1 /*
2  * eap.h - Extensible Authentication Protocol for PPP (RFC 2284)
3  *
4  * Copyright (c) 2001 by Sun Microsystems, Inc.
5  * All rights reserved.
6  *
7  * Non-exclusive rights to redistribute, modify, translate, and use
8  * this software in source and binary forms, in whole or in part, is
9  * hereby granted, provided that the above copyright notice is
10  * duplicated in any source form, and that neither the name of the
11  * copyright holder nor the author is used to endorse or promote
12  * products derived from this software.
13  *
14  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
16  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
17  *
18  * Original version by James Carlson
19  *
20  * $Id: eap.h,v 1.2 2003/06/11 23:56:26 paulus Exp $
21  */
22 
23 #ifndef PPP_EAP_H
24 #define	PPP_EAP_H
25 
26 #ifdef	__cplusplus
27 extern "C" {
28 #endif
29 
30 /*
31  * Packet header = Code, id, length.
32  */
33 #define	EAP_HEADERLEN	4
34 
35 
36 /* EAP message codes. */
37 #define	EAP_REQUEST	1
38 #define	EAP_RESPONSE	2
39 #define	EAP_SUCCESS	3
40 #define	EAP_FAILURE	4
41 
42 /* EAP types */
43 #define	EAPT_IDENTITY		1
44 #define	EAPT_NOTIFICATION	2
45 #define	EAPT_NAK		3	/* (response only) */
46 #define	EAPT_MD5CHAP		4
47 #define	EAPT_OTP		5	/* One-Time Password; RFC 1938 */
48 #define	EAPT_TOKEN		6	/* Generic Token Card */
49 /* 7 and 8 are unassigned. */
50 #define	EAPT_RSA		9	/* RSA Public Key Authentication */
51 #define	EAPT_DSS		10	/* DSS Unilateral */
52 #define	EAPT_KEA		11	/* KEA */
53 #define	EAPT_KEA_VALIDATE	12	/* KEA-VALIDATE	*/
54 #define	EAPT_TLS		13	/* EAP-TLS */
55 #define	EAPT_DEFENDER		14	/* Defender Token (AXENT) */
56 #define	EAPT_W2K		15	/* Windows 2000 EAP */
57 #define	EAPT_ARCOT		16	/* Arcot Systems */
58 #define	EAPT_CISCOWIRELESS	17	/* Cisco Wireless */
59 #define	EAPT_NOKIACARD		18	/* Nokia IP smart card */
60 #define	EAPT_SRP		19	/* Secure Remote Password */
61 /* 20 is deprecated */
62 
63 /* EAP SRP-SHA1 Subtypes */
64 #define	EAPSRP_CHALLENGE	1	/* Request 1 - Challenge */
65 #define	EAPSRP_CKEY		1	/* Response 1 - Client Key */
66 #define	EAPSRP_SKEY		2	/* Request 2 - Server Key */
67 #define	EAPSRP_CVALIDATOR	2	/* Response 2 - Client Validator */
68 #define	EAPSRP_SVALIDATOR	3	/* Request 3 - Server Validator */
69 #define	EAPSRP_ACK		3	/* Response 3 - final ack */
70 #define	EAPSRP_LWRECHALLENGE	4	/* Req/resp 4 - Lightweight rechal */
71 
72 #define	SRPVAL_EBIT	0x00000001	/* Use shared key for ECP */
73 
74 #define	SRP_PSEUDO_ID	"pseudo_"
75 #define	SRP_PSEUDO_LEN	7
76 
77 #define MD5_SIGNATURE_SIZE	16
78 #define MIN_CHALLENGE_LENGTH	16
79 #define MAX_CHALLENGE_LENGTH	24
80 
81 enum eap_state_code {
82 	eapInitial = 0,	/* No EAP authentication yet requested */
83 	eapPending,	/* Waiting for LCP (no timer) */
84 	eapClosed,	/* Authentication not in use */
85 	eapListen,	/* Client ready (and timer running) */
86 	eapIdentify,	/* EAP Identify sent */
87 	eapSRP1,	/* Sent EAP SRP-SHA1 Subtype 1 */
88 	eapSRP2,	/* Sent EAP SRP-SHA1 Subtype 2 */
89 	eapSRP3,	/* Sent EAP SRP-SHA1 Subtype 3 */
90 	eapMD5Chall,	/* Sent MD5-Challenge */
91 	eapOpen,	/* Completed authentication */
92 	eapSRP4,	/* Sent EAP SRP-SHA1 Subtype 4 */
93 	eapBadAuth	/* Failed authentication */
94 };
95 
96 #define	EAP_STATES	\
97 	"Initial", "Pending", "Closed", "Listen", "Identify", \
98 	"SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
99 
100 #define	eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
101 #define	eap_server_active(esp)	\
102 	((esp)->es_server.ea_state >= eapIdentify && \
103 	 (esp)->es_server.ea_state <= eapMD5Chall)
104 
105 struct eap_auth {
106 	char *ea_name;		/* Our name */
107 	char *ea_peer;		/* Peer's name */
108 	void *ea_session;	/* Authentication library linkage */
109 	u_char *ea_skey;	/* Shared encryption key */
110 	int ea_timeout;		/* Time to wait (for retransmit/fail) */
111 	int ea_maxrequests;	/* Max Requests allowed */
112 	u_short ea_namelen;	/* Length of our name */
113 	u_short ea_peerlen;	/* Length of peer's name */
114 	enum eap_state_code ea_state;
115 	u_char ea_id;		/* Current id */
116 	u_char ea_requests;	/* Number of Requests sent/received */
117 	u_char ea_responses;	/* Number of Responses */
118 	u_char ea_type;		/* One of EAPT_* */
119 	u_int32_t ea_keyflags;	/* SRP shared key usage flags */
120 };
121 
122 /*
123  * Complete EAP state for one PPP session.
124  */
125 typedef struct eap_state {
126 	int es_unit;			/* Interface unit number */
127 	struct eap_auth es_client;	/* Client (authenticatee) data */
128 	struct eap_auth es_server;	/* Server (authenticator) data */
129 	int es_savedtime;		/* Saved timeout */
130 	int es_rechallenge;		/* EAP rechallenge interval */
131 	int es_lwrechallenge;		/* SRP lightweight rechallenge inter */
132 	bool es_usepseudo;		/* Use SRP Pseudonym if offered one */
133 	int es_usedpseudo;		/* Set if we already sent PN */
134 	int es_challen;			/* Length of challenge string */
135 	u_char es_challenge[MAX_CHALLENGE_LENGTH];
136 } eap_state;
137 
138 /*
139  * Timeouts.
140  */
141 #define	EAP_DEFTIMEOUT		3	/* Timeout (seconds) for rexmit */
142 #define	EAP_DEFTRANSMITS	10	/* max # times to transmit */
143 #define	EAP_DEFREQTIME		20	/* Time to wait for peer request */
144 #define	EAP_DEFALLOWREQ		20	/* max # times to accept requests */
145 
146 extern eap_state eap_states[];
147 
148 void eap_authwithpeer __P((int unit, char *localname));
149 void eap_authpeer __P((int unit, char *localname));
150 
151 extern struct protent eap_protent;
152 
153 #ifdef	__cplusplus
154 }
155 #endif
156 
157 #endif /* PPP_EAP_H */
158 
159