xref: /freebsd-src/contrib/wpa/src/eap_peer/eap_tls_common.h (revision a90b9d0159070121c221b966469c3e36d912bf82)
139beb93cSSam Leffler /*
239beb93cSSam Leffler  * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
3f05cddf9SRui Paulo  * Copyright (c) 2004-2009, 2012, Jouni Malinen <j@w1.fi>
439beb93cSSam Leffler  *
5f05cddf9SRui Paulo  * This software may be distributed under the terms of the BSD license.
6f05cddf9SRui Paulo  * See README for more details.
739beb93cSSam Leffler  */
839beb93cSSam Leffler 
939beb93cSSam Leffler #ifndef EAP_TLS_COMMON_H
1039beb93cSSam Leffler #define EAP_TLS_COMMON_H
1139beb93cSSam Leffler 
/**
 * struct eap_ssl_data - TLS data for EAP methods
 *
 * Per-connection state shared by the EAP peer methods that carry a TLS
 * handshake (EAP-TLS, PEAP, TTLS, FAST, TEAP). It holds the TLS library
 * connection handle, the fragmentation (tls_out*) and re-assembly (tls_in*)
 * buffers for the EAP-TLS record transport, and a few flags describing the
 * method and negotiated session. Initialized by eap_peer_tls_ssl_init() and
 * torn down by eap_peer_tls_ssl_deinit(); the memory for the structure itself
 * is provided by the caller (typically embedded in the method's private
 * data).
 */
struct eap_ssl_data {
	/**
	 * conn - TLS connection context data from tls_connection_init()
	 *
	 * Opaque handle owned by the TLS wrapper; all record processing goes
	 * through the tls_connection_*() API with this handle.
	 */
	struct tls_connection *conn;

	/**
	 * tls_out - TLS message to be sent out in fragments
	 *
	 * Complete outgoing TLS message; it is sliced into EAP responses of at
	 * most tls_out_limit bytes. Presumably released by
	 * eap_peer_tls_reset_output() -- confirm in eap_tls_common.c.
	 */
	struct wpabuf *tls_out;

	/**
	 * tls_out_pos - The current position in the outgoing TLS message
	 *
	 * Offset of the next byte of tls_out that has not been sent yet.
	 */
	size_t tls_out_pos;

	/**
	 * tls_out_limit - Maximum fragment size for outgoing TLS messages
	 *
	 * Upper bound on the TLS payload placed into a single EAP response;
	 * derived from the EAP fragment size configuration (see
	 * eap_peer_tls_ssl_init()).
	 */
	size_t tls_out_limit;

	/**
	 * tls_in - Received TLS message buffer for re-assembly
	 *
	 * Accumulates fragments from the peer until the full TLS message has
	 * been received. Presumably released by eap_peer_tls_reset_input() --
	 * confirm in eap_tls_common.c.
	 */
	struct wpabuf *tls_in;

	/**
	 * tls_in_left - Number of remaining bytes in the incoming TLS message
	 *
	 * Unsigned: the re-assembly code must reject a fragment that is longer
	 * than this remaining count instead of subtracting past zero (this
	 * check belongs in eap_tls_common.c -- confirm it is present).
	 */
	size_t tls_in_left;

	/**
	 * tls_in_total - Total number of bytes in the incoming TLS message
	 *
	 * NOTE(review): when the peer sets EAP_TLS_FLAGS_LENGTH_INCLUDED this
	 * value presumably originates from the TLS Message Length field of the
	 * request, i.e. it is attacker-controlled. It must be capped to a
	 * sane maximum before any buffer is sized from it -- confirm the bound
	 * in eap_tls_common.c.
	 */
	size_t tls_in_total;

	/**
	 * phase2 - Whether this TLS connection is used in EAP phase 2 (tunnel)
	 *
	 * Non-zero for a TLS handshake carried inside an already established
	 * outer tunnel (e.g. inner methods of PEAP/TTLS).
	 */
	int phase2;

	/**
	 * include_tls_length - Whether the TLS length field is included even
	 * if the TLS data is not fragmented
	 *
	 * Some servers require the Length field (L flag) on every message, not
	 * only on the first fragment; this flag requests that behavior.
	 */
	int include_tls_length;

	/**
	 * eap - EAP state machine allocated with eap_peer_sm_init()
	 *
	 * Back-pointer to the owning state machine; not owned by this
	 * structure.
	 */
	struct eap_sm *eap;

	/**
	 * ssl_ctx - TLS library context to use for the connection
	 *
	 * Opaque pointer into the TLS wrapper; not owned by this structure.
	 */
	void *ssl_ctx;

	/**
	 * eap_type - EAP method used in Phase 1
	 * (EAP_TYPE_TLS/PEAP/TTLS/FAST/TEAP)
	 *
	 * May also hold the internal EAP_UNAUTH_TLS_TYPE /
	 * EAP_WFA_UNAUTH_TLS_TYPE stub values defined below.
	 */
	u8 eap_type;

	/**
	 * tls_v13 - Whether TLS v1.3 or newer is used
	 *
	 * Set once the version has been negotiated; TLS 1.3 changes key export
	 * and end-of-handshake handling for EAP-TLS, so consumers presumably
	 * branch on this (confirm against the .c file).
	 */
	int tls_v13;

	/**
	 * client_cert_conf - Whether client certificate has been configured
	 *
	 * true when the peer configuration supplied a client certificate for
	 * this connection, i.e. mutual TLS authentication is expected.
	 */
	bool client_cert_conf;
};
8839beb93cSSam Leffler 
8939beb93cSSam Leffler 
/*
 * EAP TLS Flags - bit values of the Flags octet that starts the method data
 * of every EAP-TLS/PEAP/TTLS/FAST/TEAP message. Bit 0x08 is not assigned
 * here and is left reserved.
 */
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80	/* L: TLS message length field present */
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40	/* M: more fragments follow */
#define EAP_TLS_FLAGS_START 0x20		/* S: EAP-TLS Start from the server */
#define EAP_TEAP_FLAGS_OUTER_TLV_LEN 0x10	/* O (TEAP only): Outer TLV length present */
#define EAP_TLS_VERSION_MASK 0x07		/* low 3 bits: PEAP/TTLS/FAST/TEAP version */

/*
 * Length of the key material consumed from the TLS key derivation. The
 * derivation can yield up to 128 bytes, but only the first 64 bytes are used
 * by these methods (presumably the MSK; the remaining 64 would be the EMSK --
 * confirm against eap_peer_tls_derive_key()).
 */
#define EAP_TLS_KEY_LEN 64

/*
 * Stub EAP type values used internally as flags to select the
 * unauthenticated (server-only) TLS variants; passed as eap_type to
 * eap_peer_tls_ssl_init() and stored in struct eap_ssl_data::eap_type.
 * NOTE(review): these overlap real wire values (254 = Expanded Types,
 * 255 = Experimental in RFC 3748), so they must never be encoded into an
 * EAP packet -- confirm no code path writes them to the wire.
 */
#define EAP_UNAUTH_TLS_TYPE 255
#define EAP_WFA_UNAUTH_TLS_TYPE 254
103f05cddf9SRui Paulo 
10439beb93cSSam Leffler 
/**
 * eap_peer_tls_ssl_init - Initialize TLS state for an EAP method
 * @sm: EAP state machine
 * @data: Caller-provided TLS data structure to initialize
 * @config: Peer configuration (credentials and server trust settings)
 * @eap_type: Phase 1 method, or one of the EAP_*UNAUTH_TLS_TYPE stubs
 * Returns: presumably 0 on success, -1 on failure (hostap convention; confirm)
 */
int eap_peer_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
			  struct eap_peer_config *config, u8 eap_type);

/**
 * eap_peer_tls_ssl_deinit - Release TLS state set up by eap_peer_tls_ssl_init()
 * @sm: EAP state machine
 * @data: TLS data structure (the structure memory itself is not freed)
 */
void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);

/**
 * eap_peer_tls_derive_key - Derive keying material from the TLS session
 * @sm: EAP state machine
 * @data: TLS data structure
 * @label: Key derivation label (method specific)
 * @context: Optional context value for the derivation, or %NULL
 * @context_len: Length of @context in bytes
 * @len: Number of bytes of key material requested
 * Returns: Pointer to the derived key, or %NULL on failure. Presumably a
 * newly allocated buffer the caller must free (and should clear before
 * freeing, it is key material) -- confirm in eap_tls_common.c.
 */
u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
			     const char *label, const u8 *context,
			     size_t context_len, size_t len);

/**
 * eap_peer_tls_derive_session_id - Derive the EAP Session-Id for the method
 * @sm: EAP state machine
 * @data: TLS data structure
 * @eap_type: Phase 1 method type (becomes the first octet of the Session-Id)
 * @len: Output: length of the returned Session-Id
 * Returns: Session-Id buffer, or %NULL on failure (ownership presumably
 * passes to the caller -- confirm)
 */
u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
				    struct eap_ssl_data *data, u8 eap_type,
				    size_t *len);

/**
 * eap_peer_tls_process_helper - Feed a received TLS fragment to the handshake
 * @sm: EAP state machine
 * @data: TLS data structure
 * @eap_type: EAP method type used for the outgoing response header
 * @peap_version: Version bits to place in the Flags octet
 * @id: EAP identifier of the request being answered
 * @in_data: Received TLS data (already stripped of the EAP/flags header)
 * @out_data: Output: response message to send, if any
 * Returns: int status; the exact meaning of the values (done / continue /
 * failure) is defined in eap_tls_common.c -- check before relying on them
 */
int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
				enum eap_type eap_type, int peap_version,
				u8 id, const struct wpabuf *in_data,
				struct wpabuf **out_data);

/**
 * eap_peer_tls_build_ack - Build an empty (ACK) response for a fragment
 * @id: EAP identifier of the request being acknowledged
 * @eap_type: EAP method type for the response header
 * @peap_version: Version bits to place in the Flags octet
 * Returns: Allocated response, or %NULL on failure
 */
struct wpabuf * eap_peer_tls_build_ack(u8 id, enum eap_type eap_type,
				       int peap_version);

/**
 * eap_peer_tls_reauth_init - Prepare TLS state for fast re-authentication
 * @sm: EAP state machine
 * @data: TLS data structure
 * Returns: presumably 0 on success, -1 on failure (confirm)
 */
int eap_peer_tls_reauth_init(struct eap_sm *sm, struct eap_ssl_data *data);

/**
 * eap_peer_tls_status - Write a textual status of the TLS connection
 * @sm: EAP state machine
 * @data: TLS data structure
 * @buf: Output buffer
 * @buflen: Size of @buf in bytes
 * @verbose: Whether to include extra detail
 * Returns: Number of bytes written to @buf
 */
int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data,
			char *buf, size_t buflen, int verbose);

/**
 * eap_peer_tls_process_init - Parse the EAP-TLS header of a request
 * @sm: EAP state machine
 * @data: TLS data structure
 * @eap_type: Expected EAP method type of the request
 * @ret: Method return status, updated on error
 * @reqData: Received EAP request
 * @len: Output: length of the TLS payload that follows the header
 * @flags: Output: the Flags octet (see EAP_TLS_FLAGS_*)
 * Returns: Pointer to the start of the TLS payload inside @reqData, or %NULL
 * if the request is malformed
 */
const u8 * eap_peer_tls_process_init(struct eap_sm *sm,
				     struct eap_ssl_data *data,
				     enum eap_type eap_type,
				     struct eap_method_ret *ret,
				     const struct wpabuf *reqData,
				     size_t *len, u8 *flags);

/**
 * eap_peer_tls_reset_input - Discard any partially re-assembled input
 * @data: TLS data structure
 */
void eap_peer_tls_reset_input(struct eap_ssl_data *data);

/**
 * eap_peer_tls_reset_output - Discard any pending outgoing fragments
 * @data: TLS data structure
 */
void eap_peer_tls_reset_output(struct eap_ssl_data *data);

/**
 * eap_peer_tls_decrypt - Decrypt Phase 2 data received inside the TLS tunnel
 * @sm: EAP state machine
 * @data: TLS data structure
 * @in_data: Received TLS records
 * @in_decrypted: Output: plaintext payload
 * Returns: presumably 0 on success, 1 if more fragments are needed, -1 on
 * failure -- confirm in eap_tls_common.c
 */
int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
			 const struct wpabuf *in_data,
			 struct wpabuf **in_decrypted);

/**
 * eap_peer_tls_encrypt - Encrypt Phase 2 data for the TLS tunnel
 * @sm: EAP state machine
 * @data: TLS data structure
 * @eap_type: EAP method type for the response header
 * @peap_version: Version bits to place in the Flags octet
 * @id: EAP identifier of the request being answered
 * @in_data: Plaintext to encrypt
 * @out_data: Output: response message carrying the TLS records
 * Returns: presumably 0 on success, -1 on failure (confirm)
 */
int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data,
			 enum eap_type eap_type, int peap_version, u8 id,
			 const struct wpabuf *in_data,
			 struct wpabuf **out_data);

/**
 * eap_peer_select_phase2_methods - Select the Phase 2 methods from the config
 * @config: Peer configuration
 * @prefix: Prefix used for this tunnel's phase2 parameters (e.g. "auth=")
 * @types: Output: allocated array of selected method types
 * @num_types: Output: number of entries in @types
 * @use_machine_cred: Whether to select from the machine credentials instead
 * Returns: presumably 0 on success, -1 on failure (confirm)
 */
int eap_peer_select_phase2_methods(struct eap_peer_config *config,
				   const char *prefix,
				   struct eap_method_type **types,
				   size_t *num_types, int use_machine_cred);

/**
 * eap_peer_tls_phase2_nak - Build a Phase 2 Nak listing acceptable methods
 * @types: Acceptable method types
 * @num_types: Number of entries in @types
 * @hdr: Header of the Phase 2 request being refused
 * @resp: Output: allocated Nak response
 * Returns: presumably 0 on success, -1 on failure (confirm)
 */
int eap_peer_tls_phase2_nak(struct eap_method_type *types, size_t num_types,
			    struct eap_hdr *hdr, struct wpabuf **resp);
14439beb93cSSam Leffler 
14539beb93cSSam Leffler #endif /* EAP_TLS_COMMON_H */