2 * EAP-TEAP definitions (RFC 7170)
3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
/* Protocol version advertised in the TEAP Flags byte (presumably; see the
 * version negotiation in the peer/server code) */
#define EAP_TEAP_VERSION 1
/* Size of the exported key material; RFC 7170 derives 64-octet MSK/EMSK -
 * confirm against eap_teap_derive_eap_msk()/eap_teap_derive_eap_emsk() */
#define EAP_TEAP_KEY_LEN 64
/* IMCK = S-IMCK (40 octets) || CMK (20 octets): 60 = 40 + 20 */
#define EAP_TEAP_IMCK_LEN 60
#define EAP_TEAP_SIMCK_LEN 40
#define EAP_TEAP_CMK_LEN 20
/* Size of each Compound MAC field in the Crypto-Binding TLV */
#define EAP_TEAP_COMPOUND_MAC_LEN 20
/* Size of the nonce field in the Crypto-Binding TLV */
#define EAP_TEAP_NONCE_LEN 32

/* TLS exporter label for the session key seed (RFC 7170, Section 5.1) */
#define TEAP_TLS_EXPORTER_LABEL_SKS "EXPORTER: teap session key seed"

/* TLS extension type used to carry the PAC-Opaque; 35 is the IANA
 * session_ticket extension type, which EAP-FAST/TEAP reuse for this */
#define TLS_EXT_PAC_OPAQUE 35
/*
 * RFC 7170: Section 4.2.12.1 - Formats for PAC Attributes
 * Note: bit 0x8000 (Mandatory) and bit 0x4000 (Reserved) are also defined
 * in the general TLV format (Section 4.2.1).
 * No attribute is defined for value 6 in this listing (the values jump
 * from I-ID = 5 to A-ID-Info = 7).
 */
#define PAC_TYPE_PAC_KEY 1 /* shared secret (EAP_TEAP_PAC_KEY_LEN); never log */
#define PAC_TYPE_PAC_OPAQUE 2 /* server-protected blob, opaque to the peer */
#define PAC_TYPE_CRED_LIFETIME 3
#define PAC_TYPE_A_ID 4 /* Authority Identifier */
#define PAC_TYPE_I_ID 5 /* Initiator Identifier */
#define PAC_TYPE_A_ID_INFO 7
#define PAC_TYPE_PAC_ACKNOWLEDGEMENT 8
#define PAC_TYPE_PAC_INFO 9
#define PAC_TYPE_PAC_TYPE 10 /* value is PAC_TYPE_TUNNEL_PAC etc. */
/* Result TLV and Intermediate-Result TLV */
/*
 * NOTE(review): this rendering drops the lines between the two trailing
 * comments below (original header lines 56-58 and 60-66), i.e. all member
 * declarations and at least one closing brace; the second comment may even
 * belong to a different TLV struct. Do not rely on this fragment for the
 * wire layout - consult the upstream header.
 */
struct teap_tlv_result
{
/* for Intermediate-Result TLV, followed by optional TLVs */
/* followed by optional TLVs */
/*
 * Crypto-Binding TLV (RFC 7170, Section 4.2.13)
 * NOTE(review): the members between tlv_type and subtype (original header
 * lines 72-75) and the closing brace are missing from this rendering, so
 * the field list below is partial and its offsets cannot be derived here.
 */
struct teap_tlv_crypto_binding {
	be16 tlv_type; /* TLV Type[14b] and M/R flags */
	u8 subtype; /* Flags[4b] and Sub-Type[4b]; Flags presumably selects
		     * which of the two Compound MAC fields below are valid
		     * (TEAP_CRYPTO_BINDING_*_CMAC), Sub-Type is request or
		     * response (TEAP_CRYPTO_BINDING_SUBTYPE_*) */
	u8 nonce[EAP_TEAP_NONCE_LEN];
	u8 emsk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; /* MAC keyed with the EMSK-based CMK */
	u8 msk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; /* MAC keyed with the MSK-based CMK */
/*
 * Request-Action TLV
 * NOTE(review): the member declarations (original header lines 83-86) and
 * the closing brace are missing from this rendering; only the trailing
 * comment survived.
 */
struct teap_tlv_request_action
{
/* followed by optional TLVs */
/* Action values carried in the Request-Action TLV */
enum teap_request_action {
	TEAP_REQUEST_ACTION_PROCESS_TLV = 1, /* process the enclosed TLVs */
	TEAP_REQUEST_ACTION_NEGOTIATE_EAP = 2, /* start another inner EAP method */
};
/* PAC TLV with PAC-Acknowledgement TLV attribute */
/*
 * NOTE(review): the member declarations (original header lines 97-102) and
 * the closing brace are missing from this rendering.
 */
struct teap_tlv_pac_ack
{
/*
 * PAC-Type attribute (RFC 7170, Section 4.2.12.6)
 * NOTE(review): the remaining members (original header lines 106-107) and
 * the closing brace are missing from this rendering.
 */
struct teap_attr_pac_type {
	be16 type; /* PAC_TYPE_PAC_TYPE */
112 #endif /* _MSC_VER */
/* Sub-Type values (low nibble of teap_tlv_crypto_binding::subtype) */
#define TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST 0
#define TEAP_CRYPTO_BINDING_SUBTYPE_RESPONSE 1

/* Flags values (high nibble of teap_tlv_crypto_binding::subtype); these are
 * bit flags, so EMSK_AND_MSK_CMAC == EMSK_CMAC | MSK_CMAC */
#define TEAP_CRYPTO_BINDING_EMSK_CMAC 1
#define TEAP_CRYPTO_BINDING_MSK_CMAC 2
#define TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC 3

/* Length of the PAC-Key attribute value; key material, so it should be
 * zeroized when no longer needed and never logged */
#define EAP_TEAP_PAC_KEY_LEN 48

/* RFC 7170: 4.2.12.6 PAC-Type TLV */
#define PAC_TYPE_TUNNEL_PAC 1
/* RFC 7170, 4.2.1: General TLV Format */
/*
 * TLV Type values (14-bit field; mask a received type with
 * TEAP_TLV_TYPE_MASK before comparing against these).
 * NOTE(review): this rendering omits the enumerators for values 3-5, 11 and
 * 15 (original header lines 132-134, 140 and 144), so the list below is not
 * complete.
 */
enum teap_tlv_types {
	TEAP_TLV_AUTHORITY_ID = 1,
	TEAP_TLV_IDENTITY_TYPE = 2,
	TEAP_TLV_CHANNEL_BINDING = 6,
	TEAP_TLV_VENDOR_SPECIFIC = 7,
	TEAP_TLV_REQUEST_ACTION = 8,
	TEAP_TLV_EAP_PAYLOAD = 9,
	TEAP_TLV_INTERMEDIATE_RESULT = 10,
	TEAP_TLV_CRYPTO_BINDING = 12,
	TEAP_TLV_BASIC_PASSWORD_AUTH_REQ = 13,
	TEAP_TLV_BASIC_PASSWORD_AUTH_RESP = 14,
	TEAP_TLV_PKCS10 = 16,
	TEAP_TLV_TRUSTED_SERVER_ROOT = 17,
};
/* Status values for the Result TLV and Intermediate-Result TLV */
enum teap_tlv_result_status {
	TEAP_STATUS_SUCCESS = 1,
	TEAP_STATUS_FAILURE = 2
};
/* Identity-Type values within Identity-Type TLV */
enum teap_identity_types {
	TEAP_IDENTITY_TYPE_USER = 1,
	TEAP_IDENTITY_TYPE_MACHINE = 2,
};
/* Bit layout of the 16-bit TLV Type field: M (0x8000), R (0x4000, reserved)
 * and a 14-bit type. Strip the flag bits with TEAP_TLV_TYPE_MASK before
 * dispatching on enum teap_tlv_types, and keep the M bit so an unknown
 * mandatory TLV can be handled differently from an unknown optional one. */
#define TEAP_TLV_MANDATORY 0x8000
#define TEAP_TLV_TYPE_MASK 0x3fff
/* RFC 7170, 4.2.6: Error TLV */
/*
 * Error codes carried in the Error TLV. Judging by the names, 1001-1008
 * describe authentication/authorization and account problems and 2001-2002
 * describe protocol-level problems with the tunnel itself.
 */
enum teap_error_codes {
	TEAP_ERROR_INNER_METHOD = 1001,
	TEAP_ERROR_UNSPEC_AUTH_INFRA_PROBLEM = 1002,
	TEAP_ERROR_UNSPEC_AUTHENTICATION_FAILURE = 1003,
	TEAP_ERROR_UNSPEC_AUTHORIZATION_FAILURE = 1004,
	TEAP_ERROR_USER_ACCOUNT_CRED_UNAVAILABLE = 1005,
	TEAP_ERROR_USER_ACCOUNT_EXPIRED = 1006,
	TEAP_ERROR_USER_ACCOUNT_LOCKED_TRY_AGAIN_LATER = 1007,
	TEAP_ERROR_USER_ACCOUNT_LOCKED_ADMIN_REQ = 1008,
	/* RFC 7170 ties this code to a failed Crypto-Binding TLV check - confirm
	 * against the code that sends it */
	TEAP_ERROR_TUNNEL_COMPROMISE_ERROR = 2001,
	TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED = 2002,
};
/* Forward declaration of the opaque TLS connection handle; its definition
 * lives outside this header (presumably in the TLS wrapper) */
struct tls_connection;
/*
 * Result of parsing the TLVs of one TEAP message (filled by
 * eap_teap_parse_tlv()).
 * NOTE(review): this rendering omits most members (original header lines
 * 181, 185-189, 191-193, 195 and 197-199) - including the pointer fields the
 * visible *_len members describe - and the closing brace; treat this as a
 * partial listing.
 */
struct eap_teap_tlv_parse {
	size_t eap_payload_tlv_len;
	struct teap_tlv_crypto_binding *crypto_binding;
	/* number of bytes available at crypto_binding; presumably compared
	 * against sizeof(struct teap_tlv_crypto_binding) before the struct is
	 * dereferenced - confirm in eap_teap_parse_tlv() */
	size_t crypto_binding_len;
	u8 request_action_status;
	size_t basic_auth_req_len;
	size_t basic_auth_resp_len;
/**
 * eap_teap_put_tlv_hdr - Append a TLV header to a buffer
 * @buf: Buffer to append to
 * @type: TLV Type, possibly OR'ed with TEAP_TLV_MANDATORY
 * @len: Length of the TLV value that will follow the header
 *
 * Presumably writes the two big-endian 16-bit header fields of RFC 7170,
 * 4.2.1; confirm in eap_teap_common.c.
 */
void eap_teap_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len);

/**
 * eap_teap_put_tlv - Append a complete TLV (header and value) to a buffer
 * @buf: Buffer to append to
 * @type: TLV Type, possibly OR'ed with TEAP_TLV_MANDATORY
 * @data: TLV value; @len bytes are read from it
 * @len: Length of @data in bytes
 */
void eap_teap_put_tlv(struct wpabuf *buf, u16 type, const void *data, u16 len);

/**
 * eap_teap_put_tlv_buf - Append a complete TLV whose value is a wpabuf
 * @buf: Buffer to append to
 * @type: TLV Type, possibly OR'ed with TEAP_TLV_MANDATORY
 * @data: Buffer holding the TLV value; it is const, so presumably not consumed
 */
void eap_teap_put_tlv_buf(struct wpabuf *buf, u16 type,
			  const struct wpabuf *data);

/**
 * eap_teap_tlv_eap_payload - Wrap an EAP message into an EAP-Payload TLV
 * @buf: EAP message to wrap
 * Returns: New buffer holding the TLV, presumably %NULL on failure
 *
 * NOTE(review): whether @buf is consumed by this call or must still be freed
 * by the caller is not visible from the prototype; check eap_teap_common.c
 * before using it, since guessing wrong is a leak or a double free.
 */
struct wpabuf * eap_teap_tlv_eap_payload(struct wpabuf *buf);
/**
 * eap_teap_derive_eap_msk - Derive the EAP MSK from an S-IMCK
 * @tls_cs: Negotiated TLS cipher suite; presumably selects the TLS-PRF hash
 * @simck: S-IMCK to derive from (EAP_TEAP_SIMCK_LEN bytes, presumably)
 * @msk: Output buffer for the MSK (EAP_TEAP_KEY_LEN bytes, presumably)
 * Returns: 0 on success, -1 on failure (hostap convention; confirm)
 */
int eap_teap_derive_eap_msk(u16 tls_cs, const u8 *simck, u8 *msk);

/**
 * eap_teap_derive_eap_emsk - Derive the EAP EMSK from an S-IMCK
 * @tls_cs: Negotiated TLS cipher suite; presumably selects the TLS-PRF hash
 * @simck: S-IMCK to derive from (EAP_TEAP_SIMCK_LEN bytes, presumably)
 * @emsk: Output buffer for the EMSK (EAP_TEAP_KEY_LEN bytes, presumably)
 * Returns: 0 on success, -1 on failure (hostap convention; confirm)
 */
int eap_teap_derive_eap_emsk(u16 tls_cs, const u8 *simck, u8 *emsk);
/**
 * eap_teap_derive_cmk_basic_pw_auth - Derive the CMK after Basic-Password-Auth
 * @tls_cs: Negotiated TLS cipher suite; presumably selects the TLS-PRF hash
 * @s_imck_msk: Current MSK-based S-IMCK
 *
 * NOTE(review): this prototype is truncated in this rendering (original
 * header line 209 is missing), so its remaining parameters and return type
 * semantics are not shown here.
 */
int eap_teap_derive_cmk_basic_pw_auth(u16 tls_cs, const u8 *s_imck_msk,
/**
 * eap_teap_derive_imck - Advance the IMCK chains after an inner method
 * @tls_cs: Negotiated TLS cipher suite; presumably selects the TLS-PRF hash
 * @prev_s_imck_msk: Previous S-IMCK of the MSK-based chain
 * @prev_s_imck_emsk: Previous S-IMCK of the EMSK-based chain
 * @msk: MSK exported by the inner method, or presumably %NULL/empty if none
 * @msk_len: Length of @msk in bytes
 * @emsk: EMSK exported by the inner method, or presumably %NULL/empty if none
 * @emsk_len: Length of @emsk in bytes
 * @s_imck_msk: Output: new MSK-based S-IMCK (EAP_TEAP_SIMCK_LEN bytes, presumably)
 * @cmk_msk: Output: new MSK-based CMK (EAP_TEAP_CMK_LEN bytes, presumably)
 * @s_imck_emsk: Output: new EMSK-based S-IMCK (EAP_TEAP_SIMCK_LEN bytes, presumably)
 * @cmk_emsk: Output: new EMSK-based CMK (EAP_TEAP_CMK_LEN bytes, presumably)
 * Returns: 0 on success, -1 on failure (hostap convention; confirm)
 *
 * The two output pairs correspond to the parallel MSK- and EMSK-based
 * derivations of RFC 7170, Section 5.2; how the EMSK chain behaves when the
 * inner method exported no EMSK is not visible here - check the
 * implementation before relying on @s_imck_emsk/@cmk_emsk.
 */
int eap_teap_derive_imck(u16 tls_cs,
			 const u8 *prev_s_imck_msk, const u8 *prev_s_imck_emsk,
			 const u8 *msk, size_t msk_len,
			 const u8 *emsk, size_t emsk_len,
			 u8 *s_imck_msk, u8 *cmk_msk,
			 u8 *s_imck_emsk, u8 *cmk_emsk);
/**
 * eap_teap_compound_mac - Compute the Compound MAC of a Crypto-Binding TLV
 * @tls_cs: Negotiated TLS cipher suite; presumably selects the MAC algorithm
 * @cb: Crypto-Binding TLV to cover
 * @server_outer_tlvs: Outer TLVs sent by the server, or presumably %NULL
 * @peer_outer_tlvs: Outer TLVs sent by the peer, or presumably %NULL
 * @cmk: CMK to key the MAC with (EAP_TEAP_CMK_LEN bytes, presumably)
 * @compound_mac: Output buffer (EAP_TEAP_COMPOUND_MAC_LEN bytes, presumably)
 * Returns: 0 on success, -1 on failure (hostap convention; confirm)
 *
 * Including both sides' outer TLVs in the MAC input is what lets the
 * binding detect tampering with the unprotected Phase 1 TLVs; a verifier
 * must therefore pass exactly the outer TLVs that were actually exchanged.
 */
int eap_teap_compound_mac(u16 tls_cs, const struct teap_tlv_crypto_binding *cb,
			  const struct wpabuf *server_outer_tlvs,
			  const struct wpabuf *peer_outer_tlvs,
			  const u8 *cmk, u8 *compound_mac);
/**
 * eap_teap_parse_tlv - Record one TLV in a parse result
 * @tlv: Parse result to update
 * @tlv_type: TLV Type of this TLV; whether the M/R flag bits have already
 *	been masked off with TEAP_TLV_TYPE_MASK is not visible here - confirm
 * @pos: Start of the TLV value
 * @len: Length of the TLV value in bytes
 * Returns: 0 on success, -1 on failure (hostap convention; confirm)
 *
 * @len is taken from the untrusted TLV header, so the caller must already
 * have checked it against the enclosing message; the *_len members of
 * struct eap_teap_tlv_parse presumably inherit it unchanged and every later
 * access relies on that check.
 */
int eap_teap_parse_tlv(struct eap_teap_tlv_parse *tlv,
		       int tlv_type, u8 *pos, size_t len);
/**
 * eap_teap_tlv_type_str - Human-readable name of a TLV Type (for debug output)
 * @type: TLV Type value
 * Returns: Static string naming the type; presumably a placeholder for
 *	unknown values - confirm before using the result for anything but logs
 */
const char * eap_teap_tlv_type_str(enum teap_tlv_types type);

/**
 * eap_teap_tlv_result - Build a Result or Intermediate-Result TLV
 * @status: TEAP_STATUS_SUCCESS or TEAP_STATUS_FAILURE
 * @intermediate: Non-zero to build an Intermediate-Result TLV instead of a
 *	Result TLV
 * Returns: New buffer holding the TLV, presumably %NULL on failure
 */
struct wpabuf * eap_teap_tlv_result(int status, int intermediate);

/**
 * eap_teap_tlv_error - Build an Error TLV
 * @error: Error code to carry (enum teap_error_codes)
 * Returns: New buffer holding the TLV, presumably %NULL on failure
 */
struct wpabuf * eap_teap_tlv_error(enum teap_error_codes error);

/**
 * eap_teap_tlv_identity_type - Build an Identity-Type TLV
 * @id: Identity type to carry (enum teap_identity_types)
 * Returns: New buffer holding the TLV, presumably %NULL on failure
 */
struct wpabuf * eap_teap_tlv_identity_type(enum teap_identity_types id);
/**
 * eap_teap_allowed_anon_prov_phase2_method - Inner-method policy for anonymous provisioning
 * @vendor: EAP vendor id of the proposed Phase 2 method
 * @type: EAP method type of the proposed Phase 2 method
 * Returns: Non-zero if the method may run during anonymous (server-
 *	unauthenticated) provisioning, 0 otherwise - presumably; confirm
 *
 * In anonymous provisioning the TLS tunnel does not authenticate the
 * server, so this allow-list is the only thing keeping an inner method
 * from being relayed by an interposed server; keep it restrictive.
 */
int eap_teap_allowed_anon_prov_phase2_method(int vendor, enum eap_type type);

/**
 * eap_teap_allowed_anon_prov_cipher_suite - Cipher-suite policy for anonymous provisioning
 * @cs: Negotiated TLS cipher suite
 * Returns: Non-zero if @cs is acceptable for anonymous provisioning,
 *	0 otherwise - presumably; confirm
 */
int eap_teap_allowed_anon_prov_cipher_suite(u16 cs);
230 #endif /* EAP_TEAP_H */