--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/eapol/eapol_framework/eapol_common/type/tls_peap/tls/include/tls_record.h Thu Dec 17 08:47:43 2009 +0200
@@ -0,0 +1,1671 @@
+/*
+* Copyright (c) 2001-2006 Nokia Corporation and/or its subsidiary(-ies).
+* All rights reserved.
+* This component and the accompanying materials are made available
+* under the terms of the License "Eclipse Public License v1.0"
+* which accompanies this distribution, and is available
+* at the URL "http://www.eclipse.org/legal/epl-v10.html".
+*
+* Initial Contributors:
+* Nokia Corporation - initial contribution.
+*
+* Contributors:
+*
+* Description: EAP and WLAN authentication protocols.
+*
+*/
+
+
+
+
+#if !defined(_TLS_RECORD_H_)
+#define _TLS_RECORD_H_
+
+
+#include "abs_tls_am_services.h"
+#include "tls_base_record.h"
+#include "eap_array_algorithms.h"
+#include "tls_message.h"
+#include "tls_peap_types.h"
+#include "abs_tls_message_hash.h"
+#include "tls_completion.h"
+#include "abs_tls_change_cipher_spec.h"
+#include "abs_tls_base_application.h"
+#include "tls_base_application.h"
+#include "eap_protocol_layer.h"
+#include "eap_am_network_id.h"
+#include "eap_automatic_variable.h"
+#include "eap_master_session_key.h"
+
+
+class abs_tls_base_record_c;
+class abs_eap_am_tools_c;
+class eap_am_network_id_c;
+class tls_record_header_c;
+class tls_am_services_c;
+class tls_handshake_header_c;
+class tls_record_message_c;
+class tls_handshake_message_c;
+class abs_crypto_cbc_block_algorithm_c;
+class abs_crypto_block_algorithm_c;
+class abs_crypto_stream_algorithm_c;
+
+#if defined(USE_FAST_EAP_TYPE)
+#if !defined(USE_EAP_TLS_SESSION_TICKET)
+#error ERROR: With USE_FAST_EAP_TYPE you must use USE_EAP_TLS_SESSION_TICKET flag too.
+#endif //#if !defined(USE_EAP_TLS_SESSION_TICKET)
+#endif //#if defined(USE_FAST_EAP_TYPE)
+
+//--------------------------------------------------------------------
+
+/**
+ * The tls_record_c class implements tls_base_record_c.
+ * See more detailed design and architecture document <a href="../../type/tls_peap/documentation/EAP_TLS_PEAP.doc">EAP_TLS_PEAP.doc</a>
+ * and <a href="../../type/tls_peap/documentation/rfc2246.txt">RFC 2246</a>.
+ */
+class EAP_EXPORT tls_record_c
+: public tls_base_record_c
+, public abs_tls_am_services_c
+, public abs_tls_message_hash_c
+, public abs_tls_change_cipher_spec_c
+, public abs_tls_apply_cipher_spec_c
+, public abs_tls_base_application_c
+{
+private:
+ //--------------------------------------------------
+
+ /// This is pointer to the tools class. @see abs_eap_am_tools_c.
+ abs_eap_am_tools_c * const m_am_tools;
+
+ /// This is pointer to adaptation module of TLS.
+ tls_am_services_c * m_am_tls_services;
+
+ /// This flag tells whether the m_am_tls_services must be freed in destructor.
+ const bool m_free_am_tls_services;
+
+ /// This is pointer to application object. Mostly this is used in PEAP and the application is tls_application_eap_core_c object.
+ tls_base_application_c * m_application;
+
+ /// This flag tells whether the m_application must be freed in destructor.
+ const bool m_free_application;
+
+
+
+ /// This object includes pending asyncronous actions or it may be empty.
+ /// The check_sent_tls_message() function call will check and complete pending actions.
+ eap_array_c<tls_completion_c> m_completion_queue;
+
+
+
+ /// This object includes received message in parsed tree.
+ tls_message_c m_received_tls_message;
+
+ /// This object includes the new created message in parsed tree.
+ /// The send message will be generated from this.
+ tls_message_c m_new_tls_message;
+
+
+
+ /// This object includes MD5 HASH of received handshake messages.
+ crypto_md5_c m_message_hash_md5;
+
+ /// This object includes SHA1 HASH of received handshake messages.
+ crypto_sha1_c m_message_hash_sha1;
+
+ /// This object includes MD5 HASH for certificate verify message.
+ eap_variable_data_c m_message_hash_md5_certificate_verify;
+
+ /// This object includes SHA1 HASH for certificate verify message.
+ eap_variable_data_c m_message_hash_sha1_certificate_verify;
+
+ /// This object includes MD5 HASH of Finished message of client.
+ eap_variable_data_c m_client_message_hash_md5_finished;
+
+ /// This object includes SHA1 HASH of Finished message of client.
+ eap_variable_data_c m_client_message_hash_sha1_finished;
+
+ /// This object includes MD5 HASH of Finished message of server.
+ eap_variable_data_c m_server_message_hash_md5_finished;
+
+ /// This object includes SHA1 HASH of Finished message of server.
+ eap_variable_data_c m_server_message_hash_sha1_finished;
+
+
+
+ /// This object includes client random value for client handshake message.
+ eap_variable_data_c m_client_handshake_random_value;
+
+ /// This object includes server random value for server handshake message.
+ eap_variable_data_c m_server_handshake_random_value;
+
+ /// This object includes session ID.
+ eap_variable_data_c m_session_id;
+
+ /// This object includes master secret.
+ eap_variable_data_c m_master_secret;
+
+ /// This object includes EAP-TLS master session key.
+ eap_master_session_key_c m_eap_master_session_key;
+
+
+
+ /// This object includes shared secret key for MAC of send packets.
+ eap_variable_data_c m_new_send_mac_key;
+
+ /// This object includes shared secret key for MAC of received packets.
+ eap_variable_data_c m_new_receive_mac_key;
+
+ /// This object includes shared secret key for encryption of send packets.
+ eap_variable_data_c m_new_send_encryption_key;
+
+ /// This object includes shared secret key for decryption of received packets.
+ eap_variable_data_c m_new_receive_encryption_key;
+
+ /// This object includes initialization vector for block encryption of send packets.
+ eap_variable_data_c m_new_send_iv;
+
+ /// This object includes initialization vector for decryption of received packets.
+ eap_variable_data_c m_new_receive_iv;
+
+
+
+ /// This object includes shared secret key for MAC of send packets.
+ eap_variable_data_c m_send_mac_key;
+
+ /// This object includes shared secret key for MAC of received packets.
+ eap_variable_data_c m_receive_mac_key;
+
+ /// This object includes shared secret key for encryption of send packets.
+ eap_variable_data_c m_send_encryption_key;
+
+ /// This object includes shared secret key for decryption of received packets.
+ eap_variable_data_c m_receive_encryption_key;
+
+ /// This object includes initialization vector for block encryption of send packets.
+ eap_variable_data_c m_send_iv;
+
+ /// This object includes initialization vector for decryption of received packets.
+ eap_variable_data_c m_receive_iv;
+
+
+
+ /// This object includes session key seed for EAP-FAST.
+ eap_variable_data_c m_session_key_seed;
+
+ /// This object includes MsChapv2 challenges for EAP-FAST.
+ eap_variable_data_c m_mschapv2_challenges;
+
+
+ /// This object includes Diffie-Hellman private key of this TLS end point.
+ eap_variable_data_c m_own_private_dhe_key;
+
+ /// This object includes Diffie-Hellman public key of this TLS end point.
+ eap_variable_data_c m_own_public_dhe_key;
+
+ /// This object includes Diffie-Hellman public key of other TLS end point.
+ eap_variable_data_c m_peer_public_dhe_key;
+
+ /// This object includes Diffie-Hellman shared key of the TLS session.
+ eap_variable_data_c m_shared_dh_key;
+
+ /// This object includes Diffie-Hellman prime of the TLS session.
+ eap_variable_data_c m_dhe_prime;
+
+ /// This object includes Diffie-Hellman group generator of the TLS session.
+ eap_variable_data_c m_dhe_group_generator;
+
+
+ /// This object includes signed HASH. This is needed to store asyncronously completed signature creation.
+ eap_variable_data_c m_signed_message_hash;
+
+ /// This object includes the premaster secret.
+ /// In RSA cipher suite client generates this and and encrypts with server public key.
+ /// Server decrypts this within the client key exchange message and decrypts this with private key.
+ /// In DHE cipher suite this is the shared Diffie-Hellman secret.
+ eap_variable_data_c m_premaster_secret;
+
+ /// This object includes encrypted premaster secret of this TLS end point.
+ /// This is needed to store asyncronously completed result of encryption.
+ eap_variable_data_c m_own_encrypted_premaster_secret;
+
+#if defined(USE_FAST_EAP_TYPE)
+ /// This object includes PAC-Key of EAP-FAST.
+ /// PAC-Key is stored here before master secret can be generated.
+ eap_variable_data_c m_eap_fast_pac_key;
+#endif //#if defined(USE_FAST_EAP_TYPE)
+
+ /// This object includes the proposed cipher suites.
+ /// Objects are in host network order.
+ /// Client creates this list and server receives the list in client hello handshake message.
+ eap_array_c<u16_t> m_proposed_cipher_suites;
+
+ /// This object includes the proposed compression methods.
+ /// Client creates this list and server receives the list in client hello handshake message.
+ eap_array_c<u8_t> m_proposed_compression_methods;
+
+#if defined(USE_EAP_TLS_SESSION_TICKET)
+ /// All supported TLS extensions.
+ eap_array_c<tls_extension_c> m_supported_tls_extensions;
+
+ /// All received TLS extensions.
+ eap_array_c<tls_extension_c> m_received_tls_extensions;
+#endif // #if defined(USE_EAP_TLS_SESSION_TICKET)
+
+
+ /// This is the realm part of the NAI of the client.
+ eap_variable_data_c m_NAI_realm;
+
+ /// This is network identity of the sent packet from this authentication session.
+ eap_am_network_id_c m_send_network_id;
+
+ /// This object includes certificate chain of this TLS end point.
+ /// This is needed to store asyncronously completed result of certificate chain qyery.
+ eap_array_c<eap_variable_data_c> m_own_certificate_chain;
+
+ /// This object includes certificate types required by this TLS end point.
+ /// This is needed to store asyncronously completed result of certificate type qyery.
+ eap_array_c<u8_t> m_own_certificate_types;
+
+ /// This object includes certificate authorities required by this TLS end point.
+ /// This is needed to store asyncronously completed result of certificate authorities qyery.
+ eap_array_c<eap_variable_data_c> m_own_certificate_authorities;
+
+ /// This object includes certificate chain of the other TLS end point.
+ eap_array_c<eap_variable_data_c> m_peer_certificate_chain;
+
+ /// This variable includes validity result of certificate chain of the other TLS end point.
+ eap_status_e m_peer_certificate_chain_result;
+
+ /// This variable includes validity result of signature verification of the received message that includes signature.
+ eap_status_e m_verify_signature;
+
+ /// This object includes certificate types of the other TLS end point.
+ eap_array_c<u8_t> m_peer_certificate_types;
+
+ /// This object includes certificate authorities of the other TLS end point.
+ eap_array_c<eap_variable_data_c> m_peer_certificate_authorities;
+
+
+
+ /// This is the resumed cipher suite from previous TLS session.
+ tls_cipher_suites_e m_resumed_cipher_suite;
+
+ /// This is the selected cipher suite for this TLS session.
+ tls_cipher_suites_e m_selected_cipher_suite;
+
+ /// This is the selected compression method for this TLS session.
+ /// NOTE this is always null compression.
+ tls_compression_method_e m_selected_compression_method;
+
+ /// This is the active cipher suite of received packets for this TLS session.
+ tls_cipher_suites_e m_receive_cipher_suite;
+
+ /// This is the active compression method of received packets for this TLS session.
+ /// NOTE this is always null compression.
+ tls_compression_method_e m_receive_compression_method;
+
+ /// This is the active cipher suite of send packets for this TLS session.
+ tls_cipher_suites_e m_send_cipher_suite;
+
+ /// This is the active compression method of send packets for this TLS session.
+ /// NOTE this is always null compression.
+ tls_compression_method_e m_send_compression_method;
+
+
+
+ /// This is pointer to CBC block cipher algorithm of send packets when cipher suite uses block cipher.
+ abs_crypto_cbc_block_algorithm_c *m_send_block_cipher;
+
+ /// This is pointer to CBC block cipher algorithm of received packets when cipher suite uses block cipher.
+ abs_crypto_cbc_block_algorithm_c *m_receive_block_cipher;
+
+ /// This is pointer to stream cipher algorithm of send packets when cipher suite uses block cipher.
+ abs_crypto_stream_algorithm_c *m_send_stream_cipher;
+
+ /// This is pointer to stream cipher algorithm of received packets when cipher suite uses block cipher.
+ abs_crypto_stream_algorithm_c *m_receive_stream_cipher;
+
+
+
+ /// This is pointer to HMAC algorithm of send packets.
+ abs_crypto_hmac_algorithm_c *m_send_hmac_algorithm;
+
+ /// This is pointer to HMAC algorithm of received packets.
+ abs_crypto_hmac_algorithm_c *m_receive_hmac_algorithm;
+
+
+
+ /// This is the counter of send TLS-records. See chapters "6.2.3. Record payload protection"
+ /// and "6.1. Connection states" from <a href="../../type/tls_peap/documentation/rfc2246.txt">RFC 2246</a>.
+ /// Sequence number is initialized to zero and incrmented after each record is processed.
+ u64_t m_send_record_sequence_number;
+
+ /// This is the counter of received TLS-records. See chapters "6.2.3. Record payload protection"
+ /// and "6.1. Connection states" from <a href="../../type/tls_peap/documentation/rfc2246.txt">RFC 2246</a>.
+ /// Sequence number is initialized to zero and incrmented after each record is processed.
+ u64_t m_receive_record_sequence_number;
+
+
+
+ /// This variable stored the internal state of TLS-session. See tls_peap_state_e.
+ tls_peap_state_e m_tls_peap_state;
+
+ /// This flag tells which TLS session type is selected,
+ /// full authentication, original session resumption or stateless session resumption (RFC 4507).
+ tls_session_type_e m_tls_session_type;
+
+
+ /// This is the EAP-type (TLS, PEAP or TTLS).
+ eap_type_value_e m_eap_type;
+
+ /// This separates different PEAP versions (PEAPv2, PEAPv1 or XP PEAPv0).
+ peap_version_e m_peap_version;
+
+ /// This variable stores the state of tunneled EAP-authentication.
+ eap_state_variable_e m_tunneled_eap_type_authentication_state;
+
+ /// This variable saves the EAP-identifier of the last received EAP-message.
+ u8_t m_received_eap_identifier;
+
+ /// This indicates whether this object was generated successfully.
+ bool m_is_valid;
+
+ /// This indicates whether this object is client (true) or server (false).
+ const bool m_is_client;
+
+ /// This flag tells whether messages could be send in the check_sent_tls_message() function.
+ bool m_allow_message_send;
+
+ /// This flag prevents recursive calls of the completion_action_check() function.
+ bool m_already_in_completion_action_check;
+
+ /// This flag prevents recursive calls of the process_tls_records() function.
+ bool m_already_in_process_tls_records;
+
+
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_query_certificate_authorities_and_types;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_query_certificate_chain;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_query_cipher_suites_and_previous_session;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_query_dh_parameters;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_query_realm;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_select_cipher_suite_and_check_session_id;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_verify_certificate_chain;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_rsa_decrypt_with_private_key;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_rsa_encrypt_with_public_key;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_sign_with_private_key;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_verify_with_public_key;
+
+ /// This flag tells whether this function call is pending (true value).
+ /// After this function call is completed with appropriate completion function flag is set to false value.
+ bool m_pending_query_tunnel_PAC;
+
+
+ /// This flag tells whether this instance is test version (true) or real version (false).
+ /// Test version allows many subsequent TLS-sessions.
+ bool m_tls_peap_test_version;
+
+ /// The flag prevents multiple call of generate_key_material() function.
+ bool m_key_material_generated;
+
+ /// This flag tells whether the server authenticates client (true) or not (false).
+ /// NOTE: Server and client read this value from it's configuration.
+ /// Server acts as this flag says.
+ /// Client does allow only client and server mutual authentication when this flag is true.
+ /// Client does allow server authentication too when this flag is false.
+ bool m_tls_peap_server_authenticates_client_policy_flag;
+
+ /// Server reads this from configure.
+ /// Server initiates mutual authentication when value is true.
+ /// Server initiates server authentication when value is false.
+ bool m_tls_peap_server_authenticates_client_config_server;
+
+ /// Client and server set this flag to indicate the current function.
+ /// Action is mutual authentication when value is true.
+ /// Action is server authentication when value is false.
+ bool m_tls_peap_server_authenticates_client_action;
+
+ /// Client uses this flag to remember the the certificate request message.
+ bool m_tls_peap_server_requested_client_certificate;
+
+ /// This flag tells whether we could send fatal TLS-alert message (true) or not (false).
+ /// This is set false after we receive one TLS-alert message.
+ bool m_could_send_fatal_alert_message;
+
+ /// This flag tells whether we could send warning TLS-alert message (true) or not (false).
+ /// This is set false after we receive one TLS-alert message.
+ bool m_could_send_warning_alert_message;
+
+ /// This flag tells whether the check_sent_tls_message() must send TLS-alert message (true) or not (false).
+ /// This flag is set after the TLS-alert message is generated. This flag forses send of the TLS-alert message.
+ bool m_force_tls_message_send;
+
+ /// This flag tells whether the shutdown() function was called (true) or not (false).
+ bool m_shutdown_was_called;
+
+ /// This flag tells whether TLS-messages should be set to separate TLS-records (true) or TLS-message should
+ /// be packed to same TLS-record if it is possible (false).
+ bool m_use_separate_tls_record;
+
+ /// This flag tells whether extra padding of block cipher should be used.
+ bool m_use_extra_padding_length;
+
+ /// NOTE this is against the RFC 2246 The TLS Protocol Version 1.0.
+ /// Look at chapter 7.4.4. Certificate request.
+ bool m_client_allows_empty_certificate_authorities_list;
+
+ /// NOTE this is against the RFC 2246 The TLS Protocol Version 1.0.
+ /// Look at chapter 7.4.4. Certificate request.
+ bool m_server_sends_empty_certificate_authorities_list;
+
+ /// This configurable option selects whether the special TLS/PEAP style
+ /// is used, the length field is added to all message fragments
+ /// even the message fits to one fragment except EAP-TLS-start, EAP-TLS-Acknowledge and
+ /// PEAP-application data. The client acknowledges tunneled EAP-Success message
+ /// with empty PEAP message.
+ bool m_use_tppd_tls_peap;
+
+ /// On fast session resume server does not send tunneled EAP-Success.
+ /// Instead it sends plain EAP-Success.
+ /// True value of this flag allows this plain EAP-Success.
+ bool m_use_tppd_peapv1_acknowledge_hack;
+
+ /// This configuration flag tells the server will offer new session ID to client.
+ bool m_server_offers_new_session_id;
+
+ /// Client will receive a new session ticket in NewSessionTicket message.
+ bool m_will_receive_new_session_ticket;
+
+ /// True value means EAP-FAST server sends piggypacked EAP-Identity/Request.
+ /// False value means EAP-FAST server does not send piggypacked EAP-Identity/Request, instead it waits empty Ack-message from client.
+ bool m_send_piggypacked_eap_identity_request;
+
+#if defined(USE_EAP_TLS_IDENTITY_PRIVACY)
+ /// Flag causes TLS client to use privacy.
+ bool m_tls_use_identity_privacy;
+
+ /// Variable tells state of TLS identity privacy handshake.
+ tls_identity_privacy_handshake_state_e m_tls_identity_privacy_handshake_state;
+#endif //#if defined(USE_EAP_TLS_IDENTITY_PRIVACY)
+
+#if defined(USE_FAST_EAP_TYPE)
+ /// This flag allows use of dynamic provisioning of PAC in Server-Unauthenticated Mode.
+ /// This is called also Authenticated Diffie-Hellman Protocol (ADHP).
+ bool m_eap_fast_allow_server_unauthenticated_provisioning_mode_ADHP;
+
+ /// This flag allows use of dynamic provisioning of PAC in Server-Authenticated Mode.
+ bool m_fast_allow_server_authenticated_provisioning_mode;
+
+ bool m_remove_tunnel_pac;
+#endif //#if defined(USE_FAST_EAP_TYPE)
+
+ //--------------------------------------------------
+
+ /**
+ * The set_is_valid() function sets the state of the object valid.
+ * The creator of this object calls this function after it is initialized.
+ */
+ EAP_FUNC_IMPORT void set_is_valid();
+
+ EAP_FUNC_IMPORT eap_status_e allocate_handshake_message(
+ tls_handshake_message_c ** const tls_handshake_message,
+ eap_automatic_variable_c<tls_handshake_message_c> * const automatic_tls_handshake_message,
+ const tls_handshake_type_e handshake_type);
+
+ EAP_FUNC_IMPORT eap_status_e allocate_handshake_message_copy(
+ tls_handshake_message_c ** const tls_handshake_message,
+ eap_automatic_variable_c<tls_handshake_message_c> * const automatic_tls_handshake_message,
+ tls_handshake_header_c * const tls_handshake_header);
+
+ /**
+ * This function creates TLS Handshake/HelloRequest message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_hello_request();
+
+ /**
+ * This function creates TLS Handshake/ClientHello message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_client_hello();
+
+ /**
+ * This function creates TLS Handshake/ServerHello message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_server_hello(
+ const u16_t selected_cipher_suite,
+ const u8_t selected_compression_method);
+
+ /**
+ * This function creates TLS Handshake/Certificate message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_certificate(
+ EAP_TEMPLATE_CONST eap_array_c<eap_variable_data_c> * const certificate_chain);
+
+ /**
+ * This function creates TLS Handshake/CertificateRequest message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_certificate_request(
+ EAP_TEMPLATE_CONST eap_array_c<u8_t> * const certificate_types,
+ EAP_TEMPLATE_CONST eap_array_c<eap_variable_data_c> * const certificate_authorities);
+
+ /**
+ * This function creates TLS Handshake/ServerHelloDone message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_server_hello_done();
+
+ /**
+ * This function completes creation of TLS Handshake/ServerKeyExchange message.
+ */
+ EAP_FUNC_IMPORT eap_status_e complete_create_handshake_type_server_key_exchange();
+
+ /**
+ * This function creates TLS Handshake/ServerKeyExchange message.
+ * NOTE: this function is asyncronous. complete_create_handshake_type_server_key_exchange()
+ * completes this operation.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_server_key_exchange();
+
+ /**
+ * This function completes creation of TLS Handshake/ClientKeyExchange message.
+ */
+ EAP_FUNC_IMPORT eap_status_e complete_create_handshake_type_client_key_exchange();
+
+ /**
+ * This function creates TLS Handshake/ClientKeyExchange message.
+ * NOTE: this function is asyncronous. complete_create_handshake_type_client_key_exchange()
+ * completes this operation.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_client_key_exchange();
+
+ /**
+ * This function completes creation of TLS Handshake/CertificateVerify message.
+ */
+ EAP_FUNC_IMPORT eap_status_e complete_create_handshake_type_certificate_verify();
+
+ /**
+ * This function creates TLS Handshake/CertificateVerify message.
+ * NOTE: this function is asyncronous.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_certificate_verify();
+
+ /**
+ * This function creates TLS Handshake/Finished message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_finished();
+
+ /**
+ * This function creates TLS Handshake/NewSessionTicket message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_handshake_type_new_session_ticket();
+
+ /**
+ * This function creates TLS ChangeCipherSpec/ChangeCipherSpec message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_change_cipher_spec_type_change_cipher_spec();
+
+ /**
+ * This function finish TLS handshake.
+ */
+ EAP_FUNC_IMPORT eap_status_e finish_handshake();
+
+ /**
+ * This function creates TLS Alert/Alert message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_tls_protocol_alert(
+ const tls_alert_description_e alert_description,
+ const tls_alert_level_e alert_level,
+ const eap_status_e result);
+
+ /**
+ * This function creates TLS ApplicationData message.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_tls_application_data(
+ eap_buf_chain_wr_c * const sent_packet,
+ const u32_t header_offset);
+
+ /**
+ * This function starts tunneled authentication.
+ */
+ EAP_FUNC_IMPORT eap_status_e start_peap_tunneled_authentication(
+ const eap_am_network_id_c * const receive_network_id,
+ const u8_t received_eap_identifier,
+ const tls_session_type_e tls_session_type);
+
+ /**
+ * This function parses TLS extension list, see RFC 4366.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_tls_extension_list(
+ const u32_t handshake_data_length,
+ u32_t * const data_offset,
+ const tls_handshake_header_c * const tls_handshake_header,
+ tls_handshake_message_c * const tls_handshake_message);
+
+ /**
+ * This function parses TLS Handshake/HelloRequest message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_hello_request(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+
+ /**
+ * This function parses TLS Handshake/ClientHello message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_client_hello(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/ServerHello message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_server_hello(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/Certificate message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_certificate(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/CertificateRequest message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_certificate_request(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/ServerHelloDone message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_server_hello_done(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/ServerKeyExchange message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_server_key_exchange(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/ClientKeyExchange message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_client_key_exchange(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/CertificateVerify message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_certificate_verify(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+ /**
+ * This function parses TLS Handshake/Finished message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_finished(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+
+#if defined(USE_EAP_TLS_SESSION_TICKET)
+
+ /**
+ * This function parses TLS Handshake/NewSessionTicket message.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_handshake_type_new_session_ticket(
+ tls_record_message_c * const received_tls_record_message,
+ tls_handshake_header_c * const tls_handshake_header,
+ const u32_t handshake_data_length);
+
+#endif // #if defined(USE_EAP_TLS_SESSION_TICKET)
+
+
+ /**
+ * This function parses TLS ChangeCipherSpec protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_tls_protocol_change_cipher_spec(
+ tls_record_message_c * const tls_record_message,
+ eap_variable_data_c * const tls_protocols_messages_buffer);
+
+ /**
+ * This function parses TLS Alert protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_tls_protocol_alert(
+ tls_record_message_c * const tls_record_message,
+ eap_variable_data_c * const tls_protocols_messages_buffer);
+
+ /**
+ * This function parses TLS Handshake protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_tls_protocol_handshake(
+ tls_record_message_c * const tls_record_message,
+ eap_variable_data_c * const tls_protocols_messages_buffer);
+
+ /**
+ * This function parses TLS ApplicationData protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e parse_tls_protocol_application_data(
+ tls_record_message_c * const tls_record_message,
+ eap_variable_data_c * const tls_protocols_messages_buffer);
+
+ /**
+ * This function reassembles data of received consecutive TLS-records with same protocol to tls_record_message.
+ */
+ EAP_FUNC_IMPORT eap_status_e reassemble_tls_records(
+ tls_record_message_c * const tls_record_message,
+ tls_record_header_c * const next_tls_record_header);
+
+ /**
+ * This function processes received TLS records.
+ */
+ EAP_FUNC_IMPORT eap_status_e process_tls_records();
+
+ /**
+ * This function processes received TLS message.
+ */
+ EAP_FUNC_IMPORT eap_status_e process_tls_message();
+
+ EAP_FUNC_IMPORT tls_record_protocol_e get_next_tls_record_message_protocol();
+
+ EAP_FUNC_IMPORT tls_handshake_type_e get_next_tls_handshake_message_type();
+
+ /**
+ * This function analyses TLS Handshake/HelloRequest message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_hello_request(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/ClientHello message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_client_hello(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/ServerHello message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_server_hello(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/Certificate message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_certificate(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/CertificateRequest message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_certificate_request(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/ServerHelloDone message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_server_hello_done(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/ServerKeyExchange message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_server_key_exchange(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/ClientKeyExchange message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_client_key_exchange(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/CertificateVerify message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_certificate_verify(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message);
+
+ /**
+ * This function analyses TLS Handshake/Finished message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_finished(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message,
+ const u8_t received_eap_identifier);
+
+#if defined(USE_EAP_TLS_SESSION_TICKET)
+
+ /**
+ * This function analyses TLS Handshake/NewSessionTicket message.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_handshake_type_new_session_ticket(
+ EAP_TEMPLATE_CONST tls_handshake_message_c * const handshake_message,
+ const u8_t received_eap_identifier);
+
+#endif // #if defined(USE_EAP_TLS_SESSION_TICKET)
+
+ /**
+ * This function analyses TLS ChangeCipherSpec protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_tls_protocol_change_cipher_spec(
+ const tls_record_message_c * const record);
+
+ /**
+ * This function analyses TLS Alert protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_tls_protocol_alert(
+ const tls_record_message_c * const record);
+
+ /**
+ * This function analyses TLS Handshake protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_tls_protocol_handshake(
+ tls_record_message_c * const record,
+ const u8_t received_eap_identifier);
+
+ /**
+ * This function analyses TLS ApplicationData protocol.
+ */
+ EAP_FUNC_IMPORT eap_status_e analyse_tls_protocol_application_data(
+ const tls_record_message_c * const record,
+ const u8_t received_eap_identifier);
+
+ /**
+ * This function checks whether all pending queries are completed.
+ */
+ EAP_FUNC_IMPORT eap_status_e are_pending_queries_completed();
+
+ /**
+ * This function indicates state to lower layer.
+ */
+ EAP_FUNC_IMPORT eap_status_e indicate_state_to_lower_layer(
+ const tls_peap_state_e indicated_state);
+
+ /**
+ * This function indicates all message processed to lower layer.
+ */
+ EAP_FUNC_IMPORT eap_status_e indicate_messages_processed();
+
+ /**
+ * This function combines TLS-protocols data to a buffer and sends TLS-message.
+ */
+ EAP_FUNC_IMPORT eap_status_e send_tls_message();
+
+ /**
+ * This function checks all queries are completed.
+ * If all queries are completed this function send the pending LS-messages.
+ */
+ EAP_FUNC_IMPORT eap_status_e check_sent_tls_message();
+
+ /**
+ * This function check the selected cipher suite is one of the proposed cipher suites.
+ */
+ EAP_FUNC_IMPORT eap_status_e check_selected_cipher_suite(
+ const tls_cipher_suites_e selected_cipher_suite);
+
+ /**
+ * This function check the selected compression method is one of the proposed compression method.
+ */
+ EAP_FUNC_IMPORT eap_status_e check_selected_compression_method(
+ const tls_compression_method_e selected_compression_method);
+
+ /**
+ * This function changes one 16-bit value pointed by parameter value from network order to host order.
+ */
+ EAP_FUNC_IMPORT static eap_status_e u16_t_to_host_order(
+ u16_t * const value,
+ abs_eap_am_tools_c * const m_am_tools);
+
+ /**
+ * This function changes one 16-bit value pointed by parameter value from host order to network order.
+ */
+ EAP_FUNC_IMPORT static eap_status_e u16_t_to_network_order(
+ u16_t * const value,
+ abs_eap_am_tools_c * const m_am_tools);
+
+ /**
+ * This function initializes MD5 and SHA hashes.
+ */
+ EAP_FUNC_IMPORT eap_status_e message_hash_init();
+
+ /**
+ * This function adds the send and received TLS-handshake message to MD5 and SHA hashes.
+ * @param eap includes the buffer of the whole reassembled TLS-packet.
+ * @param packet_length is length in bytes of the TLS-packet.
+ */
+ EAP_FUNC_IMPORT eap_status_e message_hash_update(
+ const bool true_when_parse_message,
+ const tls_handshake_type_e type,
+ u8_t * const tls_packet,
+ const u32_t tls_packet_length);
+
+ /**
+ * This function obtains and concatenates the message digest of MD5 and SHA hashes.
+ * @param type tells the handshake type where the message digest is used.
+ * @param message_hash includes the buffer of the message digest. The message_hash_create() function initializes the buffer.
+ * @param client_originated is boolean flag. When client calls this function value is true, when server calls this function value is false.
+ */
+ EAP_FUNC_IMPORT eap_status_e message_hash_create(
+ const bool true_when_parse_message,
+ const tls_handshake_type_e type,
+ eap_variable_data_c * const message_hash,
+ const bool client_originated);
+
+ EAP_FUNC_IMPORT eap_status_e message_hash_final(
+ eap_variable_data_c * const md5_digest,
+ eap_variable_data_c * const sha1_digest);
+
+ /**
+ * This function saves MD5 and SHA hashes for certificate verify message to
+ * member attributes m_message_hash_md5_certificate_verify and m_message_hash_sha1_certificate_verify.
+ */
+ EAP_FUNC_IMPORT eap_status_e message_hash_save_certificate_verify();
+
+ /**
+ * This function saves MD5 and SHA hashes for finished message to
+ * member attributes message_hash_md5_finished and message_hash_sha1_finished.
+ */
+ EAP_FUNC_IMPORT eap_status_e message_hash_save_finished(
+ const bool client_originated);
+
+ /**
+ * This function creates certificate verfy message hash.
+ */
+ EAP_FUNC_IMPORT eap_status_e message_hash_create_certificate_verify(
+ const bool client_originated);
+
+ /**
+ * This function creates finished message hash.
+ * @param signed_message_hash is pointer to buffer of the message hash.
+ */
+ EAP_FUNC_IMPORT eap_status_e message_hash_create_finished(
+ const bool client_originated_message,
+ eap_variable_data_c * const signed_message_hash);
+
+
+ /**
+ * This function creates SHA1 HASH of server key exchange message when DHE cipher suite is used.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_server_key_exchange_sha1_hash(
+ const eap_variable_data_c * const dhe_prime,
+ const eap_variable_data_c * const dhe_group_generator,
+ const eap_variable_data_c * const public_dhe_key,
+ eap_variable_data_c * const hash);
+
+ /**
+ * This function creates MD5 HASH of server key exchange message when DHE cipher suite is used.
+ */
+ EAP_FUNC_IMPORT eap_status_e create_server_key_exchange_md5_hash(
+ const eap_variable_data_c * const dhe_prime,
+ const eap_variable_data_c * const dhe_group_generator,
+ const eap_variable_data_c * const public_dhe_key,
+ eap_variable_data_c * const hash);
+
+ /**
+ * This function verifies the HASH of server key exchange message is valid.
+ */
+ EAP_FUNC_IMPORT eap_status_e verify_signature_of_server_key_exchange(
+ const eap_variable_data_c * const signed_server_key_exchange_hash);
+
+
+
+ /**
+ * This function verifies the cipher suite is one of using 3DES_EDE_CBC_SHA.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_3DES_EDE_CBC_SHA(tls_cipher_suites_e cipher_suite) const;
+
+ /**
+ * This function verifies the cipher suite is one of using AES_128_CBC_SHA.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_AES_128_CBC_SHA(tls_cipher_suites_e cipher_suite) const;
+
+ /**
+ * This function verifies the cipher suite is one of using RC4_128_MD5.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_RC4_128_MD5(tls_cipher_suites_e cipher_suite) const;
+
+ /**
+ * This function verifies the cipher suite is one of using RC4_128_SHA.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_RC4_128_SHA(tls_cipher_suites_e cipher_suite) const;
+
+
+
+ /**
+ * This function verifies the current cipher suite is one of using TLS_RSA.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_TLS_RSA() const;
+
+ /**
+ * This function verifies the current cipher suite is one of using TLS_DHE_RSA.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_TLS_DHE_RSA() const;
+
+ /**
+ * This function verifies the current cipher suite is one of using TLS_DHE_DSS.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_TLS_DHE_DSS() const;
+
+#if defined(USE_FAST_EAP_TYPE)
+ /**
+ * This function verifies the current cipher suite is one of using TLS_DH_anon.
+ */
+ EAP_FUNC_IMPORT bool cipher_suite_is_TLS_DH_anon() const;
+#endif //#if defined(USE_FAST_EAP_TYPE)
+
+
+#if EAP_TLS_NOT_SUPPORTED_CIPHER_SUITE
+ This is not implemented yet
+ EAP_FUNC_IMPORT bool cipher_suite_is_TLS_DH_DSS() const;
+#endif
+
+
+
+ /**
+ * This function generates ephemeral Diffie-Hellman keys.
+ * Keys are stored to m_own_private_dhe_key and m_own_public_dhe_key.
+ */
+ EAP_FUNC_IMPORT eap_status_e generate_dhe_keys();
+
+ /**
+ * This function generates master secret.
+ */
+ EAP_FUNC_IMPORT eap_status_e generate_master_secret();
+
+ /**
+ * This function generates premaster secret.
+ */
+ EAP_FUNC_IMPORT eap_status_e generate_premaster_secret();
+
+#if defined(USE_FAST_EAP_TYPE)
+ /**
+ * This function generates master secret from EAP-FAST PAC-Key.
+ */
+ EAP_FUNC_IMPORT eap_status_e generate_eap_fast_master_secret_from_pac_key(
+ const eap_variable_data_c * const pac_key);
+#endif //#if defined(USE_FAST_EAP_TYPE)
+
+
+ EAP_FUNC_IMPORT void send_error_notification(const eap_status_e error);
+
+ /**
+ * This function adds new completion action to the end of the m_completion_queue.
+ */
+ EAP_FUNC_IMPORT eap_status_e completion_action_add(
+ tls_completion_action_e action);
+
+ /**
+ * This function verifies all completion actions are completed.
+ */
+ EAP_FUNC_IMPORT eap_status_e completion_action_clenup();
+
+ /**
+ * This function checks and completes completion actions.
+ * This function could return eap_status_pending_request if the
+ * first completion action cannot be completed yet.
+ */
+ EAP_FUNC_IMPORT eap_status_e completion_action_check();
+
+
+
+
+ /**
+ * This function generates random padding length. See chapter "6.2.3.2. CBC block cipher" in <a href="../../type/tls_peap/documentation/rfc2246.txt">RFC 2246</a>.
+ */
+ EAP_FUNC_IMPORT u8_t get_extra_padding_length(const u8_t padding_length, const u32_t block_size);
+
+ /**
+ * This function applies the current block cipher suite to send TLS-record.
+ */
+ EAP_FUNC_IMPORT eap_status_e apply_send_block_cipher_suite(
+ eap_variable_data_c * const tls_record_message_buffer,
+ abs_crypto_cbc_block_algorithm_c * const encrypt,
+ abs_crypto_hmac_algorithm_c * const mac);
+
+ /**
+ * This function applies the current block cipher suite to received TLS-record.
+ */
+ EAP_FUNC_IMPORT eap_status_e apply_receive_block_cipher_suite(
+ eap_variable_data_c * const tls_record_message_buffer,
+ abs_crypto_cbc_block_algorithm_c * const decrypt,
+ abs_crypto_hmac_algorithm_c * const mac);
+
+ /**
+ * This function applies the current stream cipher suite to send TLS-record.
+ */
+ EAP_FUNC_IMPORT eap_status_e apply_send_stream_cipher_suite(
+ eap_variable_data_c * const tls_record_message_buffer,
+ abs_crypto_stream_algorithm_c * const encrypt,
+ abs_crypto_hmac_algorithm_c * const mac);
+
+ /**
+ * This function applies the current stream cipher suite to received TLS-record.
+ */
+ EAP_FUNC_IMPORT eap_status_e apply_receive_stream_cipher_suite(
+ eap_variable_data_c * const tls_record_message_buffer,
+ abs_crypto_stream_algorithm_c * const decrypt,
+ abs_crypto_hmac_algorithm_c * const mac);
+
+ /**
+ * This function applies the current cipher suite to send TLS-record.
+ */
+ EAP_FUNC_IMPORT eap_status_e apply_send_cipher_suite(
+ eap_variable_data_c * const tls_record_message_buffer);
+
+ /**
+ * This function applies the current cipher suite to received TLS-record.
+ */
+ EAP_FUNC_IMPORT eap_status_e apply_receive_cipher_suite(
+ eap_variable_data_c * const tls_record_message_buffer);
+
+ /** This function hides create_tls_protocol_alert() call.
+ */
+ EAP_FUNC_IMPORT eap_status_e eap_status_return_and_create_tls_protocol_alert(
+ const eap_status_e status);
+
+
+ /**
+ * This function sets the state of TLS.
+ */
+ EAP_FUNC_IMPORT tls_peap_state_e get_state() const;
+
+ /**
+ * This function gets the state of TLS.
+ */
+ EAP_FUNC_IMPORT void set_state(const tls_peap_state_e state);
+
+ /**
+ * This function verified the current state of TLS and parameter state are equal.
+ */
+ EAP_FUNC_IMPORT bool verify_state(const tls_peap_state_e state);
+
+
+
+ /**
+ * This function initializes encryption and decryption objects for block cipher suite.
+ */
+ EAP_FUNC_IMPORT eap_status_e cipher_suite_initialization_cbc(
+ abs_crypto_cbc_block_algorithm_c ** const cbc_crypto_block_algorithm,
+ abs_crypto_block_algorithm_c * const crypto_block_algorithm,
+ const eap_variable_data_c * const iv,
+ const eap_variable_data_c * const key,
+ const bool true_when_encrypt);
+
+ /**
+ * This function initializes HMAC algorithm objects.
+ */
+ EAP_FUNC_IMPORT eap_status_e cipher_suite_initialization_hmac(
+ abs_crypto_hmac_algorithm_c * const hmac_algorithm,
+ const eap_variable_data_c * const key);
+
+ /**
+ * This function initializes encryption and decryption objects for stream cipher suite.
+ */
+ EAP_FUNC_IMPORT eap_status_e cipher_suite_initialization_stream(
+ abs_crypto_stream_algorithm_c * const crypto_stream_algorithm,
+ const eap_variable_data_c * const key,
+ const bool true_when_encrypt);
+
+ /**
+ * This function initializes HMAC-SHA1 objects for current cipher suite.
+ */
+ EAP_FUNC_IMPORT eap_status_e cipher_suite_initialization_hmac_sha1(const bool send_when_true);
+
+ /**
+ * This function initializes HMAC-MD5 objects for current cipher suite.
+ */
+ EAP_FUNC_IMPORT eap_status_e cipher_suite_initialization_hmac_md5(const bool send_when_true);
+
+ /**
+ * This function initializes encryption and decryption objects for current cipher suite.
+ */
+ EAP_FUNC_IMPORT eap_status_e cipher_suite_initialization(
+ const bool send_when_true);
+
+
+
+ /**
+ * This function creates a new TLS-record message or returns tha last one if
+ * parameter protocol and ther last TLS-record message match.
+ */
+ EAP_FUNC_IMPORT eap_status_e new_record_message(
+ tls_record_message_c ** const tls_record_message,
+ const tls_record_protocol_e protocol);
+
+ /**
+ * This function creates a new TLS-record including handshake protocol message.
+ */
+ EAP_FUNC_IMPORT eap_status_e add_record_message(
+ tls_handshake_message_c * const tls_handshake_message);
+
+ /**
+ * This function creates a new TLS-record including change cipher spec protocol message.
+ */
+ EAP_FUNC_IMPORT eap_status_e add_record_message(
+ tls_change_cipher_spec_message_c * const change_cipher_spec_message);
+
+ /**
+ * This function creates a new TLS-record including alert protocol message.
+ */
+ EAP_FUNC_IMPORT eap_status_e add_record_message(
+ tls_alert_message_c * const alert_message);
+
+ /**
+ * This function creates a new TLS-record including application data protocol message.
+ */
+ EAP_FUNC_IMPORT eap_status_e add_record_message(
+ tls_application_data_message_c * const application_data_message);
+
+ EAP_FUNC_IMPORT void reset_block_ciphers(const bool send_when_true);
+
+ EAP_FUNC_IMPORT void reset_stream_ciphers(const bool send_when_true);
+
+ EAP_FUNC_IMPORT void reset_hmac_algorithms(const bool send_when_true);
+
+ EAP_FUNC_IMPORT eap_status_e get_tls_prf_data(
+ const eap_variable_data_c * const master_secret,
+ const eap_variable_data_c * const client_random,
+ const eap_variable_data_c * const server_random,
+ const eap_variable_data_c * const label,
+ eap_variable_data_c * const prf_data,
+ const u32_t required_prf_data_length);
+
+ EAP_FUNC_IMPORT eap_status_e set_tls_session_type(const tls_session_type_e tls_session_type);
+
+ EAP_FUNC_IMPORT tls_session_type_e get_tls_session_type();
+
+ EAP_FUNC_IMPORT void set_tls_identity_privacy_handshake_state(const tls_identity_privacy_handshake_state_e state);
+
+ EAP_FUNC_IMPORT void set_selected_cipher_suite(const tls_cipher_suites_e cipher_suite);
+
+ EAP_FUNC_IMPORT eap_status_e set_receive_cipher_suite(const tls_cipher_suites_e cipher_suite);
+
+ EAP_FUNC_IMPORT eap_status_e set_send_cipher_suite(const tls_cipher_suites_e cipher_suite);
+
+ //--------------------------------------------------
+protected:
+ //--------------------------------------------------
+
+ //--------------------------------------------------
+public:
+ //--------------------------------------------------
+
+ /**
+ * The destructor of the tls_record_c class does nothing special.
+ */
+ EAP_FUNC_IMPORT virtual ~tls_record_c();
+
+ /**
+ * The constructor of the tls_record_c class simply initializes the attributes.
+ * The tls_record_c object sends packets to the network using tls_base_record_c::get_type_partner() object.
+ */
+ EAP_FUNC_IMPORT tls_record_c(
+ abs_eap_am_tools_c * const tools, ///< tools is pointer to the tools class. @see abs_eap_am_tools_c.
+ tls_am_services_c * const am_tls_services, ///< This is pointer to adaoptation module of TLS.
+ const bool free_am_tls_services,
+ tls_base_application_c * const application, ///< application is pointer to application object.
+ const bool free_application,
+ const bool is_client_when_true, ///< Indicates whether this is client (true) or server (false).
+ const eap_type_value_e eap_type,
+ const eap_am_network_id_c * const receive_network_id);
+
+ /**
+ * This function returns true when EAP-type is TTLS or PEAP.
+ */
+ EAP_FUNC_IMPORT bool get_is_tunneled_tls();
+
+ /**
+ * This function sets the tunnel type.
+ */
+ void set_peap_version(
+ const peap_version_e peap_version, ///< This is the PEAP version (PEAPv2, PEAPv1, XP PEAPv0), yes very nice to have many different versions.
+ const bool use_tppd_tls_peap, ///< Of course some vendors have own TLS/PEAP quirks.
+ const bool use_tppd_peapv1_acknowledge_hack);
+
+ /**
+ * The configure() function is called after the constructor of the
+ * object is successfully executed. During the function call the object
+ * could query the configuration. Each derived class must define this function.
+ */
+ EAP_FUNC_IMPORT eap_status_e configure();
+
+ /**
+ * The shutdown() function is called before the destructor of the
+ * object is executed. During the function call the object
+ * could shutdown the operations, for example cancel timers.
+ * Each derived class must define this function.
+ */
+ EAP_FUNC_IMPORT eap_status_e shutdown();
+
+ EAP_FUNC_IMPORT eap_status_e get_ttls_implicit_challenge(
+ eap_variable_data_c * const ttls_implicit_challenge,
+ const u32_t required_ttls_implicit_challenge_length);
+
+ /**
+ * This function sets the NAI realm.
+ */
+ EAP_FUNC_IMPORT eap_status_e set_nai_realm(
+ const eap_variable_data_c * const NAI_realm ///< This is the full NAI realm.
+ );
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e packet_send(
+ eap_buf_chain_wr_c * const sent_packet,
+ const u32_t header_offset,
+ const u32_t data_length,
+ const u32_t buffer_length);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT u32_t get_header_offset(
+ u32_t * const MTU_length,
+ u32_t * const trailer_length);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e read_configure(
+ const eap_configuration_field_c * const field,
+ eap_variable_data_c * const data);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e write_configure(
+ const eap_configuration_field_c * const field,
+ eap_variable_data_c * const data);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT void state_notification(
+ const abs_eap_state_notification_c * const state);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e set_timer(
+ abs_eap_base_timer_c * const initializer,
+ const u32_t id,
+ void * const data,
+ const u32_t p_time_ms);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e cancel_timer(
+ abs_eap_base_timer_c * const initializer,
+ const u32_t id);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e cancel_all_timers();
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e load_module(
+ const eap_type_value_e type,
+ const eap_type_value_e /* tunneling_type */,
+ abs_eap_base_type_c * const partner,
+ eap_base_type_c ** const eap_type,
+ const bool is_client_when_true,
+ const eap_am_network_id_c * const receive_network_id);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e unload_module(const eap_type_value_e type);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e restart_authentication(
+ const eap_am_network_id_c * const receive_network_id,
+ const bool is_client_when_true,
+ const bool force_clean_restart,
+ const bool from_timer);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e packet_data_crypto_keys(
+ const eap_am_network_id_c * const send_network_id,
+ const eap_master_session_key_c * const master_session_key);
+
+ // This is commented in abs_tls_base_application_c.
+ EAP_FUNC_IMPORT eap_status_e check_is_valid_eap_type(const eap_type_value_e eap_type);
+
+ // This is commented in abs_tls_base_application_c::get_eap_type_list().
+ EAP_FUNC_IMPORT eap_status_e get_eap_type_list(
+ eap_array_c<eap_type_value_e> * const eap_type_list);
+
+ /**
+ * This function sends starts EAP-TLS/PEAP after a start message is received.
+ */
+ EAP_FUNC_IMPORT eap_status_e start_tls_peap_authentication(
+ const eap_variable_data_c * const received_authority_identity
+ );
+
+ /**
+ * This function processes the received packet.
+ * @param tls_packet includes the buffer of the whole reassembled TLS-packet.
+ */
+ EAP_FUNC_IMPORT eap_status_e packet_process(
+ eap_variable_data_c * const tls_packet,
+ const u8_t received_eap_identifier);
+
+ /**
+ * This function indicates the plain text EAP-Success or EAP-Failure packet is received.
+ * @param receive_network_id includes the addresses (network identity) and packet type.
+ * @param received_eap_identifier is the EAP-Identifier of the received EAP-Success packet.
+ */
+ EAP_FUNC_IMPORT eap_status_e plain_eap_success_failure_packet_received(
+ const eap_am_network_id_c * const receive_network_id,
+ const eap_code_value_e received_eap_code,
+ const u8_t received_eap_identifier);
+
+ /**
+ * This function indicates the empty Ack packet is received.
+ * This is used in TTLS.
+ * @param receive_network_id includes the addresses (network identity) and packet type.
+ * @param received_eap_identifier is the EAP-Identifier of the received EAP-Success packet.
+ */
+ EAP_FUNC_IMPORT eap_status_e empty_ack_packet_received(
+ const eap_am_network_id_c * const receive_network_id,
+ const u8_t received_eap_identifier);
+
+ /**
+ * Object must indicate it's validity.
+ * If object initialization fails this function must return false.
+ * @return This function returns the validity of this object.
+ */
+ EAP_FUNC_IMPORT bool get_is_valid();
+
+ /**
+ * This function must reset the state of object to same as
+ * state was after the configure() function call.
+ * If object reset succeeds this function must return eap_status_ok.
+ * If object reset fails this function must return corresponding error status.
+ * @return This function returns the status of reset operation.
+ */
+ EAP_FUNC_IMPORT eap_status_e reset();
+
+ /**
+ * This function calculates the required key lengths. This function consults current cipher suite.
+ */
+ EAP_FUNC_IMPORT u32_t get_key_expansion_size(
+ u32_t * const mac_key_length,
+ u32_t * const encryption_key_length,
+ u32_t * const iv_length,
+ u32_t * const session_key_seed_length,
+ u32_t * const mschapv2_challenges_length);
+
+ /**
+ * This function generates the key material for the current cipher suite.
+ */
+ EAP_FUNC_IMPORT eap_status_e generate_key_material();
+
+ EAP_FUNC_IMPORT eap_status_e set_tls_master_secret(
+ const eap_variable_data_c * const master_secret,
+ const eap_variable_data_c * const client_random,
+ const eap_variable_data_c * const server_random);
+
+ /**
+ * This function changes the current cipher suite to negotiated cipher suite.
+ * Parameter send_when_true tells whether the send cipher suite (true) or receive cipher suite (false)
+ * is acquired to be changed.
+ */
+ EAP_FUNC_IMPORT eap_status_e change_cipher_spec(const bool send_when_true);
+
+
+ // This is commented in tls_base_record_c::read_authority_identity().
+ EAP_FUNC_IMPORT eap_status_e read_authority_identity(eap_variable_data_c * const authority_identity_payload);
+
+
+ // This is commented in abs_tls_am_services_c::complete_query_cipher_suites_and_previous_session().
+ EAP_FUNC_IMPORT eap_status_e complete_query_cipher_suites_and_previous_session(
+ const tls_session_type_e session_type,
+ EAP_TEMPLATE_CONST eap_array_c<u16_t> * const cipher_suites,
+ EAP_TEMPLATE_CONST eap_array_c<u8_t> * const compression_methods,
+#if defined(USE_EAP_TLS_SESSION_TICKET)
+ EAP_TEMPLATE_CONST eap_array_c<tls_extension_c> * const tls_extensions,
+#endif // #if defined(USE_EAP_TLS_SESSION_TICKET)
+ const eap_variable_data_c * const resumed_session_id,
+ const eap_variable_data_c * const resumed_master_secret,
+ const tls_cipher_suites_e resumed_cipher_suite,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_select_cipher_suite_and_check_session_id().
+ EAP_FUNC_IMPORT eap_status_e complete_select_cipher_suite_and_check_session_id(
+ const tls_session_type_e session_type,
+ const u16_t selected_cipher_suite,
+ const eap_variable_data_c * const session_id,
+ const eap_variable_data_c * const master_secret,
+#if defined(USE_EAP_TLS_SESSION_TICKET)
+ const tls_extension_c * const new_session_ticket_or_null,
+#endif //#if defined(USE_EAP_TLS_SESSION_TICKET)
+ const eap_status_e completion_status);
+
+#if defined(USE_EAP_TLS_SESSION_TICKET)
+ // This is commented in abs_tls_am_services_c::complete_query_new_session_ticket().
+ EAP_FUNC_IMPORT eap_status_e complete_query_new_session_ticket(
+ const tls_extension_c * const new_session_ticket_or_null);
+#endif //#if defined(USE_EAP_TLS_SESSION_TICKET)
+
+ // This is commented in abs_tls_am_services_c::complete_verify_certificate_chain().
+ EAP_FUNC_IMPORT eap_status_e complete_verify_certificate_chain(
+ const eap_status_e result);
+
+ // This is commented in abs_tls_am_services_c::complete_query_certificate_chain().
+ EAP_FUNC_IMPORT eap_status_e complete_query_certificate_chain(
+ EAP_TEMPLATE_CONST eap_array_c<eap_variable_data_c> * const certificate_chain,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_query_certificate_authorities_and_types().
+ EAP_FUNC_IMPORT eap_status_e complete_query_certificate_authorities_and_types(
+ EAP_TEMPLATE_CONST eap_array_c<eap_variable_data_c> * const authorities,
+ EAP_TEMPLATE_CONST eap_array_c<u8_t> * const types,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_query_dh_parameters().
+ EAP_FUNC_IMPORT eap_status_e complete_query_dh_parameters(
+ const eap_variable_data_c * const dhe_prime,
+ const eap_variable_data_c * const dhe_group_generator,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_query_realm().
+ EAP_FUNC_IMPORT eap_status_e complete_query_realm(
+ const eap_variable_data_c * const realm,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_rsa_encrypt_with_public_key().
+ EAP_FUNC_IMPORT eap_status_e complete_rsa_encrypt_with_public_key(
+ const eap_variable_data_c * const encrypted_premaster_secret,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_rsa_decrypt_with_private_key().
+ EAP_FUNC_IMPORT eap_status_e complete_rsa_decrypt_with_private_key(
+ const eap_variable_data_c * const premaster_secret,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_sign_with_private_key().
+ EAP_FUNC_IMPORT eap_status_e complete_sign_with_private_key(
+ const eap_variable_data_c * const message_hash,
+ const eap_status_e completion_status);
+
+ // This is commented in abs_tls_am_services_c::complete_verify_with_public_key().
+ EAP_FUNC_IMPORT eap_status_e complete_verify_with_public_key(
+ const eap_status_e verify_status);
+
+ // See abs_tls_base_application_c::get_eap_tls_master_session_key().
+ EAP_FUNC_IMPORT eap_status_e get_eap_tls_master_session_key(
+ eap_variable_data_c * const eap_tls_master_session_key,
+ eap_variable_data_c * const mschapv2_challenges
+ );
+
+ EAP_FUNC_IMPORT eap_status_e add_rogue_ap(eap_array_c<eap_rogue_ap_entry_c> & rogue_ap_list);
+
+ // This is documented in abs_tls_base_application_c::set_session_timeout().
+ EAP_FUNC_IMPORT eap_status_e set_session_timeout(
+ const u32_t session_timeout_ms);
+
+#if defined(USE_FAST_EAP_TYPE)
+
+ EAP_FUNC_IMPORT eap_status_e complete_query_tunnel_PAC(
+ const eap_status_e in_completion_status,
+ const eap_fast_pac_type_e in_pac_type,
+ const eap_fast_variable_data_c * const in_tunnel_PAC_key_tlv,
+ const eap_fast_variable_data_c * const in_tunnel_PAC_opaque_tlv);
+
+#endif //#if defined(USE_FAST_EAP_TYPE)
+
+ EAP_FUNC_IMPORT eap_status_e query_ttls_pap_username_and_password(
+ const eap_variable_data_c * const reply_message);
+
+ EAP_FUNC_IMPORT eap_status_e complete_query_ttls_pap_username_and_password(
+ const eap_variable_data_c * const ttls_pap_username,
+ const eap_variable_data_c * const ttls_pap_password,
+ const eap_status_e query_result);
+
+ EAP_FUNC_IMPORT eap_status_e verify_ttls_pap_username_and_password(
+ const eap_variable_data_c * const user_name,
+ const eap_variable_data_c * const user_password);
+
+ EAP_FUNC_IMPORT eap_status_e complete_verify_ttls_pap_username_and_password(
+ const eap_status_e authentication_result,
+ const eap_variable_data_c * const ttls_pap_reply_message);
+
+ //--------------------------------------------------
+}; // class tls_record_c
+
+#endif //#if !defined(_TLS_RECORD_H_)
+
+//--------------------------------------------------
+
+
+
+// End.