2 * EAP peer state machines (RFC 4137)
33 #define STATE_MACHINE_DEBUG_PREFIX "EAP"
92 wpa_printf(MSG_DEBUG, "EAP: Status notification: %s (param=%s)",
101 wpa_printf(MSG_DEBUG, "EAP: Error notification: %d", error_code);
124 wpa_printf(MSG_DEBUG, "EAP: deinitialize previously used EAP method "
133 * eap_config_allowed_method - Check whether EAP method is allowed
134 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
135 * @config: EAP configuration
137 * @method: EAP type
138 * Returns: 1 = allowed EAP method, 0 = not allowed
161 * eap_allowed_method - Check whether EAP method is allowed
162 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
164 * @method: EAP type
165 * Returns: 1 = allowed EAP method, 0 = not allowed
216 SM_STATE(EAP, INITIALIZE)
218 SM_ENTRY(EAP, INITIALIZE);
223 wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
244 * the first EAP-Packet */
279 SM_STATE(EAP, DISABLED)
281 SM_ENTRY(EAP, DISABLED);
286 * allows the timer tick to be stopped more quickly when EAP is not in
298 SM_STATE(EAP, IDLE)
300 SM_ENTRY(EAP, IDLE);
305 * This state is entered when an EAP packet is received (eapReq == true) to
308 SM_STATE(EAP, RECEIVED)
312 SM_ENTRY(EAP, RECEIVED);
328 SM_STATE(EAP, GET_METHOD)
334 SM_ENTRY(EAP, GET_METHOD);
344 wpa_printf(MSG_DEBUG, "EAP: vendor %u method %u not allowed",
372 wpa_printf(MSG_DEBUG, "EAP: Using previous method data"
384 wpa_printf(MSG_DEBUG, "EAP: Could not find selected method: "
392 wpa_printf(MSG_DEBUG, "EAP: Initialize selected EAP method: "
407 "EAP: Failed to initialize EAP method: vendor %u "
419 * current EAP packet.
421 wpa_printf(MSG_DEBUG, "EAP: Pending PIN/passphrase "
431 "EAP vendor %u method %u (%s) selected",
501 wpa_printf(MSG_DEBUG, "EAP: Build realm from IMSI (eap_proxy)");
518 wpa_printf(MSG_DEBUG, "EAP: Generated realm '%s'", realm);
579 wpa_printf(MSG_DEBUG, "EAP: Delete old ERP key %s",
600 "EAP: Failed to find ERP key for realm: %s",
705 wpa_printf(MSG_DEBUG, "EAP: Realm for ERP keyName-NAI: %s", realm);
715 "EAP: Too long realm for ERP keyName-NAI maximum length");
732 "EAP: No suitable EMSK available for ERP");
736 wpa_hexdump_key(MSG_DEBUG, "EAP: EMSK", emsk, emsk_len);
748 "EAP: No suitable session id available for ERP");
755 wpa_printf(MSG_DEBUG, "EAP: Could not derive EMSKname");
758 wpa_hexdump(MSG_DEBUG, "EAP: EMSKname", EMSKname, EAP_EMSK_NAME_LEN);
767 "EAP Re-authentication Root Key@ietf.org",
769 wpa_printf(MSG_DEBUG, "EAP: Could not derive rRK for ERP");
773 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
780 wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
784 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rIK", erp->rIK, erp->rIK_len);
786 wpa_printf(MSG_DEBUG, "EAP: Stored ERP keys %s", erp->keyname_nai);
824 wpa_printf(MSG_DEBUG, "EAP: Valid ERP key found %s (SEQ=%u)",
853 wpa_hexdump_buf(MSG_DEBUG, "ERP: EAP-Initiate/Re-auth", msg);
867 wpa_printf(MSG_DEBUG, "EAP: Sending EAP-Initiate/Re-auth");
880 SM_STATE(EAP, METHOD)
886 SM_ENTRY(EAP, METHOD);
888 wpa_printf(MSG_WARNING, "EAP::METHOD - method not selected");
894 min_len = 0; /* LEAP uses EAP-Success without payload */
902 * a single function call to m->process() in order to optimize EAP
921 wpa_printf(MSG_DEBUG, "EAP: method process -> ignore=%s "
946 wpa_hexdump(MSG_DEBUG, "EAP: Session-Id",
957 SM_STATE(EAP, SEND_RESPONSE)
959 SM_ENTRY(EAP, SEND_RESPONSE);
970 wpa_printf(MSG_DEBUG, "EAP: No eapRespData available");
983 SM_STATE(EAP, DISCARD)
985 SM_ENTRY(EAP, DISCARD);
994 SM_STATE(EAP, IDENTITY)
998 SM_ENTRY(EAP, IDENTITY);
1012 SM_STATE(EAP, NOTIFICATION)
1016 SM_ENTRY(EAP, NOTIFICATION);
1030 SM_STATE(EAP, RETRANSMIT)
1032 SM_ENTRY(EAP, RETRANSMIT);
1043 * and state machine waits here until port is disabled or EAP authentication is
1046 SM_STATE(EAP, SUCCESS)
1050 SM_ENTRY(EAP, SUCCESS);
1066 * processing the received EAP frame.
1071 "EAP authentication completed successfully");
1077 * EAP-Success could end up getting delivered to the state
1080 * eapol_sm_notify_config() having been used to clear EAP
1084 "EAP: State machine not configured - cannot initialize ERP");
1096 * until port is disabled or EAP authentication is restarted.
1098 SM_STATE(EAP, FAILURE)
1100 SM_ENTRY(EAP, FAILURE);
1112 * eapNoResp is required to be set after processing the received EAP
1118 "EAP authentication failed");
1128 * EAP-Success/Failure with lastId + 1 even though RFC 3748 and
1130 * Ringmaster v2.1.2.0 would be using lastId + 2 in EAP-Success.
1132 * Accept this kind of Id if EAP workarounds are enabled. These are
1134 * security implications (bit easier to fake EAP-Success/Failure).
1138 wpa_printf(MSG_DEBUG, "EAP: Workaround for unexpected "
1139 "identifier field in EAP Success: "
1144 wpa_printf(MSG_DEBUG, "EAP: EAP-Success Id mismatch - reqId=%d "
1151 * RFC 4137 - Appendix A.1: EAP Peer State Machine - State transitions
1159 * not sending EAP-Success in some cases.
1162 SM_ENTER(EAP, RECEIVED);
1167 SM_ENTER(EAP, SUCCESS);
1174 SM_ENTER(EAP, FAILURE);
1178 SM_ENTER(EAP, SUCCESS);
1182 SM_ENTER(EAP, SUCCESS);
1195 * duplicate EAP requests. However, this misses cases where the
1201 wpa_printf(MSG_DEBUG, "EAP: AS used the same Id again, but "
1202 "EAP packets were not identical");
1203 wpa_printf(MSG_DEBUG, "EAP: workaround - assume this is not a "
1227 * odd LEAP behavior (EAP-Success in the middle of authentication and
1233 SM_ENTER(EAP, SUCCESS);
1236 SM_ENTER(EAP, SUCCESS); /* EAP-Success prior any EAP method */
1240 SM_ENTER(EAP, FAILURE); /* EAP-Failure prior any EAP method */
1244 SM_ENTER(EAP, SUCCESS); /* EAP-Success after Identity */
1253 SM_ENTER(EAP, FAILURE);
1255 SM_ENTER(EAP, RETRANSMIT);
1259 SM_ENTER(EAP, NOTIFICATION);
1263 SM_ENTER(EAP, IDENTITY);
1268 SM_ENTER(EAP, GET_METHOD);
1272 SM_ENTER(EAP, METHOD);
1275 SM_ENTER(EAP, METHOD);
1277 SM_ENTER(EAP, SEND_RESPONSE);
1279 SM_ENTER(EAP, DISCARD);
1287 SM_ENTER(EAP, IDLE);
1292 SM_ENTER(EAP, INITIALIZE);
1302 SM_ENTER(EAP, METHOD);
1304 SM_ENTER(EAP, SEND_RESPONSE);
1310 * final EAP method response to be sent without having to change
1313 * expected response is EAP-Failure.
1316 SM_ENTER(EAP, DISCARD);
1319 SM_ENTER(EAP, FAILURE);
1321 SM_ENTER(EAP, SEND_RESPONSE);
1324 SM_ENTER(EAP, IDLE);
1327 SM_ENTER(EAP, IDLE);
1330 SM_ENTER(EAP, SEND_RESPONSE);
1333 SM_ENTER(EAP, SEND_RESPONSE);
1336 SM_ENTER(EAP, SEND_RESPONSE);
1346 SM_STEP(EAP)
1351 SM_ENTER_GLOBAL(EAP, INITIALIZE);
1353 SM_ENTER_GLOBAL(EAP, DISABLED);
1355 /* RFC 4137 does not place any limit on number of EAP messages
1357 * ended up in a state where EAP messages were sent between the
1360 * total number of EAP round-trips and abort authentication if
1364 wpa_msg(sm->msg_ctx, MSG_INFO, "EAP: more than %d "
1368 SM_ENTER_GLOBAL(EAP, FAILURE);
1373 "EAP: more than %d authentication rounds (short) - abort",
1376 SM_ENTER_GLOBAL(EAP, FAILURE);
1389 wpa_printf(MSG_DEBUG, "EAP: configuration does not allow: "
1395 wpa_printf(MSG_DEBUG, "EAP: not included in build: "
1409 wpa_printf(MSG_DEBUG, "EAP: Building expanded EAP-Nak");
1425 wpa_printf(MSG_DEBUG, "EAP: allowed type: "
1436 wpa_printf(MSG_DEBUG, "EAP: no more allowed methods");
1456 wpa_printf(MSG_DEBUG, "EAP: Building EAP-Nak (requested type %u "
1489 wpa_hexdump(MSG_DEBUG, "EAP: allowed methods", start, found);
1503 "EAP authentication started");
1515 * displayed. Some EAP implementations may piggy-back additional
1520 wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Request Identity data",
1661 * eap_sm_buildIdentity - Build EAP-Identity/Response for the current network
1662 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
1663 * @id: EAP identifier for the packet
1664 * @encrypted: Whether the packet is for encrypted tunnel (EAP phase 2)
1665 * Returns: Pointer to the allocated EAP-Identity/Response packet or %NULL on
1668 * This function allocates and builds an EAP-Identity/Response packet for the
1680 wpa_printf(MSG_WARNING, "EAP: buildIdentity: configuration "
1688 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using method re-auth "
1693 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using anonymous identity",
1698 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using machine identity",
1722 "EAP: using IMSI privacy anonymous identity",
1727 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using real identity",
1749 "EAP: buildIdentity: identity configuration was not available");
1781 wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Request Notification data",
1798 wpa_printf(MSG_DEBUG, "EAP: Generating EAP-Response Notification");
1813 wpa_printf(MSG_DEBUG, "EAP: Ignored too short EAP-Initiate");
1819 "EAP: Ignored unexpected EAP-Initiate Type=%u",
1827 "EAP: Too short EAP-Initiate/Re-auth-Start");
1831 wpa_hexdump(MSG_DEBUG, "EAP: EAP-Initiate/Re-auth-Start TVs/TLVs",
1839 "EAP: EAP-Initiate/Re-auth-Start - Domain name",
1850 "EAP: EAP-Initiate/Re-auth-Start - No suitable ERP keys available - try to start full EAP authentication");
1873 wpa_printf(MSG_DEBUG, "EAP: Ignored too short EAP-Finish");
1879 "EAP: Ignored unexpected EAP-Finish Type=%u", *pos);
1885 "EAP: Ignored too short EAP-Finish/Re-auth");
1893 wpa_printf(MSG_DEBUG, "EAP: Flags=0x%x SEQ=%u", flags, seq);
1897 "EAP: Unexpected EAP-Finish/Re-auth SEQ=%u", seq);
1912 "EAP: No keyName-NAI in EAP-Finish/Re-auth Packet");
1916 wpa_hexdump_ascii(MSG_DEBUG, "EAP: EAP-Finish/Re-auth - keyName-NAI",
1920 "EAP: Too long keyName-NAI in EAP-Finish/Re-auth");
1928 wpa_printf(MSG_DEBUG, "EAP: No matching ERP key found for %s",
1939 "EAP: Not enough room for Authentication Tag");
1945 wpa_printf(MSG_DEBUG, "EAP: Different Cryptosuite used");
1956 "EAP: Authentication Tag mismatch");
1967 wpa_hexdump(MSG_DEBUG, "EAP: EAP-Finish/Re-Auth TVs/TLVs",
1974 "EAP: EAP-Finish/Re-auth indicated failure");
1979 "EAP authentication failed");
1982 "EAP: Drop ERP key to try full authentication on next attempt");
2000 wpa_printf(MSG_DEBUG, "EAP: Could not derive rMSK for ERP");
2004 wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rMSK",
2011 "EAP re-authentication completed successfully");
2034 wpa_printf(MSG_DEBUG, "EAP: Ignored truncated EAP-Packet "
2052 wpa_printf(MSG_DEBUG, "EAP: Too short EAP-Request - "
2061 wpa_printf(MSG_DEBUG, "EAP: Ignored truncated "
2062 "expanded EAP-Packet (plen=%lu)",
2070 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Request id=%d "
2080 * need to accept EAP-Response frames if LEAP is used.
2083 wpa_printf(MSG_DEBUG, "EAP: Too short "
2084 "EAP-Response - no Type field");
2090 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Response for "
2095 wpa_printf(MSG_DEBUG, "EAP: Ignored EAP-Response");
2098 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Success");
2103 wpa_printf(MSG_DEBUG, "EAP: Received EAP-Failure");
2123 wpa_printf(MSG_DEBUG, "EAP: Ignored EAP-Packet with unknown "
2193 * eap_peer_sm_init - Allocate and initialize EAP peer state machine
2197 * @conf: EAP configuration
2198 * Returns: Pointer to the allocated EAP state machine or %NULL on failure
2200 * This function allocates and initializes an EAP state machine. In addition,
2201 * this initializes TLS library for the new EAP state machine. eapol_cb pointer
2202 * will be in use until eap_peer_sm_deinit() is used to deinitialize this EAP
2204 * structure remains alive while the EAP state machine is active.
2260 * eap_peer_sm_deinit - Deinitialize and free an EAP peer state machine
2261 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2263 * This function deinitializes EAP state machine and frees all allocated
2270 eap_deinit_prev_method(sm, "EAP deinit");
2282 * eap_peer_sm_step - Step EAP peer state machine
2283 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2284 * Returns: 1 if EAP state was changed or 0 if not
2286 * This function advances EAP state machine to a new state to match with the
2287 * current variables. This should be called whenever variables used by the EAP
2295 SM_STEP_RUN(EAP);
2304 * eap_sm_abort - Abort EAP authentication
2305 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2308 * session without fully deinitializing the EAP state machine.
2320 /* This is not clearly specified in the EAP state machines draft, but
2403 * eap_sm_get_status - Get EAP state machine status
2404 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2410 * Query EAP state machine for status information. This function fills in a
2423 "EAP state=%s\n",
2442 "selectedMethod=%d (EAP-%s)\n",
2550 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2552 * EAP methods can call this function to request identity information for the
2565 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2567 * EAP methods can call this function to request password information for the
2580 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2582 * EAP methods can call this function to request new password information for
2583 * the current network. This is normally called when the EAP method indicates
2595 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2597 * EAP methods can call this function to request SIM or smart card PIN
2610 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2614 * EAP methods can call this function to request a one-time password (OTP) for
2626 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2628 * EAP methods can call this function to request passphrase for a private key
2641 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2642 * @req: EAP method specific request
2652 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2654 * Notify EAP state machines that a monitor was attached to the control
2665 * interface was added. This handles cases where the EAP authentication
2695 * eap_get_phase2_type - Get EAP type for the given EAP phase 2 method name
2696 * @name: EAP method name, e.g., MD5
2697 * @vendor: Buffer for returning EAP Vendor-Id
2698 * Returns: EAP method type or %EAP_TYPE_NONE if not found
2700 * This function maps EAP type names into EAP type numbers that are allowed for
2702 * EAP-PEAP, EAP-TTLS, and EAP-FAST.
2718 * eap_get_phase2_types - Get list of allowed EAP phase 2 types
2720 * @count: Pointer to a variable to be filled with number of returned EAP types
2723 * This function generates an array of allowed EAP phase 2 (tunneled) types for
2763 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2773 * eap_set_workaround - Update EAP workarounds setting
2774 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2775 * @workaround: 1 = Enable EAP workarounds, 0 = Disable EAP workarounds
2785 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2788 * EAP peer methods should avoid using this function if they can use other
2801 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2855 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2888 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2931 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2947 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2963 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2983 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2997 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3020 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3021 * Returns: 1 if EAP keying material is available, 0 if not
3030 * eap_notify_success - Notify EAP state machine about external success trigger
3031 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3034 * WPA-PSK key handshake, is indicating that EAP state machine should move to
3035 * success state. This is mainly used with security modes that do not use EAP
3049 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3051 * Notify EAP state machines that a lower layer has detected a successful
3052 * authentication. This is used to recover from dropped EAP-Success messages.
3069 "EAP authentication completed successfully (based on lower "
3075 * eap_get_eapSessionId - Get Session-Id from EAP state machine
3076 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3078 * Returns: Pointer to the EAP Session-Id or %NULL on failure
3080 * Fetch EAP Session-Id from the EAP state machine. The Session-Id is available
3081 * only after a successful authentication. EAP state machine continues to manage
3097 * eap_get_eapKeyData - Get master session key (MSK) from EAP state machine
3098 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3100 * Returns: Pointer to the EAP keying data or %NULL on failure
3102 * Fetch EAP keying material (MSK, eapKeyData) from the EAP state machine. The
3103 * key is available only after a successful authentication. EAP state machine
3120 * eap_get_eapKeyData - Get EAP response data
3121 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3122 * Returns: Pointer to the EAP response (eapRespData) or %NULL on failure
3124 * Fetch EAP response (eapRespData) from the EAP state machine. This data is
3125 * available when EAP state machine has processed an incoming EAP request. The
3126 * EAP state machine does not maintain a reference to the response after this
3145 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3148 * Notify EAP state machines of context data for smart card operations. This
3160 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3176 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3193 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3194 * @disabled: 1 = EAP disabled, 0 = EAP enabled
3196 * This function is used to force EAP state machine to be disabled when it is
3207 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3217 * eap_notify_pending - Notify that EAP method is ready to re-process a request
3218 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3220 * An EAP method can perform a pending operation (e.g., to get a response from
3223 * received (and still unanswered) EAP request to EAP state machine.
3233 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3278 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3279 * @id: Anonymous identity (e.g., EAP-SIM pseudonym) or %NULL to clear