1 /* 2 * EAP-TLS/PEAP/TTLS/FAST server common functions 3 * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "eap_i.h" 15 #include "eap_tls_common.h" 16 17 18 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data); 19 20 21 struct wpabuf * eap_tls_msg_alloc(EapType type, size_t payload_len, 22 u8 code, u8 identifier) 23 { 24 if (type == EAP_UNAUTH_TLS_TYPE) 25 return eap_msg_alloc(EAP_VENDOR_UNAUTH_TLS, 26 EAP_VENDOR_TYPE_UNAUTH_TLS, payload_len, 27 code, identifier); 28 else if (type == EAP_WFA_UNAUTH_TLS_TYPE) 29 return eap_msg_alloc(EAP_VENDOR_WFA_NEW, 30 EAP_VENDOR_WFA_UNAUTH_TLS, payload_len, 31 code, identifier); 32 return eap_msg_alloc(EAP_VENDOR_IETF, type, payload_len, code, 33 identifier); 34 } 35 36 37 #ifdef CONFIG_TLS_INTERNAL 38 static void eap_server_tls_log_cb(void *ctx, const char *msg) 39 { 40 struct eap_sm *sm = ctx; 41 eap_log_msg(sm, "TLS: %s", msg); 42 } 43 #endif /* CONFIG_TLS_INTERNAL */ 44 45 46 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, 47 int verify_peer) 48 { 49 if (sm->ssl_ctx == NULL) { 50 wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method"); 51 return -1; 52 } 53 54 data->eap = sm; 55 data->phase2 = sm->init_phase2; 56 57 data->conn = tls_connection_init(sm->ssl_ctx); 58 if (data->conn == NULL) { 59 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS " 60 "connection"); 61 return -1; 62 } 63 64 #ifdef CONFIG_TLS_INTERNAL 65 tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm); 66 #ifdef CONFIG_TESTING_OPTIONS 67 tls_connection_set_test_flags(data->conn, sm->tls_test_flags); 68 #endif /* CONFIG_TESTING_OPTIONS */ 69 #endif /* CONFIG_TLS_INTERNAL */ 70 71 if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) { 72 wpa_printf(MSG_INFO, "SSL: Failed to configure verification " 73 "of TLS peer certificate"); 74 tls_connection_deinit(sm->ssl_ctx, data->conn); 75 data->conn = NULL; 76 return -1; 77 } 78 79 data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398; 80 if (data->phase2) { 81 /* Limit the fragment size in the inner TLS authentication 82 * since the outer authentication with EAP-PEAP does not yet 83 * support fragmentation */ 84 if (data->tls_out_limit > 100) 85 data->tls_out_limit -= 100; 86 } 87 return 0; 88 } 89 90 91 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) 92 { 93 tls_connection_deinit(sm->ssl_ctx, data->conn); 94 eap_server_tls_free_in_buf(data); 95 wpabuf_free(data->tls_out); 96 data->tls_out = NULL; 97 } 98 99 100 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, 101 char *label, size_t len) 102 { 103 struct tls_keys keys; 104 u8 *rnd = NULL, *out; 105 106 out = os_malloc(len); 107 if (out == NULL) 108 return NULL; 109 110 if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 0, out, len) == 111 0) 112 return out; 113 114 if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys)) 115 goto fail; 116 117 if (keys.client_random == NULL || keys.server_random == NULL || 118 keys.master_key == NULL) 119 goto fail; 120 121 rnd = os_malloc(keys.client_random_len + keys.server_random_len); 122 if (rnd == NULL) 123 goto fail; 124 os_memcpy(rnd, keys.client_random, keys.client_random_len); 125 os_memcpy(rnd + keys.client_random_len, keys.server_random, 126 keys.server_random_len); 127 128 if (tls_prf_sha1_md5(keys.master_key, keys.master_key_len, 129 label, rnd, keys.client_random_len + 130 keys.server_random_len, out, len)) 131 goto fail; 132 133 os_free(rnd); 134 return out; 135 136 fail: 137 os_free(out); 138 os_free(rnd); 139 return NULL; 140 } 141 142 143 /** 144 * eap_server_tls_derive_session_id - Derive a Session-Id based on TLS data 145 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 146 * @data: Data for TLS processing 147 * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST) 148 * @len: Pointer to length of the session ID generated 149 * Returns: Pointer to allocated Session-Id on success or %NULL on failure 150 * 151 * This function derive the Session-Id based on the TLS session data 152 * (client/server random and method type). 153 * 154 * The caller is responsible for freeing the returned buffer. 155 */ 156 u8 * eap_server_tls_derive_session_id(struct eap_sm *sm, 157 struct eap_ssl_data *data, u8 eap_type, 158 size_t *len) 159 { 160 struct tls_keys keys; 161 u8 *out; 162 163 if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys)) 164 return NULL; 165 166 if (keys.client_random == NULL || keys.server_random == NULL) 167 return NULL; 168 169 *len = 1 + keys.client_random_len + keys.server_random_len; 170 out = os_malloc(*len); 171 if (out == NULL) 172 return NULL; 173 174 /* Session-Id = EAP type || client.random || server.random */ 175 out[0] = eap_type; 176 os_memcpy(out + 1, keys.client_random, keys.client_random_len); 177 os_memcpy(out + 1 + keys.client_random_len, keys.server_random, 178 keys.server_random_len); 179 180 return out; 181 } 182 183 184 struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data, 185 int eap_type, int version, u8 id) 186 { 187 struct wpabuf *req; 188 u8 flags; 189 size_t send_len, plen; 190 191 wpa_printf(MSG_DEBUG, "SSL: Generating Request"); 192 if (data->tls_out == NULL) { 193 wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__); 194 return NULL; 195 } 196 197 flags = version; 198 send_len = wpabuf_len(data->tls_out) - data->tls_out_pos; 199 if (1 + send_len > data->tls_out_limit) { 200 send_len = data->tls_out_limit - 1; 201 flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS; 202 if (data->tls_out_pos == 0) { 203 flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED; 204 send_len -= 4; 205 } 206 } 207 208 plen = 1 + send_len; 209 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 210 plen += 4; 211 212 req = eap_tls_msg_alloc(eap_type, plen, EAP_CODE_REQUEST, id); 213 if (req == NULL) 214 return NULL; 215 216 wpabuf_put_u8(req, flags); /* Flags */ 217 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 218 wpabuf_put_be32(req, wpabuf_len(data->tls_out)); 219 220 wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos, 221 send_len); 222 data->tls_out_pos += send_len; 223 224 if (data->tls_out_pos == wpabuf_len(data->tls_out)) { 225 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes " 226 "(message sent completely)", 227 (unsigned long) send_len); 228 wpabuf_free(data->tls_out); 229 data->tls_out = NULL; 230 data->tls_out_pos = 0; 231 data->state = MSG; 232 } else { 233 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes " 234 "(%lu more to send)", (unsigned long) send_len, 235 (unsigned long) wpabuf_len(data->tls_out) - 236 data->tls_out_pos); 237 data->state = WAIT_FRAG_ACK; 238 } 239 240 return req; 241 } 242 243 244 struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version) 245 { 246 struct wpabuf *req; 247 248 req = eap_tls_msg_alloc(eap_type, 1, EAP_CODE_REQUEST, id); 249 if (req == NULL) 250 return NULL; 251 wpa_printf(MSG_DEBUG, "SSL: Building ACK"); 252 wpabuf_put_u8(req, version); /* Flags */ 253 return req; 254 } 255 256 257 static int eap_server_tls_process_cont(struct eap_ssl_data *data, 258 const u8 *buf, size_t len) 259 { 260 /* Process continuation of a pending message */ 261 if (len > wpabuf_tailroom(data->tls_in)) { 262 wpa_printf(MSG_DEBUG, "SSL: Fragment overflow"); 263 return -1; 264 } 265 266 wpabuf_put_data(data->tls_in, buf, len); 267 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu " 268 "bytes more", (unsigned long) len, 269 (unsigned long) wpabuf_tailroom(data->tls_in)); 270 271 return 0; 272 } 273 274 275 static int eap_server_tls_process_fragment(struct eap_ssl_data *data, 276 u8 flags, u32 message_length, 277 const u8 *buf, size_t len) 278 { 279 /* Process a fragment that is not the last one of the message */ 280 if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) { 281 wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a " 282 "fragmented packet"); 283 return -1; 284 } 285 286 if (data->tls_in == NULL) { 287 /* First fragment of the message */ 288 289 /* Limit length to avoid rogue peers from causing large 290 * memory allocations. */ 291 if (message_length > 65536) { 292 wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size" 293 " over 64 kB)"); 294 return -1; 295 } 296 297 if (len > message_length) { 298 wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " 299 "first fragment of frame (TLS Message " 300 "Length %d bytes)", 301 (int) len, (int) message_length); 302 return -1; 303 } 304 305 data->tls_in = wpabuf_alloc(message_length); 306 if (data->tls_in == NULL) { 307 wpa_printf(MSG_DEBUG, "SSL: No memory for message"); 308 return -1; 309 } 310 wpabuf_put_data(data->tls_in, buf, len); 311 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first " 312 "fragment, waiting for %lu bytes more", 313 (unsigned long) len, 314 (unsigned long) wpabuf_tailroom(data->tls_in)); 315 } 316 317 return 0; 318 } 319 320 321 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data) 322 { 323 if (data->tls_out) { 324 /* This should not happen.. */ 325 wpa_printf(MSG_INFO, "SSL: pending tls_out data when " 326 "processing new message"); 327 wpabuf_free(data->tls_out); 328 WPA_ASSERT(data->tls_out == NULL); 329 } 330 331 data->tls_out = tls_connection_server_handshake(sm->ssl_ctx, 332 data->conn, 333 data->tls_in, NULL); 334 if (data->tls_out == NULL) { 335 wpa_printf(MSG_INFO, "SSL: TLS processing failed"); 336 return -1; 337 } 338 if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) { 339 /* TLS processing has failed - return error */ 340 wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to " 341 "report error"); 342 return -1; 343 } 344 345 return 0; 346 } 347 348 349 static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags, 350 const u8 **pos, size_t *left) 351 { 352 unsigned int tls_msg_len = 0; 353 const u8 *end = *pos + *left; 354 355 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) { 356 if (*left < 4) { 357 wpa_printf(MSG_INFO, "SSL: Short frame with TLS " 358 "length"); 359 return -1; 360 } 361 tls_msg_len = WPA_GET_BE32(*pos); 362 wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d", 363 tls_msg_len); 364 *pos += 4; 365 *left -= 4; 366 367 if (*left > tls_msg_len) { 368 wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d " 369 "bytes) smaller than this fragment (%d " 370 "bytes)", (int) tls_msg_len, (int) *left); 371 return -1; 372 } 373 } 374 375 wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x " 376 "Message Length %u", flags, tls_msg_len); 377 378 if (data->state == WAIT_FRAG_ACK) { 379 if (*left != 0) { 380 wpa_printf(MSG_DEBUG, "SSL: Unexpected payload in " 381 "WAIT_FRAG_ACK state"); 382 return -1; 383 } 384 wpa_printf(MSG_DEBUG, "SSL: Fragment acknowledged"); 385 return 1; 386 } 387 388 if (data->tls_in && 389 eap_server_tls_process_cont(data, *pos, end - *pos) < 0) 390 return -1; 391 392 if (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) { 393 if (eap_server_tls_process_fragment(data, flags, tls_msg_len, 394 *pos, end - *pos) < 0) 395 return -1; 396 397 data->state = FRAG_ACK; 398 return 1; 399 } 400 401 if (data->state == FRAG_ACK) { 402 wpa_printf(MSG_DEBUG, "SSL: All fragments received"); 403 data->state = MSG; 404 } 405 406 if (data->tls_in == NULL) { 407 /* Wrap unfragmented messages as wpabuf without extra copy */ 408 wpabuf_set(&data->tmpbuf, *pos, end - *pos); 409 data->tls_in = &data->tmpbuf; 410 } 411 412 return 0; 413 } 414 415 416 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data) 417 { 418 if (data->tls_in != &data->tmpbuf) 419 wpabuf_free(data->tls_in); 420 data->tls_in = NULL; 421 } 422 423 424 struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm, 425 struct eap_ssl_data *data, 426 const struct wpabuf *plain) 427 { 428 struct wpabuf *buf; 429 430 buf = tls_connection_encrypt(sm->ssl_ctx, data->conn, 431 plain); 432 if (buf == NULL) { 433 wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data"); 434 return NULL; 435 } 436 437 return buf; 438 } 439 440 441 int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data, 442 struct wpabuf *respData, void *priv, int eap_type, 443 int (*proc_version)(struct eap_sm *sm, void *priv, 444 int peer_version), 445 void (*proc_msg)(struct eap_sm *sm, void *priv, 446 const struct wpabuf *respData)) 447 { 448 const u8 *pos; 449 u8 flags; 450 size_t left; 451 int ret, res = 0; 452 453 if (eap_type == EAP_UNAUTH_TLS_TYPE) 454 pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS, 455 EAP_VENDOR_TYPE_UNAUTH_TLS, respData, 456 &left); 457 else if (eap_type == EAP_WFA_UNAUTH_TLS_TYPE) 458 pos = eap_hdr_validate(EAP_VENDOR_WFA_NEW, 459 EAP_VENDOR_WFA_UNAUTH_TLS, respData, 460 &left); 461 else 462 pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData, 463 &left); 464 if (pos == NULL || left < 1) 465 return 0; /* Should not happen - frame already validated */ 466 flags = *pos++; 467 left--; 468 wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x", 469 (unsigned long) wpabuf_len(respData), flags); 470 471 if (proc_version && 472 proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0) 473 return -1; 474 475 ret = eap_server_tls_reassemble(data, flags, &pos, &left); 476 if (ret < 0) { 477 res = -1; 478 goto done; 479 } else if (ret == 1) 480 return 0; 481 482 if (proc_msg) 483 proc_msg(sm, priv, respData); 484 485 if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) { 486 wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in " 487 "TLS processing"); 488 res = -1; 489 } 490 491 done: 492 eap_server_tls_free_in_buf(data); 493 494 return res; 495 } 496