wpa_supplicant / hostapd  2.5
eap_tls_common.h File Reference

EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions. More...


Data Structures

struct  eap_ssl_data
 TLS data for EAP methods. More...
 

Macros

#define EAP_TLS_FLAGS_LENGTH_INCLUDED   0x80
 
#define EAP_TLS_FLAGS_MORE_FRAGMENTS   0x40
 
#define EAP_TLS_FLAGS_START   0x20
 
#define EAP_TLS_VERSION_MASK   0x07
 
#define EAP_TLS_KEY_LEN   64
 
#define EAP_UNAUTH_TLS_TYPE   255
 
#define EAP_WFA_UNAUTH_TLS_TYPE   254
 

Functions

int eap_peer_tls_ssl_init (struct eap_sm *sm, struct eap_ssl_data *data, struct eap_peer_config *config, u8 eap_type)
 Initialize shared TLS functionality. More...
 
void eap_peer_tls_ssl_deinit (struct eap_sm *sm, struct eap_ssl_data *data)
 Deinitialize shared TLS functionality. More...
 
u8 * eap_peer_tls_derive_key (struct eap_sm *sm, struct eap_ssl_data *data, const char *label, size_t len)
 Derive a key based on TLS session data. More...
 
u8 * eap_peer_tls_derive_session_id (struct eap_sm *sm, struct eap_ssl_data *data, u8 eap_type, size_t *len)
 Derive a Session-Id based on TLS data. More...
 
int eap_peer_tls_process_helper (struct eap_sm *sm, struct eap_ssl_data *data, EapType eap_type, int peap_version, u8 id, const struct wpabuf *in_data, struct wpabuf **out_data)
 Process TLS handshake message. More...
 
struct wpabuf * eap_peer_tls_build_ack (u8 id, EapType eap_type, int peap_version)
 Build a TLS ACK frame. More...
 
int eap_peer_tls_reauth_init (struct eap_sm *sm, struct eap_ssl_data *data)
 Re-initialize shared TLS for session resumption. More...
 
int eap_peer_tls_status (struct eap_sm *sm, struct eap_ssl_data *data, char *buf, size_t buflen, int verbose)
 Get TLS status. More...
 
const u8 * eap_peer_tls_process_init (struct eap_sm *sm, struct eap_ssl_data *data, EapType eap_type, struct eap_method_ret *ret, const struct wpabuf *reqData, size_t *len, u8 *flags)
 Initial validation/processing of EAP requests. More...
 
void eap_peer_tls_reset_input (struct eap_ssl_data *data)
 Reset input buffers. More...
 
void eap_peer_tls_reset_output (struct eap_ssl_data *data)
 Reset output buffers. More...
 
int eap_peer_tls_decrypt (struct eap_sm *sm, struct eap_ssl_data *data, const struct wpabuf *in_data, struct wpabuf **in_decrypted)
 Decrypt received phase 2 TLS message. More...
 
int eap_peer_tls_encrypt (struct eap_sm *sm, struct eap_ssl_data *data, EapType eap_type, int peap_version, u8 id, const struct wpabuf *in_data, struct wpabuf **out_data)
 Encrypt phase 2 TLS message. More...
 
int eap_peer_select_phase2_methods (struct eap_peer_config *config, const char *prefix, struct eap_method_type **types, size_t *num_types)
 Select phase 2 EAP method. More...
 
int eap_peer_tls_phase2_nak (struct eap_method_type *types, size_t num_types, struct eap_hdr *hdr, struct wpabuf **resp)
 Generate EAP-Nak for Phase 2. More...
 

Detailed Description

EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions.

Function Documentation

int eap_peer_select_phase2_methods ( struct eap_peer_config *  config,
const char *  prefix,
struct eap_method_type **  types,
size_t *  num_types 
)

Select phase 2 EAP method.

Parameters
config: Pointer to the network configuration
prefix: 'phase2' configuration prefix, e.g., "auth="
types: Buffer for returning the allocated list of allowed EAP methods
num_types: Buffer for returning the number of allocated EAP methods
Returns
0 on success, -1 on failure

This function parses the configured EAP method list and selects the methods allowed for Phase 2 authentication.

struct wpabuf* eap_peer_tls_build_ack ( u8  id,
EapType  eap_type,
int  peap_version 
)

Build a TLS ACK frame.

Parameters
id: EAP identifier for the response
eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
peap_version: Version number for EAP-PEAP/TTLS
Returns
Pointer to the allocated ACK frame or NULL on failure
int eap_peer_tls_decrypt ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
const struct wpabuf *  in_data,
struct wpabuf **  in_decrypted 
)

Decrypt received phase 2 TLS message.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
in_data: Message received from the server
in_decrypted: Buffer for returning a pointer to the decrypted message
Returns
0 on success, 1 if more input data is needed, or -1 on failure
u8* eap_peer_tls_derive_key ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
const char *  label,
size_t  len 
)

Derive a key based on TLS session data.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
label: Label string for deriving the keys, e.g., "client EAP encryption"
len: Length of the key material to generate (usually 64 for MSK)
Returns
Pointer to allocated key on success or NULL on failure

This function uses the TLS-PRF to generate pseudo-random data from the TLS session data (client/server random and master key). Each key type uses a different label so that the generated material is bound to its intended use.

The caller is responsible for freeing the returned buffer.

u8* eap_peer_tls_derive_session_id ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
u8  eap_type,
size_t *  len 
)

Derive a Session-Id based on TLS data.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
len: Pointer for returning the length of the generated Session-Id
Returns
Pointer to allocated Session-Id on success or NULL on failure

This function derives the Session-Id from the TLS session data (client/server random and the EAP method type).

The caller is responsible for freeing the returned buffer.

int eap_peer_tls_encrypt ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
EapType  eap_type,
int  peap_version,
u8  id,
const struct wpabuf *  in_data,
struct wpabuf **  out_data 
)

Encrypt phase 2 TLS message.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
peap_version: Version number for EAP-PEAP/TTLS
id: EAP identifier for the response
in_data: Plaintext phase 2 data to encrypt, or NULL to continue sending pending fragments
out_data: Buffer for returning a pointer to the encrypted response message
Returns
0 on success, -1 on failure
int eap_peer_tls_phase2_nak ( struct eap_method_type *  types,
size_t  num_types,
struct eap_hdr *  hdr,
struct wpabuf **  resp 
)

Generate EAP-Nak for Phase 2.

Parameters
types: List of allowed Phase 2 EAP methods (as produced by eap_peer_select_phase2_methods())
num_types: Number of entries in types
hdr: EAP-Request header (and the following EAP type octet)
resp: Buffer for returning the EAP-Nak message
Returns
0 on success, -1 on failure
int eap_peer_tls_process_helper ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
EapType  eap_type,
int  peap_version,
u8  id,
const struct wpabuf *  in_data,
struct wpabuf **  out_data 
)

Process TLS handshake message.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
peap_version: Version number for EAP-PEAP/TTLS
id: EAP identifier for the response
in_data: Message received from the server
out_data: Buffer for returning a pointer to the response message
Returns
0 on success, 1 if more input data is needed, 2 if application data is available, or -1 on failure

This function processes TLS handshake messages. It reassembles the received fragments and hands the complete message to the TLS library. The response data from the TLS library is split into output fragments of a suitable size that the caller can send out.

out_data is used to return the response message when the return value of this function is 0, 2, or -1. In case of failure, the returned message is most likely a TLS alert. The caller is responsible for freeing the allocated buffer if *out_data is not NULL.

This function is called for each received TLS message during the TLS handshake after eap_peer_tls_process_init() call and possible processing of TLS Flags field. Once the handshake has been completed, i.e., when tls_connection_established() returns 1, EAP method specific decrypting of the tunneled data is used.

const u8* eap_peer_tls_process_init ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
EapType  eap_type,
struct eap_method_ret *  ret,
const struct wpabuf *  reqData,
size_t *  len,
u8 *  flags 
)

Initial validation/processing of EAP requests.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
ret: Return values from EAP request validation and processing
reqData: EAP request to be processed (eapReqData)
len: Buffer for returning the length of the remaining payload
flags: Buffer for returning the TLS flags
Returns
Pointer to payload after TLS flags and length or NULL on failure

This function validates the EAP header and processes the optional TLS Message Length field. If this is the first fragment of a TLS message, the TLS reassembly code is initialized to receive the indicated number of bytes.

EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST methods are expected to use this function as the first step in processing received messages. They must then process the flags (apart from Message Length Included) returned through the flags pointer and the message payload that is returned (with its length returned through the len pointer). The return values (ret) are set for continuation of EAP method processing; the caller is responsible for updating them to indicate completion (either success or failure) based on the authentication result.

int eap_peer_tls_reauth_init ( struct eap_sm *  sm,
struct eap_ssl_data *  data 
)

Re-initialize shared TLS for session resumption.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
Returns
0 on success, -1 on failure
void eap_peer_tls_reset_input ( struct eap_ssl_data *  data)

Reset input buffers.

Parameters
data: Data for TLS processing

This function frees any allocated memory for input buffers and resets input state.

void eap_peer_tls_reset_output ( struct eap_ssl_data *  data)

Reset output buffers.

Parameters
data: Data for TLS processing

This function frees any allocated memory for output buffers and resets output state.

void eap_peer_tls_ssl_deinit ( struct eap_sm *  sm,
struct eap_ssl_data *  data 
)

Deinitialize shared TLS functionality.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing

This function deinitializes shared TLS functionality that was initialized with eap_peer_tls_ssl_init().

int eap_peer_tls_ssl_init ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
struct eap_peer_config *  config,
u8  eap_type 
)

Initialize shared TLS functionality.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
config: Pointer to the network configuration
eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
Returns
0 on success, -1 on failure

This function is used to initialize shared TLS functionality for EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST.

int eap_peer_tls_status ( struct eap_sm *  sm,
struct eap_ssl_data *  data,
char *  buf,
size_t  buflen,
int  verbose 
)

Get TLS status.

Parameters
sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
data: Data for TLS processing
buf: Buffer for the status information
buflen: Maximum length of buf
verbose: Whether to include verbose status information
Returns
Number of bytes written to buf.