2
* EAP-FAST server (RFC 4851)
3
* Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License version 2 as
7
* published by the Free Software Foundation.
9
* Alternatively, this software may be distributed under the terms of BSD
12
* See README and COPYING for more details.
21
#include "eap_tls_common.h"
23
#include "eap_common/eap_tlv_common.h"
24
#include "eap_common/eap_fast_common.h"
27
static void eap_fast_reset(struct eap_sm *sm, void *priv);
30
/* Private PAC-Opaque TLV types */
31
#define PAC_OPAQUE_TYPE_PAD 0
32
#define PAC_OPAQUE_TYPE_KEY 1
33
#define PAC_OPAQUE_TYPE_LIFETIME 2
35
/* PAC-Key lifetime in seconds (hard limit) */
36
#define PAC_KEY_LIFETIME (7 * 24 * 60 * 60)
39
* PAC-Key refresh time in seconds (soft limit on remaining hard limit). The
40
* server will generate a new PAC-Key when this number of seconds (or fewer)
43
#define PAC_KEY_REFRESH_TIME (1 * 24 * 60 * 60)
46
struct eap_fast_data {
47
struct eap_ssl_data ssl;
49
START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD,
50
CRYPTO_BINDING, REQUEST_PAC, SUCCESS, FAILURE
54
const struct eap_method *phase2_method;
59
u8 crypto_binding_nonce[32];
62
struct eap_fast_key_block_provisioning *key_block_p;
64
u8 simck[EAP_FAST_SIMCK_LEN];
68
u8 pac_opaque_encr[16];
71
int anon_provisioning;
72
int send_new_pac; /* server triggered re-keying of Tunnel PAC */
73
struct wpabuf *pending_phase2_resp;
77
static const char * eap_fast_state_txt(int state)
85
return "PHASE2_START";
89
return "PHASE2_METHOD";
91
return "CRYPTO_BINDING";
104
static void eap_fast_state(struct eap_fast_data *data, int state)
106
wpa_printf(MSG_DEBUG, "EAP-FAST: %s -> %s",
107
eap_fast_state_txt(data->state),
108
eap_fast_state_txt(state));
113
static EapType eap_fast_req_failure(struct eap_sm *sm,
114
struct eap_fast_data *data)
116
/* TODO: send Result TLV(FAILURE) */
117
eap_fast_state(data, FAILURE);
118
return EAP_TYPE_NONE;
122
static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
123
const u8 *client_random,
124
const u8 *server_random,
127
struct eap_fast_data *data = ctx;
128
#define TLS_RANDOM_LEN 32
129
#define TLS_MASTER_SECRET_LEN 48
130
u8 seed[2 * TLS_RANDOM_LEN];
131
const u8 *pac_opaque;
132
size_t pac_opaque_len;
133
u8 *buf, *pos, *end, *pac_key = NULL;
134
os_time_t lifetime = 0;
137
wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback");
138
wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket (PAC-Opaque)",
140
wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
141
client_random, TLS_RANDOM_LEN);
142
wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
143
server_random, TLS_RANDOM_LEN);
145
if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) {
146
wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid "
151
pac_opaque_len = WPA_GET_BE16(ticket + 2);
152
pac_opaque = ticket + 4;
153
if (pac_opaque_len < 8 || pac_opaque_len % 8 ||
154
pac_opaque_len > len - 4) {
155
wpa_printf(MSG_DEBUG, "EAP-FAST: Ignore invalid PAC-Opaque "
156
"(len=%lu left=%lu)",
157
(unsigned long) pac_opaque_len,
158
(unsigned long) len);
161
wpa_hexdump(MSG_DEBUG, "EAP-FAST: Received PAC-Opaque",
162
pac_opaque, pac_opaque_len);
164
buf = os_malloc(pac_opaque_len - 8);
166
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
167
"for decrypting PAC-Opaque");
171
if (aes_unwrap(data->pac_opaque_encr, (pac_opaque_len - 8) / 8,
172
pac_opaque, buf) < 0) {
173
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to decrypt "
177
* This may have been caused by server changing the PAC-Opaque
178
* encryption key, so just ignore this PAC-Opaque instead of
179
* failing the authentication completely. Provisioning can now
180
* be used to provision a new PAC.
185
end = buf + pac_opaque_len - 8;
186
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted PAC-Opaque",
190
while (pos + 1 < end) {
191
if (pos + 2 + pos[1] > end)
195
case PAC_OPAQUE_TYPE_PAD:
198
case PAC_OPAQUE_TYPE_KEY:
199
if (pos[1] != EAP_FAST_PAC_KEY_LEN) {
200
wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
201
"PAC-Key length %d", pos[1]);
206
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key from "
207
"decrypted PAC-Opaque",
208
pac_key, EAP_FAST_PAC_KEY_LEN);
210
case PAC_OPAQUE_TYPE_LIFETIME:
212
wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
213
"PAC-Key lifetime length %d",
218
lifetime = WPA_GET_BE32(pos + 2);
225
if (pac_key == NULL) {
226
wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in "
232
if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
233
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore "
234
"(lifetime=%ld now=%ld)", lifetime, now.sec);
239
if (lifetime - now.sec < PAC_KEY_REFRESH_TIME)
240
data->send_new_pac = 1;
243
* RFC 4851, Section 5.1:
244
* master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
245
* server_random + client_random, 48)
247
os_memcpy(seed, server_random, TLS_RANDOM_LEN);
248
os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
249
sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
250
"PAC to master secret label hash",
251
seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
253
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
254
master_secret, TLS_MASTER_SECRET_LEN);
262
static u8 * eap_fast_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
263
char *label, size_t len)
265
struct tls_keys keys;
266
u8 *rnd = NULL, *out;
269
block_size = tls_connection_get_keyblock_size(sm->ssl_ctx, data->conn);
273
out = os_malloc(block_size + len);
277
if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 1, out,
278
block_size + len) == 0) {
279
os_memmove(out, out + block_size, len);
283
if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys))
286
rnd = os_malloc(keys.client_random_len + keys.server_random_len);
290
os_memcpy(rnd, keys.server_random, keys.server_random_len);
291
os_memcpy(rnd + keys.server_random_len, keys.client_random,
292
keys.client_random_len);
294
wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
295
"expansion", keys.master_key, keys.master_key_len);
296
if (tls_prf(keys.master_key, keys.master_key_len,
297
label, rnd, keys.client_random_len +
298
keys.server_random_len, out, block_size + len))
301
os_memmove(out, out + block_size, len);
311
static void eap_fast_derive_key_auth(struct eap_sm *sm,
312
struct eap_fast_data *data)
316
/* RFC 4851, Section 5.1:
317
* Extra key material after TLS key_block: session_key_seed[40]
320
sks = eap_fast_derive_key(sm, &data->ssl, "key expansion",
323
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
329
* RFC 4851, Section 5.2:
330
* S-IMCK[0] = session_key_seed
332
wpa_hexdump_key(MSG_DEBUG,
333
"EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
334
sks, EAP_FAST_SKS_LEN);
336
os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN);
341
static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
342
struct eap_fast_data *data)
344
os_free(data->key_block_p);
345
data->key_block_p = (struct eap_fast_key_block_provisioning *)
346
eap_fast_derive_key(sm, &data->ssl, "key expansion",
347
sizeof(*data->key_block_p));
348
if (data->key_block_p == NULL) {
349
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
353
* RFC 4851, Section 5.2:
354
* S-IMCK[0] = session_key_seed
356
wpa_hexdump_key(MSG_DEBUG,
357
"EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
358
data->key_block_p->session_key_seed,
359
sizeof(data->key_block_p->session_key_seed));
361
os_memcpy(data->simck, data->key_block_p->session_key_seed,
363
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge",
364
data->key_block_p->server_challenge,
365
sizeof(data->key_block_p->server_challenge));
366
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge",
367
data->key_block_p->client_challenge,
368
sizeof(data->key_block_p->client_challenge));
372
static int eap_fast_get_phase2_key(struct eap_sm *sm,
373
struct eap_fast_data *data,
374
u8 *isk, size_t isk_len)
379
os_memset(isk, 0, isk_len);
381
if (data->phase2_method == NULL || data->phase2_priv == NULL) {
382
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not "
387
if (data->phase2_method->getKey == NULL)
390
if ((key = data->phase2_method->getKey(sm, data->phase2_priv,
391
&key_len)) == NULL) {
392
wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material "
397
if (key_len > isk_len)
399
os_memcpy(isk, key, key_len);
406
static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data)
408
u8 isk[32], imck[60];
410
wpa_printf(MSG_DEBUG, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)",
411
data->simck_idx + 1);
414
* RFC 4851, Section 5.2:
415
* IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
417
* S-IMCK[j] = first 40 octets of IMCK[j]
418
* CMK[j] = last 20 octets of IMCK[j]
421
if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0)
423
wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk));
424
sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
425
"Inner Methods Compound Keys",
426
isk, sizeof(isk), imck, sizeof(imck));
428
os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN);
429
wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]",
430
data->simck, EAP_FAST_SIMCK_LEN);
431
os_memcpy(data->cmk, imck + EAP_FAST_SIMCK_LEN, 20);
432
wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]", data->cmk, 20);
438
static void * eap_fast_init(struct eap_sm *sm)
440
struct eap_fast_data *data;
442
TLS_CIPHER_ANON_DH_AES128_SHA,
443
TLS_CIPHER_AES128_SHA,
444
TLS_CIPHER_RSA_DHE_AES128_SHA,
449
data = os_zalloc(sizeof(*data));
452
data->fast_version = EAP_FAST_VERSION;
453
data->force_version = -1;
454
if (sm->user && sm->user->force_version >= 0) {
455
data->force_version = sm->user->force_version;
456
wpa_printf(MSG_DEBUG, "EAP-FAST: forcing version %d",
457
data->force_version);
458
data->fast_version = data->force_version;
462
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
463
wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL.");
464
eap_fast_reset(sm, data);
468
if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn,
470
wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher "
472
eap_fast_reset(sm, data);
476
if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
477
eap_fast_session_ticket_cb,
479
wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket "
481
eap_fast_reset(sm, data);
485
if (sm->pac_opaque_encr_key == NULL) {
486
wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key "
488
eap_fast_reset(sm, data);
491
os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
492
sizeof(data->pac_opaque_encr));
494
if (sm->eap_fast_a_id == NULL) {
495
wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured");
496
eap_fast_reset(sm, data);
499
data->srv_id = os_strdup(sm->eap_fast_a_id);
500
if (data->srv_id == NULL) {
501
eap_fast_reset(sm, data);
509
static void eap_fast_reset(struct eap_sm *sm, void *priv)
511
struct eap_fast_data *data = priv;
514
if (data->phase2_priv && data->phase2_method)
515
data->phase2_method->reset(sm, data->phase2_priv);
516
eap_server_tls_ssl_deinit(sm, &data->ssl);
517
os_free(data->srv_id);
518
os_free(data->key_block_p);
519
wpabuf_free(data->pending_phase2_resp);
524
static struct wpabuf * eap_fast_build_start(struct eap_sm *sm,
525
struct eap_fast_data *data, u8 id)
528
struct pac_tlv_hdr *a_id;
529
size_t srv_id_len = os_strlen(data->srv_id);
531
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST,
532
1 + sizeof(*a_id) + srv_id_len,
533
EAP_CODE_REQUEST, id);
535
wpa_printf(MSG_ERROR, "EAP-FAST: Failed to allocate memory for"
537
eap_fast_state(data, FAILURE);
541
wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->fast_version);
542
a_id = wpabuf_put(req, sizeof(*a_id));
543
a_id->type = host_to_be16(PAC_TYPE_A_ID);
544
a_id->len = host_to_be16(srv_id_len);
545
wpabuf_put_data(req, data->srv_id, srv_id_len);
547
eap_fast_state(data, PHASE1);
553
static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data)
557
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2");
559
if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
561
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher "
563
eap_fast_state(data, FAILURE);
566
data->anon_provisioning = os_strstr(cipher, "ADH") != NULL;
568
if (data->anon_provisioning) {
569
wpa_printf(MSG_DEBUG, "EAP-FAST: Anonymous provisioning");
570
eap_fast_derive_key_provisioning(sm, data);
572
eap_fast_derive_key_auth(sm, data);
574
eap_fast_state(data, PHASE2_START);
580
static struct wpabuf * eap_fast_build_req(struct eap_sm *sm,
581
struct eap_fast_data *data, u8 id)
586
res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_FAST,
587
data->fast_version, id, &req);
589
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
590
if (eap_fast_phase1_done(sm, data) < 0) {
597
return eap_server_tls_build_ack(id, EAP_TYPE_FAST,
603
static struct wpabuf * eap_fast_encrypt(struct eap_sm *sm,
604
struct eap_fast_data *data,
605
u8 id, u8 *plain, size_t plain_len)
610
/* TODO: add support for fragmentation, if needed. This will need to
611
* add TLS Message Length field, if the frame is fragmented. */
612
buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_FAST,
613
1 + data->ssl.tls_out_limit,
614
EAP_CODE_REQUEST, id);
618
wpabuf_put_u8(buf, data->fast_version);
620
res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
621
plain, plain_len, wpabuf_put(buf, 0),
622
data->ssl.tls_out_limit);
624
wpa_printf(MSG_INFO, "EAP-FAST: Failed to encrypt Phase 2 "
630
wpabuf_put(buf, res);
637
static struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
640
struct eap_tlv_hdr *tlv;
645
/* Encapsulate EAP packet in EAP-Payload TLV */
646
wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");
647
e = wpabuf_alloc(sizeof(*tlv) + wpabuf_len(buf));
649
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
650
"for TLV encapsulation");
654
tlv = wpabuf_put(e, sizeof(*tlv));
655
tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
656
EAP_TLV_EAP_PAYLOAD_TLV);
657
tlv->length = host_to_be16(wpabuf_len(buf));
658
wpabuf_put_buf(e, buf);
664
static struct wpabuf * eap_fast_build_phase2_req(struct eap_sm *sm,
665
struct eap_fast_data *data,
670
if (data->phase2_priv == NULL) {
671
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not "
675
req = data->phase2_method->buildReq(sm, data->phase2_priv, id);
679
wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-FAST: Phase 2 EAP-Request", req);
680
return eap_fast_tlv_eap_payload(req);
684
static struct wpabuf * eap_fast_build_crypto_binding(
685
struct eap_sm *sm, struct eap_fast_data *data)
688
struct eap_tlv_result_tlv *result;
689
struct eap_tlv_crypto_binding__tlv *binding;
692
buf = wpabuf_alloc(sizeof(*result) + sizeof(*binding));
696
if (data->send_new_pac || data->anon_provisioning) {
697
type = EAP_TLV_INTERMEDIATE_RESULT_TLV;
698
data->final_result = 0;
700
type = EAP_TLV_RESULT_TLV;
701
data->final_result = 1;
705
wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)");
706
result = wpabuf_put(buf, sizeof(*result));
707
result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | type);
708
result->length = host_to_be16(2);
709
result->status = host_to_be16(EAP_TLV_RESULT_SUCCESS);
711
/* Crypto-Binding TLV */
712
binding = wpabuf_put(buf, sizeof(*binding));
713
binding->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
714
EAP_TLV_CRYPTO_BINDING_TLV);
715
binding->length = host_to_be16(sizeof(*binding) -
716
sizeof(struct eap_tlv_hdr));
717
binding->version = EAP_FAST_VERSION;
718
binding->received_version = data->peer_version;
719
binding->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST;
720
if (os_get_random(binding->nonce, sizeof(binding->nonce)) < 0) {
726
* RFC 4851, Section 4.2.8:
727
* The nonce in a request MUST have its least significant bit set to 0.
729
binding->nonce[sizeof(binding->nonce) - 1] &= ~0x01;
731
os_memcpy(data->crypto_binding_nonce, binding->nonce,
732
sizeof(binding->nonce));
735
* RFC 4851, Section 5.3:
737
* Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV )
740
hmac_sha1(data->cmk, 20, (u8 *) binding, sizeof(*binding),
741
binding->compound_mac);
743
wpa_printf(MSG_DEBUG, "EAP-FAST: Add Crypto-Binding TLV: Version %d "
744
"Received Version %d SubType %d",
745
binding->version, binding->received_version,
747
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE",
748
binding->nonce, sizeof(binding->nonce));
749
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC",
750
binding->compound_mac, sizeof(binding->compound_mac));
756
static struct wpabuf * eap_fast_build_pac(struct eap_sm *sm,
757
struct eap_fast_data *data)
759
u8 pac_key[2 + EAP_FAST_PAC_KEY_LEN + 6];
760
u8 pac_opaque[8 + EAP_FAST_PAC_KEY_LEN + 8];
763
size_t buf_len, srv_id_len;
764
struct eap_tlv_hdr *pac_tlv;
765
struct pac_tlv_hdr *hdr, *pac_info;
766
struct eap_tlv_result_tlv *result;
769
srv_id_len = os_strlen(data->srv_id);
771
pac_key[0] = PAC_OPAQUE_TYPE_KEY;
772
pac_key[1] = EAP_FAST_PAC_KEY_LEN;
773
if (os_get_random(pac_key + 2, EAP_FAST_PAC_KEY_LEN) < 0)
775
if (os_get_time(&now) < 0)
777
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Generated PAC-Key",
778
pac_key + 2, EAP_FAST_PAC_KEY_LEN);
779
pos = pac_key + 2 + EAP_FAST_PAC_KEY_LEN;
780
*pos++ = PAC_OPAQUE_TYPE_LIFETIME;
782
WPA_PUT_BE32(pos, now.sec + PAC_KEY_LIFETIME);
784
if (aes_wrap(data->pac_opaque_encr, sizeof(pac_key) / 8, pac_key,
788
wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque",
789
pac_opaque, sizeof(pac_opaque));
791
buf_len = sizeof(*pac_tlv) +
792
sizeof(*hdr) + EAP_FAST_PAC_KEY_LEN +
793
sizeof(*hdr) + sizeof(pac_opaque) +
794
2 * srv_id_len + 100 + sizeof(*result);
795
buf = wpabuf_alloc(buf_len);
800
wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV");
801
pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv));
802
pac_tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
806
hdr = wpabuf_put(buf, sizeof(*hdr));
807
hdr->type = host_to_be16(PAC_TYPE_PAC_KEY);
808
hdr->len = host_to_be16(EAP_FAST_PAC_KEY_LEN);
809
wpabuf_put_data(buf, pac_key + 2, EAP_FAST_PAC_KEY_LEN);
812
hdr = wpabuf_put(buf, sizeof(*hdr));
813
hdr->type = host_to_be16(PAC_TYPE_PAC_OPAQUE);
814
hdr->len = host_to_be16(sizeof(pac_opaque));
815
wpabuf_put_data(buf, pac_opaque, sizeof(pac_opaque));
818
pac_info = wpabuf_put(buf, sizeof(*pac_info));
819
pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO);
821
/* PAC-Lifetime (inside PAC-Info) */
822
hdr = wpabuf_put(buf, sizeof(*hdr));
823
hdr->type = host_to_be16(PAC_TYPE_CRED_LIFETIME);
824
hdr->len = host_to_be16(4);
825
wpabuf_put_be32(buf, now.sec + PAC_KEY_LIFETIME);
827
/* A-ID (inside PAC-Info) */
828
hdr = wpabuf_put(buf, sizeof(*hdr));
829
hdr->type = host_to_be16(PAC_TYPE_A_ID);
830
hdr->len = host_to_be16(srv_id_len);
831
wpabuf_put_data(buf, data->srv_id, srv_id_len);
833
/* Note: headers may be misaligned after A-ID */
835
/* A-ID-Info (inside PAC-Info) */
836
hdr = wpabuf_put(buf, sizeof(*hdr));
837
WPA_PUT_BE16((u8 *) &hdr->type, PAC_TYPE_A_ID_INFO);
838
WPA_PUT_BE16((u8 *) &hdr->len, srv_id_len);
839
wpabuf_put_data(buf, data->srv_id, srv_id_len);
841
/* PAC-Type (inside PAC-Info) */
842
hdr = wpabuf_put(buf, sizeof(*hdr));
843
WPA_PUT_BE16((u8 *) &hdr->type, PAC_TYPE_PAC_TYPE);
844
WPA_PUT_BE16((u8 *) &hdr->len, 2);
845
wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC);
847
/* Update PAC-Info and PAC TLV Length fields */
848
pos = wpabuf_put(buf, 0);
849
pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1));
850
pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1));
853
wpa_printf(MSG_DEBUG, "EAP-FAST: Add Result TLV (status=SUCCESS)");
854
result = wpabuf_put(buf, sizeof(*result));
855
WPA_PUT_BE16((u8 *) &result->tlv_type,
856
EAP_TLV_TYPE_MANDATORY | EAP_TLV_RESULT_TLV);
857
WPA_PUT_BE16((u8 *) &result->length, 2);
858
WPA_PUT_BE16((u8 *) &result->status, EAP_TLV_RESULT_SUCCESS);
864
static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id)
866
struct eap_fast_data *data = priv;
870
if (data->state == START)
871
return eap_fast_build_start(sm, data, id);
873
if (data->state == PHASE1)
874
return eap_fast_build_req(sm, data, id);
876
switch (data->state) {
879
req = eap_fast_build_phase2_req(sm, data, id);
882
req = eap_fast_build_crypto_binding(sm, data);
885
req = eap_fast_build_pac(sm, data);
888
wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d",
889
__func__, data->state);
896
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs",
898
encr = eap_fast_encrypt(sm, data, id, wpabuf_mhead(req),
906
static Boolean eap_fast_check(struct eap_sm *sm, void *priv,
907
struct wpabuf *respData)
912
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData, &len);
913
if (pos == NULL || len < 1) {
914
wpa_printf(MSG_INFO, "EAP-FAST: Invalid frame");
922
static int eap_fast_phase2_init(struct eap_sm *sm, struct eap_fast_data *data,
925
if (data->phase2_priv && data->phase2_method) {
926
data->phase2_method->reset(sm, data->phase2_priv);
927
data->phase2_method = NULL;
928
data->phase2_priv = NULL;
930
data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
932
if (!data->phase2_method)
935
if (data->key_block_p) {
936
sm->auth_challenge = data->key_block_p->server_challenge;
937
sm->peer_challenge = data->key_block_p->client_challenge;
940
data->phase2_priv = data->phase2_method->init(sm);
942
sm->auth_challenge = NULL;
943
sm->peer_challenge = NULL;
945
return data->phase2_priv == NULL ? -1 : 0;
949
static void eap_fast_process_phase2_response(struct eap_sm *sm,
950
struct eap_fast_data *data,
951
u8 *in_data, size_t in_len)
953
u8 next_type = EAP_TYPE_NONE;
958
const struct eap_method *m = data->phase2_method;
959
void *priv = data->phase2_priv;
962
wpa_printf(MSG_DEBUG, "EAP-FAST: %s - Phase2 not "
963
"initialized?!", __func__);
967
hdr = (struct eap_hdr *) in_data;
968
pos = (u8 *) (hdr + 1);
970
if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
971
left = in_len - sizeof(*hdr);
972
wpa_hexdump(MSG_DEBUG, "EAP-FAST: Phase2 type Nak'ed; "
973
"allowed types", pos + 1, left - 1);
974
eap_sm_process_nak(sm, pos + 1, left - 1);
975
if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
976
sm->user->methods[sm->user_eap_method_index].method !=
978
next_type = sm->user->methods[
979
sm->user_eap_method_index++].method;
980
wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d",
983
next_type = eap_fast_req_failure(sm, data);
985
eap_fast_phase2_init(sm, data, next_type);
989
wpabuf_set(&buf, in_data, in_len);
991
if (m->check(sm, priv, &buf)) {
992
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 check() asked to "
993
"ignore the packet");
994
next_type = eap_fast_req_failure(sm, data);
998
m->process(sm, priv, &buf);
1000
if (!m->isDone(sm, priv))
1003
if (!m->isSuccess(sm, priv)) {
1004
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method failed");
1005
next_type = eap_fast_req_failure(sm, data);
1006
eap_fast_phase2_init(sm, data, next_type);
1010
switch (data->state) {
1012
if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1013
wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: Phase2 "
1014
"Identity not found in the user "
1016
sm->identity, sm->identity_len);
1017
next_type = eap_fast_req_failure(sm, data);
1021
eap_fast_state(data, PHASE2_METHOD);
1022
if (data->anon_provisioning) {
1024
* Only EAP-MSCHAPv2 is allowed for anonymous
1027
next_type = EAP_TYPE_MSCHAPV2;
1028
sm->user_eap_method_index = 0;
1030
next_type = sm->user->methods[0].method;
1031
sm->user_eap_method_index = 1;
1033
wpa_printf(MSG_DEBUG, "EAP-FAST: try EAP type %d", next_type);
1036
eap_fast_update_icmk(sm, data);
1037
eap_fast_state(data, CRYPTO_BINDING);
1038
next_type = EAP_TYPE_NONE;
1043
wpa_printf(MSG_DEBUG, "EAP-FAST: %s - unexpected state %d",
1044
__func__, data->state);
1048
eap_fast_phase2_init(sm, data, next_type);
1052
static void eap_fast_process_phase2_eap(struct eap_sm *sm,
1053
struct eap_fast_data *data,
1054
u8 *in_data, size_t in_len)
1056
struct eap_hdr *hdr;
1059
hdr = (struct eap_hdr *) in_data;
1060
if (in_len < (int) sizeof(*hdr)) {
1061
wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 "
1062
"EAP frame (len=%d)", in_len);
1063
eap_fast_req_failure(sm, data);
1066
len = be_to_host16(hdr->length);
1068
wpa_printf(MSG_INFO, "EAP-FAST: Length mismatch in "
1069
"Phase 2 EAP frame (len=%d hdr->length=%d)",
1071
eap_fast_req_failure(sm, data);
1074
wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: code=%d "
1075
"identifier=%d length=%d", hdr->code, hdr->identifier, len);
1076
switch (hdr->code) {
1077
case EAP_CODE_RESPONSE:
1078
eap_fast_process_phase2_response(sm, data, (u8 *) hdr, len);
1081
wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in "
1082
"Phase 2 EAP header", hdr->code);
1088
struct eap_fast_tlv_parse {
1089
u8 *eap_payload_tlv;
1090
size_t eap_payload_tlv_len;
1091
struct eap_tlv_crypto_binding__tlv *crypto_binding;
1092
size_t crypto_binding_len;
1101
static int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
1102
int tlv_type, u8 *pos, int len)
1105
case EAP_TLV_EAP_PAYLOAD_TLV:
1106
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
1108
if (tlv->eap_payload_tlv) {
1109
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
1110
"EAP-Payload TLV in the message");
1111
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1114
tlv->eap_payload_tlv = pos;
1115
tlv->eap_payload_tlv_len = len;
1117
case EAP_TLV_RESULT_TLV:
1118
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
1120
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
1121
"Result TLV in the message");
1122
tlv->result = EAP_TLV_RESULT_FAILURE;
1126
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
1128
tlv->result = EAP_TLV_RESULT_FAILURE;
1131
tlv->result = WPA_GET_BE16(pos);
1132
if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
1133
tlv->result != EAP_TLV_RESULT_FAILURE) {
1134
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
1136
tlv->result = EAP_TLV_RESULT_FAILURE;
1138
wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
1139
tlv->result == EAP_TLV_RESULT_SUCCESS ?
1140
"Success" : "Failure");
1142
case EAP_TLV_INTERMEDIATE_RESULT_TLV:
1143
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
1146
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
1147
"Intermediate-Result TLV");
1148
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1152
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
1153
"Intermediate-Result TLV in the message");
1154
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1157
tlv->iresult = WPA_GET_BE16(pos);
1158
if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
1159
tlv->iresult != EAP_TLV_RESULT_FAILURE) {
1160
wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
1161
"Result %d", tlv->iresult);
1162
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1164
wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
1165
tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
1166
"Success" : "Failure");
1168
case EAP_TLV_CRYPTO_BINDING_TLV:
1169
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
1171
if (tlv->crypto_binding) {
1172
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
1173
"Crypto-Binding TLV in the message");
1174
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1177
tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
1178
if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
1179
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
1180
"Crypto-Binding TLV");
1181
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1184
tlv->crypto_binding = (struct eap_tlv_crypto_binding__tlv *)
1185
(pos - sizeof(struct eap_tlv_hdr));
1187
case EAP_TLV_REQUEST_ACTION_TLV:
1188
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
1190
if (tlv->request_action) {
1191
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
1192
"Request-Action TLV in the message");
1193
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1197
wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
1198
"Request-Action TLV");
1199
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1202
tlv->request_action = WPA_GET_BE16(pos);
1203
wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
1204
tlv->request_action);
1206
case EAP_TLV_PAC_TLV:
1207
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
1209
wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
1210
"PAC TLV in the message");
1211
tlv->iresult = EAP_TLV_RESULT_FAILURE;
1226
static int eap_fast_parse_tlvs(u8 *data, size_t data_len,
1227
struct eap_fast_tlv_parse *tlv)
1229
int mandatory, tlv_type, len, res;
1232
os_memset(tlv, 0, sizeof(*tlv));
1235
end = data + data_len;
1236
while (pos + 4 < end) {
1237
mandatory = pos[0] & 0x80;
1238
tlv_type = WPA_GET_BE16(pos) & 0x3fff;
1240
len = WPA_GET_BE16(pos);
1242
if (pos + len > end) {
1243
wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
1246
wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
1247
"TLV type %d length %d%s",
1248
tlv_type, len, mandatory ? " (mandatory)" : "");
1250
res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
1255
wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown "
1256
"mandatory TLV type %d", tlv_type);
1257
/* TODO: generate Nak TLV */
1260
wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored "
1261
"unknown optional TLV type %d",
1273
static int eap_fast_validate_crypto_binding(
1274
struct eap_fast_data *data, struct eap_tlv_crypto_binding__tlv *b,
1279
wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: "
1280
"Version %d Received Version %d SubType %d",
1281
b->version, b->received_version, b->subtype);
1282
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE",
1283
b->nonce, sizeof(b->nonce));
1284
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC",
1285
b->compound_mac, sizeof(b->compound_mac));
1287
if (b->version != EAP_FAST_VERSION ||
1288
b->received_version != EAP_FAST_VERSION) {
1289
wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected version "
1290
"in Crypto-Binding: version %d "
1291
"received_version %d", b->version,
1292
b->received_version);
1296
if (b->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) {
1297
wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected subtype in "
1298
"Crypto-Binding: %d", b->subtype);
1302
if (os_memcmp(data->crypto_binding_nonce, b->nonce, 31) != 0 ||
1303
(data->crypto_binding_nonce[31] | 1) != b->nonce[31]) {
1304
wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in "
1309
os_memcpy(cmac, b->compound_mac, sizeof(cmac));
1310
os_memset(b->compound_mac, 0, sizeof(cmac));
1311
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for "
1312
"Compound MAC calculation",
1313
(u8 *) b, bind_len);
1314
hmac_sha1(data->cmk, 20, (u8 *) b, bind_len, b->compound_mac);
1315
if (os_memcmp(cmac, b->compound_mac, sizeof(cmac)) != 0) {
1316
wpa_hexdump(MSG_MSGDUMP,
1317
"EAP-FAST: Calculated Compound MAC",
1318
b->compound_mac, sizeof(cmac));
1319
wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not "
1328
static int eap_fast_pac_type(u8 *pac, size_t len, u16 type)
1330
struct eap_tlv_pac_type_tlv *tlv;
1332
if (pac == NULL || len != sizeof(*tlv))
1335
tlv = (struct eap_tlv_pac_type_tlv *) pac;
1337
return be_to_host16(tlv->tlv_type) == PAC_TYPE_PAC_TYPE &&
1338
be_to_host16(tlv->length) == 2 &&
1339
be_to_host16(tlv->pac_type) == type;
1343
static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
1344
struct eap_fast_data *data,
1345
u8 *in_data, size_t in_len)
1347
struct eap_fast_tlv_parse tlv;
1348
int check_crypto_binding = data->state == CRYPTO_BINDING;
1350
if (eap_fast_parse_tlvs(in_data, in_len, &tlv) < 0) {
1351
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received "
1356
if (tlv.result == EAP_TLV_RESULT_FAILURE) {
1357
wpa_printf(MSG_DEBUG, "EAP-FAST: Result TLV indicated "
1359
eap_fast_state(data, FAILURE);
1363
if (data->state == REQUEST_PAC) {
1365
if (tlv.pac == NULL || tlv.pac_len < 6) {
1366
wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC "
1367
"Acknowledgement received");
1368
eap_fast_state(data, FAILURE);
1372
type = WPA_GET_BE16(tlv.pac);
1373
len = WPA_GET_BE16(tlv.pac + 2);
1374
res = WPA_GET_BE16(tlv.pac + 4);
1376
if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 ||
1377
res != EAP_TLV_RESULT_SUCCESS) {
1378
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV did not "
1379
"contain acknowledgement");
1380
eap_fast_state(data, FAILURE);
1384
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received "
1385
"- PAC provisioning succeeded");
1386
eap_fast_state(data, data->anon_provisioning ?
1391
if (tlv.eap_payload_tlv) {
1392
eap_fast_process_phase2_eap(sm, data, tlv.eap_payload_tlv,
1393
tlv.eap_payload_tlv_len);
1396
if (check_crypto_binding) {
1397
if (tlv.crypto_binding == NULL) {
1398
wpa_printf(MSG_DEBUG, "EAP-FAST: No Crypto-Binding "
1400
eap_fast_state(data, FAILURE);
1404
if (data->final_result &&
1405
tlv.result != EAP_TLV_RESULT_SUCCESS) {
1406
wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV "
1407
"without Success Result");
1408
eap_fast_state(data, FAILURE);
1412
if (!data->final_result &&
1413
tlv.iresult != EAP_TLV_RESULT_SUCCESS) {
1414
wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV "
1415
"without intermediate Success Result");
1416
eap_fast_state(data, FAILURE);
1420
if (eap_fast_validate_crypto_binding(data, tlv.crypto_binding,
1421
tlv.crypto_binding_len)) {
1422
eap_fast_state(data, FAILURE);
1426
wpa_printf(MSG_DEBUG, "EAP-FAST: Valid Crypto-Binding TLV "
1427
"received - authentication completed successfully");
1429
if (data->anon_provisioning ||
1430
(tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
1431
eap_fast_pac_type(tlv.pac, tlv.pac_len,
1432
PAC_TYPE_TUNNEL_PAC))) {
1433
wpa_printf(MSG_DEBUG, "EAP-FAST: Requested a new "
1435
eap_fast_state(data, REQUEST_PAC);
1436
} else if (data->send_new_pac) {
1437
wpa_printf(MSG_DEBUG, "EAP-FAST: Server triggered "
1438
"re-keying of Tunnel PAC");
1439
eap_fast_state(data, REQUEST_PAC);
1441
eap_fast_state(data, SUCCESS);
1446
static void eap_fast_process_phase2(struct eap_sm *sm,
1447
struct eap_fast_data *data,
1448
const u8 *in_data, size_t in_len)
1451
int len_decrypted, res;
1454
wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for"
1455
" Phase 2", (unsigned long) in_len);
1457
if (data->pending_phase2_resp) {
1458
wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
1459
"skip decryption and use old data");
1460
eap_fast_process_phase2_tlvs(
1461
sm, data, wpabuf_mhead(data->pending_phase2_resp),
1462
wpabuf_len(data->pending_phase2_resp));
1463
wpabuf_free(data->pending_phase2_resp);
1464
data->pending_phase2_resp = NULL;
1468
/* FIX: get rid of const -> non-const typecast */
1469
res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
1471
if (res < 0 || res == 1)
1475
if (data->ssl.tls_in_total > buf_len)
1476
buf_len = data->ssl.tls_in_total;
1477
in_decrypted = os_malloc(buf_len);
1478
if (in_decrypted == NULL) {
1479
os_free(data->ssl.tls_in);
1480
data->ssl.tls_in = NULL;
1481
data->ssl.tls_in_len = 0;
1482
wpa_printf(MSG_WARNING, "EAP-FAST: Failed to allocate memory "
1487
len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1489
in_decrypted, buf_len);
1490
os_free(data->ssl.tls_in);
1491
data->ssl.tls_in = NULL;
1492
data->ssl.tls_in_len = 0;
1493
if (len_decrypted < 0) {
1494
wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
1496
os_free(in_decrypted);
1497
eap_fast_state(data, FAILURE);
1501
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs",
1502
in_decrypted, len_decrypted);
1504
eap_fast_process_phase2_tlvs(sm, data, in_decrypted, len_decrypted);
1506
if (sm->method_pending == METHOD_PENDING_WAIT) {
1507
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in "
1508
"pending wait state - save decrypted response");
1509
wpabuf_free(data->pending_phase2_resp);
1510
data->pending_phase2_resp = wpabuf_alloc_copy(in_decrypted,
1514
os_free(in_decrypted);
1518
static void eap_fast_process(struct eap_sm *sm, void *priv,
1519
struct wpabuf *respData)
1521
struct eap_fast_data *data = priv;
1525
unsigned int tls_msg_len;
1528
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData,
1530
if (pos == NULL || left < 1)
1534
wpa_printf(MSG_DEBUG, "EAP-FAST: Received packet(len=%lu) - "
1535
"Flags 0x%02x", (unsigned long) wpabuf_len(respData),
1537
data->peer_version = peer_version = flags & EAP_PEAP_VERSION_MASK;
1538
if (data->force_version >= 0 && peer_version != data->force_version) {
1539
wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced"
1540
" version (forced=%d peer=%d) - reject",
1541
data->force_version, peer_version);
1542
eap_fast_state(data, FAILURE);
1545
if (peer_version < data->fast_version) {
1546
wpa_printf(MSG_DEBUG, "EAP-FAST: peer ver=%d, own ver=%d; "
1548
peer_version, data->fast_version, peer_version);
1549
data->fast_version = peer_version;
1551
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
1553
wpa_printf(MSG_INFO, "EAP-FAST: Short frame with TLS "
1555
eap_fast_state(data, FAILURE);
1558
tls_msg_len = WPA_GET_BE32(pos);
1559
wpa_printf(MSG_DEBUG, "EAP-FAST: TLS Message Length: %d",
1561
if (data->ssl.tls_in_left == 0) {
1562
data->ssl.tls_in_total = tls_msg_len;
1563
data->ssl.tls_in_left = tls_msg_len;
1564
os_free(data->ssl.tls_in);
1565
data->ssl.tls_in = NULL;
1566
data->ssl.tls_in_len = 0;
1572
switch (data->state) {
1574
if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
1576
wpa_printf(MSG_INFO, "EAP-FAST: TLS processing "
1578
eap_fast_state(data, FAILURE);
1581
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
1582
data->ssl.tls_out_len > 0)
1586
* Phase 1 was completed with the received message (e.g., when
1587
* using abbreviated handshake), so Phase 2 can be started
1588
* immediately without having to send through an empty message
1592
if (eap_fast_phase1_done(sm, data) < 0)
1595
/* fall through to PHASE2_START */
1597
eap_fast_state(data, PHASE2_ID);
1598
eap_fast_phase2_init(sm, data, EAP_TYPE_IDENTITY);
1602
case CRYPTO_BINDING:
1604
eap_fast_process_phase2(sm, data, pos, left);
1607
wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s",
1608
data->state, __func__);
1612
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
1613
wpa_printf(MSG_INFO, "EAP-FAST: Locally detected fatal error "
1614
"in TLS processing");
1615
eap_fast_state(data, FAILURE);
1620
static Boolean eap_fast_isDone(struct eap_sm *sm, void *priv)
1622
struct eap_fast_data *data = priv;
1623
return data->state == SUCCESS || data->state == FAILURE;
1627
static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len)
1629
struct eap_fast_data *data = priv;
1632
if (data->state != SUCCESS)
1636
* RFC 4851, Section 5.4: EAP Master Session Key Genreration
1637
* MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
1640
eapKeyData = os_malloc(EAP_FAST_KEY_LEN);
1641
if (eapKeyData == NULL)
1644
sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
1645
"Session Key Generating Function", (u8 *) "", 0,
1646
eapKeyData, EAP_FAST_KEY_LEN);
1647
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
1648
eapKeyData, EAP_FAST_KEY_LEN);
1649
*len = EAP_FAST_KEY_LEN;
1655
static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1657
struct eap_fast_data *data = priv;
1660
if (data->state != SUCCESS)
1664
* RFC 4851, Section 5.4: EAP Master Session Key Genreration
1665
* EMSK = T-PRF(S-IMCK[j],
1666
* "Extended Session Key Generating Function", 64)
1669
eapKeyData = os_malloc(EAP_EMSK_LEN);
1670
if (eapKeyData == NULL)
1673
sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
1674
"Extended Session Key Generating Function",
1675
(u8 *) "", 0, eapKeyData, EAP_EMSK_LEN);
1676
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
1677
eapKeyData, EAP_EMSK_LEN);
1679
*len = EAP_EMSK_LEN;
1685
static Boolean eap_fast_isSuccess(struct eap_sm *sm, void *priv)
1687
struct eap_fast_data *data = priv;
1688
return data->state == SUCCESS;
1692
int eap_server_fast_register(void)
1694
struct eap_method *eap;
1697
eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1698
EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST");
1702
eap->init = eap_fast_init;
1703
eap->reset = eap_fast_reset;
1704
eap->buildReq = eap_fast_buildReq;
1705
eap->check = eap_fast_check;
1706
eap->process = eap_fast_process;
1707
eap->isDone = eap_fast_isDone;
1708
eap->getKey = eap_fast_getKey;
1709
eap->get_emsk = eap_fast_get_emsk;
1710
eap->isSuccess = eap_fast_isSuccess;
1712
ret = eap_server_method_register(eap);
1714
eap_server_method_free(eap);