1 | /* |
2 | * EAP-TEAP definitions (RFC 7170) | |
3 | * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This software may be distributed under the terms of the BSD license. | |
6 | * See README for more details. | |
7 | */ | |
8 | ||
9 | #ifndef EAP_TEAP_H | |
10 | #define EAP_TEAP_H | |
11 | ||
/* TEAP protocol version carried in the EAP-TEAP flags octet (RFC 7170, 4.1) */
#define EAP_TEAP_VERSION 1
/* MSK and EMSK are each 64 octets (RFC 7170, 5.4) */
#define EAP_TEAP_KEY_LEN 64
/*
 * IMCK[j] is the 60-octet TLS-PRF output of the inner method key derivation;
 * its first 40 octets are S-IMCK[j] (chained into the next derivation) and
 * the last 20 octets are CMK[j], the Compound MAC key (RFC 7170, 5.2).
 */
#define EAP_TEAP_IMCK_LEN 60
#define EAP_TEAP_SIMCK_LEN 40
#define EAP_TEAP_CMK_LEN 20
/* Size of each Compound MAC field in the Crypto-Binding TLV (RFC 7170, 4.2.13) */
#define EAP_TEAP_COMPOUND_MAC_LEN 20
/* Size of the Nonce field in the Crypto-Binding TLV */
#define EAP_TEAP_NONCE_LEN 32
19 | ||
/*
 * TLS exporter label for session_key_seed (RFC 7170, 5.1). The exported
 * value is S-IMCK[0], the root of the Crypto-Binding key chain, so all
 * Compound MACs are ultimately bound to this TLS session.
 */
#define TEAP_TLS_EXPORTER_LABEL_SKS "EXPORTER: teap session key seed"

/*
 * TLS extension type used by the peer to return a PAC-Opaque in the
 * ClientHello (RFC 7170). This is sent outside the tunnel, i.e. in the clear.
 */
#define TLS_EXT_PAC_OPAQUE 35
23 | ||
/*
 * RFC 7170: Section 4.2.12.1 - Formats for PAC Attributes
 * Note: bit 0x8000 (Mandatory) and bit 0x4000 (Reserved) are also defined
 * in the general TLV format (Section 4.2.1).
 *
 * These are the attribute types carried inside a PAC TLV (TEAP_TLV_PAC).
 * PAC-Key is the shared-secret half of the PAC and is only ever sent inside
 * the TLS tunnel; PAC-Opaque is opaque to the peer and is handed back to the
 * server in the clear via TLS_EXT_PAC_OPAQUE.
 */
#define PAC_TYPE_PAC_KEY 1
#define PAC_TYPE_PAC_OPAQUE 2
#define PAC_TYPE_CRED_LIFETIME 3	/* PAC-Lifetime */
#define PAC_TYPE_A_ID 4			/* Authority Identifier */
#define PAC_TYPE_I_ID 5			/* Initiator Identifier */
/* 6 - Reserved */
#define PAC_TYPE_A_ID_INFO 7		/* human-readable A-ID description */
#define PAC_TYPE_PAC_ACKNOWLEDGEMENT 8
#define PAC_TYPE_PAC_INFO 9
#define PAC_TYPE_PAC_TYPE 10
39 | ||
40 | #ifdef _MSC_VER | |
41 | #pragma pack(push, 1) | |
42 | #endif /* _MSC_VER */ | |
43 | ||
/*
 * Common header of a PAC attribute (RFC 7170, 4.2.12.1). Wire fields are
 * big-endian and the struct is packed to match the on-wire layout exactly.
 */
struct pac_attr_hdr {
	be16 type;	/* PAC_TYPE_* */
	be16 len;	/* octets in the Value that follows, excluding this header */
} STRUCT_PACKED;
48 | ||
/*
 * General TLV header (RFC 7170, 4.2.1). tlv_type packs the M bit
 * (TEAP_TLV_MANDATORY), the reserved R bit (0x4000) and a 14-bit type
 * (TEAP_TLV_TYPE_MASK); length counts only the Value octets that follow.
 */
struct teap_tlv_hdr {
	be16 tlv_type;
	be16 length;
} STRUCT_PACKED;
53 | ||
/*
 * Result TLV (RFC 7170, 4.2.4) and Intermediate-Result TLV (RFC 7170, 4.2.11)
 *
 * status is one of enum teap_tlv_result_status. The Result TLV concludes the
 * exchange; the Intermediate-Result TLV reports the outcome of a single inner
 * method and, per RFC 7170, is paired with a Crypto-Binding TLV so that a
 * success is only accepted once the Compound MAC has been verified.
 */
struct teap_tlv_result {
	be16 tlv_type;
	be16 length;
	be16 status;	/* TEAP_STATUS_SUCCESS or TEAP_STATUS_FAILURE */
	/* for Intermediate-Result TLV, followed by optional TLVs */
} STRUCT_PACKED;
61 | ||
/*
 * NAK TLV (RFC 7170, 4.2.5): sent in response to a received TLV that had the
 * M bit set but was not understood. vendor_id is 0 for IETF-defined types
 * and nak_type names the rejected TLV type.
 */
struct teap_tlv_nak {
	be16 tlv_type;
	be16 length;
	be32 vendor_id;
	be16 nak_type;
	/* followed by optional TLVs */
} STRUCT_PACKED;
69 | ||
/*
 * Crypto-Binding TLV (RFC 7170, 4.2.13)
 *
 * Binds the inner method keys to the TLS tunnel so that a relayed inner
 * authentication cannot be completed by a party that does not hold the
 * tunnel keys. The low nibble of subtype selects TEAP_CRYPTO_BINDING_SUBTYPE_*
 * and the high nibble (Flags) reports which Compound MAC fields are present
 * (TEAP_CRYPTO_BINDING_*_CMAC). The MACs are computed over this TLV and the
 * Outer TLVs with CMK via eap_teap_compound_mac(); a mismatch is what
 * TEAP_ERROR_TUNNEL_COMPROMISE_ERROR reports.
 */
struct teap_tlv_crypto_binding {
	be16 tlv_type; /* TLV Type[14b] and M/R flags */
	be16 length;
	u8 reserved;
	u8 version;		/* bound into the MAC to protect version negotiation */
	u8 received_version;	/* TEAP version received from the other end */
	u8 subtype; /* Flags[4b] and Sub-Type[4b] */
	/* NOTE(review): RFC 7170 has the response reuse the request nonce with
	 * its least significant bit set - confirm against the implementation */
	u8 nonce[EAP_TEAP_NONCE_LEN];
	u8 emsk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN];
	u8 msk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN];
} STRUCT_PACKED;
81 | ||
/*
 * Request-Action TLV (RFC 7170, 4.2.9): status reuses the Result TLV
 * Success/Failure encoding and action is one of enum teap_request_action.
 */
struct teap_tlv_request_action {
	be16 tlv_type;
	be16 length;
	u8 status;	/* TEAP_STATUS_SUCCESS or TEAP_STATUS_FAILURE */
	u8 action;	/* TEAP_REQUEST_ACTION_* */
	/* followed by optional TLVs */
} STRUCT_PACKED;
89 | ||
/* Action values for the Request-Action TLV (RFC 7170, 4.2.9) */
enum teap_request_action {
	TEAP_REQUEST_ACTION_PROCESS_TLV = 1,	/* process the TLVs that follow */
	TEAP_REQUEST_ACTION_NEGOTIATE_EAP = 2,	/* run another inner EAP method */
};
94 | ||
/*
 * PAC TLV with PAC-Acknowledgement TLV attribute
 *
 * The outer TLV header (tlv_type/length) is followed directly by a single
 * PAC attribute header (pac_type/pac_len) and its result value, so the whole
 * message is a fixed-size wire structure.
 */
struct teap_tlv_pac_ack {
	be16 tlv_type;	/* TEAP_TLV_PAC */
	be16 length;
	be16 pac_type;	/* PAC_TYPE_PAC_ACKNOWLEDGEMENT */
	be16 pac_len;
	be16 result;	/* Success/Failure as in enum teap_tlv_result_status */
} STRUCT_PACKED;
103 | ||
/* PAC-Type attribute (RFC 7170, 4.2.12.6) carried inside a PAC TLV */
struct teap_attr_pac_type {
	be16 type; /* PAC_TYPE_PAC_TYPE */
	be16 length; /* 2 */
	be16 pac_type;	/* PAC_TYPE_TUNNEL_PAC */
} STRUCT_PACKED;
109 | ||
110 | #ifdef _MSC_VER | |
111 | #pragma pack(pop) | |
112 | #endif /* _MSC_VER */ | |
113 | ||
/* Crypto-Binding TLV Sub-Type (low nibble of teap_tlv_crypto_binding.subtype) */
#define TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST 0
#define TEAP_CRYPTO_BINDING_SUBTYPE_RESPONSE 1

/*
 * Crypto-Binding TLV Flags (high nibble of subtype): which Compound MAC
 * field(s) the sender populated. A receiver should only verify, and only
 * trust, the MACs the flags claim to be present.
 */
#define TEAP_CRYPTO_BINDING_EMSK_CMAC 1
#define TEAP_CRYPTO_BINDING_MSK_CMAC 2
#define TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC 3
120 | ||
121 | ||
/* PAC-Key length in octets; matches the size of a TLS master secret */
#define EAP_TEAP_PAC_KEY_LEN 48

/* RFC 7170: 4.2.12.6 PAC-Type TLV */
#define PAC_TYPE_TUNNEL_PAC 1
126 | ||
127 | ||
/*
 * RFC 7170, 4.2.1: General TLV Format
 *
 * 14-bit TLV type values (after masking with TEAP_TLV_TYPE_MASK). The
 * sections listed are the RFC 7170 subsections that define each TLV.
 */
enum teap_tlv_types {
	TEAP_TLV_AUTHORITY_ID = 1,		/* 4.2.2 */
	TEAP_TLV_IDENTITY_TYPE = 2,		/* 4.2.3 */
	TEAP_TLV_RESULT = 3,			/* 4.2.4 */
	TEAP_TLV_NAK = 4,			/* 4.2.5 */
	TEAP_TLV_ERROR = 5,			/* 4.2.6 */
	TEAP_TLV_CHANNEL_BINDING = 6,		/* 4.2.7 */
	TEAP_TLV_VENDOR_SPECIFIC = 7,		/* 4.2.8 */
	TEAP_TLV_REQUEST_ACTION = 8,		/* 4.2.9 */
	TEAP_TLV_EAP_PAYLOAD = 9,		/* 4.2.10 */
	TEAP_TLV_INTERMEDIATE_RESULT = 10,	/* 4.2.11 */
	TEAP_TLV_PAC = 11,			/* 4.2.12 */
	TEAP_TLV_CRYPTO_BINDING = 12,		/* 4.2.13 */
	TEAP_TLV_BASIC_PASSWORD_AUTH_REQ = 13,	/* 4.2.14 */
	TEAP_TLV_BASIC_PASSWORD_AUTH_RESP = 14,	/* 4.2.15 */
	TEAP_TLV_PKCS7 = 15,			/* 4.2.16 */
	TEAP_TLV_PKCS10 = 16,			/* 4.2.17 */
	TEAP_TLV_TRUSTED_SERVER_ROOT = 17,	/* 4.2.18 */
};
148 | ||
/* Status values shared by the Result, Intermediate-Result and Request-Action
 * TLVs */
enum teap_tlv_result_status {
	TEAP_STATUS_SUCCESS = 1,
	TEAP_STATUS_FAILURE = 2
};
153 | ||
/*
 * Bits of the 16-bit TLV type field (RFC 7170, 4.2.1). A TLV carrying the
 * M bit that the receiver does not understand must be answered with a NAK
 * TLV rather than ignored. The reserved R bit (0x4000) is covered by
 * neither value and is dropped when the type is masked.
 */
#define TEAP_TLV_MANDATORY 0x8000
#define TEAP_TLV_TYPE_MASK 0x3fff
156 | ||
/*
 * RFC 7170, 4.2.6: Error TLV
 *
 * 1xxx codes describe problems with the inner method, infrastructure or user
 * account; 2xxx codes describe problems with the tunnel itself.
 */
enum teap_error_codes {
	TEAP_ERROR_INNER_METHOD = 1001,
	TEAP_ERROR_UNSPEC_AUTH_INFRA_PROBLEM = 1002,
	TEAP_ERROR_UNSPEC_AUTHENTICATION_FAILURE = 1003,
	TEAP_ERROR_UNSPEC_AUTHORIZATION_FAILURE = 1004,
	TEAP_ERROR_USER_ACCOUNT_CRED_UNAVAILABLE = 1005,
	TEAP_ERROR_USER_ACCOUNT_EXPIRED = 1006,
	TEAP_ERROR_USER_ACCOUNT_LOCKED_TRY_AGAIN_LATER = 1007,
	TEAP_ERROR_USER_ACCOUNT_LOCKED_ADMIN_REQ = 1008,
	/* Crypto-Binding validation failed: the inner method keys do not match
	 * the tunnel keys */
	TEAP_ERROR_TUNNEL_COMPROMISE_ERROR = 2001,
	TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED = 2002,
};
170 | ||
171 | struct wpabuf; | |
172 | struct tls_connection; | |
173 | ||
/*
 * Parsed view of the TLVs in one received TEAP message, filled in by
 * eap_teap_parse_tlv(). The u8 * members are non-const and the parser takes a
 * non-const u8 *pos, so these presumably point into the received buffer
 * rather than copies - the buffer must outlive this struct (verify against
 * eap_teap_parse_tlv()). Each pointer has a matching *_len holding the TLV
 * Value length.
 */
struct eap_teap_tlv_parse {
	u8 *eap_payload_tlv;			/* EAP-Payload TLV value */
	size_t eap_payload_tlv_len;
	struct teap_tlv_crypto_binding *crypto_binding;
	size_t crypto_binding_len;		/* checked against the fixed layout by the caller */
	int iresult;				/* Intermediate-Result status (enum teap_tlv_result_status) */
	int result;				/* Result status (enum teap_tlv_result_status) */
	u8 *nak;				/* NAK TLV value */
	size_t nak_len;
	u8 request_action;			/* enum teap_request_action */
	u8 request_action_status;
	u8 *pac;				/* PAC TLV value */
	size_t pac_len;
	u8 *basic_auth_req;			/* Basic-Password-Auth-Req TLV value */
	size_t basic_auth_req_len;
	u8 *basic_auth_resp;			/* Basic-Password-Auth-Resp TLV value */
	size_t basic_auth_resp_len;
	u32 error_code;				/* enum teap_error_codes from an Error TLV */
};
193 | ||
/* Append a TLV header (type, len) to buf */
void eap_teap_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len);
/* Append a complete TLV with len octets of data to buf */
void eap_teap_put_tlv(struct wpabuf *buf, u16 type, const void *data, u16 len);
/* Append a complete TLV whose value is the contents of data */
void eap_teap_put_tlv_buf(struct wpabuf *buf, u16 type,
			  const struct wpabuf *data);
/* Wrap buf in an EAP-Payload TLV; see the implementation for ownership of buf */
struct wpabuf * eap_teap_tlv_eap_payload(struct wpabuf *buf);
/*
 * Key derivations (RFC 7170, 5.x). tls_cs is the negotiated TLS cipher suite
 * and selects the PRF. Output buffers are sized by the EAP_TEAP_*_LEN
 * constants above: msk/emsk are EAP_TEAP_KEY_LEN, simck/s_imck_* are
 * EAP_TEAP_SIMCK_LEN and cmk/cmk_* are EAP_TEAP_CMK_LEN.
 */
int eap_teap_derive_eap_msk(u16 tls_cs, const u8 *simck, u8 *msk);
int eap_teap_derive_eap_emsk(u16 tls_cs, const u8 *simck, u8 *emsk);
int eap_teap_derive_cmk_basic_pw_auth(u16 tls_cs, const u8 *s_imck_msk,
				      u8 *cmk);
/* Derive the next S-IMCK/CMK pair on both the MSK and EMSK chains from the
 * previous S-IMCKs and the inner method's MSK/EMSK */
int eap_teap_derive_imck(u16 tls_cs,
			 const u8 *prev_s_imck_msk, const u8 *prev_s_imck_emsk,
			 const u8 *msk, size_t msk_len,
			 const u8 *emsk, size_t emsk_len,
			 u8 *s_imck_msk, u8 *cmk_msk,
			 u8 *s_imck_emsk, u8 *cmk_emsk);
/*
 * Compute a Compound MAC over the Crypto-Binding TLV cb and the server/peer
 * Outer TLVs with key cmk; compound_mac receives EAP_TEAP_COMPOUND_MAC_LEN
 * octets. The inputs match the RFC 7170 BUFFER definition, which is what
 * prevents a relayed inner method from binding to a different tunnel.
 */
int eap_teap_compound_mac(u16 tls_cs, const struct teap_tlv_crypto_binding *cb,
			  const struct wpabuf *server_outer_tlvs,
			  const struct wpabuf *peer_outer_tlvs,
			  const u8 *cmk, u8 *compound_mac);
/* Record one TLV of type tlv_type with len octets of value at pos in *tlv;
 * return value semantics are defined by the implementation */
int eap_teap_parse_tlv(struct eap_teap_tlv_parse *tlv,
		       int tlv_type, u8 *pos, size_t len);
/* Human-readable name for a TLV type (for debug output) */
const char * eap_teap_tlv_type_str(enum teap_tlv_types type);
/* Build a Result TLV, or an Intermediate-Result TLV when intermediate != 0 */
struct wpabuf * eap_teap_tlv_result(int status, int intermediate);
/* Build an Error TLV carrying the given error code */
struct wpabuf * eap_teap_tlv_error(enum teap_error_codes error);
enum eap_type;
/* Whether the given inner method may be run during anonymous (server
 * unauthenticated) provisioning */
int eap_teap_allowed_anon_prov_phase2_method(int vendor, enum eap_type type);
/* Whether TLS cipher suite cs may be used for anonymous provisioning */
int eap_teap_allowed_anon_prov_cipher_suite(u16 cs);
221 | ||
222 | #endif /* EAP_TEAP_H */ |