fragattacks/src/eap_server/eap.h
Jouni Malinen d3bddd8b84 ERP: Add support for ERP on EAP server and authenticator
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.

The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:27 +02:00

154 lines
3.9 KiB
C

/*
* hostapd / EAP Full Authenticator state machine (RFC 4137)
* Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#ifndef EAP_H
#define EAP_H
#include "common/defs.h"
#include "utils/list.h"
#include "eap_common/eap_defs.h"
#include "eap_server/eap_methods.h"
#include "wpabuf.h"
struct eap_sm;
#define EAP_TTLS_AUTH_PAP 1
#define EAP_TTLS_AUTH_CHAP 2
#define EAP_TTLS_AUTH_MSCHAP 4
#define EAP_TTLS_AUTH_MSCHAPV2 8
struct eap_user {
struct {
int vendor;
u32 method;
} methods[EAP_MAX_METHODS];
u8 *password;
size_t password_len;
int password_hash; /* whether password is hashed with
* nt_password_hash() */
int phase2;
int force_version;
unsigned int remediation:1;
unsigned int macacl:1;
int ttls_auth; /* bitfield of
* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
struct hostapd_radius_attr *accept_attr;
};
struct eap_eapol_interface {
/* Lower layer to full authenticator variables */
Boolean eapResp; /* shared with EAPOL Backend Authentication */
struct wpabuf *eapRespData;
Boolean portEnabled;
int retransWhile;
Boolean eapRestart; /* shared with EAPOL Authenticator PAE */
int eapSRTT;
int eapRTTVAR;
/* Full authenticator to lower layer variables */
Boolean eapReq; /* shared with EAPOL Backend Authentication */
Boolean eapNoReq; /* shared with EAPOL Backend Authentication */
Boolean eapSuccess;
Boolean eapFail;
Boolean eapTimeout;
struct wpabuf *eapReqData;
u8 *eapKeyData;
size_t eapKeyDataLen;
u8 *eapSessionId;
size_t eapSessionIdLen;
Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */
/* AAA interface to full authenticator variables */
Boolean aaaEapReq;
Boolean aaaEapNoReq;
Boolean aaaSuccess;
Boolean aaaFail;
struct wpabuf *aaaEapReqData;
u8 *aaaEapKeyData;
size_t aaaEapKeyDataLen;
Boolean aaaEapKeyAvailable;
int aaaMethodTimeout;
/* Full authenticator to AAA interface variables */
Boolean aaaEapResp;
struct wpabuf *aaaEapRespData;
/* aaaIdentity -> eap_get_identity() */
Boolean aaaTimeout;
};
struct eap_server_erp_key {
struct dl_list list;
size_t rRK_len;
size_t rIK_len;
u8 rRK[ERP_MAX_KEY_LEN];
u8 rIK[ERP_MAX_KEY_LEN];
u32 recv_seq;
u8 cryptosuite;
char keyname_nai[];
};
struct eapol_callbacks {
int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
int phase2, struct eap_user *user);
const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
void (*log_msg)(void *ctx, const char *msg);
int (*get_erp_send_reauth_start)(void *ctx);
const char * (*get_erp_domain)(void *ctx);
struct eap_server_erp_key * (*erp_get_key)(void *ctx,
const char *keyname);
int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
};
struct eap_config {
void *ssl_ctx;
void *msg_ctx;
void *eap_sim_db_priv;
Boolean backend_auth;
int eap_server;
u16 pwd_group;
u8 *pac_opaque_encr_key;
u8 *eap_fast_a_id;
size_t eap_fast_a_id_len;
char *eap_fast_a_id_info;
int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int eap_sim_aka_result_ind;
int tnc;
struct wps_context *wps;
const struct wpabuf *assoc_wps_ie;
const struct wpabuf *assoc_p2p_ie;
const u8 *peer_addr;
int fragment_size;
int pbc_in_m1;
const u8 *server_id;
size_t server_id_len;
int erp;
#ifdef CONFIG_TESTING_OPTIONS
u32 tls_test_flags;
#endif /* CONFIG_TESTING_OPTIONS */
};
struct eap_sm * eap_server_sm_init(void *eapol_ctx,
struct eapol_callbacks *eapol_cb,
struct eap_config *eap_conf);
void eap_server_sm_deinit(struct eap_sm *sm);
int eap_server_sm_step(struct eap_sm *sm);
void eap_sm_notify_cached(struct eap_sm *sm);
void eap_sm_pending_cb(struct eap_sm *sm);
int eap_sm_method_pending(struct eap_sm *sm);
const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
void eap_server_clear_identity(struct eap_sm *sm);
#endif /* EAP_H */