1 /* 2 * EAP-FAST server (RFC 4851) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/aes_wrap.h" 13 #include "crypto/sha1.h" 14 #include "crypto/tls.h" 15 #include "crypto/random.h" 16 #include "eap_common/eap_tlv_common.h" 17 #include "eap_common/eap_fast_common.h" 18 #include "eap_i.h" 19 #include "eap_tls_common.h" 20 21 22 static void eap_fast_reset(struct eap_sm *sm, void *priv); 23 24 25 /* Private PAC-Opaque TLV types */ 26 #define PAC_OPAQUE_TYPE_PAD 0 27 #define PAC_OPAQUE_TYPE_KEY 1 28 #define PAC_OPAQUE_TYPE_LIFETIME 2 29 #define PAC_OPAQUE_TYPE_IDENTITY 3 30 31 struct eap_fast_data { 32 struct eap_ssl_data ssl; 33 enum { 34 START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD, 35 CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE 36 } state; 37 38 int fast_version; 39 const struct eap_method *phase2_method; 40 void *phase2_priv; 41 int force_version; 42 int peer_version; 43 44 u8 crypto_binding_nonce[32]; 45 int final_result; 46 47 struct eap_fast_key_block_provisioning *key_block_p; 48 49 u8 simck[EAP_FAST_SIMCK_LEN]; 50 u8 cmk[EAP_FAST_CMK_LEN]; 51 int simck_idx; 52 53 u8 pac_opaque_encr[16]; 54 u8 *srv_id; 55 size_t srv_id_len; 56 char *srv_id_info; 57 58 int anon_provisioning; 59 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 60 struct wpabuf *pending_phase2_resp; 61 u8 *identity; /* from PAC-Opaque */ 62 size_t identity_len; 63 int eap_seq; 64 int tnc_started; 65 66 int pac_key_lifetime; 67 int pac_key_refresh_time; 68 }; 69 70 71 static int eap_fast_process_phase2_start(struct eap_sm *sm, 72 struct eap_fast_data *data); 73 74 75 static const char * eap_fast_state_txt(int state) 76 { 77 switch (state) { 78 case START: 79 return "START"; 80 case PHASE1: 81 return "PHASE1"; 82 case PHASE2_START: 83 return "PHASE2_START"; 84 case PHASE2_ID: 85 return "PHASE2_ID"; 86 case PHASE2_METHOD: 87 return "PHASE2_METHOD"; 88 case CRYPTO_BINDING: 89 return "CRYPTO_BINDING"; 90 case REQUEST_PAC: 91 return "REQUEST_PAC"; 92 case SUCCESS: 93 return "SUCCESS"; 94 case FAILURE: 95 return "FAILURE"; 96 default: 97 return "Unknown?!"; 98 } 99 } 100 101 102 static void eap_fast_state(struct eap_fast_data *data, int state) 103 { 104 wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s", 105 eap_fast_state_txt(data->state), 106 eap_fast_state_txt(state)); 107 data->state = state; 108 } 109 110 111 static enum eap_type eap_fast_req_failure(struct eap_sm *sm, 112 struct eap_fast_data *data) 113 { 114 /* TODO: send Result TLV(FAILURE) */ 115 eap_fast_state(data, FAILURE); 116 return EAP_TYPE_NONE; 117 } 118 119 120 static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 121 const u8 *client_random, 122 const u8 *server_random, 123 u8 *master_secret) 124 { 125 struct eap_fast_data *data = ctx; 126 const u8 *pac_opaque; 127 size_t pac_opaque_len; 128 u8 *buf, *pos, *end, *pac_key = NULL; 129 os_time_t lifetime = 0; 130 struct os_time now; 131 u8 *identity = NULL; 132 size_t identity_len = 0; 133 134 wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); 135 wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)", 136 ticket, len); 137 138 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 139 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid " 140 "SessionTicket"); 141 return 0; 142 } 143 144 pac_opaque_len = WPA_GET_BE16(ticket + 2); 145 pac_opaque = ticket + 4; 146 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 147 pac_opaque_len > len - 4) { 148 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque " 149 "(len=%lu left=%lu)", 150 (unsigned long) pac_opaque_len, 151 (unsigned long) len); 152 return 0; 153 } 154 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque", 155 pac_opaque, pac_opaque_len); 156 157 buf = os_malloc(pac_opaque_len - 8); 158 if (buf == NULL) { 159 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory " 160 "for decrypting PAC-Opaque"); 161 return 0; 162 } 163 164 if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 165 (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) { 166 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt " 167 "PAC-Opaque"); 168 os_free(buf); 169 /* 170 * This may have been caused by server changing the PAC-Opaque 171 * encryption key, so just ignore this PAC-Opaque instead of 172 * failing the authentication completely. Provisioning can now 173 * be used to provision a new PAC. 174 */ 175 return 0; 176 } 177 178 end = buf + pac_opaque_len - 8; 179 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque", 180 buf, end - buf); 181 182 pos = buf; 183 while (end - pos > 1) { 184 u8 id, elen; 185 186 id = *pos++; 187 elen = *pos++; 188 if (elen > end - pos) 189 break; 190 191 switch (id) { 192 case PAC_OPAQUE_TYPE_PAD: 193 goto done; 194 case PAC_OPAQUE_TYPE_KEY: 195 if (elen != EAP_FAST_PAC_KEY_LEN) { 196 wpa_printf(MSG_DEBUG, 197 "EAP-FAST: Invalid PAC-Key length %d", 198 elen); 199 os_free(buf); 200 return -1; 201 } 202 pac_key = pos; 203 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from " 204 "decrypted PAC-Opaque", 205 pac_key, EAP_FAST_PAC_KEY_LEN); 206 break; 207 case PAC_OPAQUE_TYPE_LIFETIME: 208 if (elen != 4) { 209 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 210 "PAC-Key lifetime length %d", 211 elen); 212 os_free(buf); 213 return -1; 214 } 215 lifetime = WPA_GET_BE32(pos); 216 break; 217 case PAC_OPAQUE_TYPE_IDENTITY: 218 identity = pos; 219 identity_len = elen; 220 break; 221 } 222 223 pos += elen; 224 } 225 done: 226 227 if (pac_key == NULL) { 228 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in " 229 "PAC-Opaque"); 230 os_free(buf); 231 return -1; 232 } 233 234 if (identity) { 235 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Identity from " 236 "PAC-Opaque", identity, identity_len); 237 os_free(data->identity); 238 data->identity = os_malloc(identity_len); 239 if (data->identity) { 240 os_memcpy(data->identity, identity, identity_len); 241 data->identity_len = identity_len; 242 } 243 } 244 245 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 246 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore " 247 "(lifetime=%ld now=%ld)", lifetime, now.sec); 248 data->send_new_pac = 2; 249 /* 250 * Allow PAC to be used to allow a PAC update with some level 251 * of server authentication (i.e., do not fall back to full TLS 252 * handshake since we cannot be sure that the peer would be 253 * able to validate server certificate now). However, reject 254 * the authentication since the PAC was not valid anymore. Peer 255 * can connect again with the newly provisioned PAC after this. 256 */ 257 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 258 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send " 259 "an update if authentication succeeds"); 260 data->send_new_pac = 1; 261 } 262 263 eap_fast_derive_master_secret(pac_key, server_random, client_random, 264 master_secret); 265 266 os_free(buf); 267 268 return 1; 269 } 270 271 272 static void eap_fast_derive_key_auth(struct eap_sm *sm, 273 struct eap_fast_data *data) 274 { 275 u8 *sks; 276 277 /* RFC 4851, Section 5.1: 278 * Extra key material after TLS key_block: session_key_seed[40] 279 */ 280 281 sks = eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn, 282 EAP_FAST_SKS_LEN); 283 if (sks == NULL) { 284 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " 285 "session_key_seed"); 286 return; 287 } 288 289 /* 290 * RFC 4851, Section 5.2: 291 * S-IMCK[0] = session_key_seed 292 */ 293 wpa_hexdump_key(MSG_DEBUG, 294 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 295 sks, EAP_FAST_SKS_LEN); 296 data->simck_idx = 0; 297 os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN); 298 os_free(sks); 299 } 300 301 302 static void eap_fast_derive_key_provisioning(struct eap_sm *sm, 303 struct eap_fast_data *data) 304 { 305 os_free(data->key_block_p); 306 data->key_block_p = (struct eap_fast_key_block_provisioning *) 307 eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn, 308 sizeof(*data->key_block_p)); 309 if (data->key_block_p == NULL) { 310 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); 311 return; 312 } 313 /* 314 * RFC 4851, Section 5.2: 315 * S-IMCK[0] = session_key_seed 316 */ 317 wpa_hexdump_key(MSG_DEBUG, 318 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 319 data->key_block_p->session_key_seed, 320 sizeof(data->key_block_p->session_key_seed)); 321 data->simck_idx = 0; 322 os_memcpy(data->simck, data->key_block_p->session_key_seed, 323 EAP_FAST_SIMCK_LEN); 324 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge", 325 data->key_block_p->server_challenge, 326 sizeof(data->key_block_p->server_challenge)); 327 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge", 328 data->key_block_p->client_challenge, 329 sizeof(data->key_block_p->client_challenge)); 330 } 331 332 333 static int eap_fast_get_phase2_key(struct eap_sm *sm, 334 struct eap_fast_data *data, 335 u8 *isk, size_t isk_len) 336 { 337 u8 *key; 338 size_t key_len; 339 340 os_memset(isk, 0, isk_len); 341 342 if (data->phase2_method == NULL || data->phase2_priv == NULL) { 343 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 344 "available"); 345 return -1; 346 } 347 348 if (data->phase2_method->getKey == NULL) 349 return 0; 350 351 if ((key = data->phase2_method->getKey(sm, data->phase2_priv, 352 &key_len)) == NULL) { 353 wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material " 354 "from Phase 2"); 355 return -1; 356 } 357 358 if (key_len > isk_len) 359 key_len = isk_len; 360 os_memcpy(isk, key, key_len); 361 os_free(key); 362 363 return 0; 364 } 365 366 367 static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data) 368 { 369 u8 isk[32], imck[60]; 370 371 wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)", 372 data->simck_idx + 1); 373 374 /* 375 * RFC 4851, Section 5.2: 376 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", 377 * MSK[j], 60) 378 * S-IMCK[j] = first 40 octets of IMCK[j] 379 * CMK[j] = last 20 octets of IMCK[j] 380 */ 381 382 if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0) 383 return -1; 384 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk)); 385 sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, 386 "Inner Methods Compound Keys", 387 isk, sizeof(isk), imck, sizeof(imck)); 388 data->simck_idx++; 389 os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN); 390 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]", 391 data->simck, EAP_FAST_SIMCK_LEN); 392 os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, EAP_FAST_CMK_LEN); 393 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", 394 data->cmk, EAP_FAST_CMK_LEN); 395 396 return 0; 397 } 398 399 400 static void * eap_fast_init(struct eap_sm *sm) 401 { 402 struct eap_fast_data *data; 403 u8 ciphers[7] = { 404 TLS_CIPHER_ANON_DH_AES128_SHA, 405 TLS_CIPHER_AES128_SHA, 406 TLS_CIPHER_RSA_DHE_AES128_SHA, 407 TLS_CIPHER_RC4_SHA, 408 TLS_CIPHER_RSA_DHE_AES256_SHA, 409 TLS_CIPHER_AES256_SHA, 410 TLS_CIPHER_NONE 411 }; 412 413 data = os_zalloc(sizeof(*data)); 414 if (data == NULL) 415 return NULL; 416 data->fast_version = EAP_FAST_VERSION; 417 data->force_version = -1; 418 if (sm->user && sm->user->force_version >= 0) { 419 data->force_version = sm->user->force_version; 420 wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d", 421 data->force_version); 422 data->fast_version = data->force_version; 423 } 424 data->state = START; 425 426 if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_FAST)) { 427 wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL."); 428 eap_fast_reset(sm, data); 429 return NULL; 430 } 431 432 if (tls_connection_set_cipher_list(sm->cfg->ssl_ctx, data->ssl.conn, 433 ciphers) < 0) { 434 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher " 435 "suites"); 436 eap_fast_reset(sm, data); 437 return NULL; 438 } 439 440 if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx, 441 data->ssl.conn, 442 eap_fast_session_ticket_cb, 443 data) < 0) { 444 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket " 445 "callback"); 446 eap_fast_reset(sm, data); 447 return NULL; 448 } 449 450 if (sm->cfg->pac_opaque_encr_key == NULL) { 451 wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key " 452 "configured"); 453 eap_fast_reset(sm, data); 454 return NULL; 455 } 456 os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key, 457 sizeof(data->pac_opaque_encr)); 458 459 if (sm->cfg->eap_fast_a_id == NULL) { 460 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured"); 461 eap_fast_reset(sm, data); 462 return NULL; 463 } 464 data->srv_id = os_memdup(sm->cfg->eap_fast_a_id, 465 sm->cfg->eap_fast_a_id_len); 466 if (data->srv_id == NULL) { 467 eap_fast_reset(sm, data); 468 return NULL; 469 } 470 data->srv_id_len = sm->cfg->eap_fast_a_id_len; 471 472 if (sm->cfg->eap_fast_a_id_info == NULL) { 473 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured"); 474 eap_fast_reset(sm, data); 475 return NULL; 476 } 477 data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info); 478 if (data->srv_id_info == NULL) { 479 eap_fast_reset(sm, data); 480 return NULL; 481 } 482 483 /* PAC-Key lifetime in seconds (hard limit) */ 484 data->pac_key_lifetime = sm->cfg->pac_key_lifetime; 485 486 /* 487 * PAC-Key refresh time in seconds (soft limit on remaining hard 488 * limit). The server will generate a new PAC-Key when this number of 489 * seconds (or fewer) of the lifetime remains. 490 */ 491 data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time; 492 493 return data; 494 } 495 496 497 static void eap_fast_reset(struct eap_sm *sm, void *priv) 498 { 499 struct eap_fast_data *data = priv; 500 if (data == NULL) 501 return; 502 if (data->phase2_priv && data->phase2_method) 503 data->phase2_method->reset(sm, data->phase2_priv); 504 eap_server_tls_ssl_deinit(sm, &data->ssl); 505 os_free(data->srv_id); 506 os_free(data->srv_id_info); 507 os_free(data->key_block_p); 508 wpabuf_free(data->pending_phase2_resp); 509 os_free(data->identity); 510 bin_clear_free(data, sizeof(*data)); 511 } 512 513 514 static struct wpabuf * eap_fast_build_start(struct eap_sm *sm, 515 struct eap_fast_data *data, u8 id) 516 { 517 struct wpabuf *req; 518 519 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST, 520 1 + sizeof(struct pac_tlv_hdr) + data->srv_id_len, 521 EAP_CODE_REQUEST, id); 522 if (req == NULL) { 523 wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for" 524 " request"); 525 eap_fast_state(data, FAILURE); 526 return NULL; 527 } 528 529 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version); 530 531 /* RFC 4851, 4.1.1. Authority ID Data */ 532 eap_fast_put_tlv(req, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 533 534 eap_fast_state(data, PHASE1); 535 536 return req; 537 } 538 539 540 static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data) 541 { 542 char cipher[64]; 543 544 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2"); 545 546 if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn, 547 cipher, sizeof(cipher)) < 0) { 548 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher " 549 "information"); 550 eap_fast_state(data, FAILURE); 551 return -1; 552 } 553 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 554 555 if (data->anon_provisioning) { 556 wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning"); 557 eap_fast_derive_key_provisioning(sm, data); 558 } else 559 eap_fast_derive_key_auth(sm, data); 560 561 eap_fast_state(data, PHASE2_START); 562 563 return 0; 564 } 565 566 567 static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm, 568 struct eap_fast_data *data, 569 u8 id) 570 { 571 struct wpabuf *req; 572 573 if (data->phase2_priv == NULL) { 574 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 575 "initialized"); 576 return NULL; 577 } 578 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 579 if (req == NULL) 580 return NULL; 581 582 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req); 583 return eap_fast_tlv_eap_payload(req); 584 } 585 586 587 static struct wpabuf * eap_fast_build_crypto_binding( 588 struct eap_sm *sm, struct eap_fast_data *data) 589 { 590 struct wpabuf *buf; 591 struct eap_tlv_result_tlv *result; 592 struct eap_tlv_crypto_binding_tlv *binding; 593 594 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*binding)); 595 if (buf == NULL) 596 return NULL; 597 598 if (data->send_new_pac || data->anon_provisioning || 599 data->phase2_method) 600 data->final_result = 0; 601 else 602 data->final_result = 1; 603 604 if (!data->final_result || data->eap_seq > 1) { 605 /* Intermediate-Result */ 606 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Intermediate-Result TLV " 607 "(status=SUCCESS)"); 608 result = wpabuf_put(buf, sizeof(*result)); 609 result->tlv_type = host_to_be16( 610 EAP_TLV_TYPE_MANDATORY | 611 EAP_TLV_INTERMEDIATE_RESULT_TLV); 612 result->length = host_to_be16(2); 613 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 614 } 615 616 if (data->final_result) { 617 /* Result TLV */ 618 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV " 619 "(status=SUCCESS)"); 620 result = wpabuf_put(buf, sizeof(*result)); 621 result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 622 EAP_TLV_RESULT_TLV); 623 result->length = host_to_be16(2); 624 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 625 } 626 627 /* Crypto-Binding TLV */ 628 binding = wpabuf_put(buf, sizeof(*binding)); 629 binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 630 EAP_TLV_CRYPTO_BINDING_TLV); 631 binding->length = host_to_be16(sizeof(*binding) - 632 sizeof(struct eap_tlv_hdr)); 633 binding->version = EAP_FAST_VERSION; 634 binding->received_version = data->peer_version; 635 binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; 636 if (random_get_bytes(binding->nonce, sizeof(binding->nonce)) < 0) { 637 wpabuf_free(buf); 638 return NULL; 639 } 640 641 /* 642 * RFC 4851, Section 4.2.8: 643 * The nonce in a request MUST have its least significant bit set to 0. 644 */ 645 binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01; 646 647 os_memcpy(data->crypto_binding_nonce, binding->nonce, 648 sizeof(binding->nonce)); 649 650 /* 651 * RFC 4851, Section 5.3: 652 * CMK = CMK[j] 653 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) 654 */ 655 656 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, 657 (u8 *) binding, sizeof(*binding), 658 binding->compound_mac); 659 660 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d " 661 "Received Version %d SubType %d", 662 binding->version, binding->received_version, 663 binding->subtype); 664 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 665 binding->nonce, sizeof(binding->nonce)); 666 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 667 binding->compound_mac, sizeof(binding->compound_mac)); 668 669 return buf; 670 } 671 672 673 static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm, 674 struct eap_fast_data *data) 675 { 676 u8 pac_key[EAP_FAST_PAC_KEY_LEN]; 677 u8 *pac_buf, *pac_opaque; 678 struct wpabuf *buf; 679 u8 *pos; 680 size_t buf_len, srv_id_info_len, pac_len; 681 struct eap_tlv_hdr *pac_tlv; 682 struct pac_tlv_hdr *pac_info; 683 struct eap_tlv_result_tlv *result; 684 struct os_time now; 685 686 if (random_get_bytes(pac_key, EAP_FAST_PAC_KEY_LEN) < 0 || 687 os_get_time(&now) < 0) 688 return NULL; 689 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key", 690 pac_key, EAP_FAST_PAC_KEY_LEN); 691 692 pac_len = (2 + EAP_FAST_PAC_KEY_LEN) + (2 + 4) + 693 (2 + sm->identity_len) + 8; 694 pac_buf = os_malloc(pac_len); 695 if (pac_buf == NULL) 696 return NULL; 697 698 srv_id_info_len = os_strlen(data->srv_id_info); 699 700 pos = pac_buf; 701 *pos++ = PAC_OPAQUE_TYPE_KEY; 702 *pos++ = EAP_FAST_PAC_KEY_LEN; 703 os_memcpy(pos, pac_key, EAP_FAST_PAC_KEY_LEN); 704 pos += EAP_FAST_PAC_KEY_LEN; 705 706 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 707 *pos++ = 4; 708 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 709 pos += 4; 710 711 if (sm->identity) { 712 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 713 *pos++ = sm->identity_len; 714 os_memcpy(pos, sm->identity, sm->identity_len); 715 pos += sm->identity_len; 716 } 717 718 pac_len = pos - pac_buf; 719 while (pac_len % 8) { 720 *pos++ = PAC_OPAQUE_TYPE_PAD; 721 pac_len++; 722 } 723 724 pac_opaque = os_malloc(pac_len + 8); 725 if (pac_opaque == NULL) { 726 os_free(pac_buf); 727 return NULL; 728 } 729 if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 730 pac_len / 8, pac_buf, pac_opaque) < 0) { 731 os_free(pac_buf); 732 os_free(pac_opaque); 733 return NULL; 734 } 735 os_free(pac_buf); 736 737 pac_len += 8; 738 wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque", 739 pac_opaque, pac_len); 740 741 buf_len = sizeof(*pac_tlv) + 742 sizeof(struct pac_tlv_hdr) + EAP_FAST_PAC_KEY_LEN + 743 sizeof(struct pac_tlv_hdr) + pac_len + 744 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 745 buf = wpabuf_alloc(buf_len); 746 if (buf == NULL) { 747 os_free(pac_opaque); 748 return NULL; 749 } 750 751 /* Result TLV */ 752 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)"); 753 result = wpabuf_put(buf, sizeof(*result)); 754 WPA_PUT_BE16((u8 *) &result->tlv_type, 755 EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV); 756 WPA_PUT_BE16((u8 *) &result->length, 2); 757 WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS); 758 759 /* PAC TLV */ 760 wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV"); 761 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 762 pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 763 EAP_TLV_PAC_TLV); 764 765 /* PAC-Key */ 766 eap_fast_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_FAST_PAC_KEY_LEN); 767 768 /* PAC-Opaque */ 769 eap_fast_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 770 os_free(pac_opaque); 771 772 /* PAC-Info */ 773 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 774 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 775 776 /* PAC-Lifetime (inside PAC-Info) */ 777 eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 778 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 779 780 /* A-ID (inside PAC-Info) */ 781 eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 782 783 /* Note: headers may be misaligned after A-ID */ 784 785 if (sm->identity) { 786 eap_fast_put_tlv(buf, PAC_TYPE_I_ID, sm->identity, 787 sm->identity_len); 788 } 789 790 /* A-ID-Info (inside PAC-Info) */ 791 eap_fast_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 792 srv_id_info_len); 793 794 /* PAC-Type (inside PAC-Info) */ 795 eap_fast_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 796 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 797 798 /* Update PAC-Info and PAC TLV Length fields */ 799 pos = wpabuf_put(buf, 0); 800 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 801 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 802 803 return buf; 804 } 805 806 807 static int eap_fast_encrypt_phase2(struct eap_sm *sm, 808 struct eap_fast_data *data, 809 struct wpabuf *plain, int piggyback) 810 { 811 struct wpabuf *encr; 812 813 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs", 814 plain); 815 encr = eap_server_tls_encrypt(sm, &data->ssl, plain); 816 wpabuf_free(plain); 817 818 if (!encr) 819 return -1; 820 821 if (data->ssl.tls_out && piggyback) { 822 wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data " 823 "(len=%d) with last Phase 1 Message (len=%d " 824 "used=%d)", 825 (int) wpabuf_len(encr), 826 (int) wpabuf_len(data->ssl.tls_out), 827 (int) data->ssl.tls_out_pos); 828 if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) { 829 wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize " 830 "output buffer"); 831 wpabuf_free(encr); 832 return -1; 833 } 834 wpabuf_put_buf(data->ssl.tls_out, encr); 835 wpabuf_free(encr); 836 } else { 837 wpabuf_free(data->ssl.tls_out); 838 data->ssl.tls_out_pos = 0; 839 data->ssl.tls_out = encr; 840 } 841 842 return 0; 843 } 844 845 846 static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id) 847 { 848 struct eap_fast_data *data = priv; 849 struct wpabuf *req = NULL; 850 int piggyback = 0; 851 852 if (data->ssl.state == FRAG_ACK) { 853 return eap_server_tls_build_ack(id, EAP_TYPE_FAST, 854 data->fast_version); 855 } 856 857 if (data->ssl.state == WAIT_FRAG_ACK) { 858 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 859 data->fast_version, id); 860 } 861 862 switch (data->state) { 863 case START: 864 return eap_fast_build_start(sm, data, id); 865 case PHASE1: 866 if (tls_connection_established(sm->cfg->ssl_ctx, 867 data->ssl.conn)) { 868 if (eap_fast_phase1_done(sm, data) < 0) 869 return NULL; 870 if (data->state == PHASE2_START) { 871 /* 872 * Try to generate Phase 2 data to piggyback 873 * with the end of Phase 1 to avoid extra 874 * roundtrip. 875 */ 876 wpa_printf(MSG_DEBUG, "EAP-FAST: Try to start " 877 "Phase 2"); 878 if (eap_fast_process_phase2_start(sm, data)) 879 break; 880 req = eap_fast_build_phase2_req(sm, data, id); 881 piggyback = 1; 882 } 883 } 884 break; 885 case PHASE2_ID: 886 case PHASE2_METHOD: 887 req = eap_fast_build_phase2_req(sm, data, id); 888 break; 889 case CRYPTO_BINDING: 890 req = eap_fast_build_crypto_binding(sm, data); 891 if (data->phase2_method) { 892 /* 893 * Include the start of the next EAP method in the 894 * sequence in the same message with Crypto-Binding to 895 * save a round-trip. 896 */ 897 struct wpabuf *eap; 898 eap = eap_fast_build_phase2_req(sm, data, id); 899 req = wpabuf_concat(req, eap); 900 eap_fast_state(data, PHASE2_METHOD); 901 } 902 break; 903 case REQUEST_PAC: 904 req = eap_fast_build_pac(sm, data); 905 break; 906 default: 907 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 908 __func__, data->state); 909 return NULL; 910 } 911 912 if (req && 913 eap_fast_encrypt_phase2(sm, data, req, piggyback) < 0) 914 return NULL; 915 916 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 917 data->fast_version, id); 918 } 919 920 921 static bool eap_fast_check(struct eap_sm *sm, void *priv, 922 struct wpabuf *respData) 923 { 924 const u8 *pos; 925 size_t len; 926 927 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len); 928 if (pos == NULL || len < 1) { 929 wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame"); 930 return true; 931 } 932 933 return false; 934 } 935 936 937 static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data, 938 int vendor, enum eap_type eap_type) 939 { 940 if (data->phase2_priv && data->phase2_method) { 941 data->phase2_method->reset(sm, data->phase2_priv); 942 data->phase2_method = NULL; 943 data->phase2_priv = NULL; 944 } 945 data->phase2_method = eap_server_get_eap_method(vendor, eap_type); 946 if (!data->phase2_method) 947 return -1; 948 949 if (data->key_block_p) { 950 sm->auth_challenge = data->key_block_p->server_challenge; 951 sm->peer_challenge = data->key_block_p->client_challenge; 952 } 953 sm->eap_fast_mschapv2 = true; 954 sm->init_phase2 = 1; 955 data->phase2_priv = data->phase2_method->init(sm); 956 sm->init_phase2 = 0; 957 sm->auth_challenge = NULL; 958 sm->peer_challenge = NULL; 959 960 return data->phase2_priv == NULL ? -1 : 0; 961 } 962 963 964 static void eap_fast_process_phase2_response(struct eap_sm *sm, 965 struct eap_fast_data *data, 966 u8 *in_data, size_t in_len) 967 { 968 int next_vendor = EAP_VENDOR_IETF; 969 enum eap_type next_type = EAP_TYPE_NONE; 970 struct eap_hdr *hdr; 971 u8 *pos; 972 size_t left; 973 struct wpabuf buf; 974 const struct eap_method *m = data->phase2_method; 975 void *priv = data->phase2_priv; 976 977 if (priv == NULL) { 978 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not " 979 "initialized?!", __func__); 980 return; 981 } 982 983 hdr = (struct eap_hdr *) in_data; 984 pos = (u8 *) (hdr + 1); 985 986 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 987 left = in_len - sizeof(*hdr); 988 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; " 989 "allowed types", pos + 1, left - 1); 990 #ifdef EAP_SERVER_TNC 991 if (m && m->vendor == EAP_VENDOR_IETF && 992 m->method == EAP_TYPE_TNC) { 993 wpa_printf(MSG_DEBUG, "EAP-FAST: Peer Nak'ed required " 994 "TNC negotiation"); 995 next_vendor = EAP_VENDOR_IETF; 996 next_type = eap_fast_req_failure(sm, data); 997 eap_fast_phase2_init(sm, data, next_vendor, next_type); 998 return; 999 } 1000 #endif /* EAP_SERVER_TNC */ 1001 eap_sm_process_nak(sm, pos + 1, left - 1); 1002 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1003 sm->user->methods[sm->user_eap_method_index].method != 1004 EAP_TYPE_NONE) { 1005 next_vendor = sm->user->methods[ 1006 sm->user_eap_method_index].vendor; 1007 next_type = sm->user->methods[ 1008 sm->user_eap_method_index++].method; 1009 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %u:%u", 1010 next_vendor, next_type); 1011 } else { 1012 next_vendor = EAP_VENDOR_IETF; 1013 next_type = eap_fast_req_failure(sm, data); 1014 } 1015 eap_fast_phase2_init(sm, data, next_vendor, next_type); 1016 return; 1017 } 1018 1019 wpabuf_set(&buf, in_data, in_len); 1020 1021 if (m->check(sm, priv, &buf)) { 1022 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to " 1023 "ignore the packet"); 1024 eap_fast_req_failure(sm, data); 1025 return; 1026 } 1027 1028 m->process(sm, priv, &buf); 1029 1030 if (!m->isDone(sm, priv)) 1031 return; 1032 1033 if (!m->isSuccess(sm, priv)) { 1034 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed"); 1035 next_vendor = EAP_VENDOR_IETF; 1036 next_type = eap_fast_req_failure(sm, data); 1037 eap_fast_phase2_init(sm, data, next_vendor, next_type); 1038 return; 1039 } 1040 1041 switch (data->state) { 1042 case PHASE2_ID: 1043 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1044 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 " 1045 "Identity not found in the user " 1046 "database", 1047 sm->identity, sm->identity_len); 1048 next_vendor = EAP_VENDOR_IETF; 1049 next_type = eap_fast_req_failure(sm, data); 1050 break; 1051 } 1052 1053 eap_fast_state(data, PHASE2_METHOD); 1054 if (data->anon_provisioning) { 1055 /* 1056 * Only EAP-MSCHAPv2 is allowed for anonymous 1057 * provisioning. 1058 */ 1059 next_vendor = EAP_VENDOR_IETF; 1060 next_type = EAP_TYPE_MSCHAPV2; 1061 sm->user_eap_method_index = 0; 1062 } else { 1063 next_vendor = sm->user->methods[0].vendor; 1064 next_type = sm->user->methods[0].method; 1065 sm->user_eap_method_index = 1; 1066 } 1067 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %u:%u", 1068 next_vendor, next_type); 1069 break; 1070 case PHASE2_METHOD: 1071 case CRYPTO_BINDING: 1072 eap_fast_update_icmk(sm, data); 1073 eap_fast_state(data, CRYPTO_BINDING); 1074 data->eap_seq++; 1075 next_vendor = EAP_VENDOR_IETF; 1076 next_type = EAP_TYPE_NONE; 1077 #ifdef EAP_SERVER_TNC 1078 if (sm->cfg->tnc && !data->tnc_started) { 1079 wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC"); 1080 next_vendor = EAP_VENDOR_IETF; 1081 next_type = EAP_TYPE_TNC; 1082 data->tnc_started = 1; 1083 } 1084 #endif /* EAP_SERVER_TNC */ 1085 break; 1086 case FAILURE: 1087 break; 1088 default: 1089 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 1090 __func__, data->state); 1091 break; 1092 } 1093 1094 eap_fast_phase2_init(sm, data, next_vendor, next_type); 1095 } 1096 1097 1098 static void eap_fast_process_phase2_eap(struct eap_sm *sm, 1099 struct eap_fast_data *data, 1100 u8 *in_data, size_t in_len) 1101 { 1102 struct eap_hdr *hdr; 1103 size_t len; 1104 1105 hdr = (struct eap_hdr *) in_data; 1106 if (in_len < (int) sizeof(*hdr)) { 1107 wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 " 1108 "EAP frame (len=%lu)", (unsigned long) in_len); 1109 eap_fast_req_failure(sm, data); 1110 return; 1111 } 1112 len = be_to_host16(hdr->length); 1113 if (len > in_len) { 1114 wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in " 1115 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1116 (unsigned long) in_len, (unsigned long) len); 1117 eap_fast_req_failure(sm, data); 1118 return; 1119 } 1120 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d " 1121 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1122 (unsigned long) len); 1123 switch (hdr->code) { 1124 case EAP_CODE_RESPONSE: 1125 eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len); 1126 break; 1127 default: 1128 wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in " 1129 "Phase 2 EAP header", hdr->code); 1130 break; 1131 } 1132 } 1133 1134 1135 static int eap_fast_parse_tlvs(struct wpabuf *data, 1136 struct eap_fast_tlv_parse *tlv) 1137 { 1138 int mandatory, tlv_type, res; 1139 size_t len; 1140 u8 *pos, *end; 1141 1142 os_memset(tlv, 0, sizeof(*tlv)); 1143 1144 pos = wpabuf_mhead(data); 1145 end = pos + wpabuf_len(data); 1146 while (end - pos > 4) { 1147 mandatory = pos[0] & 0x80; 1148 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1149 pos += 2; 1150 len = WPA_GET_BE16(pos); 1151 pos += 2; 1152 if (len > (size_t) (end - pos)) { 1153 wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); 1154 return -1; 1155 } 1156 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " 1157 "TLV type %d length %u%s", 1158 tlv_type, (unsigned int) len, 1159 mandatory ? " (mandatory)" : ""); 1160 1161 res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); 1162 if (res == -2) 1163 break; 1164 if (res < 0) { 1165 if (mandatory) { 1166 wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown " 1167 "mandatory TLV type %d", tlv_type); 1168 /* TODO: generate Nak TLV */ 1169 break; 1170 } else { 1171 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored " 1172 "unknown optional TLV type %d", 1173 tlv_type); 1174 } 1175 } 1176 1177 pos += len; 1178 } 1179 1180 return 0; 1181 } 1182 1183 1184 static int eap_fast_validate_crypto_binding( 1185 struct eap_fast_data *data, struct eap_tlv_crypto_binding_tlv *b, 1186 size_t bind_len) 1187 { 1188 u8 cmac[SHA1_MAC_LEN]; 1189 1190 wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: " 1191 "Version %d Received Version %d SubType %d", 1192 b->version, b->received_version, b->subtype); 1193 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 1194 b->nonce, sizeof(b->nonce)); 1195 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 1196 b->compound_mac, sizeof(b->compound_mac)); 1197 1198 if (b->version != EAP_FAST_VERSION || 1199 b->received_version != EAP_FAST_VERSION) { 1200 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version " 1201 "in Crypto-Binding: version %d " 1202 "received_version %d", b->version, 1203 b->received_version); 1204 return -1; 1205 } 1206 1207 if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1208 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in " 1209 "Crypto-Binding: %d", b->subtype); 1210 return -1; 1211 } 1212 1213 if (os_memcmp_const(data->crypto_binding_nonce, b->nonce, 31) != 0 || 1214 (data->crypto_binding_nonce[31] | 1) != b->nonce[31]) { 1215 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in " 1216 "Crypto-Binding"); 1217 return -1; 1218 } 1219 1220 os_memcpy(cmac, b->compound_mac, sizeof(cmac)); 1221 os_memset(b->compound_mac, 0, sizeof(cmac)); 1222 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for " 1223 "Compound MAC calculation", 1224 (u8 *) b, bind_len); 1225 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, (u8 *) b, bind_len, 1226 b->compound_mac); 1227 if (os_memcmp_const(cmac, b->compound_mac, sizeof(cmac)) != 0) { 1228 wpa_hexdump(MSG_MSGDUMP, 1229 "EAP-FAST: Calculated Compound MAC", 1230 b->compound_mac, sizeof(cmac)); 1231 wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not " 1232 "match"); 1233 return -1; 1234 } 1235 1236 return 0; 1237 } 1238 1239 1240 static int eap_fast_pac_type(u8 *pac, size_t len, u16 type) 1241 { 1242 struct eap_tlv_pac_type_tlv *tlv; 1243 1244 if (pac == NULL || len != sizeof(*tlv)) 1245 return 0; 1246 1247 tlv = (struct eap_tlv_pac_type_tlv *) pac; 1248 1249 return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE && 1250 be_to_host16(tlv->length) == 2 && 1251 be_to_host16(tlv->pac_type) == type; 1252 } 1253 1254 1255 static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, 1256 struct eap_fast_data *data, 1257 struct wpabuf *in_data) 1258 { 1259 struct eap_fast_tlv_parse tlv; 1260 int check_crypto_binding = data->state == CRYPTO_BINDING; 1261 1262 if (eap_fast_parse_tlvs(in_data, &tlv) < 0) { 1263 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received " 1264 "Phase 2 TLVs"); 1265 return; 1266 } 1267 1268 if (tlv.result == EAP_TLV_RESULT_FAILURE) { 1269 wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated " 1270 "failure"); 1271 eap_fast_state(data, FAILURE); 1272 return; 1273 } 1274 1275 if (data->state == REQUEST_PAC) { 1276 u16 type, len, res; 1277 if (tlv.pac == NULL || tlv.pac_len < 6) { 1278 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC " 1279 "Acknowledgement received"); 1280 eap_fast_state(data, FAILURE); 1281 return; 1282 } 1283 1284 type = WPA_GET_BE16(tlv.pac); 1285 len = WPA_GET_BE16(tlv.pac + 2); 1286 res = WPA_GET_BE16(tlv.pac + 4); 1287 1288 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1289 res != EAP_TLV_RESULT_SUCCESS) { 1290 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not " 1291 "contain acknowledgement"); 1292 eap_fast_state(data, FAILURE); 1293 return; 1294 } 1295 1296 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received " 1297 "- PAC provisioning succeeded"); 1298 eap_fast_state(data, (data->anon_provisioning || 1299 data->send_new_pac == 2) ? 1300 FAILURE : SUCCESS); 1301 return; 1302 } 1303 1304 if (check_crypto_binding) { 1305 if (tlv.crypto_binding == NULL) { 1306 wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding " 1307 "TLV received"); 1308 eap_fast_state(data, FAILURE); 1309 return; 1310 } 1311 1312 if (data->final_result && 1313 tlv.result != EAP_TLV_RESULT_SUCCESS) { 1314 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1315 "without Success Result"); 1316 eap_fast_state(data, FAILURE); 1317 return; 1318 } 1319 1320 if (!data->final_result && 1321 tlv.iresult != EAP_TLV_RESULT_SUCCESS) { 1322 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1323 "without intermediate Success Result"); 1324 eap_fast_state(data, FAILURE); 1325 return; 1326 } 1327 1328 if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding, 1329 tlv.crypto_binding_len)) { 1330 eap_fast_state(data, FAILURE); 1331 return; 1332 } 1333 1334 wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV " 1335 "received"); 1336 if (data->final_result) { 1337 wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication " 1338 "completed successfully"); 1339 } 1340 1341 if (data->anon_provisioning && 1342 sm->cfg->eap_fast_prov != ANON_PROV && 1343 sm->cfg->eap_fast_prov != BOTH_PROV) { 1344 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1345 "use unauthenticated provisioning which is " 1346 "disabled"); 1347 eap_fast_state(data, FAILURE); 1348 return; 1349 } 1350 1351 if (sm->cfg->eap_fast_prov != AUTH_PROV && 1352 sm->cfg->eap_fast_prov != BOTH_PROV && 1353 tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1354 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1355 PAC_TYPE_TUNNEL_PAC)) { 1356 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1357 "use authenticated provisioning which is " 1358 "disabled"); 1359 eap_fast_state(data, FAILURE); 1360 return; 1361 } 1362 1363 if (data->anon_provisioning || 1364 (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1365 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1366 PAC_TYPE_TUNNEL_PAC))) { 1367 wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new " 1368 "Tunnel PAC"); 1369 eap_fast_state(data, REQUEST_PAC); 1370 } else if (data->send_new_pac) { 1371 wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered " 1372 "re-keying of Tunnel PAC"); 1373 eap_fast_state(data, REQUEST_PAC); 1374 } else if (data->final_result) 1375 eap_fast_state(data, SUCCESS); 1376 } 1377 1378 if (tlv.eap_payload_tlv) { 1379 eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1380 tlv.eap_payload_tlv_len); 1381 } 1382 } 1383 1384 1385 static void eap_fast_process_phase2(struct eap_sm *sm, 1386 struct eap_fast_data *data, 1387 struct wpabuf *in_buf) 1388 { 1389 struct wpabuf *in_decrypted; 1390 1391 wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for" 1392 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 1393 1394 if (data->pending_phase2_resp) { 1395 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - " 1396 "skip decryption and use old data"); 1397 eap_fast_process_phase2_tlvs(sm, data, 1398 data->pending_phase2_resp); 1399 wpabuf_free(data->pending_phase2_resp); 1400 data->pending_phase2_resp = NULL; 1401 return; 1402 } 1403 1404 in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn, 1405 in_buf); 1406 if (in_decrypted == NULL) { 1407 wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 " 1408 "data"); 1409 eap_fast_state(data, FAILURE); 1410 return; 1411 } 1412 1413 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs", 1414 in_decrypted); 1415 1416 eap_fast_process_phase2_tlvs(sm, data, in_decrypted); 1417 1418 if (sm->method_pending == METHOD_PENDING_WAIT) { 1419 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in " 1420 "pending wait state - save decrypted response"); 1421 wpabuf_free(data->pending_phase2_resp); 1422 data->pending_phase2_resp = in_decrypted; 1423 return; 1424 } 1425 1426 wpabuf_free(in_decrypted); 1427 } 1428 1429 1430 static int eap_fast_process_version(struct eap_sm *sm, void *priv, 1431 int peer_version) 1432 { 1433 struct eap_fast_data *data = priv; 1434 1435 data->peer_version = peer_version; 1436 1437 if (data->force_version >= 0 && peer_version != data->force_version) { 1438 wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced" 1439 " version (forced=%d peer=%d) - reject", 1440 data->force_version, peer_version); 1441 return -1; 1442 } 1443 1444 if (peer_version < data->fast_version) { 1445 wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; " 1446 "use version %d", 1447 peer_version, data->fast_version, peer_version); 1448 data->fast_version = peer_version; 1449 } 1450 1451 return 0; 1452 } 1453 1454 1455 static int eap_fast_process_phase1(struct eap_sm *sm, 1456 struct eap_fast_data *data) 1457 { 1458 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1459 wpa_printf(MSG_INFO, "EAP-FAST: TLS processing failed"); 1460 eap_fast_state(data, FAILURE); 1461 return -1; 1462 } 1463 1464 if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) || 1465 wpabuf_len(data->ssl.tls_out) > 0) 1466 return 1; 1467 1468 /* 1469 * Phase 1 was completed with the received message (e.g., when using 1470 * abbreviated handshake), so Phase 2 can be started immediately 1471 * without having to send through an empty message to the peer. 1472 */ 1473 1474 return eap_fast_phase1_done(sm, data); 1475 } 1476 1477 1478 static int eap_fast_process_phase2_start(struct eap_sm *sm, 1479 struct eap_fast_data *data) 1480 { 1481 int next_vendor; 1482 enum eap_type next_type; 1483 1484 if (data->identity) { 1485 os_free(sm->identity); 1486 sm->identity = data->identity; 1487 data->identity = NULL; 1488 sm->identity_len = data->identity_len; 1489 data->identity_len = 0; 1490 sm->require_identity_match = 1; 1491 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1492 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: " 1493 "Phase2 Identity not found " 1494 "in the user database", 1495 sm->identity, sm->identity_len); 1496 next_vendor = EAP_VENDOR_IETF; 1497 next_type = eap_fast_req_failure(sm, data); 1498 } else { 1499 wpa_printf(MSG_DEBUG, "EAP-FAST: Identity already " 1500 "known - skip Phase 2 Identity Request"); 1501 next_vendor = sm->user->methods[0].vendor; 1502 next_type = sm->user->methods[0].method; 1503 sm->user_eap_method_index = 1; 1504 } 1505 1506 eap_fast_state(data, PHASE2_METHOD); 1507 } else { 1508 eap_fast_state(data, PHASE2_ID); 1509 next_vendor = EAP_VENDOR_IETF; 1510 next_type = EAP_TYPE_IDENTITY; 1511 } 1512 1513 return eap_fast_phase2_init(sm, data, next_vendor, next_type); 1514 } 1515 1516 1517 static void eap_fast_process_msg(struct eap_sm *sm, void *priv, 1518 const struct wpabuf *respData) 1519 { 1520 struct eap_fast_data *data = priv; 1521 1522 switch (data->state) { 1523 case PHASE1: 1524 if (eap_fast_process_phase1(sm, data)) 1525 break; 1526 1527 /* fall through */ 1528 case PHASE2_START: 1529 eap_fast_process_phase2_start(sm, data); 1530 break; 1531 case PHASE2_ID: 1532 case PHASE2_METHOD: 1533 case CRYPTO_BINDING: 1534 case REQUEST_PAC: 1535 eap_fast_process_phase2(sm, data, data->ssl.tls_in); 1536 break; 1537 default: 1538 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s", 1539 data->state, __func__); 1540 break; 1541 } 1542 } 1543 1544 1545 static void eap_fast_process(struct eap_sm *sm, void *priv, 1546 struct wpabuf *respData) 1547 { 1548 struct eap_fast_data *data = priv; 1549 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1550 EAP_TYPE_FAST, eap_fast_process_version, 1551 eap_fast_process_msg) < 0) 1552 eap_fast_state(data, FAILURE); 1553 } 1554 1555 1556 static bool eap_fast_isDone(struct eap_sm *sm, void *priv) 1557 { 1558 struct eap_fast_data *data = priv; 1559 return data->state == SUCCESS || data->state == FAILURE; 1560 } 1561 1562 1563 static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len) 1564 { 1565 struct eap_fast_data *data = priv; 1566 u8 *eapKeyData; 1567 1568 if (data->state != SUCCESS) 1569 return NULL; 1570 1571 eapKeyData = os_malloc(EAP_FAST_KEY_LEN); 1572 if (eapKeyData == NULL) 1573 return NULL; 1574 1575 if (eap_fast_derive_eap_msk(data->simck, eapKeyData) < 0) { 1576 os_free(eapKeyData); 1577 return NULL; 1578 } 1579 *len = EAP_FAST_KEY_LEN; 1580 1581 return eapKeyData; 1582 } 1583 1584 1585 static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1586 { 1587 struct eap_fast_data *data = priv; 1588 u8 *eapKeyData; 1589 1590 if (data->state != SUCCESS) 1591 return NULL; 1592 1593 eapKeyData = os_malloc(EAP_EMSK_LEN); 1594 if (eapKeyData == NULL) 1595 return NULL; 1596 1597 if (eap_fast_derive_eap_emsk(data->simck, eapKeyData) < 0) { 1598 os_free(eapKeyData); 1599 return NULL; 1600 } 1601 *len = EAP_EMSK_LEN; 1602 1603 return eapKeyData; 1604 } 1605 1606 1607 static bool eap_fast_isSuccess(struct eap_sm *sm, void *priv) 1608 { 1609 struct eap_fast_data *data = priv; 1610 return data->state == SUCCESS; 1611 } 1612 1613 1614 static u8 * eap_fast_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1615 { 1616 struct eap_fast_data *data = priv; 1617 1618 if (data->state != SUCCESS) 1619 return NULL; 1620 1621 return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_FAST, 1622 len); 1623 } 1624 1625 1626 int eap_server_fast_register(void) 1627 { 1628 struct eap_method *eap; 1629 1630 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1631 EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST"); 1632 if (eap == NULL) 1633 return -1; 1634 1635 eap->init = eap_fast_init; 1636 eap->reset = eap_fast_reset; 1637 eap->buildReq = eap_fast_buildReq; 1638 eap->check = eap_fast_check; 1639 eap->process = eap_fast_process; 1640 eap->isDone = eap_fast_isDone; 1641 eap->getKey = eap_fast_getKey; 1642 eap->get_emsk = eap_fast_get_emsk; 1643 eap->isSuccess = eap_fast_isSuccess; 1644 eap->getSessionId = eap_fast_get_session_id; 1645 1646 return eap_server_method_register(eap); 1647 } 1648