]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/eap.h
projects / apple / ipsec.git / blob
? search:


eff068ad3dd4f94f8466bf9fb2ec35ba8cb3f097
[apple/ipsec.git] / ipsec-tools / racoon / eap.h
1 /*
2 * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 /*
24 * eap.h - Extensible Authentication Protocol definitions.
25 *
26 * Redistribution and use in source and binary forms are permitted
27 * provided that the above copyright notice and this paragraph are
28 * duplicated in all such forms and that any documentation,
29 * advertising materials, and other materials related to such
30 * distribution and use acknowledge that the software was developed
31 * by the author.
32 *
33 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
34 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
35 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
36 *
37 * $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $
38 */
39
40 #ifndef __EAP_H__
41 #define __EAP_H__
42
43 #include "vmbuf.h"
44 #include <CoreFoundation/CoreFoundation.h>
45
46 /*
47 * Challenge lengths (for challenges we send) and other limits.
48 */
49 #define MAX_EAP_RESPONSE_LENGTH 1024 /* Max len for the EAP data part */
50 #define MAX_NAME_LENGTH 256
51
52 /* Code + ID + length */
53 #define EAP_HEADERLEN 4
54
55 /*
56 * EAP codes.
57 */
58
59 /* support for request types 1..4 is mandatory */
60 #define EAP_TYPE_NONE 0 /* No EAP type */
61 #define EAP_TYPE_IDENTITY 1 /* request for identity */
62 #define EAP_TYPE_NOTIFICATION 2 /* notification message */
63 #define EAP_TYPE_NAK 3 /* nak (response only) */
64 #define EAP_TYPE_MD5CHALLENGE 4 /* password MD5 coded */
65
66 #define EAP_TYPE_OTP 5 /* One Time Password (OTP) */
67 #define EAP_TYPE_TOKEN 6 /* Generic Token Card */
68
69 #define EAP_TYPE_RSA 9 /* RSA Public Key Authentication */
70 #define EAP_TYPE_DSS 10 /* DSS Unilateral */
71 #define EAP_TYPE_KEA 11 /* KEA */
72 #define EAP_TYPE_KEA_VALIDATE 12 /* KEA-VALIDATE */
73 #define EAP_TYPE_TLS 13 /* EAP-TLS */
74 #define EAP_TYPE_AXENT 14 /* Defender Token (AXENT) */
75 #define EAP_TYPE_RSA_SECURID 15 /* RSA Security SecurID EAP */
76 #define EAP_TYPE_ARCOT 16 /* Arcot Systems EAP */
77 #define EAP_TYPE_CISCO 17 /* EAP-Cisco Wireless */
78 #define EAP_TYPE_SIM 18 /* EAP-SIM */
79 #define EAP_TYPE_SRP_SHA1_1 19 /* SRP-SHA1 Part 1 */
80 #define EAP_TYPE_SRP_SHA1_2 20 /* SRP-SHA1 Part 2 */
81 #define EAP_TYPE_TTLS 21 /* EAP-TTLS */
82 #define EAP_TYPE_RAS 22 /* Remote Access Service */
83 #define EAP_TYPE_AKA 23 /* EAP-AKA */
84 #define EAP_TYPE_3COM 24 /* EAP-3Com Wireless */
85 #define EAP_TYPE_PEAP 25 /* PEAP */
86 #define EAP_TYPE_MS 26 /* MS-EAP-Authentication */
87 #define EAP_TYPE_MAKE 27 /* Mutual Authentication w/Key Exchange (MAKE) */
88 #define EAP_TYPE_CRYPTO 28 /* CRYPTOCard */
89 #define EAP_TYPE_MSCHAP_V2 29 /* EAP-MSCHAP-V2 */
90 #define EAP_TYPE_DYNAM_ID 30 /* DynamID */
91 #define EAP_TYPE_ROB 31 /* Rob EAP */
92 #define EAP_TYPE_SECUR_ID 32 /* SecurID EAP */
93 #define EAP_TYPE_MS_TLV 33 /* MS-Authentication-TLV */
94 #define EAP_TYPE_SENTRINET 34 /* SentriNET */
95 #define EAP_TYPE_ACTIONTEC 35 /* EAP-Actiontec Wireless */
96 #define EAP_TYPE_COGENT 36 /* Cogent Systems Biometrics Authentication EAP */
97
98 #define kEAPPropertiesTypeEAPSIM CFSTR("EAPSIMProperties")
99 #define kEAPPropertiesTypeEAPAKA CFSTR("EAPAKAProperties")
100
101 #define EAP_REQUEST 1
102 #define EAP_RESPONSE 2
103 #define EAP_SUCCESS 3
104 #define EAP_FAILURE 4
105
106
107 struct EAP_Packet
108 {
109 u_int8_t code; // packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure
110 u_int8_t id; // packet id
111 u_int16_t len; // packet len (network order)
112 u_int8_t data[1]; // packet data
113 } __attribute__((__packed__));
114
115 #define EAP_NOTIFICATION_NONE 0
116 #define EAP_NOTIFICATION_START 1
117 #define EAP_NOTIFICATION_RESTART 2
118 #define EAP_NOTIFICATION_SUCCESS 3
119 #define EAP_NOTIFICATION_PACKET 4
120 #define EAP_NOTIFICATION_DATA_FROM_UI 5
121 #define EAP_NOTIFICATION_TIMEOUT 6
122
123 typedef struct EAP_Input {
124 u_int16_t size; // size of the structure (for future extension)
125 u_int8_t mode; // 0 for client, 1 for server
126 u_int8_t initial_id; // initial EAP ID
127 u_int16_t mtu; // mtu wll determine the maximum packet size to send
128 u_int16_t notification; // notification the EAP engine sends to the module
129 u_int16_t data_len; // len of the data
130 void *data; // data to be consumed depending on the notification
131 char *identity; // authenticatee identity
132 char *username; // authenticatee user name
133 char *password; // authenticatee password
134 } EAP_Input_t;
135
136 #define EAP_ACTION_NONE 0
137 #define EAP_ACTION_SEND 1
138 #define EAP_ACTION_INVOKE_UI 2
139 #define EAP_ACTION_ACCESS_GRANTED 3
140 #define EAP_ACTION_ACCESS_DENIED 4
141 #define EAP_ACTION_SEND_WITH_TIMEOUT 5
142 #define EAP_ACTION_SEND_AND_DONE 6
143 #define EAP_ACTION_CANCEL 7
144
145
146 typedef struct EAP_Output {
147 u_int16_t size; // size of the structure (for future extension)
148 u_int16_t action; // action the EAP engine needs to perform
149 u_int16_t data_len; // len of the data
150 void *data; // data to be consumed depending on the action
151 char *username; // authenticatee user name (useful in server mode)
152 } EAP_Output_t;
153
154 enum {
155 EAP_NO_ERROR = 0,
156 EAP_ERROR_GENERIC,
157 EAP_ERROR_INVALID_PACKET
158 };
159
160 /* attribute information returned upon successful authentication */
161
162 #define EAP_ATTRIBUTE_NONE 0
163 #define EAP_ATTRIBUTE_MPPE_SEND_KEY 1
164 #define EAP_ATTRIBUTE_MPPE_RECV_KEY 2
165
166 typedef struct EAP_Attribute {
167 u_int16_t type; // type of the attribute
168 u_int16_t data_len; // len of the data
169 void *data; // data to be consumed depending on the type
170 /* data follow according to the size */
171 } __attribute__((__packed__)) EAP_Attribute_t;
172
173 /*
174 * Extension structure for eap types.
175 */
176
177 #define EAP_EXT_CLIENT 0x1 // support client mode
178
179 typedef struct eap_ext {
180 struct eap_ext *next; // next extensiopn structure
181 u_int8_t type; // eap type
182 char *name; // extension name
183 u_int32_t flags; // support flags
184 void *plugin; // used to keep ref of the plugin
185 int (*init) (EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
186 //int (*reinit) (void *context);
187 int (*dispose) (void *context);
188 int (*process) (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
189 int (*free) (void *context, EAP_Output_t *eap_out);
190 int (*attribute) (void *context, EAP_Attribute_t *eap_attr);
191 int (*identity) (char *identity, int maxlen);
192
193 } eap_ext_t;
194
195 typedef struct eap_state {
196 int clientstate; /* Client state */
197
198 char *our_identity; /* Our identity name */
199 char *username; /* the user name (only for client mode) */
200 char *password; /* the password (only for client mode) */
201 char peer_identity[MAX_NAME_LENGTH]; /* peer name discovered with identity request */
202
203 u_char req_id; /* ID of last challenge */
204 u_char resp_id; /* ID of last response */
205 u_char req_type; /* last request type */
206 vchar_t *rcvd_msg;
207 vchar_t *send_key;
208 vchar_t *recv_key;
209
210 eap_ext_t *client_ext; /* client eap extension */
211 void *client_ext_ctx; /* client eap extension context */
212 EAP_Input_t *client_ext_input; /* client eap extension input structure */
213 EAP_Output_t *client_ext_output; /* client eap extension output structure */
214
215 struct etypes *supported_eap_types;
216 CFDictionaryRef extra_options;
217 } eap_state_t;
218
219 #define MPPE_MAX_KEY_LEN 16 /* largest key length (128-bit) */
220
221 int EapExtAdd(eap_ext_t *newext);
222
223 /*
224 * Client (peer) states.
225 */
226 #define EAPCS_INITIAL 0 /* Lower layer down, not opened */
227 #define EAPCS_CLOSED 1 /* Lower layer up, not opened */
228 #define EAPCS_PENDING 2 /* Auth us to peer when lower up */
229 #define EAPCS_LISTEN 3 /* Listening for a challenge */
230 #define EAPCS_OPEN 4 /* We've received Success */
231
232 int EapAuthWithPeer (eap_state_t *, vchar_t *, vchar_t *);
233 void EapLostFailure (eap_state_t *state);
234
235 int EAPLoad(eap_state_t *cstate);
236
237 void EapInit(eap_state_t *cstate);
238
239 void EapStart(eap_state_t *cstate, int);
240
241 void EapStop(eap_state_t *cstate);
242
243 int EapInput(eap_state_t *cstate, u_char *inpacket, int packet_len);
244
245 #endif
mirror of ipsec