/*
 * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */
/*
 * eap.h - Extensible Authentication Protocol definitions.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that the above copyright notice and this paragraph are
 * duplicated in all such forms and that any documentation,
 * advertising materials, and other materials related to such
 * distribution and use acknowledge that the software was developed
 * by the author.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
 * $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $
 */

/*
 * Public interface of the EAP engine: wire-format constants, the packet
 * header layout, the engine<->extension (plugin) exchange structures and
 * the per-session client state, plus the entry points implemented in the
 * matching .c file.
 *
 * NOTE(review): the guard name starts with a double underscore, which is
 * reserved for the implementation; left as-is because other translation
 * units may test it.
 */
#ifndef __EAP_H__
#define __EAP_H__

#include "vmbuf.h"
#include <CoreFoundation/CoreFoundation.h>

/*
 * Challenge lengths (for challenges we send) and other limits.
 */
#define MAX_EAP_RESPONSE_LENGTH 1024 /* Max len for the EAP data part */
#define MAX_NAME_LENGTH 256          /* bound for peer_identity[] below */

/* Code + ID + length: size of the fixed EAP header on the wire */
#define EAP_HEADERLEN 4

/*
 * EAP codes.
 */

/* support for request types 1..4 is mandatory */
#define EAP_TYPE_NONE 0 /* No EAP type */
#define EAP_TYPE_IDENTITY 1 /* request for identity */
#define EAP_TYPE_NOTIFICATION 2 /* notification message */
#define EAP_TYPE_NAK 3 /* nak (response only) */
#define EAP_TYPE_MD5CHALLENGE 4 /* password MD5 coded */

#define EAP_TYPE_OTP 5 /* One Time Password (OTP) */
#define EAP_TYPE_TOKEN 6 /* Generic Token Card */

#define EAP_TYPE_RSA 9 /* RSA Public Key Authentication */
#define EAP_TYPE_DSS 10 /* DSS Unilateral */
#define EAP_TYPE_KEA 11 /* KEA */
#define EAP_TYPE_KEA_VALIDATE 12 /* KEA-VALIDATE */
#define EAP_TYPE_TLS 13 /* EAP-TLS */
#define EAP_TYPE_AXENT 14 /* Defender Token (AXENT) */
#define EAP_TYPE_RSA_SECURID 15 /* RSA Security SecurID EAP */
#define EAP_TYPE_ARCOT 16 /* Arcot Systems EAP */
#define EAP_TYPE_CISCO 17 /* EAP-Cisco Wireless */
#define EAP_TYPE_SIM 18 /* EAP-SIM */
#define EAP_TYPE_SRP_SHA1_1 19 /* SRP-SHA1 Part 1 */
#define EAP_TYPE_SRP_SHA1_2 20 /* SRP-SHA1 Part 2 */
#define EAP_TYPE_TTLS 21 /* EAP-TTLS */
#define EAP_TYPE_RAS 22 /* Remote Access Service */
#define EAP_TYPE_AKA 23 /* EAP-AKA */
#define EAP_TYPE_3COM 24 /* EAP-3Com Wireless */
#define EAP_TYPE_PEAP 25 /* PEAP */
#define EAP_TYPE_MS 26 /* MS-EAP-Authentication */
#define EAP_TYPE_MAKE 27 /* Mutual Authentication w/Key Exchange (MAKE) */
#define EAP_TYPE_CRYPTO 28 /* CRYPTOCard */
#define EAP_TYPE_MSCHAP_V2 29 /* EAP-MSCHAP-V2 */
#define EAP_TYPE_DYNAM_ID 30 /* DynamID */
#define EAP_TYPE_ROB 31 /* Rob EAP */
#define EAP_TYPE_SECUR_ID 32 /* SecurID EAP */
#define EAP_TYPE_MS_TLV 33 /* MS-Authentication-TLV */
#define EAP_TYPE_SENTRINET 34 /* SentriNET */
#define EAP_TYPE_ACTIONTEC 35 /* EAP-Actiontec Wireless */
#define EAP_TYPE_COGENT 36 /* Cogent Systems Biometrics Authentication EAP */

/* keys of the per-type option dictionaries passed to an extension's init() */
#define kEAPPropertiesTypeEAPSIM CFSTR("EAPSIMProperties")
#define kEAPPropertiesTypeEAPAKA CFSTR("EAPAKAProperties")

/* values of EAP_Packet.code */
#define EAP_REQUEST 1
#define EAP_RESPONSE 2
#define EAP_SUCCESS 3
#define EAP_FAILURE 4


/*
 * On-the-wire EAP packet header. The first EAP_HEADERLEN bytes are the
 * fixed header; data[1] is only a placeholder for the variable-length
 * payload that follows, so sizeof(struct EAP_Packet) is one byte larger
 * than EAP_HEADERLEN and must not be used as the header size.
 *
 * NOTE(review): every field here is peer-supplied. `len` is in network
 * order and should be converted and bounded by the number of bytes
 * actually received (packet_len in EapInput) before it is used to index
 * data[] -- confirm that eap.c does this on every code path.
 */
struct EAP_Packet
{
 u_int8_t code; // packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure
 u_int8_t id; // packet id
 u_int16_t len; // packet len (network order), includes the 4-byte header
 u_int8_t data[1]; // packet data (placeholder for the trailing payload)
} __attribute__((__packed__));

/* values of EAP_Input.notification: events the engine reports to an extension */
#define EAP_NOTIFICATION_NONE 0
#define EAP_NOTIFICATION_START 1
#define EAP_NOTIFICATION_RESTART 2
#define EAP_NOTIFICATION_SUCCESS 3
#define EAP_NOTIFICATION_PACKET 4
#define EAP_NOTIFICATION_DATA_FROM_UI 5
#define EAP_NOTIFICATION_TIMEOUT 6

/*
 * Engine -> extension input block, filled by the engine before each call
 * into an eap_ext_t entry point (init/process).
 */
typedef struct EAP_Input {
 u_int16_t size; // size of the structure (for future extension)
 u_int8_t mode; // 0 for client, 1 for server
 u_int8_t initial_id; // initial EAP ID
 u_int16_t mtu; // mtu will determine the maximum packet size to send
 u_int16_t notification; // notification the EAP engine sends to the module (EAP_NOTIFICATION_*)
 u_int16_t data_len; // len of the data
 void *data; // data to be consumed depending on the notification
 char *identity; // authenticatee identity
 char *username; // authenticatee user name
 char *password; // authenticatee password (plaintext credential; presumably owned by eap_state_t -- verify who clears it)
} EAP_Input_t;

/* values of EAP_Output.action: what the engine should do after a process() call */
#define EAP_ACTION_NONE 0
#define EAP_ACTION_SEND 1
#define EAP_ACTION_INVOKE_UI 2
#define EAP_ACTION_ACCESS_GRANTED 3
#define EAP_ACTION_ACCESS_DENIED 4
#define EAP_ACTION_SEND_WITH_TIMEOUT 5
#define EAP_ACTION_SEND_AND_DONE 6
#define EAP_ACTION_CANCEL 7


/*
 * Extension -> engine output block, filled by an extension's process()
 * and released through its free() entry point.
 */
typedef struct EAP_Output {
 u_int16_t size; // size of the structure (for future extension)
 u_int16_t action; // action the EAP engine needs to perform (EAP_ACTION_*)
 u_int16_t data_len; // len of the data
 void *data; // data to be consumed depending on the action
 char *username; // authenticatee user name (useful in server mode)
} EAP_Output_t;

/* return codes of the engine entry points and extension callbacks */
enum {
 EAP_NO_ERROR = 0,
 EAP_ERROR_GENERIC,
 EAP_ERROR_INVALID_PACKET
};

/* attribute information returned upon successful authentication */

#define EAP_ATTRIBUTE_NONE 0
#define EAP_ATTRIBUTE_MPPE_SEND_KEY 1 /* keying material: see MPPE_MAX_KEY_LEN */
#define EAP_ATTRIBUTE_MPPE_RECV_KEY 2 /* keying material: see MPPE_MAX_KEY_LEN */

/*
 * Attribute record handed to an extension's attribute() callback.
 *
 * NOTE(review): the struct carries a `void *data` pointer, yet the trailing
 * comment says the data follows in-line "according to the size"; the two
 * cannot both be true. Confirm against eap.c which layout callers rely on
 * before touching this definition (it is packed, so layout is ABI).
 */
typedef struct EAP_Attribute {
 u_int16_t type; // type of the attribute (EAP_ATTRIBUTE_*)
 u_int16_t data_len; // len of the data
 void *data; // data to be consumed depending on the type
 /* data follow according to the size */
} __attribute__((__packed__)) EAP_Attribute_t;

/*
 * Extension structure for eap types.
 */

#define EAP_EXT_CLIENT 0x1 // support client mode (bit in eap_ext.flags)

/*
 * One registered EAP method (plugin). Instances are chained through `next`
 * by EapExtAdd(); the engine selects an extension by matching `type`
 * against the request type received from the peer.
 */
typedef struct eap_ext {
 struct eap_ext *next; // next extension structure
 u_int8_t type; // eap type (EAP_TYPE_*)
 char *name; // extension name
 u_int32_t flags; // support flags (EAP_EXT_*)
 void *plugin; // used to keep ref of the plugin
 int (*init) (EAP_Input_t *eap_in, void **context, CFDictionaryRef options); // create *context; returns an EAP_* code
 //int (*reinit) (void *context);
 int (*dispose) (void *context); // release the context created by init
 int (*process) (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out); // handle one notification, fill eap_out
 int (*free) (void *context, EAP_Output_t *eap_out); // release what process() put in eap_out
 int (*attribute) (void *context, EAP_Attribute_t *eap_attr); // query an attribute after success
 int (*identity) (char *identity, int maxlen); // write the identity to use; writes must stay within maxlen bytes

} eap_ext_t;

/*
 * Per-session state of the client (peer) side of the engine.
 */
typedef struct eap_state {
 int clientstate; /* Client state (EAPCS_*) */

 char *our_identity; /* Our identity name */
 char *username; /* the user name (only for client mode) */
 char *password; /* the password (only for client mode); plaintext credential -- NOTE(review): should be cleared when the session ends, verify in eap.c */
 char peer_identity[MAX_NAME_LENGTH]; /* peer name discovered with identity request; peer-supplied, copies into it must be bounded by MAX_NAME_LENGTH */

 u_char req_id; /* ID of last challenge */
 u_char resp_id; /* ID of last response */
 u_char req_type; /* last request type */
 vchar_t *rcvd_msg; /* last message received from the peer */
 vchar_t *send_key; /* MPPE send key (secret material, see EAP_ATTRIBUTE_MPPE_SEND_KEY) */
 vchar_t *recv_key; /* MPPE receive key (secret material, see EAP_ATTRIBUTE_MPPE_RECV_KEY) */

 eap_ext_t *client_ext; /* client eap extension */
 void *client_ext_ctx; /* client eap extension context */
 EAP_Input_t *client_ext_input; /* client eap extension input structure */
 EAP_Output_t *client_ext_output; /* client eap extension output structure */

 struct etypes *supported_eap_types; /* opaque; declared elsewhere */
 CFDictionaryRef extra_options; /* options forwarded to the extension's init() */
} eap_state_t;

#define MPPE_MAX_KEY_LEN 16 /* largest key length (128-bit) */

/* Register an extension by linking it into the eap_ext chain. Returns an EAP_* code. */
int EapExtAdd(eap_ext_t *newext);

/*
 * Client (peer) states.
 */
#define EAPCS_INITIAL 0 /* Lower layer down, not opened */
#define EAPCS_CLOSED 1 /* Lower layer up, not opened */
#define EAPCS_PENDING 2 /* Auth us to peer when lower up */
#define EAPCS_LISTEN 3 /* Listening for a challenge */
#define EAPCS_OPEN 4 /* We've received Success */

/* Start authenticating to the peer; the vchar_t arguments are presumably credentials -- check eap.c for their meaning. */
int EapAuthWithPeer (eap_state_t *, vchar_t *, vchar_t *);
/* Called when the lower layer reports a failure. */
void EapLostFailure (eap_state_t *state);

/* Load the available EAP extensions. Returns an EAP_* code. */
int EAPLoad(eap_state_t *cstate);

/* Initialise a session state block. */
void EapInit(eap_state_t *cstate);

/* Start the session; the second argument's meaning is not visible here -- see eap.c. */
void EapStart(eap_state_t *cstate, int);

/* Stop the session and release extension state. */
void EapStop(eap_state_t *cstate);

/*
 * Feed one received packet to the engine. inpacket/packet_len describe the
 * bytes actually received; the EAP header's own `len` field must be checked
 * against packet_len (and against EAP_HEADERLEN) before any payload access.
 * Returns an EAP_* code.
 */
int EapInput(eap_state_t *cstate, u_char *inpacket, int packet_len);

#endif