← Back to branch summary

~ubuntu-branches/ubuntu/vivid/wpasupplicant/vivid

« back to all changes in this revision

Viewing changes to src/eap_server/eap_fast.c

  • Committer: Bazaar Package Importer
  • Author(s): Kel Modderman
  • Date: 2008-03-12 20:03:04 UTC
  • mfrom: (1.1.10 upstream)
  • mto: This revision was merged to the branch mainline in revision 4.
  • Revision ID: james.westby@ubuntu.com-20080312200304-4331y9wj46pdd34z
Tags: 0.6.3-1
http://bugs.debian.org/466910
* New upstream release.
* Drop patches applied upstream:
  - debian/patches/30_wpa_gui_qt4_eventhistoryui_rework.patch
  - debian/patches/31_wpa_gui_qt4_eventhistory_always_scrollbar.patch
  - debian/patches/32_wpa_gui_qt4_eventhistory_scroll_with_events.patch
  - debian/patches/40_dbus_ssid_data.patch
* Tidy up the clean target of debian/rules. Now that the madwifi headers are
  handled differently we no longer need to do any cleanup.
* Fix formatting error in debian/ifupdown/wpa_action.8 to make lintian
  quieter.
* Add patch to fix formatting errors in manpages build from sgml source. Use
  <emphasis> tags to hightlight keywords instead of surrounding them in
  strong quotes.
  - debian/patches/41_manpage_format_fixes.patch
* wpasupplicant binary package no longer suggests pcscd, guessnet, iproute
  or wireless-tools, nor does it recommend dhcp3-client. These are not
  needed.
* Add debian/patches/10_silence_siocsiwauth_icotl_failure.patch to disable
  ioctl failure messages that occur under normal conditions.
* Cherry pick two upstream git commits concerning the dbus interface:
  - debian/patches/11_avoid_dbus_version_namespace.patch
  - debian/patches/12_fix_potential_use_after_free.patch
* Add debian/patches/42_manpage_explain_available_drivers.patch to explain
  that not all of the driver backends are available in the provided
  wpa_supplicant binary, and that the canonical list of supported driver
  backends can be retrieved from the wpa_supplicant -h (help) output.
  (Closes: #466910)
* Add debian/patches/20_wpa_gui_qt4_disable_link_prl.patch to remove
  link_prl CONFIG compile flag added by qmake-qt4 >= 4.3.4-2 to avoid excess
  linking.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/eap_server/eap_fast.c
 
1
/*
 
2
 * EAP-FAST server (RFC 4851)
 
3
 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
 
4
 *
 
5
 * This program is free software; you can redistribute it and/or modify
 
6
 * it under the terms of the GNU General Public License version 2 as
 
7
 * published by the Free Software Foundation.
 
8
 *
 
9
 * Alternatively, this software may be distributed under the terms of BSD
 
10
 * license.
 
11
 *
 
12
 * See README and COPYING for more details.
 
13
 */
 
14
 
 
15
#include "includes.h"
 
16
 
 
17
#include "common.h"
 
18
#include "aes_wrap.h"
 
19
#include "sha1.h"
 
20
#include "eap_i.h"
 
21
#include "eap_tls_common.h"
 
22
#include "tls.h"
 
23
#include "eap_common/eap_tlv_common.h"
 
24
#include "eap_common/eap_fast_common.h"
 
25
 
 
26
 
 
27
static void eap_fast_reset(struct eap_sm *sm, void *priv);
 
28
 
 
29
 
 
30
/* Private PAC-Opaque TLV types */
 
31
#define PAC_OPAQUE_TYPE_PAD 0
 
32
#define PAC_OPAQUE_TYPE_KEY 1
 
33
#define PAC_OPAQUE_TYPE_LIFETIME 2
 
34
 
 
35
/* PAC-Key lifetime in seconds (hard limit) */
 
36
#define PAC_KEY_LIFETIME (7 * 24 * 60 * 60)
 
37
 
 
38
/*
 
39
 * PAC-Key refresh time in seconds (soft limit on remaining hard limit). The
 
40
 * server will generate a new PAC-Key when this number of seconds (or fewer)
 
41
 * of the lifetime.
 
42
 */
 
43
#define PAC_KEY_REFRESH_TIME (1 * 24 * 60 * 60)
 
44
 
 
45
 
 
46
struct eap_fast_data {
 
47
        struct eap_ssl_data ssl;
 
48
        enum {
 
49
                START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD,
 
50
                CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE
 
51
        } state;
 
52
 
 
53
        int fast_version;
 
54
        const struct eap_method *phase2_method;
 
55
        void *phase2_priv;
 
56
        int force_version;
 
57
        int peer_version;
 
58
 
 
59
        u8 crypto_binding_nonce[32];
 
60
        int final_result;
 
61
 
 
62
        struct eap_fast_key_block_provisioning *key_block_p;
 
63
 
 
64
        u8 simck[EAP_FAST_SIMCK_LEN];
 
65
        u8 cmk[20];
 
66
        int simck_idx;
 
67
 
 
68
        u8 pac_opaque_encr[16];
 
69
        char *srv_id;
 
70
 
 
71
        int anon_provisioning;
 
72
        int send_new_pac; /* server triggered re-keying of Tunnel PAC */
 
73
        struct wpabuf *pending_phase2_resp;
 
74
};
 
75
 
 
76
 
 
77
static const char * eap_fast_state_txt(int state)
 
78
{
 
79
        switch (state) {
 
80
        case START:
 
81
                return "START";
 
82
        case PHASE1:
 
83
                return "PHASE1";
 
84
        case PHASE2_START:
 
85
                return "PHASE2_START";
 
86
        case PHASE2_ID:
 
87
                return "PHASE2_ID";
 
88
        case PHASE2_METHOD:
 
89
                return "PHASE2_METHOD";
 
90
        case CRYPTO_BINDING:
 
91
                return "CRYPTO_BINDING";
 
92
        case REQUEST_PAC:
 
93
                return "REQUEST_PAC";
 
94
        case SUCCESS:
 
95
                return "SUCCESS";
 
96
        case FAILURE:
 
97
                return "FAILURE";
 
98
        default:
 
99
                return "Unknown?!";
 
100
        }
 
101
}
 
102
 
 
103
 
 
104
static void eap_fast_state(struct eap_fast_data *data, int state)
 
105
{
 
106
        wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s",
 
107
                   eap_fast_state_txt(data->state),
 
108
                   eap_fast_state_txt(state));
 
109
        data->state = state;
 
110
}
 
111
 
 
112
 
 
113
static EapType eap_fast_req_failure(struct eap_sm *sm,
 
114
                                    struct eap_fast_data *data)
 
115
{
 
116
        /* TODO: send Result TLV(FAILURE) */
 
117
        eap_fast_state(data, FAILURE);
 
118
        return EAP_TYPE_NONE;
 
119
}
 
120
 
 
121
 
 
122
static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
 
123
                                      const u8 *client_random,
 
124
                                      const u8 *server_random,
 
125
                                      u8 *master_secret)
 
126
{
 
127
        struct eap_fast_data *data = ctx;
 
128
#define TLS_RANDOM_LEN 32
 
129
#define TLS_MASTER_SECRET_LEN 48
 
130
        u8 seed[2 * TLS_RANDOM_LEN];
 
131
        const u8 *pac_opaque;
 
132
        size_t pac_opaque_len;
 
133
        u8 *buf, *pos, *end, *pac_key = NULL;
 
134
        os_time_t lifetime = 0;
 
135
        struct os_time now;
 
136
 
 
137
        wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback");
 
138
        wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)",
 
139
                    ticket, len);
 
140
        wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
 
141
                    client_random, TLS_RANDOM_LEN);
 
142
        wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
 
143
                    server_random, TLS_RANDOM_LEN);
 
144
 
 
145
        if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) {
 
146
                wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid "
 
147
                           "SessionTicket");
 
148
                return 0;
 
149
        }
 
150
 
 
151
        pac_opaque_len = WPA_GET_BE16(ticket + 2);
 
152
        pac_opaque = ticket + 4;
 
153
        if (pac_opaque_len < 8 || pac_opaque_len % 8 ||
 
154
            pac_opaque_len > len - 4) {
 
155
                wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque "
 
156
                           "(len=%lu left=%lu)",
 
157
                           (unsigned long) pac_opaque_len,
 
158
                           (unsigned long) len);
 
159
                return 0;
 
160
        }
 
161
        wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque",
 
162
                    pac_opaque, pac_opaque_len);
 
163
 
 
164
        buf = os_malloc(pac_opaque_len - 8);
 
165
        if (buf == NULL) {
 
166
                wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
 
167
                           "for decrypting PAC-Opaque");
 
168
                return 0;
 
169
        }
 
170
 
 
171
        if (aes_unwrap(data->pac_opaque_encr, (pac_opaque_len - 8) / 8,
 
172
                       pac_opaque, buf) < 0) {
 
173
                wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt "
 
174
                           "PAC-Opaque");
 
175
                os_free(buf);
 
176
                /*
 
177
                 * This may have been caused by server changing the PAC-Opaque
 
178
                 * encryption key, so just ignore this PAC-Opaque instead of
 
179
                 * failing the authentication completely. Provisioning can now
 
180
                 * be used to provision a new PAC.
 
181
                 */
 
182
                return 0;
 
183
        }
 
184
 
 
185
        end = buf + pac_opaque_len - 8;
 
186
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque",
 
187
                        buf, end - buf);
 
188
 
 
189
        pos = buf;
 
190
        while (pos + 1 < end) {
 
191
                if (pos + 2 + pos[1] > end)
 
192
                        break;
 
193
 
 
194
                switch (*pos) {
 
195
                case PAC_OPAQUE_TYPE_PAD:
 
196
                        pos = end;
 
197
                        break;
 
198
                case PAC_OPAQUE_TYPE_KEY:
 
199
                        if (pos[1] != EAP_FAST_PAC_KEY_LEN) {
 
200
                                wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
 
201
                                           "PAC-Key length %d", pos[1]);
 
202
                                os_free(buf);
 
203
                                return -1;
 
204
                        }
 
205
                        pac_key = pos + 2;
 
206
                        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from "
 
207
                                        "decrypted PAC-Opaque",
 
208
                                        pac_key, EAP_FAST_PAC_KEY_LEN);
 
209
                        break;
 
210
                case PAC_OPAQUE_TYPE_LIFETIME:
 
211
                        if (pos[1] != 4) {
 
212
                                wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
 
213
                                           "PAC-Key lifetime length %d",
 
214
                                           pos[1]);
 
215
                                os_free(buf);
 
216
                                return -1;
 
217
                        }
 
218
                        lifetime = WPA_GET_BE32(pos + 2);
 
219
                        break;
 
220
                }
 
221
 
 
222
                pos += 2 + pos[1];
 
223
        }
 
224
 
 
225
        if (pac_key == NULL) {
 
226
                wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in "
 
227
                           "PAC-Opaque");
 
228
                os_free(buf);
 
229
                return -1;
 
230
        }
 
231
 
 
232
        if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
 
233
                wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore "
 
234
                           "(lifetime=%ld now=%ld)", lifetime, now.sec);
 
235
                os_free(buf);
 
236
                return 0;
 
237
        }
 
238
 
 
239
        if (lifetime - now.sec < PAC_KEY_REFRESH_TIME)
 
240
                data->send_new_pac = 1;
 
241
 
 
242
        /*
 
243
         * RFC 4851, Section 5.1:
 
244
         * master_secret = T-PRF(PAC-Key, "PAC to master secret label hash", 
 
245
         *                       server_random + client_random, 48)
 
246
         */
 
247
        os_memcpy(seed, server_random, TLS_RANDOM_LEN);
 
248
        os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
 
249
        sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
 
250
                   "PAC to master secret label hash",
 
251
                   seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
 
252
 
 
253
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
 
254
                        master_secret, TLS_MASTER_SECRET_LEN);
 
255
 
 
256
        os_free(buf);
 
257
 
 
258
        return 1;
 
259
}
 
260
 
 
261
 
 
262
static u8 * eap_fast_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
 
263
                                char *label, size_t len)
 
264
{
 
265
        struct tls_keys keys;
 
266
        u8 *rnd = NULL, *out;
 
267
        int block_size;
 
268
 
 
269
        block_size = tls_connection_get_keyblock_size(sm->ssl_ctx, data->conn);
 
270
        if (block_size < 0)
 
271
                return NULL;
 
272
 
 
273
        out = os_malloc(block_size + len);
 
274
        if (out == NULL)
 
275
                return NULL;
 
276
 
 
277
        if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 1, out,
 
278
                               block_size + len) == 0) {
 
279
                os_memmove(out, out + block_size, len);
 
280
                return out;
 
281
        }
 
282
 
 
283
        if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys))
 
284
                goto fail;
 
285
 
 
286
        rnd = os_malloc(keys.client_random_len + keys.server_random_len);
 
287
        if (rnd == NULL)
 
288
                goto fail;
 
289
 
 
290
        os_memcpy(rnd, keys.server_random, keys.server_random_len);
 
291
        os_memcpy(rnd + keys.server_random_len, keys.client_random,
 
292
                  keys.client_random_len);
 
293
 
 
294
        wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
 
295
                        "expansion", keys.master_key, keys.master_key_len);
 
296
        if (tls_prf(keys.master_key, keys.master_key_len,
 
297
                    label, rnd, keys.client_random_len +
 
298
                    keys.server_random_len, out, block_size + len))
 
299
                goto fail;
 
300
        os_free(rnd);
 
301
        os_memmove(out, out + block_size, len);
 
302
        return out;
 
303
 
 
304
fail:
 
305
        os_free(rnd);
 
306
        os_free(out);
 
307
        return NULL;
 
308
}
 
309
 
 
310
 
 
311
static void eap_fast_derive_key_auth(struct eap_sm *sm,
 
312
                                     struct eap_fast_data *data)
 
313
{
 
314
        u8 *sks;
 
315
 
 
316
        /* RFC 4851, Section 5.1:
 
317
         * Extra key material after TLS key_block: session_key_seed[40]
 
318
         */
 
319
 
 
320
        sks = eap_fast_derive_key(sm, &data->ssl, "key expansion",
 
321
                                  EAP_FAST_SKS_LEN);
 
322
        if (sks == NULL) {
 
323
                wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
 
324
                           "session_key_seed");
 
325
                return;
 
326
        }
 
327
 
 
328
        /*
 
329
         * RFC 4851, Section 5.2:
 
330
         * S-IMCK[0] = session_key_seed
 
331
         */
 
332
        wpa_hexdump_key(MSG_DEBUG,
 
333
                        "EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
 
334
                        sks, EAP_FAST_SKS_LEN);
 
335
        data->simck_idx = 0;
 
336
        os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN);
 
337
        os_free(sks);
 
338
}
 
339
 
 
340
 
 
341
static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
 
342
                                             struct eap_fast_data *data)
 
343
{
 
344
        os_free(data->key_block_p);
 
345
        data->key_block_p = (struct eap_fast_key_block_provisioning *)
 
346
                eap_fast_derive_key(sm, &data->ssl, "key expansion",
 
347
                                    sizeof(*data->key_block_p));
 
348
        if (data->key_block_p == NULL) {
 
349
                wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
 
350
                return;
 
351
        }
 
352
        /*
 
353
         * RFC 4851, Section 5.2:
 
354
         * S-IMCK[0] = session_key_seed
 
355
         */
 
356
        wpa_hexdump_key(MSG_DEBUG,
 
357
                        "EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
 
358
                        data->key_block_p->session_key_seed,
 
359
                        sizeof(data->key_block_p->session_key_seed));
 
360
        data->simck_idx = 0;
 
361
        os_memcpy(data->simck, data->key_block_p->session_key_seed,
 
362
                  EAP_FAST_SIMCK_LEN);
 
363
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge",
 
364
                        data->key_block_p->server_challenge,
 
365
                        sizeof(data->key_block_p->server_challenge));
 
366
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge",
 
367
                        data->key_block_p->client_challenge,
 
368
                        sizeof(data->key_block_p->client_challenge));
 
369
}
 
370
 
 
371
 
 
372
static int eap_fast_get_phase2_key(struct eap_sm *sm,
 
373
                                   struct eap_fast_data *data,
 
374
                                   u8 *isk, size_t isk_len)
 
375
{
 
376
        u8 *key;
 
377
        size_t key_len;
 
378
 
 
379
        os_memset(isk, 0, isk_len);
 
380
 
 
381
        if (data->phase2_method == NULL || data->phase2_priv == NULL) {
 
382
                wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not "
 
383
                           "available");
 
384
                return -1;
 
385
        }
 
386
 
 
387
        if (data->phase2_method->getKey == NULL)
 
388
                return 0;
 
389
 
 
390
        if ((key = data->phase2_method->getKey(sm, data->phase2_priv,
 
391
                                               &key_len)) == NULL) {
 
392
                wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material "
 
393
                           "from Phase 2");
 
394
                return -1;
 
395
        }
 
396
 
 
397
        if (key_len > isk_len)
 
398
                key_len = isk_len;
 
399
        os_memcpy(isk, key, key_len);
 
400
        os_free(key);
 
401
 
 
402
        return 0;
 
403
}
 
404
 
 
405
 
 
406
static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data)
 
407
{
 
408
        u8 isk[32], imck[60];
 
409
 
 
410
        wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)",
 
411
                   data->simck_idx + 1);
 
412
 
 
413
        /*
 
414
         * RFC 4851, Section 5.2:
 
415
         * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
 
416
         *                 MSK[j], 60)
 
417
         * S-IMCK[j] = first 40 octets of IMCK[j]
 
418
         * CMK[j] = last 20 octets of IMCK[j]
 
419
         */
 
420
 
 
421
        if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0)
 
422
                return -1;
 
423
        wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk));
 
424
        sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
 
425
                   "Inner Methods Compound Keys",
 
426
                   isk, sizeof(isk), imck, sizeof(imck));
 
427
        data->simck_idx++;
 
428
        os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN);
 
429
        wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]",
 
430
                        data->simck, EAP_FAST_SIMCK_LEN);
 
431
        os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, 20);
 
432
        wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", data->cmk, 20);
 
433
 
 
434
        return 0;
 
435
}
 
436
 
 
437
 
 
438
static void * eap_fast_init(struct eap_sm *sm)
 
439
{
 
440
        struct eap_fast_data *data;
 
441
        u8 ciphers[5] = {
 
442
                TLS_CIPHER_ANON_DH_AES128_SHA,
 
443
                TLS_CIPHER_AES128_SHA,
 
444
                TLS_CIPHER_RSA_DHE_AES128_SHA,
 
445
                TLS_CIPHER_RC4_SHA,
 
446
                TLS_CIPHER_NONE
 
447
        };
 
448
 
 
449
        data = os_zalloc(sizeof(*data));
 
450
        if (data == NULL)
 
451
                return NULL;
 
452
        data->fast_version = EAP_FAST_VERSION;
 
453
        data->force_version = -1;
 
454
        if (sm->user && sm->user->force_version >= 0) {
 
455
                data->force_version = sm->user->force_version;
 
456
                wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d",
 
457
                           data->force_version);
 
458
                data->fast_version = data->force_version;
 
459
        }
 
460
        data->state = START;
 
461
 
 
462
        if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
 
463
                wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL.");
 
464
                eap_fast_reset(sm, data);
 
465
                return NULL;
 
466
        }
 
467
 
 
468
        if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn,
 
469
                                           ciphers) < 0) {
 
470
                wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher "
 
471
                           "suites");
 
472
                eap_fast_reset(sm, data);
 
473
                return NULL;
 
474
        }
 
475
 
 
476
        if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
 
477
                                                 eap_fast_session_ticket_cb,
 
478
                                                 data) < 0) {
 
479
                wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket "
 
480
                           "callback");
 
481
                eap_fast_reset(sm, data);
 
482
                return NULL;
 
483
        }
 
484
 
 
485
        if (sm->pac_opaque_encr_key == NULL) {
 
486
                wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key "
 
487
                           "configured");
 
488
                eap_fast_reset(sm, data);
 
489
                return NULL;
 
490
        }
 
491
        os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
 
492
                  sizeof(data->pac_opaque_encr));
 
493
 
 
494
        if (sm->eap_fast_a_id == NULL) {
 
495
                wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured");
 
496
                eap_fast_reset(sm, data);
 
497
                return NULL;
 
498
        }
 
499
        data->srv_id = os_strdup(sm->eap_fast_a_id);
 
500
        if (data->srv_id == NULL) {
 
501
                eap_fast_reset(sm, data);
 
502
                return NULL;
 
503
        }
 
504
 
 
505
        return data;
 
506
}
 
507
 
 
508
 
 
509
static void eap_fast_reset(struct eap_sm *sm, void *priv)
 
510
{
 
511
        struct eap_fast_data *data = priv;
 
512
        if (data == NULL)
 
513
                return;
 
514
        if (data->phase2_priv && data->phase2_method)
 
515
                data->phase2_method->reset(sm, data->phase2_priv);
 
516
        eap_server_tls_ssl_deinit(sm, &data->ssl);
 
517
        os_free(data->srv_id);
 
518
        os_free(data->key_block_p);
 
519
        wpabuf_free(data->pending_phase2_resp);
 
520
        os_free(data);
 
521
}
 
522
 
 
523
 
 
524
static struct wpabuf * eap_fast_build_start(struct eap_sm *sm,
 
525
                                            struct eap_fast_data *data, u8 id)
 
526
{
 
527
        struct wpabuf *req;
 
528
        struct pac_tlv_hdr *a_id;
 
529
        size_t srv_id_len = os_strlen(data->srv_id);
 
530
 
 
531
        req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST,
 
532
                            1 + sizeof(*a_id) + srv_id_len,
 
533
                            EAP_CODE_REQUEST, id);
 
534
        if (req == NULL) {
 
535
                wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for"
 
536
                           " request");
 
537
                eap_fast_state(data, FAILURE);
 
538
                return NULL;
 
539
        }
 
540
 
 
541
        wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version);
 
542
        a_id = wpabuf_put(req, sizeof(*a_id));
 
543
        a_id->type = host_to_be16(PAC_TYPE_A_ID);
 
544
        a_id->len = host_to_be16(srv_id_len);
 
545
        wpabuf_put_data(req, data->srv_id, srv_id_len);
 
546
 
 
547
        eap_fast_state(data, PHASE1);
 
548
 
 
549
        return req;
 
550
}
 
551
 
 
552
 
 
553
static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data)
 
554
{
 
555
        char cipher[64];
 
556
 
 
557
        wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2");
 
558
 
 
559
        if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
 
560
            < 0) {
 
561
                wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher "
 
562
                           "information");
 
563
                eap_fast_state(data, FAILURE);
 
564
                return -1;
 
565
        }
 
566
        data->anon_provisioning = os_strstr(cipher, "ADH") != NULL;
 
567
                    
 
568
        if (data->anon_provisioning) {
 
569
                wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning");
 
570
                eap_fast_derive_key_provisioning(sm, data);
 
571
        } else
 
572
                eap_fast_derive_key_auth(sm, data);
 
573
 
 
574
        eap_fast_state(data, PHASE2_START);
 
575
 
 
576
        return 0;
 
577
}
 
578
 
 
579
 
 
580
static struct wpabuf * eap_fast_build_req(struct eap_sm *sm,
 
581
                                          struct eap_fast_data *data, u8 id)
 
582
{
 
583
        int res;
 
584
        struct wpabuf *req;
 
585
 
 
586
        res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_FAST,
 
587
                                             data->fast_version, id, &req);
 
588
 
 
589
        if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
 
590
                if (eap_fast_phase1_done(sm, data) < 0) {
 
591
                        os_free(req);
 
592
                        return NULL;
 
593
                }
 
594
        }
 
595
 
 
596
        if (res == 1)
 
597
                return eap_server_tls_build_ack(id, EAP_TYPE_FAST,
 
598
                                                data->fast_version);
 
599
        return req;
 
600
}
 
601
 
 
602
 
 
603
static struct wpabuf * eap_fast_encrypt(struct eap_sm *sm,
 
604
                                        struct eap_fast_data *data,
 
605
                                        u8 id, u8 *plain, size_t plain_len)
 
606
{
 
607
        int res;
 
608
        struct wpabuf *buf;
 
609
 
 
610
        /* TODO: add support for fragmentation, if needed. This will need to
 
611
         * add TLS Message Length field, if the frame is fragmented. */
 
612
        buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST,
 
613
                            1 + data->ssl.tls_out_limit,
 
614
                            EAP_CODE_REQUEST, id);
 
615
        if (buf == NULL)
 
616
                return NULL;
 
617
 
 
618
        wpabuf_put_u8(buf, data->fast_version);
 
619
 
 
620
        res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
 
621
                                     plain, plain_len, wpabuf_put(buf, 0),
 
622
                                     data->ssl.tls_out_limit);
 
623
        if (res < 0) {
 
624
                wpa_printf(MSG_INFO, "EAP-FAST: Failed to encrypt Phase 2 "
 
625
                           "data");
 
626
                wpabuf_free(buf);
 
627
                return NULL;
 
628
        }
 
629
 
 
630
        wpabuf_put(buf, res);
 
631
        eap_update_len(buf);
 
632
 
 
633
        return buf;
 
634
}
 
635
 
 
636
 
 
637
static struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
 
638
{
 
639
        struct wpabuf *e;
 
640
        struct eap_tlv_hdr *tlv;
 
641
 
 
642
        if (buf == NULL)
 
643
                return NULL;
 
644
 
 
645
        /* Encapsulate EAP packet in EAP-Payload TLV */
 
646
        wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");
 
647
        e = wpabuf_alloc(sizeof(*tlv) + wpabuf_len(buf));
 
648
        if (e == NULL) {
 
649
                wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
 
650
                           "for TLV encapsulation");
 
651
                wpabuf_free(buf);
 
652
                return NULL;
 
653
        }
 
654
        tlv = wpabuf_put(e, sizeof(*tlv));
 
655
        tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
 
656
                                     EAP_TLV_EAP_PAYLOAD_TLV);
 
657
        tlv->length = host_to_be16(wpabuf_len(buf));
 
658
        wpabuf_put_buf(e, buf);
 
659
        wpabuf_free(buf);
 
660
        return e;
 
661
}
 
662
 
 
663
 
 
664
static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm,
 
665
                                                 struct eap_fast_data *data,
 
666
                                                 u8 id)
 
667
{
 
668
        struct wpabuf *req;
 
669
 
 
670
        if (data->phase2_priv == NULL) {
 
671
                wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not "
 
672
                           "initialized");
 
673
                return NULL;
 
674
        }
 
675
        req = data->phase2_method->buildReq(sm, data->phase2_priv, id);
 
676
        if (req == NULL)
 
677
                return NULL;
 
678
 
 
679
        wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req);
 
680
        return eap_fast_tlv_eap_payload(req);
 
681
}
 
682
 
 
683
 
 
684
static struct wpabuf * eap_fast_build_crypto_binding(
 
685
        struct eap_sm *sm, struct eap_fast_data *data)
 
686
{
 
687
        struct wpabuf *buf;
 
688
        struct eap_tlv_result_tlv *result;
 
689
        struct eap_tlv_crypto_binding__tlv *binding;
 
690
        int type;
 
691
 
 
692
        buf = wpabuf_alloc(sizeof(*result) + sizeof(*binding));
 
693
        if (buf == NULL)
 
694
                return NULL;
 
695
 
 
696
        if (data->send_new_pac || data->anon_provisioning) {
 
697
                type = EAP_TLV_INTERMEDIATE_RESULT_TLV;
 
698
                data->final_result = 0;
 
699
        } else {
 
700
                type = EAP_TLV_RESULT_TLV;
 
701
                data->final_result = 1;
 
702
        }
 
703
 
 
704
        /* Result TLV */
 
705
        wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)");
 
706
        result = wpabuf_put(buf, sizeof(*result));
 
707
        result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | type);
 
708
        result->length = host_to_be16(2);
 
709
        result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS);
 
710
 
 
711
        /* Crypto-Binding TLV */
 
712
        binding = wpabuf_put(buf, sizeof(*binding));
 
713
        binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
 
714
                                         EAP_TLV_CRYPTO_BINDING_TLV);
 
715
        binding->length = host_to_be16(sizeof(*binding) -
 
716
                                       sizeof(struct eap_tlv_hdr));
 
717
        binding->version = EAP_FAST_VERSION;
 
718
        binding->received_version = data->peer_version;
 
719
        binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST;
 
720
        if (os_get_random(binding->nonce, sizeof(binding->nonce)) < 0) {
 
721
                wpabuf_free(buf);
 
722
                return NULL;
 
723
        }
 
724
 
 
725
        /*
 
726
         * RFC 4851, Section 4.2.8:
 
727
         * The nonce in a request MUST have its least significant bit set to 0.
 
728
         */
 
729
        binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01;
 
730
 
 
731
        os_memcpy(data->crypto_binding_nonce, binding->nonce,
 
732
                  sizeof(binding->nonce));
 
733
 
 
734
        /*
 
735
         * RFC 4851, Section 5.3:
 
736
         * CMK = CMK[j]
 
737
         * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV )
 
738
         */
 
739
 
 
740
        hmac_sha1(data->cmk, 20, (u8 *) binding, sizeof(*binding),
 
741
                  binding->compound_mac);
 
742
 
 
743
        wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d "
 
744
                   "Received Version %d SubType %d",
 
745
                   binding->version, binding->received_version,
 
746
                   binding->subtype);
 
747
        wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE",
 
748
                    binding->nonce, sizeof(binding->nonce));
 
749
        wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC",
 
750
                    binding->compound_mac, sizeof(binding->compound_mac));
 
751
 
 
752
        return buf;
 
753
}
 
754
 
 
755
 
 
756
static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
 
757
                                          struct eap_fast_data *data)
 
758
{
 
759
        u8 pac_key[2 + EAP_FAST_PAC_KEY_LEN + 6];
 
760
        u8 pac_opaque[8 + EAP_FAST_PAC_KEY_LEN + 8];
 
761
        struct wpabuf *buf;
 
762
        u8 *pos;
 
763
        size_t buf_len, srv_id_len;
 
764
        struct eap_tlv_hdr *pac_tlv;
 
765
        struct pac_tlv_hdr *hdr, *pac_info;
 
766
        struct eap_tlv_result_tlv *result;
 
767
        struct os_time now;
 
768
 
 
769
        srv_id_len = os_strlen(data->srv_id);
 
770
 
 
771
        pac_key[0] = PAC_OPAQUE_TYPE_KEY;
 
772
        pac_key[1] = EAP_FAST_PAC_KEY_LEN;
 
773
        if (os_get_random(pac_key + 2, EAP_FAST_PAC_KEY_LEN) < 0)
 
774
                return NULL;
 
775
        if (os_get_time(&now) < 0)
 
776
                return NULL;
 
777
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key",
 
778
                        pac_key + 2, EAP_FAST_PAC_KEY_LEN);
 
779
        pos = pac_key + 2 + EAP_FAST_PAC_KEY_LEN;
 
780
        *pos++ = PAC_OPAQUE_TYPE_LIFETIME;
 
781
        *pos++ = 4;
 
782
        WPA_PUT_BE32(pos, now.sec + PAC_KEY_LIFETIME);
 
783
 
 
784
        if (aes_wrap(data->pac_opaque_encr, sizeof(pac_key) / 8, pac_key,
 
785
                     pac_opaque) < 0)
 
786
                return NULL;
 
787
 
 
788
        wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque",
 
789
                    pac_opaque, sizeof(pac_opaque));
 
790
 
 
791
        buf_len = sizeof(*pac_tlv) +
 
792
                sizeof(*hdr) + EAP_FAST_PAC_KEY_LEN +
 
793
                sizeof(*hdr) + sizeof(pac_opaque) +
 
794
                2 * srv_id_len + 100 + sizeof(*result);
 
795
        buf = wpabuf_alloc(buf_len);
 
796
        if (buf == NULL)
 
797
                return NULL;
 
798
 
 
799
        /* PAC TLV */
 
800
        wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV");
 
801
        pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv));
 
802
        pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
 
803
                                         EAP_TLV_PAC_TLV);
 
804
 
 
805
        /* PAC-Key */
 
806
        hdr = wpabuf_put(buf, sizeof(*hdr));
 
807
        hdr->type = host_to_be16(PAC_TYPE_PAC_KEY);
 
808
        hdr->len = host_to_be16(EAP_FAST_PAC_KEY_LEN);
 
809
        wpabuf_put_data(buf, pac_key + 2, EAP_FAST_PAC_KEY_LEN);
 
810
 
 
811
        /* PAC-Opaque */
 
812
        hdr = wpabuf_put(buf, sizeof(*hdr));
 
813
        hdr->type = host_to_be16(PAC_TYPE_PAC_OPAQUE);
 
814
        hdr->len = host_to_be16(sizeof(pac_opaque));
 
815
        wpabuf_put_data(buf, pac_opaque, sizeof(pac_opaque));
 
816
 
 
817
        /* PAC-Info */
 
818
        pac_info = wpabuf_put(buf, sizeof(*pac_info));
 
819
        pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO);
 
820
 
 
821
        /* PAC-Lifetime (inside PAC-Info) */
 
822
        hdr = wpabuf_put(buf, sizeof(*hdr));
 
823
        hdr->type = host_to_be16(PAC_TYPE_CRED_LIFETIME);
 
824
        hdr->len = host_to_be16(4);
 
825
        wpabuf_put_be32(buf, now.sec + PAC_KEY_LIFETIME);
 
826
 
 
827
        /* A-ID (inside PAC-Info) */
 
828
        hdr = wpabuf_put(buf, sizeof(*hdr));
 
829
        hdr->type = host_to_be16(PAC_TYPE_A_ID);
 
830
        hdr->len = host_to_be16(srv_id_len);
 
831
        wpabuf_put_data(buf, data->srv_id, srv_id_len);
 
832
        
 
833
        /* Note: headers may be misaligned after A-ID */
 
834
 
 
835
        /* A-ID-Info (inside PAC-Info) */
 
836
        hdr = wpabuf_put(buf, sizeof(*hdr));
 
837
        WPA_PUT_BE16((u8 *) &hdr->type, PAC_TYPE_A_ID_INFO);
 
838
        WPA_PUT_BE16((u8 *) &hdr->len, srv_id_len);
 
839
        wpabuf_put_data(buf, data->srv_id, srv_id_len);
 
840
 
 
841
        /* PAC-Type (inside PAC-Info) */
 
842
        hdr = wpabuf_put(buf, sizeof(*hdr));
 
843
        WPA_PUT_BE16((u8 *) &hdr->type, PAC_TYPE_PAC_TYPE);
 
844
        WPA_PUT_BE16((u8 *) &hdr->len, 2);
 
845
        wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC);
 
846
 
 
847
        /* Update PAC-Info and PAC TLV Length fields */
 
848
        pos = wpabuf_put(buf, 0);
 
849
        pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1));
 
850
        pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1));
 
851
 
 
852
        /* Result TLV */
 
853
        wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)");
 
854
        result = wpabuf_put(buf, sizeof(*result));
 
855
        WPA_PUT_BE16((u8 *) &result->tlv_type,
 
856
                     EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV);
 
857
        WPA_PUT_BE16((u8 *) &result->length, 2);
 
858
        WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS);
 
859
 
 
860
        return buf;
 
861
}
 
862
 
 
863
 
 
864
static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id)
 
865
{
 
866
        struct eap_fast_data *data = priv;
 
867
        struct wpabuf *req;
 
868
        struct wpabuf *encr;
 
869
 
 
870
        if (data->state == START)
 
871
                return eap_fast_build_start(sm, data, id);
 
872
 
 
873
        if (data->state == PHASE1)
 
874
                return eap_fast_build_req(sm, data, id);
 
875
 
 
876
        switch (data->state) {
 
877
        case PHASE2_ID:
 
878
        case PHASE2_METHOD:
 
879
                req = eap_fast_build_phase2_req(sm, data, id);
 
880
                break;
 
881
        case CRYPTO_BINDING:
 
882
                req = eap_fast_build_crypto_binding(sm, data);
 
883
                break;
 
884
        case REQUEST_PAC:
 
885
                req = eap_fast_build_pac(sm, data);
 
886
                break;
 
887
        default:
 
888
                wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d",
 
889
                           __func__, data->state);
 
890
                return NULL;
 
891
        }
 
892
 
 
893
        if (req == NULL)
 
894
                return NULL;
 
895
 
 
896
        wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs",
 
897
                            req);
 
898
        encr = eap_fast_encrypt(sm, data, id, wpabuf_mhead(req),
 
899
                                wpabuf_len(req));
 
900
        wpabuf_free(req);
 
901
 
 
902
        return encr;
 
903
}
 
904
 
 
905
 
 
906
static Boolean eap_fast_check(struct eap_sm *sm, void *priv,
 
907
                              struct wpabuf *respData)
 
908
{
 
909
        const u8 *pos;
 
910
        size_t len;
 
911
 
 
912
        pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len);
 
913
        if (pos == NULL || len < 1) {
 
914
                wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame");
 
915
                return TRUE;
 
916
        }
 
917
 
 
918
        return FALSE;
 
919
}
 
920
 
 
921
 
 
922
static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data,
 
923
                                EapType eap_type)
 
924
{
 
925
        if (data->phase2_priv && data->phase2_method) {
 
926
                data->phase2_method->reset(sm, data->phase2_priv);
 
927
                data->phase2_method = NULL;
 
928
                data->phase2_priv = NULL;
 
929
        }
 
930
        data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
 
931
                                                        eap_type);
 
932
        if (!data->phase2_method)
 
933
                return -1;
 
934
 
 
935
        if (data->key_block_p) {
 
936
                sm->auth_challenge = data->key_block_p->server_challenge;
 
937
                sm->peer_challenge = data->key_block_p->client_challenge;
 
938
        }
 
939
        sm->init_phase2 = 1;
 
940
        data->phase2_priv = data->phase2_method->init(sm);
 
941
        sm->init_phase2 = 0;
 
942
        sm->auth_challenge = NULL;
 
943
        sm->peer_challenge = NULL;
 
944
 
 
945
        return data->phase2_priv == NULL ? -1 : 0;
 
946
}
 
947
 
 
948
 
 
949
static void eap_fast_process_phase2_response(struct eap_sm *sm,
 
950
                                             struct eap_fast_data *data,
 
951
                                             u8 *in_data, size_t in_len)
 
952
{
 
953
        u8 next_type = EAP_TYPE_NONE;
 
954
        struct eap_hdr *hdr;
 
955
        u8 *pos;
 
956
        size_t left;
 
957
        struct wpabuf buf;
 
958
        const struct eap_method *m = data->phase2_method;
 
959
        void *priv = data->phase2_priv;
 
960
 
 
961
        if (priv == NULL) {
 
962
                wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not "
 
963
                           "initialized?!", __func__);
 
964
                return;
 
965
        }
 
966
 
 
967
        hdr = (struct eap_hdr *) in_data;
 
968
        pos = (u8 *) (hdr + 1);
 
969
 
 
970
        if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
 
971
                left = in_len - sizeof(*hdr);
 
972
                wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; "
 
973
                            "allowed types", pos + 1, left - 1);
 
974
                eap_sm_process_nak(sm, pos + 1, left - 1);
 
975
                if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
 
976
                    sm->user->methods[sm->user_eap_method_index].method !=
 
977
                    EAP_TYPE_NONE) {
 
978
                        next_type = sm->user->methods[
 
979
                                sm->user_eap_method_index++].method;
 
980
                        wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d",
 
981
                                   next_type);
 
982
                } else {
 
983
                        next_type = eap_fast_req_failure(sm, data);
 
984
                }
 
985
                eap_fast_phase2_init(sm, data, next_type);
 
986
                return;
 
987
        }
 
988
 
 
989
        wpabuf_set(&buf, in_data, in_len);
 
990
 
 
991
        if (m->check(sm, priv, &buf)) {
 
992
                wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to "
 
993
                           "ignore the packet");
 
994
                next_type = eap_fast_req_failure(sm, data);
 
995
                return;
 
996
        }
 
997
 
 
998
        m->process(sm, priv, &buf);
 
999
 
 
1000
        if (!m->isDone(sm, priv))
 
1001
                return;
 
1002
 
 
1003
        if (!m->isSuccess(sm, priv)) {
 
1004
                wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed");
 
1005
                next_type = eap_fast_req_failure(sm, data);
 
1006
                eap_fast_phase2_init(sm, data, next_type);
 
1007
                return;
 
1008
        }
 
1009
 
 
1010
        switch (data->state) {
 
1011
        case PHASE2_ID:
 
1012
                if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
 
1013
                        wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 "
 
1014
                                          "Identity not found in the user "
 
1015
                                          "database",
 
1016
                                          sm->identity, sm->identity_len);
 
1017
                        next_type = eap_fast_req_failure(sm, data);
 
1018
                        break;
 
1019
                }
 
1020
 
 
1021
                eap_fast_state(data, PHASE2_METHOD);
 
1022
                if (data->anon_provisioning) {
 
1023
                        /*
 
1024
                         * Only EAP-MSCHAPv2 is allowed for anonymous
 
1025
                         * provisioning.
 
1026
                         */
 
1027
                        next_type = EAP_TYPE_MSCHAPV2;
 
1028
                        sm->user_eap_method_index = 0;
 
1029
                } else {
 
1030
                        next_type = sm->user->methods[0].method;
 
1031
                        sm->user_eap_method_index = 1;
 
1032
                }
 
1033
                wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", next_type);
 
1034
                break;
 
1035
        case PHASE2_METHOD:
 
1036
                eap_fast_update_icmk(sm, data);
 
1037
                eap_fast_state(data, CRYPTO_BINDING);
 
1038
                next_type = EAP_TYPE_NONE;
 
1039
                break;
 
1040
        case FAILURE:
 
1041
                break;
 
1042
        default:
 
1043
                wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d",
 
1044
                           __func__, data->state);
 
1045
                break;
 
1046
        }
 
1047
 
 
1048
        eap_fast_phase2_init(sm, data, next_type);
 
1049
}
 
1050
 
 
1051
 
 
1052
static void eap_fast_process_phase2_eap(struct eap_sm *sm,
 
1053
                                        struct eap_fast_data *data,
 
1054
                                        u8 *in_data, size_t in_len)
 
1055
{
 
1056
        struct eap_hdr *hdr;
 
1057
        size_t len;
 
1058
 
 
1059
        hdr = (struct eap_hdr *) in_data;
 
1060
        if (in_len < (int) sizeof(*hdr)) {
 
1061
                wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 "
 
1062
                           "EAP frame (len=%d)", in_len);
 
1063
                eap_fast_req_failure(sm, data);
 
1064
                return;
 
1065
        }
 
1066
        len = be_to_host16(hdr->length);
 
1067
        if (len > in_len) {
 
1068
                wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in "
 
1069
                           "Phase 2 EAP frame (len=%d hdr->length=%d)",
 
1070
                           in_len, len);
 
1071
                eap_fast_req_failure(sm, data);
 
1072
                return;
 
1073
        }
 
1074
        wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d "
 
1075
                   "identifier=%d length=%d", hdr->code, hdr->identifier, len);
 
1076
        switch (hdr->code) {
 
1077
        case EAP_CODE_RESPONSE:
 
1078
                eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len);
 
1079
                break;
 
1080
        default:
 
1081
                wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in "
 
1082
                           "Phase 2 EAP header", hdr->code);
 
1083
                break;
 
1084
        }
 
1085
}
 
1086
 
 
1087
 
 
1088
struct eap_fast_tlv_parse {
 
1089
        u8 *eap_payload_tlv;
 
1090
        size_t eap_payload_tlv_len;
 
1091
        struct eap_tlv_crypto_binding__tlv *crypto_binding;
 
1092
        size_t crypto_binding_len;
 
1093
        int iresult;
 
1094
        int result;
 
1095
        int request_action;
 
1096
        u8 *pac;
 
1097
        size_t pac_len;
 
1098
};
 
1099
 
 
1100
 
 
1101
static int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
 
1102
                              int tlv_type, u8 *pos, int len)
 
1103
{
 
1104
        switch (tlv_type) {
 
1105
        case EAP_TLV_EAP_PAYLOAD_TLV:
 
1106
                wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
 
1107
                            pos, len);
 
1108
                if (tlv->eap_payload_tlv) {
 
1109
                        wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
 
1110
                                   "EAP-Payload TLV in the message");
 
1111
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1112
                        return -2;
 
1113
                }
 
1114
                tlv->eap_payload_tlv = pos;
 
1115
                tlv->eap_payload_tlv_len = len;
 
1116
                break;
 
1117
        case EAP_TLV_RESULT_TLV:
 
1118
                wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
 
1119
                if (tlv->result) {
 
1120
                        wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
 
1121
                                   "Result TLV in the message");
 
1122
                        tlv->result = EAP_TLV_RESULT_FAILURE;
 
1123
                        return -2;
 
1124
                }
 
1125
                if (len < 2) {
 
1126
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
 
1127
                                   "Result TLV");
 
1128
                        tlv->result = EAP_TLV_RESULT_FAILURE;
 
1129
                        break;
 
1130
                }
 
1131
                tlv->result = WPA_GET_BE16(pos);
 
1132
                if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
 
1133
                    tlv->result != EAP_TLV_RESULT_FAILURE) {
 
1134
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
 
1135
                                   tlv->result);
 
1136
                        tlv->result = EAP_TLV_RESULT_FAILURE;
 
1137
                }
 
1138
                wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
 
1139
                           tlv->result == EAP_TLV_RESULT_SUCCESS ?
 
1140
                           "Success" : "Failure");
 
1141
                break;
 
1142
        case EAP_TLV_INTERMEDIATE_RESULT_TLV:
 
1143
                wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
 
1144
                            pos, len);
 
1145
                if (len < 2) {
 
1146
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
 
1147
                                   "Intermediate-Result TLV");
 
1148
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1149
                        break;
 
1150
                }
 
1151
                if (tlv->iresult) {
 
1152
                        wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
 
1153
                                   "Intermediate-Result TLV in the message");
 
1154
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1155
                        return -2;
 
1156
                }
 
1157
                tlv->iresult = WPA_GET_BE16(pos);
 
1158
                if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
 
1159
                    tlv->iresult != EAP_TLV_RESULT_FAILURE) {
 
1160
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
 
1161
                                   "Result %d", tlv->iresult);
 
1162
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1163
                }
 
1164
                wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
 
1165
                           tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
 
1166
                           "Success" : "Failure");
 
1167
                break;
 
1168
        case EAP_TLV_CRYPTO_BINDING_TLV:
 
1169
                wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
 
1170
                            pos, len);
 
1171
                if (tlv->crypto_binding) {
 
1172
                        wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
 
1173
                                   "Crypto-Binding TLV in the message");
 
1174
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1175
                        return -2;
 
1176
                }
 
1177
                tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
 
1178
                if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
 
1179
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
 
1180
                                   "Crypto-Binding TLV");
 
1181
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1182
                        return -2;
 
1183
                }
 
1184
                tlv->crypto_binding = (struct eap_tlv_crypto_binding__tlv *)
 
1185
                        (pos - sizeof(struct eap_tlv_hdr));
 
1186
                break;
 
1187
        case EAP_TLV_REQUEST_ACTION_TLV:
 
1188
                wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
 
1189
                            pos, len);
 
1190
                if (tlv->request_action) {
 
1191
                        wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
 
1192
                                   "Request-Action TLV in the message");
 
1193
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1194
                        return -2;
 
1195
                }
 
1196
                if (len < 2) {
 
1197
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
 
1198
                                   "Request-Action TLV");
 
1199
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1200
                        break;
 
1201
                }
 
1202
                tlv->request_action = WPA_GET_BE16(pos);
 
1203
                wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
 
1204
                           tlv->request_action);
 
1205
                break;
 
1206
        case EAP_TLV_PAC_TLV:
 
1207
                wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
 
1208
                if (tlv->pac) {
 
1209
                        wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
 
1210
                                   "PAC TLV in the message");
 
1211
                        tlv->iresult = EAP_TLV_RESULT_FAILURE;
 
1212
                        return -2;
 
1213
                }
 
1214
                tlv->pac = pos;
 
1215
                tlv->pac_len = len;
 
1216
                break;
 
1217
        default:
 
1218
                /* Unknown TLV */
 
1219
                return -1;
 
1220
        }
 
1221
 
 
1222
        return 0;
 
1223
}
 
1224
 
 
1225
 
 
1226
static int eap_fast_parse_tlvs(u8 *data, size_t data_len,
 
1227
                               struct eap_fast_tlv_parse *tlv)
 
1228
{
 
1229
        int mandatory, tlv_type, len, res;
 
1230
        u8 *pos, *end;
 
1231
 
 
1232
        os_memset(tlv, 0, sizeof(*tlv));
 
1233
 
 
1234
        pos = data;
 
1235
        end = data + data_len;
 
1236
        while (pos + 4 < end) {
 
1237
                mandatory = pos[0] & 0x80;
 
1238
                tlv_type = WPA_GET_BE16(pos) & 0x3fff;
 
1239
                pos += 2;
 
1240
                len = WPA_GET_BE16(pos);
 
1241
                pos += 2;
 
1242
                if (pos + len > end) {
 
1243
                        wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
 
1244
                        return -1;
 
1245
                }
 
1246
                wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
 
1247
                           "TLV type %d length %d%s",
 
1248
                           tlv_type, len, mandatory ? " (mandatory)" : "");
 
1249
 
 
1250
                res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
 
1251
                if (res == -2)
 
1252
                        break;
 
1253
                if (res < 0) {
 
1254
                        if (mandatory) {
 
1255
                                wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown "
 
1256
                                           "mandatory TLV type %d", tlv_type);
 
1257
                                /* TODO: generate Nak TLV */
 
1258
                                break;
 
1259
                        } else {
 
1260
                                wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored "
 
1261
                                           "unknown optional TLV type %d",
 
1262
                                           tlv_type);
 
1263
                        }
 
1264
                }
 
1265
 
 
1266
                pos += len;
 
1267
        }
 
1268
 
 
1269
        return 0;
 
1270
}
 
1271
 
 
1272
 
 
1273
static int eap_fast_validate_crypto_binding(
 
1274
        struct eap_fast_data *data, struct eap_tlv_crypto_binding__tlv *b,
 
1275
        size_t bind_len)
 
1276
{
 
1277
        u8 cmac[20];
 
1278
 
 
1279
        wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: "
 
1280
                   "Version %d Received Version %d SubType %d",
 
1281
                   b->version, b->received_version, b->subtype);
 
1282
        wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE",
 
1283
                    b->nonce, sizeof(b->nonce));
 
1284
        wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC",
 
1285
                    b->compound_mac, sizeof(b->compound_mac));
 
1286
 
 
1287
        if (b->version != EAP_FAST_VERSION ||
 
1288
            b->received_version != EAP_FAST_VERSION) {
 
1289
                wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version "
 
1290
                           "in Crypto-Binding: version %d "
 
1291
                           "received_version %d", b->version,
 
1292
                           b->received_version);
 
1293
                return -1;
 
1294
        }
 
1295
 
 
1296
        if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) {
 
1297
                wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in "
 
1298
                           "Crypto-Binding: %d", b->subtype);
 
1299
                return -1;
 
1300
        }
 
1301
 
 
1302
        if (os_memcmp(data->crypto_binding_nonce, b->nonce, 31) != 0 ||
 
1303
            (data->crypto_binding_nonce[31] | 1) != b->nonce[31]) {
 
1304
                wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in "
 
1305
                           "Crypto-Binding");
 
1306
                return -1;
 
1307
        }
 
1308
 
 
1309
        os_memcpy(cmac, b->compound_mac, sizeof(cmac));
 
1310
        os_memset(b->compound_mac, 0, sizeof(cmac));
 
1311
        wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for "
 
1312
                    "Compound MAC calculation",
 
1313
                    (u8 *) b, bind_len);
 
1314
        hmac_sha1(data->cmk, 20, (u8 *) b, bind_len, b->compound_mac);
 
1315
        if (os_memcmp(cmac, b->compound_mac, sizeof(cmac)) != 0) {
 
1316
                wpa_hexdump(MSG_MSGDUMP,
 
1317
                            "EAP-FAST: Calculated Compound MAC",
 
1318
                            b->compound_mac, sizeof(cmac));
 
1319
                wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not "
 
1320
                           "match");
 
1321
                return -1;
 
1322
        }
 
1323
 
 
1324
        return 0;
 
1325
}
 
1326
 
 
1327
 
 
1328
static int eap_fast_pac_type(u8 *pac, size_t len, u16 type)
 
1329
{
 
1330
        struct eap_tlv_pac_type_tlv *tlv;
 
1331
 
 
1332
        if (pac == NULL || len != sizeof(*tlv))
 
1333
                return 0;
 
1334
 
 
1335
        tlv = (struct eap_tlv_pac_type_tlv *) pac;
 
1336
 
 
1337
        return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE &&
 
1338
                be_to_host16(tlv->length) == 2 &&
 
1339
                be_to_host16(tlv->pac_type) == type;
 
1340
}
 
1341
 
 
1342
 
 
1343
static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
 
1344
                                         struct eap_fast_data *data,
 
1345
                                         u8 *in_data, size_t in_len)
 
1346
{
 
1347
        struct eap_fast_tlv_parse tlv;
 
1348
        int check_crypto_binding = data->state == CRYPTO_BINDING;
 
1349
 
 
1350
        if (eap_fast_parse_tlvs(in_data, in_len, &tlv) < 0) {
 
1351
                wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received "
 
1352
                           "Phase 2 TLVs");
 
1353
                return;
 
1354
        }
 
1355
 
 
1356
        if (tlv.result == EAP_TLV_RESULT_FAILURE) {
 
1357
                wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated "
 
1358
                           "failure");
 
1359
                eap_fast_state(data, FAILURE);
 
1360
                return;
 
1361
        }
 
1362
 
 
1363
        if (data->state == REQUEST_PAC) {
 
1364
                u16 type, len, res;
 
1365
                if (tlv.pac == NULL || tlv.pac_len < 6) {
 
1366
                        wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC "
 
1367
                                   "Acknowledgement received");
 
1368
                        eap_fast_state(data, FAILURE);
 
1369
                        return;
 
1370
                }
 
1371
 
 
1372
                type = WPA_GET_BE16(tlv.pac);
 
1373
                len = WPA_GET_BE16(tlv.pac + 2);
 
1374
                res = WPA_GET_BE16(tlv.pac + 4);
 
1375
 
 
1376
                if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 ||
 
1377
                    res != EAP_TLV_RESULT_SUCCESS) {
 
1378
                        wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not "
 
1379
                                   "contain acknowledgement");
 
1380
                        eap_fast_state(data, FAILURE);
 
1381
                        return;
 
1382
                }
 
1383
 
 
1384
                wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received "
 
1385
                           "- PAC provisioning succeeded");
 
1386
                eap_fast_state(data, data->anon_provisioning ?
 
1387
                               FAILURE : SUCCESS);
 
1388
                return;
 
1389
        }
 
1390
 
 
1391
        if (tlv.eap_payload_tlv) {
 
1392
                eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv,
 
1393
                                            tlv.eap_payload_tlv_len);
 
1394
        }
 
1395
 
 
1396
        if (check_crypto_binding) {
 
1397
                if (tlv.crypto_binding == NULL) {
 
1398
                        wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding "
 
1399
                                   "TLV received");
 
1400
                        eap_fast_state(data, FAILURE);
 
1401
                        return;
 
1402
                }
 
1403
 
 
1404
                if (data->final_result &&
 
1405
                    tlv.result != EAP_TLV_RESULT_SUCCESS) {
 
1406
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV "
 
1407
                                   "without Success Result");
 
1408
                        eap_fast_state(data, FAILURE);
 
1409
                        return;
 
1410
                }
 
1411
 
 
1412
                if (!data->final_result &&
 
1413
                    tlv.iresult != EAP_TLV_RESULT_SUCCESS) {
 
1414
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV "
 
1415
                                   "without intermediate Success Result");
 
1416
                        eap_fast_state(data, FAILURE);
 
1417
                        return;
 
1418
                }
 
1419
 
 
1420
                if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding,
 
1421
                                                     tlv.crypto_binding_len)) {
 
1422
                        eap_fast_state(data, FAILURE);
 
1423
                        return;
 
1424
                }
 
1425
 
 
1426
                wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV "
 
1427
                           "received - authentication completed successfully");
 
1428
 
 
1429
                if (data->anon_provisioning ||
 
1430
                    (tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
 
1431
                     eap_fast_pac_type(tlv.pac, tlv.pac_len,
 
1432
                                       PAC_TYPE_TUNNEL_PAC))) {
 
1433
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new "
 
1434
                                   "Tunnel PAC");
 
1435
                        eap_fast_state(data, REQUEST_PAC);
 
1436
                } else if (data->send_new_pac) {
 
1437
                        wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered "
 
1438
                                   "re-keying of Tunnel PAC");
 
1439
                        eap_fast_state(data, REQUEST_PAC);
 
1440
                } else
 
1441
                        eap_fast_state(data, SUCCESS);
 
1442
        }
 
1443
}
 
1444
 
 
1445
 
 
1446
static void eap_fast_process_phase2(struct eap_sm *sm,
 
1447
                                    struct eap_fast_data *data,
 
1448
                                    const u8 *in_data, size_t in_len)
 
1449
{
 
1450
        u8 *in_decrypted;
 
1451
        int len_decrypted, res;
 
1452
        size_t buf_len;
 
1453
 
 
1454
        wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for"
 
1455
                   " Phase 2", (unsigned long) in_len);
 
1456
 
 
1457
        if (data->pending_phase2_resp) {
 
1458
                wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
 
1459
                           "skip decryption and use old data");
 
1460
                eap_fast_process_phase2_tlvs(
 
1461
                        sm, data, wpabuf_mhead(data->pending_phase2_resp),
 
1462
                        wpabuf_len(data->pending_phase2_resp));
 
1463
                wpabuf_free(data->pending_phase2_resp);
 
1464
                data->pending_phase2_resp = NULL;
 
1465
                return;
 
1466
        }
 
1467
 
 
1468
        /* FIX: get rid of const -> non-const typecast */
 
1469
        res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
 
1470
                                             &in_len);
 
1471
        if (res < 0 || res == 1)
 
1472
                return;
 
1473
 
 
1474
        buf_len = in_len;
 
1475
        if (data->ssl.tls_in_total > buf_len)
 
1476
                buf_len = data->ssl.tls_in_total;
 
1477
        in_decrypted = os_malloc(buf_len);
 
1478
        if (in_decrypted == NULL) {
 
1479
                os_free(data->ssl.tls_in);
 
1480
                data->ssl.tls_in = NULL;
 
1481
                data->ssl.tls_in_len = 0;
 
1482
                wpa_printf(MSG_WARNING, "EAP-FAST: Failed to allocate memory "
 
1483
                           "for decryption");
 
1484
                return;
 
1485
        }
 
1486
 
 
1487
        len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
 
1488
                                               in_data, in_len,
 
1489
                                               in_decrypted, buf_len);
 
1490
        os_free(data->ssl.tls_in);
 
1491
        data->ssl.tls_in = NULL;
 
1492
        data->ssl.tls_in_len = 0;
 
1493
        if (len_decrypted < 0) {
 
1494
                wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
 
1495
                           "data");
 
1496
                os_free(in_decrypted);
 
1497
                eap_fast_state(data, FAILURE);
 
1498
                return;
 
1499
        }
 
1500
 
 
1501
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs",
 
1502
                        in_decrypted, len_decrypted);
 
1503
 
 
1504
        eap_fast_process_phase2_tlvs(sm, data, in_decrypted, len_decrypted);
 
1505
 
 
1506
        if (sm->method_pending == METHOD_PENDING_WAIT) {
 
1507
                wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in "
 
1508
                           "pending wait state - save decrypted response");
 
1509
                wpabuf_free(data->pending_phase2_resp);
 
1510
                data->pending_phase2_resp = wpabuf_alloc_copy(in_decrypted,
 
1511
                                                              len_decrypted);
 
1512
        }
 
1513
 
 
1514
        os_free(in_decrypted);
 
1515
}
 
1516
 
 
1517
 
 
1518
static void eap_fast_process(struct eap_sm *sm, void *priv,
 
1519
                             struct wpabuf *respData)
 
1520
{
 
1521
        struct eap_fast_data *data = priv;
 
1522
        const u8 *pos;
 
1523
        u8 flags;
 
1524
        size_t left;
 
1525
        unsigned int tls_msg_len;
 
1526
        int peer_version;
 
1527
 
 
1528
        pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData,
 
1529
                               &left);
 
1530
        if (pos == NULL || left < 1)
 
1531
                return;
 
1532
        flags = *pos++;
 
1533
        left--;
 
1534
        wpa_printf(MSG_DEBUG, "EAP-FAST: Received packet(len=%lu) - "
 
1535
                   "Flags 0x%02x", (unsigned long) wpabuf_len(respData),
 
1536
                   flags);
 
1537
        data->peer_version = peer_version = flags & EAP_PEAP_VERSION_MASK;
 
1538
        if (data->force_version >= 0 && peer_version != data->force_version) {
 
1539
                wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced"
 
1540
                           " version (forced=%d peer=%d) - reject",
 
1541
                           data->force_version, peer_version);
 
1542
                eap_fast_state(data, FAILURE);
 
1543
                return;
 
1544
        }
 
1545
        if (peer_version < data->fast_version) {
 
1546
                wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; "
 
1547
                           "use version %d",
 
1548
                           peer_version, data->fast_version, peer_version);
 
1549
                data->fast_version = peer_version;
 
1550
        }
 
1551
        if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
 
1552
                if (left < 4) {
 
1553
                        wpa_printf(MSG_INFO, "EAP-FAST: Short frame with TLS "
 
1554
                                   "length");
 
1555
                        eap_fast_state(data, FAILURE);
 
1556
                        return;
 
1557
                }
 
1558
                tls_msg_len = WPA_GET_BE32(pos);
 
1559
                wpa_printf(MSG_DEBUG, "EAP-FAST: TLS Message Length: %d",
 
1560
                           tls_msg_len);
 
1561
                if (data->ssl.tls_in_left == 0) {
 
1562
                        data->ssl.tls_in_total = tls_msg_len;
 
1563
                        data->ssl.tls_in_left = tls_msg_len;
 
1564
                        os_free(data->ssl.tls_in);
 
1565
                        data->ssl.tls_in = NULL;
 
1566
                        data->ssl.tls_in_len = 0;
 
1567
                }
 
1568
                pos += 4;
 
1569
                left -= 4;
 
1570
        }
 
1571
 
 
1572
        switch (data->state) {
 
1573
        case PHASE1:
 
1574
                if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
 
1575
                    0) {
 
1576
                        wpa_printf(MSG_INFO, "EAP-FAST: TLS processing "
 
1577
                                   "failed");
 
1578
                        eap_fast_state(data, FAILURE);
 
1579
                }
 
1580
 
 
1581
                if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
 
1582
                    data->ssl.tls_out_len > 0)
 
1583
                        break;
 
1584
 
 
1585
                /*
 
1586
                 * Phase 1 was completed with the received message (e.g., when
 
1587
                 * using abbreviated handshake), so Phase 2 can be started
 
1588
                 * immediately without having to send through an empty message
 
1589
                 * to the peer.
 
1590
                 */
 
1591
 
 
1592
                if (eap_fast_phase1_done(sm, data) < 0)
 
1593
                        break;
 
1594
 
 
1595
                /* fall through to PHASE2_START */
 
1596
        case PHASE2_START:
 
1597
                eap_fast_state(data, PHASE2_ID);
 
1598
                eap_fast_phase2_init(sm, data, EAP_TYPE_IDENTITY);
 
1599
                break;
 
1600
        case PHASE2_ID:
 
1601
        case PHASE2_METHOD:
 
1602
        case CRYPTO_BINDING:
 
1603
        case REQUEST_PAC:
 
1604
                eap_fast_process_phase2(sm, data, pos, left);
 
1605
                break;
 
1606
        default:
 
1607
                wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s",
 
1608
                           data->state, __func__);
 
1609
                break;
 
1610
        }
 
1611
 
 
1612
        if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
 
1613
                wpa_printf(MSG_INFO, "EAP-FAST: Locally detected fatal error "
 
1614
                           "in TLS processing");
 
1615
                eap_fast_state(data, FAILURE);
 
1616
        }
 
1617
}
 
1618
 
 
1619
 
 
1620
static Boolean eap_fast_isDone(struct eap_sm *sm, void *priv)
 
1621
{
 
1622
        struct eap_fast_data *data = priv;
 
1623
        return data->state == SUCCESS || data->state == FAILURE;
 
1624
}
 
1625
 
 
1626
 
 
1627
static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len)
 
1628
{
 
1629
        struct eap_fast_data *data = priv;
 
1630
        u8 *eapKeyData;
 
1631
 
 
1632
        if (data->state != SUCCESS)
 
1633
                return NULL;
 
1634
 
 
1635
        /*
 
1636
         * RFC 4851, Section 5.4: EAP Master Session Key Genreration
 
1637
         * MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
 
1638
         */
 
1639
 
 
1640
        eapKeyData = os_malloc(EAP_FAST_KEY_LEN);
 
1641
        if (eapKeyData == NULL)
 
1642
                return NULL;
 
1643
 
 
1644
        sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
 
1645
                   "Session Key Generating Function", (u8 *) "", 0,
 
1646
                   eapKeyData, EAP_FAST_KEY_LEN);
 
1647
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
 
1648
                        eapKeyData, EAP_FAST_KEY_LEN);
 
1649
        *len = EAP_FAST_KEY_LEN;
 
1650
 
 
1651
        return eapKeyData;
 
1652
}
 
1653
 
 
1654
 
 
1655
static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
 
1656
{
 
1657
        struct eap_fast_data *data = priv;
 
1658
        u8 *eapKeyData;
 
1659
 
 
1660
        if (data->state != SUCCESS)
 
1661
                return NULL;
 
1662
 
 
1663
        /*
 
1664
         * RFC 4851, Section 5.4: EAP Master Session Key Genreration
 
1665
         * EMSK = T-PRF(S-IMCK[j],
 
1666
         *        "Extended Session Key Generating Function", 64)
 
1667
         */
 
1668
 
 
1669
        eapKeyData = os_malloc(EAP_EMSK_LEN);
 
1670
        if (eapKeyData == NULL)
 
1671
                return NULL;
 
1672
 
 
1673
        sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
 
1674
                   "Extended Session Key Generating Function",
 
1675
                   (u8 *) "", 0, eapKeyData, EAP_EMSK_LEN);
 
1676
        wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
 
1677
                        eapKeyData, EAP_EMSK_LEN);
 
1678
 
 
1679
        *len = EAP_EMSK_LEN;
 
1680
 
 
1681
        return eapKeyData;
 
1682
}
 
1683
 
 
1684
 
 
1685
static Boolean eap_fast_isSuccess(struct eap_sm *sm, void *priv)
 
1686
{
 
1687
        struct eap_fast_data *data = priv;
 
1688
        return data->state == SUCCESS;
 
1689
}
 
1690
 
 
1691
 
 
1692
int eap_server_fast_register(void)
 
1693
{
 
1694
        struct eap_method *eap;
 
1695
        int ret;
 
1696
 
 
1697
        eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
 
1698
                                      EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST");
 
1699
        if (eap == NULL)
 
1700
                return -1;
 
1701
 
 
1702
        eap->init = eap_fast_init;
 
1703
        eap->reset = eap_fast_reset;
 
1704
        eap->buildReq = eap_fast_buildReq;
 
1705
        eap->check = eap_fast_check;
 
1706
        eap->process = eap_fast_process;
 
1707
        eap->isDone = eap_fast_isDone;
 
1708
        eap->getKey = eap_fast_getKey;
 
1709
        eap->get_emsk = eap_fast_get_emsk;
 
1710
        eap->isSuccess = eap_fast_isSuccess;
 
1711
 
 
1712
        ret = eap_server_method_register(eap);
 
1713
        if (ret)
 
1714
                eap_server_method_free(eap);
 
1715
        return ret;
 
1716
}