xref: /freebsd/contrib/wpa/src/eap_server/eap.h (revision c66ec88fed842fbaad62c30d510644ceb7bd2d71)
1 /*
2  * hostapd / EAP Full Authenticator state machine (RFC 4137)
3  * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef EAP_H
10 #define EAP_H
11 
12 #include "common/defs.h"
13 #include "utils/list.h"
14 #include "eap_common/eap_defs.h"
15 #include "eap_server/eap_methods.h"
16 #include "wpabuf.h"
17 
18 struct eap_sm;
19 
20 #define EAP_TTLS_AUTH_PAP 1
21 #define EAP_TTLS_AUTH_CHAP 2
22 #define EAP_TTLS_AUTH_MSCHAP 4
23 #define EAP_TTLS_AUTH_MSCHAPV2 8
24 
25 struct eap_user {
26 	struct {
27 		int vendor;
28 		u32 method;
29 	} methods[EAP_MAX_METHODS];
30 	u8 *password;
31 	size_t password_len;
32 	int password_hash; /* whether password is hashed with
33 			    * nt_password_hash() */
34 	u8 *salt;
35 	size_t salt_len;
36 	int phase2;
37 	int force_version;
38 	unsigned int remediation:1;
39 	unsigned int macacl:1;
40 	int ttls_auth; /* bitfield of
41 			* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
42 	struct hostapd_radius_attr *accept_attr;
43 	u32 t_c_timestamp;
44 };
45 
46 struct eap_eapol_interface {
47 	/* Lower layer to full authenticator variables */
48 	Boolean eapResp; /* shared with EAPOL Backend Authentication */
49 	struct wpabuf *eapRespData;
50 	Boolean portEnabled;
51 	int retransWhile;
52 	Boolean eapRestart; /* shared with EAPOL Authenticator PAE */
53 	int eapSRTT;
54 	int eapRTTVAR;
55 
56 	/* Full authenticator to lower layer variables */
57 	Boolean eapReq; /* shared with EAPOL Backend Authentication */
58 	Boolean eapNoReq; /* shared with EAPOL Backend Authentication */
59 	Boolean eapSuccess;
60 	Boolean eapFail;
61 	Boolean eapTimeout;
62 	struct wpabuf *eapReqData;
63 	u8 *eapKeyData;
64 	size_t eapKeyDataLen;
65 	u8 *eapSessionId;
66 	size_t eapSessionIdLen;
67 	Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */
68 
69 	/* AAA interface to full authenticator variables */
70 	Boolean aaaEapReq;
71 	Boolean aaaEapNoReq;
72 	Boolean aaaSuccess;
73 	Boolean aaaFail;
74 	struct wpabuf *aaaEapReqData;
75 	u8 *aaaEapKeyData;
76 	size_t aaaEapKeyDataLen;
77 	Boolean aaaEapKeyAvailable;
78 	int aaaMethodTimeout;
79 
80 	/* Full authenticator to AAA interface variables */
81 	Boolean aaaEapResp;
82 	struct wpabuf *aaaEapRespData;
83 	/* aaaIdentity -> eap_get_identity() */
84 	Boolean aaaTimeout;
85 };
86 
87 struct eap_server_erp_key {
88 	struct dl_list list;
89 	size_t rRK_len;
90 	size_t rIK_len;
91 	u8 rRK[ERP_MAX_KEY_LEN];
92 	u8 rIK[ERP_MAX_KEY_LEN];
93 	u32 recv_seq;
94 	u8 cryptosuite;
95 	char keyname_nai[];
96 };
97 
98 struct eapol_callbacks {
99 	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
100 			    int phase2, struct eap_user *user);
101 	const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
102 	void (*log_msg)(void *ctx, const char *msg);
103 	int (*get_erp_send_reauth_start)(void *ctx);
104 	const char * (*get_erp_domain)(void *ctx);
105 	struct eap_server_erp_key * (*erp_get_key)(void *ctx,
106 						   const char *keyname);
107 	int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
108 };
109 
110 struct eap_config {
111 	void *ssl_ctx;
112 	void *msg_ctx;
113 	void *eap_sim_db_priv;
114 	Boolean backend_auth;
115 	int eap_server;
116 	u16 pwd_group;
117 	u8 *pac_opaque_encr_key;
118 	u8 *eap_fast_a_id;
119 	size_t eap_fast_a_id_len;
120 	char *eap_fast_a_id_info;
121 	int eap_fast_prov;
122 	int pac_key_lifetime;
123 	int pac_key_refresh_time;
124 	int eap_teap_auth;
125 	int eap_teap_pac_no_inner;
126 	int eap_sim_aka_result_ind;
127 	int eap_sim_id;
128 	int tnc;
129 	struct wps_context *wps;
130 	const struct wpabuf *assoc_wps_ie;
131 	const struct wpabuf *assoc_p2p_ie;
132 	const u8 *peer_addr;
133 	int fragment_size;
134 
135 	int pbc_in_m1;
136 
137 	const u8 *server_id;
138 	size_t server_id_len;
139 	int erp;
140 	unsigned int tls_session_lifetime;
141 	unsigned int tls_flags;
142 
143 #ifdef CONFIG_TESTING_OPTIONS
144 	u32 tls_test_flags;
145 #endif /* CONFIG_TESTING_OPTIONS */
146 };
147 
148 
149 struct eap_sm * eap_server_sm_init(void *eapol_ctx,
150 				   const struct eapol_callbacks *eapol_cb,
151 				   struct eap_config *eap_conf);
152 void eap_server_sm_deinit(struct eap_sm *sm);
153 int eap_server_sm_step(struct eap_sm *sm);
154 void eap_sm_notify_cached(struct eap_sm *sm);
155 void eap_sm_pending_cb(struct eap_sm *sm);
156 int eap_sm_method_pending(struct eap_sm *sm);
157 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
158 const char * eap_get_serial_num(struct eap_sm *sm);
159 const char * eap_get_method(struct eap_sm *sm);
160 const char * eap_get_imsi(struct eap_sm *sm);
161 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
162 void eap_server_clear_identity(struct eap_sm *sm);
163 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
164 				   const u8 *username, size_t username_len,
165 				   const u8 *challenge, const u8 *response);
166 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
167 void eap_user_free(struct eap_user *user);
168 
169 #endif /* EAP_H */
170