1 /* 2 * EAP-TLS/PEAP/TTLS/FAST server common functions 3 * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "eap_i.h" 15 #include "eap_tls_common.h" 16 17 18 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data); 19 20 21 struct wpabuf * eap_tls_msg_alloc(enum eap_type type, size_t payload_len, 22 u8 code, u8 identifier) 23 { 24 if (type == EAP_UNAUTH_TLS_TYPE) 25 return eap_msg_alloc(EAP_VENDOR_UNAUTH_TLS, 26 EAP_VENDOR_TYPE_UNAUTH_TLS, payload_len, 27 code, identifier); 28 else if (type == EAP_WFA_UNAUTH_TLS_TYPE) 29 return eap_msg_alloc(EAP_VENDOR_WFA_NEW, 30 EAP_VENDOR_WFA_UNAUTH_TLS, payload_len, 31 code, identifier); 32 return eap_msg_alloc(EAP_VENDOR_IETF, type, payload_len, code, 33 identifier); 34 } 35 36 37 #ifdef CONFIG_TLS_INTERNAL 38 static void eap_server_tls_log_cb(void *ctx, const char *msg) 39 { 40 struct eap_sm *sm = ctx; 41 eap_log_msg(sm, "TLS: %s", msg); 42 } 43 #endif /* CONFIG_TLS_INTERNAL */ 44 45 46 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, 47 int verify_peer, int eap_type) 48 { 49 u8 session_ctx[8]; 50 unsigned int flags = sm->cfg->tls_flags; 51 52 if (!sm->cfg->ssl_ctx) { 53 wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method"); 54 return -1; 55 } 56 57 data->eap = sm; 58 data->phase2 = sm->init_phase2; 59 60 data->conn = tls_connection_init(sm->cfg->ssl_ctx); 61 if (data->conn == NULL) { 62 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS " 63 "connection"); 64 return -1; 65 } 66 67 #ifdef CONFIG_TLS_INTERNAL 68 tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm); 69 #ifdef CONFIG_TESTING_OPTIONS 70 tls_connection_set_test_flags(data->conn, sm->tls_test_flags); 71 #endif /* CONFIG_TESTING_OPTIONS */ 72 #endif /* CONFIG_TLS_INTERNAL */ 73 74 if (eap_type != EAP_TYPE_FAST) 75 flags |= TLS_CONN_DISABLE_SESSION_TICKET; 76 os_memcpy(session_ctx, "hostapd", 7); 77 session_ctx[7] = (u8) eap_type; 78 if (tls_connection_set_verify(sm->cfg->ssl_ctx, data->conn, verify_peer, 79 flags, session_ctx, 80 sizeof(session_ctx))) { 81 wpa_printf(MSG_INFO, "SSL: Failed to configure verification " 82 "of TLS peer certificate"); 83 tls_connection_deinit(sm->cfg->ssl_ctx, data->conn); 84 data->conn = NULL; 85 return -1; 86 } 87 88 data->tls_out_limit = sm->cfg->fragment_size > 0 ? 89 sm->cfg->fragment_size : 1398; 90 if (data->phase2) { 91 /* Limit the fragment size in the inner TLS authentication 92 * since the outer authentication with EAP-PEAP does not yet 93 * support fragmentation */ 94 if (data->tls_out_limit > 100) 95 data->tls_out_limit -= 100; 96 } 97 return 0; 98 } 99 100 101 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) 102 { 103 tls_connection_deinit(sm->cfg->ssl_ctx, data->conn); 104 eap_server_tls_free_in_buf(data); 105 wpabuf_free(data->tls_out); 106 data->tls_out = NULL; 107 } 108 109 110 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, 111 const char *label, const u8 *context, 112 size_t context_len, size_t len) 113 { 114 u8 *out; 115 116 out = os_malloc(len); 117 if (out == NULL) 118 return NULL; 119 120 if (tls_connection_export_key(sm->cfg->ssl_ctx, data->conn, label, 121 context, context_len, out, len)) { 122 os_free(out); 123 return NULL; 124 } 125 126 return out; 127 } 128 129 130 /** 131 * eap_server_tls_derive_session_id - Derive a Session-Id based on TLS data 132 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 133 * @data: Data for TLS processing 134 * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST) 135 * @len: Pointer to length of the session ID generated 136 * Returns: Pointer to allocated Session-Id on success or %NULL on failure 137 * 138 * This function derive the Session-Id based on the TLS session data 139 * (client/server random and method type). 140 * 141 * The caller is responsible for freeing the returned buffer. 142 */ 143 u8 * eap_server_tls_derive_session_id(struct eap_sm *sm, 144 struct eap_ssl_data *data, u8 eap_type, 145 size_t *len) 146 { 147 struct tls_random keys; 148 u8 *out; 149 150 if (data->tls_v13) { 151 u8 *id, *method_id; 152 const u8 context[] = { eap_type }; 153 154 /* Session-Id = <EAP-Type> || Method-Id 155 * Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id", 156 * Type-Code, 64) 157 */ 158 *len = 1 + 64; 159 id = os_malloc(*len); 160 if (!id) 161 return NULL; 162 method_id = eap_server_tls_derive_key( 163 sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64); 164 if (!method_id) { 165 os_free(id); 166 return NULL; 167 } 168 id[0] = eap_type; 169 os_memcpy(id + 1, method_id, 64); 170 os_free(method_id); 171 return id; 172 } 173 174 if (tls_connection_get_random(sm->cfg->ssl_ctx, data->conn, &keys)) 175 return NULL; 176 177 if (keys.client_random == NULL || keys.server_random == NULL) 178 return NULL; 179 180 *len = 1 + keys.client_random_len + keys.server_random_len; 181 out = os_malloc(*len); 182 if (out == NULL) 183 return NULL; 184 185 /* Session-Id = EAP type || client.random || server.random */ 186 out[0] = eap_type; 187 os_memcpy(out + 1, keys.client_random, keys.client_random_len); 188 os_memcpy(out + 1 + keys.client_random_len, keys.server_random, 189 keys.server_random_len); 190 191 return out; 192 } 193 194 195 struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data, 196 int eap_type, int version, u8 id) 197 { 198 struct wpabuf *req; 199 u8 flags; 200 size_t send_len, plen; 201 202 wpa_printf(MSG_DEBUG, "SSL: Generating Request"); 203 if (data->tls_out == NULL) { 204 wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__); 205 return NULL; 206 } 207 208 flags = version; 209 send_len = wpabuf_len(data->tls_out) - data->tls_out_pos; 210 if (1 + send_len > data->tls_out_limit) { 211 send_len = data->tls_out_limit - 1; 212 flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS; 213 if (data->tls_out_pos == 0) { 214 flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED; 215 send_len -= 4; 216 } 217 } 218 219 plen = 1 + send_len; 220 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 221 plen += 4; 222 223 req = eap_tls_msg_alloc(eap_type, plen, EAP_CODE_REQUEST, id); 224 if (req == NULL) 225 return NULL; 226 227 wpabuf_put_u8(req, flags); /* Flags */ 228 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 229 wpabuf_put_be32(req, wpabuf_len(data->tls_out)); 230 231 wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos, 232 send_len); 233 data->tls_out_pos += send_len; 234 235 if (data->tls_out_pos == wpabuf_len(data->tls_out)) { 236 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes " 237 "(message sent completely)", 238 (unsigned long) send_len); 239 wpabuf_free(data->tls_out); 240 data->tls_out = NULL; 241 data->tls_out_pos = 0; 242 data->state = MSG; 243 } else { 244 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes " 245 "(%lu more to send)", (unsigned long) send_len, 246 (unsigned long) wpabuf_len(data->tls_out) - 247 data->tls_out_pos); 248 data->state = WAIT_FRAG_ACK; 249 } 250 251 return req; 252 } 253 254 255 struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version) 256 { 257 struct wpabuf *req; 258 259 req = eap_tls_msg_alloc(eap_type, 1, EAP_CODE_REQUEST, id); 260 if (req == NULL) 261 return NULL; 262 wpa_printf(MSG_DEBUG, "SSL: Building ACK"); 263 wpabuf_put_u8(req, version); /* Flags */ 264 return req; 265 } 266 267 268 static int eap_server_tls_process_cont(struct eap_ssl_data *data, 269 const u8 *buf, size_t len) 270 { 271 /* Process continuation of a pending message */ 272 if (len > wpabuf_tailroom(data->tls_in)) { 273 wpa_printf(MSG_DEBUG, "SSL: Fragment overflow"); 274 return -1; 275 } 276 277 wpabuf_put_data(data->tls_in, buf, len); 278 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu " 279 "bytes more", (unsigned long) len, 280 (unsigned long) wpabuf_tailroom(data->tls_in)); 281 282 return 0; 283 } 284 285 286 static int eap_server_tls_process_fragment(struct eap_ssl_data *data, 287 u8 flags, u32 message_length, 288 const u8 *buf, size_t len) 289 { 290 /* Process a fragment that is not the last one of the message */ 291 if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) { 292 wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a " 293 "fragmented packet"); 294 return -1; 295 } 296 297 if (data->tls_in == NULL) { 298 /* First fragment of the message */ 299 300 /* Limit length to avoid rogue peers from causing large 301 * memory allocations. */ 302 if (message_length > 65536) { 303 wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size" 304 " over 64 kB)"); 305 return -1; 306 } 307 308 if (len > message_length) { 309 wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " 310 "first fragment of frame (TLS Message " 311 "Length %d bytes)", 312 (int) len, (int) message_length); 313 return -1; 314 } 315 316 data->tls_in = wpabuf_alloc(message_length); 317 if (data->tls_in == NULL) { 318 wpa_printf(MSG_DEBUG, "SSL: No memory for message"); 319 return -1; 320 } 321 wpabuf_put_data(data->tls_in, buf, len); 322 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first " 323 "fragment, waiting for %lu bytes more", 324 (unsigned long) len, 325 (unsigned long) wpabuf_tailroom(data->tls_in)); 326 } 327 328 return 0; 329 } 330 331 332 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data) 333 { 334 char buf[20]; 335 336 if (data->tls_out) { 337 /* This should not happen.. */ 338 wpa_printf(MSG_INFO, "SSL: pending tls_out data when " 339 "processing new message"); 340 wpabuf_free(data->tls_out); 341 WPA_ASSERT(data->tls_out == NULL); 342 } 343 344 data->tls_out = tls_connection_server_handshake(sm->cfg->ssl_ctx, 345 data->conn, 346 data->tls_in, NULL); 347 if (data->tls_out == NULL) { 348 wpa_printf(MSG_INFO, "SSL: TLS processing failed"); 349 return -1; 350 } 351 if (tls_connection_get_failed(sm->cfg->ssl_ctx, data->conn)) { 352 /* TLS processing has failed - return error */ 353 wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to " 354 "report error"); 355 return -1; 356 } 357 358 if (tls_get_version(sm->cfg->ssl_ctx, data->conn, 359 buf, sizeof(buf)) == 0) { 360 wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf); 361 data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0; 362 } 363 364 if (!sm->serial_num && 365 tls_connection_established(sm->cfg->ssl_ctx, data->conn)) 366 sm->serial_num = tls_connection_peer_serial_num( 367 sm->cfg->ssl_ctx, data->conn); 368 369 /* 370 * https://tools.ietf.org/html/draft-ietf-emu-eap-tls13#section-2.5 371 * 372 * We need to signal the other end that TLS negotiation is done. We 373 * can't send a zero-length application data message, so we send 374 * application data which is one byte of zero. 375 * 376 * Note this is only done for when there is no application data to be 377 * sent. So this is done always for EAP-TLS but notibly not for PEAP 378 * even on resumption. 379 */ 380 if (data->tls_v13 && 381 tls_connection_established(sm->cfg->ssl_ctx, data->conn)) { 382 struct wpabuf *plain, *encr; 383 384 switch (sm->currentMethod) { 385 case EAP_TYPE_PEAP: 386 break; 387 default: 388 if (!tls_connection_resumed(sm->cfg->ssl_ctx, 389 data->conn)) 390 break; 391 /* fallthrough */ 392 case EAP_TYPE_TLS: 393 wpa_printf(MSG_DEBUG, 394 "EAP-TLS: Send Commitment Message"); 395 396 plain = wpabuf_alloc(1); 397 if (!plain) 398 return -1; 399 wpabuf_put_u8(plain, 0); 400 encr = eap_server_tls_encrypt(sm, data, plain); 401 wpabuf_free(plain); 402 if (!encr) 403 return -1; 404 if (wpabuf_resize(&data->tls_out, wpabuf_len(encr)) < 0) 405 { 406 wpa_printf(MSG_INFO, 407 "EAP-TLS: Failed to resize output buffer"); 408 wpabuf_free(encr); 409 return -1; 410 } 411 wpabuf_put_buf(data->tls_out, encr); 412 wpa_hexdump_buf(MSG_DEBUG, 413 "EAP-TLS: Data appended to the message", 414 encr); 415 wpabuf_free(encr); 416 } 417 } 418 419 return 0; 420 } 421 422 423 static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags, 424 const u8 **pos, size_t *left) 425 { 426 unsigned int tls_msg_len = 0; 427 const u8 *end = *pos + *left; 428 429 wpa_hexdump(MSG_MSGDUMP, "SSL: Received data", *pos, *left); 430 431 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) { 432 if (*left < 4) { 433 wpa_printf(MSG_INFO, "SSL: Short frame with TLS " 434 "length"); 435 return -1; 436 } 437 tls_msg_len = WPA_GET_BE32(*pos); 438 wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d", 439 tls_msg_len); 440 *pos += 4; 441 *left -= 4; 442 443 if (*left > tls_msg_len) { 444 wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d " 445 "bytes) smaller than this fragment (%d " 446 "bytes)", (int) tls_msg_len, (int) *left); 447 return -1; 448 } 449 } 450 451 wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x " 452 "Message Length %u", flags, tls_msg_len); 453 454 if (data->state == WAIT_FRAG_ACK) { 455 if (*left != 0) { 456 wpa_printf(MSG_DEBUG, "SSL: Unexpected payload in " 457 "WAIT_FRAG_ACK state"); 458 return -1; 459 } 460 wpa_printf(MSG_DEBUG, "SSL: Fragment acknowledged"); 461 return 1; 462 } 463 464 if (data->tls_in && 465 eap_server_tls_process_cont(data, *pos, end - *pos) < 0) 466 return -1; 467 468 if (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) { 469 if (eap_server_tls_process_fragment(data, flags, tls_msg_len, 470 *pos, end - *pos) < 0) 471 return -1; 472 473 data->state = FRAG_ACK; 474 return 1; 475 } 476 477 if (data->state == FRAG_ACK) { 478 wpa_printf(MSG_DEBUG, "SSL: All fragments received"); 479 data->state = MSG; 480 } 481 482 if (data->tls_in == NULL) { 483 /* Wrap unfragmented messages as wpabuf without extra copy */ 484 wpabuf_set(&data->tmpbuf, *pos, end - *pos); 485 data->tls_in = &data->tmpbuf; 486 } 487 488 return 0; 489 } 490 491 492 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data) 493 { 494 if (data->tls_in != &data->tmpbuf) 495 wpabuf_free(data->tls_in); 496 data->tls_in = NULL; 497 } 498 499 500 struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm, 501 struct eap_ssl_data *data, 502 const struct wpabuf *plain) 503 { 504 struct wpabuf *buf; 505 506 buf = tls_connection_encrypt(sm->cfg->ssl_ctx, data->conn, plain); 507 if (buf == NULL) { 508 wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data"); 509 return NULL; 510 } 511 512 return buf; 513 } 514 515 516 int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data, 517 struct wpabuf *respData, void *priv, int eap_type, 518 int (*proc_version)(struct eap_sm *sm, void *priv, 519 int peer_version), 520 void (*proc_msg)(struct eap_sm *sm, void *priv, 521 const struct wpabuf *respData)) 522 { 523 const u8 *pos; 524 u8 flags; 525 size_t left; 526 int ret, res = 0; 527 528 if (eap_type == EAP_UNAUTH_TLS_TYPE) 529 pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS, 530 EAP_VENDOR_TYPE_UNAUTH_TLS, respData, 531 &left); 532 else if (eap_type == EAP_WFA_UNAUTH_TLS_TYPE) 533 pos = eap_hdr_validate(EAP_VENDOR_WFA_NEW, 534 EAP_VENDOR_WFA_UNAUTH_TLS, respData, 535 &left); 536 else 537 pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData, 538 &left); 539 if (pos == NULL || left < 1) 540 return 0; /* Should not happen - frame already validated */ 541 flags = *pos++; 542 left--; 543 wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x", 544 (unsigned long) wpabuf_len(respData), flags); 545 546 if (proc_version && 547 proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0) 548 return -1; 549 550 ret = eap_server_tls_reassemble(data, flags, &pos, &left); 551 if (ret < 0) { 552 res = -1; 553 goto done; 554 } else if (ret == 1) 555 return 0; 556 557 if (proc_msg) 558 proc_msg(sm, priv, respData); 559 560 if (tls_connection_get_write_alerts(sm->cfg->ssl_ctx, data->conn) > 1) { 561 wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in " 562 "TLS processing"); 563 res = -1; 564 } 565 566 done: 567 eap_server_tls_free_in_buf(data); 568 569 return res; 570 } 571