1 /* 2 * EAP-FAST server (RFC 4851) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/aes_wrap.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "crypto/random.h" 22 #include "eap_common/eap_tlv_common.h" 23 #include "eap_common/eap_fast_common.h" 24 #include "eap_i.h" 25 #include "eap_tls_common.h" 26 27 28 static void eap_fast_reset(struct eap_sm *sm, void *priv); 29 30 31 /* Private PAC-Opaque TLV types */ 32 #define PAC_OPAQUE_TYPE_PAD 0 33 #define PAC_OPAQUE_TYPE_KEY 1 34 #define PAC_OPAQUE_TYPE_LIFETIME 2 35 #define PAC_OPAQUE_TYPE_IDENTITY 3 36 37 struct eap_fast_data { 38 struct eap_ssl_data ssl; 39 enum { 40 START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD, 41 CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE 42 } state; 43 44 int fast_version; 45 const struct eap_method *phase2_method; 46 void *phase2_priv; 47 int force_version; 48 int peer_version; 49 50 u8 crypto_binding_nonce[32]; 51 int final_result; 52 53 struct eap_fast_key_block_provisioning *key_block_p; 54 55 u8 simck[EAP_FAST_SIMCK_LEN]; 56 u8 cmk[EAP_FAST_CMK_LEN]; 57 int simck_idx; 58 59 u8 pac_opaque_encr[16]; 60 u8 *srv_id; 61 size_t srv_id_len; 62 char *srv_id_info; 63 64 int anon_provisioning; 65 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 66 struct wpabuf *pending_phase2_resp; 67 u8 *identity; /* from PAC-Opaque */ 68 size_t identity_len; 69 int eap_seq; 70 int tnc_started; 71 72 int pac_key_lifetime; 73 int pac_key_refresh_time; 74 }; 75 76 77 static int eap_fast_process_phase2_start(struct eap_sm *sm, 78 struct eap_fast_data *data); 79 80 81 static const char * eap_fast_state_txt(int state) 82 { 83 switch (state) { 84 case START: 85 return "START"; 86 case PHASE1: 87 return "PHASE1"; 88 case PHASE2_START: 89 return "PHASE2_START"; 90 case PHASE2_ID: 91 return "PHASE2_ID"; 92 case PHASE2_METHOD: 93 return "PHASE2_METHOD"; 94 case CRYPTO_BINDING: 95 return "CRYPTO_BINDING"; 96 case REQUEST_PAC: 97 return "REQUEST_PAC"; 98 case SUCCESS: 99 return "SUCCESS"; 100 case FAILURE: 101 return "FAILURE"; 102 default: 103 return "Unknown?!"; 104 } 105 } 106 107 108 static void eap_fast_state(struct eap_fast_data *data, int state) 109 { 110 wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s", 111 eap_fast_state_txt(data->state), 112 eap_fast_state_txt(state)); 113 data->state = state; 114 } 115 116 117 static EapType eap_fast_req_failure(struct eap_sm *sm, 118 struct eap_fast_data *data) 119 { 120 /* TODO: send Result TLV(FAILURE) */ 121 eap_fast_state(data, FAILURE); 122 return EAP_TYPE_NONE; 123 } 124 125 126 static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 127 const u8 *client_random, 128 const u8 *server_random, 129 u8 *master_secret) 130 { 131 struct eap_fast_data *data = ctx; 132 const u8 *pac_opaque; 133 size_t pac_opaque_len; 134 u8 *buf, *pos, *end, *pac_key = NULL; 135 os_time_t lifetime = 0; 136 struct os_time now; 137 u8 *identity = NULL; 138 size_t identity_len = 0; 139 140 wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback"); 141 wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)", 142 ticket, len); 143 144 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 145 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid " 146 "SessionTicket"); 147 return 0; 148 } 149 150 pac_opaque_len = WPA_GET_BE16(ticket + 2); 151 pac_opaque = ticket + 4; 152 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 153 pac_opaque_len > len - 4) { 154 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque " 155 "(len=%lu left=%lu)", 156 (unsigned long) pac_opaque_len, 157 (unsigned long) len); 158 return 0; 159 } 160 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque", 161 pac_opaque, pac_opaque_len); 162 163 buf = os_malloc(pac_opaque_len - 8); 164 if (buf == NULL) { 165 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory " 166 "for decrypting PAC-Opaque"); 167 return 0; 168 } 169 170 if (aes_unwrap(data->pac_opaque_encr, (pac_opaque_len - 8) / 8, 171 pac_opaque, buf) < 0) { 172 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt " 173 "PAC-Opaque"); 174 os_free(buf); 175 /* 176 * This may have been caused by server changing the PAC-Opaque 177 * encryption key, so just ignore this PAC-Opaque instead of 178 * failing the authentication completely. Provisioning can now 179 * be used to provision a new PAC. 180 */ 181 return 0; 182 } 183 184 end = buf + pac_opaque_len - 8; 185 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque", 186 buf, end - buf); 187 188 pos = buf; 189 while (pos + 1 < end) { 190 if (pos + 2 + pos[1] > end) 191 break; 192 193 switch (*pos) { 194 case PAC_OPAQUE_TYPE_PAD: 195 pos = end; 196 break; 197 case PAC_OPAQUE_TYPE_KEY: 198 if (pos[1] != EAP_FAST_PAC_KEY_LEN) { 199 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 200 "PAC-Key length %d", pos[1]); 201 os_free(buf); 202 return -1; 203 } 204 pac_key = pos + 2; 205 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from " 206 "decrypted PAC-Opaque", 207 pac_key, EAP_FAST_PAC_KEY_LEN); 208 break; 209 case PAC_OPAQUE_TYPE_LIFETIME: 210 if (pos[1] != 4) { 211 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid " 212 "PAC-Key lifetime length %d", 213 pos[1]); 214 os_free(buf); 215 return -1; 216 } 217 lifetime = WPA_GET_BE32(pos + 2); 218 break; 219 case PAC_OPAQUE_TYPE_IDENTITY: 220 identity = pos + 2; 221 identity_len = pos[1]; 222 break; 223 } 224 225 pos += 2 + pos[1]; 226 } 227 228 if (pac_key == NULL) { 229 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in " 230 "PAC-Opaque"); 231 os_free(buf); 232 return -1; 233 } 234 235 if (identity) { 236 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Identity from " 237 "PAC-Opaque", identity, identity_len); 238 os_free(data->identity); 239 data->identity = os_malloc(identity_len); 240 if (data->identity) { 241 os_memcpy(data->identity, identity, identity_len); 242 data->identity_len = identity_len; 243 } 244 } 245 246 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 247 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore " 248 "(lifetime=%ld now=%ld)", lifetime, now.sec); 249 data->send_new_pac = 2; 250 /* 251 * Allow PAC to be used to allow a PAC update with some level 252 * of server authentication (i.e., do not fall back to full TLS 253 * handshake since we cannot be sure that the peer would be 254 * able to validate server certificate now). However, reject 255 * the authentication since the PAC was not valid anymore. Peer 256 * can connect again with the newly provisioned PAC after this. 257 */ 258 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 259 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send " 260 "an update if authentication succeeds"); 261 data->send_new_pac = 1; 262 } 263 264 eap_fast_derive_master_secret(pac_key, server_random, client_random, 265 master_secret); 266 267 os_free(buf); 268 269 return 1; 270 } 271 272 273 static void eap_fast_derive_key_auth(struct eap_sm *sm, 274 struct eap_fast_data *data) 275 { 276 u8 *sks; 277 278 /* RFC 4851, Section 5.1: 279 * Extra key material after TLS key_block: session_key_seed[40] 280 */ 281 282 sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion", 283 EAP_FAST_SKS_LEN); 284 if (sks == NULL) { 285 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive " 286 "session_key_seed"); 287 return; 288 } 289 290 /* 291 * RFC 4851, Section 5.2: 292 * S-IMCK[0] = session_key_seed 293 */ 294 wpa_hexdump_key(MSG_DEBUG, 295 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 296 sks, EAP_FAST_SKS_LEN); 297 data->simck_idx = 0; 298 os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN); 299 os_free(sks); 300 } 301 302 303 static void eap_fast_derive_key_provisioning(struct eap_sm *sm, 304 struct eap_fast_data *data) 305 { 306 os_free(data->key_block_p); 307 data->key_block_p = (struct eap_fast_key_block_provisioning *) 308 eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, 309 "key expansion", 310 sizeof(*data->key_block_p)); 311 if (data->key_block_p == NULL) { 312 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block"); 313 return; 314 } 315 /* 316 * RFC 4851, Section 5.2: 317 * S-IMCK[0] = session_key_seed 318 */ 319 wpa_hexdump_key(MSG_DEBUG, 320 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])", 321 data->key_block_p->session_key_seed, 322 sizeof(data->key_block_p->session_key_seed)); 323 data->simck_idx = 0; 324 os_memcpy(data->simck, data->key_block_p->session_key_seed, 325 EAP_FAST_SIMCK_LEN); 326 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge", 327 data->key_block_p->server_challenge, 328 sizeof(data->key_block_p->server_challenge)); 329 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge", 330 data->key_block_p->client_challenge, 331 sizeof(data->key_block_p->client_challenge)); 332 } 333 334 335 static int eap_fast_get_phase2_key(struct eap_sm *sm, 336 struct eap_fast_data *data, 337 u8 *isk, size_t isk_len) 338 { 339 u8 *key; 340 size_t key_len; 341 342 os_memset(isk, 0, isk_len); 343 344 if (data->phase2_method == NULL || data->phase2_priv == NULL) { 345 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 346 "available"); 347 return -1; 348 } 349 350 if (data->phase2_method->getKey == NULL) 351 return 0; 352 353 if ((key = data->phase2_method->getKey(sm, data->phase2_priv, 354 &key_len)) == NULL) { 355 wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material " 356 "from Phase 2"); 357 return -1; 358 } 359 360 if (key_len > isk_len) 361 key_len = isk_len; 362 if (key_len == 32 && 363 data->phase2_method->vendor == EAP_VENDOR_IETF && 364 data->phase2_method->method == EAP_TYPE_MSCHAPV2) { 365 /* 366 * EAP-FAST uses reverse order for MS-MPPE keys when deriving 367 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct 368 * ISK for EAP-FAST cryptobinding. 369 */ 370 os_memcpy(isk, key + 16, 16); 371 os_memcpy(isk + 16, key, 16); 372 } else 373 os_memcpy(isk, key, key_len); 374 os_free(key); 375 376 return 0; 377 } 378 379 380 static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data) 381 { 382 u8 isk[32], imck[60]; 383 384 wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)", 385 data->simck_idx + 1); 386 387 /* 388 * RFC 4851, Section 5.2: 389 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", 390 * MSK[j], 60) 391 * S-IMCK[j] = first 40 octets of IMCK[j] 392 * CMK[j] = last 20 octets of IMCK[j] 393 */ 394 395 if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0) 396 return -1; 397 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk)); 398 sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN, 399 "Inner Methods Compound Keys", 400 isk, sizeof(isk), imck, sizeof(imck)); 401 data->simck_idx++; 402 os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN); 403 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]", 404 data->simck, EAP_FAST_SIMCK_LEN); 405 os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, EAP_FAST_CMK_LEN); 406 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", 407 data->cmk, EAP_FAST_CMK_LEN); 408 409 return 0; 410 } 411 412 413 static void * eap_fast_init(struct eap_sm *sm) 414 { 415 struct eap_fast_data *data; 416 u8 ciphers[5] = { 417 TLS_CIPHER_ANON_DH_AES128_SHA, 418 TLS_CIPHER_AES128_SHA, 419 TLS_CIPHER_RSA_DHE_AES128_SHA, 420 TLS_CIPHER_RC4_SHA, 421 TLS_CIPHER_NONE 422 }; 423 424 data = os_zalloc(sizeof(*data)); 425 if (data == NULL) 426 return NULL; 427 data->fast_version = EAP_FAST_VERSION; 428 data->force_version = -1; 429 if (sm->user && sm->user->force_version >= 0) { 430 data->force_version = sm->user->force_version; 431 wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d", 432 data->force_version); 433 data->fast_version = data->force_version; 434 } 435 data->state = START; 436 437 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 438 wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL."); 439 eap_fast_reset(sm, data); 440 return NULL; 441 } 442 443 if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn, 444 ciphers) < 0) { 445 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher " 446 "suites"); 447 eap_fast_reset(sm, data); 448 return NULL; 449 } 450 451 if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, 452 eap_fast_session_ticket_cb, 453 data) < 0) { 454 wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket " 455 "callback"); 456 eap_fast_reset(sm, data); 457 return NULL; 458 } 459 460 if (sm->pac_opaque_encr_key == NULL) { 461 wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key " 462 "configured"); 463 eap_fast_reset(sm, data); 464 return NULL; 465 } 466 os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, 467 sizeof(data->pac_opaque_encr)); 468 469 if (sm->eap_fast_a_id == NULL) { 470 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured"); 471 eap_fast_reset(sm, data); 472 return NULL; 473 } 474 data->srv_id = os_malloc(sm->eap_fast_a_id_len); 475 if (data->srv_id == NULL) { 476 eap_fast_reset(sm, data); 477 return NULL; 478 } 479 os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len); 480 data->srv_id_len = sm->eap_fast_a_id_len; 481 482 if (sm->eap_fast_a_id_info == NULL) { 483 wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured"); 484 eap_fast_reset(sm, data); 485 return NULL; 486 } 487 data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); 488 if (data->srv_id_info == NULL) { 489 eap_fast_reset(sm, data); 490 return NULL; 491 } 492 493 /* PAC-Key lifetime in seconds (hard limit) */ 494 data->pac_key_lifetime = sm->pac_key_lifetime; 495 496 /* 497 * PAC-Key refresh time in seconds (soft limit on remaining hard 498 * limit). The server will generate a new PAC-Key when this number of 499 * seconds (or fewer) of the lifetime remains. 500 */ 501 data->pac_key_refresh_time = sm->pac_key_refresh_time; 502 503 return data; 504 } 505 506 507 static void eap_fast_reset(struct eap_sm *sm, void *priv) 508 { 509 struct eap_fast_data *data = priv; 510 if (data == NULL) 511 return; 512 if (data->phase2_priv && data->phase2_method) 513 data->phase2_method->reset(sm, data->phase2_priv); 514 eap_server_tls_ssl_deinit(sm, &data->ssl); 515 os_free(data->srv_id); 516 os_free(data->srv_id_info); 517 os_free(data->key_block_p); 518 wpabuf_free(data->pending_phase2_resp); 519 os_free(data->identity); 520 os_free(data); 521 } 522 523 524 static struct wpabuf * eap_fast_build_start(struct eap_sm *sm, 525 struct eap_fast_data *data, u8 id) 526 { 527 struct wpabuf *req; 528 529 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST, 530 1 + sizeof(struct pac_tlv_hdr) + data->srv_id_len, 531 EAP_CODE_REQUEST, id); 532 if (req == NULL) { 533 wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for" 534 " request"); 535 eap_fast_state(data, FAILURE); 536 return NULL; 537 } 538 539 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version); 540 541 /* RFC 4851, 4.1.1. Authority ID Data */ 542 eap_fast_put_tlv(req, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 543 544 eap_fast_state(data, PHASE1); 545 546 return req; 547 } 548 549 550 static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data) 551 { 552 char cipher[64]; 553 554 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2"); 555 556 if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) 557 < 0) { 558 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher " 559 "information"); 560 eap_fast_state(data, FAILURE); 561 return -1; 562 } 563 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 564 565 if (data->anon_provisioning) { 566 wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning"); 567 eap_fast_derive_key_provisioning(sm, data); 568 } else 569 eap_fast_derive_key_auth(sm, data); 570 571 eap_fast_state(data, PHASE2_START); 572 573 return 0; 574 } 575 576 577 static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm, 578 struct eap_fast_data *data, 579 u8 id) 580 { 581 struct wpabuf *req; 582 583 if (data->phase2_priv == NULL) { 584 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not " 585 "initialized"); 586 return NULL; 587 } 588 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 589 if (req == NULL) 590 return NULL; 591 592 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req); 593 return eap_fast_tlv_eap_payload(req); 594 } 595 596 597 static struct wpabuf * eap_fast_build_crypto_binding( 598 struct eap_sm *sm, struct eap_fast_data *data) 599 { 600 struct wpabuf *buf; 601 struct eap_tlv_result_tlv *result; 602 struct eap_tlv_crypto_binding_tlv *binding; 603 604 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*binding)); 605 if (buf == NULL) 606 return NULL; 607 608 if (data->send_new_pac || data->anon_provisioning || 609 data->phase2_method) 610 data->final_result = 0; 611 else 612 data->final_result = 1; 613 614 if (!data->final_result || data->eap_seq > 1) { 615 /* Intermediate-Result */ 616 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Intermediate-Result TLV " 617 "(status=SUCCESS)"); 618 result = wpabuf_put(buf, sizeof(*result)); 619 result->tlv_type = host_to_be16( 620 EAP_TLV_TYPE_MANDATORY | 621 EAP_TLV_INTERMEDIATE_RESULT_TLV); 622 result->length = host_to_be16(2); 623 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 624 } 625 626 if (data->final_result) { 627 /* Result TLV */ 628 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV " 629 "(status=SUCCESS)"); 630 result = wpabuf_put(buf, sizeof(*result)); 631 result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 632 EAP_TLV_RESULT_TLV); 633 result->length = host_to_be16(2); 634 result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS); 635 } 636 637 /* Crypto-Binding TLV */ 638 binding = wpabuf_put(buf, sizeof(*binding)); 639 binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 640 EAP_TLV_CRYPTO_BINDING_TLV); 641 binding->length = host_to_be16(sizeof(*binding) - 642 sizeof(struct eap_tlv_hdr)); 643 binding->version = EAP_FAST_VERSION; 644 binding->received_version = data->peer_version; 645 binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; 646 if (random_get_bytes(binding->nonce, sizeof(binding->nonce)) < 0) { 647 wpabuf_free(buf); 648 return NULL; 649 } 650 651 /* 652 * RFC 4851, Section 4.2.8: 653 * The nonce in a request MUST have its least significant bit set to 0. 654 */ 655 binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01; 656 657 os_memcpy(data->crypto_binding_nonce, binding->nonce, 658 sizeof(binding->nonce)); 659 660 /* 661 * RFC 4851, Section 5.3: 662 * CMK = CMK[j] 663 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV ) 664 */ 665 666 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, 667 (u8 *) binding, sizeof(*binding), 668 binding->compound_mac); 669 670 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d " 671 "Received Version %d SubType %d", 672 binding->version, binding->received_version, 673 binding->subtype); 674 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 675 binding->nonce, sizeof(binding->nonce)); 676 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 677 binding->compound_mac, sizeof(binding->compound_mac)); 678 679 return buf; 680 } 681 682 683 static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm, 684 struct eap_fast_data *data) 685 { 686 u8 pac_key[EAP_FAST_PAC_KEY_LEN]; 687 u8 *pac_buf, *pac_opaque; 688 struct wpabuf *buf; 689 u8 *pos; 690 size_t buf_len, srv_id_info_len, pac_len; 691 struct eap_tlv_hdr *pac_tlv; 692 struct pac_tlv_hdr *pac_info; 693 struct eap_tlv_result_tlv *result; 694 struct os_time now; 695 696 if (random_get_bytes(pac_key, EAP_FAST_PAC_KEY_LEN) < 0 || 697 os_get_time(&now) < 0) 698 return NULL; 699 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key", 700 pac_key, EAP_FAST_PAC_KEY_LEN); 701 702 pac_len = (2 + EAP_FAST_PAC_KEY_LEN) + (2 + 4) + 703 (2 + sm->identity_len) + 8; 704 pac_buf = os_malloc(pac_len); 705 if (pac_buf == NULL) 706 return NULL; 707 708 srv_id_info_len = os_strlen(data->srv_id_info); 709 710 pos = pac_buf; 711 *pos++ = PAC_OPAQUE_TYPE_KEY; 712 *pos++ = EAP_FAST_PAC_KEY_LEN; 713 os_memcpy(pos, pac_key, EAP_FAST_PAC_KEY_LEN); 714 pos += EAP_FAST_PAC_KEY_LEN; 715 716 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 717 *pos++ = 4; 718 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 719 pos += 4; 720 721 if (sm->identity) { 722 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 723 *pos++ = sm->identity_len; 724 os_memcpy(pos, sm->identity, sm->identity_len); 725 pos += sm->identity_len; 726 } 727 728 pac_len = pos - pac_buf; 729 while (pac_len % 8) { 730 *pos++ = PAC_OPAQUE_TYPE_PAD; 731 pac_len++; 732 } 733 734 pac_opaque = os_malloc(pac_len + 8); 735 if (pac_opaque == NULL) { 736 os_free(pac_buf); 737 return NULL; 738 } 739 if (aes_wrap(data->pac_opaque_encr, pac_len / 8, pac_buf, 740 pac_opaque) < 0) { 741 os_free(pac_buf); 742 os_free(pac_opaque); 743 return NULL; 744 } 745 os_free(pac_buf); 746 747 pac_len += 8; 748 wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque", 749 pac_opaque, pac_len); 750 751 buf_len = sizeof(*pac_tlv) + 752 sizeof(struct pac_tlv_hdr) + EAP_FAST_PAC_KEY_LEN + 753 sizeof(struct pac_tlv_hdr) + pac_len + 754 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 755 buf = wpabuf_alloc(buf_len); 756 if (buf == NULL) { 757 os_free(pac_opaque); 758 return NULL; 759 } 760 761 /* Result TLV */ 762 wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)"); 763 result = wpabuf_put(buf, sizeof(*result)); 764 WPA_PUT_BE16((u8 *) &result->tlv_type, 765 EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV); 766 WPA_PUT_BE16((u8 *) &result->length, 2); 767 WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS); 768 769 /* PAC TLV */ 770 wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV"); 771 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 772 pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 773 EAP_TLV_PAC_TLV); 774 775 /* PAC-Key */ 776 eap_fast_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_FAST_PAC_KEY_LEN); 777 778 /* PAC-Opaque */ 779 eap_fast_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 780 os_free(pac_opaque); 781 782 /* PAC-Info */ 783 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 784 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 785 786 /* PAC-Lifetime (inside PAC-Info) */ 787 eap_fast_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 788 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 789 790 /* A-ID (inside PAC-Info) */ 791 eap_fast_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 792 793 /* Note: headers may be misaligned after A-ID */ 794 795 if (sm->identity) { 796 eap_fast_put_tlv(buf, PAC_TYPE_I_ID, sm->identity, 797 sm->identity_len); 798 } 799 800 /* A-ID-Info (inside PAC-Info) */ 801 eap_fast_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 802 srv_id_info_len); 803 804 /* PAC-Type (inside PAC-Info) */ 805 eap_fast_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 806 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 807 808 /* Update PAC-Info and PAC TLV Length fields */ 809 pos = wpabuf_put(buf, 0); 810 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 811 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 812 813 return buf; 814 } 815 816 817 static int eap_fast_encrypt_phase2(struct eap_sm *sm, 818 struct eap_fast_data *data, 819 struct wpabuf *plain, int piggyback) 820 { 821 struct wpabuf *encr; 822 823 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs", 824 plain); 825 encr = eap_server_tls_encrypt(sm, &data->ssl, plain); 826 wpabuf_free(plain); 827 828 if (data->ssl.tls_out && piggyback) { 829 wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data " 830 "(len=%d) with last Phase 1 Message (len=%d " 831 "used=%d)", 832 (int) wpabuf_len(encr), 833 (int) wpabuf_len(data->ssl.tls_out), 834 (int) data->ssl.tls_out_pos); 835 if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) { 836 wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize " 837 "output buffer"); 838 wpabuf_free(encr); 839 return -1; 840 } 841 wpabuf_put_buf(data->ssl.tls_out, encr); 842 wpabuf_free(encr); 843 } else { 844 wpabuf_free(data->ssl.tls_out); 845 data->ssl.tls_out_pos = 0; 846 data->ssl.tls_out = encr; 847 } 848 849 return 0; 850 } 851 852 853 static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id) 854 { 855 struct eap_fast_data *data = priv; 856 struct wpabuf *req = NULL; 857 int piggyback = 0; 858 859 if (data->ssl.state == FRAG_ACK) { 860 return eap_server_tls_build_ack(id, EAP_TYPE_FAST, 861 data->fast_version); 862 } 863 864 if (data->ssl.state == WAIT_FRAG_ACK) { 865 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 866 data->fast_version, id); 867 } 868 869 switch (data->state) { 870 case START: 871 return eap_fast_build_start(sm, data, id); 872 case PHASE1: 873 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 874 if (eap_fast_phase1_done(sm, data) < 0) 875 return NULL; 876 if (data->state == PHASE2_START) { 877 /* 878 * Try to generate Phase 2 data to piggyback 879 * with the end of Phase 1 to avoid extra 880 * roundtrip. 881 */ 882 wpa_printf(MSG_DEBUG, "EAP-FAST: Try to start " 883 "Phase 2"); 884 if (eap_fast_process_phase2_start(sm, data)) 885 break; 886 req = eap_fast_build_phase2_req(sm, data, id); 887 piggyback = 1; 888 } 889 } 890 break; 891 case PHASE2_ID: 892 case PHASE2_METHOD: 893 req = eap_fast_build_phase2_req(sm, data, id); 894 break; 895 case CRYPTO_BINDING: 896 req = eap_fast_build_crypto_binding(sm, data); 897 if (data->phase2_method) { 898 /* 899 * Include the start of the next EAP method in the 900 * sequence in the same message with Crypto-Binding to 901 * save a round-trip. 902 */ 903 struct wpabuf *eap; 904 eap = eap_fast_build_phase2_req(sm, data, id); 905 req = wpabuf_concat(req, eap); 906 eap_fast_state(data, PHASE2_METHOD); 907 } 908 break; 909 case REQUEST_PAC: 910 req = eap_fast_build_pac(sm, data); 911 break; 912 default: 913 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 914 __func__, data->state); 915 return NULL; 916 } 917 918 if (req && 919 eap_fast_encrypt_phase2(sm, data, req, piggyback) < 0) 920 return NULL; 921 922 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_FAST, 923 data->fast_version, id); 924 } 925 926 927 static Boolean eap_fast_check(struct eap_sm *sm, void *priv, 928 struct wpabuf *respData) 929 { 930 const u8 *pos; 931 size_t len; 932 933 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len); 934 if (pos == NULL || len < 1) { 935 wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame"); 936 return TRUE; 937 } 938 939 return FALSE; 940 } 941 942 943 static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data, 944 EapType eap_type) 945 { 946 if (data->phase2_priv && data->phase2_method) { 947 data->phase2_method->reset(sm, data->phase2_priv); 948 data->phase2_method = NULL; 949 data->phase2_priv = NULL; 950 } 951 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 952 eap_type); 953 if (!data->phase2_method) 954 return -1; 955 956 if (data->key_block_p) { 957 sm->auth_challenge = data->key_block_p->server_challenge; 958 sm->peer_challenge = data->key_block_p->client_challenge; 959 } 960 sm->init_phase2 = 1; 961 data->phase2_priv = data->phase2_method->init(sm); 962 sm->init_phase2 = 0; 963 sm->auth_challenge = NULL; 964 sm->peer_challenge = NULL; 965 966 return data->phase2_priv == NULL ? -1 : 0; 967 } 968 969 970 static void eap_fast_process_phase2_response(struct eap_sm *sm, 971 struct eap_fast_data *data, 972 u8 *in_data, size_t in_len) 973 { 974 u8 next_type = EAP_TYPE_NONE; 975 struct eap_hdr *hdr; 976 u8 *pos; 977 size_t left; 978 struct wpabuf buf; 979 const struct eap_method *m = data->phase2_method; 980 void *priv = data->phase2_priv; 981 982 if (priv == NULL) { 983 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not " 984 "initialized?!", __func__); 985 return; 986 } 987 988 hdr = (struct eap_hdr *) in_data; 989 pos = (u8 *) (hdr + 1); 990 991 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 992 left = in_len - sizeof(*hdr); 993 wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; " 994 "allowed types", pos + 1, left - 1); 995 #ifdef EAP_SERVER_TNC 996 if (m && m->vendor == EAP_VENDOR_IETF && 997 m->method == EAP_TYPE_TNC) { 998 wpa_printf(MSG_DEBUG, "EAP-FAST: Peer Nak'ed required " 999 "TNC negotiation"); 1000 next_type = eap_fast_req_failure(sm, data); 1001 eap_fast_phase2_init(sm, data, next_type); 1002 return; 1003 } 1004 #endif /* EAP_SERVER_TNC */ 1005 eap_sm_process_nak(sm, pos + 1, left - 1); 1006 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 1007 sm->user->methods[sm->user_eap_method_index].method != 1008 EAP_TYPE_NONE) { 1009 next_type = sm->user->methods[ 1010 sm->user_eap_method_index++].method; 1011 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", 1012 next_type); 1013 } else { 1014 next_type = eap_fast_req_failure(sm, data); 1015 } 1016 eap_fast_phase2_init(sm, data, next_type); 1017 return; 1018 } 1019 1020 wpabuf_set(&buf, in_data, in_len); 1021 1022 if (m->check(sm, priv, &buf)) { 1023 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to " 1024 "ignore the packet"); 1025 next_type = eap_fast_req_failure(sm, data); 1026 return; 1027 } 1028 1029 m->process(sm, priv, &buf); 1030 1031 if (!m->isDone(sm, priv)) 1032 return; 1033 1034 if (!m->isSuccess(sm, priv)) { 1035 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed"); 1036 next_type = eap_fast_req_failure(sm, data); 1037 eap_fast_phase2_init(sm, data, next_type); 1038 return; 1039 } 1040 1041 switch (data->state) { 1042 case PHASE2_ID: 1043 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1044 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 " 1045 "Identity not found in the user " 1046 "database", 1047 sm->identity, sm->identity_len); 1048 next_type = eap_fast_req_failure(sm, data); 1049 break; 1050 } 1051 1052 eap_fast_state(data, PHASE2_METHOD); 1053 if (data->anon_provisioning) { 1054 /* 1055 * Only EAP-MSCHAPv2 is allowed for anonymous 1056 * provisioning. 1057 */ 1058 next_type = EAP_TYPE_MSCHAPV2; 1059 sm->user_eap_method_index = 0; 1060 } else { 1061 next_type = sm->user->methods[0].method; 1062 sm->user_eap_method_index = 1; 1063 } 1064 wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", next_type); 1065 break; 1066 case PHASE2_METHOD: 1067 case CRYPTO_BINDING: 1068 eap_fast_update_icmk(sm, data); 1069 eap_fast_state(data, CRYPTO_BINDING); 1070 data->eap_seq++; 1071 next_type = EAP_TYPE_NONE; 1072 #ifdef EAP_SERVER_TNC 1073 if (sm->tnc && !data->tnc_started) { 1074 wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC"); 1075 next_type = EAP_TYPE_TNC; 1076 data->tnc_started = 1; 1077 } 1078 #endif /* EAP_SERVER_TNC */ 1079 break; 1080 case FAILURE: 1081 break; 1082 default: 1083 wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d", 1084 __func__, data->state); 1085 break; 1086 } 1087 1088 eap_fast_phase2_init(sm, data, next_type); 1089 } 1090 1091 1092 static void eap_fast_process_phase2_eap(struct eap_sm *sm, 1093 struct eap_fast_data *data, 1094 u8 *in_data, size_t in_len) 1095 { 1096 struct eap_hdr *hdr; 1097 size_t len; 1098 1099 hdr = (struct eap_hdr *) in_data; 1100 if (in_len < (int) sizeof(*hdr)) { 1101 wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 " 1102 "EAP frame (len=%lu)", (unsigned long) in_len); 1103 eap_fast_req_failure(sm, data); 1104 return; 1105 } 1106 len = be_to_host16(hdr->length); 1107 if (len > in_len) { 1108 wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in " 1109 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1110 (unsigned long) in_len, (unsigned long) len); 1111 eap_fast_req_failure(sm, data); 1112 return; 1113 } 1114 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d " 1115 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1116 (unsigned long) len); 1117 switch (hdr->code) { 1118 case EAP_CODE_RESPONSE: 1119 eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len); 1120 break; 1121 default: 1122 wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in " 1123 "Phase 2 EAP header", hdr->code); 1124 break; 1125 } 1126 } 1127 1128 1129 static int eap_fast_parse_tlvs(struct wpabuf *data, 1130 struct eap_fast_tlv_parse *tlv) 1131 { 1132 int mandatory, tlv_type, len, res; 1133 u8 *pos, *end; 1134 1135 os_memset(tlv, 0, sizeof(*tlv)); 1136 1137 pos = wpabuf_mhead(data); 1138 end = pos + wpabuf_len(data); 1139 while (pos + 4 < end) { 1140 mandatory = pos[0] & 0x80; 1141 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1142 pos += 2; 1143 len = WPA_GET_BE16(pos); 1144 pos += 2; 1145 if (pos + len > end) { 1146 wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); 1147 return -1; 1148 } 1149 wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " 1150 "TLV type %d length %d%s", 1151 tlv_type, len, mandatory ? " (mandatory)" : ""); 1152 1153 res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); 1154 if (res == -2) 1155 break; 1156 if (res < 0) { 1157 if (mandatory) { 1158 wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown " 1159 "mandatory TLV type %d", tlv_type); 1160 /* TODO: generate Nak TLV */ 1161 break; 1162 } else { 1163 wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored " 1164 "unknown optional TLV type %d", 1165 tlv_type); 1166 } 1167 } 1168 1169 pos += len; 1170 } 1171 1172 return 0; 1173 } 1174 1175 1176 static int eap_fast_validate_crypto_binding( 1177 struct eap_fast_data *data, struct eap_tlv_crypto_binding_tlv *b, 1178 size_t bind_len) 1179 { 1180 u8 cmac[SHA1_MAC_LEN]; 1181 1182 wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: " 1183 "Version %d Received Version %d SubType %d", 1184 b->version, b->received_version, b->subtype); 1185 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE", 1186 b->nonce, sizeof(b->nonce)); 1187 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC", 1188 b->compound_mac, sizeof(b->compound_mac)); 1189 1190 if (b->version != EAP_FAST_VERSION || 1191 b->received_version != EAP_FAST_VERSION) { 1192 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version " 1193 "in Crypto-Binding: version %d " 1194 "received_version %d", b->version, 1195 b->received_version); 1196 return -1; 1197 } 1198 1199 if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1200 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in " 1201 "Crypto-Binding: %d", b->subtype); 1202 return -1; 1203 } 1204 1205 if (os_memcmp(data->crypto_binding_nonce, b->nonce, 31) != 0 || 1206 (data->crypto_binding_nonce[31] | 1) != b->nonce[31]) { 1207 wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in " 1208 "Crypto-Binding"); 1209 return -1; 1210 } 1211 1212 os_memcpy(cmac, b->compound_mac, sizeof(cmac)); 1213 os_memset(b->compound_mac, 0, sizeof(cmac)); 1214 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for " 1215 "Compound MAC calculation", 1216 (u8 *) b, bind_len); 1217 hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, (u8 *) b, bind_len, 1218 b->compound_mac); 1219 if (os_memcmp(cmac, b->compound_mac, sizeof(cmac)) != 0) { 1220 wpa_hexdump(MSG_MSGDUMP, 1221 "EAP-FAST: Calculated Compound MAC", 1222 b->compound_mac, sizeof(cmac)); 1223 wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not " 1224 "match"); 1225 return -1; 1226 } 1227 1228 return 0; 1229 } 1230 1231 1232 static int eap_fast_pac_type(u8 *pac, size_t len, u16 type) 1233 { 1234 struct eap_tlv_pac_type_tlv *tlv; 1235 1236 if (pac == NULL || len != sizeof(*tlv)) 1237 return 0; 1238 1239 tlv = (struct eap_tlv_pac_type_tlv *) pac; 1240 1241 return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE && 1242 be_to_host16(tlv->length) == 2 && 1243 be_to_host16(tlv->pac_type) == type; 1244 } 1245 1246 1247 static void eap_fast_process_phase2_tlvs(struct eap_sm *sm, 1248 struct eap_fast_data *data, 1249 struct wpabuf *in_data) 1250 { 1251 struct eap_fast_tlv_parse tlv; 1252 int check_crypto_binding = data->state == CRYPTO_BINDING; 1253 1254 if (eap_fast_parse_tlvs(in_data, &tlv) < 0) { 1255 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received " 1256 "Phase 2 TLVs"); 1257 return; 1258 } 1259 1260 if (tlv.result == EAP_TLV_RESULT_FAILURE) { 1261 wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated " 1262 "failure"); 1263 eap_fast_state(data, FAILURE); 1264 return; 1265 } 1266 1267 if (data->state == REQUEST_PAC) { 1268 u16 type, len, res; 1269 if (tlv.pac == NULL || tlv.pac_len < 6) { 1270 wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC " 1271 "Acknowledgement received"); 1272 eap_fast_state(data, FAILURE); 1273 return; 1274 } 1275 1276 type = WPA_GET_BE16(tlv.pac); 1277 len = WPA_GET_BE16(tlv.pac + 2); 1278 res = WPA_GET_BE16(tlv.pac + 4); 1279 1280 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1281 res != EAP_TLV_RESULT_SUCCESS) { 1282 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not " 1283 "contain acknowledgement"); 1284 eap_fast_state(data, FAILURE); 1285 return; 1286 } 1287 1288 wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received " 1289 "- PAC provisioning succeeded"); 1290 eap_fast_state(data, (data->anon_provisioning || 1291 data->send_new_pac == 2) ? 1292 FAILURE : SUCCESS); 1293 return; 1294 } 1295 1296 if (check_crypto_binding) { 1297 if (tlv.crypto_binding == NULL) { 1298 wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding " 1299 "TLV received"); 1300 eap_fast_state(data, FAILURE); 1301 return; 1302 } 1303 1304 if (data->final_result && 1305 tlv.result != EAP_TLV_RESULT_SUCCESS) { 1306 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1307 "without Success Result"); 1308 eap_fast_state(data, FAILURE); 1309 return; 1310 } 1311 1312 if (!data->final_result && 1313 tlv.iresult != EAP_TLV_RESULT_SUCCESS) { 1314 wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV " 1315 "without intermediate Success Result"); 1316 eap_fast_state(data, FAILURE); 1317 return; 1318 } 1319 1320 if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding, 1321 tlv.crypto_binding_len)) { 1322 eap_fast_state(data, FAILURE); 1323 return; 1324 } 1325 1326 wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV " 1327 "received"); 1328 if (data->final_result) { 1329 wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication " 1330 "completed successfully"); 1331 } 1332 1333 if (data->anon_provisioning && 1334 sm->eap_fast_prov != ANON_PROV && 1335 sm->eap_fast_prov != BOTH_PROV) { 1336 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1337 "use unauthenticated provisioning which is " 1338 "disabled"); 1339 eap_fast_state(data, FAILURE); 1340 return; 1341 } 1342 1343 if (sm->eap_fast_prov != AUTH_PROV && 1344 sm->eap_fast_prov != BOTH_PROV && 1345 tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1346 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1347 PAC_TYPE_TUNNEL_PAC)) { 1348 wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to " 1349 "use authenticated provisioning which is " 1350 "disabled"); 1351 eap_fast_state(data, FAILURE); 1352 return; 1353 } 1354 1355 if (data->anon_provisioning || 1356 (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV && 1357 eap_fast_pac_type(tlv.pac, tlv.pac_len, 1358 PAC_TYPE_TUNNEL_PAC))) { 1359 wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new " 1360 "Tunnel PAC"); 1361 eap_fast_state(data, REQUEST_PAC); 1362 } else if (data->send_new_pac) { 1363 wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered " 1364 "re-keying of Tunnel PAC"); 1365 eap_fast_state(data, REQUEST_PAC); 1366 } else if (data->final_result) 1367 eap_fast_state(data, SUCCESS); 1368 } 1369 1370 if (tlv.eap_payload_tlv) { 1371 eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1372 tlv.eap_payload_tlv_len); 1373 } 1374 } 1375 1376 1377 static void eap_fast_process_phase2(struct eap_sm *sm, 1378 struct eap_fast_data *data, 1379 struct wpabuf *in_buf) 1380 { 1381 struct wpabuf *in_decrypted; 1382 1383 wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for" 1384 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 1385 1386 if (data->pending_phase2_resp) { 1387 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - " 1388 "skip decryption and use old data"); 1389 eap_fast_process_phase2_tlvs(sm, data, 1390 data->pending_phase2_resp); 1391 wpabuf_free(data->pending_phase2_resp); 1392 data->pending_phase2_resp = NULL; 1393 return; 1394 } 1395 1396 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1397 in_buf); 1398 if (in_decrypted == NULL) { 1399 wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 " 1400 "data"); 1401 eap_fast_state(data, FAILURE); 1402 return; 1403 } 1404 1405 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs", 1406 in_decrypted); 1407 1408 eap_fast_process_phase2_tlvs(sm, data, in_decrypted); 1409 1410 if (sm->method_pending == METHOD_PENDING_WAIT) { 1411 wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in " 1412 "pending wait state - save decrypted response"); 1413 wpabuf_free(data->pending_phase2_resp); 1414 data->pending_phase2_resp = in_decrypted; 1415 return; 1416 } 1417 1418 wpabuf_free(in_decrypted); 1419 } 1420 1421 1422 static int eap_fast_process_version(struct eap_sm *sm, void *priv, 1423 int peer_version) 1424 { 1425 struct eap_fast_data *data = priv; 1426 1427 data->peer_version = peer_version; 1428 1429 if (data->force_version >= 0 && peer_version != data->force_version) { 1430 wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced" 1431 " version (forced=%d peer=%d) - reject", 1432 data->force_version, peer_version); 1433 return -1; 1434 } 1435 1436 if (peer_version < data->fast_version) { 1437 wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; " 1438 "use version %d", 1439 peer_version, data->fast_version, peer_version); 1440 data->fast_version = peer_version; 1441 } 1442 1443 return 0; 1444 } 1445 1446 1447 static int eap_fast_process_phase1(struct eap_sm *sm, 1448 struct eap_fast_data *data) 1449 { 1450 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1451 wpa_printf(MSG_INFO, "EAP-FAST: TLS processing failed"); 1452 eap_fast_state(data, FAILURE); 1453 return -1; 1454 } 1455 1456 if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || 1457 wpabuf_len(data->ssl.tls_out) > 0) 1458 return 1; 1459 1460 /* 1461 * Phase 1 was completed with the received message (e.g., when using 1462 * abbreviated handshake), so Phase 2 can be started immediately 1463 * without having to send through an empty message to the peer. 1464 */ 1465 1466 return eap_fast_phase1_done(sm, data); 1467 } 1468 1469 1470 static int eap_fast_process_phase2_start(struct eap_sm *sm, 1471 struct eap_fast_data *data) 1472 { 1473 u8 next_type; 1474 1475 if (data->identity) { 1476 os_free(sm->identity); 1477 sm->identity = data->identity; 1478 data->identity = NULL; 1479 sm->identity_len = data->identity_len; 1480 data->identity_len = 0; 1481 sm->require_identity_match = 1; 1482 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1483 wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: " 1484 "Phase2 Identity not found " 1485 "in the user database", 1486 sm->identity, sm->identity_len); 1487 next_type = eap_fast_req_failure(sm, data); 1488 } else { 1489 wpa_printf(MSG_DEBUG, "EAP-FAST: Identity already " 1490 "known - skip Phase 2 Identity Request"); 1491 next_type = sm->user->methods[0].method; 1492 sm->user_eap_method_index = 1; 1493 } 1494 1495 eap_fast_state(data, PHASE2_METHOD); 1496 } else { 1497 eap_fast_state(data, PHASE2_ID); 1498 next_type = EAP_TYPE_IDENTITY; 1499 } 1500 1501 return eap_fast_phase2_init(sm, data, next_type); 1502 } 1503 1504 1505 static void eap_fast_process_msg(struct eap_sm *sm, void *priv, 1506 const struct wpabuf *respData) 1507 { 1508 struct eap_fast_data *data = priv; 1509 1510 switch (data->state) { 1511 case PHASE1: 1512 if (eap_fast_process_phase1(sm, data)) 1513 break; 1514 1515 /* fall through to PHASE2_START */ 1516 case PHASE2_START: 1517 eap_fast_process_phase2_start(sm, data); 1518 break; 1519 case PHASE2_ID: 1520 case PHASE2_METHOD: 1521 case CRYPTO_BINDING: 1522 case REQUEST_PAC: 1523 eap_fast_process_phase2(sm, data, data->ssl.tls_in); 1524 break; 1525 default: 1526 wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s", 1527 data->state, __func__); 1528 break; 1529 } 1530 } 1531 1532 1533 static void eap_fast_process(struct eap_sm *sm, void *priv, 1534 struct wpabuf *respData) 1535 { 1536 struct eap_fast_data *data = priv; 1537 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1538 EAP_TYPE_FAST, eap_fast_process_version, 1539 eap_fast_process_msg) < 0) 1540 eap_fast_state(data, FAILURE); 1541 } 1542 1543 1544 static Boolean eap_fast_isDone(struct eap_sm *sm, void *priv) 1545 { 1546 struct eap_fast_data *data = priv; 1547 return data->state == SUCCESS || data->state == FAILURE; 1548 } 1549 1550 1551 static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len) 1552 { 1553 struct eap_fast_data *data = priv; 1554 u8 *eapKeyData; 1555 1556 if (data->state != SUCCESS) 1557 return NULL; 1558 1559 eapKeyData = os_malloc(EAP_FAST_KEY_LEN); 1560 if (eapKeyData == NULL) 1561 return NULL; 1562 1563 eap_fast_derive_eap_msk(data->simck, eapKeyData); 1564 *len = EAP_FAST_KEY_LEN; 1565 1566 return eapKeyData; 1567 } 1568 1569 1570 static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1571 { 1572 struct eap_fast_data *data = priv; 1573 u8 *eapKeyData; 1574 1575 if (data->state != SUCCESS) 1576 return NULL; 1577 1578 eapKeyData = os_malloc(EAP_EMSK_LEN); 1579 if (eapKeyData == NULL) 1580 return NULL; 1581 1582 eap_fast_derive_eap_emsk(data->simck, eapKeyData); 1583 *len = EAP_EMSK_LEN; 1584 1585 return eapKeyData; 1586 } 1587 1588 1589 static Boolean eap_fast_isSuccess(struct eap_sm *sm, void *priv) 1590 { 1591 struct eap_fast_data *data = priv; 1592 return data->state == SUCCESS; 1593 } 1594 1595 1596 int eap_server_fast_register(void) 1597 { 1598 struct eap_method *eap; 1599 int ret; 1600 1601 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1602 EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST"); 1603 if (eap == NULL) 1604 return -1; 1605 1606 eap->init = eap_fast_init; 1607 eap->reset = eap_fast_reset; 1608 eap->buildReq = eap_fast_buildReq; 1609 eap->check = eap_fast_check; 1610 eap->process = eap_fast_process; 1611 eap->isDone = eap_fast_isDone; 1612 eap->getKey = eap_fast_getKey; 1613 eap->get_emsk = eap_fast_get_emsk; 1614 eap->isSuccess = eap_fast_isSuccess; 1615 1616 ret = eap_server_method_register(eap); 1617 if (ret) 1618 eap_server_method_free(eap); 1619 return ret; 1620 } 1621