1/* 2 * EAP-FAST server (RFC 4851) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/aes_wrap.h" 13#include "crypto/sha1.h" 14#include "crypto/tls.h" 15#include "crypto/random.h" 16#include "eap_common/eap_tlv_common.h" 17#include "eap_common/eap_fast_common.h" 18#include "eap_i.h" 19#include "eap_tls_common.h" 20 21 22static void eap_fast_reset(struct eap_sm *sm, void *priv); 23 24 25/* Private PAC-Opaque TLV types */ 26#define PAC_OPAQUE_TYPE_PAD 0 27#define PAC_OPAQUE_TYPE_KEY 1 28#define PAC_OPAQUE_TYPE_LIFETIME 2 29#define PAC_OPAQUE_TYPE_IDENTITY 3 30 31struct eap_fast_data { 32 struct eap_ssl_data ssl; 33 enum { 34 START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD, 35 CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE 36 } state; 37 38 int fast_version; 39 const struct eap_method *phase2_method; 40 void *phase2_priv; 41 int force_version; 42 int peer_version; 43 44 u8 crypto_binding_nonce[32]; 45 int final_result; 46 47 struct eap_fast_key_block_provisioning *key_block_p; 48 49 u8 simck[EAP_FAST_SIMCK_LEN]; 50 u8 cmk[EAP_FAST_CMK_LEN]; 51 int simck_idx; 52 53 u8 pac_opaque_encr[16]; 54 u8 *srv_id; 55 size_t srv_id_len; 56 char *srv_id_info; 57 58 int anon_provisioning; 59 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 60 struct wpabuf *pending_phase2_resp; 61 u8 *identity; /* from PAC-Opaque */ 62 size_t identity_len; 63 int eap_seq; 64 int tnc_started; 65 66 int pac_key_lifetime; 67 int pac_key_refresh_time; 68}; 69 70 71static int eap_fast_process_phase2_start(struct eap_sm *sm, 72 struct eap_fast_data *data); 73 74 75static const char * eap_fast_state_txt(int state) 76{ 77 switch (state) { 78 case START: 79 return "START"; 80 case PHASE1: 81 return "PHASE1"; 82 case PHASE2_START: 83 return "PHASE2_START"; 84 case PHASE2_ID: 85 return "PHASE2_ID"; 86 case PHASE2_METHOD: 87 return "PHASE2_METHOD"; 88 case CRYPTO_BINDING: 89 return "CRYPTO_BINDING"; 90 case REQUEST_PAC: 91 return "REQUEST_PAC"; 92 case SUCCESS: 93 return "SUCCESS"; 94 case FAILURE: 95 return "FAILURE"; 96 default: 97 return "Unknown?!"; 98 } 99} 100 101 102static void eap_fast_state(struct eap_fast_data *data, int state) 103{ 104 wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s", 105 eap_fast_state_txt(data->state), 106 eap_fast_state_txt(state)); 107 data->state = state; 108} 109 110 111static EapType eap_fast_req_failure(struct eap_sm *sm, 112 struct eap_fast_data *data) 113{ 114 /* TODO: send Result TLV(FAILURE) */ 115 eap_fast_state(data, FAILURE); 116 return EAP_TYPE_NONE; 117} 118 119 120static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 121 const u8 *client_random, 122 const u8 *server_random, 123 u8 *master_secret) 124{ 125 struct eap_fast_data *data = ctx; 126 const u8 *pac_opaque; 127 size_t pac_opaque_len; 128 u8 *buf, *pos, *end, *pac_key = NULL; 129 os_time_t lifetime = 0; 130 struct os_time now; 131 u8 *identity = NULL; 132 size_t identity_len = 0; 133 134 wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); 135 wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)", 136 ticket, len); 137 138 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 139 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid " 140 "SessionTicket"); 141 return 0; 142 } 143 144 pac_opaque_len = WPA_GET_BE16(ticket + 2); 145 pac_opaque = ticket + 4; 146 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 147 pac_opaque_len > len - 4) { 148 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque " 149 "(len=%lu left=%lu)", 150 (unsigned long) pac_opaque_len, 151 (unsigned long) len); 152 return 0; 153 } 154 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque", 155 pac_opaque, pac_opaque_len); 156 157 buf = os_malloc(pac_opaque_len - 8); 158 if (buf == NULL) { 159 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory " 160 "for decrypting PAC-Opaque"); 161 return 0; 162 } 163 164 if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 165 (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) { 166 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt " 167 "PAC-Opaque"); 168 os_free(buf); 169 /* 170 * This may have been caused by server changing the PAC-Opaque 171 * encryption key, so just ignore this PAC-Opaque instead of 172 * failing the authentication completely. Provisioning can now 173 * be used to provision a new PAC. 174 */ 175 return 0; 176 } 177 178 end = buf + pac_opaque_len - 8; 179 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque", 180 buf, end - buf); 181 182 pos = buf; 183 while (end - pos > 1) { 184 u8 id, elen; 185 186 id = *pos++; 187 elen = *pos++; 188 if (elen > end - pos) 189 break; 190 191 switch (id) { 192 case PAC_OPAQUE_TYPE_PAD: 193 goto done; 194 case PAC_OPAQUE_TYPE_KEY: 195 if (elen != EAP_FAST_PAC_KEY_LEN) { 196 wpa_printf(MSG_DEBUG, 197 "EAP-FAST: Invalid PAC-Key length %d", 198 elen); 199 os_free(buf); 200 return -1; 201 } 202 pac_key = pos; 203 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from " 204 "decrypted PAC-Opaque", 205 pac_key, EAP_FAST_PAC_KEY_LEN); 206 break; 207 case PAC_OPAQUE_TYPE_LIFETIME: 208 if (elen != 4) { 209 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 210 "PAC-Key lifetime length %d", 211 elen); 212 os_free(buf); 213 return -1; 214 } 215 lifetime = WPA_GET_BE32(pos); 216 break; 217 case PAC_OPAQUE_TYPE_IDENTITY: 218 identity = pos; 219 identity_len = elen; 220 break; 221 } 222 223 pos += elen; 224 } 225done: 226 227 if (pac_key == NULL) { 228 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in " 229 "PAC-Opaque"); 230 os_free(buf); 231 return -1; 232 } 233 234 if (identity) { 235 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Identity from " 236 "PAC-Opaque", identity, identity_len); 237 os_free(data->identity); 238 data->identity = os_malloc(identity_len); 239 if (data->identity) { 240 os_memcpy(data->identity, identity, identity_len); 241 data->identity_len = identity_len; 242 } 243 } 244 245 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 246 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore " 247 "(lifetime=%ld now=%ld)", lifetime, now.sec); 248 data->send_new_pac = 2; 249 /* 250 * Allow PAC to be used to allow a PAC update with some level 251 * of server authentication (i.e., do not fall back to full TLS 252 * handshake since we cannot be sure that the peer would be 253 * able to validate server certificate now). However, reject 254 * the authentication since the PAC was not valid anymore. Peer 255 * can connect again with the newly provisioned PAC after this. 256 */ 257 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 258 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send " 259 "an update if authentication succeeds"); 260 data->send_new_pac = 1; 261 } 262 263 eap_fast_derive_master_secret(pac_key, server_random, client_random, 264 master_secret); 265 266 os_free(buf); 267 268 return 1; 269} 270 271 272static void eap_fast_derive_key_auth(struct eap_sm *sm, 273 struct eap_fast_data *data) 274{ 275 u8 *sks; 276 277 /* RFC 4851, Section 5.1: 278 * Extra key material after TLS key_block: session_key_seed[40] 279 */ 280 281 sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion", 282 EAP_FAST_SKS_LEN); 283 if (sks == NULL) { 284 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " 285 "session_key_seed"); 286 return; 287 } 288 289 /* 290 * RFC 4851, Section 5.2: 291 * S-IMCK[0] = session_key_seed 292 */ 293 wpa_hexdump_key(MSG_DEBUG, 294 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 295 sks, EAP_FAST_SKS_LEN); 296 data->simck_idx = 0; 297 os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN); 298 os_free(sks); 299} 300 301 302static void eap_fast_derive_key_provisioning(struct eap_sm *sm, 303 struct eap_fast_data *data) 304{ 305 os_free(data->key_block_p); 306 data->key_block_p = (struct eap_fast_key_block_provisioning *) 307 eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, 308 "key expansion", 309 sizeof(*data->key_block_p)); 310 if (data->key_block_p == NULL) { 311 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); 312 return; 313 } 314 /* 315 * RFC 4851, Section 5.2: 316 * S-IMCK[0] = session_key_seed 317 */ 318 wpa_hexdump_key(MSG_DEBUG, 319 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 320 data->key_block_p->session_key_seed, 321 sizeof(data->key_block_p->session_key_seed)); 322 data->simck_idx = 0; 323 os_memcpy(data->simck, data->key_block_p->session_key_seed, 324 EAP_FAST_SIMCK_LEN); 325 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge", 326 data->key_block_p->server_challenge, 327 sizeof(data->key_block_p->server_challenge)); 328 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge", 329 data->key_block_p->client_challenge, 330 sizeof(data->key_block_p->client_challenge)); 331} 332 333 334static int eap_fast_get_phase2_key(struct eap_sm *sm, 335 struct eap_fast_data *data, 336 u8 *isk, size_t isk_len) 337{ 338 u8 *key; 339 size_t key_len; 340 341 os_memset(isk, 0, isk_len); 342 343 if (data->phase2_method == NULL || data->phase2_priv == NULL) { 344 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 345 "available"); 346 return -1; 347 } 348 349 if (data->phase2_method->getKey == NULL) 350 return 0; 351 352 if ((key = data->phase2_method->getKey(sm, data->phase2_priv, 353 &key_len)) == NULL) { 354 wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material " 355 "from Phase 2"); 356 return -1; 357 } 358 359 if (key_len > isk_len) 360 key_len = isk_len; 361 if (key_len == 32 && 362 data->phase2_method->vendor == EAP_VENDOR_IETF && 363 data->phase2_method->method == EAP_TYPE_MSCHAPV2) { 364 /* 365 * EAP-FAST uses reverse order for MS-MPPE keys when deriving 366 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct 367 * ISK for EAP-FAST cryptobinding. 368 */ 369 os_memcpy(isk, key + 16, 16); 370 os_memcpy(isk + 16, key, 16); 371 } else 372 os_memcpy(isk, key, key_len); 373 os_free(key); 374 375 return 0; 376} 377 378 379static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data) 380{ 381 u8 isk[32], imck[60]; 382 383 wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)", 384 data->simck_idx + 1); 385 386 /* 387 * RFC 4851, Section 5.2: 388 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", 389 * MSK[j], 60) 390 * S-IMCK[j] = first 40 octets of IMCK[j] 391 * CMK[j] = last 20 octets of IMCK[j] 392 */ 393 394 if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0) 395 return -1; 396 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk)); 397 sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, 398 "Inner Methods Compound Keys", 399 isk, sizeof(isk), imck, sizeof(imck)); 400 data->simck_idx++; 401 os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN); 402 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]", 403 data->simck, EAP_FAST_SIMCK_LEN); 404 os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, EAP_FAST_CMK_LEN); 405 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", 406 data->cmk, EAP_FAST_CMK_LEN); 407 408 return 0; 409} 410 411 412static void * eap_fast_init(struct eap_sm *sm) 413{ 414 struct eap_fast_data *data; 415 u8 ciphers[7] = { 416 TLS_CIPHER_ANON_DH_AES128_SHA, 417 TLS_CIPHER_AES128_SHA, 418 TLS_CIPHER_RSA_DHE_AES128_SHA, 419 TLS_CIPHER_RC4_SHA, 420 TLS_CIPHER_RSA_DHE_AES256_SHA, 421 TLS_CIPHER_AES256_SHA, 422 TLS_CIPHER_NONE 423 }; 424 425 data = os_zalloc(sizeof(*data)); 426 if (data == NULL) 427 return NULL; 428 data->fast_version = EAP_FAST_VERSION; 429 data->force_version = -1; 430 if (sm->user && sm->user->force_version >= 0) { 431 data->force_version = sm->user->force_version; 432 wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d", 433 data->force_version); 434 data->fast_version = data->force_version; 435 } 436 data->state = START; 437 438 if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_FAST)) { 439 wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL."); 440 eap_fast_reset(sm, data); 441 return NULL; 442 } 443 444 if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn, 445 ciphers) < 0) { 446 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher " 447 "suites"); 448 eap_fast_reset(sm, data); 449 return NULL; 450 } 451 452 if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, 453 eap_fast_session_ticket_cb, 454 data) < 0) { 455 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket " 456 "callback"); 457 eap_fast_reset(sm, data); 458 return NULL; 459 } 460 461 if (sm->pac_opaque_encr_key == NULL) { 462 wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key " 463 "configured"); 464 eap_fast_reset(sm, data); 465 return NULL; 466 } 467 os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, 468 sizeof(data->pac_opaque_encr)); 469 470 if (sm->eap_fast_a_id == NULL) { 471 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured"); 472 eap_fast_reset(sm, data); 473 return NULL; 474 } 475 data->srv_id = os_malloc(sm->eap_fast_a_id_len); 476 if (data->srv_id == NULL) { 477 eap_fast_reset(sm, data); 478 return NULL; 479 } 480 os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len); 481 data->srv_id_len = sm->eap_fast_a_id_len; 482 483 if (sm->eap_fast_a_id_info == NULL) { 484 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured"); 485 eap_fast_reset(sm, data); 486 return NULL; 487 } 488 data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); 489 if (data->srv_id_info == NULL) { 490 eap_fast_reset(sm, data); 491 return NULL; 492 } 493 494 /* PAC-Key lifetime in seconds (hard limit) */ 495 data->pac_key_lifetime = sm->pac_key_lifetime; 496 497 /* 498 * PAC-Key refresh time in seconds (soft limit on remaining hard 499 * limit). The server will generate a new PAC-Key when this number of 500 * seconds (or fewer) of the lifetime remains. 501 */ 502 data->pac_key_refresh_time = sm->pac_key_refresh_time; 503 504 return data; 505} 506 507 508static void eap_fast_reset(struct eap_sm *sm, void *priv) 509{ 510 struct eap_fast_data *data = priv; 511 if (data == NULL) 512 return; 513 if (data->phase2_priv && data->phase2_method) 514 data->phase2_method->reset(sm, data->phase2_priv); 515 eap_server_tls_ssl_deinit(sm, &data->ssl); 516 os_free(data->srv_id); 517 os_free(data->srv_id_info); 518 os_free(data->key_block_p); 519 wpabuf_free(data->pending_phase2_resp); 520 os_free(data->identity); 521 bin_clear_free(data, sizeof(*data)); 522} 523 524 525static struct wpabuf * eap_fast_build_start(struct eap_sm *sm, 526 struct eap_fast_data *data, u8 id) 527{ 528 struct wpabuf *req; 529 530 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST, 531 1 + sizeof(struct pac_tlv_hdr) + data->srv_id_len, 532 EAP_CODE_REQUEST, id); 533 if (req == NULL) { 534 wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for" 535 " request"); 536 eap_fast_state(data, FAILURE); 537 return NULL; 538 } 539 540 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version); 541 542 /* RFC 4851, 4.1.1. Authority ID Data */ 543 eap_fast_put_tlv(req, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 544 545 eap_fast_state(data, PHASE1); 546 547 return req; 548} 549 550 551static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data) 552{ 553 char cipher[64]; 554 555 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2"); 556 557 if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) 558 < 0) { 559 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher " 560 "information"); 561 eap_fast_state(data, FAILURE); 562 return -1; 563 } 564 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 565 566 if (data->anon_provisioning) { 567 wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning"); 568 eap_fast_derive_key_provisioning(sm, data); 569 } else 570 eap_fast_derive_key_auth(sm, data); 571 572 eap_fast_state(data, PHASE2_START); 573 574 return 0; 575} 576 577 578static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm, 579 struct eap_fast_data *data, 580 u8 id) 581{ 582 struct wpabuf *req; 583 584 if (data->phase2_priv == NULL) { 585 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 586 "initialized"); 587 return NULL; 588 } 589 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 590 if (req == NULL) 591 return NULL; 592 593 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req); 594 return eap_fast_tlv_eap_payload(req); 595} 596 597 598static struct wpabuf * eap_fast_build_crypto_binding( 599 struct eap_sm *sm, struct eap_fast_data *data) 600{ 601 struct wpabuf *buf; 602 struct eap_tlv_result_tlv *result; 603 struct eap_tlv_crypto_binding_tlv *binding; 604 605 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*binding)); 606 if (buf == NULL) 607 return NULL; 608 609 if (data->send_new_pac || data->anon_provisioning || 610 data->phase2_method) 611 data->final_result = 0; 612 else 613 data->final_result = 1; 614 615 if (!data->final_result || data->eap_seq > 1) { 616 /* Intermediate-Result */ 617 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Intermediate-Result TLV " 618 "(status=SUCCESS)"); 619 result = wpabuf_put(buf, sizeof(*result)); 620 result->tlv_type = host_to_be16( 621 EAP_TLV_TYPE_MANDATORY | 622 EAP_TLV_INTERMEDIATE_RESULT_TLV); 623 result->length = host_to_be16(2); 624 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 625 } 626 627 if (data->final_result) { 628 /* Result TLV */ 629 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV " 630 "(status=SUCCESS)"); 631 result = wpabuf_put(buf, sizeof(*result)); 632 result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 633 EAP_TLV_RESULT_TLV); 634 result->length = host_to_be16(2); 635 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 636 } 637 638 /* Crypto-Binding TLV */ 639 binding = wpabuf_put(buf, sizeof(*binding)); 640 binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 641 EAP_TLV_CRYPTO_BINDING_TLV); 642 binding->length = host_to_be16(sizeof(*binding) - 643 sizeof(struct eap_tlv_hdr)); 644 binding->version = EAP_FAST_VERSION; 645 binding->received_version = data->peer_version; 646 binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; 647 if (random_get_bytes(binding->nonce, sizeof(binding->nonce)) < 0) { 648 wpabuf_free(buf); 649 return NULL; 650 } 651 652 /* 653 * RFC 4851, Section 4.2.8: 654 * The nonce in a request MUST have its least significant bit set to 0. 655 */ 656 binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01; 657 658 os_memcpy(data->crypto_binding_nonce, binding->nonce, 659 sizeof(binding->nonce)); 660 661 /* 662 * RFC 4851, Section 5.3: 663 * CMK = CMK[j] 664 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) 665 */ 666 667 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, 668 (u8 *) binding, sizeof(*binding), 669 binding->compound_mac); 670 671 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d " 672 "Received Version %d SubType %d", 673 binding->version, binding->received_version, 674 binding->subtype); 675 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 676 binding->nonce, sizeof(binding->nonce)); 677 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 678 binding->compound_mac, sizeof(binding->compound_mac)); 679 680 return buf; 681} 682 683 684static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm, 685 struct eap_fast_data *data) 686{ 687 u8 pac_key[EAP_FAST_PAC_KEY_LEN]; 688 u8 *pac_buf, *pac_opaque; 689 struct wpabuf *buf; 690 u8 *pos; 691 size_t buf_len, srv_id_info_len, pac_len; 692 struct eap_tlv_hdr *pac_tlv; 693 struct pac_tlv_hdr *pac_info; 694 struct eap_tlv_result_tlv *result; 695 struct os_time now; 696 697 if (random_get_bytes(pac_key, EAP_FAST_PAC_KEY_LEN) < 0 || 698 os_get_time(&now) < 0) 699 return NULL; 700 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key", 701 pac_key, EAP_FAST_PAC_KEY_LEN); 702 703 pac_len = (2 + EAP_FAST_PAC_KEY_LEN) + (2 + 4) + 704 (2 + sm->identity_len) + 8; 705 pac_buf = os_malloc(pac_len); 706 if (pac_buf == NULL) 707 return NULL; 708 709 srv_id_info_len = os_strlen(data->srv_id_info); 710 711 pos = pac_buf; 712 *pos++ = PAC_OPAQUE_TYPE_KEY; 713 *pos++ = EAP_FAST_PAC_KEY_LEN; 714 os_memcpy(pos, pac_key, EAP_FAST_PAC_KEY_LEN); 715 pos += EAP_FAST_PAC_KEY_LEN; 716 717 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 718 *pos++ = 4; 719 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 720 pos += 4; 721 722 if (sm->identity) { 723 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 724 *pos++ = sm->identity_len; 725 os_memcpy(pos, sm->identity, sm->identity_len); 726 pos += sm->identity_len; 727 } 728 729 pac_len = pos - pac_buf; 730 while (pac_len % 8) { 731 *pos++ = PAC_OPAQUE_TYPE_PAD; 732 pac_len++; 733 } 734 735 pac_opaque = os_malloc(pac_len + 8); 736 if (pac_opaque == NULL) { 737 os_free(pac_buf); 738 return NULL; 739 } 740 if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 741 pac_len / 8, pac_buf, pac_opaque) < 0) { 742 os_free(pac_buf); 743 os_free(pac_opaque); 744 return NULL; 745 } 746 os_free(pac_buf); 747 748 pac_len += 8; 749 wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque", 750 pac_opaque, pac_len); 751 752 buf_len = sizeof(*pac_tlv) + 753 sizeof(struct pac_tlv_hdr) + EAP_FAST_PAC_KEY_LEN + 754 sizeof(struct pac_tlv_hdr) + pac_len + 755 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 756 buf = wpabuf_alloc(buf_len); 757 if (buf == NULL) { 758 os_free(pac_opaque); 759 return NULL; 760 } 761 762 /* Result TLV */ 763 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)"); 764 result = wpabuf_put(buf, sizeof(*result)); 765 WPA_PUT_BE16((u8 *) &result->tlv_type, 766 EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV); 767 WPA_PUT_BE16((u8 *) &result->length, 2); 768 WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS); 769 770 /* PAC TLV */ 771 wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV"); 772 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 773 pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 774 EAP_TLV_PAC_TLV); 775 776 /* PAC-Key */ 777 eap_fast_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_FAST_PAC_KEY_LEN); 778 779 /* PAC-Opaque */ 780 eap_fast_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 781 os_free(pac_opaque); 782 783 /* PAC-Info */ 784 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 785 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 786 787 /* PAC-Lifetime (inside PAC-Info) */ 788 eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 789 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 790 791 /* A-ID (inside PAC-Info) */ 792 eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 793 794 /* Note: headers may be misaligned after A-ID */ 795 796 if (sm->identity) { 797 eap_fast_put_tlv(buf, PAC_TYPE_I_ID, sm->identity, 798 sm->identity_len); 799 } 800 801 /* A-ID-Info (inside PAC-Info) */ 802 eap_fast_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 803 srv_id_info_len); 804 805 /* PAC-Type (inside PAC-Info) */ 806 eap_fast_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 807 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 808 809 /* Update PAC-Info and PAC TLV Length fields */ 810 pos = wpabuf_put(buf, 0); 811 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 812 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 813 814 return buf; 815} 816 817 818static int eap_fast_encrypt_phase2(struct eap_sm *sm, 819 struct eap_fast_data *data, 820 struct wpabuf *plain, int piggyback) 821{ 822 struct wpabuf *encr; 823 824 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs", 825 plain); 826 encr = eap_server_tls_encrypt(sm, &data->ssl, plain); 827 wpabuf_free(plain); 828 829 if (!encr) 830 return -1; 831 832 if (data->ssl.tls_out && piggyback) { 833 wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data " 834 "(len=%d) with last Phase 1 Message (len=%d " 835 "used=%d)", 836 (int) wpabuf_len(encr), 837 (int) wpabuf_len(data->ssl.tls_out), 838 (int) data->ssl.tls_out_pos); 839 if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) { 840 wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize " 841 "output buffer"); 842 wpabuf_free(encr); 843 return -1; 844 } 845 wpabuf_put_buf(data->ssl.tls_out, encr); 846 wpabuf_free(encr); 847 } else { 848 wpabuf_free(data->ssl.tls_out); 849 data->ssl.tls_out_pos = 0; 850 data->ssl.tls_out = encr; 851 } 852 853 return 0; 854} 855 856 857static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id) 858{ 859 struct eap_fast_data *data = priv; 860 struct wpabuf *req = NULL; 861 int piggyback = 0; 862 863 if (data->ssl.state == FRAG_ACK) { 864 return eap_server_tls_build_ack(id, EAP_TYPE_FAST, 865 data->fast_version); 866 } 867 868 if (data->ssl.state == WAIT_FRAG_ACK) { 869 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 870 data->fast_version, id); 871 } 872 873 switch (data->state) { 874 case START: 875 return eap_fast_build_start(sm, data, id); 876 case PHASE1: 877 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 878 if (eap_fast_phase1_done(sm, data) < 0) 879 return NULL; 880 if (data->state == PHASE2_START) { 881 /* 882 * Try to generate Phase 2 data to piggyback 883 * with the end of Phase 1 to avoid extra 884 * roundtrip. 885 */ 886 wpa_printf(MSG_DEBUG, "EAP-FAST: Try to start " 887 "Phase 2"); 888 if (eap_fast_process_phase2_start(sm, data)) 889 break; 890 req = eap_fast_build_phase2_req(sm, data, id); 891 piggyback = 1; 892 } 893 } 894 break; 895 case PHASE2_ID: 896 case PHASE2_METHOD: 897 req = eap_fast_build_phase2_req(sm, data, id); 898 break; 899 case CRYPTO_BINDING: 900 req = eap_fast_build_crypto_binding(sm, data); 901 if (data->phase2_method) { 902 /* 903 * Include the start of the next EAP method in the 904 * sequence in the same message with Crypto-Binding to 905 * save a round-trip. 906 */ 907 struct wpabuf *eap; 908 eap = eap_fast_build_phase2_req(sm, data, id); 909 req = wpabuf_concat(req, eap); 910 eap_fast_state(data, PHASE2_METHOD); 911 } 912 break; 913 case REQUEST_PAC: 914 req = eap_fast_build_pac(sm, data); 915 break; 916 default: 917 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 918 __func__, data->state); 919 return NULL; 920 } 921 922 if (req && 923 eap_fast_encrypt_phase2(sm, data, req, piggyback) < 0) 924 return NULL; 925 926 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 927 data->fast_version, id); 928} 929 930 931static Boolean eap_fast_check(struct eap_sm *sm, void *priv, 932 struct wpabuf *respData) 933{ 934 const u8 *pos; 935 size_t len; 936 937 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len); 938 if (pos == NULL || len < 1) { 939 wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame"); 940 return TRUE; 941 } 942 943 return FALSE; 944} 945 946 947static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data, 948 EapType eap_type) 949{ 950 if (data->phase2_priv && data->phase2_method) { 951 data->phase2_method->reset(sm, data->phase2_priv); 952 data->phase2_method = NULL; 953 data->phase2_priv = NULL; 954 } 955 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 956 eap_type); 957 if (!data->phase2_method) 958 return -1; 959 960 if (data->key_block_p) { 961 sm->auth_challenge = data->key_block_p->server_challenge; 962 sm->peer_challenge = data->key_block_p->client_challenge; 963 } 964 sm->init_phase2 = 1; 965 data->phase2_priv = data->phase2_method->init(sm); 966 sm->init_phase2 = 0; 967 sm->auth_challenge = NULL; 968 sm->peer_challenge = NULL; 969 970 return data->phase2_priv == NULL ? -1 : 0; 971} 972 973 974static void eap_fast_process_phase2_response(struct eap_sm *sm, 975 struct eap_fast_data *data, 976 u8 *in_data, size_t in_len) 977{ 978 u8 next_type = EAP_TYPE_NONE; 979 struct eap_hdr *hdr; 980 u8 *pos; 981 size_t left; 982 struct wpabuf buf; 983 const struct eap_method *m = data->phase2_method; 984 void *priv = data->phase2_priv; 985 986 if (priv == NULL) { 987 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not " 988 "initialized?!", __func__); 989 return; 990 } 991 992 hdr = (struct eap_hdr *) in_data; 993 pos = (u8 *) (hdr + 1); 994 995 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 996 left = in_len - sizeof(*hdr); 997 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; " 998 "allowed types", pos + 1, left - 1); 999#ifdef EAP_SERVER_TNC 1000 if (m && m->vendor == EAP_VENDOR_IETF && 1001 m->method == EAP_TYPE_TNC) { 1002 wpa_printf(MSG_DEBUG, "EAP-FAST: Peer Nak'ed required " 1003 "TNC negotiation"); 1004 next_type = eap_fast_req_failure(sm, data); 1005 eap_fast_phase2_init(sm, data, next_type); 1006 return; 1007 } 1008#endif /* EAP_SERVER_TNC */ 1009 eap_sm_process_nak(sm, pos + 1, left - 1); 1010 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1011 sm->user->methods[sm->user_eap_method_index].method != 1012 EAP_TYPE_NONE) { 1013 next_type = sm->user->methods[ 1014 sm->user_eap_method_index++].method; 1015 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", 1016 next_type); 1017 } else { 1018 next_type = eap_fast_req_failure(sm, data); 1019 } 1020 eap_fast_phase2_init(sm, data, next_type); 1021 return; 1022 } 1023 1024 wpabuf_set(&buf, in_data, in_len); 1025 1026 if (m->check(sm, priv, &buf)) { 1027 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to " 1028 "ignore the packet"); 1029 eap_fast_req_failure(sm, data); 1030 return; 1031 } 1032 1033 m->process(sm, priv, &buf); 1034 1035 if (!m->isDone(sm, priv)) 1036 return; 1037 1038 if (!m->isSuccess(sm, priv)) { 1039 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed"); 1040 next_type = eap_fast_req_failure(sm, data); 1041 eap_fast_phase2_init(sm, data, next_type); 1042 return; 1043 } 1044 1045 switch (data->state) { 1046 case PHASE2_ID: 1047 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1048 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 " 1049 "Identity not found in the user " 1050 "database", 1051 sm->identity, sm->identity_len); 1052 next_type = eap_fast_req_failure(sm, data); 1053 break; 1054 } 1055 1056 eap_fast_state(data, PHASE2_METHOD); 1057 if (data->anon_provisioning) { 1058 /* 1059 * Only EAP-MSCHAPv2 is allowed for anonymous 1060 * provisioning. 1061 */ 1062 next_type = EAP_TYPE_MSCHAPV2; 1063 sm->user_eap_method_index = 0; 1064 } else { 1065 next_type = sm->user->methods[0].method; 1066 sm->user_eap_method_index = 1; 1067 } 1068 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", next_type); 1069 break; 1070 case PHASE2_METHOD: 1071 case CRYPTO_BINDING: 1072 eap_fast_update_icmk(sm, data); 1073 eap_fast_state(data, CRYPTO_BINDING); 1074 data->eap_seq++; 1075 next_type = EAP_TYPE_NONE; 1076#ifdef EAP_SERVER_TNC 1077 if (sm->tnc && !data->tnc_started) { 1078 wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC"); 1079 next_type = EAP_TYPE_TNC; 1080 data->tnc_started = 1; 1081 } 1082#endif /* EAP_SERVER_TNC */ 1083 break; 1084 case FAILURE: 1085 break; 1086 default: 1087 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 1088 __func__, data->state); 1089 break; 1090 } 1091 1092 eap_fast_phase2_init(sm, data, next_type); 1093} 1094 1095 1096static void eap_fast_process_phase2_eap(struct eap_sm *sm, 1097 struct eap_fast_data *data, 1098 u8 *in_data, size_t in_len) 1099{ 1100 struct eap_hdr *hdr; 1101 size_t len; 1102 1103 hdr = (struct eap_hdr *) in_data; 1104 if (in_len < (int) sizeof(*hdr)) { 1105 wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 " 1106 "EAP frame (len=%lu)", (unsigned long) in_len); 1107 eap_fast_req_failure(sm, data); 1108 return; 1109 } 1110 len = be_to_host16(hdr->length); 1111 if (len > in_len) { 1112 wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in " 1113 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1114 (unsigned long) in_len, (unsigned long) len); 1115 eap_fast_req_failure(sm, data); 1116 return; 1117 } 1118 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d " 1119 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1120 (unsigned long) len); 1121 switch (hdr->code) { 1122 case EAP_CODE_RESPONSE: 1123 eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len); 1124 break; 1125 default: 1126 wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in " 1127 "Phase 2 EAP header", hdr->code); 1128 break; 1129 } 1130} 1131 1132 1133static int eap_fast_parse_tlvs(struct wpabuf *data, 1134 struct eap_fast_tlv_parse *tlv) 1135{ 1136 int mandatory, tlv_type, res; 1137 size_t len; 1138 u8 *pos, *end; 1139 1140 os_memset(tlv, 0, sizeof(*tlv)); 1141 1142 pos = wpabuf_mhead(data); 1143 end = pos + wpabuf_len(data); 1144 while (end - pos > 4) { 1145 mandatory = pos[0] & 0x80; 1146 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1147 pos += 2; 1148 len = WPA_GET_BE16(pos); 1149 pos += 2; 1150 if (len > (size_t) (end - pos)) { 1151 wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); 1152 return -1; 1153 } 1154 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " 1155 "TLV type %d length %u%s", 1156 tlv_type, (unsigned int) len, 1157 mandatory ? " (mandatory)" : ""); 1158 1159 res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); 1160 if (res == -2) 1161 break; 1162 if (res < 0) { 1163 if (mandatory) { 1164 wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown " 1165 "mandatory TLV type %d", tlv_type); 1166 /* TODO: generate Nak TLV */ 1167 break; 1168 } else { 1169 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored " 1170 "unknown optional TLV type %d", 1171 tlv_type); 1172 } 1173 } 1174 1175 pos += len; 1176 } 1177 1178 return 0; 1179} 1180 1181 1182static int eap_fast_validate_crypto_binding( 1183 struct eap_fast_data *data, struct eap_tlv_crypto_binding_tlv *b, 1184 size_t bind_len) 1185{ 1186 u8 cmac[SHA1_MAC_LEN]; 1187 1188 wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: " 1189 "Version %d Received Version %d SubType %d", 1190 b->version, b->received_version, b->subtype); 1191 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 1192 b->nonce, sizeof(b->nonce)); 1193 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 1194 b->compound_mac, sizeof(b->compound_mac)); 1195 1196 if (b->version != EAP_FAST_VERSION || 1197 b->received_version != EAP_FAST_VERSION) { 1198 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version " 1199 "in Crypto-Binding: version %d " 1200 "received_version %d", b->version, 1201 b->received_version); 1202 return -1; 1203 } 1204 1205 if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1206 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in " 1207 "Crypto-Binding: %d", b->subtype); 1208 return -1; 1209 } 1210 1211 if (os_memcmp_const(data->crypto_binding_nonce, b->nonce, 31) != 0 || 1212 (data->crypto_binding_nonce[31] | 1) != b->nonce[31]) { 1213 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in " 1214 "Crypto-Binding"); 1215 return -1; 1216 } 1217 1218 os_memcpy(cmac, b->compound_mac, sizeof(cmac)); 1219 os_memset(b->compound_mac, 0, sizeof(cmac)); 1220 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for " 1221 "Compound MAC calculation", 1222 (u8 *) b, bind_len); 1223 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, (u8 *) b, bind_len, 1224 b->compound_mac); 1225 if (os_memcmp_const(cmac, b->compound_mac, sizeof(cmac)) != 0) { 1226 wpa_hexdump(MSG_MSGDUMP, 1227 "EAP-FAST: Calculated Compound MAC", 1228 b->compound_mac, sizeof(cmac)); 1229 wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not " 1230 "match"); 1231 return -1; 1232 } 1233 1234 return 0; 1235} 1236 1237 1238static int eap_fast_pac_type(u8 *pac, size_t len, u16 type) 1239{ 1240 struct eap_tlv_pac_type_tlv *tlv; 1241 1242 if (pac == NULL || len != sizeof(*tlv)) 1243 return 0; 1244 1245 tlv = (struct eap_tlv_pac_type_tlv *) pac; 1246 1247 return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE && 1248 be_to_host16(tlv->length) == 2 && 1249 be_to_host16(tlv->pac_type) == type; 1250} 1251 1252 1253static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, 1254 struct eap_fast_data *data, 1255 struct wpabuf *in_data) 1256{ 1257 struct eap_fast_tlv_parse tlv; 1258 int check_crypto_binding = data->state == CRYPTO_BINDING; 1259 1260 if (eap_fast_parse_tlvs(in_data, &tlv) < 0) { 1261 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received " 1262 "Phase 2 TLVs"); 1263 return; 1264 } 1265 1266 if (tlv.result == EAP_TLV_RESULT_FAILURE) { 1267 wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated " 1268 "failure"); 1269 eap_fast_state(data, FAILURE); 1270 return; 1271 } 1272 1273 if (data->state == REQUEST_PAC) { 1274 u16 type, len, res; 1275 if (tlv.pac == NULL || tlv.pac_len < 6) { 1276 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC " 1277 "Acknowledgement received"); 1278 eap_fast_state(data, FAILURE); 1279 return; 1280 } 1281 1282 type = WPA_GET_BE16(tlv.pac); 1283 len = WPA_GET_BE16(tlv.pac + 2); 1284 res = WPA_GET_BE16(tlv.pac + 4); 1285 1286 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1287 res != EAP_TLV_RESULT_SUCCESS) { 1288 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not " 1289 "contain acknowledgement"); 1290 eap_fast_state(data, FAILURE); 1291 return; 1292 } 1293 1294 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received " 1295 "- PAC provisioning succeeded"); 1296 eap_fast_state(data, (data->anon_provisioning || 1297 data->send_new_pac == 2) ? 1298 FAILURE : SUCCESS); 1299 return; 1300 } 1301 1302 if (check_crypto_binding) { 1303 if (tlv.crypto_binding == NULL) { 1304 wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding " 1305 "TLV received"); 1306 eap_fast_state(data, FAILURE); 1307 return; 1308 } 1309 1310 if (data->final_result && 1311 tlv.result != EAP_TLV_RESULT_SUCCESS) { 1312 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1313 "without Success Result"); 1314 eap_fast_state(data, FAILURE); 1315 return; 1316 } 1317 1318 if (!data->final_result && 1319 tlv.iresult != EAP_TLV_RESULT_SUCCESS) { 1320 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1321 "without intermediate Success Result"); 1322 eap_fast_state(data, FAILURE); 1323 return; 1324 } 1325 1326 if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding, 1327 tlv.crypto_binding_len)) { 1328 eap_fast_state(data, FAILURE); 1329 return; 1330 } 1331 1332 wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV " 1333 "received"); 1334 if (data->final_result) { 1335 wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication " 1336 "completed successfully"); 1337 } 1338 1339 if (data->anon_provisioning && 1340 sm->eap_fast_prov != ANON_PROV && 1341 sm->eap_fast_prov != BOTH_PROV) { 1342 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1343 "use unauthenticated provisioning which is " 1344 "disabled"); 1345 eap_fast_state(data, FAILURE); 1346 return; 1347 } 1348 1349 if (sm->eap_fast_prov != AUTH_PROV && 1350 sm->eap_fast_prov != BOTH_PROV && 1351 tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1352 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1353 PAC_TYPE_TUNNEL_PAC)) { 1354 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1355 "use authenticated provisioning which is " 1356 "disabled"); 1357 eap_fast_state(data, FAILURE); 1358 return; 1359 } 1360 1361 if (data->anon_provisioning || 1362 (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1363 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1364 PAC_TYPE_TUNNEL_PAC))) { 1365 wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new " 1366 "Tunnel PAC"); 1367 eap_fast_state(data, REQUEST_PAC); 1368 } else if (data->send_new_pac) { 1369 wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered " 1370 "re-keying of Tunnel PAC"); 1371 eap_fast_state(data, REQUEST_PAC); 1372 } else if (data->final_result) 1373 eap_fast_state(data, SUCCESS); 1374 } 1375 1376 if (tlv.eap_payload_tlv) { 1377 eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1378 tlv.eap_payload_tlv_len); 1379 } 1380} 1381 1382 1383static void eap_fast_process_phase2(struct eap_sm *sm, 1384 struct eap_fast_data *data, 1385 struct wpabuf *in_buf) 1386{ 1387 struct wpabuf *in_decrypted; 1388 1389 wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for" 1390 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 1391 1392 if (data->pending_phase2_resp) { 1393 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - " 1394 "skip decryption and use old data"); 1395 eap_fast_process_phase2_tlvs(sm, data, 1396 data->pending_phase2_resp); 1397 wpabuf_free(data->pending_phase2_resp); 1398 data->pending_phase2_resp = NULL; 1399 return; 1400 } 1401 1402 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1403 in_buf); 1404 if (in_decrypted == NULL) { 1405 wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 " 1406 "data"); 1407 eap_fast_state(data, FAILURE); 1408 return; 1409 } 1410 1411 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs", 1412 in_decrypted); 1413 1414 eap_fast_process_phase2_tlvs(sm, data, in_decrypted); 1415 1416 if (sm->method_pending == METHOD_PENDING_WAIT) { 1417 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in " 1418 "pending wait state - save decrypted response"); 1419 wpabuf_free(data->pending_phase2_resp); 1420 data->pending_phase2_resp = in_decrypted; 1421 return; 1422 } 1423 1424 wpabuf_free(in_decrypted); 1425} 1426 1427 1428static int eap_fast_process_version(struct eap_sm *sm, void *priv, 1429 int peer_version) 1430{ 1431 struct eap_fast_data *data = priv; 1432 1433 data->peer_version = peer_version; 1434 1435 if (data->force_version >= 0 && peer_version != data->force_version) { 1436 wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced" 1437 " version (forced=%d peer=%d) - reject", 1438 data->force_version, peer_version); 1439 return -1; 1440 } 1441 1442 if (peer_version < data->fast_version) { 1443 wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; " 1444 "use version %d", 1445 peer_version, data->fast_version, peer_version); 1446 data->fast_version = peer_version; 1447 } 1448 1449 return 0; 1450} 1451 1452 1453static int eap_fast_process_phase1(struct eap_sm *sm, 1454 struct eap_fast_data *data) 1455{ 1456 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1457 wpa_printf(MSG_INFO, "EAP-FAST: TLS processing failed"); 1458 eap_fast_state(data, FAILURE); 1459 return -1; 1460 } 1461 1462 if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || 1463 wpabuf_len(data->ssl.tls_out) > 0) 1464 return 1; 1465 1466 /* 1467 * Phase 1 was completed with the received message (e.g., when using 1468 * abbreviated handshake), so Phase 2 can be started immediately 1469 * without having to send through an empty message to the peer. 1470 */ 1471 1472 return eap_fast_phase1_done(sm, data); 1473} 1474 1475 1476static int eap_fast_process_phase2_start(struct eap_sm *sm, 1477 struct eap_fast_data *data) 1478{ 1479 u8 next_type; 1480 1481 if (data->identity) { 1482 os_free(sm->identity); 1483 sm->identity = data->identity; 1484 data->identity = NULL; 1485 sm->identity_len = data->identity_len; 1486 data->identity_len = 0; 1487 sm->require_identity_match = 1; 1488 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1489 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: " 1490 "Phase2 Identity not found " 1491 "in the user database", 1492 sm->identity, sm->identity_len); 1493 next_type = eap_fast_req_failure(sm, data); 1494 } else { 1495 wpa_printf(MSG_DEBUG, "EAP-FAST: Identity already " 1496 "known - skip Phase 2 Identity Request"); 1497 next_type = sm->user->methods[0].method; 1498 sm->user_eap_method_index = 1; 1499 } 1500 1501 eap_fast_state(data, PHASE2_METHOD); 1502 } else { 1503 eap_fast_state(data, PHASE2_ID); 1504 next_type = EAP_TYPE_IDENTITY; 1505 } 1506 1507 return eap_fast_phase2_init(sm, data, next_type); 1508} 1509 1510 1511static void eap_fast_process_msg(struct eap_sm *sm, void *priv, 1512 const struct wpabuf *respData) 1513{ 1514 struct eap_fast_data *data = priv; 1515 1516 switch (data->state) { 1517 case PHASE1: 1518 if (eap_fast_process_phase1(sm, data)) 1519 break; 1520 1521 /* fall through to PHASE2_START */ 1522 case PHASE2_START: 1523 eap_fast_process_phase2_start(sm, data); 1524 break; 1525 case PHASE2_ID: 1526 case PHASE2_METHOD: 1527 case CRYPTO_BINDING: 1528 case REQUEST_PAC: 1529 eap_fast_process_phase2(sm, data, data->ssl.tls_in); 1530 break; 1531 default: 1532 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s", 1533 data->state, __func__); 1534 break; 1535 } 1536} 1537 1538 1539static void eap_fast_process(struct eap_sm *sm, void *priv, 1540 struct wpabuf *respData) 1541{ 1542 struct eap_fast_data *data = priv; 1543 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1544 EAP_TYPE_FAST, eap_fast_process_version, 1545 eap_fast_process_msg) < 0) 1546 eap_fast_state(data, FAILURE); 1547} 1548 1549 1550static Boolean eap_fast_isDone(struct eap_sm *sm, void *priv) 1551{ 1552 struct eap_fast_data *data = priv; 1553 return data->state == SUCCESS || data->state == FAILURE; 1554} 1555 1556 1557static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len) 1558{ 1559 struct eap_fast_data *data = priv; 1560 u8 *eapKeyData; 1561 1562 if (data->state != SUCCESS) 1563 return NULL; 1564 1565 eapKeyData = os_malloc(EAP_FAST_KEY_LEN); 1566 if (eapKeyData == NULL) 1567 return NULL; 1568 1569 if (eap_fast_derive_eap_msk(data->simck, eapKeyData) < 0) { 1570 os_free(eapKeyData); 1571 return NULL; 1572 } 1573 *len = EAP_FAST_KEY_LEN; 1574 1575 return eapKeyData; 1576} 1577 1578 1579static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1580{ 1581 struct eap_fast_data *data = priv; 1582 u8 *eapKeyData; 1583 1584 if (data->state != SUCCESS) 1585 return NULL; 1586 1587 eapKeyData = os_malloc(EAP_EMSK_LEN); 1588 if (eapKeyData == NULL) 1589 return NULL; 1590 1591 if (eap_fast_derive_eap_emsk(data->simck, eapKeyData) < 0) { 1592 os_free(eapKeyData); 1593 return NULL; 1594 } 1595 *len = EAP_EMSK_LEN; 1596 1597 return eapKeyData; 1598} 1599 1600 1601static Boolean eap_fast_isSuccess(struct eap_sm *sm, void *priv) 1602{ 1603 struct eap_fast_data *data = priv; 1604 return data->state == SUCCESS; 1605} 1606 1607 1608static u8 * eap_fast_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1609{ 1610 struct eap_fast_data *data = priv; 1611 1612 if (data->state != SUCCESS) 1613 return NULL; 1614 1615 return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_FAST, 1616 len); 1617} 1618 1619 1620int eap_server_fast_register(void) 1621{ 1622 struct eap_method *eap; 1623 1624 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1625 EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST"); 1626 if (eap == NULL) 1627 return -1; 1628 1629 eap->init = eap_fast_init; 1630 eap->reset = eap_fast_reset; 1631 eap->buildReq = eap_fast_buildReq; 1632 eap->check = eap_fast_check; 1633 eap->process = eap_fast_process; 1634 eap->isDone = eap_fast_isDone; 1635 eap->getKey = eap_fast_getKey; 1636 eap->get_emsk = eap_fast_get_emsk; 1637 eap->isSuccess = eap_fast_isSuccess; 1638 eap->getSessionId = eap_fast_get_session_id; 1639 1640 return eap_server_method_register(eap); 1641} 1642