xref: /freebsd/contrib/wpa/src/eap_server/eap.h (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
1 /*
2  * hostapd / EAP Full Authenticator state machine (RFC 4137)
3  * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef EAP_H
10 #define EAP_H
11 
12 #include "common/defs.h"
13 #include "utils/list.h"
14 #include "eap_common/eap_defs.h"
15 #include "eap_server/eap_methods.h"
16 #include "wpabuf.h"
17 
18 struct eap_sm;
19 
20 #define EAP_TTLS_AUTH_PAP 1
21 #define EAP_TTLS_AUTH_CHAP 2
22 #define EAP_TTLS_AUTH_MSCHAP 4
23 #define EAP_TTLS_AUTH_MSCHAPV2 8
24 
25 struct eap_user {
26 	struct {
27 		int vendor;
28 		u32 method;
29 	} methods[EAP_MAX_METHODS];
30 	u8 *password;
31 	size_t password_len;
32 	int password_hash; /* whether password is hashed with
33 			    * nt_password_hash() */
34 	u8 *salt;
35 	size_t salt_len;
36 	int phase2;
37 	int force_version;
38 	unsigned int remediation:1;
39 	unsigned int macacl:1;
40 	int ttls_auth; /* bitfield of
41 			* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
42 	struct hostapd_radius_attr *accept_attr;
43 	u32 t_c_timestamp;
44 };
45 
46 struct eap_eapol_interface {
47 	/* Lower layer to full authenticator variables */
48 	bool eapResp; /* shared with EAPOL Backend Authentication */
49 	struct wpabuf *eapRespData;
50 	bool portEnabled;
51 	int retransWhile;
52 	bool eapRestart; /* shared with EAPOL Authenticator PAE */
53 	int eapSRTT;
54 	int eapRTTVAR;
55 
56 	/* Full authenticator to lower layer variables */
57 	bool eapReq; /* shared with EAPOL Backend Authentication */
58 	bool eapNoReq; /* shared with EAPOL Backend Authentication */
59 	bool eapSuccess;
60 	bool eapFail;
61 	bool eapTimeout;
62 	struct wpabuf *eapReqData;
63 	u8 *eapKeyData;
64 	size_t eapKeyDataLen;
65 	u8 *eapSessionId;
66 	size_t eapSessionIdLen;
67 	bool eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */
68 
69 	/* AAA interface to full authenticator variables */
70 	bool aaaEapReq;
71 	bool aaaEapNoReq;
72 	bool aaaSuccess;
73 	bool aaaFail;
74 	struct wpabuf *aaaEapReqData;
75 	u8 *aaaEapKeyData;
76 	size_t aaaEapKeyDataLen;
77 	bool aaaEapKeyAvailable;
78 	int aaaMethodTimeout;
79 
80 	/* Full authenticator to AAA interface variables */
81 	bool aaaEapResp;
82 	struct wpabuf *aaaEapRespData;
83 	/* aaaIdentity -> eap_get_identity() */
84 	bool aaaTimeout;
85 };
86 
87 struct eap_server_erp_key {
88 	struct dl_list list;
89 	size_t rRK_len;
90 	size_t rIK_len;
91 	u8 rRK[ERP_MAX_KEY_LEN];
92 	u8 rIK[ERP_MAX_KEY_LEN];
93 	u32 recv_seq;
94 	u8 cryptosuite;
95 	char keyname_nai[];
96 };
97 
98 struct eapol_callbacks {
99 	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
100 			    int phase2, struct eap_user *user);
101 	const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
102 	void (*log_msg)(void *ctx, const char *msg);
103 	int (*get_erp_send_reauth_start)(void *ctx);
104 	const char * (*get_erp_domain)(void *ctx);
105 	struct eap_server_erp_key * (*erp_get_key)(void *ctx,
106 						   const char *keyname);
107 	int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
108 };
109 
110 struct eap_config {
111 	/**
112 	 * ssl_ctx - TLS context
113 	 *
114 	 * This is passed to the EAP server implementation as a callback
115 	 * context for TLS operations.
116 	 */
117 	void *ssl_ctx;
118 	void *msg_ctx;
119 
120 	/**
121 	 * eap_sim_db_priv - EAP-SIM/AKA database context
122 	 *
123 	 * This is passed to the EAP-SIM/AKA server implementation as a
124 	 * callback context.
125 	 */
126 	void *eap_sim_db_priv;
127 
128 	struct crypto_rsa_key *imsi_privacy_key;
129 
130 	bool backend_auth;
131 	int eap_server;
132 
133 	/**
134 	 * pwd_group - The D-H group assigned for EAP-pwd
135 	 *
136 	 * If EAP-pwd is not used it can be set to zero.
137 	 */
138 	u16 pwd_group;
139 
140 	/**
141 	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
142 	 *
143 	 * This parameter is used to set a key for EAP-FAST to encrypt the
144 	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
145 	 * set, must point to a 16-octet key.
146 	 */
147 	u8 *pac_opaque_encr_key;
148 
149 	/**
150 	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
151 	 *
152 	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
153 	 * is a variable length field, but due to some existing implementations
154 	 * requiring A-ID to be 16 octets in length, it is recommended to use
155 	 * that length for the field to provide interoperability with deployed
156 	 * peer implementations.
157 	 */
158 	u8 *eap_fast_a_id;
159 
160 	/**
161 	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
162 	 */
163 	size_t eap_fast_a_id_len;
164 	/**
165 	 * eap_fast_a_id_info - EAP-FAST authority identifier information
166 	 *
167 	 * This A-ID-Info contains a user-friendly name for the A-ID. For
168 	 * example, this could be the enterprise and server names in
169 	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
170 	 * is not used, this can be set to %NULL.
171 	 */
172 	char *eap_fast_a_id_info;
173 
174 	/**
175 	 * eap_fast_prov - EAP-FAST provisioning modes
176 	 *
177 	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
178 	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
179 	 * modes allowed.
180 	 */
181 	enum {
182 		NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
183 	} eap_fast_prov;
184 
185 	/**
186 	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
187 	 *
188 	 * This is the hard limit on how long a provisioned PAC-Key can be
189 	 * used.
190 	 */
191 	int pac_key_lifetime;
192 
193 	/**
194 	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
195 	 *
196 	 * This is a soft limit on the PAC-Key. The server will automatically
197 	 * generate a new PAC-Key when this number of seconds (or fewer) of the
198 	 * lifetime remains.
199 	 */
200 	int pac_key_refresh_time;
201 	int eap_teap_auth;
202 	int eap_teap_pac_no_inner;
203 	int eap_teap_separate_result;
204 	enum eap_teap_id {
205 		EAP_TEAP_ID_ALLOW_ANY = 0,
206 		EAP_TEAP_ID_REQUIRE_USER = 1,
207 		EAP_TEAP_ID_REQUIRE_MACHINE = 2,
208 		EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3,
209 		EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4,
210 		EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE = 5,
211 	} eap_teap_id;
212 	int eap_teap_method_sequence;
213 
214 	/**
215 	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
216 	 *
217 	 * This controls whether the protected success/failure indication
218 	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
219 	 */
220 	int eap_sim_aka_result_ind;
221 	int eap_sim_id;
222 
223 	/* Maximum number of fast re-authentications allowed after each full
224 	 * EAP-SIM/AKA authentication. */
225 	int eap_sim_aka_fast_reauth_limit;
226 
227 	/**
228 	 * tnc - Trusted Network Connect (TNC)
229 	 *
230 	 * This controls whether TNC is enabled and will be required before the
231 	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
232 	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
233 	 * allowed to connect without TNC.
234 	 */
235 	int tnc;
236 
237 	/**
238 	 * wps - Wi-Fi Protected Setup context
239 	 *
240 	 * If WPS is used with an external RADIUS server (which is quite
241 	 * unlikely configuration), this is used to provide a pointer to WPS
242 	 * context data. Normally, this can be set to %NULL.
243 	 */
244 	struct wps_context *wps;
245 	int fragment_size;
246 
247 	int pbc_in_m1;
248 
249 	/**
250 	 * server_id - Server identity
251 	 */
252 	u8 *server_id;
253 	size_t server_id_len;
254 
255 	/**
256 	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
257 	 *
258 	 * This controls whether the authentication server derives ERP key
259 	 * hierarchy (rRK and rIK) from full EAP authentication and allows
260 	 * these keys to be used to perform ERP to derive rMSK instead of full
261 	 * EAP authentication to derive MSK.
262 	 */
263 	int erp;
264 	unsigned int tls_session_lifetime;
265 	unsigned int tls_flags;
266 
267 	unsigned int max_auth_rounds;
268 	unsigned int max_auth_rounds_short;
269 
270 #ifdef CONFIG_TESTING_OPTIONS
271 	bool skip_prot_success;
272 #endif /* CONFIG_TESTING_OPTIONS */
273 };
274 
275 struct eap_session_data {
276 	const struct wpabuf *assoc_wps_ie;
277 	const struct wpabuf *assoc_p2p_ie;
278 	const u8 *peer_addr;
279 #ifdef CONFIG_TESTING_OPTIONS
280 	u32 tls_test_flags;
281 #endif /* CONFIG_TESTING_OPTIONS */
282 };
283 
284 
285 struct eap_sm * eap_server_sm_init(void *eapol_ctx,
286 				   const struct eapol_callbacks *eapol_cb,
287 				   const struct eap_config *conf,
288 				   const struct eap_session_data *sess);
289 void eap_server_sm_deinit(struct eap_sm *sm);
290 int eap_server_sm_step(struct eap_sm *sm);
291 void eap_sm_notify_cached(struct eap_sm *sm);
292 void eap_sm_pending_cb(struct eap_sm *sm);
293 int eap_sm_method_pending(struct eap_sm *sm);
294 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
295 const char * eap_get_serial_num(struct eap_sm *sm);
296 const char * eap_get_method(struct eap_sm *sm);
297 const char * eap_get_imsi(struct eap_sm *sm);
298 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
299 void eap_server_clear_identity(struct eap_sm *sm);
300 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
301 				   const u8 *username, size_t username_len,
302 				   const u8 *challenge, const u8 *response);
303 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
304 void eap_user_free(struct eap_user *user);
305 void eap_server_config_free(struct eap_config *cfg);
306 
307 #endif /* EAP_H */
308