1  /*
2   * hostapd / EAP Full Authenticator state machine (RFC 4137)
3   * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
4   *
5   * This software may be distributed under the terms of the BSD license.
6   * See README for more details.
7   */
8  
9  #ifndef EAP_H
10  #define EAP_H
11  
12  #include "common/defs.h"
13  #include "utils/list.h"
14  #include "eap_common/eap_defs.h"
15  #include "eap_server/eap_methods.h"
16  #include "wpabuf.h"
17  
18  struct eap_sm;
19  
20  #define EAP_TTLS_AUTH_PAP 1
21  #define EAP_TTLS_AUTH_CHAP 2
22  #define EAP_TTLS_AUTH_MSCHAP 4
23  #define EAP_TTLS_AUTH_MSCHAPV2 8
24  
25  struct eap_user {
26  	struct {
27  		int vendor;
28  		u32 method;
29  	} methods[EAP_MAX_METHODS];
30  	u8 *password;
31  	size_t password_len;
32  	int password_hash; /* whether password is hashed with
33  			    * nt_password_hash() */
34  	u8 *salt;
35  	size_t salt_len;
36  	int phase2;
37  	int force_version;
38  	unsigned int macacl:1;
39  	int ttls_auth; /* bitfield of
40  			* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
41  	struct hostapd_radius_attr *accept_attr;
42  	u32 t_c_timestamp;
43  };
44  
45  struct eap_eapol_interface {
46  	/* Lower layer to full authenticator variables */
47  	bool eapResp; /* shared with EAPOL Backend Authentication */
48  	struct wpabuf *eapRespData;
49  	bool portEnabled;
50  	int retransWhile;
51  	bool eapRestart; /* shared with EAPOL Authenticator PAE */
52  	int eapSRTT;
53  	int eapRTTVAR;
54  
55  	/* Full authenticator to lower layer variables */
56  	bool eapReq; /* shared with EAPOL Backend Authentication */
57  	bool eapNoReq; /* shared with EAPOL Backend Authentication */
58  	bool eapSuccess;
59  	bool eapFail;
60  	bool eapTimeout;
61  	struct wpabuf *eapReqData;
62  	u8 *eapKeyData;
63  	size_t eapKeyDataLen;
64  	u8 *eapSessionId;
65  	size_t eapSessionIdLen;
66  	bool eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */
67  
68  	/* AAA interface to full authenticator variables */
69  	bool aaaEapReq;
70  	bool aaaEapNoReq;
71  	bool aaaSuccess;
72  	bool aaaFail;
73  	struct wpabuf *aaaEapReqData;
74  	u8 *aaaEapKeyData;
75  	size_t aaaEapKeyDataLen;
76  	bool aaaEapKeyAvailable;
77  	int aaaMethodTimeout;
78  
79  	/* Full authenticator to AAA interface variables */
80  	bool aaaEapResp;
81  	struct wpabuf *aaaEapRespData;
82  	/* aaaIdentity -> eap_get_identity() */
83  	bool aaaTimeout;
84  };
85  
86  struct eap_server_erp_key {
87  	struct dl_list list;
88  	size_t rRK_len;
89  	size_t rIK_len;
90  	u8 rRK[ERP_MAX_KEY_LEN];
91  	u8 rIK[ERP_MAX_KEY_LEN];
92  	u32 recv_seq;
93  	u8 cryptosuite;
94  	char keyname_nai[];
95  };
96  
97  struct eapol_callbacks {
98  	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
99  			    int phase2, struct eap_user *user);
100  	const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
101  	void (*log_msg)(void *ctx, const char *msg);
102  	int (*get_erp_send_reauth_start)(void *ctx);
103  	const char * (*get_erp_domain)(void *ctx);
104  	struct eap_server_erp_key * (*erp_get_key)(void *ctx,
105  						   const char *keyname);
106  	int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
107  };
108  
109  struct eap_config {
110  	/**
111  	 * ssl_ctx - TLS context
112  	 *
113  	 * This is passed to the EAP server implementation as a callback
114  	 * context for TLS operations.
115  	 */
116  	void *ssl_ctx;
117  	void *msg_ctx;
118  
119  	/**
120  	 * eap_sim_db_priv - EAP-SIM/AKA database context
121  	 *
122  	 * This is passed to the EAP-SIM/AKA server implementation as a
123  	 * callback context.
124  	 */
125  	void *eap_sim_db_priv;
126  
127  	struct crypto_rsa_key *imsi_privacy_key;
128  
129  	bool backend_auth;
130  	int eap_server;
131  
132  	/**
133  	 * pwd_group - The D-H group assigned for EAP-pwd
134  	 *
135  	 * If EAP-pwd is not used it can be set to zero.
136  	 */
137  	u16 pwd_group;
138  
139  	/**
140  	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
141  	 *
142  	 * This parameter is used to set a key for EAP-FAST to encrypt the
143  	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
144  	 * set, must point to a 16-octet key.
145  	 */
146  	u8 *pac_opaque_encr_key;
147  
148  	/**
149  	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
150  	 *
151  	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
152  	 * is a variable length field, but due to some existing implementations
153  	 * requiring A-ID to be 16 octets in length, it is recommended to use
154  	 * that length for the field to provide interoperability with deployed
155  	 * peer implementations.
156  	 */
157  	u8 *eap_fast_a_id;
158  
159  	/**
160  	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
161  	 */
162  	size_t eap_fast_a_id_len;
163  	/**
164  	 * eap_fast_a_id_info - EAP-FAST authority identifier information
165  	 *
166  	 * This A-ID-Info contains a user-friendly name for the A-ID. For
167  	 * example, this could be the enterprise and server names in
168  	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
169  	 * is not used, this can be set to %NULL.
170  	 */
171  	char *eap_fast_a_id_info;
172  
173  	/**
174  	 * eap_fast_prov - EAP-FAST provisioning modes
175  	 *
176  	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
177  	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
178  	 * modes allowed.
179  	 */
180  	enum {
181  		NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
182  	} eap_fast_prov;
183  
184  	/**
185  	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
186  	 *
187  	 * This is the hard limit on how long a provisioned PAC-Key can be
188  	 * used.
189  	 */
190  	int pac_key_lifetime;
191  
192  	/**
193  	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
194  	 *
195  	 * This is a soft limit on the PAC-Key. The server will automatically
196  	 * generate a new PAC-Key when this number of seconds (or fewer) of the
197  	 * lifetime remains.
198  	 */
199  	int pac_key_refresh_time;
200  	int eap_teap_auth;
201  	int eap_teap_separate_result;
202  	enum eap_teap_id {
203  		EAP_TEAP_ID_ALLOW_ANY = 0,
204  		EAP_TEAP_ID_REQUIRE_USER = 1,
205  		EAP_TEAP_ID_REQUIRE_MACHINE = 2,
206  		EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3,
207  		EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4,
208  		EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE = 5,
209  	} eap_teap_id;
210  	int eap_teap_method_sequence;
211  
212  	/**
213  	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
214  	 *
215  	 * This controls whether the protected success/failure indication
216  	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
217  	 */
218  	int eap_sim_aka_result_ind;
219  	int eap_sim_id;
220  
221  	/* Maximum number of fast re-authentications allowed after each full
222  	 * EAP-SIM/AKA authentication. */
223  	int eap_sim_aka_fast_reauth_limit;
224  
225  	/**
226  	 * tnc - Trusted Network Connect (TNC)
227  	 *
228  	 * This controls whether TNC is enabled and will be required before the
229  	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
230  	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
231  	 * allowed to connect without TNC.
232  	 */
233  	int tnc;
234  
235  	/**
236  	 * wps - Wi-Fi Protected Setup context
237  	 *
238  	 * If WPS is used with an external RADIUS server (which is quite
239  	 * unlikely configuration), this is used to provide a pointer to WPS
240  	 * context data. Normally, this can be set to %NULL.
241  	 */
242  	struct wps_context *wps;
243  	int fragment_size;
244  
245  	int pbc_in_m1;
246  
247  	/**
248  	 * server_id - Server identity
249  	 */
250  	u8 *server_id;
251  	size_t server_id_len;
252  
253  	/**
254  	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
255  	 *
256  	 * This controls whether the authentication server derives ERP key
257  	 * hierarchy (rRK and rIK) from full EAP authentication and allows
258  	 * these keys to be used to perform ERP to derive rMSK instead of full
259  	 * EAP authentication to derive MSK.
260  	 */
261  	int erp;
262  	unsigned int tls_session_lifetime;
263  	unsigned int tls_flags;
264  
265  	unsigned int max_auth_rounds;
266  	unsigned int max_auth_rounds_short;
267  
268  #ifdef CONFIG_TESTING_OPTIONS
269  	bool skip_prot_success;
270  #endif /* CONFIG_TESTING_OPTIONS */
271  };
272  
273  struct eap_session_data {
274  	const struct wpabuf *assoc_wps_ie;
275  	const struct wpabuf *assoc_p2p_ie;
276  	const u8 *peer_addr;
277  #ifdef CONFIG_TESTING_OPTIONS
278  	u32 tls_test_flags;
279  #endif /* CONFIG_TESTING_OPTIONS */
280  };
281  
282  
283  struct eap_sm * eap_server_sm_init(void *eapol_ctx,
284  				   const struct eapol_callbacks *eapol_cb,
285  				   const struct eap_config *conf,
286  				   const struct eap_session_data *sess);
287  void eap_server_sm_deinit(struct eap_sm *sm);
288  int eap_server_sm_step(struct eap_sm *sm);
289  void eap_sm_notify_cached(struct eap_sm *sm);
290  void eap_sm_pending_cb(struct eap_sm *sm);
291  int eap_sm_method_pending(struct eap_sm *sm);
292  const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
293  const char * eap_get_serial_num(struct eap_sm *sm);
294  const char * eap_get_method(struct eap_sm *sm);
295  const char * eap_get_imsi(struct eap_sm *sm);
296  struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
297  void eap_server_clear_identity(struct eap_sm *sm);
298  void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
299  				   const u8 *username, size_t username_len,
300  				   const u8 *challenge, const u8 *response);
301  void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
302  void eap_user_free(struct eap_user *user);
303  void eap_server_config_free(struct eap_config *cfg);
304  
305  #endif /* EAP_H */
306