1 /* 2 * EAP-TEAP server (RFC 7170) 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/aes_wrap.h" 13 #include "crypto/tls.h" 14 #include "crypto/random.h" 15 #include "eap_common/eap_teap_common.h" 16 #include "eap_i.h" 17 #include "eap_tls_common.h" 18 19 20 static void eap_teap_reset(struct eap_sm *sm, void *priv); 21 22 23 /* Private PAC-Opaque TLV types */ 24 #define PAC_OPAQUE_TYPE_PAD 0 25 #define PAC_OPAQUE_TYPE_KEY 1 26 #define PAC_OPAQUE_TYPE_LIFETIME 2 27 #define PAC_OPAQUE_TYPE_IDENTITY 3 28 29 struct eap_teap_data { 30 struct eap_ssl_data ssl; 31 enum { 32 START, PHASE1, PHASE1B, PHASE2_START, PHASE2_ID, 33 PHASE2_BASIC_AUTH, PHASE2_METHOD, CRYPTO_BINDING, REQUEST_PAC, 34 FAILURE_SEND_RESULT, SUCCESS_SEND_RESULT, SUCCESS, FAILURE 35 } state; 36 37 u8 teap_version; 38 u8 peer_version; 39 u16 tls_cs; 40 41 const struct eap_method *phase2_method; 42 void *phase2_priv; 43 44 u8 crypto_binding_nonce[32]; 45 int final_result; 46 47 u8 simck_msk[EAP_TEAP_SIMCK_LEN]; 48 u8 cmk_msk[EAP_TEAP_CMK_LEN]; 49 u8 simck_emsk[EAP_TEAP_SIMCK_LEN]; 50 u8 cmk_emsk[EAP_TEAP_CMK_LEN]; 51 int simck_idx; 52 int cmk_emsk_available; 53 54 u8 pac_opaque_encr[16]; 55 u8 *srv_id; 56 size_t srv_id_len; 57 char *srv_id_info; 58 59 unsigned int basic_auth_not_done:1; 60 unsigned int inner_eap_not_done:1; 61 int anon_provisioning; 62 int skipped_inner_auth; 63 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 64 struct wpabuf *pending_phase2_resp; 65 struct wpabuf *server_outer_tlvs; 66 struct wpabuf *peer_outer_tlvs; 67 u8 *identity; /* from PAC-Opaque or client certificate */ 68 size_t identity_len; 69 int eap_seq; 70 int tnc_started; 71 72 int pac_key_lifetime; 73 int pac_key_refresh_time; 74 75 enum teap_error_codes error_code; 76 enum teap_identity_types cur_id_type; 77 }; 78 79 80 static int eap_teap_process_phase2_start(struct eap_sm *sm, 81 struct eap_teap_data *data); 82 83 84 static const char * eap_teap_state_txt(int state) 85 { 86 switch (state) { 87 case START: 88 return "START"; 89 case PHASE1: 90 return "PHASE1"; 91 case PHASE1B: 92 return "PHASE1B"; 93 case PHASE2_START: 94 return "PHASE2_START"; 95 case PHASE2_ID: 96 return "PHASE2_ID"; 97 case PHASE2_BASIC_AUTH: 98 return "PHASE2_BASIC_AUTH"; 99 case PHASE2_METHOD: 100 return "PHASE2_METHOD"; 101 case CRYPTO_BINDING: 102 return "CRYPTO_BINDING"; 103 case REQUEST_PAC: 104 return "REQUEST_PAC"; 105 case FAILURE_SEND_RESULT: 106 return "FAILURE_SEND_RESULT"; 107 case SUCCESS_SEND_RESULT: 108 return "SUCCESS_SEND_RESULT"; 109 case SUCCESS: 110 return "SUCCESS"; 111 case FAILURE: 112 return "FAILURE"; 113 default: 114 return "Unknown?!"; 115 } 116 } 117 118 119 static void eap_teap_state(struct eap_teap_data *data, int state) 120 { 121 wpa_printf(MSG_DEBUG, "EAP-TEAP: %s -> %s", 122 eap_teap_state_txt(data->state), 123 eap_teap_state_txt(state)); 124 data->state = state; 125 } 126 127 128 static enum eap_type eap_teap_req_failure(struct eap_teap_data *data, 129 enum teap_error_codes error) 130 { 131 eap_teap_state(data, FAILURE_SEND_RESULT); 132 return EAP_TYPE_NONE; 133 } 134 135 136 static int eap_teap_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 137 const u8 *client_random, 138 const u8 *server_random, 139 u8 *master_secret) 140 { 141 struct eap_teap_data *data = ctx; 142 const u8 *pac_opaque; 143 size_t pac_opaque_len; 144 u8 *buf, *pos, *end, *pac_key = NULL; 145 os_time_t lifetime = 0; 146 struct os_time now; 147 u8 *identity = NULL; 148 size_t identity_len = 0; 149 150 wpa_printf(MSG_DEBUG, "EAP-TEAP: SessionTicket callback"); 151 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: SessionTicket (PAC-Opaque)", 152 ticket, len); 153 154 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 155 wpa_printf(MSG_DEBUG, "EAP-TEAP: Ignore invalid SessionTicket"); 156 return 0; 157 } 158 159 pac_opaque_len = WPA_GET_BE16(ticket + 2); 160 pac_opaque = ticket + 4; 161 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 162 pac_opaque_len > len - 4) { 163 wpa_printf(MSG_DEBUG, 164 "EAP-TEAP: Ignore invalid PAC-Opaque (len=%lu left=%lu)", 165 (unsigned long) pac_opaque_len, 166 (unsigned long) len); 167 return 0; 168 } 169 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Received PAC-Opaque", 170 pac_opaque, pac_opaque_len); 171 172 buf = os_malloc(pac_opaque_len - 8); 173 if (!buf) { 174 wpa_printf(MSG_DEBUG, 175 "EAP-TEAP: Failed to allocate memory for decrypting PAC-Opaque"); 176 return 0; 177 } 178 179 if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 180 (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) { 181 wpa_printf(MSG_DEBUG, "EAP-TEAP: Failed to decrypt PAC-Opaque"); 182 os_free(buf); 183 /* 184 * This may have been caused by server changing the PAC-Opaque 185 * encryption key, so just ignore this PAC-Opaque instead of 186 * failing the authentication completely. Provisioning can now 187 * be used to provision a new PAC. 188 */ 189 return 0; 190 } 191 192 end = buf + pac_opaque_len - 8; 193 wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Decrypted PAC-Opaque", 194 buf, end - buf); 195 196 pos = buf; 197 while (end - pos > 1) { 198 u8 id, elen; 199 200 id = *pos++; 201 elen = *pos++; 202 if (elen > end - pos) 203 break; 204 205 switch (id) { 206 case PAC_OPAQUE_TYPE_PAD: 207 goto done; 208 case PAC_OPAQUE_TYPE_KEY: 209 if (elen != EAP_TEAP_PAC_KEY_LEN) { 210 wpa_printf(MSG_DEBUG, 211 "EAP-TEAP: Invalid PAC-Key length %d", 212 elen); 213 os_free(buf); 214 return -1; 215 } 216 pac_key = pos; 217 wpa_hexdump_key(MSG_DEBUG, 218 "EAP-TEAP: PAC-Key from decrypted PAC-Opaque", 219 pac_key, EAP_TEAP_PAC_KEY_LEN); 220 break; 221 case PAC_OPAQUE_TYPE_LIFETIME: 222 if (elen != 4) { 223 wpa_printf(MSG_DEBUG, 224 "EAP-TEAP: Invalid PAC-Key lifetime length %d", 225 elen); 226 os_free(buf); 227 return -1; 228 } 229 lifetime = WPA_GET_BE32(pos); 230 break; 231 case PAC_OPAQUE_TYPE_IDENTITY: 232 identity = pos; 233 identity_len = elen; 234 break; 235 } 236 237 pos += elen; 238 } 239 done: 240 241 if (!pac_key) { 242 wpa_printf(MSG_DEBUG, 243 "EAP-TEAP: No PAC-Key included in PAC-Opaque"); 244 os_free(buf); 245 return -1; 246 } 247 248 if (identity) { 249 wpa_hexdump_ascii(MSG_DEBUG, 250 "EAP-TEAP: Identity from PAC-Opaque", 251 identity, identity_len); 252 os_free(data->identity); 253 data->identity = os_malloc(identity_len); 254 if (data->identity) { 255 os_memcpy(data->identity, identity, identity_len); 256 data->identity_len = identity_len; 257 } 258 } 259 260 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 261 wpa_printf(MSG_DEBUG, 262 "EAP-TEAP: PAC-Key not valid anymore (lifetime=%ld now=%ld)", 263 lifetime, now.sec); 264 data->send_new_pac = 2; 265 /* 266 * Allow PAC to be used to allow a PAC update with some level 267 * of server authentication (i.e., do not fall back to full TLS 268 * handshake since we cannot be sure that the peer would be 269 * able to validate server certificate now). However, reject 270 * the authentication since the PAC was not valid anymore. Peer 271 * can connect again with the newly provisioned PAC after this. 272 */ 273 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 274 wpa_printf(MSG_DEBUG, 275 "EAP-TEAP: PAC-Key soft timeout; send an update if authentication succeeds"); 276 data->send_new_pac = 1; 277 } 278 279 /* EAP-TEAP uses PAC-Key as the TLS master_secret */ 280 os_memcpy(master_secret, pac_key, EAP_TEAP_PAC_KEY_LEN); 281 282 os_free(buf); 283 284 return 1; 285 } 286 287 288 static int eap_teap_derive_key_auth(struct eap_sm *sm, 289 struct eap_teap_data *data) 290 { 291 int res; 292 293 /* RFC 7170, Section 5.1 */ 294 res = tls_connection_export_key(sm->cfg->ssl_ctx, data->ssl.conn, 295 TEAP_TLS_EXPORTER_LABEL_SKS, NULL, 0, 296 data->simck_msk, EAP_TEAP_SIMCK_LEN); 297 if (res) 298 return res; 299 wpa_hexdump_key(MSG_DEBUG, 300 "EAP-TEAP: session_key_seed (S-IMCK[0])", 301 data->simck_msk, EAP_TEAP_SIMCK_LEN); 302 os_memcpy(data->simck_emsk, data->simck_msk, EAP_TEAP_SIMCK_LEN); 303 data->simck_idx = 0; 304 return 0; 305 } 306 307 308 static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data) 309 { 310 u8 *msk = NULL, *emsk = NULL; 311 size_t msk_len = 0, emsk_len = 0; 312 int res; 313 314 wpa_printf(MSG_DEBUG, "EAP-TEAP: Deriving ICMK[%d] (S-IMCK and CMK)", 315 data->simck_idx + 1); 316 317 if (sm->cfg->eap_teap_auth == 1) 318 return eap_teap_derive_cmk_basic_pw_auth(data->tls_cs, 319 data->simck_msk, 320 data->cmk_msk); 321 322 if (!data->phase2_method || !data->phase2_priv) { 323 wpa_printf(MSG_INFO, "EAP-TEAP: Phase 2 method not available"); 324 return -1; 325 } 326 327 if (data->phase2_method->getKey) { 328 msk = data->phase2_method->getKey(sm, data->phase2_priv, 329 &msk_len); 330 if (!msk) { 331 wpa_printf(MSG_INFO, 332 "EAP-TEAP: Could not fetch Phase 2 MSK"); 333 return -1; 334 } 335 } 336 337 if (data->phase2_method->get_emsk) { 338 emsk = data->phase2_method->get_emsk(sm, data->phase2_priv, 339 &emsk_len); 340 } 341 342 res = eap_teap_derive_imck(data->tls_cs, 343 data->simck_msk, data->simck_emsk, 344 msk, msk_len, emsk, emsk_len, 345 data->simck_msk, data->cmk_msk, 346 data->simck_emsk, data->cmk_emsk); 347 bin_clear_free(msk, msk_len); 348 bin_clear_free(emsk, emsk_len); 349 if (res == 0) { 350 data->simck_idx++; 351 if (emsk) 352 data->cmk_emsk_available = 1; 353 } 354 return 0; 355 } 356 357 358 static void * eap_teap_init(struct eap_sm *sm) 359 { 360 struct eap_teap_data *data; 361 362 data = os_zalloc(sizeof(*data)); 363 if (!data) 364 return NULL; 365 data->teap_version = EAP_TEAP_VERSION; 366 data->state = START; 367 368 if (eap_server_tls_ssl_init(sm, &data->ssl, 369 sm->cfg->eap_teap_auth == 2 ? 2 : 0, 370 EAP_TYPE_TEAP)) { 371 wpa_printf(MSG_INFO, "EAP-TEAP: Failed to initialize SSL."); 372 eap_teap_reset(sm, data); 373 return NULL; 374 } 375 376 /* TODO: Add anon-DH TLS cipher suites (and if one is negotiated, 377 * enforce inner EAP with mutual authentication to be used) */ 378 379 if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx, 380 data->ssl.conn, 381 eap_teap_session_ticket_cb, 382 data) < 0) { 383 wpa_printf(MSG_INFO, 384 "EAP-TEAP: Failed to set SessionTicket callback"); 385 eap_teap_reset(sm, data); 386 return NULL; 387 } 388 389 if (!sm->cfg->pac_opaque_encr_key) { 390 wpa_printf(MSG_INFO, 391 "EAP-TEAP: No PAC-Opaque encryption key configured"); 392 eap_teap_reset(sm, data); 393 return NULL; 394 } 395 os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key, 396 sizeof(data->pac_opaque_encr)); 397 398 if (!sm->cfg->eap_fast_a_id) { 399 wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID configured"); 400 eap_teap_reset(sm, data); 401 return NULL; 402 } 403 data->srv_id = os_malloc(sm->cfg->eap_fast_a_id_len); 404 if (!data->srv_id) { 405 eap_teap_reset(sm, data); 406 return NULL; 407 } 408 os_memcpy(data->srv_id, sm->cfg->eap_fast_a_id, 409 sm->cfg->eap_fast_a_id_len); 410 data->srv_id_len = sm->cfg->eap_fast_a_id_len; 411 412 if (!sm->cfg->eap_fast_a_id_info) { 413 wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID-Info configured"); 414 eap_teap_reset(sm, data); 415 return NULL; 416 } 417 data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info); 418 if (!data->srv_id_info) { 419 eap_teap_reset(sm, data); 420 return NULL; 421 } 422 423 /* PAC-Key lifetime in seconds (hard limit) */ 424 data->pac_key_lifetime = sm->cfg->pac_key_lifetime; 425 426 /* 427 * PAC-Key refresh time in seconds (soft limit on remaining hard 428 * limit). The server will generate a new PAC-Key when this number of 429 * seconds (or fewer) of the lifetime remains. 430 */ 431 data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time; 432 433 return data; 434 } 435 436 437 static void eap_teap_reset(struct eap_sm *sm, void *priv) 438 { 439 struct eap_teap_data *data = priv; 440 441 if (!data) 442 return; 443 if (data->phase2_priv && data->phase2_method) 444 data->phase2_method->reset(sm, data->phase2_priv); 445 eap_server_tls_ssl_deinit(sm, &data->ssl); 446 os_free(data->srv_id); 447 os_free(data->srv_id_info); 448 wpabuf_free(data->pending_phase2_resp); 449 wpabuf_free(data->server_outer_tlvs); 450 wpabuf_free(data->peer_outer_tlvs); 451 os_free(data->identity); 452 forced_memzero(data->simck_msk, EAP_TEAP_SIMCK_LEN); 453 forced_memzero(data->simck_emsk, EAP_TEAP_SIMCK_LEN); 454 forced_memzero(data->cmk_msk, EAP_TEAP_CMK_LEN); 455 forced_memzero(data->cmk_emsk, EAP_TEAP_CMK_LEN); 456 forced_memzero(data->pac_opaque_encr, sizeof(data->pac_opaque_encr)); 457 bin_clear_free(data, sizeof(*data)); 458 } 459 460 461 static struct wpabuf * eap_teap_build_start(struct eap_sm *sm, 462 struct eap_teap_data *data, u8 id) 463 { 464 struct wpabuf *req; 465 size_t outer_tlv_len = sizeof(struct teap_tlv_hdr) + data->srv_id_len; 466 const u8 *start, *end; 467 468 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TEAP, 469 1 + 4 + outer_tlv_len, EAP_CODE_REQUEST, id); 470 if (!req) { 471 wpa_printf(MSG_ERROR, 472 "EAP-TEAP: Failed to allocate memory for request"); 473 eap_teap_state(data, FAILURE); 474 return NULL; 475 } 476 477 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | EAP_TEAP_FLAGS_OUTER_TLV_LEN | 478 data->teap_version); 479 wpabuf_put_be32(req, outer_tlv_len); 480 481 start = wpabuf_put(req, 0); 482 483 /* RFC 7170, Section 4.2.2: Authority-ID TLV */ 484 eap_teap_put_tlv(req, TEAP_TLV_AUTHORITY_ID, 485 data->srv_id, data->srv_id_len); 486 487 end = wpabuf_put(req, 0); 488 wpabuf_free(data->server_outer_tlvs); 489 data->server_outer_tlvs = wpabuf_alloc_copy(start, end - start); 490 if (!data->server_outer_tlvs) { 491 eap_teap_state(data, FAILURE); 492 return NULL; 493 } 494 495 eap_teap_state(data, PHASE1); 496 497 return req; 498 } 499 500 501 static int eap_teap_phase1_done(struct eap_sm *sm, struct eap_teap_data *data) 502 { 503 char cipher[64]; 504 505 wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 1 done, starting Phase 2"); 506 507 if (!data->identity && sm->cfg->eap_teap_auth == 2) { 508 const char *subject; 509 510 subject = tls_connection_get_peer_subject(data->ssl.conn); 511 if (subject) { 512 wpa_printf(MSG_DEBUG, 513 "EAP-TEAP: Peer subject from Phase 1 client certificate: '%s'", 514 subject); 515 data->identity = (u8 *) os_strdup(subject); 516 data->identity_len = os_strlen(subject); 517 } 518 } 519 520 data->tls_cs = tls_connection_get_cipher_suite(data->ssl.conn); 521 wpa_printf(MSG_DEBUG, "EAP-TEAP: TLS cipher suite 0x%04x", 522 data->tls_cs); 523 524 if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn, 525 cipher, sizeof(cipher)) < 0) { 526 wpa_printf(MSG_DEBUG, 527 "EAP-TEAP: Failed to get cipher information"); 528 eap_teap_state(data, FAILURE); 529 return -1; 530 } 531 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 532 533 if (data->anon_provisioning) 534 wpa_printf(MSG_DEBUG, "EAP-TEAP: Anonymous provisioning"); 535 536 if (eap_teap_derive_key_auth(sm, data) < 0) { 537 eap_teap_state(data, FAILURE); 538 return -1; 539 } 540 541 eap_teap_state(data, PHASE2_START); 542 543 return 0; 544 } 545 546 547 static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm, 548 struct eap_teap_data *data, 549 u8 id) 550 { 551 struct wpabuf *req, *id_tlv = NULL; 552 553 if (sm->cfg->eap_teap_auth == 1 || 554 (data->phase2_priv && data->phase2_method && 555 data->phase2_method->vendor == EAP_VENDOR_IETF && 556 data->phase2_method->method == EAP_TYPE_IDENTITY)) { 557 switch (sm->cfg->eap_teap_id) { 558 case EAP_TEAP_ID_ALLOW_ANY: 559 break; 560 case EAP_TEAP_ID_REQUIRE_USER: 561 case EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE: 562 data->cur_id_type = TEAP_IDENTITY_TYPE_USER; 563 id_tlv = eap_teap_tlv_identity_type(data->cur_id_type); 564 break; 565 case EAP_TEAP_ID_REQUIRE_MACHINE: 566 case EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER: 567 data->cur_id_type = TEAP_IDENTITY_TYPE_MACHINE; 568 id_tlv = eap_teap_tlv_identity_type(data->cur_id_type); 569 break; 570 case EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE: 571 if (data->cur_id_type == TEAP_IDENTITY_TYPE_USER) 572 data->cur_id_type = TEAP_IDENTITY_TYPE_MACHINE; 573 else 574 data->cur_id_type = TEAP_IDENTITY_TYPE_USER; 575 id_tlv = eap_teap_tlv_identity_type(data->cur_id_type); 576 break; 577 } 578 } 579 580 if (sm->cfg->eap_teap_auth == 1) { 581 wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth"); 582 data->basic_auth_not_done = 1; 583 req = wpabuf_alloc(sizeof(struct teap_tlv_hdr)); 584 if (!req) { 585 wpabuf_free(id_tlv); 586 return NULL; 587 } 588 eap_teap_put_tlv_hdr(req, TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, 0); 589 return wpabuf_concat(req, id_tlv); 590 } 591 592 wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate inner EAP method"); 593 data->inner_eap_not_done = 1; 594 if (!data->phase2_priv) { 595 wpa_printf(MSG_DEBUG, 596 "EAP-TEAP: Phase 2 method not initialized"); 597 wpabuf_free(id_tlv); 598 return NULL; 599 } 600 601 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 602 if (!req) { 603 wpabuf_free(id_tlv); 604 return NULL; 605 } 606 607 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-TEAP: Phase 2 EAP-Request", req); 608 609 return wpabuf_concat(eap_teap_tlv_eap_payload(req), id_tlv); 610 } 611 612 613 static struct wpabuf * eap_teap_build_crypto_binding( 614 struct eap_sm *sm, struct eap_teap_data *data) 615 { 616 struct wpabuf *buf; 617 struct teap_tlv_result *result; 618 struct teap_tlv_crypto_binding *cb; 619 u8 subtype, flags; 620 621 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*cb)); 622 if (!buf) 623 return NULL; 624 625 if (data->send_new_pac || data->anon_provisioning || 626 data->basic_auth_not_done || data->inner_eap_not_done || 627 data->phase2_method || sm->cfg->eap_teap_separate_result) 628 data->final_result = 0; 629 else 630 data->final_result = 1; 631 632 if (!data->final_result || data->eap_seq > 0 || 633 sm->cfg->eap_teap_auth == 1) { 634 /* Intermediate-Result */ 635 wpa_printf(MSG_DEBUG, 636 "EAP-TEAP: Add Intermediate-Result TLV (status=SUCCESS)"); 637 result = wpabuf_put(buf, sizeof(*result)); 638 result->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | 639 TEAP_TLV_INTERMEDIATE_RESULT); 640 result->length = host_to_be16(2); 641 result->status = host_to_be16(TEAP_STATUS_SUCCESS); 642 } 643 644 if (data->final_result) { 645 /* Result TLV */ 646 wpa_printf(MSG_DEBUG, 647 "EAP-TEAP: Add Result TLV (status=SUCCESS)"); 648 result = wpabuf_put(buf, sizeof(*result)); 649 result->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | 650 TEAP_TLV_RESULT); 651 result->length = host_to_be16(2); 652 result->status = host_to_be16(TEAP_STATUS_SUCCESS); 653 } 654 655 /* Crypto-Binding TLV */ 656 cb = wpabuf_put(buf, sizeof(*cb)); 657 cb->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | 658 TEAP_TLV_CRYPTO_BINDING); 659 cb->length = host_to_be16(sizeof(*cb) - sizeof(struct teap_tlv_hdr)); 660 cb->version = EAP_TEAP_VERSION; 661 cb->received_version = data->peer_version; 662 /* FIX: RFC 7170 is not clear on which Flags value to use when 663 * Crypto-Binding TLV is used with Basic-Password-Auth */ 664 flags = data->cmk_emsk_available ? 665 TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC : 666 TEAP_CRYPTO_BINDING_MSK_CMAC; 667 subtype = TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST; 668 cb->subtype = (flags << 4) | subtype; 669 if (random_get_bytes(cb->nonce, sizeof(cb->nonce)) < 0) { 670 wpabuf_free(buf); 671 return NULL; 672 } 673 674 /* 675 * RFC 7170, Section 4.2.13: 676 * The nonce in a request MUST have its least significant bit set to 0. 677 */ 678 cb->nonce[sizeof(cb->nonce) - 1] &= ~0x01; 679 680 os_memcpy(data->crypto_binding_nonce, cb->nonce, sizeof(cb->nonce)); 681 682 if (eap_teap_compound_mac(data->tls_cs, cb, data->server_outer_tlvs, 683 data->peer_outer_tlvs, data->cmk_msk, 684 cb->msk_compound_mac) < 0) { 685 wpabuf_free(buf); 686 return NULL; 687 } 688 689 if (data->cmk_emsk_available && 690 eap_teap_compound_mac(data->tls_cs, cb, data->server_outer_tlvs, 691 data->peer_outer_tlvs, data->cmk_emsk, 692 cb->emsk_compound_mac) < 0) { 693 wpabuf_free(buf); 694 return NULL; 695 } 696 697 wpa_printf(MSG_DEBUG, 698 "EAP-TEAP: Add Crypto-Binding TLV: Version %u Received Version %u Flags %u Sub-Type %u", 699 cb->version, cb->received_version, flags, subtype); 700 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce", 701 cb->nonce, sizeof(cb->nonce)); 702 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC", 703 cb->emsk_compound_mac, sizeof(cb->emsk_compound_mac)); 704 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC", 705 cb->msk_compound_mac, sizeof(cb->msk_compound_mac)); 706 707 return buf; 708 } 709 710 711 static struct wpabuf * eap_teap_build_pac(struct eap_sm *sm, 712 struct eap_teap_data *data) 713 { 714 u8 pac_key[EAP_TEAP_PAC_KEY_LEN]; 715 u8 *pac_buf, *pac_opaque; 716 struct wpabuf *buf; 717 u8 *pos; 718 size_t buf_len, srv_id_info_len, pac_len; 719 struct teap_tlv_hdr *pac_tlv; 720 struct pac_attr_hdr *pac_info; 721 struct teap_tlv_result *result; 722 struct os_time now; 723 724 wpa_printf(MSG_DEBUG, "EAP-TEAP: Build a new PAC"); 725 726 if (random_get_bytes(pac_key, EAP_TEAP_PAC_KEY_LEN) < 0 || 727 os_get_time(&now) < 0) 728 return NULL; 729 wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Generated PAC-Key", 730 pac_key, EAP_TEAP_PAC_KEY_LEN); 731 732 pac_len = (2 + EAP_TEAP_PAC_KEY_LEN) + (2 + 4) + 733 (2 + sm->identity_len) + 8; 734 pac_buf = os_malloc(pac_len); 735 if (!pac_buf) 736 return NULL; 737 738 srv_id_info_len = os_strlen(data->srv_id_info); 739 740 pos = pac_buf; 741 *pos++ = PAC_OPAQUE_TYPE_KEY; 742 *pos++ = EAP_TEAP_PAC_KEY_LEN; 743 os_memcpy(pos, pac_key, EAP_TEAP_PAC_KEY_LEN); 744 pos += EAP_TEAP_PAC_KEY_LEN; 745 746 wpa_printf(MSG_DEBUG, "EAP-TEAP: PAC-Key lifetime: %u seconds", 747 data->pac_key_lifetime); 748 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 749 *pos++ = 4; 750 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 751 pos += 4; 752 753 if (sm->identity) { 754 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TEAP: PAC-Opaque Identity", 755 sm->identity, sm->identity_len); 756 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 757 *pos++ = sm->identity_len; 758 os_memcpy(pos, sm->identity, sm->identity_len); 759 pos += sm->identity_len; 760 } 761 762 pac_len = pos - pac_buf; 763 while (pac_len % 8) { 764 *pos++ = PAC_OPAQUE_TYPE_PAD; 765 pac_len++; 766 } 767 768 pac_opaque = os_malloc(pac_len + 8); 769 if (!pac_opaque) { 770 os_free(pac_buf); 771 return NULL; 772 } 773 if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 774 pac_len / 8, pac_buf, pac_opaque) < 0) { 775 os_free(pac_buf); 776 os_free(pac_opaque); 777 return NULL; 778 } 779 os_free(pac_buf); 780 781 pac_len += 8; 782 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: PAC-Opaque", pac_opaque, pac_len); 783 784 buf_len = sizeof(*pac_tlv) + 785 sizeof(struct pac_attr_hdr) + EAP_TEAP_PAC_KEY_LEN + 786 sizeof(struct pac_attr_hdr) + pac_len + 787 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 788 buf = wpabuf_alloc(buf_len); 789 if (!buf) { 790 os_free(pac_opaque); 791 return NULL; 792 } 793 794 /* Result TLV */ 795 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add Result TLV (status=SUCCESS)"); 796 result = wpabuf_put(buf, sizeof(*result)); 797 WPA_PUT_BE16((u8 *) &result->tlv_type, 798 TEAP_TLV_MANDATORY | TEAP_TLV_RESULT); 799 WPA_PUT_BE16((u8 *) &result->length, 2); 800 WPA_PUT_BE16((u8 *) &result->status, TEAP_STATUS_SUCCESS); 801 802 /* PAC TLV */ 803 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add PAC TLV"); 804 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 805 pac_tlv->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | TEAP_TLV_PAC); 806 807 /* PAC-Key */ 808 eap_teap_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_TEAP_PAC_KEY_LEN); 809 810 /* PAC-Opaque */ 811 eap_teap_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 812 os_free(pac_opaque); 813 814 /* PAC-Info */ 815 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 816 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 817 818 /* PAC-Lifetime (inside PAC-Info) */ 819 eap_teap_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 820 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 821 822 /* A-ID (inside PAC-Info) */ 823 eap_teap_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 824 825 /* Note: headers may be misaligned after A-ID */ 826 827 if (sm->identity) { 828 eap_teap_put_tlv(buf, PAC_TYPE_I_ID, sm->identity, 829 sm->identity_len); 830 } 831 832 /* A-ID-Info (inside PAC-Info) */ 833 eap_teap_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 834 srv_id_info_len); 835 836 /* PAC-Type (inside PAC-Info) */ 837 eap_teap_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 838 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 839 840 /* Update PAC-Info and PAC TLV Length fields */ 841 pos = wpabuf_put(buf, 0); 842 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 843 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 844 845 return buf; 846 } 847 848 849 static int eap_teap_encrypt_phase2(struct eap_sm *sm, 850 struct eap_teap_data *data, 851 struct wpabuf *plain, int piggyback) 852 { 853 struct wpabuf *encr; 854 855 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Encrypting Phase 2 TLVs", 856 plain); 857 encr = eap_server_tls_encrypt(sm, &data->ssl, plain); 858 wpabuf_free(plain); 859 860 if (!encr) 861 return -1; 862 863 if (data->ssl.tls_out && piggyback) { 864 wpa_printf(MSG_DEBUG, 865 "EAP-TEAP: Piggyback Phase 2 data (len=%d) with last Phase 1 Message (len=%d used=%d)", 866 (int) wpabuf_len(encr), 867 (int) wpabuf_len(data->ssl.tls_out), 868 (int) data->ssl.tls_out_pos); 869 if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) { 870 wpa_printf(MSG_WARNING, 871 "EAP-TEAP: Failed to resize output buffer"); 872 wpabuf_free(encr); 873 return -1; 874 } 875 wpabuf_put_buf(data->ssl.tls_out, encr); 876 wpabuf_free(encr); 877 } else { 878 wpabuf_free(data->ssl.tls_out); 879 data->ssl.tls_out_pos = 0; 880 data->ssl.tls_out = encr; 881 } 882 883 return 0; 884 } 885 886 887 static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id) 888 { 889 struct eap_teap_data *data = priv; 890 struct wpabuf *req = NULL; 891 int piggyback = 0; 892 893 if (data->ssl.state == FRAG_ACK) { 894 return eap_server_tls_build_ack(id, EAP_TYPE_TEAP, 895 data->teap_version); 896 } 897 898 if (data->ssl.state == WAIT_FRAG_ACK) { 899 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TEAP, 900 data->teap_version, id); 901 } 902 903 switch (data->state) { 904 case START: 905 return eap_teap_build_start(sm, data, id); 906 case PHASE1B: 907 if (tls_connection_established(sm->cfg->ssl_ctx, 908 data->ssl.conn)) { 909 if (eap_teap_phase1_done(sm, data) < 0) 910 return NULL; 911 if (data->state == PHASE2_START) { 912 int res; 913 914 /* 915 * Try to generate Phase 2 data to piggyback 916 * with the end of Phase 1 to avoid extra 917 * roundtrip. 918 */ 919 wpa_printf(MSG_DEBUG, 920 "EAP-TEAP: Try to start Phase 2"); 921 res = eap_teap_process_phase2_start(sm, data); 922 if (res == 1) { 923 req = eap_teap_build_crypto_binding( 924 sm, data); 925 piggyback = 1; 926 break; 927 } 928 929 if (res) 930 break; 931 req = eap_teap_build_phase2_req(sm, data, id); 932 piggyback = 1; 933 } 934 } 935 break; 936 case PHASE2_ID: 937 case PHASE2_BASIC_AUTH: 938 case PHASE2_METHOD: 939 req = eap_teap_build_phase2_req(sm, data, id); 940 break; 941 case CRYPTO_BINDING: 942 req = eap_teap_build_crypto_binding(sm, data); 943 if (data->phase2_method) { 944 /* 945 * Include the start of the next EAP method in the 946 * sequence in the same message with Crypto-Binding to 947 * save a round-trip. 948 */ 949 struct wpabuf *eap; 950 951 eap = eap_teap_build_phase2_req(sm, data, id); 952 req = wpabuf_concat(req, eap); 953 eap_teap_state(data, PHASE2_METHOD); 954 } 955 break; 956 case REQUEST_PAC: 957 req = eap_teap_build_pac(sm, data); 958 break; 959 case FAILURE_SEND_RESULT: 960 req = eap_teap_tlv_result(TEAP_STATUS_FAILURE, 0); 961 if (data->error_code) 962 req = wpabuf_concat( 963 req, eap_teap_tlv_error(data->error_code)); 964 break; 965 case SUCCESS_SEND_RESULT: 966 req = eap_teap_tlv_result(TEAP_STATUS_SUCCESS, 0); 967 data->final_result = 1; 968 break; 969 default: 970 wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d", 971 __func__, data->state); 972 return NULL; 973 } 974 975 if (req && eap_teap_encrypt_phase2(sm, data, req, piggyback) < 0) 976 return NULL; 977 978 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TEAP, 979 data->teap_version, id); 980 } 981 982 983 static bool eap_teap_check(struct eap_sm *sm, void *priv, 984 struct wpabuf *respData) 985 { 986 const u8 *pos; 987 size_t len; 988 989 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, respData, &len); 990 if (!pos || len < 1) { 991 wpa_printf(MSG_INFO, "EAP-TEAP: Invalid frame"); 992 return true; 993 } 994 995 return false; 996 } 997 998 999 static int eap_teap_phase2_init(struct eap_sm *sm, struct eap_teap_data *data, 1000 int vendor, enum eap_type eap_type) 1001 { 1002 if (data->phase2_priv && data->phase2_method) { 1003 data->phase2_method->reset(sm, data->phase2_priv); 1004 data->phase2_method = NULL; 1005 data->phase2_priv = NULL; 1006 } 1007 data->phase2_method = eap_server_get_eap_method(vendor, eap_type); 1008 if (!data->phase2_method) 1009 return -1; 1010 1011 sm->init_phase2 = 1; 1012 data->phase2_priv = data->phase2_method->init(sm); 1013 sm->init_phase2 = 0; 1014 1015 return data->phase2_priv ? 0 : -1; 1016 } 1017 1018 1019 static int eap_teap_valid_id_type(struct eap_sm *sm, struct eap_teap_data *data, 1020 enum teap_identity_types id_type) 1021 { 1022 if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_USER && 1023 id_type != TEAP_IDENTITY_TYPE_USER) 1024 return 0; 1025 if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_MACHINE && 1026 id_type != TEAP_IDENTITY_TYPE_MACHINE) 1027 return 0; 1028 if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE && 1029 id_type != data->cur_id_type) 1030 return 0; 1031 if (sm->cfg->eap_teap_id != EAP_TEAP_ID_ALLOW_ANY && 1032 id_type != TEAP_IDENTITY_TYPE_USER && 1033 id_type != TEAP_IDENTITY_TYPE_MACHINE) 1034 return 0; 1035 return 1; 1036 } 1037 1038 1039 static void eap_teap_process_phase2_response(struct eap_sm *sm, 1040 struct eap_teap_data *data, 1041 u8 *in_data, size_t in_len, 1042 enum teap_identity_types id_type) 1043 { 1044 int next_vendor = EAP_VENDOR_IETF; 1045 enum eap_type next_type = EAP_TYPE_NONE; 1046 struct eap_hdr *hdr; 1047 u8 *pos; 1048 size_t left; 1049 struct wpabuf buf; 1050 const struct eap_method *m = data->phase2_method; 1051 void *priv = data->phase2_priv; 1052 1053 if (!priv) { 1054 wpa_printf(MSG_DEBUG, 1055 "EAP-TEAP: %s - Phase 2 not initialized?!", 1056 __func__); 1057 return; 1058 } 1059 1060 hdr = (struct eap_hdr *) in_data; 1061 pos = (u8 *) (hdr + 1); 1062 1063 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 1064 left = in_len - sizeof(*hdr); 1065 wpa_hexdump(MSG_DEBUG, 1066 "EAP-TEAP: Phase 2 type Nak'ed; allowed types", 1067 pos + 1, left - 1); 1068 #ifdef EAP_SERVER_TNC 1069 if (m && m->vendor == EAP_VENDOR_IETF && 1070 m->method == EAP_TYPE_TNC) { 1071 wpa_printf(MSG_DEBUG, 1072 "EAP-TEAP: Peer Nak'ed required TNC negotiation"); 1073 next_vendor = EAP_VENDOR_IETF; 1074 next_type = eap_teap_req_failure(data, 0); 1075 eap_teap_phase2_init(sm, data, next_vendor, next_type); 1076 return; 1077 } 1078 #endif /* EAP_SERVER_TNC */ 1079 eap_sm_process_nak(sm, pos + 1, left - 1); 1080 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1081 sm->user->methods[sm->user_eap_method_index].method != 1082 EAP_TYPE_NONE) { 1083 next_vendor = sm->user->methods[ 1084 sm->user_eap_method_index].vendor; 1085 next_type = sm->user->methods[ 1086 sm->user_eap_method_index++].method; 1087 wpa_printf(MSG_DEBUG, "EAP-TEAP: try EAP type %u:%u", 1088 next_vendor, next_type); 1089 } else { 1090 next_vendor = EAP_VENDOR_IETF; 1091 next_type = eap_teap_req_failure(data, 0); 1092 } 1093 eap_teap_phase2_init(sm, data, next_vendor, next_type); 1094 return; 1095 } 1096 1097 wpabuf_set(&buf, in_data, in_len); 1098 1099 if (m->check(sm, priv, &buf)) { 1100 wpa_printf(MSG_DEBUG, 1101 "EAP-TEAP: Phase 2 check() asked to ignore the packet"); 1102 eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1103 return; 1104 } 1105 1106 m->process(sm, priv, &buf); 1107 1108 if (!m->isDone(sm, priv)) 1109 return; 1110 1111 if (!m->isSuccess(sm, priv)) { 1112 wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 2 method failed"); 1113 next_vendor = EAP_VENDOR_IETF; 1114 next_type = eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1115 eap_teap_phase2_init(sm, data, next_vendor, next_type); 1116 return; 1117 } 1118 1119 switch (data->state) { 1120 case PHASE2_ID: 1121 if (!eap_teap_valid_id_type(sm, data, id_type)) { 1122 wpa_printf(MSG_DEBUG, 1123 "EAP-TEAP: Provided Identity-Type %u not allowed", 1124 id_type); 1125 eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1126 break; 1127 } 1128 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1129 wpa_hexdump_ascii(MSG_DEBUG, 1130 "EAP-TEAP: Phase 2 Identity not found in the user database", 1131 sm->identity, sm->identity_len); 1132 next_vendor = EAP_VENDOR_IETF; 1133 next_type = eap_teap_req_failure( 1134 data, TEAP_ERROR_INNER_METHOD); 1135 break; 1136 } 1137 1138 eap_teap_state(data, PHASE2_METHOD); 1139 if (data->anon_provisioning) { 1140 /* TODO: Allow any inner EAP method that provides 1141 * mutual authentication and EMSK derivation (i.e., 1142 * EAP-pwd or EAP-EKE). */ 1143 next_vendor = EAP_VENDOR_IETF; 1144 next_type = EAP_TYPE_PWD; 1145 sm->user_eap_method_index = 0; 1146 } else { 1147 next_vendor = sm->user->methods[0].vendor; 1148 next_type = sm->user->methods[0].method; 1149 sm->user_eap_method_index = 1; 1150 } 1151 wpa_printf(MSG_DEBUG, "EAP-TEAP: Try EAP type %u:%u", 1152 next_vendor, next_type); 1153 break; 1154 case PHASE2_METHOD: 1155 case CRYPTO_BINDING: 1156 eap_teap_update_icmk(sm, data); 1157 if (data->state == PHASE2_METHOD && 1158 (sm->cfg->eap_teap_id != 1159 EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE || 1160 data->cur_id_type == TEAP_IDENTITY_TYPE_MACHINE)) 1161 data->inner_eap_not_done = 0; 1162 eap_teap_state(data, CRYPTO_BINDING); 1163 data->eap_seq++; 1164 next_vendor = EAP_VENDOR_IETF; 1165 next_type = EAP_TYPE_NONE; 1166 #ifdef EAP_SERVER_TNC 1167 if (sm->cfg->tnc && !data->tnc_started) { 1168 wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC"); 1169 next_vendor = EAP_VENDOR_IETF; 1170 next_type = EAP_TYPE_TNC; 1171 data->tnc_started = 1; 1172 } 1173 #endif /* EAP_SERVER_TNC */ 1174 break; 1175 case FAILURE: 1176 break; 1177 default: 1178 wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d", 1179 __func__, data->state); 1180 break; 1181 } 1182 1183 eap_teap_phase2_init(sm, data, next_vendor, next_type); 1184 } 1185 1186 1187 static void eap_teap_process_phase2_eap(struct eap_sm *sm, 1188 struct eap_teap_data *data, 1189 u8 *in_data, size_t in_len, 1190 enum teap_identity_types id_type) 1191 { 1192 struct eap_hdr *hdr; 1193 size_t len; 1194 1195 hdr = (struct eap_hdr *) in_data; 1196 if (in_len < (int) sizeof(*hdr)) { 1197 wpa_printf(MSG_INFO, 1198 "EAP-TEAP: Too short Phase 2 EAP frame (len=%lu)", 1199 (unsigned long) in_len); 1200 eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1201 return; 1202 } 1203 len = be_to_host16(hdr->length); 1204 if (len > in_len) { 1205 wpa_printf(MSG_INFO, 1206 "EAP-TEAP: Length mismatch in Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1207 (unsigned long) in_len, (unsigned long) len); 1208 eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1209 return; 1210 } 1211 wpa_printf(MSG_DEBUG, 1212 "EAP-TEAP: Received Phase 2: code=%d identifier=%d length=%lu", 1213 hdr->code, hdr->identifier, 1214 (unsigned long) len); 1215 switch (hdr->code) { 1216 case EAP_CODE_RESPONSE: 1217 eap_teap_process_phase2_response(sm, data, (u8 *) hdr, len, 1218 id_type); 1219 break; 1220 default: 1221 wpa_printf(MSG_INFO, 1222 "EAP-TEAP: Unexpected code=%d in Phase 2 EAP header", 1223 hdr->code); 1224 break; 1225 } 1226 } 1227 1228 1229 static void eap_teap_process_basic_auth_resp(struct eap_sm *sm, 1230 struct eap_teap_data *data, 1231 u8 *in_data, size_t in_len, 1232 enum teap_identity_types id_type) 1233 { 1234 u8 *pos, *end, *username, *password, *new_id; 1235 u8 userlen, passlen; 1236 1237 if (!eap_teap_valid_id_type(sm, data, id_type)) { 1238 wpa_printf(MSG_DEBUG, 1239 "EAP-TEAP: Provided Identity-Type %u not allowed", 1240 id_type); 1241 eap_teap_req_failure(data, 0); 1242 return; 1243 } 1244 1245 pos = in_data; 1246 end = pos + in_len; 1247 1248 if (end - pos < 1) { 1249 wpa_printf(MSG_DEBUG, 1250 "EAP-TEAP: No room for Basic-Password-Auth-Resp Userlen field"); 1251 eap_teap_req_failure(data, 0); 1252 return; 1253 } 1254 userlen = *pos++; 1255 if (end - pos < userlen) { 1256 wpa_printf(MSG_DEBUG, 1257 "EAP-TEAP: Truncated Basic-Password-Auth-Resp Username field"); 1258 eap_teap_req_failure(data, 0); 1259 return; 1260 } 1261 username = pos; 1262 pos += userlen; 1263 wpa_hexdump_ascii(MSG_DEBUG, 1264 "EAP-TEAP: Basic-Password-Auth-Resp Username", 1265 username, userlen); 1266 1267 if (end - pos < 1) { 1268 wpa_printf(MSG_DEBUG, 1269 "EAP-TEAP: No room for Basic-Password-Auth-Resp Passlen field"); 1270 eap_teap_req_failure(data, 0); 1271 return; 1272 } 1273 passlen = *pos++; 1274 if (end - pos < passlen) { 1275 wpa_printf(MSG_DEBUG, 1276 "EAP-TEAP: Truncated Basic-Password-Auth-Resp Password field"); 1277 eap_teap_req_failure(data, 0); 1278 return; 1279 } 1280 password = pos; 1281 pos += passlen; 1282 wpa_hexdump_ascii_key(MSG_DEBUG, 1283 "EAP-TEAP: Basic-Password-Auth-Resp Password", 1284 password, passlen); 1285 1286 if (end > pos) { 1287 wpa_printf(MSG_DEBUG, 1288 "EAP-TEAP: Unexpected %d extra octet(s) at the end of Basic-Password-Auth-Resp TLV", 1289 (int) (end - pos)); 1290 eap_teap_req_failure(data, 0); 1291 return; 1292 } 1293 1294 if (eap_user_get(sm, username, userlen, 1) != 0) { 1295 wpa_printf(MSG_DEBUG, 1296 "EAP-TEAP: Username not found in the user database"); 1297 eap_teap_req_failure(data, 0); 1298 return; 1299 } 1300 1301 if (!sm->user || !sm->user->password || sm->user->password_hash) { 1302 wpa_printf(MSG_DEBUG, 1303 "EAP-TEAP: No plaintext user password configured"); 1304 eap_teap_req_failure(data, 0); 1305 return; 1306 } 1307 1308 if (sm->user->password_len != passlen || 1309 os_memcmp_const(sm->user->password, password, passlen) != 0) { 1310 wpa_printf(MSG_DEBUG, "EAP-TEAP: Invalid password"); 1311 eap_teap_req_failure(data, 0); 1312 return; 1313 } 1314 1315 wpa_printf(MSG_DEBUG, "EAP-TEAP: Correct password"); 1316 new_id = os_memdup(username, userlen); 1317 if (new_id) { 1318 os_free(sm->identity); 1319 sm->identity = new_id; 1320 sm->identity_len = userlen; 1321 } 1322 if (sm->cfg->eap_teap_id != EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE || 1323 data->cur_id_type == TEAP_IDENTITY_TYPE_MACHINE) 1324 data->basic_auth_not_done = 0; 1325 eap_teap_state(data, CRYPTO_BINDING); 1326 eap_teap_update_icmk(sm, data); 1327 } 1328 1329 1330 static int eap_teap_parse_tlvs(struct wpabuf *data, 1331 struct eap_teap_tlv_parse *tlv) 1332 { 1333 u16 tlv_type; 1334 int mandatory, res; 1335 size_t len; 1336 u8 *pos, *end; 1337 1338 os_memset(tlv, 0, sizeof(*tlv)); 1339 1340 pos = wpabuf_mhead(data); 1341 end = pos + wpabuf_len(data); 1342 while (end - pos > 4) { 1343 mandatory = pos[0] & 0x80; 1344 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1345 pos += 2; 1346 len = WPA_GET_BE16(pos); 1347 pos += 2; 1348 if (len > (size_t) (end - pos)) { 1349 wpa_printf(MSG_INFO, "EAP-TEAP: TLV overflow"); 1350 return -1; 1351 } 1352 wpa_printf(MSG_DEBUG, 1353 "EAP-TEAP: Received Phase 2: TLV type %u (%s) length %u%s", 1354 tlv_type, eap_teap_tlv_type_str(tlv_type), 1355 (unsigned int) len, 1356 mandatory ? " (mandatory)" : ""); 1357 1358 res = eap_teap_parse_tlv(tlv, tlv_type, pos, len); 1359 if (res == -2) 1360 break; 1361 if (res < 0) { 1362 if (mandatory) { 1363 wpa_printf(MSG_DEBUG, 1364 "EAP-TEAP: NAK unknown mandatory TLV type %u", 1365 tlv_type); 1366 /* TODO: generate NAK TLV */ 1367 break; 1368 } 1369 1370 wpa_printf(MSG_DEBUG, 1371 "EAP-TEAP: Ignore unknown optional TLV type %u", 1372 tlv_type); 1373 } 1374 1375 pos += len; 1376 } 1377 1378 return 0; 1379 } 1380 1381 1382 static int eap_teap_validate_crypto_binding( 1383 struct eap_teap_data *data, const struct teap_tlv_crypto_binding *cb, 1384 size_t bind_len) 1385 { 1386 u8 flags, subtype; 1387 1388 subtype = cb->subtype & 0x0f; 1389 flags = cb->subtype >> 4; 1390 1391 wpa_printf(MSG_DEBUG, 1392 "EAP-TEAP: Reply Crypto-Binding TLV: Version %u Received Version %u Flags %u Sub-Type %u", 1393 cb->version, cb->received_version, flags, subtype); 1394 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce", 1395 cb->nonce, sizeof(cb->nonce)); 1396 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC", 1397 cb->emsk_compound_mac, sizeof(cb->emsk_compound_mac)); 1398 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC", 1399 cb->msk_compound_mac, sizeof(cb->msk_compound_mac)); 1400 1401 if (cb->version != EAP_TEAP_VERSION || 1402 cb->received_version != data->peer_version) { 1403 wpa_printf(MSG_DEBUG, 1404 "EAP-TEAP: Unexpected version in Crypto-Binding: Version %u Received Version %u", 1405 cb->version, cb->received_version); 1406 return -1; 1407 } 1408 1409 if (flags < 1 || flags > 3) { 1410 wpa_printf(MSG_DEBUG, 1411 "EAP-TEAP: Unexpected Flags in Crypto-Binding: %u", 1412 flags); 1413 return -1; 1414 } 1415 1416 if (subtype != TEAP_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1417 wpa_printf(MSG_DEBUG, 1418 "EAP-TEAP: Unexpected Sub-Type in Crypto-Binding: %u", 1419 subtype); 1420 return -1; 1421 } 1422 1423 if (os_memcmp_const(data->crypto_binding_nonce, cb->nonce, 1424 EAP_TEAP_NONCE_LEN - 1) != 0 || 1425 (data->crypto_binding_nonce[EAP_TEAP_NONCE_LEN - 1] | 1) != 1426 cb->nonce[EAP_TEAP_NONCE_LEN - 1]) { 1427 wpa_printf(MSG_DEBUG, 1428 "EAP-TEAP: Invalid Nonce in Crypto-Binding"); 1429 return -1; 1430 } 1431 1432 if (flags == TEAP_CRYPTO_BINDING_MSK_CMAC || 1433 flags == TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC) { 1434 u8 msk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; 1435 1436 if (eap_teap_compound_mac(data->tls_cs, cb, 1437 data->server_outer_tlvs, 1438 data->peer_outer_tlvs, data->cmk_msk, 1439 msk_compound_mac) < 0) 1440 return -1; 1441 if (os_memcmp_const(msk_compound_mac, cb->msk_compound_mac, 1442 EAP_TEAP_COMPOUND_MAC_LEN) != 0) { 1443 wpa_hexdump(MSG_DEBUG, 1444 "EAP-TEAP: Calculated MSK Compound MAC", 1445 msk_compound_mac, 1446 EAP_TEAP_COMPOUND_MAC_LEN); 1447 wpa_printf(MSG_INFO, 1448 "EAP-TEAP: MSK Compound MAC did not match"); 1449 return -1; 1450 } 1451 } 1452 1453 if ((flags == TEAP_CRYPTO_BINDING_EMSK_CMAC || 1454 flags == TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC) && 1455 data->cmk_emsk_available) { 1456 u8 emsk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; 1457 1458 if (eap_teap_compound_mac(data->tls_cs, cb, 1459 data->server_outer_tlvs, 1460 data->peer_outer_tlvs, data->cmk_emsk, 1461 emsk_compound_mac) < 0) 1462 return -1; 1463 if (os_memcmp_const(emsk_compound_mac, cb->emsk_compound_mac, 1464 EAP_TEAP_COMPOUND_MAC_LEN) != 0) { 1465 wpa_hexdump(MSG_DEBUG, 1466 "EAP-TEAP: Calculated EMSK Compound MAC", 1467 emsk_compound_mac, 1468 EAP_TEAP_COMPOUND_MAC_LEN); 1469 wpa_printf(MSG_INFO, 1470 "EAP-TEAP: EMSK Compound MAC did not match"); 1471 return -1; 1472 } 1473 } 1474 1475 if (flags == TEAP_CRYPTO_BINDING_EMSK_CMAC && 1476 !data->cmk_emsk_available) { 1477 wpa_printf(MSG_INFO, 1478 "EAP-TEAP: Peer included only EMSK Compound MAC, but no locally generated inner EAP EMSK to validate this"); 1479 return -1; 1480 } 1481 1482 return 0; 1483 } 1484 1485 1486 static int eap_teap_pac_type(u8 *pac, size_t len, u16 type) 1487 { 1488 struct teap_attr_pac_type *tlv; 1489 1490 if (!pac || len != sizeof(*tlv)) 1491 return 0; 1492 1493 tlv = (struct teap_attr_pac_type *) pac; 1494 1495 return be_to_host16(tlv->type) == PAC_TYPE_PAC_TYPE && 1496 be_to_host16(tlv->length) == 2 && 1497 be_to_host16(tlv->pac_type) == type; 1498 } 1499 1500 1501 static void eap_teap_process_phase2_tlvs(struct eap_sm *sm, 1502 struct eap_teap_data *data, 1503 struct wpabuf *in_data) 1504 { 1505 struct eap_teap_tlv_parse tlv; 1506 int check_crypto_binding = data->state == CRYPTO_BINDING; 1507 1508 if (eap_teap_parse_tlvs(in_data, &tlv) < 0) { 1509 wpa_printf(MSG_DEBUG, 1510 "EAP-TEAP: Failed to parse received Phase 2 TLVs"); 1511 return; 1512 } 1513 1514 if (tlv.result == TEAP_STATUS_FAILURE) { 1515 wpa_printf(MSG_DEBUG, "EAP-TEAP: Result TLV indicated failure"); 1516 eap_teap_state(data, FAILURE); 1517 return; 1518 } 1519 1520 if (tlv.nak) { 1521 wpa_printf(MSG_DEBUG, 1522 "EAP-TEAP: Peer NAK'ed Vendor-Id %u NAK-Type %u", 1523 WPA_GET_BE32(tlv.nak), WPA_GET_BE16(tlv.nak + 4)); 1524 eap_teap_state(data, FAILURE_SEND_RESULT); 1525 return; 1526 } 1527 1528 if (data->state == REQUEST_PAC) { 1529 u16 type, len, res; 1530 1531 if (!tlv.pac || tlv.pac_len < 6) { 1532 wpa_printf(MSG_DEBUG, 1533 "EAP-TEAP: No PAC Acknowledgement received"); 1534 eap_teap_state(data, FAILURE); 1535 return; 1536 } 1537 1538 type = WPA_GET_BE16(tlv.pac); 1539 len = WPA_GET_BE16(tlv.pac + 2); 1540 res = WPA_GET_BE16(tlv.pac + 4); 1541 1542 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1543 res != TEAP_STATUS_SUCCESS) { 1544 wpa_printf(MSG_DEBUG, 1545 "EAP-TEAP: PAC TLV did not contain acknowledgement"); 1546 eap_teap_state(data, FAILURE); 1547 return; 1548 } 1549 1550 wpa_printf(MSG_DEBUG, 1551 "EAP-TEAP: PAC-Acknowledgement received - PAC provisioning succeeded"); 1552 eap_teap_state(data, SUCCESS); 1553 return; 1554 } 1555 1556 if (check_crypto_binding) { 1557 if (!tlv.crypto_binding) { 1558 wpa_printf(MSG_DEBUG, 1559 "EAP-TEAP: No Crypto-Binding TLV received"); 1560 eap_teap_state(data, FAILURE); 1561 return; 1562 } 1563 1564 if (data->final_result && 1565 tlv.result != TEAP_STATUS_SUCCESS) { 1566 wpa_printf(MSG_DEBUG, 1567 "EAP-TEAP: Crypto-Binding TLV without Success Result"); 1568 eap_teap_state(data, FAILURE); 1569 return; 1570 } 1571 1572 if (sm->cfg->eap_teap_auth != 1 && 1573 !data->skipped_inner_auth && 1574 tlv.iresult != TEAP_STATUS_SUCCESS) { 1575 wpa_printf(MSG_DEBUG, 1576 "EAP-TEAP: Crypto-Binding TLV without intermediate Success Result"); 1577 eap_teap_state(data, FAILURE); 1578 return; 1579 } 1580 1581 if (eap_teap_validate_crypto_binding(data, tlv.crypto_binding, 1582 tlv.crypto_binding_len)) { 1583 eap_teap_state(data, FAILURE); 1584 return; 1585 } 1586 1587 wpa_printf(MSG_DEBUG, 1588 "EAP-TEAP: Valid Crypto-Binding TLV received"); 1589 if (data->final_result) { 1590 wpa_printf(MSG_DEBUG, 1591 "EAP-TEAP: Authentication completed successfully"); 1592 } 1593 1594 if (data->anon_provisioning && 1595 sm->cfg->eap_fast_prov != ANON_PROV && 1596 sm->cfg->eap_fast_prov != BOTH_PROV) { 1597 wpa_printf(MSG_DEBUG, 1598 "EAP-TEAP: Client is trying to use unauthenticated provisioning which is disabled"); 1599 eap_teap_state(data, FAILURE); 1600 return; 1601 } 1602 1603 if (sm->cfg->eap_fast_prov != AUTH_PROV && 1604 sm->cfg->eap_fast_prov != BOTH_PROV && 1605 tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV && 1606 eap_teap_pac_type(tlv.pac, tlv.pac_len, 1607 PAC_TYPE_TUNNEL_PAC)) { 1608 wpa_printf(MSG_DEBUG, 1609 "EAP-TEAP: Client is trying to use authenticated provisioning which is disabled"); 1610 eap_teap_state(data, FAILURE); 1611 return; 1612 } 1613 1614 if (data->anon_provisioning || 1615 (tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV && 1616 eap_teap_pac_type(tlv.pac, tlv.pac_len, 1617 PAC_TYPE_TUNNEL_PAC))) { 1618 wpa_printf(MSG_DEBUG, 1619 "EAP-TEAP: Requested a new Tunnel PAC"); 1620 eap_teap_state(data, REQUEST_PAC); 1621 } else if (data->send_new_pac) { 1622 wpa_printf(MSG_DEBUG, 1623 "EAP-TEAP: Server triggered re-keying of Tunnel PAC"); 1624 eap_teap_state(data, REQUEST_PAC); 1625 } else if (data->final_result) { 1626 eap_teap_state(data, SUCCESS); 1627 } else if (sm->cfg->eap_teap_separate_result) { 1628 eap_teap_state(data, SUCCESS_SEND_RESULT); 1629 } 1630 } 1631 1632 if (tlv.basic_auth_resp) { 1633 if (sm->cfg->eap_teap_auth != 1) { 1634 wpa_printf(MSG_DEBUG, 1635 "EAP-TEAP: Unexpected Basic-Password-Auth-Resp when trying to use inner EAP"); 1636 eap_teap_state(data, FAILURE); 1637 return; 1638 } 1639 eap_teap_process_basic_auth_resp(sm, data, tlv.basic_auth_resp, 1640 tlv.basic_auth_resp_len, 1641 tlv.identity_type); 1642 } 1643 1644 if (tlv.eap_payload_tlv) { 1645 if (sm->cfg->eap_teap_auth == 1) { 1646 wpa_printf(MSG_DEBUG, 1647 "EAP-TEAP: Unexpected EAP Payload TLV when trying to use Basic-Password-Auth"); 1648 eap_teap_state(data, FAILURE); 1649 return; 1650 } 1651 eap_teap_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1652 tlv.eap_payload_tlv_len, 1653 tlv.identity_type); 1654 } 1655 1656 if (data->state == SUCCESS_SEND_RESULT && 1657 tlv.result == TEAP_STATUS_SUCCESS) { 1658 wpa_printf(MSG_DEBUG, 1659 "EAP-TEAP: Peer agreed with final success - authentication completed"); 1660 eap_teap_state(data, SUCCESS); 1661 } else if (check_crypto_binding && data->state == CRYPTO_BINDING && 1662 sm->cfg->eap_teap_auth == 1 && data->basic_auth_not_done) { 1663 wpa_printf(MSG_DEBUG, 1664 "EAP-TEAP: Continue with basic password authentication for second credential"); 1665 eap_teap_state(data, PHASE2_BASIC_AUTH); 1666 } else if (check_crypto_binding && data->state == CRYPTO_BINDING && 1667 sm->cfg->eap_teap_auth == 0 && data->inner_eap_not_done) { 1668 wpa_printf(MSG_DEBUG, 1669 "EAP-TEAP: Continue with inner EAP authentication for second credential"); 1670 eap_teap_state(data, PHASE2_ID); 1671 if (eap_teap_phase2_init(sm, data, EAP_VENDOR_IETF, 1672 EAP_TYPE_IDENTITY) < 0) 1673 eap_teap_state(data, FAILURE); 1674 } 1675 } 1676 1677 1678 static void eap_teap_process_phase2(struct eap_sm *sm, 1679 struct eap_teap_data *data, 1680 struct wpabuf *in_buf) 1681 { 1682 struct wpabuf *in_decrypted; 1683 1684 wpa_printf(MSG_DEBUG, 1685 "EAP-TEAP: Received %lu bytes encrypted data for Phase 2", 1686 (unsigned long) wpabuf_len(in_buf)); 1687 1688 if (data->pending_phase2_resp) { 1689 wpa_printf(MSG_DEBUG, 1690 "EAP-TEAP: Pending Phase 2 response - skip decryption and use old data"); 1691 eap_teap_process_phase2_tlvs(sm, data, 1692 data->pending_phase2_resp); 1693 wpabuf_free(data->pending_phase2_resp); 1694 data->pending_phase2_resp = NULL; 1695 return; 1696 } 1697 1698 in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn, 1699 in_buf); 1700 if (!in_decrypted) { 1701 wpa_printf(MSG_INFO, 1702 "EAP-TEAP: Failed to decrypt Phase 2 data"); 1703 eap_teap_state(data, FAILURE); 1704 return; 1705 } 1706 1707 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Decrypted Phase 2 TLVs", 1708 in_decrypted); 1709 1710 eap_teap_process_phase2_tlvs(sm, data, in_decrypted); 1711 1712 if (sm->method_pending == METHOD_PENDING_WAIT) { 1713 wpa_printf(MSG_DEBUG, 1714 "EAP-TEAP: Phase 2 method is in pending wait state - save decrypted response"); 1715 wpabuf_free(data->pending_phase2_resp); 1716 data->pending_phase2_resp = in_decrypted; 1717 return; 1718 } 1719 1720 wpabuf_free(in_decrypted); 1721 } 1722 1723 1724 static int eap_teap_process_version(struct eap_sm *sm, void *priv, 1725 int peer_version) 1726 { 1727 struct eap_teap_data *data = priv; 1728 1729 if (peer_version < 1) { 1730 /* Version 1 was the first defined version, so reject 0 */ 1731 wpa_printf(MSG_INFO, 1732 "EAP-TEAP: Peer used unknown TEAP version %u", 1733 peer_version); 1734 return -1; 1735 } 1736 1737 if (peer_version < data->teap_version) { 1738 wpa_printf(MSG_DEBUG, "EAP-TEAP: peer ver=%u, own ver=%u; " 1739 "use version %u", 1740 peer_version, data->teap_version, peer_version); 1741 data->teap_version = peer_version; 1742 } 1743 1744 data->peer_version = peer_version; 1745 1746 return 0; 1747 } 1748 1749 1750 static int eap_teap_process_phase1(struct eap_sm *sm, 1751 struct eap_teap_data *data) 1752 { 1753 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1754 wpa_printf(MSG_INFO, "EAP-TEAP: TLS processing failed"); 1755 eap_teap_state(data, FAILURE); 1756 return -1; 1757 } 1758 1759 if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) || 1760 wpabuf_len(data->ssl.tls_out) > 0) 1761 return 1; 1762 1763 /* 1764 * Phase 1 was completed with the received message (e.g., when using 1765 * abbreviated handshake), so Phase 2 can be started immediately 1766 * without having to send through an empty message to the peer. 1767 */ 1768 1769 return eap_teap_phase1_done(sm, data); 1770 } 1771 1772 1773 static int eap_teap_process_phase2_start(struct eap_sm *sm, 1774 struct eap_teap_data *data) 1775 { 1776 int next_vendor; 1777 enum eap_type next_type; 1778 1779 if (data->identity) { 1780 /* Used PAC and identity is from PAC-Opaque */ 1781 os_free(sm->identity); 1782 sm->identity = data->identity; 1783 data->identity = NULL; 1784 sm->identity_len = data->identity_len; 1785 data->identity_len = 0; 1786 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1787 wpa_hexdump_ascii(MSG_DEBUG, 1788 "EAP-TEAP: Phase 2 Identity not found in the user database", 1789 sm->identity, sm->identity_len); 1790 next_vendor = EAP_VENDOR_IETF; 1791 next_type = EAP_TYPE_NONE; 1792 eap_teap_state(data, PHASE2_METHOD); 1793 } else if (sm->cfg->eap_teap_pac_no_inner || 1794 sm->cfg->eap_teap_auth == 2) { 1795 wpa_printf(MSG_DEBUG, 1796 "EAP-TEAP: Used PAC or client certificate and identity already known - skip inner auth"); 1797 data->skipped_inner_auth = 1; 1798 /* FIX: Need to derive CMK here. However, how is that 1799 * supposed to be done? RFC 7170 does not tell that for 1800 * the no-inner-auth case. */ 1801 eap_teap_derive_cmk_basic_pw_auth(data->tls_cs, 1802 data->simck_msk, 1803 data->cmk_msk); 1804 eap_teap_state(data, CRYPTO_BINDING); 1805 return 1; 1806 } else if (sm->cfg->eap_teap_auth == 1) { 1807 eap_teap_state(data, PHASE2_BASIC_AUTH); 1808 return 1; 1809 } else { 1810 wpa_printf(MSG_DEBUG, 1811 "EAP-TEAP: Identity already known - skip Phase 2 Identity Request"); 1812 next_vendor = sm->user->methods[0].vendor; 1813 next_type = sm->user->methods[0].method; 1814 sm->user_eap_method_index = 1; 1815 eap_teap_state(data, PHASE2_METHOD); 1816 } 1817 1818 } else if (sm->cfg->eap_teap_auth == 1) { 1819 eap_teap_state(data, PHASE2_BASIC_AUTH); 1820 return 0; 1821 } else { 1822 eap_teap_state(data, PHASE2_ID); 1823 next_vendor = EAP_VENDOR_IETF; 1824 next_type = EAP_TYPE_IDENTITY; 1825 } 1826 1827 return eap_teap_phase2_init(sm, data, next_vendor, next_type); 1828 } 1829 1830 1831 static void eap_teap_process_msg(struct eap_sm *sm, void *priv, 1832 const struct wpabuf *respData) 1833 { 1834 struct eap_teap_data *data = priv; 1835 1836 switch (data->state) { 1837 case PHASE1: 1838 case PHASE1B: 1839 if (eap_teap_process_phase1(sm, data)) 1840 break; 1841 1842 /* fall through */ 1843 case PHASE2_START: 1844 eap_teap_process_phase2_start(sm, data); 1845 break; 1846 case PHASE2_ID: 1847 case PHASE2_BASIC_AUTH: 1848 case PHASE2_METHOD: 1849 case CRYPTO_BINDING: 1850 case REQUEST_PAC: 1851 case SUCCESS_SEND_RESULT: 1852 eap_teap_process_phase2(sm, data, data->ssl.tls_in); 1853 break; 1854 case FAILURE_SEND_RESULT: 1855 /* Protected failure result indication completed. Ignore the 1856 * received message (which is supposed to include Result TLV 1857 * indicating failure) and terminate exchange with cleartext 1858 * EAP-Failure. */ 1859 eap_teap_state(data, FAILURE); 1860 break; 1861 default: 1862 wpa_printf(MSG_DEBUG, "EAP-TEAP: Unexpected state %d in %s", 1863 data->state, __func__); 1864 break; 1865 } 1866 } 1867 1868 1869 static void eap_teap_process(struct eap_sm *sm, void *priv, 1870 struct wpabuf *respData) 1871 { 1872 struct eap_teap_data *data = priv; 1873 const u8 *pos; 1874 size_t len; 1875 struct wpabuf *resp = respData; 1876 u8 flags; 1877 1878 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, respData, &len); 1879 if (!pos || len < 1) 1880 return; 1881 1882 flags = *pos++; 1883 len--; 1884 1885 if (flags & EAP_TEAP_FLAGS_OUTER_TLV_LEN) { 1886 /* Extract Outer TLVs from the message before common TLS 1887 * processing */ 1888 u32 message_len = 0, outer_tlv_len; 1889 const u8 *hdr; 1890 1891 if (data->state != PHASE1) { 1892 wpa_printf(MSG_INFO, 1893 "EAP-TEAP: Unexpected Outer TLVs in a message that is not the first message from the peer"); 1894 return; 1895 } 1896 1897 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) { 1898 if (len < 4) { 1899 wpa_printf(MSG_INFO, 1900 "EAP-TEAP: Too short message to include Message Length field"); 1901 return; 1902 } 1903 1904 message_len = WPA_GET_BE32(pos); 1905 pos += 4; 1906 len -= 4; 1907 if (message_len < 4) { 1908 wpa_printf(MSG_INFO, 1909 "EAP-TEAP: Message Length field has too msall value to include Outer TLV Length field"); 1910 return; 1911 } 1912 } 1913 1914 if (len < 4) { 1915 wpa_printf(MSG_INFO, 1916 "EAP-TEAP: Too short message to include Outer TLVs Length field"); 1917 return; 1918 } 1919 1920 outer_tlv_len = WPA_GET_BE32(pos); 1921 pos += 4; 1922 len -= 4; 1923 1924 wpa_printf(MSG_DEBUG, 1925 "EAP-TEAP: Message Length %u Outer TLV Length %u", 1926 message_len, outer_tlv_len); 1927 if (len < outer_tlv_len) { 1928 wpa_printf(MSG_INFO, 1929 "EAP-TEAP: Too short message to include Outer TLVs field"); 1930 return; 1931 } 1932 1933 if (message_len && 1934 (message_len < outer_tlv_len || 1935 message_len < 4 + outer_tlv_len)) { 1936 wpa_printf(MSG_INFO, 1937 "EAP-TEAP: Message Length field has too small value to include Outer TLVs"); 1938 return; 1939 } 1940 1941 if (wpabuf_len(respData) < 4 + outer_tlv_len || 1942 len < outer_tlv_len) 1943 return; 1944 resp = wpabuf_alloc(wpabuf_len(respData) - 4 - outer_tlv_len); 1945 if (!resp) 1946 return; 1947 hdr = wpabuf_head(respData); 1948 wpabuf_put_u8(resp, *hdr++); /* Code */ 1949 wpabuf_put_u8(resp, *hdr++); /* Identifier */ 1950 wpabuf_put_be16(resp, WPA_GET_BE16(hdr) - 4 - outer_tlv_len); 1951 hdr += 2; 1952 wpabuf_put_u8(resp, *hdr++); /* Type */ 1953 /* Flags | Ver */ 1954 wpabuf_put_u8(resp, flags & ~EAP_TEAP_FLAGS_OUTER_TLV_LEN); 1955 1956 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 1957 wpabuf_put_be32(resp, message_len - 4 - outer_tlv_len); 1958 1959 wpabuf_put_data(resp, pos, len - outer_tlv_len); 1960 pos += len - outer_tlv_len; 1961 wpabuf_free(data->peer_outer_tlvs); 1962 data->peer_outer_tlvs = wpabuf_alloc_copy(pos, outer_tlv_len); 1963 if (!data->peer_outer_tlvs) 1964 return; 1965 wpa_hexdump_buf(MSG_DEBUG, "EAP-TEAP: Outer TLVs", 1966 data->peer_outer_tlvs); 1967 1968 wpa_hexdump_buf(MSG_DEBUG, 1969 "EAP-TEAP: TLS Data message after Outer TLV removal", 1970 resp); 1971 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, resp, 1972 &len); 1973 if (!pos || len < 1) { 1974 wpa_printf(MSG_INFO, 1975 "EAP-TEAP: Invalid frame after Outer TLV removal"); 1976 return; 1977 } 1978 } 1979 1980 if (data->state == PHASE1) 1981 eap_teap_state(data, PHASE1B); 1982 1983 if (eap_server_tls_process(sm, &data->ssl, resp, data, 1984 EAP_TYPE_TEAP, eap_teap_process_version, 1985 eap_teap_process_msg) < 0) 1986 eap_teap_state(data, FAILURE); 1987 1988 if (resp != respData) 1989 wpabuf_free(resp); 1990 } 1991 1992 1993 static bool eap_teap_isDone(struct eap_sm *sm, void *priv) 1994 { 1995 struct eap_teap_data *data = priv; 1996 1997 return data->state == SUCCESS || data->state == FAILURE; 1998 } 1999 2000 2001 static u8 * eap_teap_getKey(struct eap_sm *sm, void *priv, size_t *len) 2002 { 2003 struct eap_teap_data *data = priv; 2004 u8 *eapKeyData; 2005 2006 if (data->state != SUCCESS) 2007 return NULL; 2008 2009 eapKeyData = os_malloc(EAP_TEAP_KEY_LEN); 2010 if (!eapKeyData) 2011 return NULL; 2012 2013 /* FIX: RFC 7170 does not describe whether MSK or EMSK based S-IMCK[j] 2014 * is used in this derivation */ 2015 if (eap_teap_derive_eap_msk(data->tls_cs, data->simck_msk, 2016 eapKeyData) < 0) { 2017 os_free(eapKeyData); 2018 return NULL; 2019 } 2020 *len = EAP_TEAP_KEY_LEN; 2021 2022 return eapKeyData; 2023 } 2024 2025 2026 static u8 * eap_teap_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 2027 { 2028 struct eap_teap_data *data = priv; 2029 u8 *eapKeyData; 2030 2031 if (data->state != SUCCESS) 2032 return NULL; 2033 2034 eapKeyData = os_malloc(EAP_EMSK_LEN); 2035 if (!eapKeyData) 2036 return NULL; 2037 2038 /* FIX: RFC 7170 does not describe whether MSK or EMSK based S-IMCK[j] 2039 * is used in this derivation */ 2040 if (eap_teap_derive_eap_emsk(data->tls_cs, data->simck_msk, 2041 eapKeyData) < 0) { 2042 os_free(eapKeyData); 2043 return NULL; 2044 } 2045 *len = EAP_EMSK_LEN; 2046 2047 return eapKeyData; 2048 } 2049 2050 2051 static bool eap_teap_isSuccess(struct eap_sm *sm, void *priv) 2052 { 2053 struct eap_teap_data *data = priv; 2054 2055 return data->state == SUCCESS; 2056 } 2057 2058 2059 static u8 * eap_teap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 2060 { 2061 struct eap_teap_data *data = priv; 2062 const size_t max_id_len = 100; 2063 int res; 2064 u8 *id; 2065 2066 if (data->state != SUCCESS) 2067 return NULL; 2068 2069 id = os_malloc(max_id_len); 2070 if (!id) 2071 return NULL; 2072 2073 id[0] = EAP_TYPE_TEAP; 2074 res = tls_get_tls_unique(data->ssl.conn, id + 1, max_id_len - 1); 2075 if (res < 0) { 2076 os_free(id); 2077 wpa_printf(MSG_ERROR, "EAP-TEAP: Failed to derive Session-Id"); 2078 return NULL; 2079 } 2080 2081 *len = 1 + res; 2082 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Derived Session-Id", id, *len); 2083 return id; 2084 } 2085 2086 2087 int eap_server_teap_register(void) 2088 { 2089 struct eap_method *eap; 2090 2091 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 2092 EAP_VENDOR_IETF, EAP_TYPE_TEAP, "TEAP"); 2093 if (!eap) 2094 return -1; 2095 2096 eap->init = eap_teap_init; 2097 eap->reset = eap_teap_reset; 2098 eap->buildReq = eap_teap_buildReq; 2099 eap->check = eap_teap_check; 2100 eap->process = eap_teap_process; 2101 eap->isDone = eap_teap_isDone; 2102 eap->getKey = eap_teap_getKey; 2103 eap->get_emsk = eap_teap_get_emsk; 2104 eap->isSuccess = eap_teap_isSuccess; 2105 eap->getSessionId = eap_teap_get_session_id; 2106 2107 return eap_server_method_register(eap); 2108 } 2109