16d49e1aeSJan Lentfer /*
26d49e1aeSJan Lentfer * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
3*a1157835SDaniel Fojt * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
46d49e1aeSJan Lentfer *
53ff40c12SJohn Marino * This software may be distributed under the terms of the BSD license.
63ff40c12SJohn Marino * See README for more details.
76d49e1aeSJan Lentfer */
86d49e1aeSJan Lentfer
96d49e1aeSJan Lentfer #include "includes.h"
106d49e1aeSJan Lentfer
116d49e1aeSJan Lentfer #include "common.h"
123ff40c12SJohn Marino #include "crypto/sha1.h"
133ff40c12SJohn Marino #include "crypto/tls.h"
146d49e1aeSJan Lentfer #include "eap_i.h"
156d49e1aeSJan Lentfer #include "eap_tls_common.h"
166d49e1aeSJan Lentfer #include "eap_config.h"
173ff40c12SJohn Marino
183ff40c12SJohn Marino
eap_tls_msg_alloc(EapType type,size_t payload_len,u8 code,u8 identifier)193ff40c12SJohn Marino static struct wpabuf * eap_tls_msg_alloc(EapType type, size_t payload_len,
203ff40c12SJohn Marino u8 code, u8 identifier)
213ff40c12SJohn Marino {
223ff40c12SJohn Marino if (type == EAP_UNAUTH_TLS_TYPE)
233ff40c12SJohn Marino return eap_msg_alloc(EAP_VENDOR_UNAUTH_TLS,
243ff40c12SJohn Marino EAP_VENDOR_TYPE_UNAUTH_TLS, payload_len,
253ff40c12SJohn Marino code, identifier);
26*a1157835SDaniel Fojt if (type == EAP_WFA_UNAUTH_TLS_TYPE)
27*a1157835SDaniel Fojt return eap_msg_alloc(EAP_VENDOR_WFA_NEW,
28*a1157835SDaniel Fojt EAP_VENDOR_WFA_UNAUTH_TLS, payload_len,
29*a1157835SDaniel Fojt code, identifier);
303ff40c12SJohn Marino return eap_msg_alloc(EAP_VENDOR_IETF, type, payload_len, code,
313ff40c12SJohn Marino identifier);
323ff40c12SJohn Marino }
336d49e1aeSJan Lentfer
346d49e1aeSJan Lentfer
eap_tls_check_blob(struct eap_sm * sm,const char ** name,const u8 ** data,size_t * data_len)356d49e1aeSJan Lentfer static int eap_tls_check_blob(struct eap_sm *sm, const char **name,
366d49e1aeSJan Lentfer const u8 **data, size_t *data_len)
376d49e1aeSJan Lentfer {
386d49e1aeSJan Lentfer const struct wpa_config_blob *blob;
396d49e1aeSJan Lentfer
406d49e1aeSJan Lentfer if (*name == NULL || os_strncmp(*name, "blob://", 7) != 0)
416d49e1aeSJan Lentfer return 0;
426d49e1aeSJan Lentfer
436d49e1aeSJan Lentfer blob = eap_get_config_blob(sm, *name + 7);
446d49e1aeSJan Lentfer if (blob == NULL) {
456d49e1aeSJan Lentfer wpa_printf(MSG_ERROR, "%s: Named configuration blob '%s' not "
466d49e1aeSJan Lentfer "found", __func__, *name + 7);
476d49e1aeSJan Lentfer return -1;
486d49e1aeSJan Lentfer }
496d49e1aeSJan Lentfer
506d49e1aeSJan Lentfer *name = NULL;
516d49e1aeSJan Lentfer *data = blob->data;
526d49e1aeSJan Lentfer *data_len = blob->len;
536d49e1aeSJan Lentfer
546d49e1aeSJan Lentfer return 0;
556d49e1aeSJan Lentfer }
566d49e1aeSJan Lentfer
576d49e1aeSJan Lentfer
eap_tls_params_flags(struct tls_connection_params * params,const char * txt)586d49e1aeSJan Lentfer static void eap_tls_params_flags(struct tls_connection_params *params,
596d49e1aeSJan Lentfer const char *txt)
606d49e1aeSJan Lentfer {
616d49e1aeSJan Lentfer if (txt == NULL)
626d49e1aeSJan Lentfer return;
636d49e1aeSJan Lentfer if (os_strstr(txt, "tls_allow_md5=1"))
646d49e1aeSJan Lentfer params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
656d49e1aeSJan Lentfer if (os_strstr(txt, "tls_disable_time_checks=1"))
666d49e1aeSJan Lentfer params->flags |= TLS_CONN_DISABLE_TIME_CHECKS;
673ff40c12SJohn Marino if (os_strstr(txt, "tls_disable_session_ticket=1"))
683ff40c12SJohn Marino params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
693ff40c12SJohn Marino if (os_strstr(txt, "tls_disable_session_ticket=0"))
703ff40c12SJohn Marino params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
71*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_0=1"))
72*a1157835SDaniel Fojt params->flags |= TLS_CONN_DISABLE_TLSv1_0;
73*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_0=0")) {
74*a1157835SDaniel Fojt params->flags &= ~TLS_CONN_DISABLE_TLSv1_0;
75*a1157835SDaniel Fojt params->flags |= TLS_CONN_ENABLE_TLSv1_0;
76*a1157835SDaniel Fojt }
77*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
78*a1157835SDaniel Fojt params->flags |= TLS_CONN_DISABLE_TLSv1_1;
79*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_1=0")) {
80*a1157835SDaniel Fojt params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;
81*a1157835SDaniel Fojt params->flags |= TLS_CONN_ENABLE_TLSv1_1;
82*a1157835SDaniel Fojt }
83*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_2=1"))
84*a1157835SDaniel Fojt params->flags |= TLS_CONN_DISABLE_TLSv1_2;
85*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_2=0")) {
86*a1157835SDaniel Fojt params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
87*a1157835SDaniel Fojt params->flags |= TLS_CONN_ENABLE_TLSv1_2;
88*a1157835SDaniel Fojt }
89*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_3=1"))
90*a1157835SDaniel Fojt params->flags |= TLS_CONN_DISABLE_TLSv1_3;
91*a1157835SDaniel Fojt if (os_strstr(txt, "tls_disable_tlsv1_3=0"))
92*a1157835SDaniel Fojt params->flags &= ~TLS_CONN_DISABLE_TLSv1_3;
93*a1157835SDaniel Fojt if (os_strstr(txt, "tls_ext_cert_check=1"))
94*a1157835SDaniel Fojt params->flags |= TLS_CONN_EXT_CERT_CHECK;
95*a1157835SDaniel Fojt if (os_strstr(txt, "tls_ext_cert_check=0"))
96*a1157835SDaniel Fojt params->flags &= ~TLS_CONN_EXT_CERT_CHECK;
97*a1157835SDaniel Fojt if (os_strstr(txt, "tls_suiteb=1"))
98*a1157835SDaniel Fojt params->flags |= TLS_CONN_SUITEB;
99*a1157835SDaniel Fojt if (os_strstr(txt, "tls_suiteb=0"))
100*a1157835SDaniel Fojt params->flags &= ~TLS_CONN_SUITEB;
101*a1157835SDaniel Fojt if (os_strstr(txt, "tls_suiteb_no_ecdh=1"))
102*a1157835SDaniel Fojt params->flags |= TLS_CONN_SUITEB_NO_ECDH;
103*a1157835SDaniel Fojt if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
104*a1157835SDaniel Fojt params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
1056d49e1aeSJan Lentfer }
1066d49e1aeSJan Lentfer
1076d49e1aeSJan Lentfer
eap_tls_params_from_conf1(struct tls_connection_params * params,struct eap_peer_config * config)1086d49e1aeSJan Lentfer static void eap_tls_params_from_conf1(struct tls_connection_params *params,
1096d49e1aeSJan Lentfer struct eap_peer_config *config)
1106d49e1aeSJan Lentfer {
111*a1157835SDaniel Fojt params->ca_cert = config->ca_cert;
112*a1157835SDaniel Fojt params->ca_path = config->ca_path;
113*a1157835SDaniel Fojt params->client_cert = config->client_cert;
114*a1157835SDaniel Fojt params->private_key = config->private_key;
115*a1157835SDaniel Fojt params->private_key_passwd = config->private_key_passwd;
116*a1157835SDaniel Fojt params->dh_file = config->dh_file;
117*a1157835SDaniel Fojt params->subject_match = config->subject_match;
118*a1157835SDaniel Fojt params->altsubject_match = config->altsubject_match;
119*a1157835SDaniel Fojt params->check_cert_subject = config->check_cert_subject;
1203ff40c12SJohn Marino params->suffix_match = config->domain_suffix_match;
121*a1157835SDaniel Fojt params->domain_match = config->domain_match;
1226d49e1aeSJan Lentfer params->engine = config->engine;
1236d49e1aeSJan Lentfer params->engine_id = config->engine_id;
1246d49e1aeSJan Lentfer params->pin = config->pin;
1256d49e1aeSJan Lentfer params->key_id = config->key_id;
1266d49e1aeSJan Lentfer params->cert_id = config->cert_id;
1276d49e1aeSJan Lentfer params->ca_cert_id = config->ca_cert_id;
1286d49e1aeSJan Lentfer eap_tls_params_flags(params, config->phase1);
1296d49e1aeSJan Lentfer }
1306d49e1aeSJan Lentfer
1316d49e1aeSJan Lentfer
eap_tls_params_from_conf2(struct tls_connection_params * params,struct eap_peer_config * config)1326d49e1aeSJan Lentfer static void eap_tls_params_from_conf2(struct tls_connection_params *params,
1336d49e1aeSJan Lentfer struct eap_peer_config *config)
1346d49e1aeSJan Lentfer {
135*a1157835SDaniel Fojt params->ca_cert = config->ca_cert2;
136*a1157835SDaniel Fojt params->ca_path = config->ca_path2;
137*a1157835SDaniel Fojt params->client_cert = config->client_cert2;
138*a1157835SDaniel Fojt params->private_key = config->private_key2;
139*a1157835SDaniel Fojt params->private_key_passwd = config->private_key2_passwd;
140*a1157835SDaniel Fojt params->dh_file = config->dh_file2;
141*a1157835SDaniel Fojt params->subject_match = config->subject_match2;
142*a1157835SDaniel Fojt params->altsubject_match = config->altsubject_match2;
143*a1157835SDaniel Fojt params->check_cert_subject = config->check_cert_subject2;
1443ff40c12SJohn Marino params->suffix_match = config->domain_suffix_match2;
145*a1157835SDaniel Fojt params->domain_match = config->domain_match2;
1466d49e1aeSJan Lentfer params->engine = config->engine2;
1476d49e1aeSJan Lentfer params->engine_id = config->engine2_id;
1486d49e1aeSJan Lentfer params->pin = config->pin2;
1496d49e1aeSJan Lentfer params->key_id = config->key2_id;
1506d49e1aeSJan Lentfer params->cert_id = config->cert2_id;
1516d49e1aeSJan Lentfer params->ca_cert_id = config->ca_cert2_id;
1526d49e1aeSJan Lentfer eap_tls_params_flags(params, config->phase2);
1536d49e1aeSJan Lentfer }
1546d49e1aeSJan Lentfer
1556d49e1aeSJan Lentfer
eap_tls_params_from_conf(struct eap_sm * sm,struct eap_ssl_data * data,struct tls_connection_params * params,struct eap_peer_config * config,int phase2)1566d49e1aeSJan Lentfer static int eap_tls_params_from_conf(struct eap_sm *sm,
1576d49e1aeSJan Lentfer struct eap_ssl_data *data,
1586d49e1aeSJan Lentfer struct tls_connection_params *params,
1596d49e1aeSJan Lentfer struct eap_peer_config *config, int phase2)
1606d49e1aeSJan Lentfer {
1616d49e1aeSJan Lentfer os_memset(params, 0, sizeof(*params));
162*a1157835SDaniel Fojt if (sm->workaround && data->eap_type != EAP_TYPE_FAST &&
163*a1157835SDaniel Fojt data->eap_type != EAP_TYPE_TEAP) {
1643ff40c12SJohn Marino /*
1653ff40c12SJohn Marino * Some deployed authentication servers seem to be unable to
1663ff40c12SJohn Marino * handle the TLS Session Ticket extension (they are supposed
1673ff40c12SJohn Marino * to ignore unrecognized TLS extensions, but end up rejecting
1683ff40c12SJohn Marino * the ClientHello instead). As a workaround, disable use of
1693ff40c12SJohn Marino * TLS Sesson Ticket extension for EAP-TLS, EAP-PEAP, and
1703ff40c12SJohn Marino * EAP-TTLS (EAP-FAST uses session ticket, so any server that
1713ff40c12SJohn Marino * supports EAP-FAST does not need this workaround).
1723ff40c12SJohn Marino */
1733ff40c12SJohn Marino params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
1743ff40c12SJohn Marino }
175*a1157835SDaniel Fojt if (data->eap_type == EAP_TYPE_TEAP) {
176*a1157835SDaniel Fojt /* RFC 7170 requires TLS v1.2 or newer to be used with TEAP */
177*a1157835SDaniel Fojt params->flags |= TLS_CONN_DISABLE_TLSv1_0 |
178*a1157835SDaniel Fojt TLS_CONN_DISABLE_TLSv1_1;
179*a1157835SDaniel Fojt if (config->teap_anon_dh)
180*a1157835SDaniel Fojt params->flags |= TLS_CONN_TEAP_ANON_DH;
181*a1157835SDaniel Fojt }
182*a1157835SDaniel Fojt if (data->eap_type == EAP_TYPE_FAST ||
183*a1157835SDaniel Fojt data->eap_type == EAP_TYPE_TEAP ||
184*a1157835SDaniel Fojt data->eap_type == EAP_TYPE_TTLS ||
185*a1157835SDaniel Fojt data->eap_type == EAP_TYPE_PEAP) {
186*a1157835SDaniel Fojt /* The current EAP peer implementation is not yet ready for the
187*a1157835SDaniel Fojt * TLS v1.3 changes, so disable this by default for now. */
188*a1157835SDaniel Fojt params->flags |= TLS_CONN_DISABLE_TLSv1_3;
189*a1157835SDaniel Fojt }
190*a1157835SDaniel Fojt if (data->eap_type == EAP_TYPE_TLS ||
191*a1157835SDaniel Fojt data->eap_type == EAP_UNAUTH_TLS_TYPE ||
192*a1157835SDaniel Fojt data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) {
193*a1157835SDaniel Fojt /* While the current EAP-TLS implementation is more or less
194*a1157835SDaniel Fojt * complete for TLS v1.3, there has been no interoperability
195*a1157835SDaniel Fojt * testing with other implementations, so disable for by default
196*a1157835SDaniel Fojt * for now until there has been chance to confirm that no
197*a1157835SDaniel Fojt * significant interoperability issues show up with TLS version
198*a1157835SDaniel Fojt * update.
199*a1157835SDaniel Fojt */
200*a1157835SDaniel Fojt params->flags |= TLS_CONN_DISABLE_TLSv1_3;
201*a1157835SDaniel Fojt }
2026d49e1aeSJan Lentfer if (phase2) {
2036d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
2046d49e1aeSJan Lentfer eap_tls_params_from_conf2(params, config);
2056d49e1aeSJan Lentfer } else {
2066d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
2076d49e1aeSJan Lentfer eap_tls_params_from_conf1(params, config);
208*a1157835SDaniel Fojt if (data->eap_type == EAP_TYPE_FAST)
209*a1157835SDaniel Fojt params->flags |= TLS_CONN_EAP_FAST;
2106d49e1aeSJan Lentfer }
2116d49e1aeSJan Lentfer
2126d49e1aeSJan Lentfer /*
2136d49e1aeSJan Lentfer * Use blob data, if available. Otherwise, leave reference to external
2146d49e1aeSJan Lentfer * file as-is.
2156d49e1aeSJan Lentfer */
2166d49e1aeSJan Lentfer if (eap_tls_check_blob(sm, ¶ms->ca_cert, ¶ms->ca_cert_blob,
2176d49e1aeSJan Lentfer ¶ms->ca_cert_blob_len) ||
2186d49e1aeSJan Lentfer eap_tls_check_blob(sm, ¶ms->client_cert,
2196d49e1aeSJan Lentfer ¶ms->client_cert_blob,
2206d49e1aeSJan Lentfer ¶ms->client_cert_blob_len) ||
2216d49e1aeSJan Lentfer eap_tls_check_blob(sm, ¶ms->private_key,
2226d49e1aeSJan Lentfer ¶ms->private_key_blob,
2236d49e1aeSJan Lentfer ¶ms->private_key_blob_len) ||
2246d49e1aeSJan Lentfer eap_tls_check_blob(sm, ¶ms->dh_file, ¶ms->dh_blob,
2256d49e1aeSJan Lentfer ¶ms->dh_blob_len)) {
2266d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
2276d49e1aeSJan Lentfer return -1;
2286d49e1aeSJan Lentfer }
2296d49e1aeSJan Lentfer
230*a1157835SDaniel Fojt params->openssl_ciphers = config->openssl_ciphers;
231*a1157835SDaniel Fojt
232*a1157835SDaniel Fojt sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
233*a1157835SDaniel Fojt
2346d49e1aeSJan Lentfer return 0;
2356d49e1aeSJan Lentfer }
2366d49e1aeSJan Lentfer
2376d49e1aeSJan Lentfer
eap_tls_init_connection(struct eap_sm * sm,struct eap_ssl_data * data,struct eap_peer_config * config,struct tls_connection_params * params)2386d49e1aeSJan Lentfer static int eap_tls_init_connection(struct eap_sm *sm,
2396d49e1aeSJan Lentfer struct eap_ssl_data *data,
2406d49e1aeSJan Lentfer struct eap_peer_config *config,
2416d49e1aeSJan Lentfer struct tls_connection_params *params)
2426d49e1aeSJan Lentfer {
2436d49e1aeSJan Lentfer int res;
2446d49e1aeSJan Lentfer
2453ff40c12SJohn Marino if (config->ocsp)
2463ff40c12SJohn Marino params->flags |= TLS_CONN_REQUEST_OCSP;
247*a1157835SDaniel Fojt if (config->ocsp >= 2)
2483ff40c12SJohn Marino params->flags |= TLS_CONN_REQUIRE_OCSP;
249*a1157835SDaniel Fojt if (config->ocsp == 3)
250*a1157835SDaniel Fojt params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
2513ff40c12SJohn Marino data->conn = tls_connection_init(data->ssl_ctx);
2526d49e1aeSJan Lentfer if (data->conn == NULL) {
2536d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
2546d49e1aeSJan Lentfer "connection");
2556d49e1aeSJan Lentfer return -1;
2566d49e1aeSJan Lentfer }
2576d49e1aeSJan Lentfer
2583ff40c12SJohn Marino res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
259*a1157835SDaniel Fojt if (res == TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN) {
2606d49e1aeSJan Lentfer /*
261*a1157835SDaniel Fojt * At this point with the pkcs11 engine the PIN is wrong. We
262*a1157835SDaniel Fojt * reset the PIN in the configuration to be sure to not use it
263*a1157835SDaniel Fojt * again and the calling function must request a new one.
2646d49e1aeSJan Lentfer */
265*a1157835SDaniel Fojt wpa_printf(MSG_INFO,
266*a1157835SDaniel Fojt "TLS: Bad PIN provided, requesting a new one");
2676d49e1aeSJan Lentfer os_free(config->pin);
2686d49e1aeSJan Lentfer config->pin = NULL;
2696d49e1aeSJan Lentfer eap_sm_request_pin(sm);
2706d49e1aeSJan Lentfer sm->ignore = TRUE;
271*a1157835SDaniel Fojt } else if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
272*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "TLS: Failed to initialize engine");
273*a1157835SDaniel Fojt } else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
274*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "TLS: Failed to load private key");
275*a1157835SDaniel Fojt sm->ignore = TRUE;
276*a1157835SDaniel Fojt }
277*a1157835SDaniel Fojt if (res) {
2786d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
2796d49e1aeSJan Lentfer "parameters");
2803ff40c12SJohn Marino tls_connection_deinit(data->ssl_ctx, data->conn);
2813ff40c12SJohn Marino data->conn = NULL;
2826d49e1aeSJan Lentfer return -1;
2836d49e1aeSJan Lentfer }
2846d49e1aeSJan Lentfer
2856d49e1aeSJan Lentfer return 0;
2866d49e1aeSJan Lentfer }
2876d49e1aeSJan Lentfer
2886d49e1aeSJan Lentfer
2896d49e1aeSJan Lentfer /**
2906d49e1aeSJan Lentfer * eap_peer_tls_ssl_init - Initialize shared TLS functionality
2916d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
2926d49e1aeSJan Lentfer * @data: Data for TLS processing
2936d49e1aeSJan Lentfer * @config: Pointer to the network configuration
2943ff40c12SJohn Marino * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
2956d49e1aeSJan Lentfer * Returns: 0 on success, -1 on failure
2966d49e1aeSJan Lentfer *
2976d49e1aeSJan Lentfer * This function is used to initialize shared TLS functionality for EAP-TLS,
2986d49e1aeSJan Lentfer * EAP-PEAP, EAP-TTLS, and EAP-FAST.
2996d49e1aeSJan Lentfer */
eap_peer_tls_ssl_init(struct eap_sm * sm,struct eap_ssl_data * data,struct eap_peer_config * config,u8 eap_type)3006d49e1aeSJan Lentfer int eap_peer_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
3013ff40c12SJohn Marino struct eap_peer_config *config, u8 eap_type)
3026d49e1aeSJan Lentfer {
3036d49e1aeSJan Lentfer struct tls_connection_params params;
3046d49e1aeSJan Lentfer
3056d49e1aeSJan Lentfer if (config == NULL)
3066d49e1aeSJan Lentfer return -1;
3076d49e1aeSJan Lentfer
3086d49e1aeSJan Lentfer data->eap = sm;
3093ff40c12SJohn Marino data->eap_type = eap_type;
3106d49e1aeSJan Lentfer data->phase2 = sm->init_phase2;
3113ff40c12SJohn Marino data->ssl_ctx = sm->init_phase2 && sm->ssl_ctx2 ? sm->ssl_ctx2 :
3123ff40c12SJohn Marino sm->ssl_ctx;
3136d49e1aeSJan Lentfer if (eap_tls_params_from_conf(sm, data, ¶ms, config, data->phase2) <
3146d49e1aeSJan Lentfer 0)
3156d49e1aeSJan Lentfer return -1;
3166d49e1aeSJan Lentfer
3176d49e1aeSJan Lentfer if (eap_tls_init_connection(sm, data, config, ¶ms) < 0)
3186d49e1aeSJan Lentfer return -1;
3196d49e1aeSJan Lentfer
3206d49e1aeSJan Lentfer data->tls_out_limit = config->fragment_size;
3216d49e1aeSJan Lentfer if (data->phase2) {
3226d49e1aeSJan Lentfer /* Limit the fragment size in the inner TLS authentication
3236d49e1aeSJan Lentfer * since the outer authentication with EAP-PEAP does not yet
3246d49e1aeSJan Lentfer * support fragmentation */
3256d49e1aeSJan Lentfer if (data->tls_out_limit > 100)
3266d49e1aeSJan Lentfer data->tls_out_limit -= 100;
3276d49e1aeSJan Lentfer }
3286d49e1aeSJan Lentfer
3296d49e1aeSJan Lentfer if (config->phase1 &&
3306d49e1aeSJan Lentfer os_strstr(config->phase1, "include_tls_length=1")) {
3316d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
3326d49e1aeSJan Lentfer "unfragmented packets");
3336d49e1aeSJan Lentfer data->include_tls_length = 1;
3346d49e1aeSJan Lentfer }
3356d49e1aeSJan Lentfer
3366d49e1aeSJan Lentfer return 0;
3376d49e1aeSJan Lentfer }
3386d49e1aeSJan Lentfer
3396d49e1aeSJan Lentfer
3406d49e1aeSJan Lentfer /**
3416d49e1aeSJan Lentfer * eap_peer_tls_ssl_deinit - Deinitialize shared TLS functionality
3426d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3436d49e1aeSJan Lentfer * @data: Data for TLS processing
3446d49e1aeSJan Lentfer *
3456d49e1aeSJan Lentfer * This function deinitializes shared TLS functionality that was initialized
3466d49e1aeSJan Lentfer * with eap_peer_tls_ssl_init().
3476d49e1aeSJan Lentfer */
eap_peer_tls_ssl_deinit(struct eap_sm * sm,struct eap_ssl_data * data)3486d49e1aeSJan Lentfer void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
3496d49e1aeSJan Lentfer {
3503ff40c12SJohn Marino tls_connection_deinit(data->ssl_ctx, data->conn);
3516d49e1aeSJan Lentfer eap_peer_tls_reset_input(data);
3526d49e1aeSJan Lentfer eap_peer_tls_reset_output(data);
3536d49e1aeSJan Lentfer }
3546d49e1aeSJan Lentfer
3556d49e1aeSJan Lentfer
3566d49e1aeSJan Lentfer /**
3576d49e1aeSJan Lentfer * eap_peer_tls_derive_key - Derive a key based on TLS session data
3586d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3596d49e1aeSJan Lentfer * @data: Data for TLS processing
3606d49e1aeSJan Lentfer * @label: Label string for deriving the keys, e.g., "client EAP encryption"
361*a1157835SDaniel Fojt * @context: Optional extra upper-layer context (max len 2^16)
362*a1157835SDaniel Fojt * @context_len: The length of the context value
3636d49e1aeSJan Lentfer * @len: Length of the key material to generate (usually 64 for MSK)
3646d49e1aeSJan Lentfer * Returns: Pointer to allocated key on success or %NULL on failure
3656d49e1aeSJan Lentfer *
3666d49e1aeSJan Lentfer * This function uses TLS-PRF to generate pseudo-random data based on the TLS
3676d49e1aeSJan Lentfer * session data (client/server random and master key). Each key type may use a
3686d49e1aeSJan Lentfer * different label to bind the key usage into the generated material.
3696d49e1aeSJan Lentfer *
3706d49e1aeSJan Lentfer * The caller is responsible for freeing the returned buffer.
371*a1157835SDaniel Fojt *
372*a1157835SDaniel Fojt * Note: To provide the RFC 5705 context, the context variable must be non-NULL.
3736d49e1aeSJan Lentfer */
eap_peer_tls_derive_key(struct eap_sm * sm,struct eap_ssl_data * data,const char * label,const u8 * context,size_t context_len,size_t len)3746d49e1aeSJan Lentfer u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
375*a1157835SDaniel Fojt const char *label, const u8 *context,
376*a1157835SDaniel Fojt size_t context_len, size_t len)
3776d49e1aeSJan Lentfer {
378*a1157835SDaniel Fojt u8 *out;
3796d49e1aeSJan Lentfer
3806d49e1aeSJan Lentfer out = os_malloc(len);
3816d49e1aeSJan Lentfer if (out == NULL)
3826d49e1aeSJan Lentfer return NULL;
3836d49e1aeSJan Lentfer
384*a1157835SDaniel Fojt if (tls_connection_export_key(data->ssl_ctx, data->conn, label,
385*a1157835SDaniel Fojt context, context_len, out, len)) {
3866d49e1aeSJan Lentfer os_free(out);
3876d49e1aeSJan Lentfer return NULL;
3886d49e1aeSJan Lentfer }
3896d49e1aeSJan Lentfer
390*a1157835SDaniel Fojt return out;
391*a1157835SDaniel Fojt }
392*a1157835SDaniel Fojt
3936d49e1aeSJan Lentfer
3946d49e1aeSJan Lentfer /**
3953ff40c12SJohn Marino * eap_peer_tls_derive_session_id - Derive a Session-Id based on TLS data
3963ff40c12SJohn Marino * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
3973ff40c12SJohn Marino * @data: Data for TLS processing
3983ff40c12SJohn Marino * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
3993ff40c12SJohn Marino * @len: Pointer to length of the session ID generated
4003ff40c12SJohn Marino * Returns: Pointer to allocated Session-Id on success or %NULL on failure
4013ff40c12SJohn Marino *
4023ff40c12SJohn Marino * This function derive the Session-Id based on the TLS session data
4033ff40c12SJohn Marino * (client/server random and method type).
4043ff40c12SJohn Marino *
4053ff40c12SJohn Marino * The caller is responsible for freeing the returned buffer.
4063ff40c12SJohn Marino */
eap_peer_tls_derive_session_id(struct eap_sm * sm,struct eap_ssl_data * data,u8 eap_type,size_t * len)4073ff40c12SJohn Marino u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
4083ff40c12SJohn Marino struct eap_ssl_data *data, u8 eap_type,
4093ff40c12SJohn Marino size_t *len)
4103ff40c12SJohn Marino {
411*a1157835SDaniel Fojt struct tls_random keys;
4123ff40c12SJohn Marino u8 *out;
4133ff40c12SJohn Marino
414*a1157835SDaniel Fojt if (eap_type == EAP_TYPE_TLS && data->tls_v13) {
415*a1157835SDaniel Fojt u8 *id, *method_id;
416*a1157835SDaniel Fojt const u8 context[] = { EAP_TYPE_TLS };
4173ff40c12SJohn Marino
418*a1157835SDaniel Fojt /* Session-Id = <EAP-Type> || Method-Id
419*a1157835SDaniel Fojt * Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",
420*a1157835SDaniel Fojt * Type-Code, 64)
421*a1157835SDaniel Fojt */
422*a1157835SDaniel Fojt *len = 1 + 64;
423*a1157835SDaniel Fojt id = os_malloc(*len);
424*a1157835SDaniel Fojt if (!id)
425*a1157835SDaniel Fojt return NULL;
426*a1157835SDaniel Fojt method_id = eap_peer_tls_derive_key(
427*a1157835SDaniel Fojt sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64);
428*a1157835SDaniel Fojt if (!method_id) {
429*a1157835SDaniel Fojt os_free(id);
430*a1157835SDaniel Fojt return NULL;
431*a1157835SDaniel Fojt }
432*a1157835SDaniel Fojt id[0] = eap_type;
433*a1157835SDaniel Fojt os_memcpy(id + 1, method_id, 64);
434*a1157835SDaniel Fojt os_free(method_id);
435*a1157835SDaniel Fojt return id;
436*a1157835SDaniel Fojt }
437*a1157835SDaniel Fojt
438*a1157835SDaniel Fojt if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys) ||
439*a1157835SDaniel Fojt keys.client_random == NULL || keys.server_random == NULL)
4403ff40c12SJohn Marino return NULL;
4413ff40c12SJohn Marino
4423ff40c12SJohn Marino *len = 1 + keys.client_random_len + keys.server_random_len;
4433ff40c12SJohn Marino out = os_malloc(*len);
4443ff40c12SJohn Marino if (out == NULL)
4453ff40c12SJohn Marino return NULL;
4463ff40c12SJohn Marino
4473ff40c12SJohn Marino /* Session-Id = EAP type || client.random || server.random */
4483ff40c12SJohn Marino out[0] = eap_type;
4493ff40c12SJohn Marino os_memcpy(out + 1, keys.client_random, keys.client_random_len);
4503ff40c12SJohn Marino os_memcpy(out + 1 + keys.client_random_len, keys.server_random,
4513ff40c12SJohn Marino keys.server_random_len);
4523ff40c12SJohn Marino
4533ff40c12SJohn Marino return out;
4543ff40c12SJohn Marino }
4553ff40c12SJohn Marino
4563ff40c12SJohn Marino
4573ff40c12SJohn Marino /**
4586d49e1aeSJan Lentfer * eap_peer_tls_reassemble_fragment - Reassemble a received fragment
4596d49e1aeSJan Lentfer * @data: Data for TLS processing
4606d49e1aeSJan Lentfer * @in_data: Next incoming TLS segment
4616d49e1aeSJan Lentfer * Returns: 0 on success, 1 if more data is needed for the full message, or
4626d49e1aeSJan Lentfer * -1 on error
4636d49e1aeSJan Lentfer */
eap_peer_tls_reassemble_fragment(struct eap_ssl_data * data,const struct wpabuf * in_data)4646d49e1aeSJan Lentfer static int eap_peer_tls_reassemble_fragment(struct eap_ssl_data *data,
4653ff40c12SJohn Marino const struct wpabuf *in_data)
4666d49e1aeSJan Lentfer {
4673ff40c12SJohn Marino size_t tls_in_len, in_len;
4686d49e1aeSJan Lentfer
4693ff40c12SJohn Marino tls_in_len = data->tls_in ? wpabuf_len(data->tls_in) : 0;
4703ff40c12SJohn Marino in_len = in_data ? wpabuf_len(in_data) : 0;
4713ff40c12SJohn Marino
4723ff40c12SJohn Marino if (tls_in_len + in_len == 0) {
4736d49e1aeSJan Lentfer /* No message data received?! */
4746d49e1aeSJan Lentfer wpa_printf(MSG_WARNING, "SSL: Invalid reassembly state: "
4756d49e1aeSJan Lentfer "tls_in_left=%lu tls_in_len=%lu in_len=%lu",
4766d49e1aeSJan Lentfer (unsigned long) data->tls_in_left,
4773ff40c12SJohn Marino (unsigned long) tls_in_len,
4786d49e1aeSJan Lentfer (unsigned long) in_len);
4796d49e1aeSJan Lentfer eap_peer_tls_reset_input(data);
4806d49e1aeSJan Lentfer return -1;
4816d49e1aeSJan Lentfer }
4826d49e1aeSJan Lentfer
4833ff40c12SJohn Marino if (tls_in_len + in_len > 65536) {
4846d49e1aeSJan Lentfer /*
4856d49e1aeSJan Lentfer * Limit length to avoid rogue servers from causing large
4866d49e1aeSJan Lentfer * memory allocations.
4876d49e1aeSJan Lentfer */
4886d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size over "
4896d49e1aeSJan Lentfer "64 kB)");
4906d49e1aeSJan Lentfer eap_peer_tls_reset_input(data);
4916d49e1aeSJan Lentfer return -1;
4926d49e1aeSJan Lentfer }
4936d49e1aeSJan Lentfer
4946d49e1aeSJan Lentfer if (in_len > data->tls_in_left) {
4956d49e1aeSJan Lentfer /* Sender is doing something odd - reject message */
4966d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: more data than TLS message length "
4976d49e1aeSJan Lentfer "indicated");
4986d49e1aeSJan Lentfer eap_peer_tls_reset_input(data);
4996d49e1aeSJan Lentfer return -1;
5006d49e1aeSJan Lentfer }
5016d49e1aeSJan Lentfer
5023ff40c12SJohn Marino if (wpabuf_resize(&data->tls_in, in_len) < 0) {
5036d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: Could not allocate memory for TLS "
5046d49e1aeSJan Lentfer "data");
5056d49e1aeSJan Lentfer eap_peer_tls_reset_input(data);
5066d49e1aeSJan Lentfer return -1;
5076d49e1aeSJan Lentfer }
5083ff40c12SJohn Marino if (in_data)
5093ff40c12SJohn Marino wpabuf_put_buf(data->tls_in, in_data);
5106d49e1aeSJan Lentfer data->tls_in_left -= in_len;
5116d49e1aeSJan Lentfer
5126d49e1aeSJan Lentfer if (data->tls_in_left > 0) {
5136d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: Need %lu bytes more input "
5146d49e1aeSJan Lentfer "data", (unsigned long) data->tls_in_left);
5156d49e1aeSJan Lentfer return 1;
5166d49e1aeSJan Lentfer }
5176d49e1aeSJan Lentfer
5186d49e1aeSJan Lentfer return 0;
5196d49e1aeSJan Lentfer }
5206d49e1aeSJan Lentfer
5216d49e1aeSJan Lentfer
5226d49e1aeSJan Lentfer /**
5236d49e1aeSJan Lentfer * eap_peer_tls_data_reassemble - Reassemble TLS data
5246d49e1aeSJan Lentfer * @data: Data for TLS processing
5256d49e1aeSJan Lentfer * @in_data: Next incoming TLS segment
5266d49e1aeSJan Lentfer * @need_more_input: Variable for returning whether more input data is needed
5276d49e1aeSJan Lentfer * to reassemble this TLS packet
5286d49e1aeSJan Lentfer * Returns: Pointer to output data, %NULL on error or when more data is needed
5296d49e1aeSJan Lentfer * for the full message (in which case, *need_more_input is also set to 1).
5306d49e1aeSJan Lentfer *
5316d49e1aeSJan Lentfer * This function reassembles TLS fragments. Caller must not free the returned
5326d49e1aeSJan Lentfer * data buffer since an internal pointer to it is maintained.
5336d49e1aeSJan Lentfer */
eap_peer_tls_data_reassemble(struct eap_ssl_data * data,const struct wpabuf * in_data,int * need_more_input)5343ff40c12SJohn Marino static const struct wpabuf * eap_peer_tls_data_reassemble(
5353ff40c12SJohn Marino struct eap_ssl_data *data, const struct wpabuf *in_data,
5363ff40c12SJohn Marino int *need_more_input)
5376d49e1aeSJan Lentfer {
5386d49e1aeSJan Lentfer *need_more_input = 0;
5396d49e1aeSJan Lentfer
5403ff40c12SJohn Marino if (data->tls_in_left > wpabuf_len(in_data) || data->tls_in) {
5416d49e1aeSJan Lentfer /* Message has fragments */
5423ff40c12SJohn Marino int res = eap_peer_tls_reassemble_fragment(data, in_data);
5436d49e1aeSJan Lentfer if (res) {
5446d49e1aeSJan Lentfer if (res == 1)
5456d49e1aeSJan Lentfer *need_more_input = 1;
5466d49e1aeSJan Lentfer return NULL;
5476d49e1aeSJan Lentfer }
5486d49e1aeSJan Lentfer
5496d49e1aeSJan Lentfer /* Message is now fully reassembled. */
5506d49e1aeSJan Lentfer } else {
5516d49e1aeSJan Lentfer /* No fragments in this message, so just make a copy of it. */
5526d49e1aeSJan Lentfer data->tls_in_left = 0;
5533ff40c12SJohn Marino data->tls_in = wpabuf_dup(in_data);
5546d49e1aeSJan Lentfer if (data->tls_in == NULL)
5556d49e1aeSJan Lentfer return NULL;
5566d49e1aeSJan Lentfer }
5576d49e1aeSJan Lentfer
5586d49e1aeSJan Lentfer return data->tls_in;
5596d49e1aeSJan Lentfer }
5606d49e1aeSJan Lentfer
5616d49e1aeSJan Lentfer
5626d49e1aeSJan Lentfer /**
5636d49e1aeSJan Lentfer * eap_tls_process_input - Process incoming TLS message
5646d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
5656d49e1aeSJan Lentfer * @data: Data for TLS processing
5666d49e1aeSJan Lentfer * @in_data: Message received from the server
5676d49e1aeSJan Lentfer * @out_data: Buffer for returning a pointer to application data (if available)
5686d49e1aeSJan Lentfer * Returns: 0 on success, 1 if more input data is needed, 2 if application data
5696d49e1aeSJan Lentfer * is available, -1 on failure
5706d49e1aeSJan Lentfer */
eap_tls_process_input(struct eap_sm * sm,struct eap_ssl_data * data,const struct wpabuf * in_data,struct wpabuf ** out_data)5716d49e1aeSJan Lentfer static int eap_tls_process_input(struct eap_sm *sm, struct eap_ssl_data *data,
572*a1157835SDaniel Fojt const struct wpabuf *in_data,
5736d49e1aeSJan Lentfer struct wpabuf **out_data)
5746d49e1aeSJan Lentfer {
5753ff40c12SJohn Marino const struct wpabuf *msg;
5766d49e1aeSJan Lentfer int need_more_input;
5773ff40c12SJohn Marino struct wpabuf *appl_data;
5786d49e1aeSJan Lentfer
579*a1157835SDaniel Fojt msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input);
5806d49e1aeSJan Lentfer if (msg == NULL)
5816d49e1aeSJan Lentfer return need_more_input ? 1 : -1;
5826d49e1aeSJan Lentfer
5836d49e1aeSJan Lentfer /* Full TLS message reassembled - continue handshake processing */
5846d49e1aeSJan Lentfer if (data->tls_out) {
5856d49e1aeSJan Lentfer /* This should not happen.. */
5866d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: eap_tls_process_input - pending "
5876d49e1aeSJan Lentfer "tls_out data even though tls_out_len = 0");
5883ff40c12SJohn Marino wpabuf_free(data->tls_out);
5896d49e1aeSJan Lentfer WPA_ASSERT(data->tls_out == NULL);
5906d49e1aeSJan Lentfer }
5916d49e1aeSJan Lentfer appl_data = NULL;
5923ff40c12SJohn Marino data->tls_out = tls_connection_handshake(data->ssl_ctx, data->conn,
5933ff40c12SJohn Marino msg, &appl_data);
5946d49e1aeSJan Lentfer
5956d49e1aeSJan Lentfer eap_peer_tls_reset_input(data);
5966d49e1aeSJan Lentfer
5976d49e1aeSJan Lentfer if (appl_data &&
5983ff40c12SJohn Marino tls_connection_established(data->ssl_ctx, data->conn) &&
5993ff40c12SJohn Marino !tls_connection_get_failed(data->ssl_ctx, data->conn)) {
6003ff40c12SJohn Marino wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application data",
6013ff40c12SJohn Marino appl_data);
6023ff40c12SJohn Marino *out_data = appl_data;
6036d49e1aeSJan Lentfer return 2;
6046d49e1aeSJan Lentfer }
6056d49e1aeSJan Lentfer
6063ff40c12SJohn Marino wpabuf_free(appl_data);
6076d49e1aeSJan Lentfer
6086d49e1aeSJan Lentfer return 0;
6096d49e1aeSJan Lentfer }
6106d49e1aeSJan Lentfer
6116d49e1aeSJan Lentfer
6126d49e1aeSJan Lentfer /**
6136d49e1aeSJan Lentfer * eap_tls_process_output - Process outgoing TLS message
6146d49e1aeSJan Lentfer * @data: Data for TLS processing
6156d49e1aeSJan Lentfer * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
6166d49e1aeSJan Lentfer * @peap_version: Version number for EAP-PEAP/TTLS
6176d49e1aeSJan Lentfer * @id: EAP identifier for the response
6186d49e1aeSJan Lentfer * @ret: Return value to use on success
6196d49e1aeSJan Lentfer * @out_data: Buffer for returning the allocated output buffer
6206d49e1aeSJan Lentfer * Returns: ret (0 or 1) on success, -1 on failure
6216d49e1aeSJan Lentfer */
eap_tls_process_output(struct eap_ssl_data * data,EapType eap_type,int peap_version,u8 id,int ret,struct wpabuf ** out_data)6226d49e1aeSJan Lentfer static int eap_tls_process_output(struct eap_ssl_data *data, EapType eap_type,
6236d49e1aeSJan Lentfer int peap_version, u8 id, int ret,
6246d49e1aeSJan Lentfer struct wpabuf **out_data)
6256d49e1aeSJan Lentfer {
6266d49e1aeSJan Lentfer size_t len;
6276d49e1aeSJan Lentfer u8 *flags;
6286d49e1aeSJan Lentfer int more_fragments, length_included;
6296d49e1aeSJan Lentfer
6303ff40c12SJohn Marino if (data->tls_out == NULL)
6313ff40c12SJohn Marino return -1;
6323ff40c12SJohn Marino len = wpabuf_len(data->tls_out) - data->tls_out_pos;
6336d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: %lu bytes left to be sent out (of total "
6346d49e1aeSJan Lentfer "%lu bytes)",
6353ff40c12SJohn Marino (unsigned long) len,
6363ff40c12SJohn Marino (unsigned long) wpabuf_len(data->tls_out));
6376d49e1aeSJan Lentfer
6386d49e1aeSJan Lentfer /*
6396d49e1aeSJan Lentfer * Limit outgoing message to the configured maximum size. Fragment
6406d49e1aeSJan Lentfer * message if needed.
6416d49e1aeSJan Lentfer */
6426d49e1aeSJan Lentfer if (len > data->tls_out_limit) {
6436d49e1aeSJan Lentfer more_fragments = 1;
6446d49e1aeSJan Lentfer len = data->tls_out_limit;
6456d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: sending %lu bytes, more fragments "
6466d49e1aeSJan Lentfer "will follow", (unsigned long) len);
6476d49e1aeSJan Lentfer } else
6486d49e1aeSJan Lentfer more_fragments = 0;
6496d49e1aeSJan Lentfer
6506d49e1aeSJan Lentfer length_included = data->tls_out_pos == 0 &&
6513ff40c12SJohn Marino (wpabuf_len(data->tls_out) > data->tls_out_limit ||
6526d49e1aeSJan Lentfer data->include_tls_length);
6536d49e1aeSJan Lentfer if (!length_included &&
6546d49e1aeSJan Lentfer eap_type == EAP_TYPE_PEAP && peap_version == 0 &&
6556d49e1aeSJan Lentfer !tls_connection_established(data->eap->ssl_ctx, data->conn)) {
6566d49e1aeSJan Lentfer /*
6576d49e1aeSJan Lentfer * Windows Server 2008 NPS really wants to have the TLS Message
6586d49e1aeSJan Lentfer * length included in phase 0 even for unfragmented frames or
6596d49e1aeSJan Lentfer * it will get very confused with Compound MAC calculation and
6606d49e1aeSJan Lentfer * Outer TLVs.
6616d49e1aeSJan Lentfer */
6626d49e1aeSJan Lentfer length_included = 1;
6636d49e1aeSJan Lentfer }
6646d49e1aeSJan Lentfer
6653ff40c12SJohn Marino *out_data = eap_tls_msg_alloc(eap_type, 1 + length_included * 4 + len,
6666d49e1aeSJan Lentfer EAP_CODE_RESPONSE, id);
6676d49e1aeSJan Lentfer if (*out_data == NULL)
6686d49e1aeSJan Lentfer return -1;
6696d49e1aeSJan Lentfer
6706d49e1aeSJan Lentfer flags = wpabuf_put(*out_data, 1);
6716d49e1aeSJan Lentfer *flags = peap_version;
6726d49e1aeSJan Lentfer if (more_fragments)
6736d49e1aeSJan Lentfer *flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
6746d49e1aeSJan Lentfer if (length_included) {
6756d49e1aeSJan Lentfer *flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
6763ff40c12SJohn Marino wpabuf_put_be32(*out_data, wpabuf_len(data->tls_out));
6776d49e1aeSJan Lentfer }
6786d49e1aeSJan Lentfer
6793ff40c12SJohn Marino wpabuf_put_data(*out_data,
6803ff40c12SJohn Marino wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
6813ff40c12SJohn Marino len);
6826d49e1aeSJan Lentfer data->tls_out_pos += len;
6836d49e1aeSJan Lentfer
6846d49e1aeSJan Lentfer if (!more_fragments)
6856d49e1aeSJan Lentfer eap_peer_tls_reset_output(data);
6866d49e1aeSJan Lentfer
6876d49e1aeSJan Lentfer return ret;
6886d49e1aeSJan Lentfer }
6896d49e1aeSJan Lentfer
6906d49e1aeSJan Lentfer
6916d49e1aeSJan Lentfer /**
6926d49e1aeSJan Lentfer * eap_peer_tls_process_helper - Process TLS handshake message
6936d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
6946d49e1aeSJan Lentfer * @data: Data for TLS processing
6956d49e1aeSJan Lentfer * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
6966d49e1aeSJan Lentfer * @peap_version: Version number for EAP-PEAP/TTLS
6976d49e1aeSJan Lentfer * @id: EAP identifier for the response
6986d49e1aeSJan Lentfer * @in_data: Message received from the server
6996d49e1aeSJan Lentfer * @out_data: Buffer for returning a pointer to the response message
7006d49e1aeSJan Lentfer * Returns: 0 on success, 1 if more input data is needed, 2 if application data
7016d49e1aeSJan Lentfer * is available, or -1 on failure
7026d49e1aeSJan Lentfer *
7036d49e1aeSJan Lentfer * This function can be used to process TLS handshake messages. It reassembles
7046d49e1aeSJan Lentfer * the received fragments and uses a TLS library to process the messages. The
7056d49e1aeSJan Lentfer * response data from the TLS library is fragmented to suitable output messages
7066d49e1aeSJan Lentfer * that the caller can send out.
7076d49e1aeSJan Lentfer *
7086d49e1aeSJan Lentfer * out_data is used to return the response message if the return value of this
7096d49e1aeSJan Lentfer * function is 0, 2, or -1. In case of failure, the message is likely a TLS
7106d49e1aeSJan Lentfer * alarm message. The caller is responsible for freeing the allocated buffer if
7116d49e1aeSJan Lentfer * *out_data is not %NULL.
7126d49e1aeSJan Lentfer *
7136d49e1aeSJan Lentfer * This function is called for each received TLS message during the TLS
7146d49e1aeSJan Lentfer * handshake after eap_peer_tls_process_init() call and possible processing of
7156d49e1aeSJan Lentfer * TLS Flags field. Once the handshake has been completed, i.e., when
7166d49e1aeSJan Lentfer * tls_connection_established() returns 1, EAP method specific decrypting of
7176d49e1aeSJan Lentfer * the tunneled data is used.
7186d49e1aeSJan Lentfer */
eap_peer_tls_process_helper(struct eap_sm * sm,struct eap_ssl_data * data,EapType eap_type,int peap_version,u8 id,const struct wpabuf * in_data,struct wpabuf ** out_data)7196d49e1aeSJan Lentfer int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
7206d49e1aeSJan Lentfer EapType eap_type, int peap_version,
721*a1157835SDaniel Fojt u8 id, const struct wpabuf *in_data,
7226d49e1aeSJan Lentfer struct wpabuf **out_data)
7236d49e1aeSJan Lentfer {
7246d49e1aeSJan Lentfer int ret = 0;
7256d49e1aeSJan Lentfer
7266d49e1aeSJan Lentfer *out_data = NULL;
7276d49e1aeSJan Lentfer
728*a1157835SDaniel Fojt if (data->tls_out && wpabuf_len(data->tls_out) > 0 &&
729*a1157835SDaniel Fojt wpabuf_len(in_data) > 0) {
7306d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: Received non-ACK when output "
7316d49e1aeSJan Lentfer "fragments are waiting to be sent out");
7326d49e1aeSJan Lentfer return -1;
7336d49e1aeSJan Lentfer }
7346d49e1aeSJan Lentfer
7353ff40c12SJohn Marino if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0) {
7366d49e1aeSJan Lentfer /*
7376d49e1aeSJan Lentfer * No more data to send out - expect to receive more data from
7386d49e1aeSJan Lentfer * the AS.
7396d49e1aeSJan Lentfer */
740*a1157835SDaniel Fojt int res = eap_tls_process_input(sm, data, in_data, out_data);
741*a1157835SDaniel Fojt char buf[20];
742*a1157835SDaniel Fojt
7436d49e1aeSJan Lentfer if (res) {
7446d49e1aeSJan Lentfer /*
7456d49e1aeSJan Lentfer * Input processing failed (res = -1) or more data is
7466d49e1aeSJan Lentfer * needed (res = 1).
7476d49e1aeSJan Lentfer */
7486d49e1aeSJan Lentfer return res;
7496d49e1aeSJan Lentfer }
7506d49e1aeSJan Lentfer
7516d49e1aeSJan Lentfer /*
7526d49e1aeSJan Lentfer * The incoming message has been reassembled and processed. The
7536d49e1aeSJan Lentfer * response was allocated into data->tls_out buffer.
7546d49e1aeSJan Lentfer */
755*a1157835SDaniel Fojt
756*a1157835SDaniel Fojt if (tls_get_version(data->ssl_ctx, data->conn,
757*a1157835SDaniel Fojt buf, sizeof(buf)) == 0) {
758*a1157835SDaniel Fojt wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
759*a1157835SDaniel Fojt data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
760*a1157835SDaniel Fojt }
7616d49e1aeSJan Lentfer }
7626d49e1aeSJan Lentfer
7636d49e1aeSJan Lentfer if (data->tls_out == NULL) {
7646d49e1aeSJan Lentfer /*
7656d49e1aeSJan Lentfer * No outgoing fragments remaining from the previous message
7666d49e1aeSJan Lentfer * and no new message generated. This indicates an error in TLS
7676d49e1aeSJan Lentfer * processing.
7686d49e1aeSJan Lentfer */
7696d49e1aeSJan Lentfer eap_peer_tls_reset_output(data);
7706d49e1aeSJan Lentfer return -1;
7716d49e1aeSJan Lentfer }
7726d49e1aeSJan Lentfer
7733ff40c12SJohn Marino if (tls_connection_get_failed(data->ssl_ctx, data->conn)) {
7746d49e1aeSJan Lentfer /* TLS processing has failed - return error */
7756d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
776*a1157835SDaniel Fojt "report error (len=%u)",
777*a1157835SDaniel Fojt (unsigned int) wpabuf_len(data->tls_out));
7786d49e1aeSJan Lentfer ret = -1;
7796d49e1aeSJan Lentfer /* TODO: clean pin if engine used? */
780*a1157835SDaniel Fojt if (wpabuf_len(data->tls_out) == 0) {
781*a1157835SDaniel Fojt wpabuf_free(data->tls_out);
782*a1157835SDaniel Fojt data->tls_out = NULL;
783*a1157835SDaniel Fojt return -1;
784*a1157835SDaniel Fojt }
7856d49e1aeSJan Lentfer }
7866d49e1aeSJan Lentfer
787*a1157835SDaniel Fojt if (wpabuf_len(data->tls_out) == 0) {
7886d49e1aeSJan Lentfer /*
7896d49e1aeSJan Lentfer * TLS negotiation should now be complete since all other cases
7906d49e1aeSJan Lentfer * needing more data should have been caught above based on
7916d49e1aeSJan Lentfer * the TLS Message Length field.
7926d49e1aeSJan Lentfer */
7936d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: No data to be sent out");
7943ff40c12SJohn Marino wpabuf_free(data->tls_out);
7956d49e1aeSJan Lentfer data->tls_out = NULL;
7966d49e1aeSJan Lentfer return 1;
7976d49e1aeSJan Lentfer }
7986d49e1aeSJan Lentfer
7996d49e1aeSJan Lentfer /* Send the pending message (in fragments, if needed). */
8006d49e1aeSJan Lentfer return eap_tls_process_output(data, eap_type, peap_version, id, ret,
8016d49e1aeSJan Lentfer out_data);
8026d49e1aeSJan Lentfer }
8036d49e1aeSJan Lentfer
8046d49e1aeSJan Lentfer
8056d49e1aeSJan Lentfer /**
8066d49e1aeSJan Lentfer * eap_peer_tls_build_ack - Build a TLS ACK frame
8076d49e1aeSJan Lentfer * @id: EAP identifier for the response
8086d49e1aeSJan Lentfer * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
8096d49e1aeSJan Lentfer * @peap_version: Version number for EAP-PEAP/TTLS
8106d49e1aeSJan Lentfer * Returns: Pointer to the allocated ACK frame or %NULL on failure
8116d49e1aeSJan Lentfer */
eap_peer_tls_build_ack(u8 id,EapType eap_type,int peap_version)8126d49e1aeSJan Lentfer struct wpabuf * eap_peer_tls_build_ack(u8 id, EapType eap_type,
8136d49e1aeSJan Lentfer int peap_version)
8146d49e1aeSJan Lentfer {
8156d49e1aeSJan Lentfer struct wpabuf *resp;
8166d49e1aeSJan Lentfer
8173ff40c12SJohn Marino resp = eap_tls_msg_alloc(eap_type, 1, EAP_CODE_RESPONSE, id);
8186d49e1aeSJan Lentfer if (resp == NULL)
8196d49e1aeSJan Lentfer return NULL;
8206d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: Building ACK (type=%d id=%d ver=%d)",
8216d49e1aeSJan Lentfer (int) eap_type, id, peap_version);
8226d49e1aeSJan Lentfer wpabuf_put_u8(resp, peap_version); /* Flags */
8236d49e1aeSJan Lentfer return resp;
8246d49e1aeSJan Lentfer }
8256d49e1aeSJan Lentfer
8266d49e1aeSJan Lentfer
8276d49e1aeSJan Lentfer /**
8286d49e1aeSJan Lentfer * eap_peer_tls_reauth_init - Re-initialize shared TLS for session resumption
8296d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
8306d49e1aeSJan Lentfer * @data: Data for TLS processing
8316d49e1aeSJan Lentfer * Returns: 0 on success, -1 on failure
8326d49e1aeSJan Lentfer */
eap_peer_tls_reauth_init(struct eap_sm * sm,struct eap_ssl_data * data)8336d49e1aeSJan Lentfer int eap_peer_tls_reauth_init(struct eap_sm *sm, struct eap_ssl_data *data)
8346d49e1aeSJan Lentfer {
8356d49e1aeSJan Lentfer eap_peer_tls_reset_input(data);
8366d49e1aeSJan Lentfer eap_peer_tls_reset_output(data);
8373ff40c12SJohn Marino return tls_connection_shutdown(data->ssl_ctx, data->conn);
8386d49e1aeSJan Lentfer }
8396d49e1aeSJan Lentfer
8406d49e1aeSJan Lentfer
8416d49e1aeSJan Lentfer /**
8426d49e1aeSJan Lentfer * eap_peer_tls_status - Get TLS status
8436d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
8446d49e1aeSJan Lentfer * @data: Data for TLS processing
8456d49e1aeSJan Lentfer * @buf: Buffer for status information
8466d49e1aeSJan Lentfer * @buflen: Maximum buffer length
8476d49e1aeSJan Lentfer * @verbose: Whether to include verbose status information
8486d49e1aeSJan Lentfer * Returns: Number of bytes written to buf.
8496d49e1aeSJan Lentfer */
eap_peer_tls_status(struct eap_sm * sm,struct eap_ssl_data * data,char * buf,size_t buflen,int verbose)8506d49e1aeSJan Lentfer int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data,
8516d49e1aeSJan Lentfer char *buf, size_t buflen, int verbose)
8526d49e1aeSJan Lentfer {
853*a1157835SDaniel Fojt char version[20], name[128];
8546d49e1aeSJan Lentfer int len = 0, ret;
8556d49e1aeSJan Lentfer
856*a1157835SDaniel Fojt if (tls_get_version(data->ssl_ctx, data->conn, version,
857*a1157835SDaniel Fojt sizeof(version)) < 0)
858*a1157835SDaniel Fojt version[0] = '\0';
859*a1157835SDaniel Fojt if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) < 0)
860*a1157835SDaniel Fojt name[0] = '\0';
861*a1157835SDaniel Fojt
8626d49e1aeSJan Lentfer ret = os_snprintf(buf + len, buflen - len,
863*a1157835SDaniel Fojt "eap_tls_version=%s\n"
864*a1157835SDaniel Fojt "EAP TLS cipher=%s\n"
865*a1157835SDaniel Fojt "tls_session_reused=%d\n",
866*a1157835SDaniel Fojt version, name,
867*a1157835SDaniel Fojt tls_connection_resumed(data->ssl_ctx, data->conn));
868*a1157835SDaniel Fojt if (os_snprintf_error(buflen - len, ret))
8696d49e1aeSJan Lentfer return len;
8706d49e1aeSJan Lentfer len += ret;
8716d49e1aeSJan Lentfer
8726d49e1aeSJan Lentfer return len;
8736d49e1aeSJan Lentfer }
8746d49e1aeSJan Lentfer
8756d49e1aeSJan Lentfer
8766d49e1aeSJan Lentfer /**
8776d49e1aeSJan Lentfer * eap_peer_tls_process_init - Initial validation/processing of EAP requests
8786d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
8796d49e1aeSJan Lentfer * @data: Data for TLS processing
8806d49e1aeSJan Lentfer * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
8816d49e1aeSJan Lentfer * @ret: Return values from EAP request validation and processing
8826d49e1aeSJan Lentfer * @reqData: EAP request to be processed (eapReqData)
8836d49e1aeSJan Lentfer * @len: Buffer for returning length of the remaining payload
8846d49e1aeSJan Lentfer * @flags: Buffer for returning TLS flags
8856d49e1aeSJan Lentfer * Returns: Pointer to payload after TLS flags and length or %NULL on failure
8866d49e1aeSJan Lentfer *
8876d49e1aeSJan Lentfer * This function validates the EAP header and processes the optional TLS
8886d49e1aeSJan Lentfer * Message Length field. If this is the first fragment of a TLS message, the
8896d49e1aeSJan Lentfer * TLS reassembly code is initialized to receive the indicated number of bytes.
8906d49e1aeSJan Lentfer *
8916d49e1aeSJan Lentfer * EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST methods are expected to use this
8926d49e1aeSJan Lentfer * function as the first step in processing received messages. They will need
8936d49e1aeSJan Lentfer * to process the flags (apart from Message Length Included) that are returned
8946d49e1aeSJan Lentfer * through the flags pointer and the message payload that will be returned (and
8956d49e1aeSJan Lentfer * the length is returned through the len pointer). Return values (ret) are set
8966d49e1aeSJan Lentfer * for continuation of EAP method processing. The caller is responsible for
8976d49e1aeSJan Lentfer * setting these to indicate completion (either success or failure) based on
8986d49e1aeSJan Lentfer * the authentication result.
8996d49e1aeSJan Lentfer */
eap_peer_tls_process_init(struct eap_sm * sm,struct eap_ssl_data * data,EapType eap_type,struct eap_method_ret * ret,const struct wpabuf * reqData,size_t * len,u8 * flags)9006d49e1aeSJan Lentfer const u8 * eap_peer_tls_process_init(struct eap_sm *sm,
9016d49e1aeSJan Lentfer struct eap_ssl_data *data,
9026d49e1aeSJan Lentfer EapType eap_type,
9036d49e1aeSJan Lentfer struct eap_method_ret *ret,
9046d49e1aeSJan Lentfer const struct wpabuf *reqData,
9056d49e1aeSJan Lentfer size_t *len, u8 *flags)
9066d49e1aeSJan Lentfer {
9076d49e1aeSJan Lentfer const u8 *pos;
9086d49e1aeSJan Lentfer size_t left;
9096d49e1aeSJan Lentfer unsigned int tls_msg_len;
9106d49e1aeSJan Lentfer
9113ff40c12SJohn Marino if (tls_get_errors(data->ssl_ctx)) {
9126d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: TLS errors detected");
9136d49e1aeSJan Lentfer ret->ignore = TRUE;
9146d49e1aeSJan Lentfer return NULL;
9156d49e1aeSJan Lentfer }
9166d49e1aeSJan Lentfer
9173ff40c12SJohn Marino if (eap_type == EAP_UNAUTH_TLS_TYPE)
9183ff40c12SJohn Marino pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS,
9193ff40c12SJohn Marino EAP_VENDOR_TYPE_UNAUTH_TLS, reqData,
9203ff40c12SJohn Marino &left);
921*a1157835SDaniel Fojt else if (eap_type == EAP_WFA_UNAUTH_TLS_TYPE)
922*a1157835SDaniel Fojt pos = eap_hdr_validate(EAP_VENDOR_WFA_NEW,
923*a1157835SDaniel Fojt EAP_VENDOR_WFA_UNAUTH_TLS, reqData,
924*a1157835SDaniel Fojt &left);
9253ff40c12SJohn Marino else
9263ff40c12SJohn Marino pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, reqData,
9273ff40c12SJohn Marino &left);
9286d49e1aeSJan Lentfer if (pos == NULL) {
9296d49e1aeSJan Lentfer ret->ignore = TRUE;
9306d49e1aeSJan Lentfer return NULL;
9316d49e1aeSJan Lentfer }
9326d49e1aeSJan Lentfer if (left == 0) {
9336d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: Invalid TLS message: no Flags "
9346d49e1aeSJan Lentfer "octet included");
9356d49e1aeSJan Lentfer if (!sm->workaround) {
9366d49e1aeSJan Lentfer ret->ignore = TRUE;
9376d49e1aeSJan Lentfer return NULL;
9386d49e1aeSJan Lentfer }
9396d49e1aeSJan Lentfer
9406d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: Workaround - assume no Flags "
9416d49e1aeSJan Lentfer "indicates ACK frame");
9426d49e1aeSJan Lentfer *flags = 0;
9436d49e1aeSJan Lentfer } else {
9446d49e1aeSJan Lentfer *flags = *pos++;
9456d49e1aeSJan Lentfer left--;
9466d49e1aeSJan Lentfer }
9476d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - "
9486d49e1aeSJan Lentfer "Flags 0x%02x", (unsigned long) wpabuf_len(reqData),
9496d49e1aeSJan Lentfer *flags);
9506d49e1aeSJan Lentfer if (*flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
9516d49e1aeSJan Lentfer if (left < 4) {
9526d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: Short frame with TLS "
9536d49e1aeSJan Lentfer "length");
9546d49e1aeSJan Lentfer ret->ignore = TRUE;
9556d49e1aeSJan Lentfer return NULL;
9566d49e1aeSJan Lentfer }
9576d49e1aeSJan Lentfer tls_msg_len = WPA_GET_BE32(pos);
9586d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d",
9596d49e1aeSJan Lentfer tls_msg_len);
9606d49e1aeSJan Lentfer if (data->tls_in_left == 0) {
9616d49e1aeSJan Lentfer data->tls_in_total = tls_msg_len;
9626d49e1aeSJan Lentfer data->tls_in_left = tls_msg_len;
9633ff40c12SJohn Marino wpabuf_free(data->tls_in);
9646d49e1aeSJan Lentfer data->tls_in = NULL;
9656d49e1aeSJan Lentfer }
9666d49e1aeSJan Lentfer pos += 4;
9676d49e1aeSJan Lentfer left -= 4;
9683ff40c12SJohn Marino
9693ff40c12SJohn Marino if (left > tls_msg_len) {
9703ff40c12SJohn Marino wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d "
9713ff40c12SJohn Marino "bytes) smaller than this fragment (%d "
9723ff40c12SJohn Marino "bytes)", (int) tls_msg_len, (int) left);
9733ff40c12SJohn Marino ret->ignore = TRUE;
9743ff40c12SJohn Marino return NULL;
9753ff40c12SJohn Marino }
9766d49e1aeSJan Lentfer }
9776d49e1aeSJan Lentfer
9786d49e1aeSJan Lentfer ret->ignore = FALSE;
9796d49e1aeSJan Lentfer ret->methodState = METHOD_MAY_CONT;
9806d49e1aeSJan Lentfer ret->decision = DECISION_FAIL;
9816d49e1aeSJan Lentfer ret->allowNotifications = TRUE;
9826d49e1aeSJan Lentfer
9836d49e1aeSJan Lentfer *len = left;
9846d49e1aeSJan Lentfer return pos;
9856d49e1aeSJan Lentfer }
9866d49e1aeSJan Lentfer
9876d49e1aeSJan Lentfer
9886d49e1aeSJan Lentfer /**
9896d49e1aeSJan Lentfer * eap_peer_tls_reset_input - Reset input buffers
9906d49e1aeSJan Lentfer * @data: Data for TLS processing
9916d49e1aeSJan Lentfer *
9926d49e1aeSJan Lentfer * This function frees any allocated memory for input buffers and resets input
9936d49e1aeSJan Lentfer * state.
9946d49e1aeSJan Lentfer */
eap_peer_tls_reset_input(struct eap_ssl_data * data)9956d49e1aeSJan Lentfer void eap_peer_tls_reset_input(struct eap_ssl_data *data)
9966d49e1aeSJan Lentfer {
9973ff40c12SJohn Marino data->tls_in_left = data->tls_in_total = 0;
9983ff40c12SJohn Marino wpabuf_free(data->tls_in);
9996d49e1aeSJan Lentfer data->tls_in = NULL;
10006d49e1aeSJan Lentfer }
10016d49e1aeSJan Lentfer
10026d49e1aeSJan Lentfer
10036d49e1aeSJan Lentfer /**
10046d49e1aeSJan Lentfer * eap_peer_tls_reset_output - Reset output buffers
10056d49e1aeSJan Lentfer * @data: Data for TLS processing
10066d49e1aeSJan Lentfer *
10076d49e1aeSJan Lentfer * This function frees any allocated memory for output buffers and resets
10086d49e1aeSJan Lentfer * output state.
10096d49e1aeSJan Lentfer */
eap_peer_tls_reset_output(struct eap_ssl_data * data)10106d49e1aeSJan Lentfer void eap_peer_tls_reset_output(struct eap_ssl_data *data)
10116d49e1aeSJan Lentfer {
10126d49e1aeSJan Lentfer data->tls_out_pos = 0;
10133ff40c12SJohn Marino wpabuf_free(data->tls_out);
10146d49e1aeSJan Lentfer data->tls_out = NULL;
10156d49e1aeSJan Lentfer }
10166d49e1aeSJan Lentfer
10176d49e1aeSJan Lentfer
10186d49e1aeSJan Lentfer /**
10196d49e1aeSJan Lentfer * eap_peer_tls_decrypt - Decrypt received phase 2 TLS message
10206d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
10216d49e1aeSJan Lentfer * @data: Data for TLS processing
10226d49e1aeSJan Lentfer * @in_data: Message received from the server
10236d49e1aeSJan Lentfer * @in_decrypted: Buffer for returning a pointer to the decrypted message
10246d49e1aeSJan Lentfer * Returns: 0 on success, 1 if more input data is needed, or -1 on failure
10256d49e1aeSJan Lentfer */
eap_peer_tls_decrypt(struct eap_sm * sm,struct eap_ssl_data * data,const struct wpabuf * in_data,struct wpabuf ** in_decrypted)10266d49e1aeSJan Lentfer int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
10276d49e1aeSJan Lentfer const struct wpabuf *in_data,
10286d49e1aeSJan Lentfer struct wpabuf **in_decrypted)
10296d49e1aeSJan Lentfer {
10303ff40c12SJohn Marino const struct wpabuf *msg;
10316d49e1aeSJan Lentfer int need_more_input;
10326d49e1aeSJan Lentfer
10333ff40c12SJohn Marino msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input);
10346d49e1aeSJan Lentfer if (msg == NULL)
10356d49e1aeSJan Lentfer return need_more_input ? 1 : -1;
10366d49e1aeSJan Lentfer
10373ff40c12SJohn Marino *in_decrypted = tls_connection_decrypt(data->ssl_ctx, data->conn, msg);
10383ff40c12SJohn Marino eap_peer_tls_reset_input(data);
10396d49e1aeSJan Lentfer if (*in_decrypted == NULL) {
10406d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: Failed to decrypt Phase 2 data");
10416d49e1aeSJan Lentfer return -1;
10426d49e1aeSJan Lentfer }
10436d49e1aeSJan Lentfer return 0;
10446d49e1aeSJan Lentfer }
10456d49e1aeSJan Lentfer
10466d49e1aeSJan Lentfer
10476d49e1aeSJan Lentfer /**
10486d49e1aeSJan Lentfer * eap_peer_tls_encrypt - Encrypt phase 2 TLS message
10496d49e1aeSJan Lentfer * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
10506d49e1aeSJan Lentfer * @data: Data for TLS processing
10516d49e1aeSJan Lentfer * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
10526d49e1aeSJan Lentfer * @peap_version: Version number for EAP-PEAP/TTLS
10536d49e1aeSJan Lentfer * @id: EAP identifier for the response
10546d49e1aeSJan Lentfer * @in_data: Plaintext phase 2 data to encrypt or %NULL to continue fragments
10556d49e1aeSJan Lentfer * @out_data: Buffer for returning a pointer to the encrypted response message
10566d49e1aeSJan Lentfer * Returns: 0 on success, -1 on failure
10576d49e1aeSJan Lentfer */
eap_peer_tls_encrypt(struct eap_sm * sm,struct eap_ssl_data * data,EapType eap_type,int peap_version,u8 id,const struct wpabuf * in_data,struct wpabuf ** out_data)10586d49e1aeSJan Lentfer int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data,
10596d49e1aeSJan Lentfer EapType eap_type, int peap_version, u8 id,
10606d49e1aeSJan Lentfer const struct wpabuf *in_data,
10616d49e1aeSJan Lentfer struct wpabuf **out_data)
10626d49e1aeSJan Lentfer {
10636d49e1aeSJan Lentfer if (in_data) {
10646d49e1aeSJan Lentfer eap_peer_tls_reset_output(data);
10653ff40c12SJohn Marino data->tls_out = tls_connection_encrypt(data->ssl_ctx,
10663ff40c12SJohn Marino data->conn, in_data);
10673ff40c12SJohn Marino if (data->tls_out == NULL) {
10686d49e1aeSJan Lentfer wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 "
10696d49e1aeSJan Lentfer "data (in_len=%lu)",
10706d49e1aeSJan Lentfer (unsigned long) wpabuf_len(in_data));
10716d49e1aeSJan Lentfer eap_peer_tls_reset_output(data);
10726d49e1aeSJan Lentfer return -1;
10736d49e1aeSJan Lentfer }
10746d49e1aeSJan Lentfer }
10756d49e1aeSJan Lentfer
10766d49e1aeSJan Lentfer return eap_tls_process_output(data, eap_type, peap_version, id, 0,
10776d49e1aeSJan Lentfer out_data);
10786d49e1aeSJan Lentfer }
10796d49e1aeSJan Lentfer
10806d49e1aeSJan Lentfer
10816d49e1aeSJan Lentfer /**
10826d49e1aeSJan Lentfer * eap_peer_select_phase2_methods - Select phase 2 EAP method
10836d49e1aeSJan Lentfer * @config: Pointer to the network configuration
10846d49e1aeSJan Lentfer * @prefix: 'phase2' configuration prefix, e.g., "auth="
10856d49e1aeSJan Lentfer * @types: Buffer for returning allocated list of allowed EAP methods
10866d49e1aeSJan Lentfer * @num_types: Buffer for returning number of allocated EAP methods
10876d49e1aeSJan Lentfer * Returns: 0 on success, -1 on failure
10886d49e1aeSJan Lentfer *
10896d49e1aeSJan Lentfer * This function is used to parse EAP method list and select allowed methods
10906d49e1aeSJan Lentfer * for Phase2 authentication.
10916d49e1aeSJan Lentfer */
eap_peer_select_phase2_methods(struct eap_peer_config * config,const char * prefix,struct eap_method_type ** types,size_t * num_types)10926d49e1aeSJan Lentfer int eap_peer_select_phase2_methods(struct eap_peer_config *config,
10936d49e1aeSJan Lentfer const char *prefix,
10946d49e1aeSJan Lentfer struct eap_method_type **types,
10956d49e1aeSJan Lentfer size_t *num_types)
10966d49e1aeSJan Lentfer {
10976d49e1aeSJan Lentfer char *start, *pos, *buf;
10986d49e1aeSJan Lentfer struct eap_method_type *methods = NULL, *_methods;
1099*a1157835SDaniel Fojt u32 method;
11006d49e1aeSJan Lentfer size_t num_methods = 0, prefix_len;
11016d49e1aeSJan Lentfer
11026d49e1aeSJan Lentfer if (config == NULL || config->phase2 == NULL)
11036d49e1aeSJan Lentfer goto get_defaults;
11046d49e1aeSJan Lentfer
11056d49e1aeSJan Lentfer start = buf = os_strdup(config->phase2);
11066d49e1aeSJan Lentfer if (buf == NULL)
11076d49e1aeSJan Lentfer return -1;
11086d49e1aeSJan Lentfer
11096d49e1aeSJan Lentfer prefix_len = os_strlen(prefix);
11106d49e1aeSJan Lentfer
11116d49e1aeSJan Lentfer while (start && *start != '\0') {
11126d49e1aeSJan Lentfer int vendor;
11136d49e1aeSJan Lentfer pos = os_strstr(start, prefix);
11146d49e1aeSJan Lentfer if (pos == NULL)
11156d49e1aeSJan Lentfer break;
11166d49e1aeSJan Lentfer if (start != pos && *(pos - 1) != ' ') {
11176d49e1aeSJan Lentfer start = pos + prefix_len;
11186d49e1aeSJan Lentfer continue;
11196d49e1aeSJan Lentfer }
11206d49e1aeSJan Lentfer
11216d49e1aeSJan Lentfer start = pos + prefix_len;
11226d49e1aeSJan Lentfer pos = os_strchr(start, ' ');
11236d49e1aeSJan Lentfer if (pos)
11246d49e1aeSJan Lentfer *pos++ = '\0';
11256d49e1aeSJan Lentfer method = eap_get_phase2_type(start, &vendor);
11266d49e1aeSJan Lentfer if (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE) {
11276d49e1aeSJan Lentfer wpa_printf(MSG_ERROR, "TLS: Unsupported Phase2 EAP "
11286d49e1aeSJan Lentfer "method '%s'", start);
1129*a1157835SDaniel Fojt os_free(methods);
1130*a1157835SDaniel Fojt os_free(buf);
1131*a1157835SDaniel Fojt return -1;
11326d49e1aeSJan Lentfer } else {
11336d49e1aeSJan Lentfer num_methods++;
11343ff40c12SJohn Marino _methods = os_realloc_array(methods, num_methods,
11353ff40c12SJohn Marino sizeof(*methods));
11366d49e1aeSJan Lentfer if (_methods == NULL) {
11376d49e1aeSJan Lentfer os_free(methods);
11386d49e1aeSJan Lentfer os_free(buf);
11396d49e1aeSJan Lentfer return -1;
11406d49e1aeSJan Lentfer }
11416d49e1aeSJan Lentfer methods = _methods;
11426d49e1aeSJan Lentfer methods[num_methods - 1].vendor = vendor;
11436d49e1aeSJan Lentfer methods[num_methods - 1].method = method;
11446d49e1aeSJan Lentfer }
11456d49e1aeSJan Lentfer
11466d49e1aeSJan Lentfer start = pos;
11476d49e1aeSJan Lentfer }
11486d49e1aeSJan Lentfer
11496d49e1aeSJan Lentfer os_free(buf);
11506d49e1aeSJan Lentfer
11516d49e1aeSJan Lentfer get_defaults:
11526d49e1aeSJan Lentfer if (methods == NULL)
11536d49e1aeSJan Lentfer methods = eap_get_phase2_types(config, &num_methods);
11546d49e1aeSJan Lentfer
11556d49e1aeSJan Lentfer if (methods == NULL) {
11566d49e1aeSJan Lentfer wpa_printf(MSG_ERROR, "TLS: No Phase2 EAP methods available");
11576d49e1aeSJan Lentfer return -1;
11586d49e1aeSJan Lentfer }
11596d49e1aeSJan Lentfer wpa_hexdump(MSG_DEBUG, "TLS: Phase2 EAP types",
11606d49e1aeSJan Lentfer (u8 *) methods,
11616d49e1aeSJan Lentfer num_methods * sizeof(struct eap_method_type));
11626d49e1aeSJan Lentfer
11636d49e1aeSJan Lentfer *types = methods;
11646d49e1aeSJan Lentfer *num_types = num_methods;
11656d49e1aeSJan Lentfer
11666d49e1aeSJan Lentfer return 0;
11676d49e1aeSJan Lentfer }
11686d49e1aeSJan Lentfer
11696d49e1aeSJan Lentfer
11706d49e1aeSJan Lentfer /**
11716d49e1aeSJan Lentfer * eap_peer_tls_phase2_nak - Generate EAP-Nak for Phase 2
11726d49e1aeSJan Lentfer * @types: Buffer for returning allocated list of allowed EAP methods
11736d49e1aeSJan Lentfer * @num_types: Buffer for returning number of allocated EAP methods
11746d49e1aeSJan Lentfer * @hdr: EAP-Request header (and the following EAP type octet)
11756d49e1aeSJan Lentfer * @resp: Buffer for returning the EAP-Nak message
11766d49e1aeSJan Lentfer * Returns: 0 on success, -1 on failure
11776d49e1aeSJan Lentfer */
eap_peer_tls_phase2_nak(struct eap_method_type * types,size_t num_types,struct eap_hdr * hdr,struct wpabuf ** resp)11786d49e1aeSJan Lentfer int eap_peer_tls_phase2_nak(struct eap_method_type *types, size_t num_types,
11796d49e1aeSJan Lentfer struct eap_hdr *hdr, struct wpabuf **resp)
11806d49e1aeSJan Lentfer {
11816d49e1aeSJan Lentfer u8 *pos = (u8 *) (hdr + 1);
11826d49e1aeSJan Lentfer size_t i;
11836d49e1aeSJan Lentfer
11846d49e1aeSJan Lentfer /* TODO: add support for expanded Nak */
11856d49e1aeSJan Lentfer wpa_printf(MSG_DEBUG, "TLS: Phase 2 Request: Nak type=%d", *pos);
11866d49e1aeSJan Lentfer wpa_hexdump(MSG_DEBUG, "TLS: Allowed Phase2 EAP types",
11876d49e1aeSJan Lentfer (u8 *) types, num_types * sizeof(struct eap_method_type));
11886d49e1aeSJan Lentfer *resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_NAK, num_types,
11896d49e1aeSJan Lentfer EAP_CODE_RESPONSE, hdr->identifier);
11906d49e1aeSJan Lentfer if (*resp == NULL)
11916d49e1aeSJan Lentfer return -1;
11926d49e1aeSJan Lentfer
11936d49e1aeSJan Lentfer for (i = 0; i < num_types; i++) {
11946d49e1aeSJan Lentfer if (types[i].vendor == EAP_VENDOR_IETF &&
11956d49e1aeSJan Lentfer types[i].method < 256)
11966d49e1aeSJan Lentfer wpabuf_put_u8(*resp, types[i].method);
11976d49e1aeSJan Lentfer }
11986d49e1aeSJan Lentfer
11996d49e1aeSJan Lentfer eap_update_len(*resp);
12006d49e1aeSJan Lentfer
12016d49e1aeSJan Lentfer return 0;
12026d49e1aeSJan Lentfer }
1203