1/* 2 * EAP-FAST server (RFC 4851) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/aes_wrap.h" 13#include "crypto/sha1.h" 14#include "crypto/tls.h" 15#include "crypto/random.h" 16#include "eap_common/eap_tlv_common.h" 17#include "eap_common/eap_fast_common.h" 18#include "eap_i.h" 19#include "eap_tls_common.h" 20 21 22static void eap_fast_reset(struct eap_sm *sm, void *priv); 23 24 25/* Private PAC-Opaque TLV types */ 26#define PAC_OPAQUE_TYPE_PAD 0 27#define PAC_OPAQUE_TYPE_KEY 1 28#define PAC_OPAQUE_TYPE_LIFETIME 2 29#define PAC_OPAQUE_TYPE_IDENTITY 3 30 31struct eap_fast_data { 32 struct eap_ssl_data ssl; 33 enum { 34 START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD, 35 CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE 36 } state; 37 38 int fast_version; 39 const struct eap_method *phase2_method; 40 void *phase2_priv; 41 int force_version; 42 int peer_version; 43 44 u8 crypto_binding_nonce[32]; 45 int final_result; 46 47 struct eap_fast_key_block_provisioning *key_block_p; 48 49 u8 simck[EAP_FAST_SIMCK_LEN]; 50 u8 cmk[EAP_FAST_CMK_LEN]; 51 int simck_idx; 52 53 u8 pac_opaque_encr[16]; 54 u8 *srv_id; 55 size_t srv_id_len; 56 char *srv_id_info; 57 58 int anon_provisioning; 59 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 60 struct wpabuf *pending_phase2_resp; 61 u8 *identity; /* from PAC-Opaque */ 62 size_t identity_len; 63 int eap_seq; 64 int tnc_started; 65 66 int pac_key_lifetime; 67 int pac_key_refresh_time; 68}; 69 70 71static int eap_fast_process_phase2_start(struct eap_sm *sm, 72 struct eap_fast_data *data); 73 74 75static const char * eap_fast_state_txt(int state) 76{ 77 switch (state) { 78 case START: 79 return "START"; 80 case PHASE1: 81 return "PHASE1"; 82 case PHASE2_START: 83 return "PHASE2_START"; 84 case PHASE2_ID: 85 return "PHASE2_ID"; 86 case PHASE2_METHOD: 87 return "PHASE2_METHOD"; 88 case CRYPTO_BINDING: 89 return "CRYPTO_BINDING"; 90 case REQUEST_PAC: 91 return "REQUEST_PAC"; 92 case SUCCESS: 93 return "SUCCESS"; 94 case FAILURE: 95 return "FAILURE"; 96 default: 97 return "Unknown?!"; 98 } 99} 100 101 102static void eap_fast_state(struct eap_fast_data *data, int state) 103{ 104 wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s", 105 eap_fast_state_txt(data->state), 106 eap_fast_state_txt(state)); 107 data->state = state; 108} 109 110 111static EapType eap_fast_req_failure(struct eap_sm *sm, 112 struct eap_fast_data *data) 113{ 114 /* TODO: send Result TLV(FAILURE) */ 115 eap_fast_state(data, FAILURE); 116 return EAP_TYPE_NONE; 117} 118 119 120static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 121 const u8 *client_random, 122 const u8 *server_random, 123 u8 *master_secret) 124{ 125 struct eap_fast_data *data = ctx; 126 const u8 *pac_opaque; 127 size_t pac_opaque_len; 128 u8 *buf, *pos, *end, *pac_key = NULL; 129 os_time_t lifetime = 0; 130 struct os_time now; 131 u8 *identity = NULL; 132 size_t identity_len = 0; 133 134 wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); 135 wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)", 136 ticket, len); 137 138 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 139 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid " 140 "SessionTicket"); 141 return 0; 142 } 143 144 pac_opaque_len = WPA_GET_BE16(ticket + 2); 145 pac_opaque = ticket + 4; 146 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 147 pac_opaque_len > len - 4) { 148 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque " 149 "(len=%lu left=%lu)", 150 (unsigned long) pac_opaque_len, 151 (unsigned long) len); 152 return 0; 153 } 154 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque", 155 pac_opaque, pac_opaque_len); 156 157 buf = os_malloc(pac_opaque_len - 8); 158 if (buf == NULL) { 159 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory " 160 "for decrypting PAC-Opaque"); 161 return 0; 162 } 163 164 if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 165 (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) { 166 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt " 167 "PAC-Opaque"); 168 os_free(buf); 169 /* 170 * This may have been caused by server changing the PAC-Opaque 171 * encryption key, so just ignore this PAC-Opaque instead of 172 * failing the authentication completely. Provisioning can now 173 * be used to provision a new PAC. 174 */ 175 return 0; 176 } 177 178 end = buf + pac_opaque_len - 8; 179 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque", 180 buf, end - buf); 181 182 pos = buf; 183 while (pos + 1 < end) { 184 if (pos + 2 + pos[1] > end) 185 break; 186 187 switch (*pos) { 188 case PAC_OPAQUE_TYPE_PAD: 189 pos = end; 190 goto done; 191 case PAC_OPAQUE_TYPE_KEY: 192 if (pos[1] != EAP_FAST_PAC_KEY_LEN) { 193 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 194 "PAC-Key length %d", pos[1]); 195 os_free(buf); 196 return -1; 197 } 198 pac_key = pos + 2; 199 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from " 200 "decrypted PAC-Opaque", 201 pac_key, EAP_FAST_PAC_KEY_LEN); 202 break; 203 case PAC_OPAQUE_TYPE_LIFETIME: 204 if (pos[1] != 4) { 205 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 206 "PAC-Key lifetime length %d", 207 pos[1]); 208 os_free(buf); 209 return -1; 210 } 211 lifetime = WPA_GET_BE32(pos + 2); 212 break; 213 case PAC_OPAQUE_TYPE_IDENTITY: 214 identity = pos + 2; 215 identity_len = pos[1]; 216 break; 217 } 218 219 pos += 2 + pos[1]; 220 } 221done: 222 223 if (pac_key == NULL) { 224 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in " 225 "PAC-Opaque"); 226 os_free(buf); 227 return -1; 228 } 229 230 if (identity) { 231 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Identity from " 232 "PAC-Opaque", identity, identity_len); 233 os_free(data->identity); 234 data->identity = os_malloc(identity_len); 235 if (data->identity) { 236 os_memcpy(data->identity, identity, identity_len); 237 data->identity_len = identity_len; 238 } 239 } 240 241 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 242 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore " 243 "(lifetime=%ld now=%ld)", lifetime, now.sec); 244 data->send_new_pac = 2; 245 /* 246 * Allow PAC to be used to allow a PAC update with some level 247 * of server authentication (i.e., do not fall back to full TLS 248 * handshake since we cannot be sure that the peer would be 249 * able to validate server certificate now). However, reject 250 * the authentication since the PAC was not valid anymore. Peer 251 * can connect again with the newly provisioned PAC after this. 252 */ 253 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 254 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send " 255 "an update if authentication succeeds"); 256 data->send_new_pac = 1; 257 } 258 259 eap_fast_derive_master_secret(pac_key, server_random, client_random, 260 master_secret); 261 262 os_free(buf); 263 264 return 1; 265} 266 267 268static void eap_fast_derive_key_auth(struct eap_sm *sm, 269 struct eap_fast_data *data) 270{ 271 u8 *sks; 272 273 /* RFC 4851, Section 5.1: 274 * Extra key material after TLS key_block: session_key_seed[40] 275 */ 276 277 sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion", 278 EAP_FAST_SKS_LEN); 279 if (sks == NULL) { 280 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " 281 "session_key_seed"); 282 return; 283 } 284 285 /* 286 * RFC 4851, Section 5.2: 287 * S-IMCK[0] = session_key_seed 288 */ 289 wpa_hexdump_key(MSG_DEBUG, 290 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 291 sks, EAP_FAST_SKS_LEN); 292 data->simck_idx = 0; 293 os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN); 294 os_free(sks); 295} 296 297 298static void eap_fast_derive_key_provisioning(struct eap_sm *sm, 299 struct eap_fast_data *data) 300{ 301 os_free(data->key_block_p); 302 data->key_block_p = (struct eap_fast_key_block_provisioning *) 303 eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, 304 "key expansion", 305 sizeof(*data->key_block_p)); 306 if (data->key_block_p == NULL) { 307 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); 308 return; 309 } 310 /* 311 * RFC 4851, Section 5.2: 312 * S-IMCK[0] = session_key_seed 313 */ 314 wpa_hexdump_key(MSG_DEBUG, 315 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 316 data->key_block_p->session_key_seed, 317 sizeof(data->key_block_p->session_key_seed)); 318 data->simck_idx = 0; 319 os_memcpy(data->simck, data->key_block_p->session_key_seed, 320 EAP_FAST_SIMCK_LEN); 321 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge", 322 data->key_block_p->server_challenge, 323 sizeof(data->key_block_p->server_challenge)); 324 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge", 325 data->key_block_p->client_challenge, 326 sizeof(data->key_block_p->client_challenge)); 327} 328 329 330static int eap_fast_get_phase2_key(struct eap_sm *sm, 331 struct eap_fast_data *data, 332 u8 *isk, size_t isk_len) 333{ 334 u8 *key; 335 size_t key_len; 336 337 os_memset(isk, 0, isk_len); 338 339 if (data->phase2_method == NULL || data->phase2_priv == NULL) { 340 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 341 "available"); 342 return -1; 343 } 344 345 if (data->phase2_method->getKey == NULL) 346 return 0; 347 348 if ((key = data->phase2_method->getKey(sm, data->phase2_priv, 349 &key_len)) == NULL) { 350 wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material " 351 "from Phase 2"); 352 return -1; 353 } 354 355 if (key_len > isk_len) 356 key_len = isk_len; 357 if (key_len == 32 && 358 data->phase2_method->vendor == EAP_VENDOR_IETF && 359 data->phase2_method->method == EAP_TYPE_MSCHAPV2) { 360 /* 361 * EAP-FAST uses reverse order for MS-MPPE keys when deriving 362 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct 363 * ISK for EAP-FAST cryptobinding. 364 */ 365 os_memcpy(isk, key + 16, 16); 366 os_memcpy(isk + 16, key, 16); 367 } else 368 os_memcpy(isk, key, key_len); 369 os_free(key); 370 371 return 0; 372} 373 374 375static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data) 376{ 377 u8 isk[32], imck[60]; 378 379 wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)", 380 data->simck_idx + 1); 381 382 /* 383 * RFC 4851, Section 5.2: 384 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", 385 * MSK[j], 60) 386 * S-IMCK[j] = first 40 octets of IMCK[j] 387 * CMK[j] = last 20 octets of IMCK[j] 388 */ 389 390 if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0) 391 return -1; 392 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk)); 393 sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, 394 "Inner Methods Compound Keys", 395 isk, sizeof(isk), imck, sizeof(imck)); 396 data->simck_idx++; 397 os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN); 398 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]", 399 data->simck, EAP_FAST_SIMCK_LEN); 400 os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, EAP_FAST_CMK_LEN); 401 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", 402 data->cmk, EAP_FAST_CMK_LEN); 403 404 return 0; 405} 406 407 408static void * eap_fast_init(struct eap_sm *sm) 409{ 410 struct eap_fast_data *data; 411 u8 ciphers[5] = { 412 TLS_CIPHER_ANON_DH_AES128_SHA, 413 TLS_CIPHER_AES128_SHA, 414 TLS_CIPHER_RSA_DHE_AES128_SHA, 415 TLS_CIPHER_RC4_SHA, 416 TLS_CIPHER_NONE 417 }; 418 419 data = os_zalloc(sizeof(*data)); 420 if (data == NULL) 421 return NULL; 422 data->fast_version = EAP_FAST_VERSION; 423 data->force_version = -1; 424 if (sm->user && sm->user->force_version >= 0) { 425 data->force_version = sm->user->force_version; 426 wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d", 427 data->force_version); 428 data->fast_version = data->force_version; 429 } 430 data->state = START; 431 432 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 433 wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL."); 434 eap_fast_reset(sm, data); 435 return NULL; 436 } 437 438 if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn, 439 ciphers) < 0) { 440 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher " 441 "suites"); 442 eap_fast_reset(sm, data); 443 return NULL; 444 } 445 446 if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, 447 eap_fast_session_ticket_cb, 448 data) < 0) { 449 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket " 450 "callback"); 451 eap_fast_reset(sm, data); 452 return NULL; 453 } 454 455 if (sm->pac_opaque_encr_key == NULL) { 456 wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key " 457 "configured"); 458 eap_fast_reset(sm, data); 459 return NULL; 460 } 461 os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, 462 sizeof(data->pac_opaque_encr)); 463 464 if (sm->eap_fast_a_id == NULL) { 465 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured"); 466 eap_fast_reset(sm, data); 467 return NULL; 468 } 469 data->srv_id = os_malloc(sm->eap_fast_a_id_len); 470 if (data->srv_id == NULL) { 471 eap_fast_reset(sm, data); 472 return NULL; 473 } 474 os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len); 475 data->srv_id_len = sm->eap_fast_a_id_len; 476 477 if (sm->eap_fast_a_id_info == NULL) { 478 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured"); 479 eap_fast_reset(sm, data); 480 return NULL; 481 } 482 data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); 483 if (data->srv_id_info == NULL) { 484 eap_fast_reset(sm, data); 485 return NULL; 486 } 487 488 /* PAC-Key lifetime in seconds (hard limit) */ 489 data->pac_key_lifetime = sm->pac_key_lifetime; 490 491 /* 492 * PAC-Key refresh time in seconds (soft limit on remaining hard 493 * limit). The server will generate a new PAC-Key when this number of 494 * seconds (or fewer) of the lifetime remains. 495 */ 496 data->pac_key_refresh_time = sm->pac_key_refresh_time; 497 498 return data; 499} 500 501 502static void eap_fast_reset(struct eap_sm *sm, void *priv) 503{ 504 struct eap_fast_data *data = priv; 505 if (data == NULL) 506 return; 507 if (data->phase2_priv && data->phase2_method) 508 data->phase2_method->reset(sm, data->phase2_priv); 509 eap_server_tls_ssl_deinit(sm, &data->ssl); 510 os_free(data->srv_id); 511 os_free(data->srv_id_info); 512 os_free(data->key_block_p); 513 wpabuf_free(data->pending_phase2_resp); 514 os_free(data->identity); 515 bin_clear_free(data, sizeof(*data)); 516} 517 518 519static struct wpabuf * eap_fast_build_start(struct eap_sm *sm, 520 struct eap_fast_data *data, u8 id) 521{ 522 struct wpabuf *req; 523 524 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST, 525 1 + sizeof(struct pac_tlv_hdr) + data->srv_id_len, 526 EAP_CODE_REQUEST, id); 527 if (req == NULL) { 528 wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for" 529 " request"); 530 eap_fast_state(data, FAILURE); 531 return NULL; 532 } 533 534 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version); 535 536 /* RFC 4851, 4.1.1. Authority ID Data */ 537 eap_fast_put_tlv(req, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 538 539 eap_fast_state(data, PHASE1); 540 541 return req; 542} 543 544 545static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data) 546{ 547 char cipher[64]; 548 549 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2"); 550 551 if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) 552 < 0) { 553 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher " 554 "information"); 555 eap_fast_state(data, FAILURE); 556 return -1; 557 } 558 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 559 560 if (data->anon_provisioning) { 561 wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning"); 562 eap_fast_derive_key_provisioning(sm, data); 563 } else 564 eap_fast_derive_key_auth(sm, data); 565 566 eap_fast_state(data, PHASE2_START); 567 568 return 0; 569} 570 571 572static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm, 573 struct eap_fast_data *data, 574 u8 id) 575{ 576 struct wpabuf *req; 577 578 if (data->phase2_priv == NULL) { 579 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 580 "initialized"); 581 return NULL; 582 } 583 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 584 if (req == NULL) 585 return NULL; 586 587 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req); 588 return eap_fast_tlv_eap_payload(req); 589} 590 591 592static struct wpabuf * eap_fast_build_crypto_binding( 593 struct eap_sm *sm, struct eap_fast_data *data) 594{ 595 struct wpabuf *buf; 596 struct eap_tlv_result_tlv *result; 597 struct eap_tlv_crypto_binding_tlv *binding; 598 599 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*binding)); 600 if (buf == NULL) 601 return NULL; 602 603 if (data->send_new_pac || data->anon_provisioning || 604 data->phase2_method) 605 data->final_result = 0; 606 else 607 data->final_result = 1; 608 609 if (!data->final_result || data->eap_seq > 1) { 610 /* Intermediate-Result */ 611 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Intermediate-Result TLV " 612 "(status=SUCCESS)"); 613 result = wpabuf_put(buf, sizeof(*result)); 614 result->tlv_type = host_to_be16( 615 EAP_TLV_TYPE_MANDATORY | 616 EAP_TLV_INTERMEDIATE_RESULT_TLV); 617 result->length = host_to_be16(2); 618 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 619 } 620 621 if (data->final_result) { 622 /* Result TLV */ 623 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV " 624 "(status=SUCCESS)"); 625 result = wpabuf_put(buf, sizeof(*result)); 626 result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 627 EAP_TLV_RESULT_TLV); 628 result->length = host_to_be16(2); 629 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 630 } 631 632 /* Crypto-Binding TLV */ 633 binding = wpabuf_put(buf, sizeof(*binding)); 634 binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 635 EAP_TLV_CRYPTO_BINDING_TLV); 636 binding->length = host_to_be16(sizeof(*binding) - 637 sizeof(struct eap_tlv_hdr)); 638 binding->version = EAP_FAST_VERSION; 639 binding->received_version = data->peer_version; 640 binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; 641 if (random_get_bytes(binding->nonce, sizeof(binding->nonce)) < 0) { 642 wpabuf_free(buf); 643 return NULL; 644 } 645 646 /* 647 * RFC 4851, Section 4.2.8: 648 * The nonce in a request MUST have its least significant bit set to 0. 649 */ 650 binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01; 651 652 os_memcpy(data->crypto_binding_nonce, binding->nonce, 653 sizeof(binding->nonce)); 654 655 /* 656 * RFC 4851, Section 5.3: 657 * CMK = CMK[j] 658 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) 659 */ 660 661 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, 662 (u8 *) binding, sizeof(*binding), 663 binding->compound_mac); 664 665 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d " 666 "Received Version %d SubType %d", 667 binding->version, binding->received_version, 668 binding->subtype); 669 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 670 binding->nonce, sizeof(binding->nonce)); 671 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 672 binding->compound_mac, sizeof(binding->compound_mac)); 673 674 return buf; 675} 676 677 678static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm, 679 struct eap_fast_data *data) 680{ 681 u8 pac_key[EAP_FAST_PAC_KEY_LEN]; 682 u8 *pac_buf, *pac_opaque; 683 struct wpabuf *buf; 684 u8 *pos; 685 size_t buf_len, srv_id_info_len, pac_len; 686 struct eap_tlv_hdr *pac_tlv; 687 struct pac_tlv_hdr *pac_info; 688 struct eap_tlv_result_tlv *result; 689 struct os_time now; 690 691 if (random_get_bytes(pac_key, EAP_FAST_PAC_KEY_LEN) < 0 || 692 os_get_time(&now) < 0) 693 return NULL; 694 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key", 695 pac_key, EAP_FAST_PAC_KEY_LEN); 696 697 pac_len = (2 + EAP_FAST_PAC_KEY_LEN) + (2 + 4) + 698 (2 + sm->identity_len) + 8; 699 pac_buf = os_malloc(pac_len); 700 if (pac_buf == NULL) 701 return NULL; 702 703 srv_id_info_len = os_strlen(data->srv_id_info); 704 705 pos = pac_buf; 706 *pos++ = PAC_OPAQUE_TYPE_KEY; 707 *pos++ = EAP_FAST_PAC_KEY_LEN; 708 os_memcpy(pos, pac_key, EAP_FAST_PAC_KEY_LEN); 709 pos += EAP_FAST_PAC_KEY_LEN; 710 711 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 712 *pos++ = 4; 713 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 714 pos += 4; 715 716 if (sm->identity) { 717 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 718 *pos++ = sm->identity_len; 719 os_memcpy(pos, sm->identity, sm->identity_len); 720 pos += sm->identity_len; 721 } 722 723 pac_len = pos - pac_buf; 724 while (pac_len % 8) { 725 *pos++ = PAC_OPAQUE_TYPE_PAD; 726 pac_len++; 727 } 728 729 pac_opaque = os_malloc(pac_len + 8); 730 if (pac_opaque == NULL) { 731 os_free(pac_buf); 732 return NULL; 733 } 734 if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 735 pac_len / 8, pac_buf, pac_opaque) < 0) { 736 os_free(pac_buf); 737 os_free(pac_opaque); 738 return NULL; 739 } 740 os_free(pac_buf); 741 742 pac_len += 8; 743 wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque", 744 pac_opaque, pac_len); 745 746 buf_len = sizeof(*pac_tlv) + 747 sizeof(struct pac_tlv_hdr) + EAP_FAST_PAC_KEY_LEN + 748 sizeof(struct pac_tlv_hdr) + pac_len + 749 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 750 buf = wpabuf_alloc(buf_len); 751 if (buf == NULL) { 752 os_free(pac_opaque); 753 return NULL; 754 } 755 756 /* Result TLV */ 757 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)"); 758 result = wpabuf_put(buf, sizeof(*result)); 759 WPA_PUT_BE16((u8 *) &result->tlv_type, 760 EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV); 761 WPA_PUT_BE16((u8 *) &result->length, 2); 762 WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS); 763 764 /* PAC TLV */ 765 wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV"); 766 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 767 pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 768 EAP_TLV_PAC_TLV); 769 770 /* PAC-Key */ 771 eap_fast_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_FAST_PAC_KEY_LEN); 772 773 /* PAC-Opaque */ 774 eap_fast_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 775 os_free(pac_opaque); 776 777 /* PAC-Info */ 778 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 779 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 780 781 /* PAC-Lifetime (inside PAC-Info) */ 782 eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 783 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 784 785 /* A-ID (inside PAC-Info) */ 786 eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 787 788 /* Note: headers may be misaligned after A-ID */ 789 790 if (sm->identity) { 791 eap_fast_put_tlv(buf, PAC_TYPE_I_ID, sm->identity, 792 sm->identity_len); 793 } 794 795 /* A-ID-Info (inside PAC-Info) */ 796 eap_fast_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 797 srv_id_info_len); 798 799 /* PAC-Type (inside PAC-Info) */ 800 eap_fast_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 801 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 802 803 /* Update PAC-Info and PAC TLV Length fields */ 804 pos = wpabuf_put(buf, 0); 805 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 806 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 807 808 return buf; 809} 810 811 812static int eap_fast_encrypt_phase2(struct eap_sm *sm, 813 struct eap_fast_data *data, 814 struct wpabuf *plain, int piggyback) 815{ 816 struct wpabuf *encr; 817 818 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs", 819 plain); 820 encr = eap_server_tls_encrypt(sm, &data->ssl, plain); 821 wpabuf_free(plain); 822 823 if (data->ssl.tls_out && piggyback) { 824 wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data " 825 "(len=%d) with last Phase 1 Message (len=%d " 826 "used=%d)", 827 (int) wpabuf_len(encr), 828 (int) wpabuf_len(data->ssl.tls_out), 829 (int) data->ssl.tls_out_pos); 830 if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) { 831 wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize " 832 "output buffer"); 833 wpabuf_free(encr); 834 return -1; 835 } 836 wpabuf_put_buf(data->ssl.tls_out, encr); 837 wpabuf_free(encr); 838 } else { 839 wpabuf_free(data->ssl.tls_out); 840 data->ssl.tls_out_pos = 0; 841 data->ssl.tls_out = encr; 842 } 843 844 return 0; 845} 846 847 848static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id) 849{ 850 struct eap_fast_data *data = priv; 851 struct wpabuf *req = NULL; 852 int piggyback = 0; 853 854 if (data->ssl.state == FRAG_ACK) { 855 return eap_server_tls_build_ack(id, EAP_TYPE_FAST, 856 data->fast_version); 857 } 858 859 if (data->ssl.state == WAIT_FRAG_ACK) { 860 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 861 data->fast_version, id); 862 } 863 864 switch (data->state) { 865 case START: 866 return eap_fast_build_start(sm, data, id); 867 case PHASE1: 868 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 869 if (eap_fast_phase1_done(sm, data) < 0) 870 return NULL; 871 if (data->state == PHASE2_START) { 872 /* 873 * Try to generate Phase 2 data to piggyback 874 * with the end of Phase 1 to avoid extra 875 * roundtrip. 876 */ 877 wpa_printf(MSG_DEBUG, "EAP-FAST: Try to start " 878 "Phase 2"); 879 if (eap_fast_process_phase2_start(sm, data)) 880 break; 881 req = eap_fast_build_phase2_req(sm, data, id); 882 piggyback = 1; 883 } 884 } 885 break; 886 case PHASE2_ID: 887 case PHASE2_METHOD: 888 req = eap_fast_build_phase2_req(sm, data, id); 889 break; 890 case CRYPTO_BINDING: 891 req = eap_fast_build_crypto_binding(sm, data); 892 if (data->phase2_method) { 893 /* 894 * Include the start of the next EAP method in the 895 * sequence in the same message with Crypto-Binding to 896 * save a round-trip. 897 */ 898 struct wpabuf *eap; 899 eap = eap_fast_build_phase2_req(sm, data, id); 900 req = wpabuf_concat(req, eap); 901 eap_fast_state(data, PHASE2_METHOD); 902 } 903 break; 904 case REQUEST_PAC: 905 req = eap_fast_build_pac(sm, data); 906 break; 907 default: 908 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 909 __func__, data->state); 910 return NULL; 911 } 912 913 if (req && 914 eap_fast_encrypt_phase2(sm, data, req, piggyback) < 0) 915 return NULL; 916 917 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 918 data->fast_version, id); 919} 920 921 922static Boolean eap_fast_check(struct eap_sm *sm, void *priv, 923 struct wpabuf *respData) 924{ 925 const u8 *pos; 926 size_t len; 927 928 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len); 929 if (pos == NULL || len < 1) { 930 wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame"); 931 return TRUE; 932 } 933 934 return FALSE; 935} 936 937 938static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data, 939 EapType eap_type) 940{ 941 if (data->phase2_priv && data->phase2_method) { 942 data->phase2_method->reset(sm, data->phase2_priv); 943 data->phase2_method = NULL; 944 data->phase2_priv = NULL; 945 } 946 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 947 eap_type); 948 if (!data->phase2_method) 949 return -1; 950 951 if (data->key_block_p) { 952 sm->auth_challenge = data->key_block_p->server_challenge; 953 sm->peer_challenge = data->key_block_p->client_challenge; 954 } 955 sm->init_phase2 = 1; 956 data->phase2_priv = data->phase2_method->init(sm); 957 sm->init_phase2 = 0; 958 sm->auth_challenge = NULL; 959 sm->peer_challenge = NULL; 960 961 return data->phase2_priv == NULL ? -1 : 0; 962} 963 964 965static void eap_fast_process_phase2_response(struct eap_sm *sm, 966 struct eap_fast_data *data, 967 u8 *in_data, size_t in_len) 968{ 969 u8 next_type = EAP_TYPE_NONE; 970 struct eap_hdr *hdr; 971 u8 *pos; 972 size_t left; 973 struct wpabuf buf; 974 const struct eap_method *m = data->phase2_method; 975 void *priv = data->phase2_priv; 976 977 if (priv == NULL) { 978 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not " 979 "initialized?!", __func__); 980 return; 981 } 982 983 hdr = (struct eap_hdr *) in_data; 984 pos = (u8 *) (hdr + 1); 985 986 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 987 left = in_len - sizeof(*hdr); 988 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; " 989 "allowed types", pos + 1, left - 1); 990#ifdef EAP_SERVER_TNC 991 if (m && m->vendor == EAP_VENDOR_IETF && 992 m->method == EAP_TYPE_TNC) { 993 wpa_printf(MSG_DEBUG, "EAP-FAST: Peer Nak'ed required " 994 "TNC negotiation"); 995 next_type = eap_fast_req_failure(sm, data); 996 eap_fast_phase2_init(sm, data, next_type); 997 return; 998 } 999#endif /* EAP_SERVER_TNC */ 1000 eap_sm_process_nak(sm, pos + 1, left - 1); 1001 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1002 sm->user->methods[sm->user_eap_method_index].method != 1003 EAP_TYPE_NONE) { 1004 next_type = sm->user->methods[ 1005 sm->user_eap_method_index++].method; 1006 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", 1007 next_type); 1008 } else { 1009 next_type = eap_fast_req_failure(sm, data); 1010 } 1011 eap_fast_phase2_init(sm, data, next_type); 1012 return; 1013 } 1014 1015 wpabuf_set(&buf, in_data, in_len); 1016 1017 if (m->check(sm, priv, &buf)) { 1018 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to " 1019 "ignore the packet"); 1020 next_type = eap_fast_req_failure(sm, data); 1021 return; 1022 } 1023 1024 m->process(sm, priv, &buf); 1025 1026 if (!m->isDone(sm, priv)) 1027 return; 1028 1029 if (!m->isSuccess(sm, priv)) { 1030 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed"); 1031 next_type = eap_fast_req_failure(sm, data); 1032 eap_fast_phase2_init(sm, data, next_type); 1033 return; 1034 } 1035 1036 switch (data->state) { 1037 case PHASE2_ID: 1038 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1039 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 " 1040 "Identity not found in the user " 1041 "database", 1042 sm->identity, sm->identity_len); 1043 next_type = eap_fast_req_failure(sm, data); 1044 break; 1045 } 1046 1047 eap_fast_state(data, PHASE2_METHOD); 1048 if (data->anon_provisioning) { 1049 /* 1050 * Only EAP-MSCHAPv2 is allowed for anonymous 1051 * provisioning. 1052 */ 1053 next_type = EAP_TYPE_MSCHAPV2; 1054 sm->user_eap_method_index = 0; 1055 } else { 1056 next_type = sm->user->methods[0].method; 1057 sm->user_eap_method_index = 1; 1058 } 1059 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", next_type); 1060 break; 1061 case PHASE2_METHOD: 1062 case CRYPTO_BINDING: 1063 eap_fast_update_icmk(sm, data); 1064 eap_fast_state(data, CRYPTO_BINDING); 1065 data->eap_seq++; 1066 next_type = EAP_TYPE_NONE; 1067#ifdef EAP_SERVER_TNC 1068 if (sm->tnc && !data->tnc_started) { 1069 wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC"); 1070 next_type = EAP_TYPE_TNC; 1071 data->tnc_started = 1; 1072 } 1073#endif /* EAP_SERVER_TNC */ 1074 break; 1075 case FAILURE: 1076 break; 1077 default: 1078 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 1079 __func__, data->state); 1080 break; 1081 } 1082 1083 eap_fast_phase2_init(sm, data, next_type); 1084} 1085 1086 1087static void eap_fast_process_phase2_eap(struct eap_sm *sm, 1088 struct eap_fast_data *data, 1089 u8 *in_data, size_t in_len) 1090{ 1091 struct eap_hdr *hdr; 1092 size_t len; 1093 1094 hdr = (struct eap_hdr *) in_data; 1095 if (in_len < (int) sizeof(*hdr)) { 1096 wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 " 1097 "EAP frame (len=%lu)", (unsigned long) in_len); 1098 eap_fast_req_failure(sm, data); 1099 return; 1100 } 1101 len = be_to_host16(hdr->length); 1102 if (len > in_len) { 1103 wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in " 1104 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1105 (unsigned long) in_len, (unsigned long) len); 1106 eap_fast_req_failure(sm, data); 1107 return; 1108 } 1109 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d " 1110 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1111 (unsigned long) len); 1112 switch (hdr->code) { 1113 case EAP_CODE_RESPONSE: 1114 eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len); 1115 break; 1116 default: 1117 wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in " 1118 "Phase 2 EAP header", hdr->code); 1119 break; 1120 } 1121} 1122 1123 1124static int eap_fast_parse_tlvs(struct wpabuf *data, 1125 struct eap_fast_tlv_parse *tlv) 1126{ 1127 int mandatory, tlv_type, res; 1128 size_t len; 1129 u8 *pos, *end; 1130 1131 os_memset(tlv, 0, sizeof(*tlv)); 1132 1133 pos = wpabuf_mhead(data); 1134 end = pos + wpabuf_len(data); 1135 while (pos + 4 < end) { 1136 mandatory = pos[0] & 0x80; 1137 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1138 pos += 2; 1139 len = WPA_GET_BE16(pos); 1140 pos += 2; 1141 if (len > (size_t) (end - pos)) { 1142 wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); 1143 return -1; 1144 } 1145 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " 1146 "TLV type %d length %u%s", 1147 tlv_type, (unsigned int) len, 1148 mandatory ? " (mandatory)" : ""); 1149 1150 res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); 1151 if (res == -2) 1152 break; 1153 if (res < 0) { 1154 if (mandatory) { 1155 wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown " 1156 "mandatory TLV type %d", tlv_type); 1157 /* TODO: generate Nak TLV */ 1158 break; 1159 } else { 1160 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored " 1161 "unknown optional TLV type %d", 1162 tlv_type); 1163 } 1164 } 1165 1166 pos += len; 1167 } 1168 1169 return 0; 1170} 1171 1172 1173static int eap_fast_validate_crypto_binding( 1174 struct eap_fast_data *data, struct eap_tlv_crypto_binding_tlv *b, 1175 size_t bind_len) 1176{ 1177 u8 cmac[SHA1_MAC_LEN]; 1178 1179 wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: " 1180 "Version %d Received Version %d SubType %d", 1181 b->version, b->received_version, b->subtype); 1182 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 1183 b->nonce, sizeof(b->nonce)); 1184 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 1185 b->compound_mac, sizeof(b->compound_mac)); 1186 1187 if (b->version != EAP_FAST_VERSION || 1188 b->received_version != EAP_FAST_VERSION) { 1189 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version " 1190 "in Crypto-Binding: version %d " 1191 "received_version %d", b->version, 1192 b->received_version); 1193 return -1; 1194 } 1195 1196 if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1197 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in " 1198 "Crypto-Binding: %d", b->subtype); 1199 return -1; 1200 } 1201 1202 if (os_memcmp_const(data->crypto_binding_nonce, b->nonce, 31) != 0 || 1203 (data->crypto_binding_nonce[31] | 1) != b->nonce[31]) { 1204 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in " 1205 "Crypto-Binding"); 1206 return -1; 1207 } 1208 1209 os_memcpy(cmac, b->compound_mac, sizeof(cmac)); 1210 os_memset(b->compound_mac, 0, sizeof(cmac)); 1211 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for " 1212 "Compound MAC calculation", 1213 (u8 *) b, bind_len); 1214 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, (u8 *) b, bind_len, 1215 b->compound_mac); 1216 if (os_memcmp_const(cmac, b->compound_mac, sizeof(cmac)) != 0) { 1217 wpa_hexdump(MSG_MSGDUMP, 1218 "EAP-FAST: Calculated Compound MAC", 1219 b->compound_mac, sizeof(cmac)); 1220 wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not " 1221 "match"); 1222 return -1; 1223 } 1224 1225 return 0; 1226} 1227 1228 1229static int eap_fast_pac_type(u8 *pac, size_t len, u16 type) 1230{ 1231 struct eap_tlv_pac_type_tlv *tlv; 1232 1233 if (pac == NULL || len != sizeof(*tlv)) 1234 return 0; 1235 1236 tlv = (struct eap_tlv_pac_type_tlv *) pac; 1237 1238 return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE && 1239 be_to_host16(tlv->length) == 2 && 1240 be_to_host16(tlv->pac_type) == type; 1241} 1242 1243 1244static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, 1245 struct eap_fast_data *data, 1246 struct wpabuf *in_data) 1247{ 1248 struct eap_fast_tlv_parse tlv; 1249 int check_crypto_binding = data->state == CRYPTO_BINDING; 1250 1251 if (eap_fast_parse_tlvs(in_data, &tlv) < 0) { 1252 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received " 1253 "Phase 2 TLVs"); 1254 return; 1255 } 1256 1257 if (tlv.result == EAP_TLV_RESULT_FAILURE) { 1258 wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated " 1259 "failure"); 1260 eap_fast_state(data, FAILURE); 1261 return; 1262 } 1263 1264 if (data->state == REQUEST_PAC) { 1265 u16 type, len, res; 1266 if (tlv.pac == NULL || tlv.pac_len < 6) { 1267 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC " 1268 "Acknowledgement received"); 1269 eap_fast_state(data, FAILURE); 1270 return; 1271 } 1272 1273 type = WPA_GET_BE16(tlv.pac); 1274 len = WPA_GET_BE16(tlv.pac + 2); 1275 res = WPA_GET_BE16(tlv.pac + 4); 1276 1277 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1278 res != EAP_TLV_RESULT_SUCCESS) { 1279 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not " 1280 "contain acknowledgement"); 1281 eap_fast_state(data, FAILURE); 1282 return; 1283 } 1284 1285 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received " 1286 "- PAC provisioning succeeded"); 1287 eap_fast_state(data, (data->anon_provisioning || 1288 data->send_new_pac == 2) ? 1289 FAILURE : SUCCESS); 1290 return; 1291 } 1292 1293 if (check_crypto_binding) { 1294 if (tlv.crypto_binding == NULL) { 1295 wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding " 1296 "TLV received"); 1297 eap_fast_state(data, FAILURE); 1298 return; 1299 } 1300 1301 if (data->final_result && 1302 tlv.result != EAP_TLV_RESULT_SUCCESS) { 1303 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1304 "without Success Result"); 1305 eap_fast_state(data, FAILURE); 1306 return; 1307 } 1308 1309 if (!data->final_result && 1310 tlv.iresult != EAP_TLV_RESULT_SUCCESS) { 1311 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1312 "without intermediate Success Result"); 1313 eap_fast_state(data, FAILURE); 1314 return; 1315 } 1316 1317 if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding, 1318 tlv.crypto_binding_len)) { 1319 eap_fast_state(data, FAILURE); 1320 return; 1321 } 1322 1323 wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV " 1324 "received"); 1325 if (data->final_result) { 1326 wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication " 1327 "completed successfully"); 1328 } 1329 1330 if (data->anon_provisioning && 1331 sm->eap_fast_prov != ANON_PROV && 1332 sm->eap_fast_prov != BOTH_PROV) { 1333 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1334 "use unauthenticated provisioning which is " 1335 "disabled"); 1336 eap_fast_state(data, FAILURE); 1337 return; 1338 } 1339 1340 if (sm->eap_fast_prov != AUTH_PROV && 1341 sm->eap_fast_prov != BOTH_PROV && 1342 tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1343 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1344 PAC_TYPE_TUNNEL_PAC)) { 1345 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1346 "use authenticated provisioning which is " 1347 "disabled"); 1348 eap_fast_state(data, FAILURE); 1349 return; 1350 } 1351 1352 if (data->anon_provisioning || 1353 (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1354 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1355 PAC_TYPE_TUNNEL_PAC))) { 1356 wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new " 1357 "Tunnel PAC"); 1358 eap_fast_state(data, REQUEST_PAC); 1359 } else if (data->send_new_pac) { 1360 wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered " 1361 "re-keying of Tunnel PAC"); 1362 eap_fast_state(data, REQUEST_PAC); 1363 } else if (data->final_result) 1364 eap_fast_state(data, SUCCESS); 1365 } 1366 1367 if (tlv.eap_payload_tlv) { 1368 eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1369 tlv.eap_payload_tlv_len); 1370 } 1371} 1372 1373 1374static void eap_fast_process_phase2(struct eap_sm *sm, 1375 struct eap_fast_data *data, 1376 struct wpabuf *in_buf) 1377{ 1378 struct wpabuf *in_decrypted; 1379 1380 wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for" 1381 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 1382 1383 if (data->pending_phase2_resp) { 1384 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - " 1385 "skip decryption and use old data"); 1386 eap_fast_process_phase2_tlvs(sm, data, 1387 data->pending_phase2_resp); 1388 wpabuf_free(data->pending_phase2_resp); 1389 data->pending_phase2_resp = NULL; 1390 return; 1391 } 1392 1393 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1394 in_buf); 1395 if (in_decrypted == NULL) { 1396 wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 " 1397 "data"); 1398 eap_fast_state(data, FAILURE); 1399 return; 1400 } 1401 1402 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs", 1403 in_decrypted); 1404 1405 eap_fast_process_phase2_tlvs(sm, data, in_decrypted); 1406 1407 if (sm->method_pending == METHOD_PENDING_WAIT) { 1408 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in " 1409 "pending wait state - save decrypted response"); 1410 wpabuf_free(data->pending_phase2_resp); 1411 data->pending_phase2_resp = in_decrypted; 1412 return; 1413 } 1414 1415 wpabuf_free(in_decrypted); 1416} 1417 1418 1419static int eap_fast_process_version(struct eap_sm *sm, void *priv, 1420 int peer_version) 1421{ 1422 struct eap_fast_data *data = priv; 1423 1424 data->peer_version = peer_version; 1425 1426 if (data->force_version >= 0 && peer_version != data->force_version) { 1427 wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced" 1428 " version (forced=%d peer=%d) - reject", 1429 data->force_version, peer_version); 1430 return -1; 1431 } 1432 1433 if (peer_version < data->fast_version) { 1434 wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; " 1435 "use version %d", 1436 peer_version, data->fast_version, peer_version); 1437 data->fast_version = peer_version; 1438 } 1439 1440 return 0; 1441} 1442 1443 1444static int eap_fast_process_phase1(struct eap_sm *sm, 1445 struct eap_fast_data *data) 1446{ 1447 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1448 wpa_printf(MSG_INFO, "EAP-FAST: TLS processing failed"); 1449 eap_fast_state(data, FAILURE); 1450 return -1; 1451 } 1452 1453 if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || 1454 wpabuf_len(data->ssl.tls_out) > 0) 1455 return 1; 1456 1457 /* 1458 * Phase 1 was completed with the received message (e.g., when using 1459 * abbreviated handshake), so Phase 2 can be started immediately 1460 * without having to send through an empty message to the peer. 1461 */ 1462 1463 return eap_fast_phase1_done(sm, data); 1464} 1465 1466 1467static int eap_fast_process_phase2_start(struct eap_sm *sm, 1468 struct eap_fast_data *data) 1469{ 1470 u8 next_type; 1471 1472 if (data->identity) { 1473 os_free(sm->identity); 1474 sm->identity = data->identity; 1475 data->identity = NULL; 1476 sm->identity_len = data->identity_len; 1477 data->identity_len = 0; 1478 sm->require_identity_match = 1; 1479 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1480 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: " 1481 "Phase2 Identity not found " 1482 "in the user database", 1483 sm->identity, sm->identity_len); 1484 next_type = eap_fast_req_failure(sm, data); 1485 } else { 1486 wpa_printf(MSG_DEBUG, "EAP-FAST: Identity already " 1487 "known - skip Phase 2 Identity Request"); 1488 next_type = sm->user->methods[0].method; 1489 sm->user_eap_method_index = 1; 1490 } 1491 1492 eap_fast_state(data, PHASE2_METHOD); 1493 } else { 1494 eap_fast_state(data, PHASE2_ID); 1495 next_type = EAP_TYPE_IDENTITY; 1496 } 1497 1498 return eap_fast_phase2_init(sm, data, next_type); 1499} 1500 1501 1502static void eap_fast_process_msg(struct eap_sm *sm, void *priv, 1503 const struct wpabuf *respData) 1504{ 1505 struct eap_fast_data *data = priv; 1506 1507 switch (data->state) { 1508 case PHASE1: 1509 if (eap_fast_process_phase1(sm, data)) 1510 break; 1511 1512 /* fall through to PHASE2_START */ 1513 case PHASE2_START: 1514 eap_fast_process_phase2_start(sm, data); 1515 break; 1516 case PHASE2_ID: 1517 case PHASE2_METHOD: 1518 case CRYPTO_BINDING: 1519 case REQUEST_PAC: 1520 eap_fast_process_phase2(sm, data, data->ssl.tls_in); 1521 break; 1522 default: 1523 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s", 1524 data->state, __func__); 1525 break; 1526 } 1527} 1528 1529 1530static void eap_fast_process(struct eap_sm *sm, void *priv, 1531 struct wpabuf *respData) 1532{ 1533 struct eap_fast_data *data = priv; 1534 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1535 EAP_TYPE_FAST, eap_fast_process_version, 1536 eap_fast_process_msg) < 0) 1537 eap_fast_state(data, FAILURE); 1538} 1539 1540 1541static Boolean eap_fast_isDone(struct eap_sm *sm, void *priv) 1542{ 1543 struct eap_fast_data *data = priv; 1544 return data->state == SUCCESS || data->state == FAILURE; 1545} 1546 1547 1548static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len) 1549{ 1550 struct eap_fast_data *data = priv; 1551 u8 *eapKeyData; 1552 1553 if (data->state != SUCCESS) 1554 return NULL; 1555 1556 eapKeyData = os_malloc(EAP_FAST_KEY_LEN); 1557 if (eapKeyData == NULL) 1558 return NULL; 1559 1560 eap_fast_derive_eap_msk(data->simck, eapKeyData); 1561 *len = EAP_FAST_KEY_LEN; 1562 1563 return eapKeyData; 1564} 1565 1566 1567static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1568{ 1569 struct eap_fast_data *data = priv; 1570 u8 *eapKeyData; 1571 1572 if (data->state != SUCCESS) 1573 return NULL; 1574 1575 eapKeyData = os_malloc(EAP_EMSK_LEN); 1576 if (eapKeyData == NULL) 1577 return NULL; 1578 1579 eap_fast_derive_eap_emsk(data->simck, eapKeyData); 1580 *len = EAP_EMSK_LEN; 1581 1582 return eapKeyData; 1583} 1584 1585 1586static Boolean eap_fast_isSuccess(struct eap_sm *sm, void *priv) 1587{ 1588 struct eap_fast_data *data = priv; 1589 return data->state == SUCCESS; 1590} 1591 1592 1593int eap_server_fast_register(void) 1594{ 1595 struct eap_method *eap; 1596 int ret; 1597 1598 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1599 EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST"); 1600 if (eap == NULL) 1601 return -1; 1602 1603 eap->init = eap_fast_init; 1604 eap->reset = eap_fast_reset; 1605 eap->buildReq = eap_fast_buildReq; 1606 eap->check = eap_fast_check; 1607 eap->process = eap_fast_process; 1608 eap->isDone = eap_fast_isDone; 1609 eap->getKey = eap_fast_getKey; 1610 eap->get_emsk = eap_fast_get_emsk; 1611 eap->isSuccess = eap_fast_isSuccess; 1612 1613 ret = eap_server_method_register(eap); 1614 if (ret) 1615 eap_server_method_free(eap); 1616 return ret; 1617} 1618