src/eap_server/eap_tls_common.c

   1 /*
   2  * EAP-TLS/PEAP/TTLS/FAST server common functions
   3  * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "crypto/sha1.h"
  19 #include "crypto/tls.h"
  20 #include "eap_i.h"
  21 #include "eap_tls_common.h"
  22
  23
  24 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
  25                             int verify_peer)
  26 {
  27         data->eap = sm;
  28         data->phase2 = sm->init_phase2;
  29
  30         data->conn = tls_connection_init(sm->ssl_ctx);
  31         if (data->conn == NULL) {
  32                 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
  33                            "connection");
  34                 return -1;
  35         }
  36
  37         if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
  38                 wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
  39                            "of TLS peer certificate");
  40                 tls_connection_deinit(sm->ssl_ctx, data->conn);
  41                 data->conn = NULL;
  42                 return -1;
  43         }
  44
  45         /* TODO: make this configurable */
  46         data->tls_out_limit = 1398;
  47         if (data->phase2) {
  48                 /* Limit the fragment size in the inner TLS authentication
  49                  * since the outer authentication with EAP-PEAP does not yet
  50                  * support fragmentation */
  51                 if (data->tls_out_limit > 100)
  52                         data->tls_out_limit -= 100;
  53         }
  54         return 0;
  55 }
  56
  57
  58 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
  59 {
  60         tls_connection_deinit(sm->ssl_ctx, data->conn);
  61         os_free(data->tls_in);
  62         os_free(data->tls_out);
  63 }
  64
  65
  66 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
  67                                char *label, size_t len)
  68 {
  69         struct tls_keys keys;
  70         u8 *rnd = NULL, *out;
  71
  72         out = os_malloc(len);
  73         if (out == NULL)
  74                 return NULL;
  75
  76         if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 0, out, len) ==
  77             0)
  78                 return out;
  79
  80         if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys))
  81                 goto fail;
  82
  83         if (keys.client_random == NULL || keys.server_random == NULL ||
  84             keys.master_key == NULL)
  85                 goto fail;
  86
  87         rnd = os_malloc(keys.client_random_len + keys.server_random_len);
  88         if (rnd == NULL)
  89                 goto fail;
  90         os_memcpy(rnd, keys.client_random, keys.client_random_len);
  91         os_memcpy(rnd + keys.client_random_len, keys.server_random,
  92                   keys.server_random_len);
  93
  94         if (tls_prf(keys.master_key, keys.master_key_len,
  95                     label, rnd, keys.client_random_len +
  96                     keys.server_random_len, out, len))
  97                 goto fail;
  98
  99         os_free(rnd);
 100         return out;
 101
 102 fail:
 103         os_free(out);
 104         os_free(rnd);
 105         return NULL;
 106 }
 107
 108
 109 struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
 110                                          int eap_type, int version, u8 id)
 111 {
 112         struct wpabuf *req;
 113         u8 flags;
 114         size_t send_len, plen;
 115
 116         wpa_printf(MSG_DEBUG, "SSL: Generating Request");
 117         if (data->tls_out == NULL) {
 118                 wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__);
 119                 return NULL;
 120         }
 121
 122         flags = version;
 123         send_len = wpabuf_len(data->tls_out) - data->tls_out_pos;
 124         if (1 + send_len > data->tls_out_limit) {
 125                 send_len = data->tls_out_limit - 1;
 126                 flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
 127                 if (data->tls_out_pos == 0) {
 128                         flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
 129                         send_len -= 4;
 130                 }
 131         }
 132
 133         plen = 1 + send_len;
 134         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
 135                 plen += 4;
 136
 137         req = eap_msg_alloc(EAP_VENDOR_IETF, eap_type, plen,
 138                             EAP_CODE_REQUEST, id);
 139         if (req == NULL)
 140                 return NULL;
 141
 142         wpabuf_put_u8(req, flags); /* Flags */
 143         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
 144                 wpabuf_put_be32(req, wpabuf_len(data->tls_out));
 145
 146         wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
 147                         send_len);
 148         data->tls_out_pos += send_len;
 149
 150         if (data->tls_out_pos == wpabuf_len(data->tls_out)) {
 151                 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
 152                            "(message sent completely)",
 153                            (unsigned long) send_len);
 154                 wpabuf_free(data->tls_out);
 155                 data->tls_out = NULL;
 156                 data->tls_out_pos = 0;
 157                 data->state = MSG;
 158         } else {
 159                 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
 160                            "(%lu more to send)", (unsigned long) send_len,
 161                            (unsigned long) wpabuf_len(data->tls_out) -
 162                            data->tls_out_pos);
 163                 data->state = WAIT_FRAG_ACK;
 164         }
 165
 166         return req;
 167 }
 168
 169
 170 struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version)
 171 {
 172         struct wpabuf *req;
 173
 174         req = eap_msg_alloc(EAP_VENDOR_IETF, eap_type, 1, EAP_CODE_REQUEST,
 175                             id);
 176         if (req == NULL)
 177                 return NULL;
 178         wpa_printf(MSG_DEBUG, "SSL: Building ACK");
 179         wpabuf_put_u8(req, version); /* Flags */
 180         return req;
 181 }
 182
 183
 184 static int eap_server_tls_process_cont(struct eap_ssl_data *data,
 185                                        const u8 *buf, size_t len)
 186 {
 187         /* Process continuation of a pending message */
 188         if (len > wpabuf_tailroom(data->tls_in)) {
 189                 wpa_printf(MSG_DEBUG, "SSL: Fragment overflow");
 190                 return -1;
 191         }
 192
 193         wpabuf_put_data(data->tls_in, buf, len);
 194         wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu "
 195                    "bytes more", (unsigned long) len,
 196                    (unsigned long) wpabuf_tailroom(data->tls_in));
 197
 198         return 0;
 199 }
 200
 201
 202 static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
 203                                            u8 flags, u32 message_length,
 204                                            const u8 *buf, size_t len)
 205 {
 206         /* Process a fragment that is not the last one of the message */
 207         if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
 208                 wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a "
 209                            "fragmented packet");
 210                 return -1;
 211         }
 212
 213         if (data->tls_in == NULL) {
 214                 /* First fragment of the message */
 215
 216                 /* Limit length to avoid rogue peers from causing large
 217                  * memory allocations. */
 218                 if (message_length > 65536) {
 219                         wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size"
 220                                    " over 64 kB)");
 221                         return -1;
 222                 }
 223
 224                 data->tls_in = wpabuf_alloc(message_length);
 225                 if (data->tls_in == NULL) {
 226                         wpa_printf(MSG_DEBUG, "SSL: No memory for message");
 227                         return -1;
 228                 }
 229                 wpabuf_put_data(data->tls_in, buf, len);
 230                 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first "
 231                            "fragment, waiting for %lu bytes more",
 232                            (unsigned long) len,
 233                            (unsigned long) wpabuf_tailroom(data->tls_in));
 234         }
 235
 236         return 0;
 237 }
 238
 239
 240 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 241 {
 242         if (data->tls_out) {
 243                 /* This should not happen.. */
 244                 wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
 245                            "processing new message");
 246                 wpabuf_free(data->tls_out);
 247                 WPA_ASSERT(data->tls_out == NULL);
 248         }
 249
 250         data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
 251                                                         data->conn,
 252                                                         data->tls_in, NULL);
 253         if (data->tls_out == NULL) {
 254                 wpa_printf(MSG_INFO, "SSL: TLS processing failed");
 255                 return -1;
 256         }
 257         if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
 258                 /* TLS processing has failed - return error */
 259                 wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
 260                            "report error");
 261                 return -1;
 262         }
 263
 264         return 0;
 265 }
 266
 267
 268 static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
 269                                      const u8 **pos, size_t *left)
 270 {
 271         unsigned int tls_msg_len = 0;
 272         const u8 *end = *pos + *left;
 273
 274         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
 275                 if (*left < 4) {
 276                         wpa_printf(MSG_INFO, "SSL: Short frame with TLS "
 277                                    "length");
 278                         return -1;
 279                 }
 280                 tls_msg_len = WPA_GET_BE32(*pos);
 281                 wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d",
 282                            tls_msg_len);
 283                 *pos += 4;
 284                 *left -= 4;
 285         }
 286
 287         wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x "
 288                    "Message Length %u", flags, tls_msg_len);
 289
 290         if (data->state == WAIT_FRAG_ACK) {
 291                 if (*left != 0) {
 292                         wpa_printf(MSG_DEBUG, "SSL: Unexpected payload in "
 293                                    "WAIT_FRAG_ACK state");
 294                         return -1;
 295                 }
 296                 wpa_printf(MSG_DEBUG, "SSL: Fragment acknowledged");
 297                 return 1;
 298         }
 299
 300         if (data->tls_in &&
 301             eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
 302                 return -1;
 303
 304         if (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) {
 305                 if (eap_server_tls_process_fragment(data, flags, tls_msg_len,
 306                                                     *pos, end - *pos) < 0)
 307                         return -1;
 308
 309                 data->state = FRAG_ACK;
 310                 return 1;
 311         }
 312
 313         if (data->state == FRAG_ACK) {
 314                 wpa_printf(MSG_DEBUG, "SSL: All fragments received");
 315                 data->state = MSG;
 316         }
 317
 318         if (data->tls_in == NULL) {
 319                 /* Wrap unfragmented messages as wpabuf without extra copy */
 320                 wpabuf_set(&data->tmpbuf, *pos, end - *pos);
 321                 data->tls_in = &data->tmpbuf;
 322         }
 323
 324         return 0;
 325 }
 326
 327
 328 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
 329 {
 330         if (data->tls_in != &data->tmpbuf)
 331                 wpabuf_free(data->tls_in);
 332         data->tls_in = NULL;
 333 }
 334
 335
 336 struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
 337                                        struct eap_ssl_data *data,
 338                                        const struct wpabuf *plain)
 339 {
 340         struct wpabuf *buf;
 341
 342         buf = tls_connection_encrypt(sm->ssl_ctx, data->conn,
 343                                      plain);
 344         if (buf == NULL) {
 345                 wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data");
 346                 return NULL;
 347         }
 348
 349         return buf;
 350 }
 351
 352
 353 int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
 354                            struct wpabuf *respData, void *priv, int eap_type,
 355                            int (*proc_version)(struct eap_sm *sm, void *priv,
 356                                                int peer_version),
 357                            void (*proc_msg)(struct eap_sm *sm, void *priv,
 358                                             const struct wpabuf *respData))
 359 {
 360         const u8 *pos;
 361         u8 flags;
 362         size_t left;
 363         int ret, res = 0;
 364
 365         pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData, &left);
 366         if (pos == NULL || left < 1)
 367                 return 0; /* Should not happen - frame already validated */
 368         flags = *pos++;
 369         left--;
 370         wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x",
 371                    (unsigned long) wpabuf_len(respData), flags);
 372
 373         if (proc_version &&
 374             proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0)
 375                 return -1;
 376
 377         ret = eap_server_tls_reassemble(data, flags, &pos, &left);
 378         if (ret < 0) {
 379                 res = -1;
 380                 goto done;
 381         } else if (ret == 1)
 382                 return 0;
 383
 384         if (proc_msg)
 385                 proc_msg(sm, priv, respData);
 386
 387         if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
 388                 wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
 389                            "TLS processing");
 390                 res = -1;
 391         }
 392
 393 done:
 394         eap_server_tls_free_in_buf(data);
 395
 396         return res;
 397 }