Kernel
/
iwd
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git
3
0
Fork 0
Code Releases Activity
iwd/src/eap.h

98 lines
3.0 KiB
C
Raw Normal View History

eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
/*
*
* Wireless daemon for Linux
*
* Copyright (C) 2013-2014 Intel Corporation. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <stdint.h>
#include <stdbool.h>
#include <asm/byteorder.h>
#include <linux/types.h>
struct eap_state;
enum eap_result {
EAP_RESULT_SUCCESS,
EAP_RESULT_FAIL,
EAP_RESULT_TIMEOUT,
};
eap: Validate settings, report passwords needed With the goal of requesting the required passwords/passphrases, such as the TLS private key passphrase, from the agent, add a static method eap_check_settings to validate the settings and calculate what passwords are needed for those settings, if any. This is separate from eap_load_settings because that can only be called later, once we've got an eap state machine object. We need to get all the needed EAP credentials from the user before we even start connecting. While we do this, we also validate the settings and output any error messages through l_error (this could be changed so the messages go somewhere else in the future), so I removed the error messages from eap_load_settings and that method now assumes that eap_check_settings has been called before. eap_check_settings calls the appropriate method's .check_settings method if the settings are complete enough to contain the method name. The policy is that any data can be provided inside the l_settings object (from the network provisioning/config file), but some of the more sensitive fields, like private key passwords, can be optionally omitted and then the UI will ask for them and iwd will be careful with caching them. Within struct eap_secret_info, "id" is mainly for the EAP method to locate the info in the list. "value" is the actual value returned by agent. "parameter" is an optional string to be passed to the agent. For a private key passphrase it may be the path to the key file, for a password it may be the username for which the password is requested.
2018-04-18 07:03:22 +02:00
enum eap_secret_type {
EAP_SECRET_LOCAL_PKEY_PASSPHRASE,
EAP_SECRET_REMOTE_PASSWORD,
EAP_SECRET_REMOTE_USER_PASSWORD,
};
eap: Add secret cache policy types eap_append_secret now takes a new cache_policy parameter which can be used by the EAP method to signal that the value received from the agent is to never be cached, i.e. each value can only be used once. The parameter value should be EAP_CACHE_NEVER for this and we use this in value EAP-GTC where the secret tokens are one time use. The EAP_CACHE_TEMPORARY value is used in other methods, it preserves the default behaviour where a secret can be cached for as long as the network stays in range (this is the current implementation more than a design choice I believe, I didn't go for a more specific enum name as this may still change I suppose).
2018-08-09 02:33:16 +02:00
enum eap_secret_cache_policy {
EAP_CACHE_NEVER,
EAP_CACHE_TEMPORARY,
};
eap: Validate settings, report passwords needed With the goal of requesting the required passwords/passphrases, such as the TLS private key passphrase, from the agent, add a static method eap_check_settings to validate the settings and calculate what passwords are needed for those settings, if any. This is separate from eap_load_settings because that can only be called later, once we've got an eap state machine object. We need to get all the needed EAP credentials from the user before we even start connecting. While we do this, we also validate the settings and output any error messages through l_error (this could be changed so the messages go somewhere else in the future), so I removed the error messages from eap_load_settings and that method now assumes that eap_check_settings has been called before. eap_check_settings calls the appropriate method's .check_settings method if the settings are complete enough to contain the method name. The policy is that any data can be provided inside the l_settings object (from the network provisioning/config file), but some of the more sensitive fields, like private key passwords, can be optionally omitted and then the UI will ask for them and iwd will be careful with caching them. Within struct eap_secret_info, "id" is mainly for the EAP method to locate the info in the list. "value" is the actual value returned by agent. "parameter" is an optional string to be passed to the agent. For a private key passphrase it may be the path to the key file, for a password it may be the username for which the password is requested.
2018-04-18 07:03:22 +02:00
struct eap_secret_info {
char *id;
eap: Accept a second id parameter in eap_append_secret Accept two setting IDs in eap_append_secret, first for the username and second for the password in case of the EAP_SECRET_REMOTE_USER_PASSWORD EAP secret type. In all other cases only the first setting is used. Until now for EAP_SECRET_REMOTE_USER_PASSWORD secrets we'd generate the two setting names by adding different suffixes to the ID parameter. Using the two different setting names automatically fixes the issues with using the EAP Identity returned by the agent in EAP-MSCHAPv2 and EAP-PWD.
2018-06-14 03:45:23 +02:00
char *id2;
eap: Validate settings, report passwords needed With the goal of requesting the required passwords/passphrases, such as the TLS private key passphrase, from the agent, add a static method eap_check_settings to validate the settings and calculate what passwords are needed for those settings, if any. This is separate from eap_load_settings because that can only be called later, once we've got an eap state machine object. We need to get all the needed EAP credentials from the user before we even start connecting. While we do this, we also validate the settings and output any error messages through l_error (this could be changed so the messages go somewhere else in the future), so I removed the error messages from eap_load_settings and that method now assumes that eap_check_settings has been called before. eap_check_settings calls the appropriate method's .check_settings method if the settings are complete enough to contain the method name. The policy is that any data can be provided inside the l_settings object (from the network provisioning/config file), but some of the more sensitive fields, like private key passwords, can be optionally omitted and then the UI will ask for them and iwd will be careful with caching them. Within struct eap_secret_info, "id" is mainly for the EAP method to locate the info in the list. "value" is the actual value returned by agent. "parameter" is an optional string to be passed to the agent. For a private key passphrase it may be the path to the key file, for a password it may be the username for which the password is requested.
2018-04-18 07:03:22 +02:00
enum eap_secret_type type;
char *parameter;
char *value;
eap: Add secret cache policy types eap_append_secret now takes a new cache_policy parameter which can be used by the EAP method to signal that the value received from the agent is to never be cached, i.e. each value can only be used once. The parameter value should be EAP_CACHE_NEVER for this and we use this in value EAP-GTC where the secret tokens are one time use. The EAP_CACHE_TEMPORARY value is used in other methods, it preserves the default behaviour where a secret can be cached for as long as the network stays in range (this is the current implementation more than a design choice I believe, I didn't go for a more specific enum name as this may still change I suppose).
2018-08-09 02:33:16 +02:00
enum eap_secret_cache_policy cache_policy;
eap: Validate settings, report passwords needed With the goal of requesting the required passwords/passphrases, such as the TLS private key passphrase, from the agent, add a static method eap_check_settings to validate the settings and calculate what passwords are needed for those settings, if any. This is separate from eap_load_settings because that can only be called later, once we've got an eap state machine object. We need to get all the needed EAP credentials from the user before we even start connecting. While we do this, we also validate the settings and output any error messages through l_error (this could be changed so the messages go somewhere else in the future), so I removed the error messages from eap_load_settings and that method now assumes that eap_check_settings has been called before. eap_check_settings calls the appropriate method's .check_settings method if the settings are complete enough to contain the method name. The policy is that any data can be provided inside the l_settings object (from the network provisioning/config file), but some of the more sensitive fields, like private key passwords, can be optionally omitted and then the UI will ask for them and iwd will be careful with caching them. Within struct eap_secret_info, "id" is mainly for the EAP method to locate the info in the list. "value" is the actual value returned by agent. "parameter" is an optional string to be passed to the agent. For a private key passphrase it may be the path to the key file, for a password it may be the username for which the password is requested.
2018-04-18 07:03:22 +02:00
};
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
typedef void (*eap_tx_packet_func_t)(const uint8_t *eap_data, size_t len,
void *user_data);
typedef void (*eap_key_material_func_t)(const uint8_t *msk_data, size_t msk_len,
const uint8_t *emsk_data, size_t emsk_len,
const uint8_t *iv, size_t iv_len,
eap: export session ID as key materials ERP/FILS requires the session ID which is derived internally to an EAP method.
2019-04-10 23:52:26 +02:00
const uint8_t *session_id, size_t session_len,
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
void *user_data);
typedef void (*eap_complete_func_t)(enum eap_result result, void *user_data);
eap: Add eap event_func This is used to get arbitrary information out of the EAP method. Needed for EAP-WSC to signal credential information obtained from the peer. Other uses include signaling why EAP-WSC failed (e.g. invalid PIN, etc) and processing of M2D discovery messages. The information in M2Ds might be useful to external clients.
2016-09-12 22:26:03 +02:00
typedef void (*eap_event_func_t)(unsigned int event, const void *event_data,
void *user_data);
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
eap: Separate private bits into eap-private.h
2018-06-15 02:57:24 +02:00
bool eap_secret_info_match(const void *a, const void *b);
void eap_secret_info_free(void *data);
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
struct eap_state *eap_new(eap_tx_packet_func_t tx_packet,
eap_complete_func_t complete, void *user_data);
void eap_free(struct eap_state *eap);
eap: Validate settings, report passwords needed With the goal of requesting the required passwords/passphrases, such as the TLS private key passphrase, from the agent, add a static method eap_check_settings to validate the settings and calculate what passwords are needed for those settings, if any. This is separate from eap_load_settings because that can only be called later, once we've got an eap state machine object. We need to get all the needed EAP credentials from the user before we even start connecting. While we do this, we also validate the settings and output any error messages through l_error (this could be changed so the messages go somewhere else in the future), so I removed the error messages from eap_load_settings and that method now assumes that eap_check_settings has been called before. eap_check_settings calls the appropriate method's .check_settings method if the settings are complete enough to contain the method name. The policy is that any data can be provided inside the l_settings object (from the network provisioning/config file), but some of the more sensitive fields, like private key passwords, can be optionally omitted and then the UI will ask for them and iwd will be careful with caching them. Within struct eap_secret_info, "id" is mainly for the EAP method to locate the info in the list. "value" is the actual value returned by agent. "parameter" is an optional string to be passed to the agent. For a private key passphrase it may be the path to the key file, for a password it may be the username for which the password is requested.
2018-04-18 07:03:22 +02:00
void eap_append_secret(struct l_queue **out_missing, enum eap_secret_type type,
eap: Add secret cache policy types eap_append_secret now takes a new cache_policy parameter which can be used by the EAP method to signal that the value received from the agent is to never be cached, i.e. each value can only be used once. The parameter value should be EAP_CACHE_NEVER for this and we use this in value EAP-GTC where the secret tokens are one time use. The EAP_CACHE_TEMPORARY value is used in other methods, it preserves the default behaviour where a secret can be cached for as long as the network stays in range (this is the current implementation more than a design choice I believe, I didn't go for a more specific enum name as this may still change I suppose).
2018-08-09 02:33:16 +02:00
const char *id, const char *id2, const char *parameter,
enum eap_secret_cache_policy cache_policy);
eap: Validate settings, report passwords needed With the goal of requesting the required passwords/passphrases, such as the TLS private key passphrase, from the agent, add a static method eap_check_settings to validate the settings and calculate what passwords are needed for those settings, if any. This is separate from eap_load_settings because that can only be called later, once we've got an eap state machine object. We need to get all the needed EAP credentials from the user before we even start connecting. While we do this, we also validate the settings and output any error messages through l_error (this could be changed so the messages go somewhere else in the future), so I removed the error messages from eap_load_settings and that method now assumes that eap_check_settings has been called before. eap_check_settings calls the appropriate method's .check_settings method if the settings are complete enough to contain the method name. The policy is that any data can be provided inside the l_settings object (from the network provisioning/config file), but some of the more sensitive fields, like private key passwords, can be optionally omitted and then the UI will ask for them and iwd will be careful with caching them. Within struct eap_secret_info, "id" is mainly for the EAP method to locate the info in the list. "value" is the actual value returned by agent. "parameter" is an optional string to be passed to the agent. For a private key passphrase it may be the path to the key file, for a password it may be the username for which the password is requested.
2018-04-18 07:03:22 +02:00
eap: Return specific error when check_settings fails Change the check_settings eap functions to return a negative errno and return more granular Dbus error from the Connect method.
2018-04-28 04:28:44 +02:00
int eap_check_settings(struct l_settings *settings, struct l_queue *secrets,
eap: Validate settings, report passwords needed With the goal of requesting the required passwords/passphrases, such as the TLS private key passphrase, from the agent, add a static method eap_check_settings to validate the settings and calculate what passwords are needed for those settings, if any. This is separate from eap_load_settings because that can only be called later, once we've got an eap state machine object. We need to get all the needed EAP credentials from the user before we even start connecting. While we do this, we also validate the settings and output any error messages through l_error (this could be changed so the messages go somewhere else in the future), so I removed the error messages from eap_load_settings and that method now assumes that eap_check_settings has been called before. eap_check_settings calls the appropriate method's .check_settings method if the settings are complete enough to contain the method name. The policy is that any data can be provided inside the l_settings object (from the network provisioning/config file), but some of the more sensitive fields, like private key passwords, can be optionally omitted and then the UI will ask for them and iwd will be careful with caching them. Within struct eap_secret_info, "id" is mainly for the EAP method to locate the info in the list. "value" is the actual value returned by agent. "parameter" is an optional string to be passed to the agent. For a private key passphrase it may be the path to the key file, for a password it may be the username for which the password is requested.
2018-04-18 07:03:22 +02:00
const char *prefix, bool set_key_material,
struct l_queue **out_missing);
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
bool eap_load_settings(struct eap_state *eap, struct l_settings *settings,
const char *prefix);
eap: Introduce state reset This is meant to reset the EAP state back to its original state without affecting any state variables obtained through load_settings. This can be useful for EAP Reauthentication triggered by the AP.
2018-05-30 21:52:22 +02:00
bool eap_reset(struct eap_state *eap);
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
void eap_set_key_material_func(struct eap_state *eap,
eap_key_material_func_t func);
eap: Add eap event_func This is used to get arbitrary information out of the EAP method. Needed for EAP-WSC to signal credential information obtained from the peer. Other uses include signaling why EAP-WSC failed (e.g. invalid PIN, etc) and processing of M2D discovery messages. The information in M2Ds might be useful to external clients.
2016-09-12 22:26:03 +02:00
void eap_set_event_func(struct eap_state *eap, eap_event_func_t func);
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
void eap_set_mtu(struct eap_state *eap, size_t mtu);
size_t eap_get_mtu(struct eap_state *eap);
eap: add eap_get_identity
2019-04-10 23:52:31 +02:00
const char *eap_get_identity(struct eap_state *eap);
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
void eap_rx_packet(struct eap_state *eap, const uint8_t *pkt, size_t len);
eap: Load MTU settings from iwd.conf
2016-11-15 23:44:07 +01:00
void eap_init(uint32_t default_mtu);
eap: Add initial EAP API Adds eap.c/eap.h with the initial EAP API definitions. No actual EAP methods are added in this patch.
2015-10-30 11:12:13 +01:00
void eap_exit(void);