1 /* 2 * hostapd / EAP Full Authenticator state machine (RFC 4137) 3 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #ifndef EAP_H 10 #define EAP_H 11 12 #include "common/defs.h" 13 #include "utils/list.h" 14 #include "eap_peer/eap_defs.h" 15 #include "eap_server/eap_methods.h" 16 #include "utils/wpabuf.h" 17 18 struct eap_sm; 19 20 #define EAP_TTLS_AUTH_PAP 1 21 #define EAP_TTLS_AUTH_CHAP 2 22 #define EAP_TTLS_AUTH_MSCHAP 4 23 #define EAP_TTLS_AUTH_MSCHAPV2 8 24 25 struct eap_user { 26 struct { 27 int vendor; 28 u32 method; 29 } methods[EAP_MAX_METHODS]; 30 u8 *password; 31 size_t password_len; 32 int password_hash; /* whether password is hashed with 33 * nt_password_hash() */ 34 u8 *salt; 35 size_t salt_len; 36 int phase2; 37 int force_version; 38 unsigned int remediation:1; 39 unsigned int macacl:1; 40 int ttls_auth; /* bitfield of 41 * EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */ 42 struct hostapd_radius_attr *accept_attr; 43 u32 t_c_timestamp; 44 }; 45 46 struct eap_eapol_interface { 47 /* Lower layer to full authenticator variables */ 48 bool eapResp; /* shared with EAPOL Backend Authentication */ 49 struct wpabuf *eapRespData; 50 bool portEnabled; 51 int retransWhile; 52 bool eapRestart; /* shared with EAPOL Authenticator PAE */ 53 int eapSRTT; 54 int eapRTTVAR; 55 56 /* Full authenticator to lower layer variables */ 57 bool eapReq; /* shared with EAPOL Backend Authentication */ 58 bool eapNoReq; /* shared with EAPOL Backend Authentication */ 59 bool eapSuccess; 60 bool eapFail; 61 bool eapTimeout; 62 struct wpabuf *eapReqData; 63 u8 *eapKeyData; 64 size_t eapKeyDataLen; 65 u8 *eapSessionId; 66 size_t eapSessionIdLen; 67 bool eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */ 68 69 #ifndef ESP_SUPPLICANT 70 /* AAA interface to full authenticator variables */ 71 bool aaaEapReq; 72 bool aaaEapNoReq; 73 bool aaaSuccess; 74 bool aaaFail; 75 struct wpabuf *aaaEapReqData; 76 u8 *aaaEapKeyData; 77 size_t aaaEapKeyDataLen; 78 bool aaaEapKeyAvailable; 79 int aaaMethodTimeout; 80 81 /* Full authenticator to AAA interface variables */ 82 bool aaaEapResp; 83 struct wpabuf *aaaEapRespData; 84 /* aaaIdentity -> eap_get_identity() */ 85 bool aaaTimeout; 86 #endif 87 }; 88 89 struct eap_server_erp_key { 90 struct dl_list list; 91 size_t rRK_len; 92 size_t rIK_len; 93 u8 rRK[ERP_MAX_KEY_LEN]; 94 u8 rIK[ERP_MAX_KEY_LEN]; 95 u32 recv_seq; 96 u8 cryptosuite; 97 char keyname_nai[]; 98 }; 99 100 struct eapol_callbacks { 101 int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len, 102 int phase2, struct eap_user *user); 103 const char * (*get_eap_req_id_text)(void *ctx, size_t *len); 104 void (*log_msg)(void *ctx, const char *msg); 105 int (*get_erp_send_reauth_start)(void *ctx); 106 const char * (*get_erp_domain)(void *ctx); 107 struct eap_server_erp_key * (*erp_get_key)(void *ctx, 108 const char *keyname); 109 int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp); 110 }; 111 112 struct eap_config { 113 /** 114 * ssl_ctx - TLS context 115 * 116 * This is passed to the EAP server implementation as a callback 117 * context for TLS operations. 118 */ 119 void *ssl_ctx; 120 void *msg_ctx; 121 122 /** 123 * eap_sim_db_priv - EAP-SIM/AKA database context 124 * 125 * This is passed to the EAP-SIM/AKA server implementation as a 126 * callback context. 127 */ 128 void *eap_sim_db_priv; 129 bool backend_auth; 130 int eap_server; 131 132 /** 133 * pwd_group - The D-H group assigned for EAP-pwd 134 * 135 * If EAP-pwd is not used it can be set to zero. 136 */ 137 u16 pwd_group; 138 139 /** 140 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST 141 * 142 * This parameter is used to set a key for EAP-FAST to encrypt the 143 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If 144 * set, must point to a 16-octet key. 145 */ 146 u8 *pac_opaque_encr_key; 147 148 /** 149 * eap_fast_a_id - EAP-FAST authority identity (A-ID) 150 * 151 * If EAP-FAST is not used, this can be set to %NULL. In theory, this 152 * is a variable length field, but due to some existing implementations 153 * requiring A-ID to be 16 octets in length, it is recommended to use 154 * that length for the field to provide interoperability with deployed 155 * peer implementations. 156 */ 157 u8 *eap_fast_a_id; 158 159 /** 160 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets 161 */ 162 size_t eap_fast_a_id_len; 163 /** 164 * eap_fast_a_id_info - EAP-FAST authority identifier information 165 * 166 * This A-ID-Info contains a user-friendly name for the A-ID. For 167 * example, this could be the enterprise and server names in 168 * human-readable format. This field is encoded as UTF-8. If EAP-FAST 169 * is not used, this can be set to %NULL. 170 */ 171 char *eap_fast_a_id_info; 172 173 /** 174 * eap_fast_prov - EAP-FAST provisioning modes 175 * 176 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, 177 * 2 = only authenticated provisioning allowed, 3 = both provisioning 178 * modes allowed. 179 */ 180 enum { 181 NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV 182 } eap_fast_prov; 183 184 /** 185 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds 186 * 187 * This is the hard limit on how long a provisioned PAC-Key can be 188 * used. 189 */ 190 int pac_key_lifetime; 191 192 /** 193 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds 194 * 195 * This is a soft limit on the PAC-Key. The server will automatically 196 * generate a new PAC-Key when this number of seconds (or fewer) of the 197 * lifetime remains. 198 */ 199 int pac_key_refresh_time; 200 int eap_teap_auth; 201 int eap_teap_pac_no_inner; 202 int eap_teap_separate_result; 203 enum eap_teap_id { 204 EAP_TEAP_ID_ALLOW_ANY = 0, 205 EAP_TEAP_ID_REQUIRE_USER = 1, 206 EAP_TEAP_ID_REQUIRE_MACHINE = 2, 207 EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3, 208 EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4, 209 EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE = 5, 210 } eap_teap_id; 211 212 /** 213 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication 214 * 215 * This controls whether the protected success/failure indication 216 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. 217 */ 218 int eap_sim_aka_result_ind; 219 int eap_sim_id; 220 221 /** 222 * tnc - Trusted Network Connect (TNC) 223 * 224 * This controls whether TNC is enabled and will be required before the 225 * peer is allowed to connect. Note: This is only used with EAP-TTLS 226 * and EAP-FAST. If any other EAP method is enabled, the peer will be 227 * allowed to connect without TNC. 228 */ 229 int tnc; 230 231 /** 232 * wps - Wi-Fi Protected Setup context 233 * 234 * If WPS is used with an external RADIUS server (which is quite 235 * unlikely configuration), this is used to provide a pointer to WPS 236 * context data. Normally, this can be set to %NULL. 237 */ 238 struct wps_context *wps; 239 int fragment_size; 240 241 int pbc_in_m1; 242 243 /** 244 * server_id - Server identity 245 */ 246 u8 *server_id; 247 size_t server_id_len; 248 249 /** 250 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled 251 * 252 * This controls whether the authentication server derives ERP key 253 * hierarchy (rRK and rIK) from full EAP authentication and allows 254 * these keys to be used to perform ERP to derive rMSK instead of full 255 * EAP authentication to derive MSK. 256 */ 257 int erp; 258 unsigned int tls_session_lifetime; 259 unsigned int tls_flags; 260 261 unsigned int max_auth_rounds; 262 unsigned int max_auth_rounds_short; 263 }; 264 265 struct eap_session_data { 266 const struct wpabuf *assoc_wps_ie; 267 const struct wpabuf *assoc_p2p_ie; 268 const u8 *peer_addr; 269 #ifdef CONFIG_TESTING_OPTIONS 270 u32 tls_test_flags; 271 #endif /* CONFIG_TESTING_OPTIONS */ 272 }; 273 274 275 struct eap_sm * eap_server_sm_init(void *eapol_ctx, 276 const struct eapol_callbacks *eapol_cb, 277 const struct eap_config *conf, 278 const struct eap_session_data *sess); 279 void eap_server_sm_deinit(struct eap_sm *sm); 280 int eap_server_sm_step(struct eap_sm *sm); 281 void eap_sm_notify_cached(struct eap_sm *sm); 282 void eap_sm_pending_cb(struct eap_sm *sm); 283 int eap_sm_method_pending(struct eap_sm *sm); 284 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len); 285 const char * eap_get_serial_num(struct eap_sm *sm); 286 const char * eap_get_method(struct eap_sm *sm); 287 const char * eap_get_imsi(struct eap_sm *sm); 288 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm); 289 void eap_server_clear_identity(struct eap_sm *sm); 290 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source, 291 const u8 *username, size_t username_len, 292 const u8 *challenge, const u8 *response); 293 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len); 294 void eap_user_free(struct eap_user *user); 295 void eap_server_config_free(struct eap_config *cfg); 296 297 #endif /* EAP_H */ 298
