1/*
2 * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23/*
24 * eap.h - Extensible Authentication Protocol definitions.
25 *
26 * Redistribution and use in source and binary forms are permitted
27 * provided that the above copyright notice and this paragraph are
28 * duplicated in all such forms and that any documentation,
29 * advertising materials, and other materials related to such
30 * distribution and use acknowledge that the software was developed
31 * by the author.
32 *
33 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
35 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
36 *
37 * $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $
38 */
39
40#ifndef __EAP_H__
41#define __EAP_H__
42
43#include "vmbuf.h"
44#include <CoreFoundation/CoreFoundation.h>
45
/*
 *  Challenge lengths (for challenges we send) and other limits.
 */
#define MAX_EAP_RESPONSE_LENGTH	1024	/* Max len for the EAP data part */
#define MAX_NAME_LENGTH		256	/* size of eap_state_t.peer_identity; any copy into it must be bounded by this, terminator included */

/* Code + ID + length.  Use this, not sizeof(struct EAP_Packet), for header
 * arithmetic: that struct carries a one-byte data[] placeholder, so its
 * sizeof is 5. */
#define EAP_HEADERLEN		4
54
/*
 * EAP codes.
 *
 * EAP method types: in Request/Response packets the type is the first byte
 * of EAP_Packet.data (RFC 3748).  Values follow the IANA EAP method type
 * registry; EAP_TYPE_NONE (0) is a local "no type" marker, not a wire value.
 */

/* support for request types 1..4 is mandatory */
#define EAP_TYPE_NONE       0	/* No EAP type */
#define EAP_TYPE_IDENTITY	1	/* request for identity */
#define EAP_TYPE_NOTIFICATION	2	/* notification message */
#define EAP_TYPE_NAK		3	/* nak (response only) */
#define EAP_TYPE_MD5CHALLENGE	4	/* password MD5 coded */

#define EAP_TYPE_OTP		5	/* One Time Password (OTP) */
#define EAP_TYPE_TOKEN		6	/* Generic Token Card */

#define EAP_TYPE_RSA		9	/* RSA Public Key Authentication */
#define EAP_TYPE_DSS		10	/* DSS Unilateral */
#define EAP_TYPE_KEA		11	/* KEA */
#define EAP_TYPE_KEA_VALIDATE	12	/* KEA-VALIDATE */
#define EAP_TYPE_TLS		13	/* EAP-TLS */
#define EAP_TYPE_AXENT		14	/* Defender Token (AXENT) */
#define EAP_TYPE_RSA_SECURID	15	/* RSA Security SecurID EAP */
#define EAP_TYPE_ARCOT		16	/* Arcot Systems EAP */
#define EAP_TYPE_CISCO		17	/* EAP-Cisco Wireless */
#define EAP_TYPE_SIM		18	/* EAP-SIM */
#define EAP_TYPE_SRP_SHA1_1	19	/* SRP-SHA1 Part 1 */
#define EAP_TYPE_SRP_SHA1_2	20	/* SRP-SHA1 Part 2 */
#define EAP_TYPE_TTLS		21	/* EAP-TTLS */
#define EAP_TYPE_RAS		22	/* Remote Access Service */
#define EAP_TYPE_AKA		23	/* EAP-AKA */
#define EAP_TYPE_3COM		24	/* EAP-3Com Wireless */
#define EAP_TYPE_PEAP		25	/* PEAP */
#define EAP_TYPE_MS		26	/* MS-EAP-Authentication */
#define EAP_TYPE_MAKE		27	/* Mutual Authentication w/Key Exchange (MAKE) */
#define EAP_TYPE_CRYPTO		28	/* CRYPTOCard */
#define EAP_TYPE_MSCHAP_V2	29	/* EAP-MSCHAP-V2 */
#define EAP_TYPE_DYNAM_ID	30	/* DynamID */
#define EAP_TYPE_ROB		31	/* Rob EAP */
#define EAP_TYPE_SECUR_ID	32	/* SecurID EAP */
#define EAP_TYPE_MS_TLV		33	/* MS-Authentication-TLV  */
#define EAP_TYPE_SENTRINET	34	/* SentriNET */
#define EAP_TYPE_ACTIONTEC	35	/* EAP-Actiontec Wireless */
#define EAP_TYPE_COGENT		36	/* Cogent Systems Biometrics Authentication EAP */
97
/* CFDictionary keys for the per-method option dictionaries of EAP-SIM and
 * EAP-AKA; presumably looked up in the `options` dictionary handed to
 * eap_ext.init() — confirm against the plugins. */
#define kEAPPropertiesTypeEAPSIM        CFSTR("EAPSIMProperties")
#define kEAPPropertiesTypeEAPAKA        CFSTR("EAPAKAProperties")
100
/* Values of EAP_Packet.code (RFC 3748 section 4). */
#define EAP_REQUEST		1	/* authenticator -> peer, carries a type + method data */
#define EAP_RESPONSE		2	/* peer -> authenticator, answers a Request with the same id */
#define EAP_SUCCESS		3	/* header only */
#define EAP_FAILURE    		4	/* header only */
105
106
/*
 * EAP packet header as it appears on the wire (RFC 3748 section 4),
 * packed so the layout has no padding.
 *
 * `len` is the length of the whole packet, header included, in network
 * byte order (convert with ntohs() before use).  `data` is only a one-byte
 * placeholder for the variable-length body, so sizeof(struct EAP_Packet)
 * is 5 while the real header is EAP_HEADERLEN (4) bytes.  Before reading
 * `data` from a received buffer, check that the buffer holds at least
 * EAP_HEADERLEN bytes and that the decoded `len` lies within
 * [EAP_HEADERLEN, buffer length]; the Length field is peer-controlled.
 */
struct EAP_Packet
{
	u_int8_t    code;       	// packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure (EAP_REQUEST .. EAP_FAILURE)
	u_int8_t    id;         	// packet id; a Response echoes the id of the Request it answers
	u_int16_t   len;  		// packet len, header included (network order)
	u_int8_t    data[1];    	// packet data: placeholder for the body (type byte first in Request/Response)
} __attribute__((__packed__));
114
/*
 * Values of EAP_Input.notification: the event the EAP engine delivers to a
 * method module through eap_ext.process().  The per-value descriptions are
 * read off the names — confirm against the engine.
 */
#define EAP_NOTIFICATION_NONE 		0	// no event
#define EAP_NOTIFICATION_START		1	// session starting
#define EAP_NOTIFICATION_RESTART	2	// session restarting
#define EAP_NOTIFICATION_SUCCESS	3	// authentication succeeded
#define EAP_NOTIFICATION_PACKET		4	// EAP_Input.data/data_len carry a received packet
#define EAP_NOTIFICATION_DATA_FROM_UI	5	// EAP_Input.data/data_len carry input collected by the UI
#define EAP_NOTIFICATION_TIMEOUT	6	// a send-with-timeout expired without a reply
122
/*
 * Input handed by the EAP engine to a method module (see eap_ext.init()
 * and eap_ext.process()).  `size` holds the structure size so the layout
 * can grow later.  Ownership of the pointed-to strings and data is not
 * stated here — assume the engine owns them unless the module documents
 * otherwise.
 */
typedef struct EAP_Input {
	u_int16_t 	size; 		// size of the structure (for future extension)
	u_int8_t 	mode;		// 0 for client, 1 for server
	u_int8_t 	initial_id;	// initial EAP ID
	u_int16_t	mtu;		// mtu will determine the maximum packet size to send
	u_int16_t	notification;	// notification the EAP engine sends to the module (EAP_NOTIFICATION_*)
	u_int16_t	data_len;	// len of the data; bound every read of `data` by it
	void	*data;		// data to be consumed depending on the notification
	char 	*identity;	// authenticatee identity
	char 	*username;	// authenticatee user name
	char 	*password;	// authenticatee password (secret: whoever owns the buffer should zeroize it before release)
} EAP_Input_t;
135
/*
 * Values of EAP_Output.action: what the EAP engine must do with the
 * module's output.  The per-value descriptions are read off the names —
 * confirm against the engine.
 */
#define EAP_ACTION_NONE			0	// nothing to do
#define EAP_ACTION_SEND			1	// send EAP_Output.data
#define EAP_ACTION_INVOKE_UI		2	// ask the UI for input (answer presumably returns as EAP_NOTIFICATION_DATA_FROM_UI)
#define EAP_ACTION_ACCESS_GRANTED	3	// authentication succeeded
#define EAP_ACTION_ACCESS_DENIED	4	// authentication failed
#define EAP_ACTION_SEND_WITH_TIMEOUT	5	// send, and report EAP_NOTIFICATION_TIMEOUT if no reply arrives
#define EAP_ACTION_SEND_AND_DONE	6	// send, then the exchange is finished
#define EAP_ACTION_CANCEL		7	// abort the exchange
144
145
/*
 * Output returned by a method module to the EAP engine from
 * eap_ext.process().  Anything the module attaches to `data` is presumably
 * released through eap_ext.free() — confirm in the plugins.
 */
typedef struct EAP_Output {
	u_int16_t 	size; 		// size of the structure (for future extension)
	u_int16_t	action;		// action the EAP engine needs to perform (EAP_ACTION_*)
	u_int16_t	data_len;	// len of the data; the engine must not read or send beyond it
	void	*data;		// data to be consumed depending on the action
	char 	*username;	// authenticatee user name (useful in server mode)
} EAP_Output_t;
153
/*
 * EAP status codes.  Which functions return them is not stated in this
 * header; EAP_ERROR_INVALID_PACKET is presumably what EapInput() yields
 * for a packet that fails validation — confirm in the implementation.
 */
enum {
	EAP_NO_ERROR = 0,
	EAP_ERROR_GENERIC,		// unspecified failure
	EAP_ERROR_INVALID_PACKET	// packet failed validation
};
159
/* attribute information returned upon successful authentication */

/* Values of EAP_Attribute.type. */
#define EAP_ATTRIBUTE_NONE		0
#define EAP_ATTRIBUTE_MPPE_SEND_KEY	1	/* MPPE send key; expected at most MPPE_MAX_KEY_LEN bytes */
#define EAP_ATTRIBUTE_MPPE_RECV_KEY	2	/* MPPE receive key; expected at most MPPE_MAX_KEY_LEN bytes */

/*
 * Attribute exchanged through eap_ext.attribute().  Note the conflict
 * between the `data` pointer and the trailing "data follow" comment: as
 * declared, the value is reached through the pointer, not stored inline
 * after the header — confirm against the plugins before relying on either.
 * The MPPE keys are secret material; zeroize their storage when done.
 */
typedef struct EAP_Attribute {
	u_int16_t	type;		// type of the attribute (EAP_ATTRIBUTE_*)
	u_int16_t	data_len;	// len of the data; bound every read of `data` by it
	void	*data;		// data to be consumed depending on the type
	/* data follow according to the size */
} __attribute__((__packed__)) EAP_Attribute_t;
172
/*
 * Extension structure for eap types.
 */

#define EAP_EXT_CLIENT		0x1	// support client mode (bit in eap_ext.flags)
178
/*
 * Descriptor registered by an EAP method plugin via EapExtAdd().  The
 * `next` link suggests the engine chains these into a list and selects one
 * by `type` — confirm in the implementation.  `context` is an opaque
 * per-session handle created by init() and released by dispose().  Each
 * callback returns an int status; the convention (likely the EAP_* enum
 * above) is not stated here.
 */
typedef struct eap_ext {
    struct eap_ext 	*next;		// next extension structure
    u_int8_t 		type;		// eap type (EAP_TYPE_*)
    char 		*name;		// extension name
    u_int32_t 		flags;		// support flags (EAP_EXT_*)
    void		*plugin;	// used to keep ref of the plugin
    // Create a per-session context in *context from the input and the option dictionary.
    int (*init) (EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
    //int (*reinit) (void *context);
    // Release a context created by init().
    int (*dispose) (void *context);
    // Handle one notification (eap_in) and fill eap_out with the action to take.
    int (*process) (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
    // Release whatever process() attached to eap_out.
    int (*free) (void *context, EAP_Output_t *eap_out);
    // Report an attribute (e.g. MPPE keys) after successful authentication.
    int (*attribute) (void *context, EAP_Attribute_t *eap_attr);
    // Write the identity to use into `identity`; maxlen is the buffer size, so
    // the callee must not write past it and should NUL-terminate within it.
    int (*identity) (char *identity, int maxlen);

} eap_ext_t;
194
/*
 * Per-connection EAP state.  Only the client (peer) side is represented;
 * `clientstate` takes the EAPCS_* values below.  `password`, `send_key`
 * and `recv_key` hold secret material and should be zeroized before their
 * storage is freed.  Ownership of the pointer members is not stated here.
 */
typedef struct eap_state {
    int clientstate;		/* Client state (EAPCS_*) */

    char *our_identity;		/* Our identity name */
    char *username;		/* the user name (only for client mode) */
    char *password;		/* the password (only for client mode); secret */
    char peer_identity[MAX_NAME_LENGTH];	/* peer name discovered with identity request; fixed buffer, so copies must be bounded to leave room for the terminator */

    u_char req_id;		/* ID of last challenge */
    u_char resp_id;		/* ID of last response */
    u_char req_type;		/* last request type  */
	vchar_t *rcvd_msg;		/* received message (per the name) */
    vchar_t *send_key;		/* presumably the MPPE send key (EAP_ATTRIBUTE_MPPE_SEND_KEY); secret */
    vchar_t *recv_key;		/* presumably the MPPE receive key (EAP_ATTRIBUTE_MPPE_RECV_KEY); secret */

    eap_ext_t *client_ext;	/* client eap extension */
    void *client_ext_ctx;	/* client eap extension context (from client_ext->init) */
    EAP_Input_t *client_ext_input;	/* client eap extension input structure */
    EAP_Output_t *client_ext_output;	/* client eap extension output structure */

    struct etypes *supported_eap_types;	/* opaque here: struct etypes is not declared in this header */
    CFDictionaryRef extra_options;	/* presumably the options handed to the extension's init() — confirm */
} eap_state_t;
218
#define MPPE_MAX_KEY_LEN        16      /* largest key length (128-bit) */

/* Register a method plugin descriptor with the engine.  Given the `next`
 * link in eap_ext, the engine presumably keeps the pointer rather than a
 * copy, so `newext` must outlive the registration.  Returns an int status
 * (convention not stated here). */
int EapExtAdd(eap_ext_t *newext);
222
/*
 * Client (peer) states: values of eap_state_t.clientstate.
 */
#define EAPCS_INITIAL		0	/* Lower layer down, not opened */
#define EAPCS_CLOSED		1	/* Lower layer up, not opened */
#define EAPCS_PENDING		2	/* Auth us to peer when lower up */
#define EAPCS_LISTEN		3	/* Listening for a challenge */
#define EAPCS_OPEN		4	/* We've received Success */
231
/* Authenticate ourselves to the peer (client mode).  The two vchar_t
 * parameters are unnamed in this prototype; check the definition for what
 * they carry.  Returns an int status. */
int EapAuthWithPeer (eap_state_t *, vchar_t *, vchar_t *);
/* Per the name, called when the lower layer is lost / authentication fails. */
void EapLostFailure (eap_state_t *state);

/* Load the EAP method plugins into the state (presumably fills
 * supported_eap_types / client_ext — confirm in the implementation). */
int EAPLoad(eap_state_t *cstate);

/* Initialise an eap_state_t before first use. */
void EapInit(eap_state_t *cstate);

/* Begin the client state machine.  The second (unnamed) int parameter's
 * meaning is not given in this header. */
void EapStart(eap_state_t *cstate, int);

/* Stop the client state machine. */
void EapStop(eap_state_t *cstate);

/* Feed a received EAP packet of packet_len bytes to the state machine.
 * packet_len is the trusted bound: the implementation must check it
 * against EAP_HEADERLEN and against the packet's own length field before
 * reading the body, since that field is peer-controlled. */
int EapInput(eap_state_t *cstate, u_char *inpacket, int packet_len);
244
245#endif
246