1 /* 2 * hostapd / EAP Full Authenticator state machine (RFC 4137) 3 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #ifndef EAP_H 10 #define EAP_H 11 12 #include "common/defs.h" 13 #include "utils/list.h" 14 #include "eap_common/eap_defs.h" 15 #include "eap_server/eap_methods.h" 16 #include "wpabuf.h" 17 18 struct eap_sm; 19 20 #define EAP_TTLS_AUTH_PAP 1 21 #define EAP_TTLS_AUTH_CHAP 2 22 #define EAP_TTLS_AUTH_MSCHAP 4 23 #define EAP_TTLS_AUTH_MSCHAPV2 8 24 25 struct eap_user { 26 struct { 27 int vendor; 28 u32 method; 29 } methods[EAP_MAX_METHODS]; 30 u8 *password; 31 size_t password_len; 32 int password_hash; /* whether password is hashed with 33 * nt_password_hash() */ 34 u8 *salt; 35 size_t salt_len; 36 int phase2; 37 int force_version; 38 unsigned int remediation:1; 39 unsigned int macacl:1; 40 int ttls_auth; /* bitfield of 41 * EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */ 42 struct hostapd_radius_attr *accept_attr; 43 u32 t_c_timestamp; 44 }; 45 46 struct eap_eapol_interface { 47 /* Lower layer to full authenticator variables */ 48 Boolean eapResp; /* shared with EAPOL Backend Authentication */ 49 struct wpabuf *eapRespData; 50 Boolean portEnabled; 51 int retransWhile; 52 Boolean eapRestart; /* shared with EAPOL Authenticator PAE */ 53 int eapSRTT; 54 int eapRTTVAR; 55 56 /* Full authenticator to lower layer variables */ 57 Boolean eapReq; /* shared with EAPOL Backend Authentication */ 58 Boolean eapNoReq; /* shared with EAPOL Backend Authentication */ 59 Boolean eapSuccess; 60 Boolean eapFail; 61 Boolean eapTimeout; 62 struct wpabuf *eapReqData; 63 u8 *eapKeyData; 64 size_t eapKeyDataLen; 65 u8 *eapSessionId; 66 size_t eapSessionIdLen; 67 Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */ 68 69 /* AAA interface to full authenticator variables */ 70 Boolean aaaEapReq; 71 Boolean aaaEapNoReq; 72 Boolean aaaSuccess; 73 Boolean aaaFail; 74 struct wpabuf *aaaEapReqData; 75 u8 *aaaEapKeyData; 76 size_t aaaEapKeyDataLen; 77 Boolean aaaEapKeyAvailable; 78 int aaaMethodTimeout; 79 80 /* Full authenticator to AAA interface variables */ 81 Boolean aaaEapResp; 82 struct wpabuf *aaaEapRespData; 83 /* aaaIdentity -> eap_get_identity() */ 84 Boolean aaaTimeout; 85 }; 86 87 struct eap_server_erp_key { 88 struct dl_list list; 89 size_t rRK_len; 90 size_t rIK_len; 91 u8 rRK[ERP_MAX_KEY_LEN]; 92 u8 rIK[ERP_MAX_KEY_LEN]; 93 u32 recv_seq; 94 u8 cryptosuite; 95 char keyname_nai[]; 96 }; 97 98 struct eapol_callbacks { 99 int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len, 100 int phase2, struct eap_user *user); 101 const char * (*get_eap_req_id_text)(void *ctx, size_t *len); 102 void (*log_msg)(void *ctx, const char *msg); 103 int (*get_erp_send_reauth_start)(void *ctx); 104 const char * (*get_erp_domain)(void *ctx); 105 struct eap_server_erp_key * (*erp_get_key)(void *ctx, 106 const char *keyname); 107 int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp); 108 }; 109 110 struct eap_config { 111 void *ssl_ctx; 112 void *msg_ctx; 113 void *eap_sim_db_priv; 114 Boolean backend_auth; 115 int eap_server; 116 u16 pwd_group; 117 u8 *pac_opaque_encr_key; 118 u8 *eap_fast_a_id; 119 size_t eap_fast_a_id_len; 120 char *eap_fast_a_id_info; 121 int eap_fast_prov; 122 int pac_key_lifetime; 123 int pac_key_refresh_time; 124 int eap_sim_aka_result_ind; 125 int tnc; 126 struct wps_context *wps; 127 const struct wpabuf *assoc_wps_ie; 128 const struct wpabuf *assoc_p2p_ie; 129 const u8 *peer_addr; 130 int fragment_size; 131 132 int pbc_in_m1; 133 134 const u8 *server_id; 135 size_t server_id_len; 136 int erp; 137 unsigned int tls_session_lifetime; 138 unsigned int tls_flags; 139 140 #ifdef CONFIG_TESTING_OPTIONS 141 u32 tls_test_flags; 142 #endif /* CONFIG_TESTING_OPTIONS */ 143 }; 144 145 146 struct eap_sm * eap_server_sm_init(void *eapol_ctx, 147 const struct eapol_callbacks *eapol_cb, 148 struct eap_config *eap_conf); 149 void eap_server_sm_deinit(struct eap_sm *sm); 150 int eap_server_sm_step(struct eap_sm *sm); 151 void eap_sm_notify_cached(struct eap_sm *sm); 152 void eap_sm_pending_cb(struct eap_sm *sm); 153 int eap_sm_method_pending(struct eap_sm *sm); 154 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len); 155 const char * eap_get_serial_num(struct eap_sm *sm); 156 const char * eap_get_method(struct eap_sm *sm); 157 const char * eap_get_imsi(struct eap_sm *sm); 158 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm); 159 void eap_server_clear_identity(struct eap_sm *sm); 160 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source, 161 const u8 *username, size_t username_len, 162 const u8 *challenge, const u8 *response); 163 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len); 164 void eap_user_free(struct eap_user *user); 165 166 #endif /* EAP_H */ 167