1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
|
/*
* eap.h - Extensible Authentication Protocol for PPP (RFC 2284)
*
* Copyright (c) 2001 by Sun Microsystems, Inc.
* All rights reserved.
*
* Non-exclusive rights to redistribute, modify, translate, and use
* this software in source and binary forms, in whole or in part, is
* hereby granted, provided that the above copyright notice is
* duplicated in any source form, and that neither the name of the
* copyright holder nor the author is used to endorse or promote
* products derived from this software.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* Original version by James Carlson
*
* $Id: eap.h,v 1.2 2003/06/11 23:56:26 paulus Exp $
*/
#include "pppdconf.h"
#ifndef PPP_EAP_H
#define PPP_EAP_H
#ifdef __cplusplus
extern "C" {
#endif
/*
* Packet header = Code, id, length.
*/
#define EAP_HEADERLEN 4
/* EAP message codes. */
#define EAP_REQUEST 1
#define EAP_RESPONSE 2
#define EAP_SUCCESS 3
#define EAP_FAILURE 4
/* EAP types */
#define EAPT_IDENTITY 1
#define EAPT_NOTIFICATION 2
#define EAPT_NAK 3 /* (response only) */
#define EAPT_MD5CHAP 4
#define EAPT_OTP 5 /* One-Time Password; RFC 1938 */
#define EAPT_TOKEN 6 /* Generic Token Card */
/* 7 and 8 are unassigned. */
#define EAPT_RSA 9 /* RSA Public Key Authentication */
#define EAPT_DSS 10 /* DSS Unilateral */
#define EAPT_KEA 11 /* KEA */
#define EAPT_KEA_VALIDATE 12 /* KEA-VALIDATE */
#define EAPT_TLS 13 /* EAP-TLS */
#define EAPT_DEFENDER 14 /* Defender Token (AXENT) */
#define EAPT_W2K 15 /* Windows 2000 EAP */
#define EAPT_ARCOT 16 /* Arcot Systems */
#define EAPT_CISCOWIRELESS 17 /* Cisco Wireless */
#define EAPT_NOKIACARD 18 /* Nokia IP smart card */
#define EAPT_SRP 19 /* Secure Remote Password */
/* 20 is deprecated */
#define EAPT_TTLS 21 /* EAP Tunneled TLS Authentication Protocol RFC5281 */
#define EAPT_RAS 22 /* Remote Access Service */
#define EAPT_AKA 23 /* EAP method for 3rd Generation Authentication and Key Agreement RFC4187 */
#define EAPT_3COM 24 /* EAP-3Com Wireless */
#define EAPT_PEAP 25 /* Protected EAP */
#define EAPT_MSCHAPV2 26 /* EAP-MSCHAPv2 RFC-draft-kamath-pppext-eap-mschapv2-02 */
/* OpCodes for MSCHAPv2 */
#define CHAP_CHALLENGE 1
#define CHAP_RESPONSE 2
#define CHAP_SUCCESS 3
#define CHAP_FAILURE 4
/* EAP SRP-SHA1 Subtypes */
#define EAPSRP_CHALLENGE 1 /* Request 1 - Challenge */
#define EAPSRP_CKEY 1 /* Response 1 - Client Key */
#define EAPSRP_SKEY 2 /* Request 2 - Server Key */
#define EAPSRP_CVALIDATOR 2 /* Response 2 - Client Validator */
#define EAPSRP_SVALIDATOR 3 /* Request 3 - Server Validator */
#define EAPSRP_ACK 3 /* Response 3 - final ack */
#define EAPSRP_LWRECHALLENGE 4 /* Req/resp 4 - Lightweight rechal */
#define SRPVAL_EBIT 0x00000001 /* Use shared key for ECP */
#define SRP_PSEUDO_ID "pseudo_"
#define SRP_PSEUDO_LEN 7
#define MD5_SIGNATURE_SIZE 16
#define MIN_CHALLENGE_LENGTH 16
#define MAX_CHALLENGE_LENGTH 24
enum eap_state_code {
eapInitial = 0, /* No EAP authentication yet requested */
eapPending, /* Waiting for LCP (no timer) */
eapClosed, /* Authentication not in use */
eapListen, /* Client ready (and timer running) */
eapIdentify, /* EAP Identify sent */
eapTlsStart, /* Send EAP-TLS start packet */
eapTlsRecv, /* Receive EAP-TLS tls data */
eapTlsSendAck, /* Send EAP-TLS ack */
eapTlsSend, /* Send EAP-TLS tls data */
eapTlsRecvAck, /* Receive EAP-TLS ack */
eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/
eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/
eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */
eapTlsRecvSuccess, /* Receive EAP success */
eapTlsRecvFailure, /* Receive EAP failure */
eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */
eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */
eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */
eapMD5Chall, /* Sent MD5-Challenge */
eapMSCHAPv2Chall, /* Sent MSCHAPv2-Challenge */
eapOpen, /* Completed authentication */
eapSRP4, /* Sent EAP SRP-SHA1 Subtype 4 */
eapBadAuth /* Failed authentication */
};
#define EAP_STATES \
"Initial", "Pending", "Closed", "Listen", "Identify", \
"TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\
"TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
"SRP1", "SRP2", "SRP3", "MD5Chall", "MSCHAPv2Chall", "Open", "SRP4", "BadAuth"
#ifdef USE_EAPTLS
#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
(esp)->es_client.ea_state != eapPending &&\
(esp)->es_client.ea_state != eapClosed)
#else
#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
#endif /* USE_EAPTLS */
#define eap_server_active(esp) \
((esp)->es_server.ea_state >= eapIdentify && \
(esp)->es_server.ea_state <= eapMD5Chall)
struct eap_auth {
char *ea_name; /* Our name */
char *ea_peer; /* Peer's name */
void *ea_session; /* Authentication library linkage */
u_char *ea_skey; /* Shared encryption key */
int ea_timeout; /* Time to wait (for retransmit/fail) */
int ea_maxrequests; /* Max Requests allowed */
u_short ea_namelen; /* Length of our name */
u_short ea_peerlen; /* Length of peer's name */
enum eap_state_code ea_state;
#ifdef USE_EAPTLS
enum eap_state_code ea_prev_state;
#endif
#ifdef CHAPMS
struct chap_digest_type *digest;
#endif
u_char ea_id; /* Current id */
u_char ea_requests; /* Number of Requests sent/received */
u_char ea_responses; /* Number of Responses */
u_char ea_type; /* One of EAPT_* */
u_int32_t ea_keyflags; /* SRP shared key usage flags */
#ifdef USE_EAPTLS
bool ea_using_eaptls;
#endif
};
/*
* Complete EAP state for one PPP session.
*/
typedef struct eap_state {
int es_unit; /* Interface unit number */
struct eap_auth es_client; /* Client (authenticatee) data */
struct eap_auth es_server; /* Server (authenticator) data */
#ifdef USE_PEAP
struct peap_state *ea_peap; /* Client PEAP (authenticator) data */
#endif
int es_savedtime; /* Saved timeout */
int es_rechallenge; /* EAP rechallenge interval */
int es_lwrechallenge; /* SRP lightweight rechallenge inter */
bool es_usepseudo; /* Use SRP Pseudonym if offered one */
int es_usedpseudo; /* Set if we already sent PN */
int es_challen; /* Length of challenge string */
u_char es_challenge[MAX_CHALLENGE_LENGTH];
} eap_state;
/*
* Timeouts.
*/
#define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
#ifdef USE_EAPTLS
#define EAP_DEFTRANSMITS 30 /* max # times to transmit */
/* certificates can be long ... */
#else
#define EAP_DEFTRANSMITS 10 /* max # times to transmit */
#endif /* USE_EAPTLS */
#define EAP_DEFREQTIME 20 /* Time to wait for peer request */
#define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
extern eap_state eap_states[];
void eap_authwithpeer (int unit, char *localname);
void eap_authpeer (int unit, char *localname);
extern struct protent eap_protent;
#ifdef __cplusplus
}
#endif
#endif /* PPP_EAP_H */
|