1 /* 2 * hostapd / EAP Full Authenticator state machine (RFC 4137) 3 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #ifndef EAP_H 10 #define EAP_H 11 12 #include "common/defs.h" 13 #include "utils/list.h" 14 #include "eap_common/eap_defs.h" 15 #include "eap_server/eap_methods.h" 16 #include "wpabuf.h" 17 18 struct eap_sm; 19 20 #define EAP_TTLS_AUTH_PAP 1 21 #define EAP_TTLS_AUTH_CHAP 2 22 #define EAP_TTLS_AUTH_MSCHAP 4 23 #define EAP_TTLS_AUTH_MSCHAPV2 8 24 25 struct eap_user { 26 struct { 27 int vendor; 28 u32 method; 29 } methods[EAP_MAX_METHODS]; 30 u8 *password; 31 size_t password_len; 32 int password_hash; /* whether password is hashed with 33 * nt_password_hash() */ 34 u8 *salt; 35 size_t salt_len; 36 int phase2; 37 int force_version; 38 unsigned int remediation:1; 39 unsigned int macacl:1; 40 int ttls_auth; /* bitfield of 41 * EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */ 42 struct hostapd_radius_attr *accept_attr; 43 u32 t_c_timestamp; 44 }; 45 46 struct eap_eapol_interface { 47 /* Lower layer to full authenticator variables */ 48 bool eapResp; /* shared with EAPOL Backend Authentication */ 49 struct wpabuf *eapRespData; 50 bool portEnabled; 51 int retransWhile; 52 bool eapRestart; /* shared with EAPOL Authenticator PAE */ 53 int eapSRTT; 54 int eapRTTVAR; 55 56 /* Full authenticator to lower layer variables */ 57 bool eapReq; /* shared with EAPOL Backend Authentication */ 58 bool eapNoReq; /* shared with EAPOL Backend Authentication */ 59 bool eapSuccess; 60 bool eapFail; 61 bool eapTimeout; 62 struct wpabuf *eapReqData; 63 u8 *eapKeyData; 64 size_t eapKeyDataLen; 65 u8 *eapSessionId; 66 size_t eapSessionIdLen; 67 bool eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */ 68 69 /* AAA interface to full authenticator variables */ 70 bool aaaEapReq; 71 bool aaaEapNoReq; 72 bool aaaSuccess; 73 bool aaaFail; 74 struct wpabuf *aaaEapReqData; 75 u8 *aaaEapKeyData; 76 size_t aaaEapKeyDataLen; 77 bool aaaEapKeyAvailable; 78 int aaaMethodTimeout; 79 80 /* Full authenticator to AAA interface variables */ 81 bool aaaEapResp; 82 struct wpabuf *aaaEapRespData; 83 /* aaaIdentity -> eap_get_identity() */ 84 bool aaaTimeout; 85 }; 86 87 struct eap_server_erp_key { 88 struct dl_list list; 89 size_t rRK_len; 90 size_t rIK_len; 91 u8 rRK[ERP_MAX_KEY_LEN]; 92 u8 rIK[ERP_MAX_KEY_LEN]; 93 u32 recv_seq; 94 u8 cryptosuite; 95 char keyname_nai[]; 96 }; 97 98 struct eapol_callbacks { 99 int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len, 100 int phase2, struct eap_user *user); 101 const char * (*get_eap_req_id_text)(void *ctx, size_t *len); 102 void (*log_msg)(void *ctx, const char *msg); 103 int (*get_erp_send_reauth_start)(void *ctx); 104 const char * (*get_erp_domain)(void *ctx); 105 struct eap_server_erp_key * (*erp_get_key)(void *ctx, 106 const char *keyname); 107 int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp); 108 }; 109 110 struct eap_config { 111 /** 112 * ssl_ctx - TLS context 113 * 114 * This is passed to the EAP server implementation as a callback 115 * context for TLS operations. 116 */ 117 void *ssl_ctx; 118 void *msg_ctx; 119 120 /** 121 * eap_sim_db_priv - EAP-SIM/AKA database context 122 * 123 * This is passed to the EAP-SIM/AKA server implementation as a 124 * callback context. 125 */ 126 void *eap_sim_db_priv; 127 128 struct crypto_rsa_key *imsi_privacy_key; 129 130 bool backend_auth; 131 int eap_server; 132 133 /** 134 * pwd_group - The D-H group assigned for EAP-pwd 135 * 136 * If EAP-pwd is not used it can be set to zero. 137 */ 138 u16 pwd_group; 139 140 /** 141 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST 142 * 143 * This parameter is used to set a key for EAP-FAST to encrypt the 144 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If 145 * set, must point to a 16-octet key. 146 */ 147 u8 *pac_opaque_encr_key; 148 149 /** 150 * eap_fast_a_id - EAP-FAST authority identity (A-ID) 151 * 152 * If EAP-FAST is not used, this can be set to %NULL. In theory, this 153 * is a variable length field, but due to some existing implementations 154 * requiring A-ID to be 16 octets in length, it is recommended to use 155 * that length for the field to provide interoperability with deployed 156 * peer implementations. 157 */ 158 u8 *eap_fast_a_id; 159 160 /** 161 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets 162 */ 163 size_t eap_fast_a_id_len; 164 /** 165 * eap_fast_a_id_info - EAP-FAST authority identifier information 166 * 167 * This A-ID-Info contains a user-friendly name for the A-ID. For 168 * example, this could be the enterprise and server names in 169 * human-readable format. This field is encoded as UTF-8. If EAP-FAST 170 * is not used, this can be set to %NULL. 171 */ 172 char *eap_fast_a_id_info; 173 174 /** 175 * eap_fast_prov - EAP-FAST provisioning modes 176 * 177 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, 178 * 2 = only authenticated provisioning allowed, 3 = both provisioning 179 * modes allowed. 180 */ 181 enum { 182 NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV 183 } eap_fast_prov; 184 185 /** 186 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds 187 * 188 * This is the hard limit on how long a provisioned PAC-Key can be 189 * used. 190 */ 191 int pac_key_lifetime; 192 193 /** 194 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds 195 * 196 * This is a soft limit on the PAC-Key. The server will automatically 197 * generate a new PAC-Key when this number of seconds (or fewer) of the 198 * lifetime remains. 199 */ 200 int pac_key_refresh_time; 201 int eap_teap_auth; 202 int eap_teap_pac_no_inner; 203 int eap_teap_separate_result; 204 enum eap_teap_id { 205 EAP_TEAP_ID_ALLOW_ANY = 0, 206 EAP_TEAP_ID_REQUIRE_USER = 1, 207 EAP_TEAP_ID_REQUIRE_MACHINE = 2, 208 EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3, 209 EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4, 210 EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE = 5, 211 } eap_teap_id; 212 int eap_teap_method_sequence; 213 214 /** 215 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication 216 * 217 * This controls whether the protected success/failure indication 218 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. 219 */ 220 int eap_sim_aka_result_ind; 221 int eap_sim_id; 222 223 /* Maximum number of fast re-authentications allowed after each full 224 * EAP-SIM/AKA authentication. */ 225 int eap_sim_aka_fast_reauth_limit; 226 227 /** 228 * tnc - Trusted Network Connect (TNC) 229 * 230 * This controls whether TNC is enabled and will be required before the 231 * peer is allowed to connect. Note: This is only used with EAP-TTLS 232 * and EAP-FAST. If any other EAP method is enabled, the peer will be 233 * allowed to connect without TNC. 234 */ 235 int tnc; 236 237 /** 238 * wps - Wi-Fi Protected Setup context 239 * 240 * If WPS is used with an external RADIUS server (which is quite 241 * unlikely configuration), this is used to provide a pointer to WPS 242 * context data. Normally, this can be set to %NULL. 243 */ 244 struct wps_context *wps; 245 int fragment_size; 246 247 int pbc_in_m1; 248 249 /** 250 * server_id - Server identity 251 */ 252 u8 *server_id; 253 size_t server_id_len; 254 255 /** 256 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled 257 * 258 * This controls whether the authentication server derives ERP key 259 * hierarchy (rRK and rIK) from full EAP authentication and allows 260 * these keys to be used to perform ERP to derive rMSK instead of full 261 * EAP authentication to derive MSK. 262 */ 263 int erp; 264 unsigned int tls_session_lifetime; 265 unsigned int tls_flags; 266 267 unsigned int max_auth_rounds; 268 unsigned int max_auth_rounds_short; 269 270 #ifdef CONFIG_TESTING_OPTIONS 271 bool skip_prot_success; 272 #endif /* CONFIG_TESTING_OPTIONS */ 273 }; 274 275 struct eap_session_data { 276 const struct wpabuf *assoc_wps_ie; 277 const struct wpabuf *assoc_p2p_ie; 278 const u8 *peer_addr; 279 #ifdef CONFIG_TESTING_OPTIONS 280 u32 tls_test_flags; 281 #endif /* CONFIG_TESTING_OPTIONS */ 282 }; 283 284 285 struct eap_sm * eap_server_sm_init(void *eapol_ctx, 286 const struct eapol_callbacks *eapol_cb, 287 const struct eap_config *conf, 288 const struct eap_session_data *sess); 289 void eap_server_sm_deinit(struct eap_sm *sm); 290 int eap_server_sm_step(struct eap_sm *sm); 291 void eap_sm_notify_cached(struct eap_sm *sm); 292 void eap_sm_pending_cb(struct eap_sm *sm); 293 int eap_sm_method_pending(struct eap_sm *sm); 294 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len); 295 const char * eap_get_serial_num(struct eap_sm *sm); 296 const char * eap_get_method(struct eap_sm *sm); 297 const char * eap_get_imsi(struct eap_sm *sm); 298 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm); 299 void eap_server_clear_identity(struct eap_sm *sm); 300 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source, 301 const u8 *username, size_t username_len, 302 const u8 *challenge, const u8 *response); 303 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len); 304 void eap_user_free(struct eap_user *user); 305 void eap_server_config_free(struct eap_config *cfg); 306 307 #endif /* EAP_H */ 308