[apple/ipsec.git] / ipsec-tools / racoon / eap.h

/*
 * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
/*
 * eap.h - Extensible Authentication Protocol definitions.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that the above copyright notice and this paragraph are
 * duplicated in all such forms and that any documentation,
 * advertising materials, and other materials related to such
 * distribution and use acknowledge that the software was developed
 * by the author.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
 * $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $
 */

#ifndef __EAP_H__
#define __EAP_H__

#include "vmbuf.h"
#include <CoreFoundation/CoreFoundation.h>

/*
 *  Challenge lengths (for challenges we send) and other limits.
 */
#define MAX_EAP_RESPONSE_LENGTH	1024	/* Max len for the EAP data part */
#define MAX_NAME_LENGTH		256

/* Code + ID + length */
#define EAP_HEADERLEN		4

/*
 * EAP codes.
 */

/* support for request types 1..4 is mandatory */
#define EAP_TYPE_NONE       0	/* No EAP type */
#define EAP_TYPE_IDENTITY	1	/* request for identity */
#define EAP_TYPE_NOTIFICATION	2	/* notification message */
#define EAP_TYPE_NAK		3	/* nak (response only) */
#define EAP_TYPE_MD5CHALLENGE	4	/* password MD5 coded */

#define EAP_TYPE_OTP		5	/* One Time Password (OTP) */
#define EAP_TYPE_TOKEN		6	/* Generic Token Card */

#define EAP_TYPE_RSA		9	/* RSA Public Key Authentication */
#define EAP_TYPE_DSS		10	/* DSS Unilateral */
#define EAP_TYPE_KEA		11	/* KEA */
#define EAP_TYPE_KEA_VALIDATE	12	/* KEA-VALIDATE */
#define EAP_TYPE_TLS		13	/* EAP-TLS */
#define EAP_TYPE_AXENT		14	/* Defender Token (AXENT) */
#define EAP_TYPE_RSA_SECURID	15	/* RSA Security SecurID EAP */
#define EAP_TYPE_ARCOT		16	/* Arcot Systems EAP */
#define EAP_TYPE_CISCO		17	/* EAP-Cisco Wireless */
#define EAP_TYPE_SIM		18	/* EAP-SIM */
#define EAP_TYPE_SRP_SHA1_1	19	/* SRP-SHA1 Part 1 */
#define EAP_TYPE_SRP_SHA1_2	20	/* SRP-SHA1 Part 2 */
#define EAP_TYPE_TTLS		21	/* EAP-TTLS */
#define EAP_TYPE_RAS		22	/* Remote Access Service */
#define EAP_TYPE_AKA		23	/* EAP-AKA */
#define EAP_TYPE_3COM		24	/* EAP-3Com Wireless */
#define EAP_TYPE_PEAP		25	/* PEAP */
#define EAP_TYPE_MS		26	/* MS-EAP-Authentication */
#define EAP_TYPE_MAKE		27	/* Mutual Authentication w/Key Exchange (MAKE) */
#define EAP_TYPE_CRYPTO		28	/* CRYPTOCard */
#define EAP_TYPE_MSCHAP_V2	29	/* EAP-MSCHAP-V2 */
#define EAP_TYPE_DYNAM_ID	30	/* DynamID */
#define EAP_TYPE_ROB		31	/* Rob EAP */
#define EAP_TYPE_SECUR_ID	32	/* SecurID EAP */
#define EAP_TYPE_MS_TLV		33	/* MS-Authentication-TLV  */
#define EAP_TYPE_SENTRINET	34	/* SentriNET */
#define EAP_TYPE_ACTIONTEC	35	/* EAP-Actiontec Wireless */
#define EAP_TYPE_COGENT		36	/* Cogent Systems Biometrics Authentication EAP */

#define kEAPPropertiesTypeEAPSIM        CFSTR("EAPSIMProperties")
#define kEAPPropertiesTypeEAPAKA        CFSTR("EAPAKAProperties")

#define EAP_REQUEST		1
#define EAP_RESPONSE		2
#define EAP_SUCCESS		3
#define EAP_FAILURE    		4


struct EAP_Packet
{
	u_int8_t    code;       	// packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure
	u_int8_t    id;         	// packet id
	u_int16_t   len;  		// packet len (network order)
	u_int8_t    data[1];    	// packet data
} __attribute__((__packed__));

#define EAP_NOTIFICATION_NONE 		0
#define EAP_NOTIFICATION_START		1
#define EAP_NOTIFICATION_RESTART	2
#define EAP_NOTIFICATION_SUCCESS	3
#define EAP_NOTIFICATION_PACKET		4
#define EAP_NOTIFICATION_DATA_FROM_UI	5
#define EAP_NOTIFICATION_TIMEOUT	6

typedef struct EAP_Input {
	u_int16_t 	size; 		// size of the structure (for future extension)
	u_int8_t 	mode;		// 0 for client, 1 for server
	u_int8_t 	initial_id;	// initial EAP ID
	u_int16_t	mtu;		// mtu wll determine the maximum packet size to send
	u_int16_t	notification;	// notification the EAP engine sends to the module
	u_int16_t	data_len;	// len of the data
	void	*data;		// data to be consumed depending on the notification
	char 	*identity;	// authenticatee identity
	char 	*username;	// authenticatee user name
	char 	*password;	// authenticatee password
} EAP_Input_t;

#define EAP_ACTION_NONE			0
#define EAP_ACTION_SEND			1
#define EAP_ACTION_INVOKE_UI		2
#define EAP_ACTION_ACCESS_GRANTED	3
#define EAP_ACTION_ACCESS_DENIED	4
#define EAP_ACTION_SEND_WITH_TIMEOUT	5
#define EAP_ACTION_SEND_AND_DONE	6
#define EAP_ACTION_CANCEL		7


typedef struct EAP_Output {
	u_int16_t 	size; 		// size of the structure (for future extension)
	u_int16_t	action;		// action the EAP engine needs to perform
	u_int16_t	data_len;	// len of the data
	void	*data;		// data to be consumed depending on the action
	char 	*username;	// authenticatee user name (useful in server mode)
} EAP_Output_t;

enum {
	EAP_NO_ERROR = 0,
	EAP_ERROR_GENERIC,
	EAP_ERROR_INVALID_PACKET
};

/* attribute information returned upon successful authentication */

#define EAP_ATTRIBUTE_NONE		0
#define EAP_ATTRIBUTE_MPPE_SEND_KEY	1
#define EAP_ATTRIBUTE_MPPE_RECV_KEY	2

typedef struct EAP_Attribute {
	u_int16_t	type;		// type of the attribute
	u_int16_t	data_len;	// len of the data
	void	*data;		// data to be consumed depending on the type
	/* data follow according to the size */
} __attribute__((__packed__)) EAP_Attribute_t;

/*
 * Extension structure for eap types.
 */

#define EAP_EXT_CLIENT		0x1	// support client mode  

typedef struct eap_ext {
    struct eap_ext 	*next;		// next extensiopn structure
    u_int8_t 		type;		// eap type
    char 		*name;		// extension name
    u_int32_t 		flags;		// support flags
    void		*plugin;	// used to keep ref of the plugin
    int (*init) (EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
    //int (*reinit) (void *context);
    int (*dispose) (void *context);
    int (*process) (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
    int (*free) (void *context, EAP_Output_t *eap_out);
    int (*attribute) (void *context, EAP_Attribute_t *eap_attr);
    int (*identity) (char *identity, int maxlen);
	
} eap_ext_t;

typedef struct eap_state {
    int clientstate;		/* Client state */
	
    char *our_identity;		/* Our identity name */
    char *username;		/* the user name (only for client mode) */
    char *password;		/* the password (only for client mode) */
    char peer_identity[MAX_NAME_LENGTH];	/* peer name discovered with identity request */
	
    u_char req_id;		/* ID of last challenge */
    u_char resp_id;		/* ID of last response */
    u_char req_type;		/* last request type  */
	vchar_t *rcvd_msg;
    vchar_t *send_key;
    vchar_t *recv_key;
    
    eap_ext_t *client_ext;	/* client eap extension */
    void *client_ext_ctx;	/* client eap extension context */
    EAP_Input_t *client_ext_input;	/* client eap extension input structure */
    EAP_Output_t *client_ext_output;	/* client eap extension output structure */
    
    struct etypes *supported_eap_types;
    CFDictionaryRef extra_options;
} eap_state_t;

#define MPPE_MAX_KEY_LEN        16      /* largest key length (128-bit) */

int EapExtAdd(eap_ext_t *newext);

/*
 * Client (peer) states.
 */
#define EAPCS_INITIAL		0	/* Lower layer down, not opened */
#define EAPCS_CLOSED		1	/* Lower layer up, not opened */
#define EAPCS_PENDING		2	/* Auth us to peer when lower up */
#define EAPCS_LISTEN		3	/* Listening for a challenge */
#define EAPCS_OPEN		4	/* We've received Success */

int EapAuthWithPeer (eap_state_t *, vchar_t *, vchar_t *);
void EapLostFailure (eap_state_t *state);

int EAPLoad(eap_state_t *cstate);

void EapInit(eap_state_t *cstate);

void EapStart(eap_state_t *cstate, int);

void EapStop(eap_state_t *cstate);

int EapInput(eap_state_t *cstate, u_char *inpacket, int packet_len);

#endif
Commit	Line	Data
65c25746 A	1	/*
	2	* Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23	/*
	24	* eap.h - Extensible Authentication Protocol definitions.
	25	*
	26	* Redistribution and use in source and binary forms are permitted
	27	* provided that the above copyright notice and this paragraph are
	28	* duplicated in all such forms and that any documentation,
	29	* advertising materials, and other materials related to such
	30	* distribution and use acknowledge that the software was developed
	31	* by the author.
	32	*
	33	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
	34	* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
	35	* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
	36	*
	37	* $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $
	38	*/
	39
	40	#ifndef __EAP_H__
	41	#define __EAP_H__
	42
	43	#include "vmbuf.h"
	44	#include <CoreFoundation/CoreFoundation.h>
	45
	46	/*
	47	* Challenge lengths (for challenges we send) and other limits.
	48	*/
	49	#define MAX_EAP_RESPONSE_LENGTH 1024 /* Max len for the EAP data part */
	50	#define MAX_NAME_LENGTH 256
	51
	52	/* Code + ID + length */
	53	#define EAP_HEADERLEN 4
	54
	55	/*
	56	* EAP codes.
	57	*/
	58
	59	/* support for request types 1..4 is mandatory */
	60	#define EAP_TYPE_NONE 0 /* No EAP type */
	61	#define EAP_TYPE_IDENTITY 1 /* request for identity */
	62	#define EAP_TYPE_NOTIFICATION 2 /* notification message */
	63	#define EAP_TYPE_NAK 3 /* nak (response only) */
	64	#define EAP_TYPE_MD5CHALLENGE 4 /* password MD5 coded */
65
66	#define EAP_TYPE_OTP 5 /* One Time Password (OTP) */
67	#define EAP_TYPE_TOKEN 6 /* Generic Token Card */
68
69	#define EAP_TYPE_RSA 9 /* RSA Public Key Authentication */
70	#define EAP_TYPE_DSS 10 /* DSS Unilateral */
71	#define EAP_TYPE_KEA 11 /* KEA */
72	#define EAP_TYPE_KEA_VALIDATE 12 /* KEA-VALIDATE */
73	#define EAP_TYPE_TLS 13 /* EAP-TLS */
74	#define EAP_TYPE_AXENT 14 /* Defender Token (AXENT) */
75	#define EAP_TYPE_RSA_SECURID 15 /* RSA Security SecurID EAP */
76	#define EAP_TYPE_ARCOT 16 /* Arcot Systems EAP */
77	#define EAP_TYPE_CISCO 17 /* EAP-Cisco Wireless */
78	#define EAP_TYPE_SIM 18 /* EAP-SIM */
79	#define EAP_TYPE_SRP_SHA1_1 19 /* SRP-SHA1 Part 1 */
80	#define EAP_TYPE_SRP_SHA1_2 20 /* SRP-SHA1 Part 2 */
81	#define EAP_TYPE_TTLS 21 /* EAP-TTLS */
82	#define EAP_TYPE_RAS 22 /* Remote Access Service */
83	#define EAP_TYPE_AKA 23 /* EAP-AKA */
84	#define EAP_TYPE_3COM 24 /* EAP-3Com Wireless */
85	#define EAP_TYPE_PEAP 25 /* PEAP */
86	#define EAP_TYPE_MS 26 /* MS-EAP-Authentication */
87	#define EAP_TYPE_MAKE 27 /* Mutual Authentication w/Key Exchange (MAKE) */
88	#define EAP_TYPE_CRYPTO 28 /* CRYPTOCard */
89	#define EAP_TYPE_MSCHAP_V2 29 /* EAP-MSCHAP-V2 */
90	#define EAP_TYPE_DYNAM_ID 30 /* DynamID */
91	#define EAP_TYPE_ROB 31 /* Rob EAP */
92	#define EAP_TYPE_SECUR_ID 32 /* SecurID EAP */
93	#define EAP_TYPE_MS_TLV 33 /* MS-Authentication-TLV */
94	#define EAP_TYPE_SENTRINET 34 /* SentriNET */
95	#define EAP_TYPE_ACTIONTEC 35 /* EAP-Actiontec Wireless */
96	#define EAP_TYPE_COGENT 36 /* Cogent Systems Biometrics Authentication EAP */
97
98	#define kEAPPropertiesTypeEAPSIM CFSTR("EAPSIMProperties")
99	#define kEAPPropertiesTypeEAPAKA CFSTR("EAPAKAProperties")
100
101	#define EAP_REQUEST 1
102	#define EAP_RESPONSE 2
103	#define EAP_SUCCESS 3
104	#define EAP_FAILURE 4
105
106
107	struct EAP_Packet
108	{
109	u_int8_t code; // packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure
110	u_int8_t id; // packet id
111	u_int16_t len; // packet len (network order)
112	u_int8_t data[1]; // packet data
113	} __attribute__((__packed__));
114
115	#define EAP_NOTIFICATION_NONE 0
116	#define EAP_NOTIFICATION_START 1
117	#define EAP_NOTIFICATION_RESTART 2
118	#define EAP_NOTIFICATION_SUCCESS 3
119	#define EAP_NOTIFICATION_PACKET 4
120	#define EAP_NOTIFICATION_DATA_FROM_UI 5
121	#define EAP_NOTIFICATION_TIMEOUT 6
122
123	typedef struct EAP_Input {
124	u_int16_t size; // size of the structure (for future extension)
125	u_int8_t mode; // 0 for client, 1 for server
126	u_int8_t initial_id; // initial EAP ID
127	u_int16_t mtu; // mtu wll determine the maximum packet size to send
128	u_int16_t notification; // notification the EAP engine sends to the module
129	u_int16_t data_len; // len of the data
130	void *data; // data to be consumed depending on the notification
131	char *identity; // authenticatee identity
132	char *username; // authenticatee user name
133	char *password; // authenticatee password
134	} EAP_Input_t;
135
136	#define EAP_ACTION_NONE 0
137	#define EAP_ACTION_SEND 1
138	#define EAP_ACTION_INVOKE_UI 2
139	#define EAP_ACTION_ACCESS_GRANTED 3
140	#define EAP_ACTION_ACCESS_DENIED 4
141	#define EAP_ACTION_SEND_WITH_TIMEOUT 5
142	#define EAP_ACTION_SEND_AND_DONE 6
143	#define EAP_ACTION_CANCEL 7
144
145
146	typedef struct EAP_Output {
147	u_int16_t size; // size of the structure (for future extension)
148	u_int16_t action; // action the EAP engine needs to perform
149	u_int16_t data_len; // len of the data
150	void *data; // data to be consumed depending on the action
151	char *username; // authenticatee user name (useful in server mode)
152	} EAP_Output_t;
153
154	enum {
155	EAP_NO_ERROR = 0,
156	EAP_ERROR_GENERIC,
157	EAP_ERROR_INVALID_PACKET
158	};
159
160	/* attribute information returned upon successful authentication */
161
162	#define EAP_ATTRIBUTE_NONE 0
163	#define EAP_ATTRIBUTE_MPPE_SEND_KEY 1
164	#define EAP_ATTRIBUTE_MPPE_RECV_KEY 2
165
166	typedef struct EAP_Attribute {
167	u_int16_t type; // type of the attribute
168	u_int16_t data_len; // len of the data
169	void *data; // data to be consumed depending on the type
170	/* data follow according to the size */
171	} __attribute__((__packed__)) EAP_Attribute_t;
172
173	/*
174	* Extension structure for eap types.
175	*/
176
177	#define EAP_EXT_CLIENT 0x1 // support client mode
178
179	typedef struct eap_ext {
180	struct eap_ext *next; // next extensiopn structure
181	u_int8_t type; // eap type
182	char *name; // extension name
183	u_int32_t flags; // support flags
184	void *plugin; // used to keep ref of the plugin
185	int (init) (EAP_Input_t eap_in, void **context, CFDictionaryRef options);
186	//int (reinit) (void context);
187	int (dispose) (void context);
188	int (process) (void context, EAP_Input_t eap_in, EAP_Output_t eap_out);
189	int (free) (void context, EAP_Output_t *eap_out);
190	int (attribute) (void context, EAP_Attribute_t *eap_attr);
191	int (identity) (char identity, int maxlen);
192
193	} eap_ext_t;
194
195	typedef struct eap_state {
196	int clientstate; /* Client state */
197
198	char our_identity; / Our identity name */
199	char username; / the user name (only for client mode) */
200	char password; / the password (only for client mode) */
201	char peer_identity[MAX_NAME_LENGTH]; /* peer name discovered with identity request */
202
203	u_char req_id; /* ID of last challenge */
204	u_char resp_id; /* ID of last response */
205	u_char req_type; /* last request type */
206	vchar_t *rcvd_msg;
207	vchar_t *send_key;
208	vchar_t *recv_key;
209
210	eap_ext_t client_ext; / client eap extension */
211	void client_ext_ctx; / client eap extension context */
212	EAP_Input_t client_ext_input; / client eap extension input structure */
213	EAP_Output_t client_ext_output; / client eap extension output structure */
214
215	struct etypes *supported_eap_types;
216	CFDictionaryRef extra_options;
217	} eap_state_t;
218
219	#define MPPE_MAX_KEY_LEN 16 /* largest key length (128-bit) */
220
221	int EapExtAdd(eap_ext_t *newext);
222
223	/*
224	* Client (peer) states.
225	*/
226	#define EAPCS_INITIAL 0 /* Lower layer down, not opened */
227	#define EAPCS_CLOSED 1 /* Lower layer up, not opened */
228	#define EAPCS_PENDING 2 /* Auth us to peer when lower up */
229	#define EAPCS_LISTEN 3 /* Listening for a challenge */
230	#define EAPCS_OPEN 4 /* We've received Success */
231
232	int EapAuthWithPeer (eap_state_t , vchar_t , vchar_t *);
233	void EapLostFailure (eap_state_t *state);
234
235	int EAPLoad(eap_state_t *cstate);
236
237	void EapInit(eap_state_t *cstate);
238
239	void EapStart(eap_state_t *cstate, int);
240
241	void EapStop(eap_state_t *cstate);
242
243	int EapInput(eap_state_t cstate, u_char inpacket, int packet_len);
244
245	#endif