1 files changed, 218 insertions, 0 deletions
diff --git a/src/eap_common/eap_teap_common.h b/src/eap_common/eap_teap_common.h
new file mode 100644
index 000000000000..585ec7c2f69a
--- /dev/null
+++ b/src/eap_common/eap_teap_common.h
@@ -0,0 +1,218 @@
+/*
+ * EAP-TEAP definitions (RFC 7170)
+ * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#ifndef EAP_TEAP_H
+#define EAP_TEAP_H
+
+#define EAP_TEAP_VERSION 1
+#define EAP_TEAP_KEY_LEN 64
+#define EAP_TEAP_IMCK_LEN 60
+#define EAP_TEAP_SIMCK_LEN 40
+#define EAP_TEAP_CMK_LEN 20
+#define EAP_TEAP_COMPOUND_MAC_LEN 20
+#define EAP_TEAP_NONCE_LEN 32
+
+#define TEAP_TLS_EXPORTER_LABEL_SKS "EXPORTER: teap session key seed"
+
+#define TLS_EXT_PAC_OPAQUE 35
+
+/*
+ * RFC 7170: Section 4.2.12.1 - Formats for PAC Attributes
+ * Note: bit 0x8000 (Mandatory) and bit 0x4000 (Reserved) are also defined
+ * in the general TLV format (Section 4.2.1).
+ */
+#define PAC_TYPE_PAC_KEY 1
+#define PAC_TYPE_PAC_OPAQUE 2
+#define PAC_TYPE_CRED_LIFETIME 3
+#define PAC_TYPE_A_ID 4
+#define PAC_TYPE_I_ID 5
+/* 6 - Reserved */
+#define PAC_TYPE_A_ID_INFO 7
+#define PAC_TYPE_PAC_ACKNOWLEDGEMENT 8
+#define PAC_TYPE_PAC_INFO 9
+#define PAC_TYPE_PAC_TYPE 10
+
+#ifdef _MSC_VER
+#pragma pack(push, 1)
+#endif /* _MSC_VER */
+
+struct pac_attr_hdr {
+	be16 type;
+	be16 len;
+} STRUCT_PACKED;
+
+struct teap_tlv_hdr {
+	be16 tlv_type;
+	be16 length;
+} STRUCT_PACKED;
+
+/* Result TLV and Intermediate-Result TLV */
+struct teap_tlv_result {
+	be16 tlv_type;
+	be16 length;
+	be16 status;
+	/* for Intermediate-Result TLV, followed by optional TLVs */
+} STRUCT_PACKED;
+
+struct teap_tlv_nak {
+	be16 tlv_type;
+	be16 length;
+	be32 vendor_id;
+	be16 nak_type;
+	/* followed by optional TLVs */
+} STRUCT_PACKED;
+
+struct teap_tlv_crypto_binding {
+	be16 tlv_type; /* TLV Type[14b] and M/R flags */
+	be16 length;
+	u8 reserved;
+	u8 version;
+	u8 received_version;
+	u8 subtype; /* Flags[4b] and Sub-Type[4b] */
+	u8 nonce[EAP_TEAP_NONCE_LEN];
+	u8 emsk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN];
+	u8 msk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN];
+} STRUCT_PACKED;
+
+struct teap_tlv_request_action {
+	be16 tlv_type;
+	be16 length;
+	u8 status;
+	u8 action;
+	/* followed by optional TLVs */
+} STRUCT_PACKED;
+
+enum teap_request_action {
+	TEAP_REQUEST_ACTION_PROCESS_TLV = 1,
+	TEAP_REQUEST_ACTION_NEGOTIATE_EAP = 2,
+};
+
+/* PAC TLV with PAC-Acknowledgement TLV attribute */
+struct teap_tlv_pac_ack {
+	be16 tlv_type;
+	be16 length;
+	be16 pac_type;
+	be16 pac_len;
+	be16 result;
+} STRUCT_PACKED;
+
+struct teap_attr_pac_type {
+	be16 type; /* PAC_TYPE_PAC_TYPE */
+	be16 length; /* 2 */
+	be16 pac_type;
+} STRUCT_PACKED;
+
+#ifdef _MSC_VER
+#pragma pack(pop)
+#endif /* _MSC_VER */
+
+#define TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST 0
+#define TEAP_CRYPTO_BINDING_SUBTYPE_RESPONSE 1
+
+#define TEAP_CRYPTO_BINDING_EMSK_CMAC 1
+#define TEAP_CRYPTO_BINDING_MSK_CMAC 2
+#define TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC 3
+
+
+#define EAP_TEAP_PAC_KEY_LEN 48
+
+/* RFC 7170: 4.2.12.6 PAC-Type TLV */
+#define PAC_TYPE_TUNNEL_PAC 1
+
+
+/* RFC 7170, 4.2.1: General TLV Format */
+enum teap_tlv_types {
+	TEAP_TLV_AUTHORITY_ID = 1,
+	TEAP_TLV_IDENTITY_TYPE = 2,
+	TEAP_TLV_RESULT = 3,
+	TEAP_TLV_NAK = 4,
+	TEAP_TLV_ERROR = 5,
+	TEAP_TLV_CHANNEL_BINDING = 6,
+	TEAP_TLV_VENDOR_SPECIFIC = 7,
+	TEAP_TLV_REQUEST_ACTION = 8,
+	TEAP_TLV_EAP_PAYLOAD = 9,
+	TEAP_TLV_INTERMEDIATE_RESULT = 10,
+	TEAP_TLV_PAC = 11,
+	TEAP_TLV_CRYPTO_BINDING = 12,
+	TEAP_TLV_BASIC_PASSWORD_AUTH_REQ = 13,
+	TEAP_TLV_BASIC_PASSWORD_AUTH_RESP = 14,
+	TEAP_TLV_PKCS7 = 15,
+	TEAP_TLV_PKCS10 = 16,
+	TEAP_TLV_TRUSTED_SERVER_ROOT = 17,
+};
+
+enum teap_tlv_result_status {
+	TEAP_STATUS_SUCCESS = 1,
+	TEAP_STATUS_FAILURE = 2
+};
+
+#define TEAP_TLV_MANDATORY 0x8000
+#define TEAP_TLV_TYPE_MASK 0x3fff
+
+/* RFC 7170, 4.2.6: Error TLV */
+enum teap_error_codes {
+	TEAP_ERROR_INNER_METHOD = 1001,
+	TEAP_ERROR_UNSPEC_AUTH_INFRA_PROBLEM = 1002,
+	TEAP_ERROR_UNSPEC_AUTHENTICATION_FAILURE = 1003,
+	TEAP_ERROR_UNSPEC_AUTHORIZATION_FAILURE = 1004,
+	TEAP_ERROR_USER_ACCOUNT_CRED_UNAVAILABLE = 1005,
+	TEAP_ERROR_USER_ACCOUNT_EXPIRED = 1006,
+	TEAP_ERROR_USER_ACCOUNT_LOCKED_TRY_AGAIN_LATER = 1007,
+	TEAP_ERROR_USER_ACCOUNT_LOCKED_ADMIN_REQ = 1008,
+	TEAP_ERROR_TUNNEL_COMPROMISE_ERROR = 2001,
+	TEAP_ERROR_UNEXPECTED_TLVS_EXCHANGED = 2002,
+};
+
+struct wpabuf;
+struct tls_connection;
+
+struct eap_teap_tlv_parse {
+	u8 *eap_payload_tlv;
+	size_t eap_payload_tlv_len;
+	struct teap_tlv_crypto_binding *crypto_binding;
+	size_t crypto_binding_len;
+	int iresult;
+	int result;
+	u8 *nak;
+	size_t nak_len;
+	u8 request_action;
+	u8 request_action_status;
+	u8 *pac;
+	size_t pac_len;
+	u8 *basic_auth_req;
+	size_t basic_auth_req_len;
+	u8 *basic_auth_resp;
+	size_t basic_auth_resp_len;
+};
+
+void eap_teap_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len);
+void eap_teap_put_tlv(struct wpabuf *buf, u16 type, const void *data, u16 len);
+void eap_teap_put_tlv_buf(struct wpabuf *buf, u16 type,
+			  const struct wpabuf *data);
+struct wpabuf * eap_teap_tlv_eap_payload(struct wpabuf *buf);
+int eap_teap_derive_eap_msk(const u8 *simck, u8 *msk);
+int eap_teap_derive_eap_emsk(const u8 *simck, u8 *emsk);
+int eap_teap_derive_cmk_basic_pw_auth(const u8 *s_imck_msk, u8 *cmk);
+int eap_teap_derive_imck(const u8 *prev_s_imck_msk, const u8 *prev_s_imck_emsk,
+			 const u8 *msk, size_t msk_len,
+			 const u8 *emsk, size_t emsk_len,
+			 u8 *s_imck_msk, u8 *cmk_msk,
+			 u8 *s_imck_emsk, u8 *cmk_emsk);
+int eap_teap_compound_mac(u16 tls_cs, const struct teap_tlv_crypto_binding *cb,
+			  const struct wpabuf *server_outer_tlvs,
+			  const struct wpabuf *peer_outer_tlvs,
+			  const u8 *cmk, u8 *compound_mac);
+int eap_teap_parse_tlv(struct eap_teap_tlv_parse *tlv,
+		       int tlv_type, u8 *pos, size_t len);
+const char * eap_teap_tlv_type_str(enum teap_tlv_types type);
+struct wpabuf * eap_teap_tlv_result(int status, int intermediate);
+struct wpabuf * eap_teap_tlv_error(enum teap_error_codes error);
+int eap_teap_allowed_anon_prov_phase2_method(u8 type);
+int eap_teap_allowed_anon_prov_cipher_suite(u16 cs);
+
+#endif /* EAP_TEAP_H */