1 /* 2 * EAP-TLS/PEAP/TTLS/FAST server common functions 3 * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "eap_i.h" 15 #include "eap_tls_common.h" 16 17 18 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data); 19 20 21 struct wpabuf * eap_tls_msg_alloc(enum eap_type type, size_t payload_len, 22 u8 code, u8 identifier) 23 { 24 if (type == EAP_UNAUTH_TLS_TYPE) 25 return eap_msg_alloc(EAP_VENDOR_UNAUTH_TLS, 26 EAP_VENDOR_TYPE_UNAUTH_TLS, payload_len, 27 code, identifier); 28 else if (type == EAP_WFA_UNAUTH_TLS_TYPE) 29 return eap_msg_alloc(EAP_VENDOR_WFA_NEW, 30 EAP_VENDOR_WFA_UNAUTH_TLS, payload_len, 31 code, identifier); 32 return eap_msg_alloc(EAP_VENDOR_IETF, type, payload_len, code, 33 identifier); 34 } 35 36 37 #ifdef CONFIG_TLS_INTERNAL 38 static void eap_server_tls_log_cb(void *ctx, const char *msg) 39 { 40 struct eap_sm *sm = ctx; 41 eap_log_msg(sm, "TLS: %s", msg); 42 } 43 #endif /* CONFIG_TLS_INTERNAL */ 44 45 46 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, 47 int verify_peer, int eap_type) 48 { 49 u8 session_ctx[8]; 50 unsigned int flags = sm->cfg->tls_flags; 51 52 if (!sm->cfg->ssl_ctx) { 53 wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method"); 54 return -1; 55 } 56 57 data->eap = sm; 58 data->phase2 = sm->init_phase2; 59 60 data->conn = tls_connection_init(sm->cfg->ssl_ctx); 61 if (data->conn == NULL) { 62 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS " 63 "connection"); 64 return -1; 65 } 66 67 #ifdef CONFIG_TLS_INTERNAL 68 tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm); 69 #ifdef CONFIG_TESTING_OPTIONS 70 tls_connection_set_test_flags(data->conn, sm->tls_test_flags); 71 #endif /* CONFIG_TESTING_OPTIONS */ 72 #endif /* CONFIG_TLS_INTERNAL */ 73 74 if (eap_type != EAP_TYPE_FAST) 75 flags |= TLS_CONN_DISABLE_SESSION_TICKET; 76 os_memcpy(session_ctx, "hostapd", 7); 77 session_ctx[7] = (u8) eap_type; 78 if (tls_connection_set_verify(sm->cfg->ssl_ctx, data->conn, verify_peer, 79 flags, session_ctx, 80 sizeof(session_ctx))) { 81 wpa_printf(MSG_INFO, "SSL: Failed to configure verification " 82 "of TLS peer certificate"); 83 tls_connection_deinit(sm->cfg->ssl_ctx, data->conn); 84 data->conn = NULL; 85 return -1; 86 } 87 88 data->tls_out_limit = sm->cfg->fragment_size > 0 ? 89 sm->cfg->fragment_size : 1398; 90 if (data->phase2) { 91 /* Limit the fragment size in the inner TLS authentication 92 * since the outer authentication with EAP-PEAP does not yet 93 * support fragmentation */ 94 if (data->tls_out_limit > 100) 95 data->tls_out_limit -= 100; 96 } 97 98 #ifdef CONFIG_TESTING_OPTIONS 99 data->skip_prot_success = sm->cfg->skip_prot_success; 100 #endif /* CONFIG_TESTING_OPTIONS */ 101 102 return 0; 103 } 104 105 106 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) 107 { 108 tls_connection_deinit(sm->cfg->ssl_ctx, data->conn); 109 eap_server_tls_free_in_buf(data); 110 wpabuf_free(data->tls_out); 111 data->tls_out = NULL; 112 } 113 114 115 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, 116 const char *label, const u8 *context, 117 size_t context_len, size_t len) 118 { 119 u8 *out; 120 121 out = os_malloc(len); 122 if (out == NULL) 123 return NULL; 124 125 if (tls_connection_export_key(sm->cfg->ssl_ctx, data->conn, label, 126 context, context_len, out, len)) { 127 os_free(out); 128 return NULL; 129 } 130 131 return out; 132 } 133 134 135 /** 136 * eap_server_tls_derive_session_id - Derive a Session-Id based on TLS data 137 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 138 * @data: Data for TLS processing 139 * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST) 140 * @len: Pointer to length of the session ID generated 141 * Returns: Pointer to allocated Session-Id on success or %NULL on failure 142 * 143 * This function derive the Session-Id based on the TLS session data 144 * (client/server random and method type). 145 * 146 * The caller is responsible for freeing the returned buffer. 147 */ 148 u8 * eap_server_tls_derive_session_id(struct eap_sm *sm, 149 struct eap_ssl_data *data, u8 eap_type, 150 size_t *len) 151 { 152 struct tls_random keys; 153 u8 *out; 154 155 if (data->tls_v13) { 156 u8 *id, *method_id; 157 const u8 context[] = { eap_type }; 158 159 /* Session-Id = <EAP-Type> || Method-Id 160 * Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id", 161 * Type-Code, 64) 162 */ 163 *len = 1 + 64; 164 id = os_malloc(*len); 165 if (!id) 166 return NULL; 167 method_id = eap_server_tls_derive_key( 168 sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64); 169 if (!method_id) { 170 os_free(id); 171 return NULL; 172 } 173 id[0] = eap_type; 174 os_memcpy(id + 1, method_id, 64); 175 os_free(method_id); 176 return id; 177 } 178 179 if (tls_connection_get_random(sm->cfg->ssl_ctx, data->conn, &keys)) 180 return NULL; 181 182 if (keys.client_random == NULL || keys.server_random == NULL) 183 return NULL; 184 185 *len = 1 + keys.client_random_len + keys.server_random_len; 186 out = os_malloc(*len); 187 if (out == NULL) 188 return NULL; 189 190 /* Session-Id = EAP type || client.random || server.random */ 191 out[0] = eap_type; 192 os_memcpy(out + 1, keys.client_random, keys.client_random_len); 193 os_memcpy(out + 1 + keys.client_random_len, keys.server_random, 194 keys.server_random_len); 195 196 return out; 197 } 198 199 200 struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data, 201 int eap_type, int version, u8 id) 202 { 203 struct wpabuf *req; 204 u8 flags; 205 size_t send_len, plen; 206 207 wpa_printf(MSG_DEBUG, "SSL: Generating Request"); 208 if (data->tls_out == NULL) { 209 wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__); 210 return NULL; 211 } 212 213 flags = version; 214 send_len = wpabuf_len(data->tls_out) - data->tls_out_pos; 215 if (1 + send_len > data->tls_out_limit) { 216 send_len = data->tls_out_limit - 1; 217 flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS; 218 if (data->tls_out_pos == 0) { 219 flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED; 220 send_len -= 4; 221 } 222 } 223 224 plen = 1 + send_len; 225 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 226 plen += 4; 227 228 req = eap_tls_msg_alloc(eap_type, plen, EAP_CODE_REQUEST, id); 229 if (req == NULL) 230 return NULL; 231 232 wpabuf_put_u8(req, flags); /* Flags */ 233 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 234 wpabuf_put_be32(req, wpabuf_len(data->tls_out)); 235 236 wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos, 237 send_len); 238 data->tls_out_pos += send_len; 239 240 if (data->tls_out_pos == wpabuf_len(data->tls_out)) { 241 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes " 242 "(message sent completely)", 243 (unsigned long) send_len); 244 wpabuf_free(data->tls_out); 245 data->tls_out = NULL; 246 data->tls_out_pos = 0; 247 data->state = MSG; 248 } else { 249 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes " 250 "(%lu more to send)", (unsigned long) send_len, 251 (unsigned long) wpabuf_len(data->tls_out) - 252 data->tls_out_pos); 253 data->state = WAIT_FRAG_ACK; 254 } 255 256 return req; 257 } 258 259 260 struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version) 261 { 262 struct wpabuf *req; 263 264 req = eap_tls_msg_alloc(eap_type, 1, EAP_CODE_REQUEST, id); 265 if (req == NULL) 266 return NULL; 267 wpa_printf(MSG_DEBUG, "SSL: Building ACK"); 268 wpabuf_put_u8(req, version); /* Flags */ 269 return req; 270 } 271 272 273 static int eap_server_tls_process_cont(struct eap_ssl_data *data, 274 const u8 *buf, size_t len) 275 { 276 /* Process continuation of a pending message */ 277 if (len > wpabuf_tailroom(data->tls_in)) { 278 wpa_printf(MSG_DEBUG, "SSL: Fragment overflow"); 279 return -1; 280 } 281 282 wpabuf_put_data(data->tls_in, buf, len); 283 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu " 284 "bytes more", (unsigned long) len, 285 (unsigned long) wpabuf_tailroom(data->tls_in)); 286 287 return 0; 288 } 289 290 291 static int eap_server_tls_process_fragment(struct eap_ssl_data *data, 292 u8 flags, u32 message_length, 293 const u8 *buf, size_t len) 294 { 295 /* Process a fragment that is not the last one of the message */ 296 if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) { 297 wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a " 298 "fragmented packet"); 299 return -1; 300 } 301 302 if (data->tls_in == NULL) { 303 /* First fragment of the message */ 304 305 /* Limit length to avoid rogue peers from causing large 306 * memory allocations. */ 307 if (message_length > 65536) { 308 wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size" 309 " over 64 kB)"); 310 return -1; 311 } 312 if (len > message_length) { 313 wpa_printf(MSG_INFO, "SSL: Too much data (%zu bytes) " 314 "in first fragment of frame (TLS Message " 315 "Length %u bytes)", len, message_length); 316 return -1; 317 } 318 319 if (len > message_length) { 320 wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " 321 "first fragment of frame (TLS Message " 322 "Length %d bytes)", 323 (int) len, (int) message_length); 324 return -1; 325 } 326 327 data->tls_in = wpabuf_alloc(message_length); 328 if (data->tls_in == NULL) { 329 wpa_printf(MSG_DEBUG, "SSL: No memory for message"); 330 return -1; 331 } 332 wpabuf_put_data(data->tls_in, buf, len); 333 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first " 334 "fragment, waiting for %lu bytes more", 335 (unsigned long) len, 336 (unsigned long) wpabuf_tailroom(data->tls_in)); 337 } 338 339 return 0; 340 } 341 342 343 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data) 344 { 345 char buf[20]; 346 347 if (data->tls_out) { 348 /* This should not happen.. */ 349 wpa_printf(MSG_INFO, "SSL: pending tls_out data when " 350 "processing new message"); 351 wpabuf_free(data->tls_out); 352 WPA_ASSERT(data->tls_out == NULL); 353 } 354 355 data->tls_out = tls_connection_server_handshake(sm->cfg->ssl_ctx, 356 data->conn, 357 data->tls_in, NULL); 358 if (data->tls_out == NULL) { 359 wpa_printf(MSG_INFO, "SSL: TLS processing failed"); 360 return -1; 361 } 362 if (tls_connection_get_failed(sm->cfg->ssl_ctx, data->conn)) { 363 /* TLS processing has failed - return error */ 364 wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to " 365 "report error"); 366 return -1; 367 } 368 369 if (tls_get_version(sm->cfg->ssl_ctx, data->conn, 370 buf, sizeof(buf)) == 0) { 371 wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf); 372 data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0; 373 } 374 375 if (!sm->serial_num && 376 tls_connection_established(sm->cfg->ssl_ctx, data->conn)) 377 sm->serial_num = tls_connection_peer_serial_num( 378 sm->cfg->ssl_ctx, data->conn); 379 380 /* 381 * RFC 9190 Section 2.5 382 * 383 * We need to signal the other end that TLS negotiation is done. We 384 * can't send a zero-length application data message, so we send 385 * application data which is one byte of zero. 386 * 387 * Note this is only done for when there is no application data to be 388 * sent. So this is done always for EAP-TLS but notably not for PEAP 389 * even on resumption. 390 */ 391 if (data->tls_v13 && 392 tls_connection_established(sm->cfg->ssl_ctx, data->conn)) { 393 struct wpabuf *plain, *encr; 394 395 switch (sm->currentMethod) { 396 case EAP_TYPE_PEAP: 397 break; 398 default: 399 if (!tls_connection_resumed(sm->cfg->ssl_ctx, 400 data->conn)) 401 break; 402 /* fallthrough */ 403 case EAP_TYPE_TLS: 404 #ifdef CONFIG_TESTING_OPTIONS 405 if (data->skip_prot_success) { 406 wpa_printf(MSG_INFO, 407 "TESTING: Do not send protected success indication"); 408 break; 409 } 410 #endif /* CONFIG_TESTING_OPTIONS */ 411 wpa_printf(MSG_DEBUG, 412 "EAP-TLS: Send protected success indication (appl data 0x00)"); 413 414 plain = wpabuf_alloc(1); 415 if (!plain) 416 return -1; 417 wpabuf_put_u8(plain, 0); 418 encr = eap_server_tls_encrypt(sm, data, plain); 419 wpabuf_free(plain); 420 if (!encr) 421 return -1; 422 if (wpabuf_resize(&data->tls_out, wpabuf_len(encr)) < 0) 423 { 424 wpa_printf(MSG_INFO, 425 "EAP-TLS: Failed to resize output buffer"); 426 wpabuf_free(encr); 427 return -1; 428 } 429 wpabuf_put_buf(data->tls_out, encr); 430 wpa_hexdump_buf(MSG_DEBUG, 431 "EAP-TLS: Data appended to the message", 432 encr); 433 wpabuf_free(encr); 434 } 435 } 436 437 return 0; 438 } 439 440 441 static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags, 442 const u8 **pos, size_t *left) 443 { 444 unsigned int tls_msg_len = 0; 445 const u8 *end = *pos + *left; 446 447 wpa_hexdump(MSG_MSGDUMP, "SSL: Received data", *pos, *left); 448 449 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) { 450 if (*left < 4) { 451 wpa_printf(MSG_INFO, "SSL: Short frame with TLS " 452 "length"); 453 return -1; 454 } 455 tls_msg_len = WPA_GET_BE32(*pos); 456 wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d", 457 tls_msg_len); 458 *pos += 4; 459 *left -= 4; 460 461 if (*left > tls_msg_len) { 462 wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d " 463 "bytes) smaller than this fragment (%d " 464 "bytes)", (int) tls_msg_len, (int) *left); 465 return -1; 466 } 467 } 468 469 wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x " 470 "Message Length %u", flags, tls_msg_len); 471 472 if (data->state == WAIT_FRAG_ACK) { 473 if (*left != 0) { 474 wpa_printf(MSG_DEBUG, "SSL: Unexpected payload in " 475 "WAIT_FRAG_ACK state"); 476 return -1; 477 } 478 wpa_printf(MSG_DEBUG, "SSL: Fragment acknowledged"); 479 return 1; 480 } 481 482 if (data->tls_in && 483 eap_server_tls_process_cont(data, *pos, end - *pos) < 0) 484 return -1; 485 486 if (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) { 487 if (eap_server_tls_process_fragment(data, flags, tls_msg_len, 488 *pos, end - *pos) < 0) 489 return -1; 490 491 data->state = FRAG_ACK; 492 return 1; 493 } 494 495 if (data->state == FRAG_ACK) { 496 wpa_printf(MSG_DEBUG, "SSL: All fragments received"); 497 data->state = MSG; 498 } 499 500 if (data->tls_in == NULL) { 501 /* Wrap unfragmented messages as wpabuf without extra copy */ 502 wpabuf_set(&data->tmpbuf, *pos, end - *pos); 503 data->tls_in = &data->tmpbuf; 504 } 505 506 return 0; 507 } 508 509 510 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data) 511 { 512 if (data->tls_in != &data->tmpbuf) 513 wpabuf_free(data->tls_in); 514 data->tls_in = NULL; 515 } 516 517 518 struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm, 519 struct eap_ssl_data *data, 520 const struct wpabuf *plain) 521 { 522 struct wpabuf *buf; 523 524 buf = tls_connection_encrypt(sm->cfg->ssl_ctx, data->conn, plain); 525 if (buf == NULL) { 526 wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data"); 527 return NULL; 528 } 529 530 return buf; 531 } 532 533 534 int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data, 535 struct wpabuf *respData, void *priv, int eap_type, 536 int (*proc_version)(struct eap_sm *sm, void *priv, 537 int peer_version), 538 void (*proc_msg)(struct eap_sm *sm, void *priv, 539 const struct wpabuf *respData)) 540 { 541 const u8 *pos; 542 u8 flags; 543 size_t left; 544 int ret, res = 0; 545 546 if (eap_type == EAP_UNAUTH_TLS_TYPE) 547 pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS, 548 EAP_VENDOR_TYPE_UNAUTH_TLS, respData, 549 &left); 550 else if (eap_type == EAP_WFA_UNAUTH_TLS_TYPE) 551 pos = eap_hdr_validate(EAP_VENDOR_WFA_NEW, 552 EAP_VENDOR_WFA_UNAUTH_TLS, respData, 553 &left); 554 else 555 pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData, 556 &left); 557 if (pos == NULL || left < 1) 558 return 0; /* Should not happen - frame already validated */ 559 flags = *pos++; 560 left--; 561 wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x", 562 (unsigned long) wpabuf_len(respData), flags); 563 564 if (proc_version && 565 proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0) 566 return -1; 567 568 ret = eap_server_tls_reassemble(data, flags, &pos, &left); 569 if (ret < 0) { 570 res = -1; 571 goto done; 572 } else if (ret == 1) 573 return 0; 574 575 if (proc_msg) 576 proc_msg(sm, priv, respData); 577 578 if (tls_connection_get_write_alerts(sm->cfg->ssl_ctx, data->conn) > 1) { 579 wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in " 580 "TLS processing"); 581 res = -1; 582 } 583 584 done: 585 eap_server_tls_free_in_buf(data); 586 587 return res; 588 } 589