Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / 9ed821d7e5d875a3395740a9cc2545671fa429b7 / . / ap / app / hostapd-2.10 / src / eap_server / eap.h
blob: 61032cc016bcbd586f70699b6b883ee73d0dac9a [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame^]1/*
2 * hostapd / EAP Full Authenticator state machine (RFC 4137)
3 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#ifndef EAP_H
10#define EAP_H
11
12#include "common/defs.h"
13#include "utils/list.h"
14#include "eap_common/eap_defs.h"
15#include "eap_server/eap_methods.h"
16#include "wpabuf.h"
17
18struct eap_sm;
19
20#define EAP_TTLS_AUTH_PAP 1
21#define EAP_TTLS_AUTH_CHAP 2
22#define EAP_TTLS_AUTH_MSCHAP 4
23#define EAP_TTLS_AUTH_MSCHAPV2 8
24
25struct eap_user {
26 struct {
27 int vendor;
28 u32 method;
29 } methods[EAP_MAX_METHODS];
30 u8 *password;
31 size_t password_len;
32 int password_hash; /* whether password is hashed with
33 * nt_password_hash() */
34 u8 *salt;
35 size_t salt_len;
36 int phase2;
37 int force_version;
38 unsigned int remediation:1;
39 unsigned int macacl:1;
40 int ttls_auth; /* bitfield of
41 * EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
42 struct hostapd_radius_attr *accept_attr;
43 u32 t_c_timestamp;
44};
45
46struct eap_eapol_interface {
47 /* Lower layer to full authenticator variables */
48 bool eapResp; /* shared with EAPOL Backend Authentication */
49 struct wpabuf *eapRespData;
50 bool portEnabled;
51 int retransWhile;
52 bool eapRestart; /* shared with EAPOL Authenticator PAE */
53 int eapSRTT;
54 int eapRTTVAR;
55
56 /* Full authenticator to lower layer variables */
57 bool eapReq; /* shared with EAPOL Backend Authentication */
58 bool eapNoReq; /* shared with EAPOL Backend Authentication */
59 bool eapSuccess;
60 bool eapFail;
61 bool eapTimeout;
62 struct wpabuf *eapReqData;
63 u8 *eapKeyData;
64 size_t eapKeyDataLen;
65 u8 *eapSessionId;
66 size_t eapSessionIdLen;
67 bool eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */
68
69 /* AAA interface to full authenticator variables */
70 bool aaaEapReq;
71 bool aaaEapNoReq;
72 bool aaaSuccess;
73 bool aaaFail;
74 struct wpabuf *aaaEapReqData;
75 u8 *aaaEapKeyData;
76 size_t aaaEapKeyDataLen;
77 bool aaaEapKeyAvailable;
78 int aaaMethodTimeout;
79
80 /* Full authenticator to AAA interface variables */
81 bool aaaEapResp;
82 struct wpabuf *aaaEapRespData;
83 /* aaaIdentity -> eap_get_identity() */
84 bool aaaTimeout;
85};
86
87struct eap_server_erp_key {
88 struct dl_list list;
89 size_t rRK_len;
90 size_t rIK_len;
91 u8 rRK[ERP_MAX_KEY_LEN];
92 u8 rIK[ERP_MAX_KEY_LEN];
93 u32 recv_seq;
94 u8 cryptosuite;
95 char keyname_nai[];
96};
97
98struct eapol_callbacks {
99 int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
100 int phase2, struct eap_user *user);
101 const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
102 void (*log_msg)(void *ctx, const char *msg);
103 int (*get_erp_send_reauth_start)(void *ctx);
104 const char * (*get_erp_domain)(void *ctx);
105 struct eap_server_erp_key * (*erp_get_key)(void *ctx,
106 const char *keyname);
107 int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
108};
109
110struct eap_config {
111 /**
112 * ssl_ctx - TLS context
113 *
114 * This is passed to the EAP server implementation as a callback
115 * context for TLS operations.
116 */
117 void *ssl_ctx;
118 void *msg_ctx;
119
120 /**
121 * eap_sim_db_priv - EAP-SIM/AKA database context
122 *
123 * This is passed to the EAP-SIM/AKA server implementation as a
124 * callback context.
125 */
126 void *eap_sim_db_priv;
127 bool backend_auth;
128 int eap_server;
129
130 /**
131 * pwd_group - The D-H group assigned for EAP-pwd
132 *
133 * If EAP-pwd is not used it can be set to zero.
134 */
135 u16 pwd_group;
136
137 /**
138 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
139 *
140 * This parameter is used to set a key for EAP-FAST to encrypt the
141 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
142 * set, must point to a 16-octet key.
143 */
144 u8 *pac_opaque_encr_key;
145
146 /**
147 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
148 *
149 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
150 * is a variable length field, but due to some existing implementations
151 * requiring A-ID to be 16 octets in length, it is recommended to use
152 * that length for the field to provide interoperability with deployed
153 * peer implementations.
154 */
155 u8 *eap_fast_a_id;
156
157 /**
158 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
159 */
160 size_t eap_fast_a_id_len;
161 /**
162 * eap_fast_a_id_info - EAP-FAST authority identifier information
163 *
164 * This A-ID-Info contains a user-friendly name for the A-ID. For
165 * example, this could be the enterprise and server names in
166 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
167 * is not used, this can be set to %NULL.
168 */
169 char *eap_fast_a_id_info;
170
171 /**
172 * eap_fast_prov - EAP-FAST provisioning modes
173 *
174 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
175 * 2 = only authenticated provisioning allowed, 3 = both provisioning
176 * modes allowed.
177 */
178 enum {
179 NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
180 } eap_fast_prov;
181
182 /**
183 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
184 *
185 * This is the hard limit on how long a provisioned PAC-Key can be
186 * used.
187 */
188 int pac_key_lifetime;
189
190 /**
191 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
192 *
193 * This is a soft limit on the PAC-Key. The server will automatically
194 * generate a new PAC-Key when this number of seconds (or fewer) of the
195 * lifetime remains.
196 */
197 int pac_key_refresh_time;
198 int eap_teap_auth;
199 int eap_teap_pac_no_inner;
200 int eap_teap_separate_result;
201 enum eap_teap_id {
202 EAP_TEAP_ID_ALLOW_ANY = 0,
203 EAP_TEAP_ID_REQUIRE_USER = 1,
204 EAP_TEAP_ID_REQUIRE_MACHINE = 2,
205 EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3,
206 EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4,
207 EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE = 5,
208 } eap_teap_id;
209
210 /**
211 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
212 *
213 * This controls whether the protected success/failure indication
214 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
215 */
216 int eap_sim_aka_result_ind;
217 int eap_sim_id;
218
219 /**
220 * tnc - Trusted Network Connect (TNC)
221 *
222 * This controls whether TNC is enabled and will be required before the
223 * peer is allowed to connect. Note: This is only used with EAP-TTLS
224 * and EAP-FAST. If any other EAP method is enabled, the peer will be
225 * allowed to connect without TNC.
226 */
227 int tnc;
228
229 /**
230 * wps - Wi-Fi Protected Setup context
231 *
232 * If WPS is used with an external RADIUS server (which is quite
233 * unlikely configuration), this is used to provide a pointer to WPS
234 * context data. Normally, this can be set to %NULL.
235 */
236 struct wps_context *wps;
237 int fragment_size;
238
239 int pbc_in_m1;
240
241 /**
242 * server_id - Server identity
243 */
244 u8 *server_id;
245 size_t server_id_len;
246
247 /**
248 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
249 *
250 * This controls whether the authentication server derives ERP key
251 * hierarchy (rRK and rIK) from full EAP authentication and allows
252 * these keys to be used to perform ERP to derive rMSK instead of full
253 * EAP authentication to derive MSK.
254 */
255 int erp;
256 unsigned int tls_session_lifetime;
257 unsigned int tls_flags;
258
259 unsigned int max_auth_rounds;
260 unsigned int max_auth_rounds_short;
261};
262
263struct eap_session_data {
264 const struct wpabuf *assoc_wps_ie;
265 const struct wpabuf *assoc_p2p_ie;
266 const u8 *peer_addr;
267#ifdef CONFIG_TESTING_OPTIONS
268 u32 tls_test_flags;
269#endif /* CONFIG_TESTING_OPTIONS */
270};
271
272
273struct eap_sm * eap_server_sm_init(void *eapol_ctx,
274 const struct eapol_callbacks *eapol_cb,
275 const struct eap_config *conf,
276 const struct eap_session_data *sess);
277void eap_server_sm_deinit(struct eap_sm *sm);
278int eap_server_sm_step(struct eap_sm *sm);
279void eap_sm_notify_cached(struct eap_sm *sm);
280void eap_sm_pending_cb(struct eap_sm *sm);
281int eap_sm_method_pending(struct eap_sm *sm);
282const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
283const char * eap_get_serial_num(struct eap_sm *sm);
284const char * eap_get_method(struct eap_sm *sm);
285const char * eap_get_imsi(struct eap_sm *sm);
286struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
287void eap_server_clear_identity(struct eap_sm *sm);
288void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
289 const u8 *username, size_t username_len,
290 const u8 *challenge, const u8 *response);
291void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
292void eap_user_free(struct eap_user *user);
293void eap_server_config_free(struct eap_config *cfg);
294
295#endif /* EAP_H */