/*
 * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
 * Copyright (c) 2004-2009, 2012, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef EAP_TLS_COMMON_H
#define EAP_TLS_COMMON_H

/**
 * struct eap_ssl_data - TLS data for EAP methods
 *
 * Per-method state shared by the EAP methods that carry a TLS handshake
 * inside EAP (EAP-TLS/PEAP/TTLS/FAST/TEAP): the TLS connection itself plus
 * the fragmentation state for outgoing TLS messages (tls_out*) and the
 * re-assembly state for incoming ones (tls_in*).
 */
struct eap_ssl_data {
	/**
	 * conn - TLS connection context data from tls_connection_init()
	 */
	struct tls_connection *conn;

	/**
	 * tls_out - TLS message to be sent out in fragments
	 *
	 * Fragments of at most tls_out_limit bytes are taken from this buffer
	 * starting at tls_out_pos.
	 */
	struct wpabuf *tls_out;

	/**
	 * tls_out_pos - The current position in the outgoing TLS message
	 */
	size_t tls_out_pos;

	/**
	 * tls_out_limit - Maximum fragment size for outgoing TLS messages
	 */
	size_t tls_out_limit;

	/**
	 * tls_in - Received TLS message buffer for re-assembly
	 */
	struct wpabuf *tls_in;

	/**
	 * tls_in_left - Number of remaining bytes in the incoming TLS message
	 */
	size_t tls_in_left;

	/**
	 * tls_in_total - Total number of bytes in the incoming TLS message
	 *
	 * NOTE(review): this total presumably originates from the
	 * peer-supplied TLS length field (EAP_TLS_FLAGS_LENGTH_INCLUDED);
	 * confirm in the re-assembly code that it is bounded before any
	 * allocation is sized from it.
	 */
	size_t tls_in_total;

	/**
	 * phase2 - Whether this TLS connection is used in EAP phase 2 (tunnel)
	 */
	int phase2;

	/**
	 * include_tls_length - Whether the TLS length field is included even
	 * if the TLS data is not fragmented
	 */
	int include_tls_length;

	/**
	 * eap - EAP state machine allocated with eap_peer_sm_init()
	 */
	struct eap_sm *eap;

	/**
	 * ssl_ctx - TLS library context to use for the connection
	 */
	void *ssl_ctx;

	/**
	 * eap_type - EAP method used in Phase 1
	 * (EAP_TYPE_TLS/PEAP/TTLS/FAST/TEAP)
	 */
	u8 eap_type;

	/**
	 * tls_v13 - Whether TLS v1.3 or newer is used
	 */
	int tls_v13;
};


/*
 * EAP TLS Flags
 *
 * Bit layout of the Flags octet that follows the EAP method type: the upper
 * bits are independent flags and the low three bits (EAP_TLS_VERSION_MASK)
 * carry the version field (see the peap_version parameters below).
 */
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40
#define EAP_TLS_FLAGS_START 0x20
#define EAP_TEAP_FLAGS_OUTER_TLV_LEN 0x10
#define EAP_TLS_VERSION_MASK 0x07

/* could be up to 128 bytes, but only the first 64 bytes are used */
#define EAP_TLS_KEY_LEN 64

/*
 * dummy type used as a flag for UNAUTH-TLS
 *
 * Internal marker values for the eap_type field/parameters; not EAP method
 * numbers registered for on-wire use.
 */
#define EAP_UNAUTH_TLS_TYPE 255
#define EAP_WFA_UNAUTH_TLS_TYPE 254


/**
 * eap_peer_tls_ssl_init - Initialize shared TLS state for an EAP method
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing (filled in by this call)
 * @config: Pointer to the network configuration
 * @eap_type: EAP method being initialized (see eap_ssl_data::eap_type)
 * Returns: int status code; presumably 0 on success, -1 on failure — verify
 * against eap_tls_common.c
 */
int eap_peer_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
			  struct eap_peer_config *config, u8 eap_type);

/**
 * eap_peer_tls_ssl_deinit - Release the TLS state set up by
 * eap_peer_tls_ssl_init()
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 */
void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);

/**
 * eap_peer_tls_derive_key - Derive keying material from the TLS connection
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * @label: Label string for the derivation
 * @context: Optional context bytes for the derivation
 * @context_len: Length of @context in bytes
 * @len: Number of bytes of keying material requested
 * Returns: Pointer to the derived key material, or NULL on failure.
 * NOTE(review): looks like a TLS keying material export keyed by @label and
 * @context; ownership of the returned buffer (caller frees?) is not visible
 * here — confirm against the definition.
 */
u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
			     const char *label, const u8 *context,
			     size_t context_len, size_t len);

/**
 * eap_peer_tls_derive_session_id - Derive the EAP Session-Id for the method
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * @eap_type: EAP method the Session-Id is derived for
 * @len: Output: length of the returned Session-Id in bytes
 * Returns: Pointer to the Session-Id, or NULL on failure
 */
u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
				    struct eap_ssl_data *data, u8 eap_type,
				    size_t *len);

/**
 * eap_peer_tls_process_helper - Process incoming TLS data and build a reply
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * @eap_type: EAP type the response is built for
 * @peap_version: Version number for the Flags octet (EAP_TLS_VERSION_MASK)
 * @id: EAP identifier for the response
 * @in_data: Received TLS data (may be one fragment of a larger message)
 * @out_data: Output: response message (may be a fragment), or NULL
 * Returns: int status code (exact convention not visible in this header)
 */
int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
				EapType eap_type, int peap_version,
				u8 id, const struct wpabuf *in_data,
				struct wpabuf **out_data);

/**
 * eap_peer_tls_build_ack - Build an EAP-TLS/PEAP/TTLS/FAST ACK message
 * @id: EAP identifier for the response
 * @eap_type: EAP type the ACK is built for
 * @peap_version: Version number for the Flags octet (EAP_TLS_VERSION_MASK)
 * Returns: Newly allocated response message, or NULL on failure
 */
struct wpabuf * eap_peer_tls_build_ack(u8 id, EapType eap_type,
				       int peap_version);

/**
 * eap_peer_tls_reauth_init - Prepare the TLS state for re-authentication
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * Returns: int status code (exact convention not visible in this header)
 */
int eap_peer_tls_reauth_init(struct eap_sm *sm, struct eap_ssl_data *data);

/**
 * eap_peer_tls_status - Write a textual status of the TLS connection
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * @buf: Buffer for the status text
 * @buflen: Size of @buf in bytes; writes must stay within this bound
 * @verbose: Whether to include more detailed information
 * Returns: Number of bytes written to @buf (presumed; verify)
 */
int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data,
			char *buf, size_t buflen, int verbose);

/**
 * eap_peer_tls_process_init - Parse the EAP-TLS header of a request
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * @eap_type: EAP type the request is expected to carry
 * @ret: Return values from EAP request validation and processing
 * @reqData: EAP request to be processed
 * @len: Output: length of the TLS payload following the Flags octet
 * @flags: Output: the Flags octet (see EAP_TLS_FLAGS_* above)
 * Returns: Pointer to the start of the TLS payload inside @reqData, or NULL
 * if the request is not valid
 */
const u8 * eap_peer_tls_process_init(struct eap_sm *sm,
				     struct eap_ssl_data *data,
				     EapType eap_type,
				     struct eap_method_ret *ret,
				     const struct wpabuf *reqData,
				     size_t *len, u8 *flags);

/**
 * eap_peer_tls_reset_input - Discard the incoming re-assembly state
 * @data: Data for TLS processing
 */
void eap_peer_tls_reset_input(struct eap_ssl_data *data);

/**
 * eap_peer_tls_reset_output - Discard the outgoing fragmentation state
 * @data: Data for TLS processing
 */
void eap_peer_tls_reset_output(struct eap_ssl_data *data);

/**
 * eap_peer_tls_decrypt - Decrypt received Phase 2 (tunneled) data
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * @in_data: Received TLS data
 * @in_decrypted: Output: decrypted application data, or NULL
 * Returns: int status code (exact convention not visible in this header)
 */
int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
			 const struct wpabuf *in_data,
			 struct wpabuf **in_decrypted);

/**
 * eap_peer_tls_encrypt - Encrypt Phase 2 data and build the EAP response
 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
 * @data: Data for TLS processing
 * @eap_type: EAP type the response is built for
 * @peap_version: Version number for the Flags octet (EAP_TLS_VERSION_MASK)
 * @id: EAP identifier for the response
 * @in_data: Plaintext data to be encrypted
 * @out_data: Output: EAP response carrying the encrypted data, or NULL
 * Returns: int status code (exact convention not visible in this header)
 */
int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data,
			 EapType eap_type, int peap_version, u8 id,
			 const struct wpabuf *in_data,
			 struct wpabuf **out_data);

/**
 * eap_peer_select_phase2_methods - Select the allowed Phase 2 EAP methods
 * @config: Pointer to the network configuration
 * @prefix: Configuration key prefix naming the Phase 2 method list
 * @types: Output: allocated array of selected method types
 * @num_types: Output: number of entries in @types
 * Returns: int status code (exact convention not visible in this header)
 */
int eap_peer_select_phase2_methods(struct eap_peer_config *config,
				   const char *prefix,
				   struct eap_method_type **types,
				   size_t *num_types);

/**
 * eap_peer_tls_phase2_nak - Build a Phase 2 Nak listing acceptable methods
 * @types: Array of EAP method types the peer is willing to use
 * @num_types: Number of entries in @types
 * @hdr: EAP header of the request being rejected
 * @resp: Output: the Nak response message
 * Returns: int status code (exact convention not visible in this header)
 */
int eap_peer_tls_phase2_nak(struct eap_method_type *types, size_t num_types,
			    struct eap_hdr *hdr, struct wpabuf **resp);

#endif /* EAP_TLS_COMMON_H */