diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:11:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:11:00 +0000 |
commit | af754e596a8dbb05ed8580c342e7fe02e08b28e0 (patch) | |
tree | b2f334c2b55ede42081aa6710a72da784547d8ea /src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h | |
parent | Initial commit. (diff) | |
download | freeradius-upstream/3.2.3+dfsg.tar.xz freeradius-upstream/3.2.3+dfsg.zip |
Adding upstream version 3.2.3+dfsg.upstream/3.2.3+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h')
-rw-r--r-- | src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h | 260 |
1 files changed, 260 insertions, 0 deletions
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h new file mode 100644 index 0000000..8a88bd6 --- /dev/null +++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h @@ -0,0 +1,260 @@ +/* + * eap_fast.h + * + * Version: $Id$ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + * + * Copyright 2003 Alan DeKok <aland@freeradius.org> + * Copyright 2006 The FreeRADIUS server project + */ +#ifndef _EAP_FAST_H +#define _EAP_FAST_H + +RCSIDH(eap_fast_h, "$Id$") + +#include "eap_tls.h" + +#define EAP_FAST_VERSION 1 + +#define EAP_FAST_KEY_LEN 64 +#define EAP_EMSK_LEN 64 +#define EAP_FAST_SKS_LEN 40 +#define EAP_FAST_SIMCK_LEN 40 +#define EAP_FAST_CMK_LEN 20 + +#define EAP_FAST_TLV_MANDATORY 0x8000 +#define EAP_FAST_TLV_TYPE 0x3fff + +#define EAP_FAST_FATAL_ERROR 2000 +#define EAP_FAST_ERR_TUNNEL_COMPROMISED 2001 +#define EAP_FAST_ERR_UNEXPECTED_TLV 2002 + +#define EAP_FAST_TLV_RESULT_SUCCESS 1 +#define EAP_FAST_TLV_RESULT_FAILURE 2 + +typedef enum eap_fast_stage_t { + TLS_SESSION_HANDSHAKE = 0, + AUTHENTICATION, + CRYPTOBIND_CHECK, + PROVISIONING, + COMPLETE +} eap_fast_stage_t; + +typedef enum eap_fast_auth_type { + EAP_FAST_UNKNOWN = 0, + EAP_FAST_PROVISIONING_ANON, + EAP_FAST_PROVISIONING_AUTH, + EAP_FAST_NORMAL_AUTH +} eap_fast_auth_type_t; + +typedef enum eap_fast_pac_info_attr_type_t { + PAC_INFO_PAC_KEY = 1, // 1 + PAC_INFO_PAC_OPAQUE, // 2 + PAC_INFO_PAC_LIFETIME, // 3 + PAC_INFO_A_ID, // 4 + PAC_INFO_I_ID, // 5 + PAC_INFO_PAC_RESERVED6, // 6 + PAC_INFO_A_ID_INFO, // 7 + PAC_INFO_PAC_ACK, // 8 + PAC_INFO_PAC_INFO, // 9 + PAC_INFO_PAC_TYPE, // 10 + PAC_INFO_MAX +} eap_fast_pac_info_attr_type_t; + +typedef enum eap_fast_pac_type_t { + PAC_TYPE_TUNNEL = 1, // 1 + PAC_TYPE_MACHINE_AUTH, // 2 + PAC_TYPE_USER_AUTHZ, // 3 + PAC_TYPE_MAX +} eap_fast_pac_type_t; + +#define PAC_KEY_LENGTH 32 +#define PAC_A_ID_LENGTH 16 +#define PAC_I_ID_LENGTH 16 +#define PAC_A_ID_INFO_LENGTH 32 + +typedef struct eap_fast_pac_attr_hdr_t { + uint16_t type; + uint16_t length; +} CC_HINT(__packed__) eap_fast_pac_attr_hdr_t; + +typedef struct eap_fast_pac_attr_lifetime_t { + eap_fast_pac_attr_hdr_t hdr; + uint32_t data; // secs since epoch +} CC_HINT(__packed__) eap_fast_pac_attr_lifetime_t; + +typedef struct eap_fast_pac_attr_a_id_t { + eap_fast_pac_attr_hdr_t hdr; + uint8_t data[PAC_A_ID_LENGTH]; +} CC_HINT(__packed__) eap_fast_pac_attr_a_id_t; + +typedef struct eap_fast_pac_attr_i_id_t { + eap_fast_pac_attr_hdr_t hdr; + uint8_t data[PAC_I_ID_LENGTH]; +} CC_HINT(__packed__) eap_fast_pac_attr_i_id_t; + +typedef struct eap_fast_pac_attr_a_id_info_t { + eap_fast_pac_attr_hdr_t hdr; + uint8_t data[PAC_A_ID_INFO_LENGTH]; +} CC_HINT(__packed__) eap_fast_pac_attr_a_id_info_t; + +typedef struct eap_fast_pac_attr_pac_type_t { + eap_fast_pac_attr_hdr_t hdr; + uint16_t data; +} CC_HINT(__packed__) eap_fast_pac_attr_pac_type_t; + +typedef struct eap_fast_pac_attr_pac_key_t { + eap_fast_pac_attr_hdr_t hdr; + uint8_t data[PAC_KEY_LENGTH]; +} CC_HINT(__packed__) eap_fast_pac_attr_pac_key_t; + +typedef struct eap_fast_attr_pac_opaque_plaintext_t { + eap_fast_pac_attr_pac_type_t type; + eap_fast_pac_attr_lifetime_t lifetime; + eap_fast_pac_attr_pac_key_t key; +} CC_HINT(__packed__) eap_fast_attr_pac_opaque_plaintext_t; + +typedef struct eap_fast_attr_pac_opaque_t { + eap_fast_pac_attr_hdr_t hdr; + unsigned char aad[PAC_A_ID_LENGTH]; + unsigned char iv[EVP_MAX_IV_LENGTH]; + unsigned char tag[EVP_GCM_TLS_TAG_LEN]; + uint8_t data[sizeof(eap_fast_attr_pac_opaque_plaintext_t) * 2]; // space for EVP +} CC_HINT(__packed__) eap_fast_attr_pac_opaque_t; + +typedef struct eap_fast_attr_pac_info_t { + eap_fast_pac_attr_hdr_t hdr; + eap_fast_pac_attr_lifetime_t lifetime; + eap_fast_pac_attr_a_id_t a_id; + eap_fast_pac_attr_a_id_info_t a_id_info; + eap_fast_pac_attr_pac_type_t type; +} CC_HINT(__packed__) eap_fast_attr_pac_info_t; + +typedef struct eap_fast_pac_t { + eap_fast_pac_attr_pac_key_t key; + eap_fast_attr_pac_info_t info; + eap_fast_attr_pac_opaque_t opaque; // has to be last! +} CC_HINT(__packed__) eap_fast_pac_t; + +/* RFC 4851, Section 4.2.8 - Crypto-Binding TLV */ +typedef struct eap_tlv_crypto_binding_tlv_t { + uint16_t tlv_type; + uint16_t length; + uint8_t reserved; + uint8_t version; + uint8_t received_version; + uint8_t subtype; + uint8_t nonce[32]; + uint8_t compound_mac[20]; +} CC_HINT(__packed__) eap_tlv_crypto_binding_tlv_t; + +typedef enum eap_fast_tlv_type_t { + EAP_FAST_TLV_RESERVED_0 = 0, // 0 + EAP_FAST_TLV_RESERVED_1, // 1 + EAP_FAST_TLV_RESERVED_2, // 2 + EAP_FAST_TLV_RESULT, // 3 + EAP_FAST_TLV_NAK, // 4 + EAP_FAST_TLV_ERROR, // 5 + EAP_FAST_TLV_RESERVED6, // 6 + EAP_FAST_TLV_VENDOR_SPECIFIC, // 7 + EAP_FAST_TLV_RESERVED8, // 8 + EAP_FAST_TLV_EAP_PAYLOAD, // 9 + EAP_FAST_TLV_INTERMED_RESULT, // 10 + EAP_FAST_TLV_PAC, // 11 + EAP_FAST_TLV_CRYPTO_BINDING, // 12 + EAP_FAST_TLV_RESERVED_13, // 13 + EAP_FAST_TLV_RESERVED_14, // 14 + EAP_FAST_TLV_RESERVED_15, // 15 + EAP_FAST_TLV_RESERVED_16, // 16 + EAP_FAST_TLV_RESERVED_17, // 17 + EAP_FAST_TLV_TRUSTED_ROOT, // 18 + EAP_FAST_TLV_REQ_ACTION, // 19 + EAP_FAST_TLV_PKCS, // 20 + EAP_FAST_TLV_MAX +} eap_fast_tlv_type_t; + +typedef enum eap_fast_tlv_crypto_binding_tlv_subtype_t { + EAP_FAST_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST = 0, // 0 + EAP_FAST_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE // 1 +} eap_fast_tlv_crypto_binding_tlv_subtype_t; + +/* RFC 5422: Section 3.3 - Key Derivations Used in the EAP-FAST Provisioning Exchange */ +typedef struct eap_fast_keyblock_t { + uint8_t session_key_seed[EAP_FAST_SKS_LEN]; + uint8_t server_challenge[CHAP_VALUE_LENGTH]; + uint8_t client_challenge[CHAP_VALUE_LENGTH]; +} CC_HINT(__packed__) eap_fast_keyblock_t; + +typedef struct eap_fast_tunnel_t { + VALUE_PAIR *username; + VALUE_PAIR *state; + VALUE_PAIR *accept_vps; + bool copy_request_to_tunnel; + bool use_tunneled_reply; + + bool authenticated; + + int mode; + eap_fast_stage_t stage; + eap_fast_keyblock_t *keyblock; + uint8_t *simck; + uint8_t *cmk; + int imckc; + struct { + uint8_t mppe_send[CHAP_VALUE_LENGTH]; + uint8_t mppe_recv[CHAP_VALUE_LENGTH]; + } CC_HINT(__packed__) isk; + uint8_t *msk; + uint8_t *emsk; + + int default_method; + + uint32_t pac_lifetime; + char const *authority_identity; + uint8_t const *a_id; + uint8_t const *pac_opaque_key; + + struct { + uint8_t *key; + eap_fast_pac_type_t type; + uint32_t expires; + bool expired; + bool send; + } pac; + + bool result_final; + +#ifdef WITH_PROXY + bool proxy_tunneled_request_as_eap; //!< Proxy tunneled session as EAP, or as de-capsulated + //!< protocol. +#endif + char const *virtual_server; +} eap_fast_tunnel_t; + +/* + * Process the FAST portion of an EAP-FAST request. + */ +void eap_fast_tlv_append(tls_session_t *tls_session, int tlv, bool mandatory, + int length, const void *data) CC_HINT(nonnull); +PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session) CC_HINT(nonnull); + +/* + * A bunch of EAP-FAST helper functions. + */ +VALUE_PAIR *eap_fast_fast2vp(REQUEST *request, UNUSED SSL *ssl, uint8_t const *data, + size_t data_len, DICT_ATTR const *fast_da, vp_cursor_t *out); + +#endif /* _EAP_FAST_H */ |