|
1 /* |
|
2 * Copyright (c) 2001-2006 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: EAP and WLAN authentication protocols. |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 |
|
20 |
|
21 /** |
|
22 * @mainpage EAP Core documentation. |
|
23 * |
|
24 * @section intro Introduction |
|
25 * This is the EAP Core documentation generated by doxygen. |
|
26 * First read <a href="../S60_3_1_EAP_Core.doc">S60_3_1_EAP_Core.doc</a> |
|
27 * file from <a href="..">EAPOL/documentation</a> directory. |
|
28 * Release notes are in file <a href="../../../../../wlan_linux/wlaneapol_linux/release_notes.txt">release_notes.txt</a> |
|
29 * |
|
30 * @section install Installation |
|
31 * Installation instructions are in file <a href="../../../../../wlan_linux/wlaneapol_linux/readme.txt">EAPOL/readme.txt</a>. |
|
32 * |
|
33 * @section classes Most crucial classes |
|
34 * The most crucial classes are eap_core_c, abs_eap_core_c, |
|
35 * eap_base_type_c and abs_eap_base_type_c. |
|
36 * |
|
37 * Header files are stored to a directory <a href="../../../include">EAPOL/include</a>. |
|
38 * Implementation of eap_core_c class is in a file <a href="../../../core/eap_core.cpp"> |
|
39 * EAPOL/core/eap_core.cpp</a>. Implementation of eap_base_type_c class is in a file |
|
40 * <a href="../../../common/eap_base_type.cpp">EAPOL/common/eap_base_type.cpp</a>. |
|
41 * |
|
42 * @section eap_types Implemented EAP-types |
|
43 * |
|
44 * @subsection GSMSIM EAP/SIM |
|
45 * EAP/SIM implementation is in a directory |
|
46 * <a href="../../../type/gsmsim">EAPOL/type/gsmsim</a>. |
|
47 * EAP/SIM is specified in draft-haverinen-pppext-eap-sim-xx.txt. |
|
48 * The most current is |
|
49 * <a href="../../type/gsmsim/doc/rfc4186.txt"> |
|
50 * RFC 4186</a>. |
|
51 * IETF drafts and RFC are stored to a directory <a href="../../type/gsmsim/doc"> |
|
52 * EAPOL/type/gsmsim/documentation</a>. |
|
53 * The document |
|
54 * <a href="../../type/gsmsim/doc/GSMSIM.doc">GSMSIM.doc</a> |
|
55 * includes implementation notes of GSMSIM. |
|
56 * |
|
57 * @subsection EAP_AKA EAP/AKA |
|
58 * EAP/AKA implementation is in a directory |
|
59 * <a href="../../../type/aka">EAPOL/type/aka</a>. |
|
60 * EAP/AKA is specified in draft-arkko-pppext-eap-aka-xx.txt. |
|
61 * The most current is |
|
62 * <a href="../../type/aka/doc/rfc4187.txt"> |
|
63 * RFC 4187</a>. |
|
64 * IETF drafts are stored to a directory <a href="../../type/aka/doc"> |
|
65 * EAPOL/type/aka/documentation</a>. |
|
66 * |
|
67 * @subsection EAP_TLS_PEAP EAP/TLS, PEAP and TTLS |
|
68 * Implementation design and architecture of EAP/TLS, PEAP and TTLS is in |
|
69 * <a href="../../type/tls_peap/doc/EAP_TLS_PEAP.doc">EAP_TLS_PEAP.doc</a> |
|
70 * file in <a href="../../type/tls_peap/doc">EAPOL/type/tls_peap/documentation</a> directory. |
|
71 * EAP/TLS and PEAP implementation will be in a directory |
|
72 * <a href="../../../type/tls_peap">EAPOL/type/tls_peap</a>. |
|
73 * TLS is specified in <a href="../../type/tls_peap/doc/rfc2246.txt">rfc2246.txt</a>. |
|
74 * EAP/TLS is specified in <a href="../../type/tls_peap/doc/rfc2716.txt">rfc2716.txt</a>. |
|
75 * PEAPv2 is specified in <a href="../../type/tls_peap/doc/draft-josefsson-pppext-eap-tls-eap-08.txt">draft-josefsson-pppext-eap-tls-eap-08.txt</a>. |
|
76 * PEAPv1 is specified in <a href="../../type/tls_peap/doc/draft-josefsson-pppext-eap-tls-eap-05.txt">draft-josefsson-pppext-eap-tls-eap-05.txt</a>. |
|
77 * Windows XP- PEAPv0 is specified in <a href="../../type/tls_peap/doc/draft-kamath-pppext-peapv0-00.txt">draft-kamath-pppext-peapv0-00.txt</a>. |
|
78 * TTLS is specified in <a href="../../type/tls_peap/doc/draft-ietf-pppext-eap-ttls-04.txt">draft-ietf-pppext-eap-ttls-04.txt</a>. |
|
79 * |
|
80 * @subsection EAP_MsChapv2 EAP/MsChapv2 |
|
81 * EAP/MsChapv2 implementation is in a directory |
|
82 * <a href="../../../type/mschapv2">EAPOL/type/mschapv2</a>. |
|
83 * EAP/MsChapv2 is specified in draft-kamath-pppext-eap-mschapv2-XX.txt, rfc2433.txt and rfc2759.txt. |
|
84 * The most current is |
|
85 * <a href="../../type/mschapv2/doc/draft-kamath-pppext-eap-mschapv2-01.txt"> |
|
86 * EAP/MsChapv2 draft version 2</a>. |
|
87 * See also <a href="../../type/mschapv2/doc/rfc2433.txt">rfc2433.txt</a> |
|
88 * and <a href="../../type/mschapv2/doc/rfc2759.txt">rfc2759.txt</a>. |
|
89 * IETF drafts are stored to a directory <a href="../../type/mschapv2/doc"> |
|
90 * EAPOL/type/mschapv2/doc</a>. |
|
91 * |
|
92 * @subsection EAP_SecurID_GTC EAP/SecurID and GTC |
|
93 * EAP/SecurID implementation is in a directory |
|
94 * <a href="../../../type/securid">EAPOL/type/securid</a>. |
|
95 * EAP/SecurID is specified in draft-josefsson-eap-securid-XX.txt. |
|
96 * The most current is |
|
97 * <a href="../../type/securid/doc/draft-josefsson-eap-securid-01.txt"> |
|
98 * EAP/SecurID draft version 1</a>. |
|
99 * IETF drafts are stored to a directory <a href="../../type/securid/doc"> |
|
100 * EAPOL/type/securid/documentation</a>. |
|
101 * |
|
102 * @subsection EAP_LEAP EAP/LEAP |
|
103 * EAP/LEAP implementation is in a directory |
|
104 * <a href="../../../type/leap">EAPOL/type/leap</a>. |
|
105 * EAP/LEAP documentation is not included here. |
|
106 * |
|
107 * @subsection SAE Experimental Security Association for EAPOL (not used) |
|
108 * SAE implementation is in a directory <a href="../../../../../wlan_testing/wlaneapol_testing/SAE">EAPOL/SAE</a>. |
|
109 * Document defining SAE is <a href="../../../../../wlan_testing/wlaneapol_testing/SAE/documentation/EAPOL_SA.doc">EAPOL_SA.doc</a>. |
|
110 * This is a very experimental test implementation. |
|
111 * The idea is to use Diffie-Hellman to create keys for an anonymous EAPOL tunnel. |
|
112 * Any EAP-type could then run inside the tunnel. |
|
113 * This fixes the problem of current EAPOL over WLAN. |
|
114 * EAP was designed for a point-to-point environment and EAPOL for a non-shared environment. |
|
115 * |
|
116 * NOTE SAE is not used anywhere. |
|
117 * |
|
118 * @section Symbian Symbian Plug-in |
|
119 * EAP Type Plug-in Architecture for Symbian is specified in |
|
120 * <a href="../../am/type/symbian/plugin/doc/eap_plugin_architecture.doc"> |
|
121 * eap_plugin_architecture.doc</a>. |
|
122 * |
|
123 */ |
|
124 |
|
125 |
|
126 #if !defined(_EAP_CORE_H_) |
|
127 #define _EAP_CORE_H_ |
|
128 |
|
129 #include "eap_am_export.h" |
|
130 #include "abs_eap_base_type.h" |
|
131 #include "eap_core_map.h" |
|
132 #include "eap_am_network_id.h" |
|
133 #include "abs_eap_stack_interface.h" |
|
134 #include "eap_configuration_field.h" |
|
135 #include "abs_eap_core_map.h" |
|
136 |
|
// Forward declarations of types referenced by the declarations below.
class abs_eap_core_c;
class abs_eap_am_tools_c;
class eap_core_retransmission_c;
class eap_base_type_c;
class eap_variable_data_c;
|
142 |
|
143 //-------------------------------------------------------------------------------------------------- |
|
144 |
|
145 /** |
|
146 * @defgroup EAP_Core_config_options Configuration options of EAP Core. |
|
147 * The following configuration options are read through the abs_eap_base_type_c::read_configure() function. |
|
148 * @{ |
|
149 */ |
|
150 |
|
/**
 * This is a u32_t configuration option.
 * This is the maximum count the EAP CORE Authenticator resends a message.
 * This is used in simulator testing.
 * Related compile-time constant: EAP_CORE_RETRANSMISSION_COUNTER.
 * The meaning of the last macro argument is defined by EAP_CONFIGURATION_FIELD
 * in eap_configuration_field.h.
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_retransmission_counter,
	"EAP_CORE_retransmission_counter",
	eap_configure_type_u32_t,
	false);
|
161 |
|
/**
 * This is a u32_t configuration option.
 * This is the time after which the EAP CORE Authenticator resends a message.
 * This is used in simulator testing.
 * Related compile-time constant: EAP_CORE_RETRANSMISSION_TIME (milliseconds).
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_retransmission_time,
	"EAP_CORE_retransmission_time",
	eap_configure_type_u32_t,
	false);
|
172 |
|
/**
 * This is a u32_t configuration option.
 * This is the maximum time within which EAP authentication could succeed.
 * This timeout is the same for every EAP-type.
 * You must define an EAP-type specific configuration
 * if you need a different timeout for your EAP-type.
 * Authentication is terminated after this time elapses, which bounds
 * the lifetime of an unfinished authentication session.
 * Time is in milliseconds.
 * Related compile-time constant: EAP_CORE_SESSION_TIMEOUT.
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_session_timeout,
	"EAP_CORE_session_timeout",
	eap_configure_type_u32_t,
	false);
|
187 |
|
/**
 * This is optional and only valid for the server.
 * This allows different values for client and server.
 * This is a u32_t configuration option.
 * This is the maximum time within which EAP authentication could succeed.
 * This timeout is the same for every EAP-type.
 * You must define an EAP-type specific configuration
 * if you need a different timeout for your EAP-type.
 * Authentication is terminated after this time elapses.
 * Time is in milliseconds.
 * See also EAP_CORE_session_timeout, which applies to both roles.
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_server_session_timeout,
	"EAP_CORE_server_session_timeout",
	eap_configure_type_u32_t,
	false);
|
204 |
|
205 |
|
/**
 * This is optional and only valid for the server.
 * This is a boolean configuration option.
 * This flag selects whether EAP-Success is sent after the state notification is forwarded to the lower layer (true)
 * or EAP-Success is sent before the state notification is forwarded to the lower layer (false).
 * Default value is false.
 * The value is held in eap_core_c::m_send_eap_success_after_notification.
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_send_eap_success_after_notification,
	"EAP_CORE_send_eap_success_after_notification",
	eap_configure_type_boolean,
	false);
|
218 |
|
219 |
|
/**
 * This is a u32_t configuration option.
 * This is the time after which a received EAP-Failure is handled.
 * Zero means EAP-Failure is handled immediately.
 * Time is in milliseconds.
 * The default value is EAP_CORE_FAILURE_RECEIVED_TIMEOUT.
 * See EAP_CORE_FAILURE_RECEIVED_ID.
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_failure_received_timeout,
	"EAP_CORE_failure_received_timeout",
	eap_configure_type_u32_t,
	false);
|
232 |
|
233 |
|
234 #if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER) |
|
/**
 * This is a u32_t configuration option.
 * This is the maximum time the client waits for EAP-Request/Identity and EAP-Request/type packets.
 * See EAP_CORE_WAIT_EAP_REQUEST_TYPE_ID.
 * Time is in milliseconds.
 * The default value is EAP_CORE_WAIT_EAP_REQUEST_TYPE_TIMEOUT.
 * Only compiled when USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER is defined.
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_wait_eap_request_type_timeout,
	"EAP_CORE_wait_eap_request_type_timeout",
	eap_configure_type_u32_t,
	false);
|
247 |
|
/**
 * This is optional and only valid for the server.
 * This is a boolean configuration option.
 * This flag selects whether EAP-Request/Identity is sent (true) or not (false).
 * Default value is false.
 * The value is held in eap_core_c::m_skip_eap_request_identity.
 * Only compiled when USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER is defined.
 */
EAP_CONFIGURATION_FIELD(
	cf_str_EAP_CORE_skip_eap_request_identity,
	"EAP_CORE_skip_eap_request_identity",
	eap_configure_type_boolean,
	false);
|
259 |
|
260 #endif //#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER) |
|
261 |
|
262 |
|
263 /** @} */ // End of group EAP_Core_config_options. |
|
264 |
|
265 //-------------------------------------------------------------------------------------------------- |
|
266 |
|
267 |
|
/**
 * Timer IDs used with abs_eap_am_tools_c::set_timer() and abs_eap_am_tools_c::cancel_timer().
 * Each ID names one of the timeouts armed by eap_core_c; the related
 * timeout constants are declared below this enum.
 */
enum eap_core_timer_id
{
	EAP_CORE_TIMER_RETRANSMISSION_ID, ///< Time after which an EAP-Request message is resent. This is for testing purposes. See USE_EAP_CORE_RETRANSMISSION compilation flag and EAP_CORE_RETRANSMISSION_TIME.
#if defined(USE_EAP_CORE_SERVER)
	EAP_CORE_DELAYED_EAP_NAK_PROCESS_ID, ///< See EAP_CORE_DELAYED_EAP_NAK_PROCESS_TIMEOUT.
#endif //#if defined(USE_EAP_CORE_SERVER)
	EAP_CORE_SESSION_TIMEOUT_ID, ///< See EAP_CORE_SESSION_TIMEOUT. (The previously referenced EAP_CORE_TIMER_HANDLER_TIMEOUT_TIMEOUT is not declared in this header.)
	EAP_CORE_FAILURE_RECEIVED_ID, ///< See EAP_CORE_FAILURE_RECEIVED_TIMEOUT.
	EAP_CORE_REMOVE_SESSION_TIMEOUT_ID, ///< See EAP_CORE_REMOVE_SESSION_TIMEOUT.
#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER)
	EAP_CORE_WAIT_EAP_REQUEST_TYPE_ID, ///< See EAP_CORE_WAIT_EAP_REQUEST_TYPE_TIMEOUT.
#endif //#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER)
};
|
284 |
|
/**
 * Time after which a received EAP-Failure message is handled.
 * Milliseconds; this is the default of the EAP_CORE_failure_received_timeout option.
 * See EAP_CORE_FAILURE_RECEIVED_ID.
 */
const u32_t EAP_CORE_FAILURE_RECEIVED_TIMEOUT = 2000ul;
|
289 |
|
290 #if defined(USE_EAP_CORE_SERVER) |
|
/**
 * Time after which a received EAP-Response/Nak message is processed.
 * We could wait in case a more suitable message is received.
 * Presumably milliseconds like the other timeouts here; confirm against the set_timer() call in eap_core.cpp.
 * See EAP_CORE_DELAYED_EAP_NAK_PROCESS_ID and EAP_CORE_PROCESS_EAP_NAK_IMMEDIATELY.
 */
const u32_t EAP_CORE_DELAYED_EAP_NAK_PROCESS_TIMEOUT = 2000u;
|
296 #endif //#if defined(USE_EAP_CORE_SERVER) |
|
297 |
|
/**
 * Size in bytes of the local send buffer. Use at least the minimum Ethernet packet length of 60 bytes.
 * NOTE(review): any code that builds a packet into a buffer of this size must bound its
 * writes by this length; the header offset, MTU and trailer length are obtained separately
 * through get_header_offset().
 */
const u32_t EAP_CORE_PACKET_BUFFER_LENGTH = 512u;
|
302 |
|
303 |
|
/**
 * Re-transmission is used to test protocols.
 * This is the maximum count an EAP message is resent.
 * This is used in simulator testing.
 * This is a configurable parameter. See eap.conf EAP_CORE_retransmission_counter.
 * See EAP_CORE_TIMER_RETRANSMISSION_ID.
 */
const u32_t EAP_CORE_RETRANSMISSION_COUNTER = 5;
|
311 |
|
/**
 * Re-transmission is used to test protocols.
 * This is the time after which an EAP message is resent.
 * This is used in simulator testing.
 * This is a configurable parameter. See eap.conf EAP_CORE_retransmission_time.
 * See EAP_CORE_TIMER_RETRANSMISSION_ID.
 */
const u32_t EAP_CORE_RETRANSMISSION_TIME = 1000u; /* milli seconds */
|
319 |
|
/**
 * This is the maximum time within which EAP authentication could succeed.
 * Authentication is terminated after this time elapses, which bounds
 * the lifetime of an unfinished authentication session.
 * This is a configurable parameter. See eap.conf EAP_CORE_session_timeout.
 * See EAP_CORE_SESSION_TIMEOUT_ID.
 * Time is in milliseconds.
 */
const u32_t EAP_CORE_SESSION_TIMEOUT = 120000u; /* milli seconds */
|
328 |
|
/**
 * This is the delay after which the EAP-session is removed once authentication has finished.
 * This is a configurable parameter.
 * See EAP_CORE_REMOVE_SESSION_TIMEOUT_ID.
 * Time is in milliseconds.
 */
const u32_t EAP_CORE_REMOVE_SESSION_TIMEOUT = 10000ul; /* milli seconds */
|
336 |
|
337 #if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER) |
|
/**
 * This is the maximum time the client waits for EAP-Request/Identity and EAP-Request/type packets.
 * See EAP_CORE_WAIT_EAP_REQUEST_TYPE_ID.
 * This is the default of the EAP_CORE_wait_eap_request_type_timeout option.
 * Time is in milliseconds.
 */
const u32_t EAP_CORE_WAIT_EAP_REQUEST_TYPE_TIMEOUT = 5000ul; /* milli seconds */
|
344 #endif //#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER) |
|
345 |
|
346 #if defined(USE_EAP_CORE_SERVER) |
|
/**
 * This is the default policy for the EAP-Nak message.
 * False means EAP-Nak is processed after a timeout (see EAP_CORE_DELAYED_EAP_NAK_PROCESS_TIMEOUT).
 * True means EAP-Nak is processed immediately.
 * See eap_core_c::m_process_eap_nak_immediately.
 */
const bool EAP_CORE_PROCESS_EAP_NAK_IMMEDIATELY = true;
|
353 #endif //#if defined(USE_EAP_CORE_SERVER) |
|
354 |
|
355 |
|
356 |
|
357 /// A eap_core_c class implements the basic functionality of EAP-type. |
|
358 class EAP_EXPORT eap_core_c |
|
359 : public abs_eap_core_map_c |
|
360 , public abs_eap_base_type_c |
|
361 , public abs_eap_base_timer_c |
|
362 , public abs_eap_stack_interface_c |
|
363 { |
|
364 private: |
|
365 //-------------------------------------------------- |
|
366 |
|
/// This is a back pointer to the object which created this object.
/// Packets are sent to the partner.
abs_eap_core_c *m_partner;

/// This is a pointer to the tools class.
abs_eap_am_tools_c * const m_am_tools;

/// This stores eap_base_type objects using an eap_variable_data selector.
eap_core_map_c<eap_base_type_c, abs_eap_core_map_c, eap_variable_data_c> m_type_map;

/// This stores the current EAP-type. When requested, we send our ID using
/// our default EAP-type. This is our best guess of the other peer's EAP-type.
/// The other peer will send the real EAP-type later and we can NAK it then
/// and send our own EAP-type. This is due to the limitations of the EAP-protocol.
eap_type_value_e m_current_eap_type;

/// This is our default EAP-type.
eap_type_value_e m_default_eap_type;

/// This is the queried EAP-identity.
/// This is saved because other EAP-types may be loaded afterwards
/// and they may query the EAP-identity.
eap_variable_data_c m_eap_identity;

/// This is the offset in bytes of the EAP-type header.
u32_t m_eap_header_offset;

/// This is the maximum transfer unit in bytes.
u32_t m_MTU;

/// This is the length of the trailer in bytes.
u32_t m_trailer_length;

/// This is the network identity of the received packet.
eap_am_network_id_c m_receive_network_id;

/// Re-transmission is used to test protocols.
/// This stores the information needed to resend a message. This is used for testing purposes.
eap_core_retransmission_c *m_retransmission;

/// Re-transmission is used to test protocols.
/// This is the time after which a message is resent. This is used for testing purposes.
u32_t m_retransmission_time;

/// Re-transmission is used to test protocols.
/// This is the maximum count of retransmissions of one message. This is used for testing purposes.
u32_t m_retransmission_counter;

/// This is the maximum time within which authentication could succeed.
/// Authentication is terminated after this time elapses.
/// The EAP-type could change the timeout by calling the set_session_timeout() function.
u32_t m_session_timeout;

/// Time after which a received EAP-Failure is handled.
/// Presumably initialised from EAP_CORE_failure_received_timeout with default
/// EAP_CORE_FAILURE_RECEIVED_TIMEOUT; confirm in eap_core.cpp.
u32_t m_eap_core_failure_received_timeout;

/// Delay after which the EAP-session is removed once authentication has finished.
/// Presumably initialised from EAP_CORE_REMOVE_SESSION_TIMEOUT; confirm in eap_core.cpp.
u32_t m_remove_session_timeout;

#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER)
/// Maximum time the client waits for EAP-Request/Identity and EAP-Request/type packets.
/// See EAP_CORE_WAIT_EAP_REQUEST_TYPE_ID.
u32_t m_wait_eap_request_type_timeout;
/// Presumably true while the EAP_CORE_WAIT_EAP_REQUEST_TYPE_ID timer is armed; confirm in eap_core.cpp.
bool m_wait_eap_request_type_timeout_set;
#endif //#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER)

/// Latest received EAP-identifier. Used only for EAP-Request/Identity handling in the client.
/// Ensures that the EAP-Response/Identity is sent with the latest EAP-identifier.
u8_t m_eap_identity_request_identifier_client;

/// This indicates whether this object is client (true) or server (false).
/// In terms of the EAP-protocol, whether this network entity is EAP-supplicant (true) or EAP-authenticator (false).
bool m_is_client;

/// This indicates whether the authentication role of this object is client (true) or server (false).
/// In terms of the EAP-protocol, whether this network entity's authentication role is EAP-supplicant (true) or EAP-authenticator (false).
/// NOTE the LEAP type changes the authentication role during the authentication session.
bool m_is_client_role;

/// This indicates whether this object was constructed successfully.
bool m_is_valid;

/// Client has initiated a restart.
bool m_client_restart_authentication_initiated;

/// This flag indicates that this object is marked to be removed asynchronously.
/// The very same object could be taken into use before the removing timer elapses.
bool m_marked_removed;

/// This flag prevents the server from accepting multiple EAP-Response/Identity messages.
/// This is set true after the server accepts an EAP-Response/Identity message.
bool m_eap_identity_response_accepted;

/// Function shutdown() has already been called.
bool m_shutdown_was_called;

/// Server received an EAP-Response from the client. The server must not send any other EAP-type; it could send EAP-Failure or EAP-Success.
/// Client sent a response. The client must not accept any other EAP-type.
bool m_eap_type_response_sent;

/// Tells whether this is a tunneled EAP-session, for example inside a PEAP or TTLS tunnel.
/// This causes some changes to timeouts.
bool m_is_tunneled_eap;

#if defined(USE_EAP_CORE_SERVER)
/// If this flag is true EAP-Response/Nak is processed immediately.
/// If this flag is false EAP-Response/Nak is processed after a timeout.
/// A more suitable EAP-Response might be received meanwhile.
/// See EAP_CORE_PROCESS_EAP_NAK_IMMEDIATELY.
bool m_process_eap_nak_immediately;

/// EAP-Response/Nak processing has been initiated (delayed-Nak timer running).
bool m_nak_process_timer_active;

/// This flag prevents the server from sending multiple EAP-Request/Identity messages.
bool m_eap_identity_request_send;

/// This is set true after the server receives an EAP-Response/Identity message.
bool m_eap_identity_response_received;

/// This flag is set true after an EAP-Failure is sent.
bool m_eap_failure_sent;

/// This flag selects whether EAP-Success is sent after the state notification is forwarded to the lower layer (true)
/// or EAP-Success is sent before the state notification is forwarded to the lower layer (false).
/// See EAP_CORE_send_eap_success_after_notification.
bool m_send_eap_success_after_notification;

#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER)
/// This flag selects whether EAP-Request/Identity is sent (true) or not (false).
/// See EAP_CORE_skip_eap_request_identity.
bool m_skip_eap_request_identity;
#endif //#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER)
#endif //#if defined(USE_EAP_CORE_SERVER)

/// Presumably selects whether the EAP expanded type encoding is used; not documented in this header, confirm in eap_core.cpp.
bool m_use_eap_expanded_type;

/// Some of the protocols terminate with EAP-Failure. This flag tells the core to ignore EAP-Failure.
bool m_ignore_eap_failure;

/// Presumably suppresses state notifications to the partner; not documented in this header, confirm in eap_core.cpp.
bool m_ignore_notifications;
|
501 |
|
502 // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
|
503 |
|
/**
 * Re-transmission is used to test protocols.
 * This function resends the packet.
 * @param send_network_id network identity the packet is sent to.
 * @param sent_packet the packet buffer to resend.
 * @param header_offset offset in bytes of the EAP header inside sent_packet.
 * @param data_length length in bytes of the data to send.
 * @param buffer_free free space of the buffer (presumably bytes; confirm in eap_core.cpp).
 * @param retransmission_counter retransmission count for this packet (presumably remaining count; confirm in eap_core.cpp).
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e resend_packet(
	const eap_am_network_id_c * const send_network_id,
	eap_buf_chain_wr_c * const sent_packet,
	const u32_t header_offset,
	const u32_t data_length,
	const u32_t buffer_free,
	const u32_t retransmission_counter
	);
|
516 |
|
/**
 * Re-transmission is used to test protocols.
 * This function cancels retransmissions (see EAP_CORE_TIMER_RETRANSMISSION_ID).
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e cancel_retransmission();
|
522 |
|
/**
 * Re-transmission is used to test protocols.
 * This function initialises retransmission of a sent packet.
 * @param send_network_id network identity the packet was sent to.
 * @param sent_packet the packet buffer to be retransmitted.
 * @param header_offset offset in bytes of the EAP header inside sent_packet.
 * @param data_length length in bytes of the sent data.
 * @param eap_code EAP code of the sent packet.
 * @param eap_identifier EAP identifier of the sent packet.
 * @param eap_type EAP type of the sent packet.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e init_retransmission(
	const eap_am_network_id_c * const send_network_id,
	eap_buf_chain_wr_c * const sent_packet,
	const u32_t header_offset,
	const u32_t data_length,
	const eap_code_value_e eap_code,
	const u8_t eap_identifier,
	const eap_type_value_e eap_type
	);
|
536 |
|
/**
 * This function cancels the previous session timeout and initialises a new timeout for the session.
 * See EAP_CORE_SESSION_TIMEOUT_ID.
 * @param session_timeout_ms timeout in milliseconds.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e initialize_session_timeout(
	const u32_t session_timeout_ms);
|
542 |
|
/**
 * This function cancels the timeout for a session (see EAP_CORE_SESSION_TIMEOUT_ID).
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e cancel_session_timeout();
|
547 |
|
/**
 * This function calls shutdown() for one eap_base_type_c object.
 * Static so it can be applied to each entry of m_type_map.
 * @param value the EAP-type object to shut down.
 * @param m_am_tools pointer to the tools class. NOTE: the parameter name shadows the member of the same name.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT static eap_status_e shutdown_operation(
	eap_base_type_c * const value,
	abs_eap_am_tools_c * const m_am_tools);
|
554 |
|
/**
 * This function calls reset() for one eap_base_type_c object.
 * Static so it can be applied to each entry of m_type_map.
 * @param handler the EAP-type object to reset.
 * @param m_am_tools pointer to the tools class. NOTE: the parameter name shadows the member of the same name.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT static eap_status_e reset_operation(
	eap_base_type_c * const handler,
	abs_eap_am_tools_c * const m_am_tools);
|
561 |
|
/**
 * Client-side proposal of EAP-types to the other peer; presumably sends the
 * EAP-Nak carrying the client's acceptable types (see send_eap_nak_response()) — confirm in eap_core.cpp.
 * @param receive_network_id network identity of the received packet.
 * @param eap_identifier EAP identifier to use in the response.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e client_proposes_eap_types(
	const eap_am_network_id_c * const receive_network_id,
	const u8_t eap_identifier);
|
565 |
|
/**
 * This function processes an EAP-packet with a known EAP-type.
 * @param used_eap_type the EAP-type the packet is dispatched to.
 * @param receive_network_id network identity of the received packet.
 * @param packet_data the received packet.
 * @param packet_length length in bytes of packet_data; the only bound on the
 *        received data visible here, so parsing must stay within it.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e packet_process_type(
	const eap_type_value_e used_eap_type,
	const eap_am_network_id_c * const receive_network_id,
	eap_general_header_base_c * const packet_data,
	const u32_t packet_length);
|
574 |
|
575 #if defined(USE_EAP_CORE_SERVER) |
|
/**
 * This function re-starts authentication with a new EAP-type.
 * Only the server calls this function.
 * @param used_eap_type the EAP-type to restart with.
 * @param receive_network_id network identity of the received packet.
 * @param eap_identifier EAP identifier of the triggering packet.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e restart_with_new_type(
	const eap_type_value_e used_eap_type,
	const eap_am_network_id_c * const receive_network_id,
	const u8_t eap_identifier);
|
584 #endif //#if defined(USE_EAP_CORE_SERVER) |
|
585 |
|
586 #if defined(USE_EAP_CORE_SERVER) |
|
/**
 * Server-side handling of a received EAP-Response/Identity.
 * See m_eap_identity_response_accepted, which limits the server to one accepted identity response.
 * @param handler the EAP-type object the response is passed to.
 * @param used_eap_type the EAP-type in use.
 * @param receive_network_id network identity of the received packet.
 * @param eap the EAP header of the received packet.
 * @param packet_length length in bytes of the received packet.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e handle_eap_identity_response(
	eap_base_type_c * const handler,
	const eap_type_value_e used_eap_type,
	const eap_am_network_id_c * const receive_network_id,
	eap_header_wr_c * const eap,
	const u32_t packet_length);
|
593 #endif //#if defined(USE_EAP_CORE_SERVER) |
|
594 |
|
/**
 * This function handles EAP-Request/Identity.
 * See m_eap_identity_request_identifier_client.
 * @param used_eap_type the EAP-type in use.
 * @param eap_identifier EAP identifier of the request.
 * @param receive_network_id network identity of the received packet.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e handle_eap_identity_request(
	const eap_type_value_e used_eap_type,
	const u8_t eap_identifier,
	const eap_am_network_id_c * const receive_network_id);
|
602 |
|
/**
 * This function creates EAP-Response/Identity.
 * @param response_packet buffer the response is built into.
 * @param identity the EAP-identity placed in the response.
 * @param eap_identifier EAP identifier to use in the response.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e create_eap_identity_response(
	eap_buf_chain_wr_c * const response_packet,
	const eap_variable_data_c * const identity,
	const u8_t eap_identifier
	);
|
611 |
|
/**
 * This function sends EAP-Response/Identity.
 * @param send_network_id network identity the response is sent to.
 * @param identity the EAP-identity placed in the response.
 * @param eap_identifier EAP identifier to use in the response.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e send_eap_identity_response(
	const eap_am_network_id_c * const send_network_id,
	const eap_variable_data_c * const identity,
	const u8_t eap_identifier);
|
619 |
|
/**
 * This function sends EAP-Response/Notification.
 * @param send_network_id network identity the response is sent to.
 * @param eap_identifier EAP identifier to use in the response.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e send_eap_notification_response(
	const eap_am_network_id_c * const send_network_id,
	const u8_t eap_identifier);
|
626 |
|
/**
 * This function initialises the timeout for a received EAP-Failure.
 * See EAP_CORE_FAILURE_RECEIVED_ID and m_eap_core_failure_received_timeout.
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e set_eap_failure_timeout();
|
631 |
|
/**
 * This function cancels the timeout for a received EAP-Failure (see EAP_CORE_FAILURE_RECEIVED_ID).
 * @return eap_status_e status code.
 */
EAP_FUNC_IMPORT eap_status_e cancel_eap_failure_timeout();
|
636 |
|
637 #if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER) |
|
/// Arms the EAP_CORE_WAIT_EAP_REQUEST_TYPE_ID timer using m_wait_eap_request_type_timeout.
/// @return eap_status_e status code.
eap_status_e set_wait_eap_request_type_timeout();
|
639 |
|
/// Cancels the EAP_CORE_WAIT_EAP_REQUEST_TYPE_ID timer.
/// @return eap_status_e status code.
eap_status_e cancel_wait_eap_request_type_timeout();
|
641 #endif //#if defined(USE_EAP_CORE_WAIT_REQUEST_TYPE_TIMER) |
|
642 |
|
/// Starts the asynchronous removal of this EAP-session; see m_marked_removed and EAP_CORE_REMOVE_SESSION_TIMEOUT_ID.
/// @return eap_status_e status code.
EAP_FUNC_IMPORT eap_status_e asynchronous_init_remove_eap_session();
|
644 |
|
/// Arms the EAP_CORE_REMOVE_SESSION_TIMEOUT_ID timer that removes this session.
/// @param remove_session_timeout delay before removal (milliseconds, per EAP_CORE_REMOVE_SESSION_TIMEOUT).
/// @return eap_status_e status code.
EAP_FUNC_IMPORT eap_status_e initialize_asynchronous_init_remove_eap_session(
	const u32_t remove_session_timeout);
|
647 |
|
/// Cancels the pending asynchronous removal of this EAP-session (EAP_CORE_REMOVE_SESSION_TIMEOUT_ID).
/// @return eap_status_e status code.
EAP_FUNC_IMPORT eap_status_e cancel_asynchronous_init_remove_eap_session();
|
649 |
|
/// Starts end-of-session handling for the given state notification; presumably this is where
/// session removal is scheduled — confirm in eap_core.cpp.
/// @param state the state notification that ends the session.
/// @return eap_status_e status code.
eap_status_e init_end_of_session(
	const abs_eap_state_notification_c * const state);
|
652 |
|
/// Presumably rewrites the identity in place with routing information and NAI decoration — confirm in eap_core.cpp.
/// @param identity the EAP-identity to modify.
/// @return eap_status_e status code.
eap_status_e set_eap_identity_routing_info_and_nai_decoration(
	eap_variable_data_c * const identity);
|
655 |
|
656 //-------------------------------------------------- |
|
657 protected: |
|
658 //-------------------------------------------------- |
|
659 |
|
660 //-------------------------------------------------- |
|
661 public: |
|
662 //-------------------------------------------------- |
|
663 |
|
/**
 * The destructor of the eap_core class does nothing special.
 * Virtual because eap_core_c is used through its abstract base classes.
 */
EAP_FUNC_IMPORT virtual ~eap_core_c();
|
668 |
|
/**
 * The constructor initialises member attributes using the parameters passed to it.
 * @param tools is a pointer to the tools class. @see abs_eap_am_tools_c.
 * @param partner is a back pointer to the object which created this object.
 * @param is_client_when_true indicates whether the network entity should act
 * as a client (true) or server (false); in terms of the EAP-protocol
 * whether this network entity is EAP-supplicant (true) or EAP-authenticator (false).
 * @param receive_network_id is the network identity of the received packet
 * (presumably stored in m_receive_network_id; confirm in eap_core.cpp).
 * @param is_tunneled_eap tells that EAP is run inside a tunnel (PEAP or other).
 */
EAP_FUNC_IMPORT eap_core_c(
	abs_eap_am_tools_c * const tools,
	abs_eap_core_c * const partner,
	const bool is_client_when_true,
	const eap_am_network_id_c * const receive_network_id,
	const bool is_tunneled_eap);
|
684 |
|
/**
 * The load_type() function indicates to the lower level to load
 * a new module implementing an EAP-type. The type parameter is the requested EAP-type.
 * @param type is the identifier of the required EAP type.
 * @param tunneling_type is the EAP-type of the enclosing tunnel (presumably; confirm in eap_core.cpp).
 * @param receive_network_id network identity of the received packet.
 * @return Function returns a pointer to the EAP type object. The declaration does not
 *         state what is returned when loading fails; callers should treat a null
 *         pointer as failure — confirm in eap_core.cpp.
 */
EAP_FUNC_IMPORT eap_base_type_c * load_type(
	const eap_type_value_e type,
	const eap_type_value_e tunneling_type,
	const eap_am_network_id_c * const receive_network_id);
|
695 |
|
/**
 * Traces an EAP packet header for debugging.
 * @param prefix string printed before the trace output.
 * @param eap_header the EAP header to trace.
 */
EAP_FUNC_IMPORT void trace_eap_packet(
	eap_const_string prefix,
	const eap_header_wr_c * const eap_header);
|
699 |
|
// This is documented in abs_eap_stack_interface_c::packet_process().
// NOTE(review): packet_length is the only bound on packet_data visible here; confirm that the
// implementation validates the EAP header length field against it before dispatching
// to packet_process_type().
EAP_FUNC_IMPORT eap_status_e packet_process(
	const eap_am_network_id_c * const receive_network_id,
	eap_general_header_base_c * const packet_data,
	const u32_t packet_length);
|
705 |
|
// This is documented in abs_eap_base_type_c::packet_send().
// NOTE(review): header_offset + data_length should not exceed buffer_length; confirm the
// implementation checks this before forwarding to m_partner.
EAP_FUNC_IMPORT eap_status_e packet_send(
	const eap_am_network_id_c * const send_network_id,
	eap_buf_chain_wr_c * const sent_packet,
	const u32_t header_offset,
	const u32_t data_length,
	const u32_t buffer_length);
|
713 |
|
/**
 * The get_partner() function returns a pointer to the partner class (m_partner).
 * @return the partner object; ownership stays with the caller of the constructor.
 */
EAP_FUNC_IMPORT abs_eap_core_c * get_partner();
|
718 |
|
/**
 * The set_partner() function sets the pointer to the partner class (m_partner).
 * @param partner the new partner; this object does not take ownership.
 */
EAP_FUNC_IMPORT void set_partner(abs_eap_core_c * const partner);
|
723 |
|
// This is documented in abs_eap_base_type_c::get_header_offset().
// Out-parameters MTU and trailer_length are filled in; the returned value is the header offset in bytes.
EAP_FUNC_IMPORT u32_t get_header_offset(
	u32_t * const MTU,
	u32_t * const trailer_length);
|
728 |
|
// This is documented in abs_eap_base_type_c::load_module().
// The second parameter (tunneling_type) is intentionally unnamed because this
// implementation does not use it.
EAP_FUNC_IMPORT eap_status_e load_module(
	const eap_type_value_e type,
	const eap_type_value_e /* tunneling_type */,
	abs_eap_base_type_c * const partner,
	eap_base_type_c ** const eap_type,
	const bool is_client_when_true,
	const eap_am_network_id_c * const receive_network_id);
|
737 |
|
738 // This is documented in abs_eap_base_type_c::unload_module(). |
|
739 EAP_FUNC_IMPORT eap_status_e unload_module( |
|
740 const eap_type_value_e type); |
|
741 |
|
742 /** |
|
743 * The adaptation module calls the eap_acknowledge() function after |
|
744 * any Network Protocol packet is received; this is used as a success indication. |
|
745 * This is described in RFC 2284 "PPP Extensible Authentication Protocol (EAP)". |
|
746 * Usually there is only one session in the client. |
|
747 * The server does not need the eap_acknowledge() function because |
|
748 * the server (EAP-authenticator) itself sends the EAP-Success message and so already knows the outcome. |
|
749 */ |
|
750 EAP_FUNC_IMPORT eap_status_e eap_acknowledge( |
|
751 const eap_am_network_id_c * const receive_network_id); |
|
752 |
|
753 // This is documented in abs_eap_base_type_c::restart_authentication(). |
|
754 EAP_FUNC_IMPORT eap_status_e restart_authentication( |
|
755 const eap_am_network_id_c * const send_network_id, |
|
756 const bool is_client_when_true); |
|
757 |
|
758 /** |
|
759 * The EAP Core calls the send_eap_nak_response() function |
|
760 * when EAP-authentication with requested EAP type is not possible. |
|
761 * @param receive_network_id includes the addresses (network identity) and packet type. |
|
762 * @param eap_identifier is the EAP-Identifier to be used with EAP-Nak message. |
|
763 * @param eap_type_list is the list of acceptable EAP-Types to be announced to the other peer. |
|
764 */ |
|
765 EAP_FUNC_IMPORT eap_status_e send_eap_nak_response( |
|
766 const eap_am_network_id_c * const receive_network_id, |
|
767 const u8_t eap_identifier, |
|
768 const eap_array_c<eap_type_value_e> * const eap_type_list); |
|
769 |
|
770 |
|
771 #if defined(USE_EAP_CORE_SERVER) |
|
772 |
|
773 /** |
|
774 * The EAP Core calls the send_eap_identity_request() function |
|
775 * when EAP-authentication is needed with another peer. |
|
776 * @param network_id includes the addresses (network identity) and packet type. |
|
777 */ |
|
778 EAP_FUNC_IMPORT eap_status_e send_eap_identity_request( |
|
779 const eap_am_network_id_c * const network_id); |
|
780 |
|
781 /** |
|
782 * Sends an EAP-Success message with the given EAP identifier to send_network_id. |
|
783 */ |
|
784 EAP_FUNC_IMPORT eap_status_e send_eap_success( |
|
785 const eap_am_network_id_c * const send_network_id, |
|
786 const u8_t eap_identifier); |
|
787 |
|
788 /** |
|
789 * Sends an EAP-Failure message with the given EAP identifier to send_network_id. |
|
790 */ |
|
791 EAP_FUNC_IMPORT eap_status_e send_eap_failure( |
|
792 const eap_am_network_id_c * const send_network_id, |
|
793 const u8_t eap_identifier); |
|
794 |
|
795 #endif //#if defined(USE_EAP_CORE_SERVER) |
|
796 |
|
797 |
|
798 // This is documented in abs_eap_base_type_c::packet_data_crypto_keys(). |
|
799 EAP_FUNC_IMPORT eap_status_e packet_data_crypto_keys( |
|
800 const eap_am_network_id_c * const send_network_id, |
|
801 const eap_master_session_key_c * const master_session_key |
|
802 ); |
|
803 |
|
804 // This is documented in abs_eap_stack_interface_c::configure(). |
|
805 EAP_FUNC_IMPORT eap_status_e configure(); |
|
806 |
|
807 // This is documented in abs_eap_stack_interface_c::shutdown(). |
|
808 EAP_FUNC_IMPORT eap_status_e shutdown(); |
|
809 |
|
810 // This is documented in abs_eap_base_type_c::read_configure(). |
|
811 EAP_FUNC_IMPORT virtual eap_status_e read_configure( |
|
812 const eap_configuration_field_c * const field, |
|
813 eap_variable_data_c * const data); |
|
814 |
|
815 // This is documented in abs_eap_base_type_c::write_configure(). |
|
816 EAP_FUNC_IMPORT virtual eap_status_e write_configure( |
|
817 const eap_configuration_field_c * const field, |
|
818 eap_variable_data_c * const data); |
|
819 |
|
820 // This is documented in abs_eap_stack_interface_c::set_is_valid(). |
|
821 EAP_FUNC_IMPORT void set_is_valid(); |
|
822 |
|
823 // This is documented in abs_eap_stack_interface_c::get_is_valid(). |
|
824 EAP_FUNC_IMPORT bool get_is_valid(); |
|
825 |
|
826 // This is documented in abs_eap_base_type_c::state_notification(). |
|
827 EAP_FUNC_IMPORT void state_notification( |
|
828 const abs_eap_state_notification_c * const state); |
|
829 |
|
830 // See abs_eap_base_timer_c::timer_expired(). |
// NOTE(review): data is the untyped pointer registered through set_timer(); its
// type and ownership cannot be determined from this declaration — confirm in
// the implementation before dereferencing or freeing it.
|
831 EAP_FUNC_IMPORT eap_status_e timer_expired( |
|
832 const u32_t id, void *data); |
|
833 |
|
834 // See abs_eap_base_timer_c::timer_delete_data(). |
// NOTE(review): presumably this is where the data pointer given to set_timer()
// is released; confirm in the implementation that it is released exactly once
// (here, not also in timer_expired()).
|
835 EAP_FUNC_IMPORT eap_status_e timer_delete_data( |
|
836 const u32_t id, void *data); |
|
837 |
|
838 /** |
|
839 * The eap_core_map_c class increases the reference count each time a reference to a stored object is fetched. |
|
840 * Here there is always just one state per session, so no references are used. |
|
841 */ |
|
842 EAP_FUNC_IMPORT void object_increase_reference_count(); |
|
843 |
|
844 /** |
|
845 * Counterpart of object_increase_reference_count(): the eap_core_map_c class decreases the reference count when a fetched reference is given back. |
|
846 * Here there is always just one state per session, so no references are used. |
|
847 */ |
|
848 EAP_FUNC_IMPORT u32_t object_decrease_reference_count(); |
|
849 |
|
850 /** |
|
851 * @{ Add configuration of accepted EAP-types. } |
|
852 */ |
|
853 // This is documented in abs_eap_base_type_c::check_is_valid_eap_type(). |
|
854 EAP_FUNC_IMPORT eap_status_e check_is_valid_eap_type(const eap_type_value_e eap_type); |
|
855 |
|
856 // This is documented in abs_eap_base_type_c::get_eap_type_list(). |
|
857 EAP_FUNC_IMPORT eap_status_e get_eap_type_list( |
|
858 eap_array_c<eap_type_value_e> * const eap_type_list); |
|
859 |
|
860 /** |
|
861 * Returns whether this session is marked as removed. |
|
862 * A session marked as removed is removed later unless it is reused. |
|
863 */ |
|
864 EAP_FUNC_IMPORT bool get_marked_removed(); |
|
865 |
|
866 /** |
|
867 * Marks this session removed. |
|
868 * Session is removed later if it is not reused. |
|
869 */ |
|
870 EAP_FUNC_IMPORT void set_marked_removed(); |
|
871 |
|
872 /** |
|
873 * Clears the removed mark of this session. |
|
874 * The session is not removed because it is reused. |
|
875 */ |
|
876 EAP_FUNC_IMPORT void unset_marked_removed(); |
|
877 |
|
878 /** |
|
879 * Prevents all notifications. |
|
880 */ |
|
881 EAP_FUNC_IMPORT void ignore_notifications(); |
|
882 |
|
883 /** |
|
884 * This function must reset the object's state to what it was |
|
885 * immediately after the configure() function call. |
|
886 * If the reset succeeds this function must return eap_status_ok. |
|
887 * If the reset fails this function must return the corresponding error status. |
|
888 * @return The status of the reset operation. |
|
889 */ |
|
890 EAP_FUNC_IMPORT eap_status_e reset(); |
|
891 |
|
892 // This is documented in abs_eap_base_type_c::complete_eap_identity_query(). |
|
893 EAP_FUNC_IMPORT eap_status_e complete_eap_identity_query( |
|
894 const eap_am_network_id_c * const send_network_id, |
|
895 const eap_variable_data_c * const identity, |
|
896 const u8_t eap_identifier); |
|
897 |
|
898 // This is documented in abs_eap_base_type_c::get_saved_eap_identity(). |
|
899 EAP_FUNC_IMPORT eap_status_e get_saved_eap_identity(eap_variable_data_c * const identity); |
|
900 |
|
901 // This is documented in abs_eap_base_type_c::set_session_timeout(). |
|
902 EAP_FUNC_IMPORT eap_status_e set_session_timeout( |
|
903 const u32_t session_timeout_ms); |
|
904 |
|
905 // This is documented in abs_eap_base_type_c::set_timer(). |
|
906 EAP_FUNC_IMPORT eap_status_e set_timer( |
|
907 abs_eap_base_timer_c * const p_initializer, |
|
908 const u32_t p_id, |
|
909 void * const p_data, |
|
910 const u32_t p_time_ms); |
|
911 |
|
912 // This is documented in abs_eap_base_type_c::cancel_timer(). |
|
913 EAP_FUNC_IMPORT eap_status_e cancel_timer( |
|
914 abs_eap_base_timer_c * const p_initializer, |
|
915 const u32_t p_id); |
|
916 |
|
917 // This is documented in abs_eap_base_type_c::cancel_all_timers(). |
|
918 EAP_FUNC_IMPORT eap_status_e cancel_all_timers(); |
|
919 |
|
920 // This is documented in abs_eap_base_type_c::set_authentication_role(). |
|
921 EAP_FUNC_IMPORT eap_status_e set_authentication_role(const bool when_true_set_client); |
|
922 |
|
923 // This is documented in abs_eap_base_type_c::add_rogue_ap(). |
|
924 EAP_FUNC_IMPORT eap_status_e add_rogue_ap(eap_array_c<eap_rogue_ap_entry_c> & rogue_ap_list); |
|
925 |
|
926 // This is documented in abs_eap_base_type_c::get_is_tunneled(). |
|
927 EAP_FUNC_IMPORT bool get_is_tunneled_eap() const; |
|
928 |
|
929 //-------------------------------------------------- |
|
930 }; // class eap_core_c |
|
931 |
|
932 |
|
933 #endif //#if !defined(_EAP_CORE_H_) |
|
934 |
|
935 //-------------------------------------------------- |
|
936 |
|
937 |
|
938 |
|
939 // End. |