57 lines
2.7 KiB
Text
57 lines
2.7 KiB
Text
|
/**
|
||
|
\page eap_module EAP server implementation
|
||
|
|
||
|
Extensible Authentication Protocol (EAP) is an authentication framework
|
||
|
defined in RFC 3748. hostapd uses a separate code module for EAP server
|
||
|
implementation. This module was designed to use only a minimal set of
|
||
|
direct function calls (mainly, to debug/event functions) in order for
|
||
|
it to be usable in other programs. The design of the EAP
|
||
|
implementation is based loosely on RFC 4137. The state machine is
|
||
|
defined in this RFC and so is the interface between the server state
|
||
|
machine and methods. As such, this RFC provides useful information for
|
||
|
understanding the EAP server implementation in hostapd.
|
||
|
|
||
|
Some of the terminology used in EAP state machine is referring to
|
||
|
EAPOL (IEEE 802.1X), but there is no strict requirement on the lower
|
||
|
layer being IEEE 802.1X if EAP module is built for other programs than
|
||
|
%wpa_supplicant. These terms should be understood to refer to the
|
||
|
lower layer as defined in RFC 4137.
|
||
|
|
||
|
|
||
|
\section adding_eap_methods Adding EAP methods
|
||
|
|
||
|
Each EAP method is implemented as a separate module, usually as one C
|
||
|
file named eap_<name of the method>.c, e.g., eap_md5.c. All EAP
|
||
|
methods use the same interface between the server state machine and
|
||
|
method specific functions. This allows new EAP methods to be added
|
||
|
without modifying the core EAP state machine implementation.
|
||
|
|
||
|
New EAP methods need to be registered by adding them into the build
|
||
|
(Makefile) and the EAP method registration list in the
|
||
|
eap_server_register_methods() function of eap_methods.c. Each EAP
|
||
|
method should use a build-time configuration option, e.g., EAP_TLS, in
|
||
|
order to make it possible to select which of the methods are included
|
||
|
in the build.
|
||
|
|
||
|
EAP methods must implement the interface defined in eap_i.h. struct
|
||
|
eap_method defines the needed function pointers that each EAP method
|
||
|
must provide. In addition, the EAP type and name are registered using
|
||
|
this structure. This interface is based on section 4.4 of RFC 4137.
|
||
|
|
||
|
It is recommended that the EAP methods would use generic helper
|
||
|
functions, eap_msg_alloc() and eap_hdr_validate() when processing
|
||
|
messages. This allows code sharing and can avoid missing some of the
|
||
|
needed validation steps for received packets. In addition, these
|
||
|
functions make it easier to change between expanded and legacy EAP
|
||
|
header, if needed.
|
||
|
|
||
|
When adding an EAP method that uses a vendor specific EAP type
|
||
|
(Expanded Type as defined in RFC 3748, Chapter 5.7), the new method
|
||
|
must be registered by passing vendor id instead of EAP_VENDOR_IETF to
|
||
|
eap_server_method_alloc(). These methods must not try to emulate
|
||
|
expanded types by registering a legacy EAP method for type 254. See
|
||
|
eap_vendor_test.c for an example of an EAP method implementation that
|
||
|
is implemented as an expanded type.
|
||
|
|
||
|
*/
|