Home | History | Annotate | Download | only in eap_server 
      1 /*
      2  * hostapd / EAP Full Authenticator state machine (RFC 4137)
      3  * Copyright (c) 2004-2014, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #ifndef EAP_H
     10 #define EAP_H
     11 
     12 #include "common/defs.h"
     13 #include "utils/list.h"
     14 #include "eap_common/eap_defs.h"
     15 #include "eap_server/eap_methods.h"
     16 #include "wpabuf.h"
     17 
     18 struct eap_sm;
     19 
     20 #define EAP_TTLS_AUTH_PAP 1
     21 #define EAP_TTLS_AUTH_CHAP 2
     22 #define EAP_TTLS_AUTH_MSCHAP 4
     23 #define EAP_TTLS_AUTH_MSCHAPV2 8
     24 
     25 struct eap_user {
     26 	struct {
     27 		int vendor;
     28 		u32 method;
     29 	} methods[EAP_MAX_METHODS];
     30 	u8 *password;
     31 	size_t password_len;
     32 	int password_hash; /* whether password is hashed with
     33 			    * nt_password_hash() */
     34 	u8 *salt;
     35 	size_t salt_len;
     36 	int phase2;
     37 	int force_version;
     38 	unsigned int remediation:1;
     39 	unsigned int macacl:1;
     40 	int ttls_auth; /* bitfield of
     41 			* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
     42 	struct hostapd_radius_attr *accept_attr;
     43 	u32 t_c_timestamp;
     44 };
     45 
     46 struct eap_eapol_interface {
     47 	/* Lower layer to full authenticator variables */
     48 	Boolean eapResp; /* shared with EAPOL Backend Authentication */
     49 	struct wpabuf *eapRespData;
     50 	Boolean portEnabled;
     51 	int retransWhile;
     52 	Boolean eapRestart; /* shared with EAPOL Authenticator PAE */
     53 	int eapSRTT;
     54 	int eapRTTVAR;
     55 
     56 	/* Full authenticator to lower layer variables */
     57 	Boolean eapReq; /* shared with EAPOL Backend Authentication */
     58 	Boolean eapNoReq; /* shared with EAPOL Backend Authentication */
     59 	Boolean eapSuccess;
     60 	Boolean eapFail;
     61 	Boolean eapTimeout;
     62 	struct wpabuf *eapReqData;
     63 	u8 *eapKeyData;
     64 	size_t eapKeyDataLen;
     65 	u8 *eapSessionId;
     66 	size_t eapSessionIdLen;
     67 	Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */
     68 
     69 	/* AAA interface to full authenticator variables */
     70 	Boolean aaaEapReq;
     71 	Boolean aaaEapNoReq;
     72 	Boolean aaaSuccess;
     73 	Boolean aaaFail;
     74 	struct wpabuf *aaaEapReqData;
     75 	u8 *aaaEapKeyData;
     76 	size_t aaaEapKeyDataLen;
     77 	Boolean aaaEapKeyAvailable;
     78 	int aaaMethodTimeout;
     79 
     80 	/* Full authenticator to AAA interface variables */
     81 	Boolean aaaEapResp;
     82 	struct wpabuf *aaaEapRespData;
     83 	/* aaaIdentity -> eap_get_identity() */
     84 	Boolean aaaTimeout;
     85 };
     86 
     87 struct eap_server_erp_key {
     88 	struct dl_list list;
     89 	size_t rRK_len;
     90 	size_t rIK_len;
     91 	u8 rRK[ERP_MAX_KEY_LEN];
     92 	u8 rIK[ERP_MAX_KEY_LEN];
     93 	u32 recv_seq;
     94 	u8 cryptosuite;
     95 	char keyname_nai[];
     96 };
     97 
     98 struct eapol_callbacks {
     99 	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
    100 			    int phase2, struct eap_user *user);
    101 	const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
    102 	void (*log_msg)(void *ctx, const char *msg);
    103 	int (*get_erp_send_reauth_start)(void *ctx);
    104 	const char * (*get_erp_domain)(void *ctx);
    105 	struct eap_server_erp_key * (*erp_get_key)(void *ctx,
    106 						   const char *keyname);
    107 	int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
    108 };
    109 
    110 struct eap_config {
    111 	void *ssl_ctx;
    112 	void *msg_ctx;
    113 	void *eap_sim_db_priv;
    114 	Boolean backend_auth;
    115 	int eap_server;
    116 	u16 pwd_group;
    117 	u8 *pac_opaque_encr_key;
    118 	u8 *eap_fast_a_id;
    119 	size_t eap_fast_a_id_len;
    120 	char *eap_fast_a_id_info;
    121 	int eap_fast_prov;
    122 	int pac_key_lifetime;
    123 	int pac_key_refresh_time;
    124 	int eap_sim_aka_result_ind;
    125 	int tnc;
    126 	struct wps_context *wps;
    127 	const struct wpabuf *assoc_wps_ie;
    128 	const struct wpabuf *assoc_p2p_ie;
    129 	const u8 *peer_addr;
    130 	int fragment_size;
    131 
    132 	int pbc_in_m1;
    133 
    134 	const u8 *server_id;
    135 	size_t server_id_len;
    136 	int erp;
    137 	unsigned int tls_session_lifetime;
    138 	unsigned int tls_flags;
    139 
    140 #ifdef CONFIG_TESTING_OPTIONS
    141 	u32 tls_test_flags;
    142 #endif /* CONFIG_TESTING_OPTIONS */
    143 };
    144 
    145 
    146 struct eap_sm * eap_server_sm_init(void *eapol_ctx,
    147 				   const struct eapol_callbacks *eapol_cb,
    148 				   struct eap_config *eap_conf);
    149 void eap_server_sm_deinit(struct eap_sm *sm);
    150 int eap_server_sm_step(struct eap_sm *sm);
    151 void eap_sm_notify_cached(struct eap_sm *sm);
    152 void eap_sm_pending_cb(struct eap_sm *sm);
    153 int eap_sm_method_pending(struct eap_sm *sm);
    154 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
    155 const char * eap_get_serial_num(struct eap_sm *sm);
    156 const char * eap_get_method(struct eap_sm *sm);
    157 const char * eap_get_imsi(struct eap_sm *sm);
    158 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
    159 void eap_server_clear_identity(struct eap_sm *sm);
    160 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
    161 				   const u8 *username, size_t username_len,
    162 				   const u8 *challenge, const u8 *response);
    163 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
    164 void eap_user_free(struct eap_user *user);
    165 
    166 #endif /* EAP_H */
    167