
eap_tls.hxx

00001 /* BEGIN_COPYRIGHT                                                        */
00002 /*                                                                        */
00003 /* Open Diameter: Open-source software for the Diameter and               */
00004 /*                Diameter related protocols                              */
00005 /*                                                                        */
00006 /* Copyright (C) 2002-2004 Open Diameter Project                          */
00007 /*                                                                        */
00008 /* This program is free software; you can redistribute it and/or modify   */
00009 /* it under the terms of the GNU General Public License as published by   */
00010 /* the Free Software Foundation; either version 2 of the License, or      */
00011 /* (at your option) any later version.                                    */
00012 /*                                                                        */          
00013 /* This program is distributed in the hope that it will be useful,        */
00014 /* but WITHOUT ANY WARRANTY; without even the implied warranty of         */
00015 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          */
00016 /* GNU General Public License for more details.                           */
00017 /*                                                                        */
00018 /* You should have received a copy of the GNU General Public License      */
00019 /* along with this program; if not, write to the Free Software            */
00020 /* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307    */
00021 /* USA.                                                                   */
00022 /*                                                                        */
00023 /* In addition, when you copy and redistribute some or the entire part of */
00024 /* the source code of this software with or without modification, you     */
00025 /* MUST include this copyright notice in each copy.                       */
00026 /*                                                                        */
00027 /* If you make any changes that are appeared to be useful, please send    */
00028 /* sources that include the changed part to                               */
00029 /* diameter-developers@lists.sourceforge.net so that we can reflect your  */
00030 /* changes to one unified version of this software.                       */
00031 /*                                                                        */
00032 /* END_COPYRIGHT                                                          */
00033 /***************************************************************************
00034                           eap_tls.hxx  -  description
00035                              -------------------
00036     begin                : lun mar 8 2004
00037     copyright            : (C) 2004 by 
00038     email                : 
00039  ***************************************************************************/
00040 
00041 /***************************************************************************
00042  *                                                                         *
00043  *   This program is free software; you can redistribute it and/or modify  *
00044  *   it under the terms of the GNU General Public License as published by  *
00045  *   the Free Software Foundation; either version 2 of the License, or     *
00046  *   (at your option) any later version.                                   *
00047  *                                                                         *
00048  ***************************************************************************/
00049 
00050 #ifndef __EAP_TLS_HXX__
00051 #define __EAP_TLS_HXX__
00052 
00053 
00054 #include <ace/Basic_Types.h>
00055 #include "eap.hxx"
00056 #include "eap_log.hxx"
00057 
00058 
00059 #ifdef WIN32
00060    #if defined(EAP_TLS_EXPORT)
00061        #define EAP_TLS_EXPORTS __declspec(dllexport)
00062    #else
00063        #define EAP_TLS_EXPORTS __declspec(dllimport)
00064    #endif
00065 #else
00066    #define EAP_TLS_EXPORTS
00067    #define EAP_TLS_IMPORTS
00068 #endif
00069 
00070 #ifndef NO_OPENSSL
00071 #include <openssl/err.h>
00072 #if HAVE_OPENSSL_ENGINE_H
00073 #include <openssl/engine.h>
00074 #endif
00075 #include <openssl/ssl.h>
00076 #include <openssl/rand.h>
00077 #endif /* !defined(NO_OPENSSL) */
00078 
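/* Working buffer size. */
#define BUFFER_SIZE 1024
/* Largest TLS record accepted (2^14 octets, the RFC 2246 record limit). */
#define MAX_RECORD_SIZE 16384

/* EAP-TLS message classes exchanged between peer and authenticator. */
#define EAP_TLS_START           1
#define EAP_TLS_ACK             2
#define EAP_TLS_SUCCESS         3
#define EAP_TLS_FAIL            4
#define EAP_TLS_ALERT           9

/* Size in octets of the TLS Message Length field that follows the flags
 * octet when the L bit is set. */
#define TLS_HEADER_LEN          4

/* Readers for the EAP-TLS flags octet (L = 0x80, M = 0x40, S = 0x20);
 * each yields 0 or 1. */
#define TLS_START(x)            (((x) & 0x20) >> 5)
#define TLS_MORE_FRAGMENTS(x)   (((x) & 0x40) >> 6)
#define TLS_LENGTH_INCLUDED(x)  (((x) & 0x80) >> 7)

/* TLS record ContentType tests (RFC 2246: 20, 21, 22).  These compare the
 * whole octet.  The earlier masked form ((x) & 0x14) == 0x14 was a bit
 * test, not an equality test: handshake (22) satisfied the
 * change_cipher_spec test and application_data (23) satisfied all three,
 * so a record could be misclassified depending on the order of checks. */
#define TLS_CHANGE_CIPHER_SPEC(x)       ((x) == 0x14)
#define TLS_ALERT(x)                    ((x) == 0x15)
#define TLS_HANDSHAKE(x)                ((x) == 0x16)

/* Setters for the EAP-TLS flags octet; they return the updated value. */
#define SET_START(x)            ((x) | (0x20))
#define SET_MORE_FRAGMENTS(x)   ((x) | (0x40))
#define SET_LENGTH_INCLUDED(x)  ((x) | (0x80))

/* Length in octets of the TLS master secret. */
#define TLS_MAX_MASTER_KEY_LENGTH               48

/* EAP method type number of EAP-TLS. */
#define TLS_METHOD_TYPE  13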
00107 
00108 
/*
 * Status codes produced while processing EAP-TLS packets.  The values are
 * written out explicitly so that they are stable even if entries are
 * inserted later; the meaning of each is the original author's note.
 */
typedef enum {
        EAPTLS_INVALID = 0,                   /* invalid packet, do not reply */
        EAPTLS_REQUEST = 1,                   /* request: ok to send, invalid to receive */
        EAPTLS_RESPONSE = 2,                  /* response: ok to receive, invalid to send */
        EAPTLS_SUCCESS = 3,                   /* send success */
        EAPTLS_FAIL = 4,                      /* send fail */
        EAPTLS_NOOP = 5,                      /* nothing to do, continue */

        EAPTLS_START = 6,                     /* start: ok to send, invalid to receive */
        EAPTLS_OK = 7,                        /* ok, continue */
        EAPTLS_ACK = 8,                       /* acknowledge, continue */
        EAPTLS_FIRST_FRAGMENT = 9,            /* first fragment */
        EAPTLS_MORE_FRAGMENTS = 10,           /* more fragments, to send/receive */
        EAPTLS_LENGTH_INCLUDED = 11,          /* length field included */
        EAPTLS_MORE_FRAGMENTS_WITH_LENGTH = 12 /* more fragments and length field included */
} eaptls_status_t;
00125 
00126 /* Following enums from rfc2246 */
/* TLS record layer ContentType (RFC 2246 section 6.2.1). */
typedef enum {
    change_cipher_spec = 20,  /* ChangeCipherSpec protocol */
    alert = 21,               /* Alert protocol */
    handshake = 22,           /* Handshake protocol */
    application_data = 23     /* application payload */
} ContentType;
00133 
/* TLS AlertLevel (RFC 2246 section 7.2): a fatal alert ends the session. */
typedef enum {
    warning = 1,
    fatal = 2
} AlertLevel;
00135 
/* TLS AlertDescription codes (RFC 2246 section 7.2), grouped by tens as in
 * the RFC.  Values are the wire encoding and must not be renumbered. */
typedef enum {
    close_notify            = 0,
    unexpected_message      = 10,
    bad_record_mac          = 20,
    decryption_failed       = 21,
    record_overflow         = 22,
    decompression_failure   = 30,
    handshake_failure       = 40,
    bad_certificate         = 42,
    unsupported_certificate = 43,
    certificate_revoked     = 44,
    certificate_expired     = 45,
    certificate_unknown     = 46,
    illegal_parameter       = 47,
    unknown_ca              = 48,
    access_denied           = 49,
    decode_error            = 50,
    decrypt_error           = 51,
    export_restriction      = 60,
    protocol_version        = 70,
    insufficient_security   = 71,
    internal_error          = 80,
    user_canceled           = 90,
    no_renegotiation        = 100
} AlertDescription;
00161 
/* TLS HandshakeType codes (RFC 2246 section 7.4); wire values. */
typedef enum {
    hello_request       = 0,
    client_hello        = 1,
    server_hello        = 2,
    certificate         = 11,
    server_key_exchange = 12,
    certificate_request = 13,
    server_hello_done   = 14,
    certificate_verify  = 15,
    client_key_exchange = 16,
    finished            = 20
} HandshakeType;
00174 
00175 
/* Local names for the OpenSSL handles this module works with.  These
 * typedefs are not inside the NO_OPENSSL guard that protects the OpenSSL
 * includes above, so the header does not build with NO_OPENSSL defined. */
typedef SSL TLS_data;              /* one TLS connection */
typedef SSL_CTX TLS_context;       /* context the connections are created from */
typedef SSL_METHOD TLS_method;     /* protocol version/method selector */
typedef BIO BufferTLS;             /* OpenSSL I/O abstraction used to move records */
typedef DH DH_params;              /* Diffie-Hellman parameters */
typedef AAAMessageBlock EAPTLS_record_t ;  /* buffer holding a TLS record */
00182 
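/*
 * Summary of one TLS record as seen by the EAP-TLS layer: origin, content
 * type, handshake type, alert level and alert description, a free-text
 * description, the record length and the TLS version.  Plain value holder
 * with a getter and a setter per field.
 */
class EAPTLS_info_t
{

  public:

  /* Numeric fields start at zero, the description empty. */
  EAPTLS_info_t() : origin(0), content_type(0), handshake_type(0),
                    alert_level(0), alert_description(0),
                    info_description(""), record_len(0), version(0) {}

  /* Fully initialised summary.  record_len and version arrive as
   * ACE_UINT32 but are stored as ACE_INT32, so a value above the signed
   * range is read back negative by the getters. */
  EAPTLS_info_t(ACE_Byte origin,
                ACE_Byte content_type,
                ACE_Byte handshake_type,
                ACE_Byte alert_level,
                ACE_Byte alert_description,
                const std::string &info_description,
                ACE_UINT32 record_len,
                ACE_UINT32 version)
    : origin(origin), content_type(content_type), handshake_type(handshake_type),
      alert_level(alert_level), alert_description(alert_description),
      info_description(info_description), record_len(record_len), version(version) {}

  void set_origin(ACE_Byte origin) { this->origin = origin; }
  void set_content_type(ACE_Byte content_type) { this->content_type = content_type; }
  void set_handshake_type(ACE_Byte handshake_type) { this->handshake_type = handshake_type; }
  void set_alert_level(ACE_Byte alert_level) { this->alert_level = alert_level; }
  void set_alert_description(ACE_Byte alert_description) { this->alert_description = alert_description; }
  /* Takes a const reference so temporaries and const strings are accepted. */
  void set_info_description(const std::string &info_description) { this->info_description = info_description; }
  void set_record_len(ACE_INT32 record_len) { this->record_len = record_len; }
  void set_version(ACE_INT32 version) { this->version = version; }

  /* Getters are const so the summary can be read through a const object. */
  ACE_Byte get_origin() const { return origin; }
  ACE_Byte get_content_type() const { return content_type; }
  ACE_Byte get_handshake_type() const { return handshake_type; }
  ACE_Byte get_alert_level() const { return alert_level; }
  ACE_Byte get_alert_description() const { return alert_description; }
  std::string &get_info_description() { return info_description; }
  const std::string &get_info_description() const { return info_description; }
  ACE_INT32 get_record_len() const { return record_len; }
  ACE_INT32 get_version() const { return version; }


  protected:
  ACE_Byte origin;
  ACE_Byte content_type;        /* TLS ContentType of the record */
  ACE_Byte handshake_type;      /* TLS HandshakeType, when the record is a handshake */
  ACE_Byte alert_level;         /* TLS AlertLevel, when the record is an alert */
  ACE_Byte alert_description;   /* TLS AlertDescription, when the record is an alert */
  std::string info_description; /* free-text description */
  ACE_INT32 record_len;
  ACE_INT32 version;
};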
00231 
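/*
 * Static EAP-TLS configuration: key material locations, trust anchors,
 * key sizes, verification depth and fragmentation settings.  Every value
 * is supplied at construction time; read_config() is still a stub.
 *
 * private_key_password is kept in memory for the lifetime of the object;
 * the destructor scrubs it on a best-effort basis.
 */
class EAPTLS_config
{
    public:
    /* Strings are taken by const reference so callers may pass temporaries
     * or const strings; each is copied into the object.
     * NOTE(review): the meaning of rsa_key, dh_key and file_type is not
     * visible in this header -- see the .cxx before relying on them. */
    EAPTLS_config(const std::string &private_key_password,
                  const std::string &private_key_file,
                  const std::string &certificate_file,
                  const std::string &random_file,
                  const std::string &ca_path,
                  const std::string &ca_file,
                  const std::string &dh_file,
                  ACE_INT32 rsa_key,
                  ACE_INT32 dh_key,
                  ACE_INT32 rsa_key_length,
                  ACE_INT32 dh_key_length,
                  ACE_INT32 verify_depth,
                  ACE_INT32 file_type,
                  bool include_length,
                  ACE_INT32 fragment_size)
        : private_key_password(private_key_password),
          private_key_file(private_key_file),
          certificate_file(certificate_file),
          random_file(random_file),
          ca_path(ca_path),
          ca_file(ca_file),
          dh_file(dh_file),
          rsa_key(rsa_key),
          dh_key(dh_key),
          rsa_key_length(rsa_key_length),
          dh_key_length(dh_key_length),
          verify_depth(verify_depth),
          file_type(file_type),
          include_length(include_length),
          fragment_size(fragment_size)
    {
    }

    /* Best-effort scrub of the private key password before its storage is
     * handed back to the allocator.  The writes go through a volatile
     * pointer so they are not dropped as dead stores.  std::string may have
     * copied the password earlier (e.g. on reallocation or via the copy
     * constructor), so this reduces exposure rather than guaranteeing it. */
    ~EAPTLS_config()
    {
        if (!private_key_password.empty()) {
            volatile char *p = &private_key_password[0];
            for (std::string::size_type i = 0; i < private_key_password.size(); ++i) {
                p[i] = '\0';
            }
        }
    }

    /* TODO: read all of these parameters from an XML file.  Currently a no-op. */
    void read_config(const std::string &config_file) {}

    std::string &get_private_key_password() { return private_key_password; }
    std::string &get_private_key_file() { return private_key_file; }
    std::string &get_certificate_file() { return certificate_file; }
    std::string &get_random_file() { return random_file; }
    std::string &get_ca_path() { return ca_path; }
    std::string &get_ca_file() { return ca_file; }
    std::string &get_dh_file() { return dh_file; }
    ACE_INT32 get_rsa_key() const { return rsa_key; }
    ACE_INT32 get_dh_key() const { return dh_key; }
    ACE_INT32 get_rsa_key_length() const { return rsa_key_length; }
    ACE_INT32 get_dh_key_length() const { return dh_key_length; }
    ACE_INT32 get_verify_depth() const { return verify_depth; }
    ACE_INT32 get_file_type() const { return file_type; }
    bool get_include_length() const { return include_length; }
    ACE_INT32 get_fragment_size() const { return fragment_size; }

    protected:
          std::string private_key_password;  /* passphrase protecting private_key_file */
          std::string private_key_file;
          std::string certificate_file;
          std::string random_file;           /* seed file for the PRNG */
          std::string ca_path;               /* directory of trusted CA certificates */
          std::string ca_file;               /* file of trusted CA certificates */
          std::string dh_file;               /* Diffie-Hellman parameters */
          ACE_INT32 rsa_key;
          ACE_INT32 dh_key;
          ACE_INT32 rsa_key_length;
          ACE_INT32 dh_key_length;
          ACE_INT32 verify_depth;            /* maximum certificate chain depth accepted */
          ACE_INT32 file_type;
          bool include_length;               /* set the L bit and send the TLS Message Length */
          ACE_INT32 fragment_size;           /* maximum TLS data per EAP packet */
};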
00302 
00303 
00304 /* This class gets stored in arg */
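/*
 * Owner of the method's TLS state: the EAP-TLS configuration and the
 * OpenSSL context built from it.  The destructor releases both, so two
 * objects must never share the same pointers -- do not copy instances,
 * pass them around by pointer.
 */
class EAPTLS_tls_t
{
  public:
  EAPTLS_tls_t() : conf(NULL), ctx(NULL) {}
  /* Takes ownership: conf must have been allocated with new, ctx must be a
   * reference obtained from OpenSSL (e.g. SSL_CTX_new) that this object is
   * entitled to release. */
  EAPTLS_tls_t(EAPTLS_config *conf, TLS_context *ctx) : conf(conf), ctx(ctx) {}
  virtual ~EAPTLS_tls_t()
  {
    delete conf;  /* delete on NULL is a no-op */
    /* TLS_context is OpenSSL's SSL_CTX.  It is not allocated with new, so it
     * must be released with SSL_CTX_free, which also drops the reference the
     * context holds on its certificates, keys and sessions.  The earlier
     * "delete ctx" mixed allocators and left that content unreleased. */
    if (ctx != NULL) {
      SSL_CTX_free(ctx);
    }
  }
  EAPTLS_config *get_config() { return conf; }
  TLS_context *get_tls_context() { return ctx; }
  protected:
  EAPTLS_config *conf;  /* owned */
  TLS_context *ctx;     /* owned */
};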
00317 
00318 /*
00319  * From rfc
00320    Flags
00321 
00322       0 1 2 3 4 5 6 7 8
00323       +-+-+-+-+-+-+-+-+
00324       |L M S R R R R R|
00325       +-+-+-+-+-+-+-+-+
00326 
00327       L = Length included
00328       M = More fragments
00329       S = EAP-TLS start
00330       R = Reserved
00331 
00332       The L bit (length included) is set to indicate the presence of the
00333       four octet TLS Message Length field, and MUST be set for the first
00334       fragment of a fragmented TLS message or set of messages. The M bit
00335       (more fragments) is set on all but the last fragment. The S bit
00336       (EAP-TLS start) is set in an EAP-TLS Start message.  This
00337       differentiates the EAP-TLS Start message from a fragment
00338       acknowledgement.
00339 
00340    TLS Message Length
00341 
00342       The TLS Message Length field is four octets, and is present only
00343       if the L bit is set. This field provides the total length of the
00344       TLS message or set of messages that is being fragmented.
00345 
00346    TLS data
00347 
00348       The TLS data consists of the encapsulated TLS packet in TLS record
00349       format.
00350  *
00351  * The data structures defined here map only to the type-data
00352  * portion of the EAP packet.
00353  *
00354  * When the L bit is set, the first 4 bytes of the data carry the TLS Message Length.
00355  */
00356 
00357 
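/*
 * Type-data of an EAP-TLS Request packet (EAP type TLS_METHOD_TYPE): the
 * flags octet, the optional TLS Message Length and the TLS data.  See the
 * "Flags" layout quoted above for the meaning of the L, M and S bits.
 */
class EAP_TLS_EXPORTS EapRequestTls: public EapRequest
{
public:
  /* Every member is initialised here.  tls_message_length in particular
   * starts at 0 instead of being left indeterminate, so
   * get_tls_message_length() has a defined value even when no length
   * field was parsed (L bit clear). */
  EapRequestTls(ACE_Byte flags)
    : EapRequest(EapType(TLS_METHOD_TYPE)),
      is_ack(false), flags(flags), tls_message_length(0), data(NULL) {}

  ACE_Byte get_flags() const { return flags; }
  /* Only meaningful when TLS_LENGTH_INCLUDED(get_flags()) is set. */
  ACE_UINT32 get_tls_message_length() const { return tls_message_length; }
  AAAMessageBlock *get_data() { return this->data; }
  bool get_is_ack() const { return is_ack; }
  void set_flags(ACE_Byte flags) { this->flags = flags; }
  void set_is_ack(bool is_ack) { this->is_ack = is_ack; }
  void set_tls_message_length(ACE_UINT32 tls_message_length) { this->tls_message_length = tls_message_length; }
  /* Stores data and releases the reference held to the previous block.
   * NOTE(review): no destructor releases the last block, so the owner of
   * that final reference must be identified in the callers before a
   * destructor is added here. */
  void set_data(AAAMessageBlock *data)
  {
    if (this->data) this->data->release();
    this->data = data;
  }

protected:
  bool is_ack;                    /* set by the caller via set_is_ack() */
  ACE_Byte flags;                 /* L/M/S flag bits, see the TLS_* macros */
  ACE_UINT32 tls_message_length;  /* TLS Message Length field, 0 until set */
  AAAMessageBlock *data;          /* TLS data carried in this packet, or NULL */
};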
00392 
/*
 * Type-data of an EAP-TLS Response packet.  It carries the same fields as
 * the Request (flags, optional TLS Message Length, TLS data), so it reuses
 * EapRequestTls unchanged and only forwards the flags octet.
 */
class EAP_TLS_EXPORTS EapResponseTls: public EapRequestTls
{
public:
  EapResponseTls(ACE_Byte flags)
    : EapRequestTls(flags)
  {
  }
};
00399 
00400 #endif // __EAP_TLS_HXX__
00401 
00402 
00403 
00404 
00405 
