1 /* 2 * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "eap_i.h" 15 #include "eap_tls_common.h" 16 #include "eap_config.h" 17 18 19 static struct wpabuf * eap_tls_msg_alloc(enum eap_type type, size_t payload_len, 20 u8 code, u8 identifier) 21 { 22 if (type == EAP_UNAUTH_TLS_TYPE) 23 return eap_msg_alloc(EAP_VENDOR_UNAUTH_TLS, 24 EAP_VENDOR_TYPE_UNAUTH_TLS, payload_len, 25 code, identifier); 26 if (type == EAP_WFA_UNAUTH_TLS_TYPE) 27 return eap_msg_alloc(EAP_VENDOR_WFA_NEW, 28 EAP_VENDOR_WFA_UNAUTH_TLS, payload_len, 29 code, identifier); 30 return eap_msg_alloc(EAP_VENDOR_IETF, type, payload_len, code, 31 identifier); 32 } 33 34 35 static int eap_tls_check_blob(struct eap_sm *sm, const char **name, 36 const u8 **data, size_t *data_len) 37 { 38 const struct wpa_config_blob *blob; 39 40 if (*name == NULL || os_strncmp(*name, "blob://", 7) != 0) 41 return 0; 42 43 blob = eap_get_config_blob(sm, *name + 7); 44 if (blob == NULL) { 45 wpa_printf(MSG_ERROR, "%s: Named configuration blob '%s' not " 46 "found", __func__, *name + 7); 47 return -1; 48 } 49 50 *name = NULL; 51 *data = blob->data; 52 *data_len = blob->len; 53 54 return 0; 55 } 56 57 58 static void eap_tls_params_flags(struct tls_connection_params *params, 59 const char *txt) 60 { 61 if (txt == NULL) 62 return; 63 if (os_strstr(txt, "tls_allow_md5=1")) 64 params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5; 65 if (os_strstr(txt, "tls_disable_time_checks=1")) 66 params->flags |= TLS_CONN_DISABLE_TIME_CHECKS; 67 if (os_strstr(txt, "tls_disable_session_ticket=1")) 68 params->flags |= TLS_CONN_DISABLE_SESSION_TICKET; 69 if (os_strstr(txt, "tls_disable_session_ticket=0")) 70 params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET; 71 if (os_strstr(txt, "tls_disable_tlsv1_0=1")) 72 params->flags |= TLS_CONN_DISABLE_TLSv1_0; 73 if (os_strstr(txt, "tls_disable_tlsv1_0=0")) { 74 params->flags &= ~TLS_CONN_DISABLE_TLSv1_0; 75 params->flags |= TLS_CONN_ENABLE_TLSv1_0; 76 } 77 if (os_strstr(txt, "tls_disable_tlsv1_1=1")) 78 params->flags |= TLS_CONN_DISABLE_TLSv1_1; 79 if (os_strstr(txt, "tls_disable_tlsv1_1=0")) { 80 params->flags &= ~TLS_CONN_DISABLE_TLSv1_1; 81 params->flags |= TLS_CONN_ENABLE_TLSv1_1; 82 } 83 if (os_strstr(txt, "tls_disable_tlsv1_2=1")) 84 params->flags |= TLS_CONN_DISABLE_TLSv1_2; 85 if (os_strstr(txt, "tls_disable_tlsv1_2=0")) { 86 params->flags &= ~TLS_CONN_DISABLE_TLSv1_2; 87 params->flags |= TLS_CONN_ENABLE_TLSv1_2; 88 } 89 if (os_strstr(txt, "tls_disable_tlsv1_3=1")) 90 params->flags |= TLS_CONN_DISABLE_TLSv1_3; 91 if (os_strstr(txt, "tls_disable_tlsv1_3=0")) 92 params->flags &= ~TLS_CONN_DISABLE_TLSv1_3; 93 if (os_strstr(txt, "tls_ext_cert_check=1")) 94 params->flags |= TLS_CONN_EXT_CERT_CHECK; 95 if (os_strstr(txt, "tls_ext_cert_check=0")) 96 params->flags &= ~TLS_CONN_EXT_CERT_CHECK; 97 if (os_strstr(txt, "tls_suiteb=1")) 98 params->flags |= TLS_CONN_SUITEB; 99 if (os_strstr(txt, "tls_suiteb=0")) 100 params->flags &= ~TLS_CONN_SUITEB; 101 if (os_strstr(txt, "tls_suiteb_no_ecdh=1")) 102 params->flags |= TLS_CONN_SUITEB_NO_ECDH; 103 if (os_strstr(txt, "tls_suiteb_no_ecdh=0")) 104 params->flags &= ~TLS_CONN_SUITEB_NO_ECDH; 105 if (os_strstr(txt, "allow_unsafe_renegotiation=1")) 106 params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION; 107 if (os_strstr(txt, "allow_unsafe_renegotiation=0")) 108 params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION; 109 } 110 111 112 static void eap_tls_cert_params_from_conf(struct tls_connection_params *params, 113 struct eap_peer_cert_config *config) 114 { 115 params->ca_cert = config->ca_cert; 116 params->ca_path = config->ca_path; 117 params->client_cert = config->client_cert; 118 params->private_key = config->private_key; 119 params->private_key_passwd = config->private_key_passwd; 120 params->subject_match = config->subject_match; 121 params->altsubject_match = config->altsubject_match; 122 params->check_cert_subject = config->check_cert_subject; 123 params->suffix_match = config->domain_suffix_match; 124 params->domain_match = config->domain_match; 125 params->engine = config->engine; 126 params->engine_id = config->engine_id; 127 params->pin = config->pin; 128 params->key_id = config->key_id; 129 params->cert_id = config->cert_id; 130 params->ca_cert_id = config->ca_cert_id; 131 if (config->ocsp) 132 params->flags |= TLS_CONN_REQUEST_OCSP; 133 if (config->ocsp >= 2) 134 params->flags |= TLS_CONN_REQUIRE_OCSP; 135 if (config->ocsp == 3) 136 params->flags |= TLS_CONN_REQUIRE_OCSP_ALL; 137 } 138 139 140 static void eap_tls_params_from_conf1(struct tls_connection_params *params, 141 struct eap_peer_config *config) 142 { 143 eap_tls_cert_params_from_conf(params, &config->cert); 144 eap_tls_params_flags(params, config->phase1); 145 } 146 147 148 static void eap_tls_params_from_conf2(struct tls_connection_params *params, 149 struct eap_peer_config *config) 150 { 151 eap_tls_cert_params_from_conf(params, &config->phase2_cert); 152 eap_tls_params_flags(params, config->phase2); 153 } 154 155 156 static void eap_tls_params_from_conf2m(struct tls_connection_params *params, 157 struct eap_peer_config *config) 158 { 159 eap_tls_cert_params_from_conf(params, &config->machine_cert); 160 eap_tls_params_flags(params, config->machine_phase2); 161 } 162 163 164 static int eap_tls_params_from_conf(struct eap_sm *sm, 165 struct eap_ssl_data *data, 166 struct tls_connection_params *params, 167 struct eap_peer_config *config, int phase2) 168 { 169 os_memset(params, 0, sizeof(*params)); 170 if (sm->workaround && data->eap_type != EAP_TYPE_FAST && 171 data->eap_type != EAP_TYPE_TEAP) { 172 /* 173 * Some deployed authentication servers seem to be unable to 174 * handle the TLS Session Ticket extension (they are supposed 175 * to ignore unrecognized TLS extensions, but end up rejecting 176 * the ClientHello instead). As a workaround, disable use of 177 * TLS Sesson Ticket extension for EAP-TLS, EAP-PEAP, and 178 * EAP-TTLS (EAP-FAST uses session ticket, so any server that 179 * supports EAP-FAST does not need this workaround). 180 */ 181 params->flags |= TLS_CONN_DISABLE_SESSION_TICKET; 182 } 183 if (data->eap_type == EAP_TYPE_TEAP) { 184 /* RFC 7170 requires TLS v1.2 or newer to be used with TEAP */ 185 params->flags |= TLS_CONN_DISABLE_TLSv1_0 | 186 TLS_CONN_DISABLE_TLSv1_1; 187 if (config->teap_anon_dh) 188 params->flags |= TLS_CONN_TEAP_ANON_DH; 189 } 190 if (data->eap_type == EAP_TYPE_FAST || 191 data->eap_type == EAP_TYPE_TEAP || 192 data->eap_type == EAP_TYPE_TTLS || 193 data->eap_type == EAP_TYPE_PEAP) { 194 /* The current EAP peer implementation is not yet ready for the 195 * TLS v1.3 changes, so disable this by default for now. */ 196 params->flags |= TLS_CONN_DISABLE_TLSv1_3; 197 } 198 #ifndef EAP_TLSV1_3 199 if (data->eap_type == EAP_TYPE_TLS || 200 data->eap_type == EAP_UNAUTH_TLS_TYPE || 201 data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) { 202 /* While the current EAP-TLS implementation is more or less 203 * complete for TLS v1.3, there has been only minimal 204 * interoperability testing with other implementations, so 205 * disable it by default for now until there has been chance to 206 * confirm that no significant interoperability issues show up 207 * with TLS version update. 208 */ 209 params->flags |= TLS_CONN_DISABLE_TLSv1_3; 210 } 211 #endif /* EAP_TLSV1_3 */ 212 if (phase2 && sm->use_machine_cred) { 213 wpa_printf(MSG_DEBUG, "TLS: using machine config options"); 214 eap_tls_params_from_conf2m(params, config); 215 } else if (phase2) { 216 wpa_printf(MSG_DEBUG, "TLS: using phase2 config options"); 217 eap_tls_params_from_conf2(params, config); 218 } else { 219 wpa_printf(MSG_DEBUG, "TLS: using phase1 config options"); 220 eap_tls_params_from_conf1(params, config); 221 if (data->eap_type == EAP_TYPE_FAST) 222 params->flags |= TLS_CONN_EAP_FAST; 223 } 224 225 /* 226 * Use blob data, if available. Otherwise, leave reference to external 227 * file as-is. 228 */ 229 if (eap_tls_check_blob(sm, ¶ms->ca_cert, ¶ms->ca_cert_blob, 230 ¶ms->ca_cert_blob_len) || 231 eap_tls_check_blob(sm, ¶ms->client_cert, 232 ¶ms->client_cert_blob, 233 ¶ms->client_cert_blob_len) || 234 eap_tls_check_blob(sm, ¶ms->private_key, 235 ¶ms->private_key_blob, 236 ¶ms->private_key_blob_len)) { 237 wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs"); 238 return -1; 239 } 240 241 params->openssl_ciphers = config->openssl_ciphers; 242 243 sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); 244 245 if (!phase2) 246 data->client_cert_conf = params->client_cert || 247 params->client_cert_blob || 248 params->private_key || 249 params->private_key_blob; 250 251 return 0; 252 } 253 254 255 static int eap_tls_init_connection(struct eap_sm *sm, 256 struct eap_ssl_data *data, 257 struct eap_peer_config *config, 258 struct tls_connection_params *params) 259 { 260 int res; 261 262 data->conn = tls_connection_init(data->ssl_ctx); 263 if (data->conn == NULL) { 264 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS " 265 "connection"); 266 return -1; 267 } 268 269 res = tls_connection_set_params(data->ssl_ctx, data->conn, params); 270 if (res == TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN) { 271 /* 272 * At this point with the pkcs11 engine the PIN is wrong. We 273 * reset the PIN in the configuration to be sure to not use it 274 * again and the calling function must request a new one. 275 */ 276 wpa_printf(MSG_INFO, 277 "TLS: Bad PIN provided, requesting a new one"); 278 os_free(config->cert.pin); 279 config->cert.pin = NULL; 280 eap_sm_request_pin(sm); 281 sm->ignore = true; 282 } else if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) { 283 wpa_printf(MSG_INFO, "TLS: Failed to initialize engine"); 284 } else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) { 285 wpa_printf(MSG_INFO, "TLS: Failed to load private key"); 286 sm->ignore = true; 287 } 288 if (res) { 289 wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection " 290 "parameters"); 291 tls_connection_deinit(data->ssl_ctx, data->conn); 292 data->conn = NULL; 293 return -1; 294 } 295 296 return 0; 297 } 298 299 300 /** 301 * eap_peer_tls_ssl_init - Initialize shared TLS functionality 302 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 303 * @data: Data for TLS processing 304 * @config: Pointer to the network configuration 305 * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST) 306 * Returns: 0 on success, -1 on failure 307 * 308 * This function is used to initialize shared TLS functionality for EAP-TLS, 309 * EAP-PEAP, EAP-TTLS, and EAP-FAST. 310 */ 311 int eap_peer_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, 312 struct eap_peer_config *config, u8 eap_type) 313 { 314 struct tls_connection_params params; 315 316 if (config == NULL) 317 return -1; 318 319 data->eap = sm; 320 data->eap_type = eap_type; 321 data->phase2 = sm->init_phase2; 322 data->ssl_ctx = sm->init_phase2 && sm->ssl_ctx2 ? sm->ssl_ctx2 : 323 sm->ssl_ctx; 324 if (eap_tls_params_from_conf(sm, data, ¶ms, config, data->phase2) < 325 0) 326 return -1; 327 328 if (eap_tls_init_connection(sm, data, config, ¶ms) < 0) 329 return -1; 330 331 data->tls_out_limit = config->fragment_size; 332 if (data->phase2) { 333 /* Limit the fragment size in the inner TLS authentication 334 * since the outer authentication with EAP-PEAP does not yet 335 * support fragmentation */ 336 if (data->tls_out_limit > 100) 337 data->tls_out_limit -= 100; 338 } 339 340 if (config->phase1 && 341 os_strstr(config->phase1, "include_tls_length=1")) { 342 wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in " 343 "unfragmented packets"); 344 data->include_tls_length = 1; 345 } 346 347 return 0; 348 } 349 350 351 /** 352 * eap_peer_tls_ssl_deinit - Deinitialize shared TLS functionality 353 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 354 * @data: Data for TLS processing 355 * 356 * This function deinitializes shared TLS functionality that was initialized 357 * with eap_peer_tls_ssl_init(). 358 */ 359 void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) 360 { 361 tls_connection_deinit(data->ssl_ctx, data->conn); 362 eap_peer_tls_reset_input(data); 363 eap_peer_tls_reset_output(data); 364 } 365 366 367 /** 368 * eap_peer_tls_derive_key - Derive a key based on TLS session data 369 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 370 * @data: Data for TLS processing 371 * @label: Label string for deriving the keys, e.g., "client EAP encryption" 372 * @context: Optional extra upper-layer context (max len 2^16) 373 * @context_len: The length of the context value 374 * @len: Length of the key material to generate (usually 64 for MSK) 375 * Returns: Pointer to allocated key on success or %NULL on failure 376 * 377 * This function uses TLS-PRF to generate pseudo-random data based on the TLS 378 * session data (client/server random and master key). Each key type may use a 379 * different label to bind the key usage into the generated material. 380 * 381 * The caller is responsible for freeing the returned buffer. 382 * 383 * Note: To provide the RFC 5705 context, the context variable must be non-NULL. 384 */ 385 u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, 386 const char *label, const u8 *context, 387 size_t context_len, size_t len) 388 { 389 u8 *out; 390 391 out = os_malloc(len); 392 if (out == NULL) 393 return NULL; 394 395 if (tls_connection_export_key(data->ssl_ctx, data->conn, label, 396 context, context_len, out, len)) { 397 os_free(out); 398 return NULL; 399 } 400 401 return out; 402 } 403 404 405 /** 406 * eap_peer_tls_derive_session_id - Derive a Session-Id based on TLS data 407 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 408 * @data: Data for TLS processing 409 * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST) 410 * @len: Pointer to length of the session ID generated 411 * Returns: Pointer to allocated Session-Id on success or %NULL on failure 412 * 413 * This function derive the Session-Id based on the TLS session data 414 * (client/server random and method type). 415 * 416 * The caller is responsible for freeing the returned buffer. 417 */ 418 u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm, 419 struct eap_ssl_data *data, u8 eap_type, 420 size_t *len) 421 { 422 struct tls_random keys; 423 u8 *out; 424 425 if (data->tls_v13) { 426 u8 *id, *method_id; 427 const u8 context[] = { eap_type }; 428 429 /* Session-Id = <EAP-Type> || Method-Id 430 * Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id", 431 * Type-Code, 64) 432 */ 433 *len = 1 + 64; 434 id = os_malloc(*len); 435 if (!id) 436 return NULL; 437 method_id = eap_peer_tls_derive_key( 438 sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64); 439 if (!method_id) { 440 os_free(id); 441 return NULL; 442 } 443 id[0] = eap_type; 444 os_memcpy(id + 1, method_id, 64); 445 os_free(method_id); 446 return id; 447 } 448 449 if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys) || 450 keys.client_random == NULL || keys.server_random == NULL) 451 return NULL; 452 453 *len = 1 + keys.client_random_len + keys.server_random_len; 454 out = os_malloc(*len); 455 if (out == NULL) 456 return NULL; 457 458 /* Session-Id = EAP type || client.random || server.random */ 459 out[0] = eap_type; 460 os_memcpy(out + 1, keys.client_random, keys.client_random_len); 461 os_memcpy(out + 1 + keys.client_random_len, keys.server_random, 462 keys.server_random_len); 463 464 return out; 465 } 466 467 468 /** 469 * eap_peer_tls_reassemble_fragment - Reassemble a received fragment 470 * @data: Data for TLS processing 471 * @in_data: Next incoming TLS segment 472 * Returns: 0 on success, 1 if more data is needed for the full message, or 473 * -1 on error 474 */ 475 static int eap_peer_tls_reassemble_fragment(struct eap_ssl_data *data, 476 const struct wpabuf *in_data) 477 { 478 size_t tls_in_len, in_len; 479 480 tls_in_len = data->tls_in ? wpabuf_len(data->tls_in) : 0; 481 in_len = in_data ? wpabuf_len(in_data) : 0; 482 483 if (tls_in_len + in_len == 0) { 484 /* No message data received?! */ 485 wpa_printf(MSG_WARNING, "SSL: Invalid reassembly state: " 486 "tls_in_left=%lu tls_in_len=%lu in_len=%lu", 487 (unsigned long) data->tls_in_left, 488 (unsigned long) tls_in_len, 489 (unsigned long) in_len); 490 eap_peer_tls_reset_input(data); 491 return -1; 492 } 493 494 if (tls_in_len + in_len > 65536) { 495 /* 496 * Limit length to avoid rogue servers from causing large 497 * memory allocations. 498 */ 499 wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size over " 500 "64 kB)"); 501 eap_peer_tls_reset_input(data); 502 return -1; 503 } 504 505 if (in_len > data->tls_in_left) { 506 /* Sender is doing something odd - reject message */ 507 wpa_printf(MSG_INFO, "SSL: more data than TLS message length " 508 "indicated"); 509 eap_peer_tls_reset_input(data); 510 return -1; 511 } 512 513 if (wpabuf_resize(&data->tls_in, in_len) < 0) { 514 wpa_printf(MSG_INFO, "SSL: Could not allocate memory for TLS " 515 "data"); 516 eap_peer_tls_reset_input(data); 517 return -1; 518 } 519 if (in_data) 520 wpabuf_put_buf(data->tls_in, in_data); 521 data->tls_in_left -= in_len; 522 523 if (data->tls_in_left > 0) { 524 wpa_printf(MSG_DEBUG, "SSL: Need %lu bytes more input " 525 "data", (unsigned long) data->tls_in_left); 526 return 1; 527 } 528 529 return 0; 530 } 531 532 533 /** 534 * eap_peer_tls_data_reassemble - Reassemble TLS data 535 * @data: Data for TLS processing 536 * @in_data: Next incoming TLS segment 537 * @need_more_input: Variable for returning whether more input data is needed 538 * to reassemble this TLS packet 539 * Returns: Pointer to output data, %NULL on error or when more data is needed 540 * for the full message (in which case, *need_more_input is also set to 1). 541 * 542 * This function reassembles TLS fragments. Caller must not free the returned 543 * data buffer since an internal pointer to it is maintained. 544 */ 545 static const struct wpabuf * eap_peer_tls_data_reassemble( 546 struct eap_ssl_data *data, const struct wpabuf *in_data, 547 int *need_more_input) 548 { 549 *need_more_input = 0; 550 551 if (data->tls_in_left > wpabuf_len(in_data) || data->tls_in) { 552 /* Message has fragments */ 553 int res = eap_peer_tls_reassemble_fragment(data, in_data); 554 if (res) { 555 if (res == 1) 556 *need_more_input = 1; 557 return NULL; 558 } 559 560 /* Message is now fully reassembled. */ 561 } else { 562 /* No fragments in this message, so just make a copy of it. */ 563 data->tls_in_left = 0; 564 data->tls_in = wpabuf_dup(in_data); 565 if (data->tls_in == NULL) 566 return NULL; 567 } 568 569 return data->tls_in; 570 } 571 572 573 /** 574 * eap_tls_process_input - Process incoming TLS message 575 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 576 * @data: Data for TLS processing 577 * @in_data: Message received from the server 578 * @out_data: Buffer for returning a pointer to application data (if available) 579 * Returns: 0 on success, 1 if more input data is needed, 2 if application data 580 * is available, -1 on failure 581 */ 582 static int eap_tls_process_input(struct eap_sm *sm, struct eap_ssl_data *data, 583 const struct wpabuf *in_data, 584 struct wpabuf **out_data) 585 { 586 const struct wpabuf *msg; 587 int need_more_input; 588 struct wpabuf *appl_data; 589 590 msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input); 591 if (msg == NULL) 592 return need_more_input ? 1 : -1; 593 594 /* Full TLS message reassembled - continue handshake processing */ 595 if (data->tls_out) { 596 /* This should not happen.. */ 597 wpa_printf(MSG_INFO, "SSL: eap_tls_process_input - pending " 598 "tls_out data even though tls_out_len = 0"); 599 wpabuf_free(data->tls_out); 600 WPA_ASSERT(data->tls_out == NULL); 601 } 602 appl_data = NULL; 603 data->tls_out = tls_connection_handshake(data->ssl_ctx, data->conn, 604 msg, &appl_data); 605 606 eap_peer_tls_reset_input(data); 607 608 if (appl_data && 609 tls_connection_established(data->ssl_ctx, data->conn) && 610 !tls_connection_get_failed(data->ssl_ctx, data->conn)) { 611 wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application data", 612 appl_data); 613 *out_data = appl_data; 614 return 2; 615 } 616 617 wpabuf_free(appl_data); 618 619 return 0; 620 } 621 622 623 /** 624 * eap_tls_process_output - Process outgoing TLS message 625 * @data: Data for TLS processing 626 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...) 627 * @peap_version: Version number for EAP-PEAP/TTLS 628 * @id: EAP identifier for the response 629 * @ret: Return value to use on success 630 * @out_data: Buffer for returning the allocated output buffer 631 * Returns: ret (0 or 1) on success, -1 on failure 632 */ 633 static int eap_tls_process_output(struct eap_ssl_data *data, 634 enum eap_type eap_type, 635 int peap_version, u8 id, int ret, 636 struct wpabuf **out_data) 637 { 638 size_t len; 639 u8 *flags; 640 int more_fragments, length_included; 641 642 if (data->tls_out == NULL) 643 return -1; 644 len = wpabuf_len(data->tls_out) - data->tls_out_pos; 645 wpa_printf(MSG_DEBUG, "SSL: %lu bytes left to be sent out (of total " 646 "%lu bytes)", 647 (unsigned long) len, 648 (unsigned long) wpabuf_len(data->tls_out)); 649 650 /* 651 * Limit outgoing message to the configured maximum size. Fragment 652 * message if needed. 653 */ 654 if (len > data->tls_out_limit) { 655 more_fragments = 1; 656 len = data->tls_out_limit; 657 wpa_printf(MSG_DEBUG, "SSL: sending %lu bytes, more fragments " 658 "will follow", (unsigned long) len); 659 } else 660 more_fragments = 0; 661 662 length_included = data->tls_out_pos == 0 && 663 (wpabuf_len(data->tls_out) > data->tls_out_limit || 664 data->include_tls_length); 665 if (!length_included && 666 eap_type == EAP_TYPE_PEAP && peap_version == 0 && 667 !tls_connection_established(data->eap->ssl_ctx, data->conn)) { 668 /* 669 * Windows Server 2008 NPS really wants to have the TLS Message 670 * length included in phase 0 even for unfragmented frames or 671 * it will get very confused with Compound MAC calculation and 672 * Outer TLVs. 673 */ 674 length_included = 1; 675 } 676 677 *out_data = eap_tls_msg_alloc(eap_type, 1 + length_included * 4 + len, 678 EAP_CODE_RESPONSE, id); 679 if (*out_data == NULL) 680 return -1; 681 682 flags = wpabuf_put(*out_data, 1); 683 *flags = peap_version; 684 if (more_fragments) 685 *flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS; 686 if (length_included) { 687 *flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED; 688 wpabuf_put_be32(*out_data, wpabuf_len(data->tls_out)); 689 } 690 691 wpabuf_put_data(*out_data, 692 wpabuf_head_u8(data->tls_out) + data->tls_out_pos, 693 len); 694 data->tls_out_pos += len; 695 696 if (!more_fragments) 697 eap_peer_tls_reset_output(data); 698 699 return ret; 700 } 701 702 703 /** 704 * eap_peer_tls_process_helper - Process TLS handshake message 705 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 706 * @data: Data for TLS processing 707 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...) 708 * @peap_version: Version number for EAP-PEAP/TTLS 709 * @id: EAP identifier for the response 710 * @in_data: Message received from the server 711 * @out_data: Buffer for returning a pointer to the response message 712 * Returns: 0 on success, 1 if more input data is needed, 2 if application data 713 * is available, or -1 on failure 714 * 715 * This function can be used to process TLS handshake messages. It reassembles 716 * the received fragments and uses a TLS library to process the messages. The 717 * response data from the TLS library is fragmented to suitable output messages 718 * that the caller can send out. 719 * 720 * out_data is used to return the response message if the return value of this 721 * function is 0, 2, or -1. In case of failure, the message is likely a TLS 722 * alarm message. The caller is responsible for freeing the allocated buffer if 723 * *out_data is not %NULL. 724 * 725 * This function is called for each received TLS message during the TLS 726 * handshake after eap_peer_tls_process_init() call and possible processing of 727 * TLS Flags field. Once the handshake has been completed, i.e., when 728 * tls_connection_established() returns 1, EAP method specific decrypting of 729 * the tunneled data is used. 730 */ 731 int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data, 732 enum eap_type eap_type, int peap_version, 733 u8 id, const struct wpabuf *in_data, 734 struct wpabuf **out_data) 735 { 736 int ret = 0; 737 738 *out_data = NULL; 739 740 if (data->tls_out && wpabuf_len(data->tls_out) > 0 && 741 wpabuf_len(in_data) > 0) { 742 wpa_printf(MSG_DEBUG, "SSL: Received non-ACK when output " 743 "fragments are waiting to be sent out"); 744 return -1; 745 } 746 747 if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0) { 748 /* 749 * No more data to send out - expect to receive more data from 750 * the AS. 751 */ 752 int res = eap_tls_process_input(sm, data, in_data, out_data); 753 char buf[20]; 754 755 if (res) { 756 /* 757 * Input processing failed (res = -1) or more data is 758 * needed (res = 1). 759 */ 760 return res; 761 } 762 763 /* 764 * The incoming message has been reassembled and processed. The 765 * response was allocated into data->tls_out buffer. 766 */ 767 768 if (tls_get_version(data->ssl_ctx, data->conn, 769 buf, sizeof(buf)) == 0) { 770 wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf); 771 data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0; 772 } 773 } 774 775 if (data->tls_out == NULL) { 776 /* 777 * No outgoing fragments remaining from the previous message 778 * and no new message generated. This indicates an error in TLS 779 * processing. 780 */ 781 eap_peer_tls_reset_output(data); 782 return -1; 783 } 784 785 if (tls_connection_get_failed(data->ssl_ctx, data->conn)) { 786 /* TLS processing has failed - return error */ 787 wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to " 788 "report error (len=%u)", 789 (unsigned int) wpabuf_len(data->tls_out)); 790 ret = -1; 791 /* TODO: clean pin if engine used? */ 792 if (wpabuf_len(data->tls_out) == 0) { 793 wpabuf_free(data->tls_out); 794 data->tls_out = NULL; 795 return -1; 796 } 797 } 798 799 if (wpabuf_len(data->tls_out) == 0) { 800 /* 801 * TLS negotiation should now be complete since all other cases 802 * needing more data should have been caught above based on 803 * the TLS Message Length field. 804 */ 805 wpa_printf(MSG_DEBUG, "SSL: No data to be sent out"); 806 wpabuf_free(data->tls_out); 807 data->tls_out = NULL; 808 return 1; 809 } 810 811 /* Send the pending message (in fragments, if needed). */ 812 return eap_tls_process_output(data, eap_type, peap_version, id, ret, 813 out_data); 814 } 815 816 817 /** 818 * eap_peer_tls_build_ack - Build a TLS ACK frame 819 * @id: EAP identifier for the response 820 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...) 821 * @peap_version: Version number for EAP-PEAP/TTLS 822 * Returns: Pointer to the allocated ACK frame or %NULL on failure 823 */ 824 struct wpabuf * eap_peer_tls_build_ack(u8 id, enum eap_type eap_type, 825 int peap_version) 826 { 827 struct wpabuf *resp; 828 829 resp = eap_tls_msg_alloc(eap_type, 1, EAP_CODE_RESPONSE, id); 830 if (resp == NULL) 831 return NULL; 832 wpa_printf(MSG_DEBUG, "SSL: Building ACK (type=%d id=%d ver=%d)", 833 (int) eap_type, id, peap_version); 834 wpabuf_put_u8(resp, peap_version); /* Flags */ 835 return resp; 836 } 837 838 839 /** 840 * eap_peer_tls_reauth_init - Re-initialize shared TLS for session resumption 841 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 842 * @data: Data for TLS processing 843 * Returns: 0 on success, -1 on failure 844 */ 845 int eap_peer_tls_reauth_init(struct eap_sm *sm, struct eap_ssl_data *data) 846 { 847 eap_peer_tls_reset_input(data); 848 eap_peer_tls_reset_output(data); 849 return tls_connection_shutdown(data->ssl_ctx, data->conn); 850 } 851 852 853 /** 854 * eap_peer_tls_status - Get TLS status 855 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 856 * @data: Data for TLS processing 857 * @buf: Buffer for status information 858 * @buflen: Maximum buffer length 859 * @verbose: Whether to include verbose status information 860 * Returns: Number of bytes written to buf. 861 */ 862 int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data, 863 char *buf, size_t buflen, int verbose) 864 { 865 char version[20], name[128]; 866 int len = 0, ret; 867 868 if (tls_get_version(data->ssl_ctx, data->conn, version, 869 sizeof(version)) < 0) 870 version[0] = '\0'; 871 if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) < 0) 872 name[0] = '\0'; 873 874 ret = os_snprintf(buf + len, buflen - len, 875 "eap_tls_version=%s\n" 876 "EAP TLS cipher=%s\n" 877 "tls_session_reused=%d\n", 878 version, name, 879 tls_connection_resumed(data->ssl_ctx, data->conn)); 880 if (os_snprintf_error(buflen - len, ret)) 881 return len; 882 len += ret; 883 884 return len; 885 } 886 887 888 /** 889 * eap_peer_tls_process_init - Initial validation/processing of EAP requests 890 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 891 * @data: Data for TLS processing 892 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...) 893 * @ret: Return values from EAP request validation and processing 894 * @reqData: EAP request to be processed (eapReqData) 895 * @len: Buffer for returning length of the remaining payload 896 * @flags: Buffer for returning TLS flags 897 * Returns: Pointer to payload after TLS flags and length or %NULL on failure 898 * 899 * This function validates the EAP header and processes the optional TLS 900 * Message Length field. If this is the first fragment of a TLS message, the 901 * TLS reassembly code is initialized to receive the indicated number of bytes. 902 * 903 * EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST methods are expected to use this 904 * function as the first step in processing received messages. They will need 905 * to process the flags (apart from Message Length Included) that are returned 906 * through the flags pointer and the message payload that will be returned (and 907 * the length is returned through the len pointer). Return values (ret) are set 908 * for continuation of EAP method processing. The caller is responsible for 909 * setting these to indicate completion (either success or failure) based on 910 * the authentication result. 911 */ 912 const u8 * eap_peer_tls_process_init(struct eap_sm *sm, 913 struct eap_ssl_data *data, 914 enum eap_type eap_type, 915 struct eap_method_ret *ret, 916 const struct wpabuf *reqData, 917 size_t *len, u8 *flags) 918 { 919 const u8 *pos; 920 size_t left; 921 unsigned int tls_msg_len; 922 923 if (tls_get_errors(data->ssl_ctx)) { 924 wpa_printf(MSG_INFO, "SSL: TLS errors detected"); 925 ret->ignore = true; 926 return NULL; 927 } 928 929 if (eap_type == EAP_UNAUTH_TLS_TYPE) 930 pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS, 931 EAP_VENDOR_TYPE_UNAUTH_TLS, reqData, 932 &left); 933 else if (eap_type == EAP_WFA_UNAUTH_TLS_TYPE) 934 pos = eap_hdr_validate(EAP_VENDOR_WFA_NEW, 935 EAP_VENDOR_WFA_UNAUTH_TLS, reqData, 936 &left); 937 else 938 pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, reqData, 939 &left); 940 if (pos == NULL) { 941 ret->ignore = true; 942 return NULL; 943 } 944 if (left == 0) { 945 wpa_printf(MSG_DEBUG, "SSL: Invalid TLS message: no Flags " 946 "octet included"); 947 if (!sm->workaround) { 948 ret->ignore = true; 949 return NULL; 950 } 951 952 wpa_printf(MSG_DEBUG, "SSL: Workaround - assume no Flags " 953 "indicates ACK frame"); 954 *flags = 0; 955 } else { 956 *flags = *pos++; 957 left--; 958 } 959 wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - " 960 "Flags 0x%02x", (unsigned long) wpabuf_len(reqData), 961 *flags); 962 if (*flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) { 963 if (left < 4) { 964 wpa_printf(MSG_INFO, "SSL: Short frame with TLS " 965 "length"); 966 ret->ignore = true; 967 return NULL; 968 } 969 tls_msg_len = WPA_GET_BE32(pos); 970 wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d", 971 tls_msg_len); 972 if (data->tls_in_left == 0) { 973 data->tls_in_total = tls_msg_len; 974 data->tls_in_left = tls_msg_len; 975 wpabuf_free(data->tls_in); 976 data->tls_in = NULL; 977 } 978 pos += 4; 979 left -= 4; 980 981 if (left > tls_msg_len) { 982 wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d " 983 "bytes) smaller than this fragment (%d " 984 "bytes)", (int) tls_msg_len, (int) left); 985 ret->ignore = true; 986 return NULL; 987 } 988 } 989 990 ret->ignore = false; 991 ret->methodState = METHOD_MAY_CONT; 992 ret->decision = DECISION_FAIL; 993 ret->allowNotifications = true; 994 995 *len = left; 996 return pos; 997 } 998 999 1000 /** 1001 * eap_peer_tls_reset_input - Reset input buffers 1002 * @data: Data for TLS processing 1003 * 1004 * This function frees any allocated memory for input buffers and resets input 1005 * state. 1006 */ 1007 void eap_peer_tls_reset_input(struct eap_ssl_data *data) 1008 { 1009 data->tls_in_left = data->tls_in_total = 0; 1010 wpabuf_free(data->tls_in); 1011 data->tls_in = NULL; 1012 } 1013 1014 1015 /** 1016 * eap_peer_tls_reset_output - Reset output buffers 1017 * @data: Data for TLS processing 1018 * 1019 * This function frees any allocated memory for output buffers and resets 1020 * output state. 1021 */ 1022 void eap_peer_tls_reset_output(struct eap_ssl_data *data) 1023 { 1024 data->tls_out_pos = 0; 1025 wpabuf_free(data->tls_out); 1026 data->tls_out = NULL; 1027 } 1028 1029 1030 /** 1031 * eap_peer_tls_decrypt - Decrypt received phase 2 TLS message 1032 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 1033 * @data: Data for TLS processing 1034 * @in_data: Message received from the server 1035 * @in_decrypted: Buffer for returning a pointer to the decrypted message 1036 * Returns: 0 on success, 1 if more input data is needed, or -1 on failure 1037 */ 1038 int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data, 1039 const struct wpabuf *in_data, 1040 struct wpabuf **in_decrypted) 1041 { 1042 const struct wpabuf *msg; 1043 int need_more_input; 1044 1045 msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input); 1046 if (msg == NULL) 1047 return need_more_input ? 1 : -1; 1048 1049 *in_decrypted = tls_connection_decrypt(data->ssl_ctx, data->conn, msg); 1050 eap_peer_tls_reset_input(data); 1051 if (*in_decrypted == NULL) { 1052 wpa_printf(MSG_INFO, "SSL: Failed to decrypt Phase 2 data"); 1053 return -1; 1054 } 1055 return 0; 1056 } 1057 1058 1059 /** 1060 * eap_peer_tls_encrypt - Encrypt phase 2 TLS message 1061 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 1062 * @data: Data for TLS processing 1063 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...) 1064 * @peap_version: Version number for EAP-PEAP/TTLS 1065 * @id: EAP identifier for the response 1066 * @in_data: Plaintext phase 2 data to encrypt or %NULL to continue fragments 1067 * @out_data: Buffer for returning a pointer to the encrypted response message 1068 * Returns: 0 on success, -1 on failure 1069 */ 1070 int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data, 1071 enum eap_type eap_type, int peap_version, u8 id, 1072 const struct wpabuf *in_data, 1073 struct wpabuf **out_data) 1074 { 1075 if (in_data) { 1076 eap_peer_tls_reset_output(data); 1077 data->tls_out = tls_connection_encrypt(data->ssl_ctx, 1078 data->conn, in_data); 1079 if (data->tls_out == NULL) { 1080 wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 " 1081 "data (in_len=%lu)", 1082 (unsigned long) wpabuf_len(in_data)); 1083 eap_peer_tls_reset_output(data); 1084 return -1; 1085 } 1086 } 1087 1088 return eap_tls_process_output(data, eap_type, peap_version, id, 0, 1089 out_data); 1090 } 1091 1092 1093 /** 1094 * eap_peer_select_phase2_methods - Select phase 2 EAP method 1095 * @config: Pointer to the network configuration 1096 * @prefix: 'phase2' configuration prefix, e.g., "auth=" 1097 * @types: Buffer for returning allocated list of allowed EAP methods 1098 * @num_types: Buffer for returning number of allocated EAP methods 1099 * Returns: 0 on success, -1 on failure 1100 * 1101 * This function is used to parse EAP method list and select allowed methods 1102 * for Phase2 authentication. 1103 */ 1104 int eap_peer_select_phase2_methods(struct eap_peer_config *config, 1105 const char *prefix, 1106 struct eap_method_type **types, 1107 size_t *num_types, int use_machine_cred) 1108 { 1109 char *start, *pos, *buf; 1110 struct eap_method_type *methods = NULL, *_methods; 1111 u32 method; 1112 size_t num_methods = 0, prefix_len; 1113 const char *phase2; 1114 1115 if (!config) 1116 goto get_defaults; 1117 phase2 = use_machine_cred ? config->machine_phase2 : config->phase2; 1118 if (!phase2) 1119 goto get_defaults; 1120 1121 start = buf = os_strdup(phase2); 1122 if (buf == NULL) 1123 return -1; 1124 1125 prefix_len = os_strlen(prefix); 1126 1127 while (start && *start != '\0') { 1128 int vendor; 1129 pos = os_strstr(start, prefix); 1130 if (pos == NULL) 1131 break; 1132 if (start != pos && *(pos - 1) != ' ') { 1133 start = pos + prefix_len; 1134 continue; 1135 } 1136 1137 start = pos + prefix_len; 1138 pos = os_strchr(start, ' '); 1139 if (pos) 1140 *pos++ = '\0'; 1141 method = eap_get_phase2_type(start, &vendor); 1142 if (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE) { 1143 wpa_printf(MSG_ERROR, "TLS: Unsupported Phase2 EAP " 1144 "method '%s'", start); 1145 os_free(methods); 1146 os_free(buf); 1147 return -1; 1148 } else { 1149 num_methods++; 1150 _methods = os_realloc_array(methods, num_methods, 1151 sizeof(*methods)); 1152 if (_methods == NULL) { 1153 os_free(methods); 1154 os_free(buf); 1155 return -1; 1156 } 1157 methods = _methods; 1158 methods[num_methods - 1].vendor = vendor; 1159 methods[num_methods - 1].method = method; 1160 } 1161 1162 start = pos; 1163 } 1164 1165 os_free(buf); 1166 1167 get_defaults: 1168 if (methods == NULL) 1169 methods = eap_get_phase2_types(config, &num_methods); 1170 1171 if (methods == NULL) { 1172 wpa_printf(MSG_ERROR, "TLS: No Phase2 EAP methods available"); 1173 return -1; 1174 } 1175 wpa_hexdump(MSG_DEBUG, "TLS: Phase2 EAP types", 1176 (u8 *) methods, 1177 num_methods * sizeof(struct eap_method_type)); 1178 1179 *types = methods; 1180 *num_types = num_methods; 1181 1182 return 0; 1183 } 1184 1185 1186 /** 1187 * eap_peer_tls_phase2_nak - Generate EAP-Nak for Phase 2 1188 * @types: Buffer for returning allocated list of allowed EAP methods 1189 * @num_types: Buffer for returning number of allocated EAP methods 1190 * @hdr: EAP-Request header (and the following EAP type octet) 1191 * @resp: Buffer for returning the EAP-Nak message 1192 * Returns: 0 on success, -1 on failure 1193 */ 1194 int eap_peer_tls_phase2_nak(struct eap_method_type *types, size_t num_types, 1195 struct eap_hdr *hdr, struct wpabuf **resp) 1196 { 1197 u8 *pos = (u8 *) (hdr + 1); 1198 size_t i; 1199 1200 /* TODO: add support for expanded Nak */ 1201 wpa_printf(MSG_DEBUG, "TLS: Phase 2 Request: Nak type=%d", *pos); 1202 wpa_hexdump(MSG_DEBUG, "TLS: Allowed Phase2 EAP types", 1203 (u8 *) types, num_types * sizeof(struct eap_method_type)); 1204 *resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_NAK, num_types, 1205 EAP_CODE_RESPONSE, hdr->identifier); 1206 if (*resp == NULL) 1207 return -1; 1208 1209 for (i = 0; i < num_types; i++) { 1210 if (types[i].vendor == EAP_VENDOR_IETF && 1211 types[i].method < 256) 1212 wpabuf_put_u8(*resp, types[i].method); 1213 } 1214 1215 eap_update_len(*resp); 1216 1217 return 0; 1218 } 1219