/* * hostapd / EAP Full Authenticator state machine (RFC 4137) * Copyright (c) 2004-2014, Jouni Malinen * * This software may be distributed under the terms of the BSD license. * See README for more details. */ #ifndef EAP_H #define EAP_H #include "common/defs.h" #include "utils/list.h" #include "eap_common/eap_defs.h" #include "eap_server/eap_methods.h" #include "wpabuf.h" struct eap_sm; #define EAP_TTLS_AUTH_PAP 1 #define EAP_TTLS_AUTH_CHAP 2 #define EAP_TTLS_AUTH_MSCHAP 4 #define EAP_TTLS_AUTH_MSCHAPV2 8 struct eap_user { struct { int vendor; u32 method; } methods[EAP_MAX_METHODS]; u8 *password; size_t password_len; int password_hash; /* whether password is hashed with * nt_password_hash() */ u8 *salt; size_t salt_len; int phase2; int force_version; unsigned int remediation:1; unsigned int macacl:1; int ttls_auth; /* bitfield of * EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */ struct hostapd_radius_attr *accept_attr; u32 t_c_timestamp; }; struct eap_eapol_interface { /* Lower layer to full authenticator variables */ bool eapResp; /* shared with EAPOL Backend Authentication */ struct wpabuf *eapRespData; bool portEnabled; int retransWhile; bool eapRestart; /* shared with EAPOL Authenticator PAE */ int eapSRTT; int eapRTTVAR; /* Full authenticator to lower layer variables */ bool eapReq; /* shared with EAPOL Backend Authentication */ bool eapNoReq; /* shared with EAPOL Backend Authentication */ bool eapSuccess; bool eapFail; bool eapTimeout; struct wpabuf *eapReqData; u8 *eapKeyData; size_t eapKeyDataLen; u8 *eapSessionId; size_t eapSessionIdLen; bool eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */ /* AAA interface to full authenticator variables */ bool aaaEapReq; bool aaaEapNoReq; bool aaaSuccess; bool aaaFail; struct wpabuf *aaaEapReqData; u8 *aaaEapKeyData; size_t aaaEapKeyDataLen; bool aaaEapKeyAvailable; int aaaMethodTimeout; /* Full authenticator to AAA interface variables */ bool aaaEapResp; struct wpabuf *aaaEapRespData; /* aaaIdentity -> eap_get_identity() */ bool aaaTimeout; }; struct eap_server_erp_key { struct dl_list list; size_t rRK_len; size_t rIK_len; u8 rRK[ERP_MAX_KEY_LEN]; u8 rIK[ERP_MAX_KEY_LEN]; u32 recv_seq; u8 cryptosuite; char keyname_nai[]; }; struct eapol_callbacks { int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len, int phase2, struct eap_user *user); const char * (*get_eap_req_id_text)(void *ctx, size_t *len); void (*log_msg)(void *ctx, const char *msg); int (*get_erp_send_reauth_start)(void *ctx); const char * (*get_erp_domain)(void *ctx); struct eap_server_erp_key * (*erp_get_key)(void *ctx, const char *keyname); int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp); }; struct eap_config { /** * ssl_ctx - TLS context * * This is passed to the EAP server implementation as a callback * context for TLS operations. */ void *ssl_ctx; void *msg_ctx; /** * eap_sim_db_priv - EAP-SIM/AKA database context * * This is passed to the EAP-SIM/AKA server implementation as a * callback context. */ void *eap_sim_db_priv; struct crypto_rsa_key *imsi_privacy_key; bool backend_auth; int eap_server; /** * pwd_group - The D-H group assigned for EAP-pwd * * If EAP-pwd is not used it can be set to zero. */ u16 pwd_group; /** * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST * * This parameter is used to set a key for EAP-FAST to encrypt the * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If * set, must point to a 16-octet key. */ u8 *pac_opaque_encr_key; /** * eap_fast_a_id - EAP-FAST authority identity (A-ID) * * If EAP-FAST is not used, this can be set to %NULL. In theory, this * is a variable length field, but due to some existing implementations * requiring A-ID to be 16 octets in length, it is recommended to use * that length for the field to provide interoperability with deployed * peer implementations. */ u8 *eap_fast_a_id; /** * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets */ size_t eap_fast_a_id_len; /** * eap_fast_a_id_info - EAP-FAST authority identifier information * * This A-ID-Info contains a user-friendly name for the A-ID. For * example, this could be the enterprise and server names in * human-readable format. This field is encoded as UTF-8. If EAP-FAST * is not used, this can be set to %NULL. */ char *eap_fast_a_id_info; /** * eap_fast_prov - EAP-FAST provisioning modes * * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, * 2 = only authenticated provisioning allowed, 3 = both provisioning * modes allowed. */ enum { NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV } eap_fast_prov; /** * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds * * This is the hard limit on how long a provisioned PAC-Key can be * used. */ int pac_key_lifetime; /** * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds * * This is a soft limit on the PAC-Key. The server will automatically * generate a new PAC-Key when this number of seconds (or fewer) of the * lifetime remains. */ int pac_key_refresh_time; int eap_teap_auth; int eap_teap_pac_no_inner; int eap_teap_separate_result; enum eap_teap_id { EAP_TEAP_ID_ALLOW_ANY = 0, EAP_TEAP_ID_REQUIRE_USER = 1, EAP_TEAP_ID_REQUIRE_MACHINE = 2, EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3, EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4, EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE = 5, } eap_teap_id; int eap_teap_method_sequence; /** * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication * * This controls whether the protected success/failure indication * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. */ int eap_sim_aka_result_ind; int eap_sim_id; /** * tnc - Trusted Network Connect (TNC) * * This controls whether TNC is enabled and will be required before the * peer is allowed to connect. Note: This is only used with EAP-TTLS * and EAP-FAST. If any other EAP method is enabled, the peer will be * allowed to connect without TNC. */ int tnc; /** * wps - Wi-Fi Protected Setup context * * If WPS is used with an external RADIUS server (which is quite * unlikely configuration), this is used to provide a pointer to WPS * context data. Normally, this can be set to %NULL. */ struct wps_context *wps; int fragment_size; int pbc_in_m1; /** * server_id - Server identity */ u8 *server_id; size_t server_id_len; /** * erp - Whether EAP Re-authentication Protocol (ERP) is enabled * * This controls whether the authentication server derives ERP key * hierarchy (rRK and rIK) from full EAP authentication and allows * these keys to be used to perform ERP to derive rMSK instead of full * EAP authentication to derive MSK. */ int erp; unsigned int tls_session_lifetime; unsigned int tls_flags; unsigned int max_auth_rounds; unsigned int max_auth_rounds_short; #ifdef CONFIG_TESTING_OPTIONS bool skip_prot_success; #endif /* CONFIG_TESTING_OPTIONS */ }; struct eap_session_data { const struct wpabuf *assoc_wps_ie; const struct wpabuf *assoc_p2p_ie; const u8 *peer_addr; #ifdef CONFIG_TESTING_OPTIONS u32 tls_test_flags; #endif /* CONFIG_TESTING_OPTIONS */ }; struct eap_sm * eap_server_sm_init(void *eapol_ctx, const struct eapol_callbacks *eapol_cb, const struct eap_config *conf, const struct eap_session_data *sess); void eap_server_sm_deinit(struct eap_sm *sm); int eap_server_sm_step(struct eap_sm *sm); void eap_sm_notify_cached(struct eap_sm *sm); void eap_sm_pending_cb(struct eap_sm *sm); int eap_sm_method_pending(struct eap_sm *sm); const u8 * eap_get_identity(struct eap_sm *sm, size_t *len); const char * eap_get_serial_num(struct eap_sm *sm); const char * eap_get_method(struct eap_sm *sm); const char * eap_get_imsi(struct eap_sm *sm); struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm); void eap_server_clear_identity(struct eap_sm *sm); void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source, const u8 *username, size_t username_len, const u8 *challenge, const u8 *response); void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len); void eap_user_free(struct eap_user *user); void eap_server_config_free(struct eap_config *cfg); #endif /* EAP_H */