hostap/src/eap_server/eap.h

/*
 * hostapd / EAP Full Authenticator state machine (RFC 4137)
 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef EAP_H
#define EAP_H

#include "common/defs.h"
#include "utils/list.h"
#include "eap_common/eap_defs.h"
#include "eap_server/eap_methods.h"
#include "wpabuf.h"

struct eap_sm;

#define EAP_TTLS_AUTH_PAP 1
#define EAP_TTLS_AUTH_CHAP 2
#define EAP_TTLS_AUTH_MSCHAP 4
#define EAP_TTLS_AUTH_MSCHAPV2 8

struct eap_user {
	struct {
		int vendor;
		u32 method;
	} methods[EAP_MAX_METHODS];
	u8 *password;
	size_t password_len;
	int password_hash; /* whether password is hashed with
			    * nt_password_hash() */
	int phase2;
	int force_version;
	unsigned int remediation:1;
	unsigned int macacl:1;
	int ttls_auth; /* bitfield of
			* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
	struct hostapd_radius_attr *accept_attr;
};

struct eap_eapol_interface {
	/* Lower layer to full authenticator variables */
	Boolean eapResp; /* shared with EAPOL Backend Authentication */
	struct wpabuf *eapRespData;
	Boolean portEnabled;
	int retransWhile;
	Boolean eapRestart; /* shared with EAPOL Authenticator PAE */
	int eapSRTT;
	int eapRTTVAR;

	/* Full authenticator to lower layer variables */
	Boolean eapReq; /* shared with EAPOL Backend Authentication */
	Boolean eapNoReq; /* shared with EAPOL Backend Authentication */
	Boolean eapSuccess;
	Boolean eapFail;
	Boolean eapTimeout;
	struct wpabuf *eapReqData;
	u8 *eapKeyData;
	size_t eapKeyDataLen;
	u8 *eapSessionId;
	size_t eapSessionIdLen;
	Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */

	/* AAA interface to full authenticator variables */
	Boolean aaaEapReq;
	Boolean aaaEapNoReq;
	Boolean aaaSuccess;
	Boolean aaaFail;
	struct wpabuf *aaaEapReqData;
	u8 *aaaEapKeyData;
	size_t aaaEapKeyDataLen;
	Boolean aaaEapKeyAvailable;
	int aaaMethodTimeout;

	/* Full authenticator to AAA interface variables */
	Boolean aaaEapResp;
	struct wpabuf *aaaEapRespData;
	/* aaaIdentity -> eap_get_identity() */
	Boolean aaaTimeout;
};

struct eap_server_erp_key {
	struct dl_list list;
	size_t rRK_len;
	size_t rIK_len;
	u8 rRK[ERP_MAX_KEY_LEN];
	u8 rIK[ERP_MAX_KEY_LEN];
	u32 recv_seq;
	u8 cryptosuite;
	char keyname_nai[];
};

struct eapol_callbacks {
	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
			    int phase2, struct eap_user *user);
	const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
	void (*log_msg)(void *ctx, const char *msg);
	int (*get_erp_send_reauth_start)(void *ctx);
	const char * (*get_erp_domain)(void *ctx);
	struct eap_server_erp_key * (*erp_get_key)(void *ctx,
						   const char *keyname);
	int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
};

struct eap_config {
	void *ssl_ctx;
	void *msg_ctx;
	void *eap_sim_db_priv;
	Boolean backend_auth;
	int eap_server;
	u16 pwd_group;
	u8 *pac_opaque_encr_key;
	u8 *eap_fast_a_id;
	size_t eap_fast_a_id_len;
	char *eap_fast_a_id_info;
	int eap_fast_prov;
	int pac_key_lifetime;
	int pac_key_refresh_time;
	int eap_sim_aka_result_ind;
	int tnc;
	struct wps_context *wps;
	const struct wpabuf *assoc_wps_ie;
	const struct wpabuf *assoc_p2p_ie;
	const u8 *peer_addr;
	int fragment_size;

	int pbc_in_m1;

	const u8 *server_id;
	size_t server_id_len;
	int erp;

#ifdef CONFIG_TESTING_OPTIONS
	u32 tls_test_flags;
#endif /* CONFIG_TESTING_OPTIONS */
};


struct eap_sm * eap_server_sm_init(void *eapol_ctx,
				   struct eapol_callbacks *eapol_cb,
				   struct eap_config *eap_conf);
void eap_server_sm_deinit(struct eap_sm *sm);
int eap_server_sm_step(struct eap_sm *sm);
void eap_sm_notify_cached(struct eap_sm *sm);
void eap_sm_pending_cb(struct eap_sm *sm);
int eap_sm_method_pending(struct eap_sm *sm);
const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
void eap_server_clear_identity(struct eap_sm *sm);

#endif /* EAP_H */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`/*`
			`* hostapd / EAP Full Authenticator state machine (RFC 4137)`
ERP: Add support for ERP on EAP server and authenticator Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-11-29 20:28:24 +01:00			`* Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`*`
Remove the GPL notification from files contributed by Jouni Malinen Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi> 2012-02-11 15:46:35 +01:00			`* This software may be distributed under the terms of the BSD license.`
			`* See README for more details.`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`*/`

			`#ifndef EAP_H`
			`#define EAP_H`

Remove src/common from default header file path This makes it clearer which files are including header from src/common. Some of these cases should probably be cleaned up in the future not to do that. In addition, src/common/nl80211_copy.h and wireless_copy.h were moved into src/drivers since they are only used by driver wrappers and do not need to live in src/common. 2009-11-29 16:51:55 +01:00			`#include "common/defs.h"`
ERP: Add support for ERP on EAP server and authenticator Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-11-29 20:28:24 +01:00			`#include "utils/list.h"`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`#include "eap_common/eap_defs.h"`
			`#include "eap_server/eap_methods.h"`
			`#include "wpabuf.h"`

			`struct eap_sm;`

			`#define EAP_TTLS_AUTH_PAP 1`
			`#define EAP_TTLS_AUTH_CHAP 2`
			`#define EAP_TTLS_AUTH_MSCHAP 4`
			`#define EAP_TTLS_AUTH_MSCHAPV2 8`

			`struct eap_user {`
			`struct {`
			`int vendor;`
			`u32 method;`
			`} methods[EAP_MAX_METHODS];`
			`u8 *password;`
			`size_t password_len;`
			`int password_hash; /* whether password is hashed with`
			`* nt_password_hash() */`
			`int phase2;`
			`int force_version;`
HS 2.0R2: RADIUS server support to request Subscr Remediation The new hostapd.conf parameter subscr_remediation_url can be used to define the URL of the Subscription Remediation Server that will be added in a WFA VSA to Access-Accept message if the SQLite user database indicates that the user need subscription remediation. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com> 2012-11-21 16:04:21 +01:00			`unsigned int remediation:1;`
RADIUS server: Add support for MAC ACL "user" MACACL "password" style lines in the eap_user file can now be used to configured user entries for RADIUS-based MAC ACL. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-03-29 18:31:56 +01:00			`unsigned int macacl:1;`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`int ttls_auth; /* bitfield of`
			`* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */`
Allow arbitrary RADIUS attributes to be added into Access-Accept This extends the design already available for Access-Request packets to the RADIUS server and Access-Accept messages. Each user entry can be configured to add arbitrary RADIUS attributes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2014-03-07 22:19:52 +01:00			`struct hostapd_radius_attr *accept_attr;`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`};`

			`struct eap_eapol_interface {`
			`/* Lower layer to full authenticator variables */`
			`Boolean eapResp; /* shared with EAPOL Backend Authentication */`
			`struct wpabuf *eapRespData;`
			`Boolean portEnabled;`
			`int retransWhile;`
			`Boolean eapRestart; /* shared with EAPOL Authenticator PAE */`
			`int eapSRTT;`
			`int eapRTTVAR;`

			`/* Full authenticator to lower layer variables */`
			`Boolean eapReq; /* shared with EAPOL Backend Authentication */`
			`Boolean eapNoReq; /* shared with EAPOL Backend Authentication */`
			`Boolean eapSuccess;`
			`Boolean eapFail;`
			`Boolean eapTimeout;`
			`struct wpabuf *eapReqData;`
			`u8 *eapKeyData;`
			`size_t eapKeyDataLen;`
EAP server: Add getSessionId This extends EAP server implementation to derive Session-Id similarly to the existing EAP peer implementation. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-11-29 22:46:45 +01:00			`u8 *eapSessionId;`
			`size_t eapSessionIdLen;`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */`

			`/* AAA interface to full authenticator variables */`
			`Boolean aaaEapReq;`
			`Boolean aaaEapNoReq;`
			`Boolean aaaSuccess;`
			`Boolean aaaFail;`
			`struct wpabuf *aaaEapReqData;`
			`u8 *aaaEapKeyData;`
			`size_t aaaEapKeyDataLen;`
			`Boolean aaaEapKeyAvailable;`
			`int aaaMethodTimeout;`

			`/* Full authenticator to AAA interface variables */`
			`Boolean aaaEapResp;`
			`struct wpabuf *aaaEapRespData;`
			`/* aaaIdentity -> eap_get_identity() */`
			`Boolean aaaTimeout;`
			`};`

ERP: Add support for ERP on EAP server and authenticator Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-11-29 20:28:24 +01:00			`struct eap_server_erp_key {`
			`struct dl_list list;`
			`size_t rRK_len;`
			`size_t rIK_len;`
			`u8 rRK[ERP_MAX_KEY_LEN];`
			`u8 rIK[ERP_MAX_KEY_LEN];`
			`u32 recv_seq;`
			`u8 cryptosuite;`
			`char keyname_nai[];`
			`};`

Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`struct eapol_callbacks {`
			`int (get_eap_user)(void ctx, const u8 *identity, size_t identity_len,`
			`int phase2, struct eap_user *user);`
			`const char * (get_eap_req_id_text)(void ctx, size_t *len);`
RADIUS server: Allow EAP methods to log into SQLite DB This extends RADIUS server logging capabilities to allow EAP server methods to add log entries. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> 2014-02-28 13:41:42 +01:00			`void (log_msg)(void ctx, const char *msg);`
ERP: Add optional EAP-Initiate/Re-auth-Start transmission hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start before EAP-Request/Identity to try to initiate ERP. This is disabled by default and can be enabled with erp_send_reauth_start=1 and optional erp_reauth_start_domain=<domain>. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-11-29 19:33:09 +01:00			`int (get_erp_send_reauth_start)(void ctx);`
			`const char * (get_erp_domain)(void ctx);`
ERP: Add support for ERP on EAP server and authenticator Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-11-29 20:28:24 +01:00			`struct eap_server_erp_key * (erp_get_key)(void ctx,`
			`const char *keyname);`
			`int (erp_add_key)(void ctx, struct eap_server_erp_key *erp);`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`};`

			`struct eap_config {`
			`void *ssl_ctx;`
AP: Add wpa_msg() events for EAP server state machine 2010-04-07 10:13:14 +02:00			`void *msg_ctx;`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`void *eap_sim_db_priv;`
			`Boolean backend_auth;`
			`int eap_server;`
EAP-pwd: Add support for EAP-pwd server and peer functionality This adds an initial EAP-pwd (RFC 5931) implementation. For now, this requires OpenSSL. 2010-09-15 09:51:40 +02:00			`u16 pwd_group;`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`u8 *pac_opaque_encr_key;`
EAP-FAST: Allow A-ID and A-ID-Info to be configured separately Changed EAP-FAST configuration to use separate fields for A-ID and A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed 16-octet len binary value for better interoperability with some peer implementations; eap_fast_a_id is now configured as a hex string. 2008-10-19 08:55:59 +02:00			`u8 *eap_fast_a_id;`
			`size_t eap_fast_a_id_len;`
			`char *eap_fast_a_id_info;`
EAP-FAST: Added support for disabling anonymous/authenticated provisioning eap_fast_prov config parameter can now be used to enable/disable different EAP-FAST provisioning modes: 0 = provisioning disabled 1 = only anonymous provisioning allowed 2 = only authenticated provisioning allowed 3 = both provisioning modes allowed 2008-10-08 15:55:23 +02:00			`int eap_fast_prov;`
EAP-FAST: Make PAC-Key lifetime values configurable The hardcoded values in eap_fast.c were replaced with values read from hostapd.conf. 2008-10-08 16:25:47 +02:00			`int pac_key_lifetime;`
			`int pac_key_refresh_time;`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`int eap_sim_aka_result_ind;`
TNC: Provide 'tnc' configuration option for EAP server and methods 2008-03-09 09:42:53 +01:00			`int tnc;`
Added preliminary Wi-Fi Protected Setup (WPS) implementation This adds WPS support for both hostapd and wpa_supplicant. Both programs can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN methods are supported. Currently, hostapd has more complete configuration option for WPS parameters and wpa_supplicant configuration style will likely change in the future. External Registrars are not yet supported in hostapd or wpa_supplicant. While wpa_supplicant has initial support for acting as an Registrar to configure an AP, this is still using number of hardcoded parameters which will need to be made configurable for proper operation. 2008-11-23 18:34:26 +01:00			`struct wps_context *wps;`
WPS: Parse Request Type from WPS IE in (Re)AssocReq and derive mgmt keys WPS IE is now passed from hostapd association processing into EAP-WSC and WPS processing. Request Type attribute is parsed from this information and if the request is for a WLAN Manager Registrar, additional management keys are derived (to be used with UPnP). 2008-11-29 11:11:56 +01:00			`const struct wpabuf *assoc_wps_ie;`
P2P: Use PSK format in WPS Credential 2010-07-18 23:30:25 +02:00			`const struct wpabuf *assoc_p2p_ie;`
WPS: Store device info and make it available through AP ctrl_iface Store a copy of device attributes during WPS protocol run and make it available for external programs via the control interface STA MIB command for associated stations. This gives access to device name and type which can be useful when showing user information about associated stations. 2009-09-07 21:09:13 +02:00			`const u8 *peer_addr;`
EAP server: Add support for configuring fragment size 2010-07-19 04:28:53 +02:00			`int fragment_size;`
WPS: Add a workaround for Windows 7 capability discovery for PBC Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting as a Registrar and using M1 from the AP. The config methods attribute in that message is supposed to indicate only the configuration method supported by the AP in Enrollee role, i.e., to add an external Registrar. For that case, PBC shall not be used and as such, the PushButton config method is removed from M1 by default. If pbc_in_m1=1 is included in the configuration file, the PushButton config method is left in M1 (if included in config_methods parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label in the AP). 2011-05-17 18:53:02 +02:00
			`int pbc_in_m1;`
Add server identity configuration for EAP server The new server_id parameter in hostapd.conf can now be used to specify which identity is delivered to the EAP peer with EAP methods that support authenticated server identity. Signed-hostap: Jouni Malinen <j@w1.fi> 2013-07-06 17:17:15 +02:00
			`const u8 *server_id;`
			`size_t server_id_len;`
ERP: Add support for ERP on EAP server and authenticator Derive rRK and rIK on EAP server if ERP is enabled and use these keys to allow EAP re-authentication to be used and to derive rMSK. The new hostapd configuration parameter eap_server_erp=1 can now be used to configure the integrated EAP server to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-11-29 20:28:24 +01:00			`int erp;`
TLS testing: Allow hostapd to be used as a TLS testing tool The internal TLS server implementation and RADIUS server implementation in hostapd can be configured to allow EAP clients to be tested to perform TLS validation steps correctly. This functionality is not included in the default build; CONFIG_TESTING_OPTIONS=y in hostapd/.config can be used to enable this. When enabled, the RADIUS server will configure special TLS test modes based on the received User-Name attribute value in this format: <user>@test-tls-<id>.<rest-of-realm>. For example, anonymous@test-tls-1.example.com. When this special format is used, TLS test modes are enabled. For other cases, the RADIUS server works normally. The following TLS test cases are enabled in this commit: 1 - break verify_data in the server Finished message 2 - break signed_params hash in ServerKeyExchange 3 - break Signature in ServerKeyExchange Correctly behaving TLS client must abort connection if any of these failures is detected and as such, shall not transmit continue the session. Signed-off-by: Jouni Malinen <j@w1.fi> 2014-03-01 23:43:59 +01:00
			`#ifdef CONFIG_TESTING_OPTIONS`
			`u32 tls_test_flags;`
			`#endif /* CONFIG_TESTING_OPTIONS */`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00			`};`


			`struct eap_sm * eap_server_sm_init(void *eapol_ctx,`
			`struct eapol_callbacks *eapol_cb,`
			`struct eap_config *eap_conf);`
			`void eap_server_sm_deinit(struct eap_sm *sm);`
			`int eap_server_sm_step(struct eap_sm *sm);`
			`void eap_sm_notify_cached(struct eap_sm *sm);`
			`void eap_sm_pending_cb(struct eap_sm *sm);`
			`int eap_sm_method_pending(struct eap_sm *sm);`
			`const u8 * eap_get_identity(struct eap_sm sm, size_t len);`
			`struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);`
Fix EAP standalone server Commit c3fc47ea8e1d3730e11eb9978d13831212727902 fixed EAP passthrough server to allow Logoff/Re-authentication to be used. However, it broke EAP standalone server while doing that. Fix this by reverting the earlier fix and by clearing the EAP Identity information in the EAP server code whenever an EAPOL-Start or EAPOL-Logoff packet is received. 2010-11-07 15:25:35 +01:00			`void eap_server_clear_identity(struct eap_sm *sm);`
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-28 02:34:43 +01:00
			`#endif /* EAP_H */`