xref: /freebsd/contrib/wpa/src/eap_server/eap_tls_common.h (revision 87b759f0fa1f7554d50ce640c40138512bbded44)
1 /*
2  * EAP-TLS/PEAP/TTLS/FAST server common functions
3  * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef EAP_TLS_COMMON_H
10 #define EAP_TLS_COMMON_H
11 
12 /**
13  * struct eap_ssl_data - TLS data for EAP methods
14  */
15 struct eap_ssl_data {
16 	/**
17 	 * conn - TLS connection context data from tls_connection_init()
18 	 */
19 	struct tls_connection *conn;
20 
21 	/**
22 	 * tls_out - TLS message to be sent out in fragments
23 	 */
24 	struct wpabuf *tls_out;
25 
26 	/**
27 	 * tls_out_pos - The current position in the outgoing TLS message
28 	 */
29 	size_t tls_out_pos;
30 
31 	/**
32 	 * tls_out_limit - Maximum fragment size for outgoing TLS messages
33 	 */
34 	size_t tls_out_limit;
35 
36 	/**
37 	 * tls_in - Received TLS message buffer for re-assembly
38 	 */
39 	struct wpabuf *tls_in;
40 
41 	/**
42 	 * phase2 - Whether this TLS connection is used in EAP phase 2 (tunnel)
43 	 */
44 	int phase2;
45 
46 	/**
47 	 * eap - EAP state machine allocated with eap_server_sm_init()
48 	 */
49 	struct eap_sm *eap;
50 
51 	enum { MSG, FRAG_ACK, WAIT_FRAG_ACK } state;
52 	struct wpabuf tmpbuf;
53 
54 	/**
55 	 * tls_v13 - Whether TLS v1.3 or newer is used
56 	 */
57 	int tls_v13;
58 
59 	bool skip_prot_success; /* testing behavior only for TLS v1.3 */
60 };
61 
62 
63 /* EAP TLS Flags */
64 #define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
65 #define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40
66 #define EAP_TLS_FLAGS_START 0x20
67 #define EAP_TEAP_FLAGS_OUTER_TLV_LEN 0x10
68 #define EAP_TLS_VERSION_MASK 0x07
69 
70  /* could be up to 128 bytes, but only the first 64 bytes are used */
71 #define EAP_TLS_KEY_LEN 64
72 
73 /* stub type used as a flag for UNAUTH-TLS */
74 #define EAP_UNAUTH_TLS_TYPE 255
75 #define EAP_WFA_UNAUTH_TLS_TYPE 254
76 
77 
78 struct wpabuf * eap_tls_msg_alloc(enum eap_type type, size_t payload_len,
79 				  u8 code, u8 identifier);
80 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
81 			    int verify_peer, int eap_type);
82 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);
83 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
84 			       const char *label, const u8 *context,
85 			       size_t context_len, size_t len);
86 u8 * eap_server_tls_derive_session_id(struct eap_sm *sm,
87 				      struct eap_ssl_data *data, u8 eap_type,
88 				      size_t *len);
89 struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
90 					 int eap_type, int version, u8 id);
91 struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version);
92 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data);
93 struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
94 				       struct eap_ssl_data *data,
95 				       const struct wpabuf *plain);
96 int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
97 			   struct wpabuf *respData, void *priv, int eap_type,
98 			   int (*proc_version)(struct eap_sm *sm, void *priv,
99 					       int peer_version),
100 			   void (*proc_msg)(struct eap_sm *sm, void *priv,
101 					    const struct wpabuf *respData));
102 
103 #endif /* EAP_TLS_COMMON_H */
104