| yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame] | 1 | /* |
| 2 | * hostapd / EAP Full Authenticator state machine (RFC 4137) |
| 3 | * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This software may be distributed under the terms of the BSD license. |
| 6 | * See README for more details. |
| 7 | */ |
| 8 | |
| 9 | #ifndef EAP_H |
| 10 | #define EAP_H |
| 11 | |
| 12 | #include "common/defs.h" |
| 13 | #include "utils/list.h" |
| 14 | #include "eap_common/eap_defs.h" |
| 15 | #include "eap_server/eap_methods.h" |
| 16 | #include "wpabuf.h" |
| 17 | |
| 18 | struct eap_sm; |
| 19 | |
| 20 | #define EAP_TTLS_AUTH_PAP 1 |
| 21 | #define EAP_TTLS_AUTH_CHAP 2 |
| 22 | #define EAP_TTLS_AUTH_MSCHAP 4 |
| 23 | #define EAP_TTLS_AUTH_MSCHAPV2 8 |
| 24 | |
| 25 | struct eap_user { |
| 26 | struct { |
| 27 | int vendor; |
| 28 | u32 method; |
| 29 | } methods[EAP_MAX_METHODS]; |
| 30 | u8 *password; |
| 31 | size_t password_len; |
| 32 | int password_hash; /* whether password is hashed with |
| 33 | * nt_password_hash() */ |
| 34 | int phase2; |
| 35 | int force_version; |
| 36 | unsigned int remediation:1; |
| 37 | unsigned int macacl:1; |
| 38 | int ttls_auth; /* bitfield of |
| 39 | * EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */ |
| 40 | struct hostapd_radius_attr *accept_attr; |
| 41 | }; |
| 42 | |
| 43 | struct eap_eapol_interface { |
| 44 | /* Lower layer to full authenticator variables */ |
| 45 | Boolean eapResp; /* shared with EAPOL Backend Authentication */ |
| 46 | struct wpabuf *eapRespData; |
| 47 | Boolean portEnabled; |
| 48 | int retransWhile; |
| 49 | Boolean eapRestart; /* shared with EAPOL Authenticator PAE */ |
| 50 | int eapSRTT; |
| 51 | int eapRTTVAR; |
| 52 | |
| 53 | /* Full authenticator to lower layer variables */ |
| 54 | Boolean eapReq; /* shared with EAPOL Backend Authentication */ |
| 55 | Boolean eapNoReq; /* shared with EAPOL Backend Authentication */ |
| 56 | Boolean eapSuccess; |
| 57 | Boolean eapFail; |
| 58 | Boolean eapTimeout; |
| 59 | struct wpabuf *eapReqData; |
| 60 | u8 *eapKeyData; |
| 61 | size_t eapKeyDataLen; |
| 62 | u8 *eapSessionId; |
| 63 | size_t eapSessionIdLen; |
| 64 | Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */ |
| 65 | |
| 66 | /* AAA interface to full authenticator variables */ |
| 67 | Boolean aaaEapReq; |
| 68 | Boolean aaaEapNoReq; |
| 69 | Boolean aaaSuccess; |
| 70 | Boolean aaaFail; |
| 71 | struct wpabuf *aaaEapReqData; |
| 72 | u8 *aaaEapKeyData; |
| 73 | size_t aaaEapKeyDataLen; |
| 74 | Boolean aaaEapKeyAvailable; |
| 75 | int aaaMethodTimeout; |
| 76 | |
| 77 | /* Full authenticator to AAA interface variables */ |
| 78 | Boolean aaaEapResp; |
| 79 | struct wpabuf *aaaEapRespData; |
| 80 | /* aaaIdentity -> eap_get_identity() */ |
| 81 | Boolean aaaTimeout; |
| 82 | }; |
| 83 | |
| 84 | struct eap_server_erp_key { |
| 85 | struct dl_list list; |
| 86 | size_t rRK_len; |
| 87 | size_t rIK_len; |
| 88 | u8 rRK[ERP_MAX_KEY_LEN]; |
| 89 | u8 rIK[ERP_MAX_KEY_LEN]; |
| 90 | u32 recv_seq; |
| 91 | u8 cryptosuite; |
| 92 | char keyname_nai[]; |
| 93 | }; |
| 94 | |
| 95 | struct eapol_callbacks { |
| 96 | int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len, |
| 97 | int phase2, struct eap_user *user); |
| 98 | const char * (*get_eap_req_id_text)(void *ctx, size_t *len); |
| 99 | void (*log_msg)(void *ctx, const char *msg); |
| 100 | int (*get_erp_send_reauth_start)(void *ctx); |
| 101 | const char * (*get_erp_domain)(void *ctx); |
| 102 | struct eap_server_erp_key * (*erp_get_key)(void *ctx, |
| 103 | const char *keyname); |
| 104 | int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp); |
| 105 | }; |
| 106 | |
| 107 | struct eap_config { |
| 108 | void *ssl_ctx; |
| 109 | void *msg_ctx; |
| 110 | void *eap_sim_db_priv; |
| 111 | Boolean backend_auth; |
| 112 | int eap_server; |
| 113 | u16 pwd_group; |
| 114 | u8 *pac_opaque_encr_key; |
| 115 | u8 *eap_fast_a_id; |
| 116 | size_t eap_fast_a_id_len; |
| 117 | char *eap_fast_a_id_info; |
| 118 | int eap_fast_prov; |
| 119 | int pac_key_lifetime; |
| 120 | int pac_key_refresh_time; |
| 121 | int eap_sim_aka_result_ind; |
| 122 | int tnc; |
| 123 | struct wps_context *wps; |
| 124 | const struct wpabuf *assoc_wps_ie; |
| 125 | const struct wpabuf *assoc_p2p_ie; |
| 126 | const u8 *peer_addr; |
| 127 | int fragment_size; |
| 128 | |
| 129 | int pbc_in_m1; |
| 130 | |
| 131 | const u8 *server_id; |
| 132 | size_t server_id_len; |
| 133 | int erp; |
| 134 | unsigned int tls_session_lifetime; |
| 135 | |
| 136 | #ifdef CONFIG_TESTING_OPTIONS |
| 137 | u32 tls_test_flags; |
| 138 | #endif /* CONFIG_TESTING_OPTIONS */ |
| 139 | }; |
| 140 | |
| 141 | |
| 142 | struct eap_sm * eap_server_sm_init(void *eapol_ctx, |
| 143 | const struct eapol_callbacks *eapol_cb, |
| 144 | struct eap_config *eap_conf); |
| 145 | void eap_server_sm_deinit(struct eap_sm *sm); |
| 146 | int eap_server_sm_step(struct eap_sm *sm); |
| 147 | void eap_sm_notify_cached(struct eap_sm *sm); |
| 148 | void eap_sm_pending_cb(struct eap_sm *sm); |
| 149 | int eap_sm_method_pending(struct eap_sm *sm); |
| 150 | const u8 * eap_get_identity(struct eap_sm *sm, size_t *len); |
| 151 | struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm); |
| 152 | void eap_server_clear_identity(struct eap_sm *sm); |
| 153 | void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source, |
| 154 | const u8 *username, size_t username_len, |
| 155 | const u8 *challenge, const u8 *response); |
| 156 | |
| 157 | #endif /* EAP_H */ |