struct wpabuf * eap_sm_buildNotify | ( | int | id | ) | [static, read] |
static const char * eap_sm_decision_txt | ( | EapDecision | decision | ) | [static] |
static int eap_sm_get_scard_identity | ( | struct eap_sm * | sm, | |
struct eap_peer_config * | conf | |||
) | [static] |
static const char * eap_sm_method_state_txt | ( | EapMethodState | state | ) | [static] |
void eap_sm_notify_ctrl_attached | ( | struct eap_sm * | sm | ) |
eap_sm_notify_ctrl_attached - Notification of attached monitor : Pointer to EAP state machine allocated with eap_peer_sm_init()
Notify EAP state machines that a monitor was attached to the control interface to trigger re-sending of pending requests for user input.
static void eap_sm_request | ( | struct eap_sm * | sm, | |
eap_ctrl_req_type | type, | |||
const char * | msg, | |||
size_t | msglen | |||
) | [static] |
void eap_sm_request_identity | ( | struct eap_sm * | sm | ) |
eap_sm_request_identity - Request identity from user (ctrl_iface) : Pointer to EAP state machine allocated with eap_peer_sm_init()
EAP methods can call this function to request identity information for the current network. This is normally called when the identity is not included in the network configuration. The request will be sent to monitor programs through the control interface.
void eap_sm_request_new_password | ( | struct eap_sm * | sm | ) |
eap_sm_request_new_password - Request new password from user (ctrl_iface) : Pointer to EAP state machine allocated with eap_peer_sm_init()
EAP methods can call this function to request new password information for the current network. This is normally called when the EAP method indicates that the current password has expired and password change is required. The request will be sent to monitor programs through the control interface.
void eap_sm_request_otp | ( | struct eap_sm * | sm, | |
const char * | msg, | |||
size_t | msg_len | |||
) |
eap_sm_request_otp - Request one time password from user (ctrl_iface) : Pointer to EAP state machine allocated with eap_peer_sm_init() : Message to be displayed to the user when asking for OTP : Length of the user displayable message
EAP methods can call this function to request a one-time password (OTP) for the current network. The request will be sent to monitor programs through the control interface.
void eap_sm_request_passphrase | ( | struct eap_sm * | sm | ) |
eap_sm_request_passphrase - Request passphrase from user (ctrl_iface) : Pointer to EAP state machine allocated with eap_peer_sm_init()
EAP methods can call this function to request passphrase for a private key for the current network. This is normally called when the passphrase is not included in the network configuration. The request will be sent to monitor programs through the control interface.
void eap_sm_request_password | ( | struct eap_sm * | sm | ) |
eap_sm_request_password - Request password from user (ctrl_iface) : Pointer to EAP state machine allocated with eap_peer_sm_init()
EAP methods can call this function to request password information for the current network. This is normally called when the password is not included in the network configuration. The request will be sent to monitor programs through the control interface.
void eap_sm_request_pin | ( | struct eap_sm * | sm | ) |
eap_sm_request_pin - Request SIM or smart card PIN from user (ctrl_iface) : Pointer to EAP state machine allocated with eap_peer_sm_init()
EAP methods can call this function to request SIM or smart card PIN information for the current network. This is normally called when the PIN is not included in the network configuration. The request will be sent to monitor programs through the control interface.
static int eap_sm_set_scard_pin | ( | struct eap_sm * | sm, | |
struct eap_peer_config * | conf | |||
) | [static] |
static int eap_success_workaround | ( | struct eap_sm * | sm, | |
int | reqId, | |||
int | lastId | |||
) | [static] |
static unsigned int eapol_get_int | ( | struct eap_sm * | sm, | |
enum eapol_int_var | var | |||
) | [static] |
static void eapol_set_int | ( | struct eap_sm * | sm, | |
enum eapol_int_var | var, | |||
unsigned int | value | |||
) | [static] |