1/* 2 * EAP-FAST server (RFC 4851) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "includes.h" 16 17#include "common.h" 18#include "aes_wrap.h" 19#include "sha1.h" 20#include "eap_i.h" 21#include "eap_tls_common.h" 22#include "tls.h" 23#include "eap_common/eap_tlv_common.h" 24#include "eap_common/eap_fast_common.h" 25 26 27static void eap_fast_reset(struct eap_sm *sm, void *priv); 28 29 30/* Private PAC-Opaque TLV types */ 31#define PAC_OPAQUE_TYPE_PAD 0 32#define PAC_OPAQUE_TYPE_KEY 1 33#define PAC_OPAQUE_TYPE_LIFETIME 2 34#define PAC_OPAQUE_TYPE_IDENTITY 3 35 36struct eap_fast_data { 37 struct eap_ssl_data ssl; 38 enum { 39 START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD, 40 CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE 41 } state; 42 43 int fast_version; 44 const struct eap_method *phase2_method; 45 void *phase2_priv; 46 int force_version; 47 int peer_version; 48 49 u8 crypto_binding_nonce[32]; 50 int final_result; 51 52 struct eap_fast_key_block_provisioning *key_block_p; 53 54 u8 simck[EAP_FAST_SIMCK_LEN]; 55 u8 cmk[EAP_FAST_CMK_LEN]; 56 int simck_idx; 57 58 u8 pac_opaque_encr[16]; 59 u8 *srv_id; 60 size_t srv_id_len; 61 char *srv_id_info; 62 63 int anon_provisioning; 64 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 65 struct wpabuf *pending_phase2_resp; 66 u8 *identity; /* from PAC-Opaque */ 67 size_t identity_len; 68 int eap_seq; 69 int tnc_started; 70 71 int pac_key_lifetime; 72 int pac_key_refresh_time; 73}; 74 75 76static int eap_fast_process_phase2_start(struct eap_sm *sm, 77 struct eap_fast_data *data); 78 79 80static const char * eap_fast_state_txt(int state) 81{ 82 switch (state) { 83 case START: 84 return "START"; 85 case PHASE1: 86 return "PHASE1"; 87 case PHASE2_START: 88 return "PHASE2_START"; 89 case PHASE2_ID: 90 return "PHASE2_ID"; 91 case PHASE2_METHOD: 92 return "PHASE2_METHOD"; 93 case CRYPTO_BINDING: 94 return "CRYPTO_BINDING"; 95 case REQUEST_PAC: 96 return "REQUEST_PAC"; 97 case SUCCESS: 98 return "SUCCESS"; 99 case FAILURE: 100 return "FAILURE"; 101 default: 102 return "Unknown?!"; 103 } 104} 105 106 107static void eap_fast_state(struct eap_fast_data *data, int state) 108{ 109 wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s", 110 eap_fast_state_txt(data->state), 111 eap_fast_state_txt(state)); 112 data->state = state; 113} 114 115 116static EapType eap_fast_req_failure(struct eap_sm *sm, 117 struct eap_fast_data *data) 118{ 119 /* TODO: send Result TLV(FAILURE) */ 120 eap_fast_state(data, FAILURE); 121 return EAP_TYPE_NONE; 122} 123 124 125static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 126 const u8 *client_random, 127 const u8 *server_random, 128 u8 *master_secret) 129{ 130 struct eap_fast_data *data = ctx; 131 const u8 *pac_opaque; 132 size_t pac_opaque_len; 133 u8 *buf, *pos, *end, *pac_key = NULL; 134 os_time_t lifetime = 0; 135 struct os_time now; 136 u8 *identity = NULL; 137 size_t identity_len = 0; 138 139 wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); 140 wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)", 141 ticket, len); 142 143 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 144 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid " 145 "SessionTicket"); 146 return 0; 147 } 148 149 pac_opaque_len = WPA_GET_BE16(ticket + 2); 150 pac_opaque = ticket + 4; 151 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 152 pac_opaque_len > len - 4) { 153 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque " 154 "(len=%lu left=%lu)", 155 (unsigned long) pac_opaque_len, 156 (unsigned long) len); 157 return 0; 158 } 159 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque", 160 pac_opaque, pac_opaque_len); 161 162 buf = os_malloc(pac_opaque_len - 8); 163 if (buf == NULL) { 164 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory " 165 "for decrypting PAC-Opaque"); 166 return 0; 167 } 168 169 if (aes_unwrap(data->pac_opaque_encr, (pac_opaque_len - 8) / 8, 170 pac_opaque, buf) < 0) { 171 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt " 172 "PAC-Opaque"); 173 os_free(buf); 174 /* 175 * This may have been caused by server changing the PAC-Opaque 176 * encryption key, so just ignore this PAC-Opaque instead of 177 * failing the authentication completely. Provisioning can now 178 * be used to provision a new PAC. 179 */ 180 return 0; 181 } 182 183 end = buf + pac_opaque_len - 8; 184 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque", 185 buf, end - buf); 186 187 pos = buf; 188 while (pos + 1 < end) { 189 if (pos + 2 + pos[1] > end) 190 break; 191 192 switch (*pos) { 193 case PAC_OPAQUE_TYPE_PAD: 194 pos = end; 195 break; 196 case PAC_OPAQUE_TYPE_KEY: 197 if (pos[1] != EAP_FAST_PAC_KEY_LEN) { 198 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 199 "PAC-Key length %d", pos[1]); 200 os_free(buf); 201 return -1; 202 } 203 pac_key = pos + 2; 204 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from " 205 "decrypted PAC-Opaque", 206 pac_key, EAP_FAST_PAC_KEY_LEN); 207 break; 208 case PAC_OPAQUE_TYPE_LIFETIME: 209 if (pos[1] != 4) { 210 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 211 "PAC-Key lifetime length %d", 212 pos[1]); 213 os_free(buf); 214 return -1; 215 } 216 lifetime = WPA_GET_BE32(pos + 2); 217 break; 218 case PAC_OPAQUE_TYPE_IDENTITY: 219 identity = pos + 2; 220 identity_len = pos[1]; 221 break; 222 } 223 224 pos += 2 + pos[1]; 225 } 226 227 if (pac_key == NULL) { 228 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in " 229 "PAC-Opaque"); 230 os_free(buf); 231 return -1; 232 } 233 234 if (identity) { 235 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Identity from " 236 "PAC-Opaque", identity, identity_len); 237 os_free(data->identity); 238 data->identity = os_malloc(identity_len); 239 if (data->identity) { 240 os_memcpy(data->identity, identity, identity_len); 241 data->identity_len = identity_len; 242 } 243 } 244 245 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 246 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore " 247 "(lifetime=%ld now=%ld)", lifetime, now.sec); 248 data->send_new_pac = 2; 249 /* 250 * Allow PAC to be used to allow a PAC update with some level 251 * of server authentication (i.e., do not fall back to full TLS 252 * handshake since we cannot be sure that the peer would be 253 * able to validate server certificate now). However, reject 254 * the authentication since the PAC was not valid anymore. Peer 255 * can connect again with the newly provisioned PAC after this. 256 */ 257 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 258 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send " 259 "an update if authentication succeeds"); 260 data->send_new_pac = 1; 261 } 262 263 eap_fast_derive_master_secret(pac_key, server_random, client_random, 264 master_secret); 265 266 os_free(buf); 267 268 return 1; 269} 270 271 272static void eap_fast_derive_key_auth(struct eap_sm *sm, 273 struct eap_fast_data *data) 274{ 275 u8 *sks; 276 277 /* RFC 4851, Section 5.1: 278 * Extra key material after TLS key_block: session_key_seed[40] 279 */ 280 281 sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion", 282 EAP_FAST_SKS_LEN); 283 if (sks == NULL) { 284 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " 285 "session_key_seed"); 286 return; 287 } 288 289 /* 290 * RFC 4851, Section 5.2: 291 * S-IMCK[0] = session_key_seed 292 */ 293 wpa_hexdump_key(MSG_DEBUG, 294 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 295 sks, EAP_FAST_SKS_LEN); 296 data->simck_idx = 0; 297 os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN); 298 os_free(sks); 299} 300 301 302static void eap_fast_derive_key_provisioning(struct eap_sm *sm, 303 struct eap_fast_data *data) 304{ 305 os_free(data->key_block_p); 306 data->key_block_p = (struct eap_fast_key_block_provisioning *) 307 eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, 308 "key expansion", 309 sizeof(*data->key_block_p)); 310 if (data->key_block_p == NULL) { 311 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); 312 return; 313 } 314 /* 315 * RFC 4851, Section 5.2: 316 * S-IMCK[0] = session_key_seed 317 */ 318 wpa_hexdump_key(MSG_DEBUG, 319 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 320 data->key_block_p->session_key_seed, 321 sizeof(data->key_block_p->session_key_seed)); 322 data->simck_idx = 0; 323 os_memcpy(data->simck, data->key_block_p->session_key_seed, 324 EAP_FAST_SIMCK_LEN); 325 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge", 326 data->key_block_p->server_challenge, 327 sizeof(data->key_block_p->server_challenge)); 328 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge", 329 data->key_block_p->client_challenge, 330 sizeof(data->key_block_p->client_challenge)); 331} 332 333 334static int eap_fast_get_phase2_key(struct eap_sm *sm, 335 struct eap_fast_data *data, 336 u8 *isk, size_t isk_len) 337{ 338 u8 *key; 339 size_t key_len; 340 341 os_memset(isk, 0, isk_len); 342 343 if (data->phase2_method == NULL || data->phase2_priv == NULL) { 344 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 345 "available"); 346 return -1; 347 } 348 349 if (data->phase2_method->getKey == NULL) 350 return 0; 351 352 if ((key = data->phase2_method->getKey(sm, data->phase2_priv, 353 &key_len)) == NULL) { 354 wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material " 355 "from Phase 2"); 356 return -1; 357 } 358 359 if (key_len > isk_len) 360 key_len = isk_len; 361 if (key_len == 32 && 362 data->phase2_method->vendor == EAP_VENDOR_IETF && 363 data->phase2_method->method == EAP_TYPE_MSCHAPV2) { 364 /* 365 * EAP-FAST uses reverse order for MS-MPPE keys when deriving 366 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct 367 * ISK for EAP-FAST cryptobinding. 368 */ 369 os_memcpy(isk, key + 16, 16); 370 os_memcpy(isk + 16, key, 16); 371 } else 372 os_memcpy(isk, key, key_len); 373 os_free(key); 374 375 return 0; 376} 377 378 379static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data) 380{ 381 u8 isk[32], imck[60]; 382 383 wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)", 384 data->simck_idx + 1); 385 386 /* 387 * RFC 4851, Section 5.2: 388 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", 389 * MSK[j], 60) 390 * S-IMCK[j] = first 40 octets of IMCK[j] 391 * CMK[j] = last 20 octets of IMCK[j] 392 */ 393 394 if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0) 395 return -1; 396 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk)); 397 sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, 398 "Inner Methods Compound Keys", 399 isk, sizeof(isk), imck, sizeof(imck)); 400 data->simck_idx++; 401 os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN); 402 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]", 403 data->simck, EAP_FAST_SIMCK_LEN); 404 os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, EAP_FAST_CMK_LEN); 405 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", 406 data->cmk, EAP_FAST_CMK_LEN); 407 408 return 0; 409} 410 411 412static void * eap_fast_init(struct eap_sm *sm) 413{ 414 struct eap_fast_data *data; 415 u8 ciphers[5] = { 416 TLS_CIPHER_ANON_DH_AES128_SHA, 417 TLS_CIPHER_AES128_SHA, 418 TLS_CIPHER_RSA_DHE_AES128_SHA, 419 TLS_CIPHER_RC4_SHA, 420 TLS_CIPHER_NONE 421 }; 422 423 data = os_zalloc(sizeof(*data)); 424 if (data == NULL) 425 return NULL; 426 data->fast_version = EAP_FAST_VERSION; 427 data->force_version = -1; 428 if (sm->user && sm->user->force_version >= 0) { 429 data->force_version = sm->user->force_version; 430 wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d", 431 data->force_version); 432 data->fast_version = data->force_version; 433 } 434 data->state = START; 435 436 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 437 wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL."); 438 eap_fast_reset(sm, data); 439 return NULL; 440 } 441 442 if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn, 443 ciphers) < 0) { 444 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher " 445 "suites"); 446 eap_fast_reset(sm, data); 447 return NULL; 448 } 449 450 if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, 451 eap_fast_session_ticket_cb, 452 data) < 0) { 453 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket " 454 "callback"); 455 eap_fast_reset(sm, data); 456 return NULL; 457 } 458 459 if (sm->pac_opaque_encr_key == NULL) { 460 wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key " 461 "configured"); 462 eap_fast_reset(sm, data); 463 return NULL; 464 } 465 os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, 466 sizeof(data->pac_opaque_encr)); 467 468 if (sm->eap_fast_a_id == NULL) { 469 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured"); 470 eap_fast_reset(sm, data); 471 return NULL; 472 } 473 data->srv_id = os_malloc(sm->eap_fast_a_id_len); 474 if (data->srv_id == NULL) { 475 eap_fast_reset(sm, data); 476 return NULL; 477 } 478 os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len); 479 data->srv_id_len = sm->eap_fast_a_id_len; 480 481 if (sm->eap_fast_a_id_info == NULL) { 482 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured"); 483 eap_fast_reset(sm, data); 484 return NULL; 485 } 486 data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); 487 if (data->srv_id_info == NULL) { 488 eap_fast_reset(sm, data); 489 return NULL; 490 } 491 492 /* PAC-Key lifetime in seconds (hard limit) */ 493 data->pac_key_lifetime = sm->pac_key_lifetime; 494 495 /* 496 * PAC-Key refresh time in seconds (soft limit on remaining hard 497 * limit). The server will generate a new PAC-Key when this number of 498 * seconds (or fewer) of the lifetime remains. 499 */ 500 data->pac_key_refresh_time = sm->pac_key_refresh_time; 501 502 return data; 503} 504 505 506static void eap_fast_reset(struct eap_sm *sm, void *priv) 507{ 508 struct eap_fast_data *data = priv; 509 if (data == NULL) 510 return; 511 if (data->phase2_priv && data->phase2_method) 512 data->phase2_method->reset(sm, data->phase2_priv); 513 eap_server_tls_ssl_deinit(sm, &data->ssl); 514 os_free(data->srv_id); 515 os_free(data->srv_id_info); 516 os_free(data->key_block_p); 517 wpabuf_free(data->pending_phase2_resp); 518 os_free(data->identity); 519 os_free(data); 520} 521 522 523static struct wpabuf * eap_fast_build_start(struct eap_sm *sm, 524 struct eap_fast_data *data, u8 id) 525{ 526 struct wpabuf *req; 527 528 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST, 529 1 + sizeof(struct pac_tlv_hdr) + data->srv_id_len, 530 EAP_CODE_REQUEST, id); 531 if (req == NULL) { 532 wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for" 533 " request"); 534 eap_fast_state(data, FAILURE); 535 return NULL; 536 } 537 538 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version); 539 540 /* RFC 4851, 4.1.1. Authority ID Data */ 541 eap_fast_put_tlv(req, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 542 543 eap_fast_state(data, PHASE1); 544 545 return req; 546} 547 548 549static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data) 550{ 551 char cipher[64]; 552 553 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2"); 554 555 if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) 556 < 0) { 557 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher " 558 "information"); 559 eap_fast_state(data, FAILURE); 560 return -1; 561 } 562 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 563 564 if (data->anon_provisioning) { 565 wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning"); 566 eap_fast_derive_key_provisioning(sm, data); 567 } else 568 eap_fast_derive_key_auth(sm, data); 569 570 eap_fast_state(data, PHASE2_START); 571 572 return 0; 573} 574 575 576static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm, 577 struct eap_fast_data *data, 578 u8 id) 579{ 580 struct wpabuf *req; 581 582 if (data->phase2_priv == NULL) { 583 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 584 "initialized"); 585 return NULL; 586 } 587 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 588 if (req == NULL) 589 return NULL; 590 591 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req); 592 return eap_fast_tlv_eap_payload(req); 593} 594 595 596static struct wpabuf * eap_fast_build_crypto_binding( 597 struct eap_sm *sm, struct eap_fast_data *data) 598{ 599 struct wpabuf *buf; 600 struct eap_tlv_result_tlv *result; 601 struct eap_tlv_crypto_binding_tlv *binding; 602 603 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*binding)); 604 if (buf == NULL) 605 return NULL; 606 607 if (data->send_new_pac || data->anon_provisioning || 608 data->phase2_method) 609 data->final_result = 0; 610 else 611 data->final_result = 1; 612 613 if (!data->final_result || data->eap_seq > 1) { 614 /* Intermediate-Result */ 615 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Intermediate-Result TLV " 616 "(status=SUCCESS)"); 617 result = wpabuf_put(buf, sizeof(*result)); 618 result->tlv_type = host_to_be16( 619 EAP_TLV_TYPE_MANDATORY | 620 EAP_TLV_INTERMEDIATE_RESULT_TLV); 621 result->length = host_to_be16(2); 622 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 623 } 624 625 if (data->final_result) { 626 /* Result TLV */ 627 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV " 628 "(status=SUCCESS)"); 629 result = wpabuf_put(buf, sizeof(*result)); 630 result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 631 EAP_TLV_RESULT_TLV); 632 result->length = host_to_be16(2); 633 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 634 } 635 636 /* Crypto-Binding TLV */ 637 binding = wpabuf_put(buf, sizeof(*binding)); 638 binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 639 EAP_TLV_CRYPTO_BINDING_TLV); 640 binding->length = host_to_be16(sizeof(*binding) - 641 sizeof(struct eap_tlv_hdr)); 642 binding->version = EAP_FAST_VERSION; 643 binding->received_version = data->peer_version; 644 binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; 645 if (os_get_random(binding->nonce, sizeof(binding->nonce)) < 0) { 646 wpabuf_free(buf); 647 return NULL; 648 } 649 650 /* 651 * RFC 4851, Section 4.2.8: 652 * The nonce in a request MUST have its least significant bit set to 0. 653 */ 654 binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01; 655 656 os_memcpy(data->crypto_binding_nonce, binding->nonce, 657 sizeof(binding->nonce)); 658 659 /* 660 * RFC 4851, Section 5.3: 661 * CMK = CMK[j] 662 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) 663 */ 664 665 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, 666 (u8 *) binding, sizeof(*binding), 667 binding->compound_mac); 668 669 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d " 670 "Received Version %d SubType %d", 671 binding->version, binding->received_version, 672 binding->subtype); 673 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 674 binding->nonce, sizeof(binding->nonce)); 675 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 676 binding->compound_mac, sizeof(binding->compound_mac)); 677 678 return buf; 679} 680 681 682static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm, 683 struct eap_fast_data *data) 684{ 685 u8 pac_key[EAP_FAST_PAC_KEY_LEN]; 686 u8 *pac_buf, *pac_opaque; 687 struct wpabuf *buf; 688 u8 *pos; 689 size_t buf_len, srv_id_info_len, pac_len; 690 struct eap_tlv_hdr *pac_tlv; 691 struct pac_tlv_hdr *pac_info; 692 struct eap_tlv_result_tlv *result; 693 struct os_time now; 694 695 if (os_get_random(pac_key, EAP_FAST_PAC_KEY_LEN) < 0 || 696 os_get_time(&now) < 0) 697 return NULL; 698 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key", 699 pac_key, EAP_FAST_PAC_KEY_LEN); 700 701 pac_len = (2 + EAP_FAST_PAC_KEY_LEN) + (2 + 4) + 702 (2 + sm->identity_len) + 8; 703 pac_buf = os_malloc(pac_len); 704 if (pac_buf == NULL) 705 return NULL; 706 707 srv_id_info_len = os_strlen(data->srv_id_info); 708 709 pos = pac_buf; 710 *pos++ = PAC_OPAQUE_TYPE_KEY; 711 *pos++ = EAP_FAST_PAC_KEY_LEN; 712 os_memcpy(pos, pac_key, EAP_FAST_PAC_KEY_LEN); 713 pos += EAP_FAST_PAC_KEY_LEN; 714 715 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 716 *pos++ = 4; 717 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 718 pos += 4; 719 720 if (sm->identity) { 721 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 722 *pos++ = sm->identity_len; 723 os_memcpy(pos, sm->identity, sm->identity_len); 724 pos += sm->identity_len; 725 } 726 727 pac_len = pos - pac_buf; 728 while (pac_len % 8) { 729 *pos++ = PAC_OPAQUE_TYPE_PAD; 730 pac_len++; 731 } 732 733 pac_opaque = os_malloc(pac_len + 8); 734 if (pac_opaque == NULL) { 735 os_free(pac_buf); 736 return NULL; 737 } 738 if (aes_wrap(data->pac_opaque_encr, pac_len / 8, pac_buf, 739 pac_opaque) < 0) { 740 os_free(pac_buf); 741 os_free(pac_opaque); 742 return NULL; 743 } 744 os_free(pac_buf); 745 746 pac_len += 8; 747 wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque", 748 pac_opaque, pac_len); 749 750 buf_len = sizeof(*pac_tlv) + 751 sizeof(struct pac_tlv_hdr) + EAP_FAST_PAC_KEY_LEN + 752 sizeof(struct pac_tlv_hdr) + pac_len + 753 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 754 buf = wpabuf_alloc(buf_len); 755 if (buf == NULL) { 756 os_free(pac_opaque); 757 return NULL; 758 } 759 760 /* Result TLV */ 761 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)"); 762 result = wpabuf_put(buf, sizeof(*result)); 763 WPA_PUT_BE16((u8 *) &result->tlv_type, 764 EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV); 765 WPA_PUT_BE16((u8 *) &result->length, 2); 766 WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS); 767 768 /* PAC TLV */ 769 wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV"); 770 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 771 pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 772 EAP_TLV_PAC_TLV); 773 774 /* PAC-Key */ 775 eap_fast_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_FAST_PAC_KEY_LEN); 776 777 /* PAC-Opaque */ 778 eap_fast_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 779 os_free(pac_opaque); 780 781 /* PAC-Info */ 782 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 783 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 784 785 /* PAC-Lifetime (inside PAC-Info) */ 786 eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 787 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 788 789 /* A-ID (inside PAC-Info) */ 790 eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 791 792 /* Note: headers may be misaligned after A-ID */ 793 794 /* A-ID-Info (inside PAC-Info) */ 795 eap_fast_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 796 srv_id_info_len); 797 798 /* PAC-Type (inside PAC-Info) */ 799 eap_fast_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 800 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 801 802 /* Update PAC-Info and PAC TLV Length fields */ 803 pos = wpabuf_put(buf, 0); 804 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 805 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 806 807 return buf; 808} 809 810 811static int eap_fast_encrypt_phase2(struct eap_sm *sm, 812 struct eap_fast_data *data, 813 struct wpabuf *plain, int piggyback) 814{ 815 struct wpabuf *encr; 816 817 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs", 818 plain); 819 encr = eap_server_tls_encrypt(sm, &data->ssl, wpabuf_mhead(plain), 820 wpabuf_len(plain)); 821 wpabuf_free(plain); 822 823 if (data->ssl.out_buf && piggyback) { 824 wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data " 825 "(len=%d) with last Phase 1 Message (len=%d " 826 "used=%d)", 827 (int) wpabuf_len(encr), 828 (int) wpabuf_len(data->ssl.out_buf), 829 (int) data->ssl.out_used); 830 if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(encr)) < 0) { 831 wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize " 832 "output buffer"); 833 wpabuf_free(encr); 834 return -1; 835 } 836 wpabuf_put_buf(data->ssl.out_buf, encr); 837 wpabuf_free(encr); 838 } else { 839 wpabuf_free(data->ssl.out_buf); 840 data->ssl.out_used = 0; 841 data->ssl.out_buf = encr; 842 } 843 844 return 0; 845} 846 847 848static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id) 849{ 850 struct eap_fast_data *data = priv; 851 struct wpabuf *req = NULL; 852 int piggyback = 0; 853 854 if (data->ssl.state == FRAG_ACK) { 855 return eap_server_tls_build_ack(id, EAP_TYPE_FAST, 856 data->fast_version); 857 } 858 859 if (data->ssl.state == WAIT_FRAG_ACK) { 860 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 861 data->fast_version, id); 862 } 863 864 switch (data->state) { 865 case START: 866 return eap_fast_build_start(sm, data, id); 867 case PHASE1: 868 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 869 if (eap_fast_phase1_done(sm, data) < 0) 870 return NULL; 871 if (data->state == PHASE2_START) { 872 /* 873 * Try to generate Phase 2 data to piggyback 874 * with the end of Phase 1 to avoid extra 875 * roundtrip. 876 */ 877 wpa_printf(MSG_DEBUG, "EAP-FAST: Try to start " 878 "Phase 2"); 879 if (eap_fast_process_phase2_start(sm, data)) 880 break; 881 req = eap_fast_build_phase2_req(sm, data, id); 882 piggyback = 1; 883 } 884 } 885 break; 886 case PHASE2_ID: 887 case PHASE2_METHOD: 888 req = eap_fast_build_phase2_req(sm, data, id); 889 break; 890 case CRYPTO_BINDING: 891 req = eap_fast_build_crypto_binding(sm, data); 892 if (data->phase2_method) { 893 /* 894 * Include the start of the next EAP method in the 895 * sequence in the same message with Crypto-Binding to 896 * save a round-trip. 897 */ 898 struct wpabuf *eap; 899 eap = eap_fast_build_phase2_req(sm, data, id); 900 req = wpabuf_concat(req, eap); 901 eap_fast_state(data, PHASE2_METHOD); 902 } 903 break; 904 case REQUEST_PAC: 905 req = eap_fast_build_pac(sm, data); 906 break; 907 default: 908 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 909 __func__, data->state); 910 return NULL; 911 } 912 913 if (req && 914 eap_fast_encrypt_phase2(sm, data, req, piggyback) < 0) 915 return NULL; 916 917 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 918 data->fast_version, id); 919} 920 921 922static Boolean eap_fast_check(struct eap_sm *sm, void *priv, 923 struct wpabuf *respData) 924{ 925 const u8 *pos; 926 size_t len; 927 928 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len); 929 if (pos == NULL || len < 1) { 930 wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame"); 931 return TRUE; 932 } 933 934 return FALSE; 935} 936 937 938static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data, 939 EapType eap_type) 940{ 941 if (data->phase2_priv && data->phase2_method) { 942 data->phase2_method->reset(sm, data->phase2_priv); 943 data->phase2_method = NULL; 944 data->phase2_priv = NULL; 945 } 946 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 947 eap_type); 948 if (!data->phase2_method) 949 return -1; 950 951 if (data->key_block_p) { 952 sm->auth_challenge = data->key_block_p->server_challenge; 953 sm->peer_challenge = data->key_block_p->client_challenge; 954 } 955 sm->init_phase2 = 1; 956 data->phase2_priv = data->phase2_method->init(sm); 957 sm->init_phase2 = 0; 958 sm->auth_challenge = NULL; 959 sm->peer_challenge = NULL; 960 961 return data->phase2_priv == NULL ? -1 : 0; 962} 963 964 965static void eap_fast_process_phase2_response(struct eap_sm *sm, 966 struct eap_fast_data *data, 967 u8 *in_data, size_t in_len) 968{ 969 u8 next_type = EAP_TYPE_NONE; 970 struct eap_hdr *hdr; 971 u8 *pos; 972 size_t left; 973 struct wpabuf buf; 974 const struct eap_method *m = data->phase2_method; 975 void *priv = data->phase2_priv; 976 977 if (priv == NULL) { 978 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not " 979 "initialized?!", __func__); 980 return; 981 } 982 983 hdr = (struct eap_hdr *) in_data; 984 pos = (u8 *) (hdr + 1); 985 986 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 987 left = in_len - sizeof(*hdr); 988 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; " 989 "allowed types", pos + 1, left - 1); 990#ifdef EAP_TNC 991 if (m && m->vendor == EAP_VENDOR_IETF && 992 m->method == EAP_TYPE_TNC) { 993 wpa_printf(MSG_DEBUG, "EAP-FAST: Peer Nak'ed required " 994 "TNC negotiation"); 995 next_type = eap_fast_req_failure(sm, data); 996 eap_fast_phase2_init(sm, data, next_type); 997 return; 998 } 999#endif /* EAP_TNC */ 1000 eap_sm_process_nak(sm, pos + 1, left - 1); 1001 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1002 sm->user->methods[sm->user_eap_method_index].method != 1003 EAP_TYPE_NONE) { 1004 next_type = sm->user->methods[ 1005 sm->user_eap_method_index++].method; 1006 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", 1007 next_type); 1008 } else { 1009 next_type = eap_fast_req_failure(sm, data); 1010 } 1011 eap_fast_phase2_init(sm, data, next_type); 1012 return; 1013 } 1014 1015 wpabuf_set(&buf, in_data, in_len); 1016 1017 if (m->check(sm, priv, &buf)) { 1018 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to " 1019 "ignore the packet"); 1020 next_type = eap_fast_req_failure(sm, data); 1021 return; 1022 } 1023 1024 m->process(sm, priv, &buf); 1025 1026 if (!m->isDone(sm, priv)) 1027 return; 1028 1029 if (!m->isSuccess(sm, priv)) { 1030 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed"); 1031 next_type = eap_fast_req_failure(sm, data); 1032 eap_fast_phase2_init(sm, data, next_type); 1033 return; 1034 } 1035 1036 switch (data->state) { 1037 case PHASE2_ID: 1038 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1039 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 " 1040 "Identity not found in the user " 1041 "database", 1042 sm->identity, sm->identity_len); 1043 next_type = eap_fast_req_failure(sm, data); 1044 break; 1045 } 1046 1047 eap_fast_state(data, PHASE2_METHOD); 1048 if (data->anon_provisioning) { 1049 /* 1050 * Only EAP-MSCHAPv2 is allowed for anonymous 1051 * provisioning. 1052 */ 1053 next_type = EAP_TYPE_MSCHAPV2; 1054 sm->user_eap_method_index = 0; 1055 } else { 1056 next_type = sm->user->methods[0].method; 1057 sm->user_eap_method_index = 1; 1058 } 1059 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", next_type); 1060 break; 1061 case PHASE2_METHOD: 1062 case CRYPTO_BINDING: 1063 eap_fast_update_icmk(sm, data); 1064 eap_fast_state(data, CRYPTO_BINDING); 1065 data->eap_seq++; 1066 next_type = EAP_TYPE_NONE; 1067#ifdef EAP_TNC 1068 if (sm->tnc && !data->tnc_started) { 1069 wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC"); 1070 next_type = EAP_TYPE_TNC; 1071 data->tnc_started = 1; 1072 } 1073#endif /* EAP_TNC */ 1074 break; 1075 case FAILURE: 1076 break; 1077 default: 1078 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 1079 __func__, data->state); 1080 break; 1081 } 1082 1083 eap_fast_phase2_init(sm, data, next_type); 1084} 1085 1086 1087static void eap_fast_process_phase2_eap(struct eap_sm *sm, 1088 struct eap_fast_data *data, 1089 u8 *in_data, size_t in_len) 1090{ 1091 struct eap_hdr *hdr; 1092 size_t len; 1093 1094 hdr = (struct eap_hdr *) in_data; 1095 if (in_len < (int) sizeof(*hdr)) { 1096 wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 " 1097 "EAP frame (len=%lu)", (unsigned long) in_len); 1098 eap_fast_req_failure(sm, data); 1099 return; 1100 } 1101 len = be_to_host16(hdr->length); 1102 if (len > in_len) { 1103 wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in " 1104 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1105 (unsigned long) in_len, (unsigned long) len); 1106 eap_fast_req_failure(sm, data); 1107 return; 1108 } 1109 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d " 1110 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1111 (unsigned long) len); 1112 switch (hdr->code) { 1113 case EAP_CODE_RESPONSE: 1114 eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len); 1115 break; 1116 default: 1117 wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in " 1118 "Phase 2 EAP header", hdr->code); 1119 break; 1120 } 1121} 1122 1123 1124static int eap_fast_parse_tlvs(u8 *data, size_t data_len, 1125 struct eap_fast_tlv_parse *tlv) 1126{ 1127 int mandatory, tlv_type, len, res; 1128 u8 *pos, *end; 1129 1130 os_memset(tlv, 0, sizeof(*tlv)); 1131 1132 pos = data; 1133 end = data + data_len; 1134 while (pos + 4 < end) { 1135 mandatory = pos[0] & 0x80; 1136 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1137 pos += 2; 1138 len = WPA_GET_BE16(pos); 1139 pos += 2; 1140 if (pos + len > end) { 1141 wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); 1142 return -1; 1143 } 1144 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " 1145 "TLV type %d length %d%s", 1146 tlv_type, len, mandatory ? " (mandatory)" : ""); 1147 1148 res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); 1149 if (res == -2) 1150 break; 1151 if (res < 0) { 1152 if (mandatory) { 1153 wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown " 1154 "mandatory TLV type %d", tlv_type); 1155 /* TODO: generate Nak TLV */ 1156 break; 1157 } else { 1158 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored " 1159 "unknown optional TLV type %d", 1160 tlv_type); 1161 } 1162 } 1163 1164 pos += len; 1165 } 1166 1167 return 0; 1168} 1169 1170 1171static int eap_fast_validate_crypto_binding( 1172 struct eap_fast_data *data, struct eap_tlv_crypto_binding_tlv *b, 1173 size_t bind_len) 1174{ 1175 u8 cmac[SHA1_MAC_LEN]; 1176 1177 wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: " 1178 "Version %d Received Version %d SubType %d", 1179 b->version, b->received_version, b->subtype); 1180 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 1181 b->nonce, sizeof(b->nonce)); 1182 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 1183 b->compound_mac, sizeof(b->compound_mac)); 1184 1185 if (b->version != EAP_FAST_VERSION || 1186 b->received_version != EAP_FAST_VERSION) { 1187 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version " 1188 "in Crypto-Binding: version %d " 1189 "received_version %d", b->version, 1190 b->received_version); 1191 return -1; 1192 } 1193 1194 if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1195 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in " 1196 "Crypto-Binding: %d", b->subtype); 1197 return -1; 1198 } 1199 1200 if (os_memcmp(data->crypto_binding_nonce, b->nonce, 31) != 0 || 1201 (data->crypto_binding_nonce[31] | 1) != b->nonce[31]) { 1202 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in " 1203 "Crypto-Binding"); 1204 return -1; 1205 } 1206 1207 os_memcpy(cmac, b->compound_mac, sizeof(cmac)); 1208 os_memset(b->compound_mac, 0, sizeof(cmac)); 1209 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for " 1210 "Compound MAC calculation", 1211 (u8 *) b, bind_len); 1212 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, (u8 *) b, bind_len, 1213 b->compound_mac); 1214 if (os_memcmp(cmac, b->compound_mac, sizeof(cmac)) != 0) { 1215 wpa_hexdump(MSG_MSGDUMP, 1216 "EAP-FAST: Calculated Compound MAC", 1217 b->compound_mac, sizeof(cmac)); 1218 wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not " 1219 "match"); 1220 return -1; 1221 } 1222 1223 return 0; 1224} 1225 1226 1227static int eap_fast_pac_type(u8 *pac, size_t len, u16 type) 1228{ 1229 struct eap_tlv_pac_type_tlv *tlv; 1230 1231 if (pac == NULL || len != sizeof(*tlv)) 1232 return 0; 1233 1234 tlv = (struct eap_tlv_pac_type_tlv *) pac; 1235 1236 return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE && 1237 be_to_host16(tlv->length) == 2 && 1238 be_to_host16(tlv->pac_type) == type; 1239} 1240 1241 1242static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, 1243 struct eap_fast_data *data, 1244 u8 *in_data, size_t in_len) 1245{ 1246 struct eap_fast_tlv_parse tlv; 1247 int check_crypto_binding = data->state == CRYPTO_BINDING; 1248 1249 if (eap_fast_parse_tlvs(in_data, in_len, &tlv) < 0) { 1250 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received " 1251 "Phase 2 TLVs"); 1252 return; 1253 } 1254 1255 if (tlv.result == EAP_TLV_RESULT_FAILURE) { 1256 wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated " 1257 "failure"); 1258 eap_fast_state(data, FAILURE); 1259 return; 1260 } 1261 1262 if (data->state == REQUEST_PAC) { 1263 u16 type, len, res; 1264 if (tlv.pac == NULL || tlv.pac_len < 6) { 1265 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC " 1266 "Acknowledgement received"); 1267 eap_fast_state(data, FAILURE); 1268 return; 1269 } 1270 1271 type = WPA_GET_BE16(tlv.pac); 1272 len = WPA_GET_BE16(tlv.pac + 2); 1273 res = WPA_GET_BE16(tlv.pac + 4); 1274 1275 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1276 res != EAP_TLV_RESULT_SUCCESS) { 1277 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not " 1278 "contain acknowledgement"); 1279 eap_fast_state(data, FAILURE); 1280 return; 1281 } 1282 1283 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received " 1284 "- PAC provisioning succeeded"); 1285 eap_fast_state(data, (data->anon_provisioning || 1286 data->send_new_pac == 2) ? 1287 FAILURE : SUCCESS); 1288 return; 1289 } 1290 1291 if (check_crypto_binding) { 1292 if (tlv.crypto_binding == NULL) { 1293 wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding " 1294 "TLV received"); 1295 eap_fast_state(data, FAILURE); 1296 return; 1297 } 1298 1299 if (data->final_result && 1300 tlv.result != EAP_TLV_RESULT_SUCCESS) { 1301 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1302 "without Success Result"); 1303 eap_fast_state(data, FAILURE); 1304 return; 1305 } 1306 1307 if (!data->final_result && 1308 tlv.iresult != EAP_TLV_RESULT_SUCCESS) { 1309 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1310 "without intermediate Success Result"); 1311 eap_fast_state(data, FAILURE); 1312 return; 1313 } 1314 1315 if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding, 1316 tlv.crypto_binding_len)) { 1317 eap_fast_state(data, FAILURE); 1318 return; 1319 } 1320 1321 wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV " 1322 "received"); 1323 if (data->final_result) { 1324 wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication " 1325 "completed successfully"); 1326 } 1327 1328 if (data->anon_provisioning && 1329 sm->eap_fast_prov != ANON_PROV && 1330 sm->eap_fast_prov != BOTH_PROV) { 1331 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1332 "use unauthenticated provisioning which is " 1333 "disabled"); 1334 eap_fast_state(data, FAILURE); 1335 return; 1336 } 1337 1338 if (sm->eap_fast_prov != AUTH_PROV && 1339 sm->eap_fast_prov != BOTH_PROV && 1340 tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1341 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1342 PAC_TYPE_TUNNEL_PAC)) { 1343 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1344 "use authenticated provisioning which is " 1345 "disabled"); 1346 eap_fast_state(data, FAILURE); 1347 return; 1348 } 1349 1350 if (data->anon_provisioning || 1351 (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1352 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1353 PAC_TYPE_TUNNEL_PAC))) { 1354 wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new " 1355 "Tunnel PAC"); 1356 eap_fast_state(data, REQUEST_PAC); 1357 } else if (data->send_new_pac) { 1358 wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered " 1359 "re-keying of Tunnel PAC"); 1360 eap_fast_state(data, REQUEST_PAC); 1361 } else if (data->final_result) 1362 eap_fast_state(data, SUCCESS); 1363 } 1364 1365 if (tlv.eap_payload_tlv) { 1366 eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1367 tlv.eap_payload_tlv_len); 1368 } 1369} 1370 1371 1372static void eap_fast_process_phase2(struct eap_sm *sm, 1373 struct eap_fast_data *data, 1374 struct wpabuf *in_buf) 1375{ 1376 u8 *in_decrypted; 1377 int len_decrypted; 1378 size_t buf_len; 1379 u8 *in_data; 1380 size_t in_len; 1381 1382 in_data = wpabuf_mhead(in_buf); 1383 in_len = wpabuf_len(in_buf); 1384 1385 wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for" 1386 " Phase 2", (unsigned long) in_len); 1387 1388 if (data->pending_phase2_resp) { 1389 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - " 1390 "skip decryption and use old data"); 1391 eap_fast_process_phase2_tlvs( 1392 sm, data, wpabuf_mhead(data->pending_phase2_resp), 1393 wpabuf_len(data->pending_phase2_resp)); 1394 wpabuf_free(data->pending_phase2_resp); 1395 data->pending_phase2_resp = NULL; 1396 return; 1397 } 1398 1399 buf_len = in_len; 1400 /* 1401 * Even though we try to disable TLS compression, it is possible that 1402 * this cannot be done with all TLS libraries. Add extra buffer space 1403 * to handle the possibility of the decrypted data being longer than 1404 * input data. 1405 */ 1406 buf_len += 500; 1407 buf_len *= 3; 1408 in_decrypted = os_malloc(buf_len); 1409 if (in_decrypted == NULL) { 1410 wpa_printf(MSG_WARNING, "EAP-FAST: Failed to allocate memory " 1411 "for decryption"); 1412 return; 1413 } 1414 1415 len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1416 in_data, in_len, 1417 in_decrypted, buf_len); 1418 if (len_decrypted < 0) { 1419 wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 " 1420 "data"); 1421 os_free(in_decrypted); 1422 eap_fast_state(data, FAILURE); 1423 return; 1424 } 1425 1426 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs", 1427 in_decrypted, len_decrypted); 1428 1429 eap_fast_process_phase2_tlvs(sm, data, in_decrypted, len_decrypted); 1430 1431 if (sm->method_pending == METHOD_PENDING_WAIT) { 1432 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in " 1433 "pending wait state - save decrypted response"); 1434 wpabuf_free(data->pending_phase2_resp); 1435 data->pending_phase2_resp = wpabuf_alloc_copy(in_decrypted, 1436 len_decrypted); 1437 } 1438 1439 os_free(in_decrypted); 1440} 1441 1442 1443static int eap_fast_process_version(struct eap_sm *sm, void *priv, 1444 int peer_version) 1445{ 1446 struct eap_fast_data *data = priv; 1447 1448 data->peer_version = peer_version; 1449 1450 if (data->force_version >= 0 && peer_version != data->force_version) { 1451 wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced" 1452 " version (forced=%d peer=%d) - reject", 1453 data->force_version, peer_version); 1454 return -1; 1455 } 1456 1457 if (peer_version < data->fast_version) { 1458 wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; " 1459 "use version %d", 1460 peer_version, data->fast_version, peer_version); 1461 data->fast_version = peer_version; 1462 } 1463 1464 return 0; 1465} 1466 1467 1468static int eap_fast_process_phase1(struct eap_sm *sm, 1469 struct eap_fast_data *data) 1470{ 1471 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1472 wpa_printf(MSG_INFO, "EAP-FAST: TLS processing failed"); 1473 eap_fast_state(data, FAILURE); 1474 return -1; 1475 } 1476 1477 if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || 1478 wpabuf_len(data->ssl.out_buf) > 0) 1479 return 1; 1480 1481 /* 1482 * Phase 1 was completed with the received message (e.g., when using 1483 * abbreviated handshake), so Phase 2 can be started immediately 1484 * without having to send through an empty message to the peer. 1485 */ 1486 1487 return eap_fast_phase1_done(sm, data); 1488} 1489 1490 1491static int eap_fast_process_phase2_start(struct eap_sm *sm, 1492 struct eap_fast_data *data) 1493{ 1494 u8 next_type; 1495 1496 if (data->identity) { 1497 os_free(sm->identity); 1498 sm->identity = data->identity; 1499 data->identity = NULL; 1500 sm->identity_len = data->identity_len; 1501 data->identity_len = 0; 1502 sm->require_identity_match = 1; 1503 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1504 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: " 1505 "Phase2 Identity not found " 1506 "in the user database", 1507 sm->identity, sm->identity_len); 1508 next_type = eap_fast_req_failure(sm, data); 1509 } else { 1510 wpa_printf(MSG_DEBUG, "EAP-FAST: Identity already " 1511 "known - skip Phase 2 Identity Request"); 1512 next_type = sm->user->methods[0].method; 1513 sm->user_eap_method_index = 1; 1514 } 1515 1516 eap_fast_state(data, PHASE2_METHOD); 1517 } else { 1518 eap_fast_state(data, PHASE2_ID); 1519 next_type = EAP_TYPE_IDENTITY; 1520 } 1521 1522 return eap_fast_phase2_init(sm, data, next_type); 1523} 1524 1525 1526static void eap_fast_process_msg(struct eap_sm *sm, void *priv, 1527 const struct wpabuf *respData) 1528{ 1529 struct eap_fast_data *data = priv; 1530 1531 switch (data->state) { 1532 case PHASE1: 1533 if (eap_fast_process_phase1(sm, data)) 1534 break; 1535 1536 /* fall through to PHASE2_START */ 1537 case PHASE2_START: 1538 eap_fast_process_phase2_start(sm, data); 1539 break; 1540 case PHASE2_ID: 1541 case PHASE2_METHOD: 1542 case CRYPTO_BINDING: 1543 case REQUEST_PAC: 1544 eap_fast_process_phase2(sm, data, data->ssl.in_buf); 1545 break; 1546 default: 1547 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s", 1548 data->state, __func__); 1549 break; 1550 } 1551} 1552 1553 1554static void eap_fast_process(struct eap_sm *sm, void *priv, 1555 struct wpabuf *respData) 1556{ 1557 struct eap_fast_data *data = priv; 1558 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1559 EAP_TYPE_FAST, eap_fast_process_version, 1560 eap_fast_process_msg) < 0) 1561 eap_fast_state(data, FAILURE); 1562} 1563 1564 1565static Boolean eap_fast_isDone(struct eap_sm *sm, void *priv) 1566{ 1567 struct eap_fast_data *data = priv; 1568 return data->state == SUCCESS || data->state == FAILURE; 1569} 1570 1571 1572static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len) 1573{ 1574 struct eap_fast_data *data = priv; 1575 u8 *eapKeyData; 1576 1577 if (data->state != SUCCESS) 1578 return NULL; 1579 1580 eapKeyData = os_malloc(EAP_FAST_KEY_LEN); 1581 if (eapKeyData == NULL) 1582 return NULL; 1583 1584 eap_fast_derive_eap_msk(data->simck, eapKeyData); 1585 *len = EAP_FAST_KEY_LEN; 1586 1587 return eapKeyData; 1588} 1589 1590 1591static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1592{ 1593 struct eap_fast_data *data = priv; 1594 u8 *eapKeyData; 1595 1596 if (data->state != SUCCESS) 1597 return NULL; 1598 1599 eapKeyData = os_malloc(EAP_EMSK_LEN); 1600 if (eapKeyData == NULL) 1601 return NULL; 1602 1603 eap_fast_derive_eap_emsk(data->simck, eapKeyData); 1604 *len = EAP_EMSK_LEN; 1605 1606 return eapKeyData; 1607} 1608 1609 1610static Boolean eap_fast_isSuccess(struct eap_sm *sm, void *priv) 1611{ 1612 struct eap_fast_data *data = priv; 1613 return data->state == SUCCESS; 1614} 1615 1616 1617int eap_server_fast_register(void) 1618{ 1619 struct eap_method *eap; 1620 int ret; 1621 1622 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1623 EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST"); 1624 if (eap == NULL) 1625 return -1; 1626 1627 eap->init = eap_fast_init; 1628 eap->reset = eap_fast_reset; 1629 eap->buildReq = eap_fast_buildReq; 1630 eap->check = eap_fast_check; 1631 eap->process = eap_fast_process; 1632 eap->isDone = eap_fast_isDone; 1633 eap->getKey = eap_fast_getKey; 1634 eap->get_emsk = eap_fast_get_emsk; 1635 eap->isSuccess = eap_fast_isSuccess; 1636 1637 ret = eap_server_method_register(eap); 1638 if (ret) 1639 eap_server_method_free(eap); 1640 return ret; 1641} 1642