| /* |
| * EAP-TEAP definitions (RFC 7170) |
| * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> |
| * |
| * This software may be distributed under the terms of the BSD license. |
| * See README for more details. |
| */ |
| |
| #ifndef EAP_TEAP_H |
| #define EAP_TEAP_H |
| |
/* TEAP protocol version implemented here */
#define EAP_TEAP_VERSION 1
/* Length (octets) of the MSK and EMSK exported to the EAP layer */
#define EAP_TEAP_KEY_LEN 64
/*
 * Intermediate Compound Key lengths (octets). Each IMCK[j] is split into
 * S-IMCK[j] (the seed fed into the next eap_teap_derive_imck() round) followed
 * by CMK[j] (the key for the Compound MAC):
 * EAP_TEAP_IMCK_LEN == EAP_TEAP_SIMCK_LEN + EAP_TEAP_CMK_LEN.
 */
#define EAP_TEAP_IMCK_LEN 60
#define EAP_TEAP_SIMCK_LEN 40
#define EAP_TEAP_CMK_LEN 20
/* Size of each Compound MAC field in struct teap_tlv_crypto_binding */
#define EAP_TEAP_COMPOUND_MAC_LEN 20
/* Size of the Nonce field in struct teap_tlv_crypto_binding */
#define EAP_TEAP_NONCE_LEN 32

/* TLS exporter label used to pull the session key seed out of the tunnel */
#define TEAP_TLS_EXPORTER_LABEL_SKS "EXPORTER: teap session key seed"

/*
 * TLS extension type carrying the PAC-Opaque (the SessionTicket extension
 * number from RFC 5077, reused by RFC 7170).
 */
#define TLS_EXT_PAC_OPAQUE 35
| |
/*
 * RFC 7170: Section 4.2.12.1 - Formats for PAC Attributes
 * Note: bit 0x8000 (Mandatory) and bit 0x4000 (Reserved) are also defined
 * in the general TLV format (Section 4.2.1).
 *
 * These values appear in struct pac_attr_hdr::type for the attributes
 * carried inside a PAC TLV (TEAP_TLV_PAC).
 */
#define PAC_TYPE_PAC_KEY 1 /* secret key material (see EAP_TEAP_PAC_KEY_LEN) */
#define PAC_TYPE_PAC_OPAQUE 2 /* server-generated blob, opaque to the peer */
#define PAC_TYPE_CRED_LIFETIME 3
#define PAC_TYPE_A_ID 4 /* Authority Identifier */
#define PAC_TYPE_I_ID 5 /* Initiator Identifier */
/* 6 - Reserved */
#define PAC_TYPE_A_ID_INFO 7
#define PAC_TYPE_PAC_ACKNOWLEDGEMENT 8 /* see struct teap_tlv_pac_ack */
#define PAC_TYPE_PAC_INFO 9
#define PAC_TYPE_PAC_TYPE 10 /* see struct teap_attr_pac_type */
| |
| #ifdef _MSC_VER |
| #pragma pack(push, 1) |
| #endif /* _MSC_VER */ |
| |
/*
 * Header of one attribute inside a PAC TLV. Both fields are big-endian on
 * the wire: type is a PAC_TYPE_* value, len is the number of value octets
 * that follow this header (the header itself is not counted).
 */
struct pac_attr_hdr {
	be16 type;
	be16 len;
} STRUCT_PACKED;
| |
/*
 * Generic TEAP TLV header. tlv_type carries the M/R flag bits in its top two
 * bits (see TEAP_TLV_MANDATORY / TEAP_TLV_TYPE_MASK) and an enum
 * teap_tlv_types value in the remaining 14 bits; length counts the value
 * octets following this header.
 */
struct teap_tlv_hdr {
	be16 tlv_type;
	be16 length;
} STRUCT_PACKED;
| |
/*
 * Result TLV and Intermediate-Result TLV (TEAP_TLV_RESULT /
 * TEAP_TLV_INTERMEDIATE_RESULT). status holds an enum teap_tlv_result_status
 * value.
 */
struct teap_tlv_result {
	be16 tlv_type;
	be16 length;
	be16 status;
	/* for Intermediate-Result TLV, followed by optional TLVs */
} STRUCT_PACKED;
| |
/*
 * NAK TLV (TEAP_TLV_NAK): rejects a TLV the sender does not support.
 * nak_type is the TLV type being refused; vendor_id qualifies it for
 * vendor-specific types.
 */
struct teap_tlv_nak {
	be16 tlv_type;
	be16 length;
	be32 vendor_id;
	be16 nak_type;
	/* followed by optional TLVs */
} STRUCT_PACKED;
| |
/*
 * Crypto-Binding TLV (TEAP_TLV_CRYPTO_BINDING). Ties the inner method
 * result to the outer TLS tunnel: each Compound MAC is computed by
 * eap_teap_compound_mac() over this TLV and the outer TLVs of both sides,
 * keyed with a CMK from eap_teap_derive_imck() (one from the MSK-based
 * chain, one from the EMSK-based chain). Fixed size; length is the struct
 * size minus the 4-octet header.
 */
struct teap_tlv_crypto_binding {
	be16 tlv_type; /* TLV Type[14b] and M/R flags */
	be16 length;
	u8 reserved;
	u8 version; /* TEAP version used by the sender */
	u8 received_version; /* TEAP version the sender saw from its peer */
	u8 subtype; /* Flags[4b] and Sub-Type[4b] */
	/*
	 * subtype: Flags (TEAP_CRYPTO_BINDING_*_CMAC, which MAC fields are
	 * valid) and Sub-Type (TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST/RESPONSE).
	 * NOTE(review): the field comment lists Flags first, i.e. upper
	 * nibble - confirm the nibble order against the parser.
	 */
	u8 nonce[EAP_TEAP_NONCE_LEN]; /* random input to the Compound MAC */
	u8 emsk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; /* CMK[EMSK]-keyed;
							  * presumably zero when
							  * Flags exclude it -
							  * confirm */
	u8 msk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; /* CMK[MSK]-keyed */
} STRUCT_PACKED;
| |
/*
 * Request-Action TLV (TEAP_TLV_REQUEST_ACTION). action is an enum
 * teap_request_action value; status is presumably an enum
 * teap_tlv_result_status value (1 octet on the wire) - confirm.
 */
struct teap_tlv_request_action {
	be16 tlv_type;
	be16 length;
	u8 status;
	u8 action;
	/* followed by optional TLVs */
} STRUCT_PACKED;
| |
/* Action field of struct teap_tlv_request_action */
enum teap_request_action {
	TEAP_REQUEST_ACTION_PROCESS_TLV = 1, /* process the TLVs that follow */
	TEAP_REQUEST_ACTION_NEGOTIATE_EAP = 2, /* start another inner EAP method */
};
| |
/*
 * PAC TLV with PAC-Acknowledgement TLV attribute
 *
 * Complete PAC TLV (TEAP_TLV_PAC) whose only attribute is a
 * PAC-Acknowledgement: pac_type is PAC_TYPE_PAC_ACKNOWLEDGEMENT, pac_len the
 * attribute value length, result presumably an enum teap_tlv_result_status
 * value - confirm.
 */
struct teap_tlv_pac_ack {
	be16 tlv_type;
	be16 length;
	be16 pac_type;
	be16 pac_len;
	be16 result;
} STRUCT_PACKED;
| |
/*
 * PAC-Type attribute inside a PAC TLV: a pac_attr_hdr followed by a 2-octet
 * PAC type (e.g., PAC_TYPE_TUNNEL_PAC).
 */
struct teap_attr_pac_type {
	be16 type; /* PAC_TYPE_PAC_TYPE */
	be16 length; /* 2 */
	be16 pac_type;
} STRUCT_PACKED;
| |
| #ifdef _MSC_VER |
| #pragma pack(pop) |
| #endif /* _MSC_VER */ |
| |
/* Sub-Type values of struct teap_tlv_crypto_binding::subtype */
#define TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST 0
#define TEAP_CRYPTO_BINDING_SUBTYPE_RESPONSE 1

/*
 * Flags values of struct teap_tlv_crypto_binding::subtype: a bit mask
 * saying which Compound MAC fields are valid (EMSK_AND_MSK == EMSK | MSK).
 */
#define TEAP_CRYPTO_BINDING_EMSK_CMAC 1
#define TEAP_CRYPTO_BINDING_MSK_CMAC 2
#define TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC 3


/* Length (octets) of the PAC-Key attribute value (PAC_TYPE_PAC_KEY) */
#define EAP_TEAP_PAC_KEY_LEN 48

/* RFC 7170: 4.2.12.6 PAC-Type TLV */
#define PAC_TYPE_TUNNEL_PAC 1
| |
| |
/*
 * RFC 7170, 4.2.1: General TLV Format
 *
 * TLV Type values. On the wire they share the 16-bit field with the M/R
 * flag bits, so apply TEAP_TLV_TYPE_MASK before comparing a received
 * tlv_type against these constants.
 */
enum teap_tlv_types {
	TEAP_TLV_AUTHORITY_ID = 1,
	TEAP_TLV_IDENTITY_TYPE = 2,
	TEAP_TLV_RESULT = 3,
	TEAP_TLV_NAK = 4,
	TEAP_TLV_ERROR = 5,
	TEAP_TLV_CHANNEL_BINDING = 6,
	TEAP_TLV_VENDOR_SPECIFIC = 7,
	TEAP_TLV_REQUEST_ACTION = 8,
	TEAP_TLV_EAP_PAYLOAD = 9,
	TEAP_TLV_INTERMEDIATE_RESULT = 10,
	TEAP_TLV_PAC = 11,
	TEAP_TLV_CRYPTO_BINDING = 12,
	TEAP_TLV_BASIC_PASSWORD_AUTH_REQ = 13,
	TEAP_TLV_BASIC_PASSWORD_AUTH_RESP = 14,
	TEAP_TLV_PKCS7 = 15,
	TEAP_TLV_PKCS10 = 16,
	TEAP_TLV_TRUSTED_SERVER_ROOT = 17,
};
| |
/* Status field of the Result and Intermediate-Result TLVs */
enum teap_tlv_result_status {
	TEAP_STATUS_SUCCESS = 1,
	TEAP_STATUS_FAILURE = 2
};
| |
/*
 * Identity-Type values within Identity-Type TLV (TEAP_TLV_IDENTITY_TYPE);
 * also what eap_teap_tlv_identity_type() encodes.
 */
enum teap_identity_types {
	TEAP_IDENTITY_TYPE_USER = 1,
	TEAP_IDENTITY_TYPE_MACHINE = 2,
};
| |
/*
 * Bit layout of the 16-bit TLV Type field: bit 15 = Mandatory (M),
 * bit 14 = Reserved (R), bits 13..0 = type. Mask with TEAP_TLV_TYPE_MASK
 * before matching against enum teap_tlv_types. A TLV with
 * TEAP_TLV_MANDATORY set is one the receiver is not meant to skip silently
 * when its type is not understood (it is answered with a NAK TLV instead).
 */
#define TEAP_TLV_MANDATORY 0x8000
#define TEAP_TLV_TYPE_MASK 0x3fff
| |
/*
 * RFC 7170, 4.2.6: Error TLV
 *
 * Error-Code values (also the argument of eap_teap_tlv_error()). The 1xxx
 * codes describe authentication/account problems for the current user; the
 * 2xxx codes report a problem with the tunnel exchange itself.
 */
enum teap_error_codes {
	TEAP_ERROR_INNER_METHOD = 1001,
	TEAP_ERROR_UNSPEC_AUTH_INFRA_PROBLEM = 1002,
	TEAP_ERROR_UNSPEC_AUTHENTICATION_FAILURE = 1003,
	TEAP_ERROR_UNSPEC_AUTHORIZATION_FAILURE = 1004,
	TEAP_ERROR_USER_ACCOUNT_CRED_UNAVAILABLE = 1005,
	TEAP_ERROR_USER_ACCOUNT_EXPIRED = 1006,
	TEAP_ERROR_USER_ACCOUNT_LOCKED_TRY_AGAIN_LATER = 1007,
	TEAP_ERROR_USER_ACCOUNT_LOCKED_ADMIN_REQ = 1008,
	TEAP_ERROR_TUNNEL_COMPROMISE_ERROR = 2001,
	TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED = 2002,
};
| |
/* Opaque types defined elsewhere; only pointers to them are used here */
struct wpabuf;
struct tls_connection;
| |
/*
 * Collected results of parsing the TLVs in one TEAP message, filled in by
 * eap_teap_parse_tlv() one TLV at a time. NOTE(review): the u8 * members
 * look like non-owning pointers into the received buffer handed to
 * eap_teap_parse_tlv() (each is paired with a length), so they are only
 * valid as long as that buffer is - confirm against the parser.
 */
struct eap_teap_tlv_parse {
	u8 *eap_payload_tlv; /* EAP-Payload TLV value */
	size_t eap_payload_tlv_len;
	struct teap_tlv_crypto_binding *crypto_binding; /* whole TLV */
	size_t crypto_binding_len;
	int iresult; /* Intermediate-Result status */
	int result; /* Result status */
	u8 *nak;
	size_t nak_len;
	u8 request_action; /* enum teap_request_action */
	u8 request_action_status;
	u8 *pac; /* PAC TLV value */
	size_t pac_len;
	u8 *basic_auth_req;
	size_t basic_auth_req_len;
	u8 *basic_auth_resp;
	size_t basic_auth_resp_len;
	u32 error_code; /* enum teap_error_codes from an Error TLV */
	u16 identity_type; /* enum teap_identity_types */
};
| |
/*
 * Append a TLV header (type, len) to buf; the caller then appends the len
 * octets of value itself.
 */
void eap_teap_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len);
/* Append a complete TLV: header plus len octets copied from data */
void eap_teap_put_tlv(struct wpabuf *buf, u16 type, const void *data, u16 len);
/* As eap_teap_put_tlv(), taking the value from another wpabuf */
void eap_teap_put_tlv_buf(struct wpabuf *buf, u16 type,
			  const struct wpabuf *data);
/*
 * Wrap an EAP message in an EAP-Payload TLV. NOTE(review): returns a newly
 * allocated wpabuf; whether buf is consumed or left to the caller is not
 * visible here - check the implementation before using it.
 */
struct wpabuf * eap_teap_tlv_eap_payload(struct wpabuf *buf);
/*
 * Key derivations. tls_cs is the negotiated TLS cipher suite, which selects
 * the hash used by the derivation. Return values are int; presumably 0 on
 * success and negative on failure - confirm.
 */
int eap_teap_derive_eap_msk(u16 tls_cs, const u8 *simck, u8 *msk);
int eap_teap_derive_eap_emsk(u16 tls_cs, const u8 *simck, u8 *emsk);
/* CMK derivation used when the inner method is Basic-Password-Auth */
int eap_teap_derive_cmk_basic_pw_auth(u16 tls_cs, const u8 *s_imck_msk,
				      u8 *cmk);
/*
 * Derive the next S-IMCK/CMK pair for both the MSK-based and the EMSK-based
 * chains from the previous S-IMCKs and the inner method's MSK/EMSK
 * (EAP_TEAP_SIMCK_LEN and EAP_TEAP_CMK_LEN octets each).
 */
int eap_teap_derive_imck(u16 tls_cs,
			 const u8 *prev_s_imck_msk, const u8 *prev_s_imck_emsk,
			 const u8 *msk, size_t msk_len,
			 const u8 *emsk, size_t emsk_len,
			 u8 *s_imck_msk, u8 *cmk_msk,
			 u8 *s_imck_emsk, u8 *cmk_emsk);
/*
 * Compute a Compound MAC over the Crypto-Binding TLV cb and both sides'
 * outer TLVs, keyed with cmk; writes EAP_TEAP_COMPOUND_MAC_LEN octets to
 * compound_mac.
 */
int eap_teap_compound_mac(u16 tls_cs, const struct teap_tlv_crypto_binding *cb,
			  const struct wpabuf *server_outer_tlvs,
			  const struct wpabuf *peer_outer_tlvs,
			  const u8 *cmk, u8 *compound_mac);
/*
 * Record one TLV of tlv_type, whose value starts at pos and is len octets
 * long, in tlv. pos is data received from the peer, so every read must stay
 * within len; the pointers stored in tlv appear to alias pos rather than
 * copy it.
 */
int eap_teap_parse_tlv(struct eap_teap_tlv_parse *tlv,
		       int tlv_type, u8 *pos, size_t len);
/* Human-readable name of a TLV type, for logging */
const char * eap_teap_tlv_type_str(enum teap_tlv_types type);
/* Build a Result (intermediate == 0) or Intermediate-Result TLV */
struct wpabuf * eap_teap_tlv_result(int status, int intermediate);
/* Build an Error TLV carrying error */
struct wpabuf * eap_teap_tlv_error(enum teap_error_codes error);
/* Build an Identity-Type TLV carrying id */
struct wpabuf * eap_teap_tlv_identity_type(enum teap_identity_types id);
/*
 * Incomplete enum declaration: not standard C, but accepted by GCC/Clang;
 * the full definition lives in the common EAP headers.
 */
enum eap_type;
/*
 * Policy checks for anonymous (unauthenticated-server) provisioning: which
 * inner methods and TLS cipher suites are acceptable in that mode. Return
 * nonzero when allowed - assumed from the int return; confirm.
 */
int eap_teap_allowed_anon_prov_phase2_method(int vendor, enum eap_type type);
int eap_teap_allowed_anon_prov_cipher_suite(u16 cs);
| |
| #endif /* EAP_TEAP_H */ |