|
1 /* |
|
2 * Copyright (c) 2001-2006 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: EAP and WLAN authentication protocols. |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 |
|
20 #ifndef _MSCHAPV2_CORE_H_ |
|
21 #define _MSCHAPV2_CORE_H_ |
|
22 |
|
23 #include "eap_base_type.h" |
|
24 #include "eap_crypto_api.h" |
|
25 #include "eap_type_mschapv2_state.h" |
|
26 |
|
27 #include "eap_am_network_id.h" |
|
28 #include "abs_eap_am_type_mschapv2.h" |
|
29 #include "eap_am_type_mschapv2.h" |
|
30 #include "eap_type_mschapv2_header.h" |
|
31 |
|
32 |
|
33 /// This class is implementation of MS-CHAP-v2 EAP-type. |
|
34 class EAP_EXPORT eap_type_mschapv2_c |
|
35 : public abs_eap_am_type_mschapv2_c |
|
36 , public eap_base_type_c |
|
37 { |
|
38 |
|
39 private: |
|
40 |
|
41 /// This is pointer to adaptation module of MS-Chap-v2 EAP type. |
|
42 eap_am_type_mschapv2_c * const m_am_type_mschapv2; |
|
43 |
|
44 /// This is pointer to the tools class. |
|
45 abs_eap_am_tools_c * const m_am_tools; |
|
46 |
|
47 /// When eap_session_core_c is used. Each EAP type object does handle only one session. |
|
48 eap_type_mschapv2_state_c m_session; |
|
49 |
|
50 eap_am_network_id_c m_send_network_id; |
|
51 |
|
52 crypto_random_c m_rand; |
|
53 |
|
54 /// This is username and identity (UTF8) |
|
55 eap_variable_data_c m_username_utf8; |
|
56 |
|
57 eap_variable_data_c m_password_utf8; |
|
58 |
|
59 eap_variable_data_c m_old_password_utf8; |
|
60 |
|
61 eap_variable_data_c m_password_hash; |
|
62 |
|
63 eap_variable_data_c m_password_hash_hash; |
|
64 |
|
65 |
|
66 #if defined(USE_FAST_EAP_TYPE) |
|
67 eap_variable_data_c m_client_EAP_FAST_challenge; |
|
68 |
|
69 eap_variable_data_c m_server_EAP_FAST_challenge; |
|
70 #endif //#if defined(USE_FAST_EAP_TYPE) |
|
71 |
|
72 |
|
73 u8_t m_authenticator_challenge[EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE]; |
|
74 |
|
75 u8_t m_peer_challenge[EAP_MSCHAPV2_PEER_CHALLENGE_SIZE]; |
|
76 |
|
77 u8_t m_nt_response[EAP_MSCHAPV2_NT_RESPONSE_SIZE]; |
|
78 |
|
79 u32_t m_offset; |
|
80 |
|
81 u32_t m_mtu_length; |
|
82 |
|
83 u32_t m_trailer_length; |
|
84 |
|
85 u32_t m_error_code; |
|
86 |
|
87 /// This indicates whether this object was generated successfully. |
|
88 bool m_is_valid; |
|
89 |
|
90 /// This indicates whether this object is client (true) or server (false). |
|
91 /// In terms of EAP-protocol whether this network entity is EAP-supplicant (true) or EAP-authenticator (false). |
|
92 bool m_is_client; |
|
93 |
|
94 bool m_free_am_type_mschapv2; |
|
95 |
|
96 bool m_is_pending; |
|
97 |
|
98 bool m_identity_asked; |
|
99 |
|
100 bool m_wait_eap_success; |
|
101 |
|
102 bool m_wait_eap_success_packet; |
|
103 |
|
104 bool m_is_reauthentication; |
|
105 |
|
106 bool m_is_notification_sent; |
|
107 |
|
108 bool m_shutdown_was_called; |
|
109 |
|
110 bool m_password_prompt_enabled; |
|
111 |
|
112 u8_t m_identifier; |
|
113 |
|
114 u8_t m_mschapv2id; |
|
115 |
|
116 #if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
117 bool m_use_implicit_challenge; |
|
118 #endif //#if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
119 |
|
120 #if defined(EAP_MSCHAPV2_SERVER) |
|
121 bool m_do_password_expiration_tests; |
|
122 |
|
123 bool m_password_expired; |
|
124 #endif //#if defined(EAP_MSCHAPV2_SERVER) |
|
125 |
|
126 bool m_do_wrong_password_tests; |
|
127 |
|
128 bool m_use_eap_expanded_type; |
|
129 |
|
130 #if defined(USE_FAST_EAP_TYPE) |
|
131 |
|
132 bool m_use_EAP_FAST_full_key; |
|
133 |
|
134 bool m_use_EAP_FAST_challenge; |
|
135 |
|
136 #endif //#if defined(USE_FAST_EAP_TYPE) |
|
137 |
|
138 // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
|
139 |
|
140 void send_error_notification(const eap_status_e error); |
|
141 |
|
142 eap_status_e finish_successful_authentication(); |
|
143 |
|
144 eap_status_e finish_unsuccessful_authentication( |
|
145 const bool authentication_cancelled); |
|
146 |
|
147 eap_status_e complete_eap_identity_query(); |
|
148 |
|
149 eap_status_e complete_failure_retry_response(); |
|
150 |
|
151 eap_status_e complete_change_password_query(); |
|
152 |
|
153 eap_status_e client_packet_process( |
|
154 eap_header_wr_c * const eap, ///< This is pointer to EAP header and data. |
|
155 const u32_t eap_packet_length ///< This is length of received EAP packet. |
|
156 ); |
|
157 |
|
158 eap_status_e client_mschapv2_packet_process( |
|
159 eap_header_wr_c * const received_eap, |
|
160 const u32_t eap_packet_length); |
|
161 |
|
162 eap_status_e client_handle_challenge_request(mschapv2_header_c &challenge_request); |
|
163 |
|
164 eap_status_e client_handle_success_request(mschapv2_header_c &success_request); |
|
165 |
|
166 eap_status_e client_handle_failure_request(mschapv2_header_c &success_request); |
|
167 |
|
168 eap_status_e client_send_challenge_response(); |
|
169 |
|
170 |
|
171 /** |
|
172 * This function processes the MS-CHAP-V2 packets. |
|
173 */ |
|
174 eap_status_e mschapv2_packet_process( |
|
175 eap_header_wr_c * const eap, ///< This is pointer to EAP header and data. |
|
176 const u32_t eap_packet_length ///< This is length of received EAP packet. |
|
177 ); |
|
178 |
|
179 /** |
|
180 * This function tells if the object is a client or a server.. |
|
181 */ |
|
182 bool get_is_client(); |
|
183 |
|
184 eap_buf_chain_wr_c * create_send_packet(u32_t length); |
|
185 |
|
186 eap_status_e packet_send( |
|
187 eap_buf_chain_wr_c * const data, |
|
188 const u32_t data_length); |
|
189 |
|
190 eap_status_e send_success_failure_response(bool is_success_response); |
|
191 |
|
192 eap_status_e mschapv2_convert_unicode_to_ascii(eap_variable_data_c & dest_ascii, const eap_variable_data_c & src_unicode); |
|
193 |
|
194 eap_status_e mschapv2_convert_ascii_to_unicode(eap_variable_data_c & dest_unicode, const eap_variable_data_c & src_ascii); |
|
195 |
|
196 /* From Ms-CHAP-v2 RFC */ |
|
197 |
|
198 eap_status_e generate_nt_response( |
|
199 const u8_t * const authenticator_challenge, |
|
200 const u8_t * const peer_challenge, |
|
201 const u8_t * const username_utf8, |
|
202 const u32_t username_size, |
|
203 const eap_variable_data_c * const password_hash, |
|
204 u8_t * const response); |
|
205 |
|
206 eap_status_e challenge_hash( |
|
207 const u8_t * const peer_challenge, |
|
208 const u8_t * const authenticator_challenge, |
|
209 const u8_t * const username_utf8, |
|
210 const u32_t username_size, |
|
211 u8_t * const challenge); |
|
212 |
|
213 eap_status_e challenge_response( |
|
214 const u8_t * const challenge, |
|
215 const u8_t * const password_hash, |
|
216 u8_t * const response); |
|
217 |
|
218 eap_status_e des_crypt( |
|
219 const u8_t * const data_in, |
|
220 const u8_t * const key, |
|
221 u8_t * const data_out, |
|
222 const bool is_encrypt); |
|
223 |
|
224 eap_status_e des_encrypt( |
|
225 const u8_t * const clear, |
|
226 const u8_t * const block, |
|
227 u8_t * const cypher) |
|
228 { |
|
229 return des_crypt(clear, block, cypher, true); |
|
230 } |
|
231 |
|
232 eap_status_e des_decrypt( |
|
233 u8_t * const clear, |
|
234 const u8_t * const block, |
|
235 const u8_t * const cypher) |
|
236 { |
|
237 return des_crypt(cypher, block, clear, false); |
|
238 } |
|
239 |
|
240 eap_status_e generate_authenticator_response( |
|
241 const u8_t * const password_hash_hash, |
|
242 const u8_t * const nt_response, |
|
243 const u8_t * const peer_challenge, |
|
244 const u8_t * const authenticator_challenge, |
|
245 const u8_t * const username, |
|
246 const u32_t username_size, |
|
247 u8_t * const authenticator_response); |
|
248 |
|
249 eap_status_e check_authenticator_response( |
|
250 const eap_variable_data_c * const password_hash_hash, |
|
251 const u8_t * const nt_response, |
|
252 const u8_t * const peer_challenge, |
|
253 const u8_t * const authenticator_challenge, |
|
254 const u8_t * const username, |
|
255 const u32_t username_size, |
|
256 const u8_t * const received_response, |
|
257 bool & response_ok); |
|
258 |
|
259 eap_status_e new_password_encrypted_with_old_nt_password_hash( |
|
260 const eap_variable_data_c * const new_password_utf8, |
|
261 const eap_variable_data_c * const old_password_hash, |
|
262 u8_t * encrypted_pw_block); |
|
263 |
|
264 eap_status_e encrypt_pw_block_with_password_hash( |
|
265 const eap_variable_data_c * const new_password_utf8, |
|
266 const u8_t * const password_hash, |
|
267 u8_t * pw_block); |
|
268 |
|
269 eap_status_e rc4_encrypt( |
|
270 const u8_t * const clear, |
|
271 const u32_t clear_length, |
|
272 const u8_t * const key, |
|
273 const u32_t key_length, |
|
274 u8_t * const cypher); |
|
275 |
|
276 eap_status_e old_nt_password_hash_encrypted_with_new_nt_password_hash( |
|
277 const eap_variable_data_c * const new_password_hash, |
|
278 const eap_variable_data_c * const old_password_hash, |
|
279 eap_variable_data_c * const encrypted_password_hash); |
|
280 |
|
281 eap_status_e nt_password_hash_encrypted_with_block( |
|
282 const eap_variable_data_c * const password_hash, |
|
283 const eap_variable_data_c * const block, |
|
284 eap_variable_data_c * const cypher); |
|
285 |
|
286 eap_status_e generate_session_key( |
|
287 eap_master_session_key_c * const key); |
|
288 |
|
289 /***************************/ |
|
290 |
|
291 #if defined(EAP_MSCHAPV2_SERVER) |
|
292 |
|
293 eap_status_e server_packet_process( |
|
294 eap_header_wr_c * const received_eap, |
|
295 const u32_t eap_packet_length); |
|
296 |
|
297 eap_status_e server_mschapv2_packet_process( |
|
298 eap_header_wr_c * const received_eap, |
|
299 const u32_t eap_packet_length); |
|
300 |
|
301 bool check_expired_password(); |
|
302 |
|
303 eap_status_e server_handle_challenge_response(mschapv2_header_c &machapv2_packet); |
|
304 |
|
305 eap_status_e server_handle_success_response(); |
|
306 |
|
307 eap_status_e server_handle_failure_response(); |
|
308 |
|
309 eap_status_e server_handle_password_change(mschapv2_header_c &machapv2_packet); |
|
310 |
|
311 /** |
|
312 * This function parses all payloads of the whole MSCHAPV2 EAP packet. |
|
313 */ |
|
314 eap_status_e parse_mschapv2_packet( |
|
315 eap_header_wr_c * const eap, ///< This is pointer to EAP header and data. |
|
316 const u32_t eap_packet_length ///< This is length of received EAP packet. |
|
317 ); |
|
318 |
|
319 |
|
320 eap_status_e parse_mschapv2_payload( |
|
321 eap_header_wr_c * const eap, ///< This is pointer to EAP header and data. |
|
322 const u32_t eap_packet_length ///< This is length of received EAP packet. |
|
323 ); |
|
324 |
|
325 eap_status_e send_failure_request( |
|
326 const bool retry_allowed, |
|
327 const u8_t * const message, |
|
328 const u32_t message_length); |
|
329 |
|
330 eap_status_e send_success_request( |
|
331 const u8_t * const message, |
|
332 const u32_t message_length); |
|
333 |
|
334 /** |
|
335 * This function handles the received EAP-Response/Identity message and chenge challenge request to client. |
|
336 */ |
|
337 eap_status_e handle_identity_response_message(); |
|
338 |
|
339 eap_status_e rc4_decrypt( |
|
340 const u8_t * const cypher, |
|
341 const u32_t cypher_length, |
|
342 const u8_t * const key, |
|
343 const u32_t key_length, |
|
344 u8_t * const clear); |
|
345 |
|
346 #endif //#if defined(EAP_MSCHAPV2_SERVER) |
|
347 |
|
348 /******************************/ |
|
349 |
|
350 protected: |
|
351 |
|
352 public: |
|
353 |
|
354 /** |
|
355 * Destructor cancels all timers and deletes member attributes. |
|
356 */ |
|
357 EAP_FUNC_IMPORT virtual ~eap_type_mschapv2_c(); |
|
358 |
|
359 /** |
|
360 * Constructor initializes all member attributes. |
|
361 */ |
|
362 EAP_FUNC_IMPORT eap_type_mschapv2_c( |
|
363 abs_eap_am_tools_c * const tools, |
|
364 abs_eap_base_type_c * const partner, |
|
365 eap_am_type_mschapv2_c * const am_type_mschapv2, |
|
366 const bool free_am_type_mschapv2, |
|
367 const bool is_client_when_true, |
|
368 const eap_am_network_id_c * const receive_network_id); |
|
369 |
|
370 /** |
|
371 * The partner class calls this function when EAP/MS-CHAP-v2 packet is received. |
|
372 * see also eap_base_type_c::packet_process(). |
|
373 */ |
|
374 EAP_FUNC_IMPORT eap_status_e packet_process( |
|
375 const eap_am_network_id_c * const receive_network_id, ///< This is the network identity of the received EAP packet. |
|
376 eap_header_wr_c * const eap, ///< This is pointer to EAP header and data. |
|
377 const u32_t eap_packet_length ///< This is length of received EAP packet. |
|
378 ); |
|
379 |
|
380 // This is commented in eap_base_type_c::get_is_valid(). |
|
381 EAP_FUNC_IMPORT bool get_is_valid(); |
|
382 |
|
383 EAP_FUNC_IMPORT void set_is_valid(); |
|
384 |
|
385 /** |
|
386 * This function resets the reused eap_type_mschapv2_c object. |
|
387 */ |
|
388 EAP_FUNC_IMPORT eap_status_e reset(); |
|
389 |
|
390 EAP_FUNC_IMPORT eap_status_e shutdown(); |
|
391 |
|
392 EAP_FUNC_IMPORT eap_status_e set_initial_eap_identifier( |
|
393 const eap_am_network_id_c * const receive_network_id, |
|
394 const u8_t initial_identifier); |
|
395 |
|
396 // This is commented in eap_base_type_c::eap_acknowledge(). |
|
397 EAP_FUNC_IMPORT eap_status_e eap_acknowledge( |
|
398 const eap_am_network_id_c * const receive_network_id); |
|
399 |
|
400 EAP_FUNC_IMPORT eap_status_e configure(); |
|
401 |
|
402 // This is commented in eap_base_type_c::query_eap_identity(). |
|
403 EAP_FUNC_IMPORT eap_status_e query_eap_identity( |
|
404 const bool must_be_synchronous, |
|
405 eap_variable_data_c * const identity, |
|
406 const eap_am_network_id_c * const receive_network_id, |
|
407 const u8_t eap_identifier); |
|
408 |
|
409 }; // class eap_type_mschap_c |
|
410 |
|
411 #endif // _MSCHAPV2_CORE_H_ |