1 /* 2 * EAP-FAST server (RFC 4851) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/aes_wrap.h" 13 #include "crypto/sha1.h" 14 #include "crypto/tls.h" 15 #include "crypto/random.h" 16 #include "eap_common/eap_tlv_common.h" 17 #include "eap_common/eap_fast_common.h" 18 #include "eap_i.h" 19 #include "eap_tls_common.h" 20 21 22 static void eap_fast_reset(struct eap_sm *sm, void *priv); 23 24 25 /* Private PAC-Opaque TLV types */ 26 #define PAC_OPAQUE_TYPE_PAD 0 27 #define PAC_OPAQUE_TYPE_KEY 1 28 #define PAC_OPAQUE_TYPE_LIFETIME 2 29 #define PAC_OPAQUE_TYPE_IDENTITY 3 30 31 struct eap_fast_data { 32 struct eap_ssl_data ssl; 33 enum { 34 START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD, 35 CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE 36 } state; 37 38 int fast_version; 39 const struct eap_method *phase2_method; 40 void *phase2_priv; 41 int force_version; 42 int peer_version; 43 44 u8 crypto_binding_nonce[32]; 45 int final_result; 46 47 struct eap_fast_key_block_provisioning *key_block_p; 48 49 u8 simck[EAP_FAST_SIMCK_LEN]; 50 u8 cmk[EAP_FAST_CMK_LEN]; 51 int simck_idx; 52 53 u8 pac_opaque_encr[16]; 54 u8 *srv_id; 55 size_t srv_id_len; 56 char *srv_id_info; 57 58 int anon_provisioning; 59 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 60 struct wpabuf *pending_phase2_resp; 61 u8 *identity; /* from PAC-Opaque */ 62 size_t identity_len; 63 int eap_seq; 64 int tnc_started; 65 66 int pac_key_lifetime; 67 int pac_key_refresh_time; 68 }; 69 70 71 static int eap_fast_process_phase2_start(struct eap_sm *sm, 72 struct eap_fast_data *data); 73 74 75 static const char * eap_fast_state_txt(int state) 76 { 77 switch (state) { 78 case START: 79 return "START"; 80 case PHASE1: 81 return "PHASE1"; 82 case PHASE2_START: 83 return "PHASE2_START"; 84 case PHASE2_ID: 85 return "PHASE2_ID"; 86 case PHASE2_METHOD: 87 return "PHASE2_METHOD"; 88 case CRYPTO_BINDING: 89 return "CRYPTO_BINDING"; 90 case REQUEST_PAC: 91 return "REQUEST_PAC"; 92 case SUCCESS: 93 return "SUCCESS"; 94 case FAILURE: 95 return "FAILURE"; 96 default: 97 return "Unknown?!"; 98 } 99 } 100 101 102 static void eap_fast_state(struct eap_fast_data *data, int state) 103 { 104 wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s", 105 eap_fast_state_txt(data->state), 106 eap_fast_state_txt(state)); 107 data->state = state; 108 } 109 110 111 static EapType eap_fast_req_failure(struct eap_sm *sm, 112 struct eap_fast_data *data) 113 { 114 /* TODO: send Result TLV(FAILURE) */ 115 eap_fast_state(data, FAILURE); 116 return EAP_TYPE_NONE; 117 } 118 119 120 static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 121 const u8 *client_random, 122 const u8 *server_random, 123 u8 *master_secret) 124 { 125 struct eap_fast_data *data = ctx; 126 const u8 *pac_opaque; 127 size_t pac_opaque_len; 128 u8 *buf, *pos, *end, *pac_key = NULL; 129 os_time_t lifetime = 0; 130 struct os_time now; 131 u8 *identity = NULL; 132 size_t identity_len = 0; 133 134 wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); 135 wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)", 136 ticket, len); 137 138 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 139 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid " 140 "SessionTicket"); 141 return 0; 142 } 143 144 pac_opaque_len = WPA_GET_BE16(ticket + 2); 145 pac_opaque = ticket + 4; 146 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 147 pac_opaque_len > len - 4) { 148 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque " 149 "(len=%lu left=%lu)", 150 (unsigned long) pac_opaque_len, 151 (unsigned long) len); 152 return 0; 153 } 154 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque", 155 pac_opaque, pac_opaque_len); 156 157 buf = os_malloc(pac_opaque_len - 8); 158 if (buf == NULL) { 159 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory " 160 "for decrypting PAC-Opaque"); 161 return 0; 162 } 163 164 if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 165 (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) { 166 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt " 167 "PAC-Opaque"); 168 os_free(buf); 169 /* 170 * This may have been caused by server changing the PAC-Opaque 171 * encryption key, so just ignore this PAC-Opaque instead of 172 * failing the authentication completely. Provisioning can now 173 * be used to provision a new PAC. 174 */ 175 return 0; 176 } 177 178 end = buf + pac_opaque_len - 8; 179 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque", 180 buf, end - buf); 181 182 pos = buf; 183 while (pos + 1 < end) { 184 if (pos + 2 + pos[1] > end) 185 break; 186 187 switch (*pos) { 188 case PAC_OPAQUE_TYPE_PAD: 189 goto done; 190 case PAC_OPAQUE_TYPE_KEY: 191 if (pos[1] != EAP_FAST_PAC_KEY_LEN) { 192 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 193 "PAC-Key length %d", pos[1]); 194 os_free(buf); 195 return -1; 196 } 197 pac_key = pos + 2; 198 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from " 199 "decrypted PAC-Opaque", 200 pac_key, EAP_FAST_PAC_KEY_LEN); 201 break; 202 case PAC_OPAQUE_TYPE_LIFETIME: 203 if (pos[1] != 4) { 204 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 205 "PAC-Key lifetime length %d", 206 pos[1]); 207 os_free(buf); 208 return -1; 209 } 210 lifetime = WPA_GET_BE32(pos + 2); 211 break; 212 case PAC_OPAQUE_TYPE_IDENTITY: 213 identity = pos + 2; 214 identity_len = pos[1]; 215 break; 216 } 217 218 pos += 2 + pos[1]; 219 } 220 done: 221 222 if (pac_key == NULL) { 223 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in " 224 "PAC-Opaque"); 225 os_free(buf); 226 return -1; 227 } 228 229 if (identity) { 230 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Identity from " 231 "PAC-Opaque", identity, identity_len); 232 os_free(data->identity); 233 data->identity = os_malloc(identity_len); 234 if (data->identity) { 235 os_memcpy(data->identity, identity, identity_len); 236 data->identity_len = identity_len; 237 } 238 } 239 240 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 241 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore " 242 "(lifetime=%ld now=%ld)", lifetime, now.sec); 243 data->send_new_pac = 2; 244 /* 245 * Allow PAC to be used to allow a PAC update with some level 246 * of server authentication (i.e., do not fall back to full TLS 247 * handshake since we cannot be sure that the peer would be 248 * able to validate server certificate now). However, reject 249 * the authentication since the PAC was not valid anymore. Peer 250 * can connect again with the newly provisioned PAC after this. 251 */ 252 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 253 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send " 254 "an update if authentication succeeds"); 255 data->send_new_pac = 1; 256 } 257 258 eap_fast_derive_master_secret(pac_key, server_random, client_random, 259 master_secret); 260 261 os_free(buf); 262 263 return 1; 264 } 265 266 267 static void eap_fast_derive_key_auth(struct eap_sm *sm, 268 struct eap_fast_data *data) 269 { 270 u8 *sks; 271 272 /* RFC 4851, Section 5.1: 273 * Extra key material after TLS key_block: session_key_seed[40] 274 */ 275 276 sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion", 277 EAP_FAST_SKS_LEN); 278 if (sks == NULL) { 279 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " 280 "session_key_seed"); 281 return; 282 } 283 284 /* 285 * RFC 4851, Section 5.2: 286 * S-IMCK[0] = session_key_seed 287 */ 288 wpa_hexdump_key(MSG_DEBUG, 289 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 290 sks, EAP_FAST_SKS_LEN); 291 data->simck_idx = 0; 292 os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN); 293 os_free(sks); 294 } 295 296 297 static void eap_fast_derive_key_provisioning(struct eap_sm *sm, 298 struct eap_fast_data *data) 299 { 300 os_free(data->key_block_p); 301 data->key_block_p = (struct eap_fast_key_block_provisioning *) 302 eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, 303 "key expansion", 304 sizeof(*data->key_block_p)); 305 if (data->key_block_p == NULL) { 306 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); 307 return; 308 } 309 /* 310 * RFC 4851, Section 5.2: 311 * S-IMCK[0] = session_key_seed 312 */ 313 wpa_hexdump_key(MSG_DEBUG, 314 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 315 data->key_block_p->session_key_seed, 316 sizeof(data->key_block_p->session_key_seed)); 317 data->simck_idx = 0; 318 os_memcpy(data->simck, data->key_block_p->session_key_seed, 319 EAP_FAST_SIMCK_LEN); 320 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge", 321 data->key_block_p->server_challenge, 322 sizeof(data->key_block_p->server_challenge)); 323 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge", 324 data->key_block_p->client_challenge, 325 sizeof(data->key_block_p->client_challenge)); 326 } 327 328 329 static int eap_fast_get_phase2_key(struct eap_sm *sm, 330 struct eap_fast_data *data, 331 u8 *isk, size_t isk_len) 332 { 333 u8 *key; 334 size_t key_len; 335 336 os_memset(isk, 0, isk_len); 337 338 if (data->phase2_method == NULL || data->phase2_priv == NULL) { 339 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 340 "available"); 341 return -1; 342 } 343 344 if (data->phase2_method->getKey == NULL) 345 return 0; 346 347 if ((key = data->phase2_method->getKey(sm, data->phase2_priv, 348 &key_len)) == NULL) { 349 wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material " 350 "from Phase 2"); 351 return -1; 352 } 353 354 if (key_len > isk_len) 355 key_len = isk_len; 356 if (key_len == 32 && 357 data->phase2_method->vendor == EAP_VENDOR_IETF && 358 data->phase2_method->method == EAP_TYPE_MSCHAPV2) { 359 /* 360 * EAP-FAST uses reverse order for MS-MPPE keys when deriving 361 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct 362 * ISK for EAP-FAST cryptobinding. 363 */ 364 os_memcpy(isk, key + 16, 16); 365 os_memcpy(isk + 16, key, 16); 366 } else 367 os_memcpy(isk, key, key_len); 368 os_free(key); 369 370 return 0; 371 } 372 373 374 static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data) 375 { 376 u8 isk[32], imck[60]; 377 378 wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)", 379 data->simck_idx + 1); 380 381 /* 382 * RFC 4851, Section 5.2: 383 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", 384 * MSK[j], 60) 385 * S-IMCK[j] = first 40 octets of IMCK[j] 386 * CMK[j] = last 20 octets of IMCK[j] 387 */ 388 389 if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0) 390 return -1; 391 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk)); 392 sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, 393 "Inner Methods Compound Keys", 394 isk, sizeof(isk), imck, sizeof(imck)); 395 data->simck_idx++; 396 os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN); 397 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]", 398 data->simck, EAP_FAST_SIMCK_LEN); 399 os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, EAP_FAST_CMK_LEN); 400 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", 401 data->cmk, EAP_FAST_CMK_LEN); 402 403 return 0; 404 } 405 406 407 static void * eap_fast_init(struct eap_sm *sm) 408 { 409 struct eap_fast_data *data; 410 u8 ciphers[5] = { 411 TLS_CIPHER_ANON_DH_AES128_SHA, 412 TLS_CIPHER_AES128_SHA, 413 TLS_CIPHER_RSA_DHE_AES128_SHA, 414 TLS_CIPHER_RC4_SHA, 415 TLS_CIPHER_NONE 416 }; 417 418 data = os_zalloc(sizeof(*data)); 419 if (data == NULL) 420 return NULL; 421 data->fast_version = EAP_FAST_VERSION; 422 data->force_version = -1; 423 if (sm->user && sm->user->force_version >= 0) { 424 data->force_version = sm->user->force_version; 425 wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d", 426 data->force_version); 427 data->fast_version = data->force_version; 428 } 429 data->state = START; 430 431 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 432 wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL."); 433 eap_fast_reset(sm, data); 434 return NULL; 435 } 436 437 if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn, 438 ciphers) < 0) { 439 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher " 440 "suites"); 441 eap_fast_reset(sm, data); 442 return NULL; 443 } 444 445 if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, 446 eap_fast_session_ticket_cb, 447 data) < 0) { 448 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket " 449 "callback"); 450 eap_fast_reset(sm, data); 451 return NULL; 452 } 453 454 if (sm->pac_opaque_encr_key == NULL) { 455 wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key " 456 "configured"); 457 eap_fast_reset(sm, data); 458 return NULL; 459 } 460 os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, 461 sizeof(data->pac_opaque_encr)); 462 463 if (sm->eap_fast_a_id == NULL) { 464 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured"); 465 eap_fast_reset(sm, data); 466 return NULL; 467 } 468 data->srv_id = os_malloc(sm->eap_fast_a_id_len); 469 if (data->srv_id == NULL) { 470 eap_fast_reset(sm, data); 471 return NULL; 472 } 473 os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len); 474 data->srv_id_len = sm->eap_fast_a_id_len; 475 476 if (sm->eap_fast_a_id_info == NULL) { 477 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured"); 478 eap_fast_reset(sm, data); 479 return NULL; 480 } 481 data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); 482 if (data->srv_id_info == NULL) { 483 eap_fast_reset(sm, data); 484 return NULL; 485 } 486 487 /* PAC-Key lifetime in seconds (hard limit) */ 488 data->pac_key_lifetime = sm->pac_key_lifetime; 489 490 /* 491 * PAC-Key refresh time in seconds (soft limit on remaining hard 492 * limit). The server will generate a new PAC-Key when this number of 493 * seconds (or fewer) of the lifetime remains. 494 */ 495 data->pac_key_refresh_time = sm->pac_key_refresh_time; 496 497 return data; 498 } 499 500 501 static void eap_fast_reset(struct eap_sm *sm, void *priv) 502 { 503 struct eap_fast_data *data = priv; 504 if (data == NULL) 505 return; 506 if (data->phase2_priv && data->phase2_method) 507 data->phase2_method->reset(sm, data->phase2_priv); 508 eap_server_tls_ssl_deinit(sm, &data->ssl); 509 os_free(data->srv_id); 510 os_free(data->srv_id_info); 511 os_free(data->key_block_p); 512 wpabuf_free(data->pending_phase2_resp); 513 os_free(data->identity); 514 bin_clear_free(data, sizeof(*data)); 515 } 516 517 518 static struct wpabuf * eap_fast_build_start(struct eap_sm *sm, 519 struct eap_fast_data *data, u8 id) 520 { 521 struct wpabuf *req; 522 523 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST, 524 1 + sizeof(struct pac_tlv_hdr) + data->srv_id_len, 525 EAP_CODE_REQUEST, id); 526 if (req == NULL) { 527 wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for" 528 " request"); 529 eap_fast_state(data, FAILURE); 530 return NULL; 531 } 532 533 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version); 534 535 /* RFC 4851, 4.1.1. Authority ID Data */ 536 eap_fast_put_tlv(req, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 537 538 eap_fast_state(data, PHASE1); 539 540 return req; 541 } 542 543 544 static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data) 545 { 546 char cipher[64]; 547 548 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2"); 549 550 if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) 551 < 0) { 552 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher " 553 "information"); 554 eap_fast_state(data, FAILURE); 555 return -1; 556 } 557 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 558 559 if (data->anon_provisioning) { 560 wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning"); 561 eap_fast_derive_key_provisioning(sm, data); 562 } else 563 eap_fast_derive_key_auth(sm, data); 564 565 eap_fast_state(data, PHASE2_START); 566 567 return 0; 568 } 569 570 571 static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm, 572 struct eap_fast_data *data, 573 u8 id) 574 { 575 struct wpabuf *req; 576 577 if (data->phase2_priv == NULL) { 578 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 579 "initialized"); 580 return NULL; 581 } 582 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 583 if (req == NULL) 584 return NULL; 585 586 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req); 587 return eap_fast_tlv_eap_payload(req); 588 } 589 590 591 static struct wpabuf * eap_fast_build_crypto_binding( 592 struct eap_sm *sm, struct eap_fast_data *data) 593 { 594 struct wpabuf *buf; 595 struct eap_tlv_result_tlv *result; 596 struct eap_tlv_crypto_binding_tlv *binding; 597 598 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*binding)); 599 if (buf == NULL) 600 return NULL; 601 602 if (data->send_new_pac || data->anon_provisioning || 603 data->phase2_method) 604 data->final_result = 0; 605 else 606 data->final_result = 1; 607 608 if (!data->final_result || data->eap_seq > 1) { 609 /* Intermediate-Result */ 610 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Intermediate-Result TLV " 611 "(status=SUCCESS)"); 612 result = wpabuf_put(buf, sizeof(*result)); 613 result->tlv_type = host_to_be16( 614 EAP_TLV_TYPE_MANDATORY | 615 EAP_TLV_INTERMEDIATE_RESULT_TLV); 616 result->length = host_to_be16(2); 617 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 618 } 619 620 if (data->final_result) { 621 /* Result TLV */ 622 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV " 623 "(status=SUCCESS)"); 624 result = wpabuf_put(buf, sizeof(*result)); 625 result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 626 EAP_TLV_RESULT_TLV); 627 result->length = host_to_be16(2); 628 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 629 } 630 631 /* Crypto-Binding TLV */ 632 binding = wpabuf_put(buf, sizeof(*binding)); 633 binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 634 EAP_TLV_CRYPTO_BINDING_TLV); 635 binding->length = host_to_be16(sizeof(*binding) - 636 sizeof(struct eap_tlv_hdr)); 637 binding->version = EAP_FAST_VERSION; 638 binding->received_version = data->peer_version; 639 binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; 640 if (random_get_bytes(binding->nonce, sizeof(binding->nonce)) < 0) { 641 wpabuf_free(buf); 642 return NULL; 643 } 644 645 /* 646 * RFC 4851, Section 4.2.8: 647 * The nonce in a request MUST have its least significant bit set to 0. 648 */ 649 binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01; 650 651 os_memcpy(data->crypto_binding_nonce, binding->nonce, 652 sizeof(binding->nonce)); 653 654 /* 655 * RFC 4851, Section 5.3: 656 * CMK = CMK[j] 657 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) 658 */ 659 660 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, 661 (u8 *) binding, sizeof(*binding), 662 binding->compound_mac); 663 664 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d " 665 "Received Version %d SubType %d", 666 binding->version, binding->received_version, 667 binding->subtype); 668 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 669 binding->nonce, sizeof(binding->nonce)); 670 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 671 binding->compound_mac, sizeof(binding->compound_mac)); 672 673 return buf; 674 } 675 676 677 static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm, 678 struct eap_fast_data *data) 679 { 680 u8 pac_key[EAP_FAST_PAC_KEY_LEN]; 681 u8 *pac_buf, *pac_opaque; 682 struct wpabuf *buf; 683 u8 *pos; 684 size_t buf_len, srv_id_info_len, pac_len; 685 struct eap_tlv_hdr *pac_tlv; 686 struct pac_tlv_hdr *pac_info; 687 struct eap_tlv_result_tlv *result; 688 struct os_time now; 689 690 if (random_get_bytes(pac_key, EAP_FAST_PAC_KEY_LEN) < 0 || 691 os_get_time(&now) < 0) 692 return NULL; 693 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key", 694 pac_key, EAP_FAST_PAC_KEY_LEN); 695 696 pac_len = (2 + EAP_FAST_PAC_KEY_LEN) + (2 + 4) + 697 (2 + sm->identity_len) + 8; 698 pac_buf = os_malloc(pac_len); 699 if (pac_buf == NULL) 700 return NULL; 701 702 srv_id_info_len = os_strlen(data->srv_id_info); 703 704 pos = pac_buf; 705 *pos++ = PAC_OPAQUE_TYPE_KEY; 706 *pos++ = EAP_FAST_PAC_KEY_LEN; 707 os_memcpy(pos, pac_key, EAP_FAST_PAC_KEY_LEN); 708 pos += EAP_FAST_PAC_KEY_LEN; 709 710 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 711 *pos++ = 4; 712 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 713 pos += 4; 714 715 if (sm->identity) { 716 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 717 *pos++ = sm->identity_len; 718 os_memcpy(pos, sm->identity, sm->identity_len); 719 pos += sm->identity_len; 720 } 721 722 pac_len = pos - pac_buf; 723 while (pac_len % 8) { 724 *pos++ = PAC_OPAQUE_TYPE_PAD; 725 pac_len++; 726 } 727 728 pac_opaque = os_malloc(pac_len + 8); 729 if (pac_opaque == NULL) { 730 os_free(pac_buf); 731 return NULL; 732 } 733 if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 734 pac_len / 8, pac_buf, pac_opaque) < 0) { 735 os_free(pac_buf); 736 os_free(pac_opaque); 737 return NULL; 738 } 739 os_free(pac_buf); 740 741 pac_len += 8; 742 wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque", 743 pac_opaque, pac_len); 744 745 buf_len = sizeof(*pac_tlv) + 746 sizeof(struct pac_tlv_hdr) + EAP_FAST_PAC_KEY_LEN + 747 sizeof(struct pac_tlv_hdr) + pac_len + 748 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 749 buf = wpabuf_alloc(buf_len); 750 if (buf == NULL) { 751 os_free(pac_opaque); 752 return NULL; 753 } 754 755 /* Result TLV */ 756 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)"); 757 result = wpabuf_put(buf, sizeof(*result)); 758 WPA_PUT_BE16((u8 *) &result->tlv_type, 759 EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV); 760 WPA_PUT_BE16((u8 *) &result->length, 2); 761 WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS); 762 763 /* PAC TLV */ 764 wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV"); 765 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 766 pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 767 EAP_TLV_PAC_TLV); 768 769 /* PAC-Key */ 770 eap_fast_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_FAST_PAC_KEY_LEN); 771 772 /* PAC-Opaque */ 773 eap_fast_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 774 os_free(pac_opaque); 775 776 /* PAC-Info */ 777 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 778 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 779 780 /* PAC-Lifetime (inside PAC-Info) */ 781 eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 782 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 783 784 /* A-ID (inside PAC-Info) */ 785 eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 786 787 /* Note: headers may be misaligned after A-ID */ 788 789 if (sm->identity) { 790 eap_fast_put_tlv(buf, PAC_TYPE_I_ID, sm->identity, 791 sm->identity_len); 792 } 793 794 /* A-ID-Info (inside PAC-Info) */ 795 eap_fast_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 796 srv_id_info_len); 797 798 /* PAC-Type (inside PAC-Info) */ 799 eap_fast_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 800 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 801 802 /* Update PAC-Info and PAC TLV Length fields */ 803 pos = wpabuf_put(buf, 0); 804 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 805 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 806 807 return buf; 808 } 809 810 811 static int eap_fast_encrypt_phase2(struct eap_sm *sm, 812 struct eap_fast_data *data, 813 struct wpabuf *plain, int piggyback) 814 { 815 struct wpabuf *encr; 816 817 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs", 818 plain); 819 encr = eap_server_tls_encrypt(sm, &data->ssl, plain); 820 wpabuf_free(plain); 821 822 if (!encr) 823 return -1; 824 825 if (data->ssl.tls_out && piggyback) { 826 wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data " 827 "(len=%d) with last Phase 1 Message (len=%d " 828 "used=%d)", 829 (int) wpabuf_len(encr), 830 (int) wpabuf_len(data->ssl.tls_out), 831 (int) data->ssl.tls_out_pos); 832 if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) { 833 wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize " 834 "output buffer"); 835 wpabuf_free(encr); 836 return -1; 837 } 838 wpabuf_put_buf(data->ssl.tls_out, encr); 839 wpabuf_free(encr); 840 } else { 841 wpabuf_free(data->ssl.tls_out); 842 data->ssl.tls_out_pos = 0; 843 data->ssl.tls_out = encr; 844 } 845 846 return 0; 847 } 848 849 850 static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id) 851 { 852 struct eap_fast_data *data = priv; 853 struct wpabuf *req = NULL; 854 int piggyback = 0; 855 856 if (data->ssl.state == FRAG_ACK) { 857 return eap_server_tls_build_ack(id, EAP_TYPE_FAST, 858 data->fast_version); 859 } 860 861 if (data->ssl.state == WAIT_FRAG_ACK) { 862 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 863 data->fast_version, id); 864 } 865 866 switch (data->state) { 867 case START: 868 return eap_fast_build_start(sm, data, id); 869 case PHASE1: 870 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 871 if (eap_fast_phase1_done(sm, data) < 0) 872 return NULL; 873 if (data->state == PHASE2_START) { 874 /* 875 * Try to generate Phase 2 data to piggyback 876 * with the end of Phase 1 to avoid extra 877 * roundtrip. 878 */ 879 wpa_printf(MSG_DEBUG, "EAP-FAST: Try to start " 880 "Phase 2"); 881 if (eap_fast_process_phase2_start(sm, data)) 882 break; 883 req = eap_fast_build_phase2_req(sm, data, id); 884 piggyback = 1; 885 } 886 } 887 break; 888 case PHASE2_ID: 889 case PHASE2_METHOD: 890 req = eap_fast_build_phase2_req(sm, data, id); 891 break; 892 case CRYPTO_BINDING: 893 req = eap_fast_build_crypto_binding(sm, data); 894 if (data->phase2_method) { 895 /* 896 * Include the start of the next EAP method in the 897 * sequence in the same message with Crypto-Binding to 898 * save a round-trip. 899 */ 900 struct wpabuf *eap; 901 eap = eap_fast_build_phase2_req(sm, data, id); 902 req = wpabuf_concat(req, eap); 903 eap_fast_state(data, PHASE2_METHOD); 904 } 905 break; 906 case REQUEST_PAC: 907 req = eap_fast_build_pac(sm, data); 908 break; 909 default: 910 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 911 __func__, data->state); 912 return NULL; 913 } 914 915 if (req && 916 eap_fast_encrypt_phase2(sm, data, req, piggyback) < 0) 917 return NULL; 918 919 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 920 data->fast_version, id); 921 } 922 923 924 static Boolean eap_fast_check(struct eap_sm *sm, void *priv, 925 struct wpabuf *respData) 926 { 927 const u8 *pos; 928 size_t len; 929 930 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len); 931 if (pos == NULL || len < 1) { 932 wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame"); 933 return TRUE; 934 } 935 936 return FALSE; 937 } 938 939 940 static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data, 941 EapType eap_type) 942 { 943 if (data->phase2_priv && data->phase2_method) { 944 data->phase2_method->reset(sm, data->phase2_priv); 945 data->phase2_method = NULL; 946 data->phase2_priv = NULL; 947 } 948 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 949 eap_type); 950 if (!data->phase2_method) 951 return -1; 952 953 if (data->key_block_p) { 954 sm->auth_challenge = data->key_block_p->server_challenge; 955 sm->peer_challenge = data->key_block_p->client_challenge; 956 } 957 sm->init_phase2 = 1; 958 data->phase2_priv = data->phase2_method->init(sm); 959 sm->init_phase2 = 0; 960 sm->auth_challenge = NULL; 961 sm->peer_challenge = NULL; 962 963 return data->phase2_priv == NULL ? -1 : 0; 964 } 965 966 967 static void eap_fast_process_phase2_response(struct eap_sm *sm, 968 struct eap_fast_data *data, 969 u8 *in_data, size_t in_len) 970 { 971 u8 next_type = EAP_TYPE_NONE; 972 struct eap_hdr *hdr; 973 u8 *pos; 974 size_t left; 975 struct wpabuf buf; 976 const struct eap_method *m = data->phase2_method; 977 void *priv = data->phase2_priv; 978 979 if (priv == NULL) { 980 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not " 981 "initialized?!", __func__); 982 return; 983 } 984 985 hdr = (struct eap_hdr *) in_data; 986 pos = (u8 *) (hdr + 1); 987 988 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 989 left = in_len - sizeof(*hdr); 990 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; " 991 "allowed types", pos + 1, left - 1); 992 #ifdef EAP_SERVER_TNC 993 if (m && m->vendor == EAP_VENDOR_IETF && 994 m->method == EAP_TYPE_TNC) { 995 wpa_printf(MSG_DEBUG, "EAP-FAST: Peer Nak'ed required " 996 "TNC negotiation"); 997 next_type = eap_fast_req_failure(sm, data); 998 eap_fast_phase2_init(sm, data, next_type); 999 return; 1000 } 1001 #endif /* EAP_SERVER_TNC */ 1002 eap_sm_process_nak(sm, pos + 1, left - 1); 1003 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1004 sm->user->methods[sm->user_eap_method_index].method != 1005 EAP_TYPE_NONE) { 1006 next_type = sm->user->methods[ 1007 sm->user_eap_method_index++].method; 1008 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", 1009 next_type); 1010 } else { 1011 next_type = eap_fast_req_failure(sm, data); 1012 } 1013 eap_fast_phase2_init(sm, data, next_type); 1014 return; 1015 } 1016 1017 wpabuf_set(&buf, in_data, in_len); 1018 1019 if (m->check(sm, priv, &buf)) { 1020 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to " 1021 "ignore the packet"); 1022 eap_fast_req_failure(sm, data); 1023 return; 1024 } 1025 1026 m->process(sm, priv, &buf); 1027 1028 if (!m->isDone(sm, priv)) 1029 return; 1030 1031 if (!m->isSuccess(sm, priv)) { 1032 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed"); 1033 next_type = eap_fast_req_failure(sm, data); 1034 eap_fast_phase2_init(sm, data, next_type); 1035 return; 1036 } 1037 1038 switch (data->state) { 1039 case PHASE2_ID: 1040 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1041 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 " 1042 "Identity not found in the user " 1043 "database", 1044 sm->identity, sm->identity_len); 1045 next_type = eap_fast_req_failure(sm, data); 1046 break; 1047 } 1048 1049 eap_fast_state(data, PHASE2_METHOD); 1050 if (data->anon_provisioning) { 1051 /* 1052 * Only EAP-MSCHAPv2 is allowed for anonymous 1053 * provisioning. 1054 */ 1055 next_type = EAP_TYPE_MSCHAPV2; 1056 sm->user_eap_method_index = 0; 1057 } else { 1058 next_type = sm->user->methods[0].method; 1059 sm->user_eap_method_index = 1; 1060 } 1061 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", next_type); 1062 break; 1063 case PHASE2_METHOD: 1064 case CRYPTO_BINDING: 1065 eap_fast_update_icmk(sm, data); 1066 eap_fast_state(data, CRYPTO_BINDING); 1067 data->eap_seq++; 1068 next_type = EAP_TYPE_NONE; 1069 #ifdef EAP_SERVER_TNC 1070 if (sm->tnc && !data->tnc_started) { 1071 wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC"); 1072 next_type = EAP_TYPE_TNC; 1073 data->tnc_started = 1; 1074 } 1075 #endif /* EAP_SERVER_TNC */ 1076 break; 1077 case FAILURE: 1078 break; 1079 default: 1080 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 1081 __func__, data->state); 1082 break; 1083 } 1084 1085 eap_fast_phase2_init(sm, data, next_type); 1086 } 1087 1088 1089 static void eap_fast_process_phase2_eap(struct eap_sm *sm, 1090 struct eap_fast_data *data, 1091 u8 *in_data, size_t in_len) 1092 { 1093 struct eap_hdr *hdr; 1094 size_t len; 1095 1096 hdr = (struct eap_hdr *) in_data; 1097 if (in_len < (int) sizeof(*hdr)) { 1098 wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 " 1099 "EAP frame (len=%lu)", (unsigned long) in_len); 1100 eap_fast_req_failure(sm, data); 1101 return; 1102 } 1103 len = be_to_host16(hdr->length); 1104 if (len > in_len) { 1105 wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in " 1106 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1107 (unsigned long) in_len, (unsigned long) len); 1108 eap_fast_req_failure(sm, data); 1109 return; 1110 } 1111 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d " 1112 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1113 (unsigned long) len); 1114 switch (hdr->code) { 1115 case EAP_CODE_RESPONSE: 1116 eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len); 1117 break; 1118 default: 1119 wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in " 1120 "Phase 2 EAP header", hdr->code); 1121 break; 1122 } 1123 } 1124 1125 1126 static int eap_fast_parse_tlvs(struct wpabuf *data, 1127 struct eap_fast_tlv_parse *tlv) 1128 { 1129 int mandatory, tlv_type, res; 1130 size_t len; 1131 u8 *pos, *end; 1132 1133 os_memset(tlv, 0, sizeof(*tlv)); 1134 1135 pos = wpabuf_mhead(data); 1136 end = pos + wpabuf_len(data); 1137 while (pos + 4 < end) { 1138 mandatory = pos[0] & 0x80; 1139 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1140 pos += 2; 1141 len = WPA_GET_BE16(pos); 1142 pos += 2; 1143 if (len > (size_t) (end - pos)) { 1144 wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); 1145 return -1; 1146 } 1147 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " 1148 "TLV type %d length %u%s", 1149 tlv_type, (unsigned int) len, 1150 mandatory ? " (mandatory)" : ""); 1151 1152 res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); 1153 if (res == -2) 1154 break; 1155 if (res < 0) { 1156 if (mandatory) { 1157 wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown " 1158 "mandatory TLV type %d", tlv_type); 1159 /* TODO: generate Nak TLV */ 1160 break; 1161 } else { 1162 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored " 1163 "unknown optional TLV type %d", 1164 tlv_type); 1165 } 1166 } 1167 1168 pos += len; 1169 } 1170 1171 return 0; 1172 } 1173 1174 1175 static int eap_fast_validate_crypto_binding( 1176 struct eap_fast_data *data, struct eap_tlv_crypto_binding_tlv *b, 1177 size_t bind_len) 1178 { 1179 u8 cmac[SHA1_MAC_LEN]; 1180 1181 wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: " 1182 "Version %d Received Version %d SubType %d", 1183 b->version, b->received_version, b->subtype); 1184 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 1185 b->nonce, sizeof(b->nonce)); 1186 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 1187 b->compound_mac, sizeof(b->compound_mac)); 1188 1189 if (b->version != EAP_FAST_VERSION || 1190 b->received_version != EAP_FAST_VERSION) { 1191 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version " 1192 "in Crypto-Binding: version %d " 1193 "received_version %d", b->version, 1194 b->received_version); 1195 return -1; 1196 } 1197 1198 if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1199 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in " 1200 "Crypto-Binding: %d", b->subtype); 1201 return -1; 1202 } 1203 1204 if (os_memcmp_const(data->crypto_binding_nonce, b->nonce, 31) != 0 || 1205 (data->crypto_binding_nonce[31] | 1) != b->nonce[31]) { 1206 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in " 1207 "Crypto-Binding"); 1208 return -1; 1209 } 1210 1211 os_memcpy(cmac, b->compound_mac, sizeof(cmac)); 1212 os_memset(b->compound_mac, 0, sizeof(cmac)); 1213 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for " 1214 "Compound MAC calculation", 1215 (u8 *) b, bind_len); 1216 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, (u8 *) b, bind_len, 1217 b->compound_mac); 1218 if (os_memcmp_const(cmac, b->compound_mac, sizeof(cmac)) != 0) { 1219 wpa_hexdump(MSG_MSGDUMP, 1220 "EAP-FAST: Calculated Compound MAC", 1221 b->compound_mac, sizeof(cmac)); 1222 wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not " 1223 "match"); 1224 return -1; 1225 } 1226 1227 return 0; 1228 } 1229 1230 1231 static int eap_fast_pac_type(u8 *pac, size_t len, u16 type) 1232 { 1233 struct eap_tlv_pac_type_tlv *tlv; 1234 1235 if (pac == NULL || len != sizeof(*tlv)) 1236 return 0; 1237 1238 tlv = (struct eap_tlv_pac_type_tlv *) pac; 1239 1240 return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE && 1241 be_to_host16(tlv->length) == 2 && 1242 be_to_host16(tlv->pac_type) == type; 1243 } 1244 1245 1246 static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, 1247 struct eap_fast_data *data, 1248 struct wpabuf *in_data) 1249 { 1250 struct eap_fast_tlv_parse tlv; 1251 int check_crypto_binding = data->state == CRYPTO_BINDING; 1252 1253 if (eap_fast_parse_tlvs(in_data, &tlv) < 0) { 1254 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received " 1255 "Phase 2 TLVs"); 1256 return; 1257 } 1258 1259 if (tlv.result == EAP_TLV_RESULT_FAILURE) { 1260 wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated " 1261 "failure"); 1262 eap_fast_state(data, FAILURE); 1263 return; 1264 } 1265 1266 if (data->state == REQUEST_PAC) { 1267 u16 type, len, res; 1268 if (tlv.pac == NULL || tlv.pac_len < 6) { 1269 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC " 1270 "Acknowledgement received"); 1271 eap_fast_state(data, FAILURE); 1272 return; 1273 } 1274 1275 type = WPA_GET_BE16(tlv.pac); 1276 len = WPA_GET_BE16(tlv.pac + 2); 1277 res = WPA_GET_BE16(tlv.pac + 4); 1278 1279 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1280 res != EAP_TLV_RESULT_SUCCESS) { 1281 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not " 1282 "contain acknowledgement"); 1283 eap_fast_state(data, FAILURE); 1284 return; 1285 } 1286 1287 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received " 1288 "- PAC provisioning succeeded"); 1289 eap_fast_state(data, (data->anon_provisioning || 1290 data->send_new_pac == 2) ? 1291 FAILURE : SUCCESS); 1292 return; 1293 } 1294 1295 if (check_crypto_binding) { 1296 if (tlv.crypto_binding == NULL) { 1297 wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding " 1298 "TLV received"); 1299 eap_fast_state(data, FAILURE); 1300 return; 1301 } 1302 1303 if (data->final_result && 1304 tlv.result != EAP_TLV_RESULT_SUCCESS) { 1305 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1306 "without Success Result"); 1307 eap_fast_state(data, FAILURE); 1308 return; 1309 } 1310 1311 if (!data->final_result && 1312 tlv.iresult != EAP_TLV_RESULT_SUCCESS) { 1313 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1314 "without intermediate Success Result"); 1315 eap_fast_state(data, FAILURE); 1316 return; 1317 } 1318 1319 if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding, 1320 tlv.crypto_binding_len)) { 1321 eap_fast_state(data, FAILURE); 1322 return; 1323 } 1324 1325 wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV " 1326 "received"); 1327 if (data->final_result) { 1328 wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication " 1329 "completed successfully"); 1330 } 1331 1332 if (data->anon_provisioning && 1333 sm->eap_fast_prov != ANON_PROV && 1334 sm->eap_fast_prov != BOTH_PROV) { 1335 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1336 "use unauthenticated provisioning which is " 1337 "disabled"); 1338 eap_fast_state(data, FAILURE); 1339 return; 1340 } 1341 1342 if (sm->eap_fast_prov != AUTH_PROV && 1343 sm->eap_fast_prov != BOTH_PROV && 1344 tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1345 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1346 PAC_TYPE_TUNNEL_PAC)) { 1347 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1348 "use authenticated provisioning which is " 1349 "disabled"); 1350 eap_fast_state(data, FAILURE); 1351 return; 1352 } 1353 1354 if (data->anon_provisioning || 1355 (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1356 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1357 PAC_TYPE_TUNNEL_PAC))) { 1358 wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new " 1359 "Tunnel PAC"); 1360 eap_fast_state(data, REQUEST_PAC); 1361 } else if (data->send_new_pac) { 1362 wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered " 1363 "re-keying of Tunnel PAC"); 1364 eap_fast_state(data, REQUEST_PAC); 1365 } else if (data->final_result) 1366 eap_fast_state(data, SUCCESS); 1367 } 1368 1369 if (tlv.eap_payload_tlv) { 1370 eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1371 tlv.eap_payload_tlv_len); 1372 } 1373 } 1374 1375 1376 static void eap_fast_process_phase2(struct eap_sm *sm, 1377 struct eap_fast_data *data, 1378 struct wpabuf *in_buf) 1379 { 1380 struct wpabuf *in_decrypted; 1381 1382 wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for" 1383 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 1384 1385 if (data->pending_phase2_resp) { 1386 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - " 1387 "skip decryption and use old data"); 1388 eap_fast_process_phase2_tlvs(sm, data, 1389 data->pending_phase2_resp); 1390 wpabuf_free(data->pending_phase2_resp); 1391 data->pending_phase2_resp = NULL; 1392 return; 1393 } 1394 1395 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1396 in_buf); 1397 if (in_decrypted == NULL) { 1398 wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 " 1399 "data"); 1400 eap_fast_state(data, FAILURE); 1401 return; 1402 } 1403 1404 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs", 1405 in_decrypted); 1406 1407 eap_fast_process_phase2_tlvs(sm, data, in_decrypted); 1408 1409 if (sm->method_pending == METHOD_PENDING_WAIT) { 1410 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in " 1411 "pending wait state - save decrypted response"); 1412 wpabuf_free(data->pending_phase2_resp); 1413 data->pending_phase2_resp = in_decrypted; 1414 return; 1415 } 1416 1417 wpabuf_free(in_decrypted); 1418 } 1419 1420 1421 static int eap_fast_process_version(struct eap_sm *sm, void *priv, 1422 int peer_version) 1423 { 1424 struct eap_fast_data *data = priv; 1425 1426 data->peer_version = peer_version; 1427 1428 if (data->force_version >= 0 && peer_version != data->force_version) { 1429 wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced" 1430 " version (forced=%d peer=%d) - reject", 1431 data->force_version, peer_version); 1432 return -1; 1433 } 1434 1435 if (peer_version < data->fast_version) { 1436 wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; " 1437 "use version %d", 1438 peer_version, data->fast_version, peer_version); 1439 data->fast_version = peer_version; 1440 } 1441 1442 return 0; 1443 } 1444 1445 1446 static int eap_fast_process_phase1(struct eap_sm *sm, 1447 struct eap_fast_data *data) 1448 { 1449 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1450 wpa_printf(MSG_INFO, "EAP-FAST: TLS processing failed"); 1451 eap_fast_state(data, FAILURE); 1452 return -1; 1453 } 1454 1455 if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || 1456 wpabuf_len(data->ssl.tls_out) > 0) 1457 return 1; 1458 1459 /* 1460 * Phase 1 was completed with the received message (e.g., when using 1461 * abbreviated handshake), so Phase 2 can be started immediately 1462 * without having to send through an empty message to the peer. 1463 */ 1464 1465 return eap_fast_phase1_done(sm, data); 1466 } 1467 1468 1469 static int eap_fast_process_phase2_start(struct eap_sm *sm, 1470 struct eap_fast_data *data) 1471 { 1472 u8 next_type; 1473 1474 if (data->identity) { 1475 os_free(sm->identity); 1476 sm->identity = data->identity; 1477 data->identity = NULL; 1478 sm->identity_len = data->identity_len; 1479 data->identity_len = 0; 1480 sm->require_identity_match = 1; 1481 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1482 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: " 1483 "Phase2 Identity not found " 1484 "in the user database", 1485 sm->identity, sm->identity_len); 1486 next_type = eap_fast_req_failure(sm, data); 1487 } else { 1488 wpa_printf(MSG_DEBUG, "EAP-FAST: Identity already " 1489 "known - skip Phase 2 Identity Request"); 1490 next_type = sm->user->methods[0].method; 1491 sm->user_eap_method_index = 1; 1492 } 1493 1494 eap_fast_state(data, PHASE2_METHOD); 1495 } else { 1496 eap_fast_state(data, PHASE2_ID); 1497 next_type = EAP_TYPE_IDENTITY; 1498 } 1499 1500 return eap_fast_phase2_init(sm, data, next_type); 1501 } 1502 1503 1504 static void eap_fast_process_msg(struct eap_sm *sm, void *priv, 1505 const struct wpabuf *respData) 1506 { 1507 struct eap_fast_data *data = priv; 1508 1509 switch (data->state) { 1510 case PHASE1: 1511 if (eap_fast_process_phase1(sm, data)) 1512 break; 1513 1514 /* fall through to PHASE2_START */ 1515 case PHASE2_START: 1516 eap_fast_process_phase2_start(sm, data); 1517 break; 1518 case PHASE2_ID: 1519 case PHASE2_METHOD: 1520 case CRYPTO_BINDING: 1521 case REQUEST_PAC: 1522 eap_fast_process_phase2(sm, data, data->ssl.tls_in); 1523 break; 1524 default: 1525 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s", 1526 data->state, __func__); 1527 break; 1528 } 1529 } 1530 1531 1532 static void eap_fast_process(struct eap_sm *sm, void *priv, 1533 struct wpabuf *respData) 1534 { 1535 struct eap_fast_data *data = priv; 1536 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1537 EAP_TYPE_FAST, eap_fast_process_version, 1538 eap_fast_process_msg) < 0) 1539 eap_fast_state(data, FAILURE); 1540 } 1541 1542 1543 static Boolean eap_fast_isDone(struct eap_sm *sm, void *priv) 1544 { 1545 struct eap_fast_data *data = priv; 1546 return data->state == SUCCESS || data->state == FAILURE; 1547 } 1548 1549 1550 static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len) 1551 { 1552 struct eap_fast_data *data = priv; 1553 u8 *eapKeyData; 1554 1555 if (data->state != SUCCESS) 1556 return NULL; 1557 1558 eapKeyData = os_malloc(EAP_FAST_KEY_LEN); 1559 if (eapKeyData == NULL) 1560 return NULL; 1561 1562 eap_fast_derive_eap_msk(data->simck, eapKeyData); 1563 *len = EAP_FAST_KEY_LEN; 1564 1565 return eapKeyData; 1566 } 1567 1568 1569 static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1570 { 1571 struct eap_fast_data *data = priv; 1572 u8 *eapKeyData; 1573 1574 if (data->state != SUCCESS) 1575 return NULL; 1576 1577 eapKeyData = os_malloc(EAP_EMSK_LEN); 1578 if (eapKeyData == NULL) 1579 return NULL; 1580 1581 eap_fast_derive_eap_emsk(data->simck, eapKeyData); 1582 *len = EAP_EMSK_LEN; 1583 1584 return eapKeyData; 1585 } 1586 1587 1588 static Boolean eap_fast_isSuccess(struct eap_sm *sm, void *priv) 1589 { 1590 struct eap_fast_data *data = priv; 1591 return data->state == SUCCESS; 1592 } 1593 1594 1595 static u8 * eap_fast_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1596 { 1597 struct eap_fast_data *data = priv; 1598 1599 if (data->state != SUCCESS) 1600 return NULL; 1601 1602 return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_FAST, 1603 len); 1604 } 1605 1606 1607 int eap_server_fast_register(void) 1608 { 1609 struct eap_method *eap; 1610 int ret; 1611 1612 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1613 EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST"); 1614 if (eap == NULL) 1615 return -1; 1616 1617 eap->init = eap_fast_init; 1618 eap->reset = eap_fast_reset; 1619 eap->buildReq = eap_fast_buildReq; 1620 eap->check = eap_fast_check; 1621 eap->process = eap_fast_process; 1622 eap->isDone = eap_fast_isDone; 1623 eap->getKey = eap_fast_getKey; 1624 eap->get_emsk = eap_fast_get_emsk; 1625 eap->isSuccess = eap_fast_isSuccess; 1626 eap->getSessionId = eap_fast_get_session_id; 1627 1628 ret = eap_server_method_register(eap); 1629 if (ret) 1630 eap_server_method_free(eap); 1631 return ret; 1632 } 1633