eap_server_teap.c revision 351611
1/* 2 * EAP-TEAP server (RFC 7170) 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/aes_wrap.h" 13#include "crypto/tls.h" 14#include "crypto/random.h" 15#include "eap_common/eap_teap_common.h" 16#include "eap_i.h" 17#include "eap_tls_common.h" 18 19 20static void eap_teap_reset(struct eap_sm *sm, void *priv); 21 22 23/* Private PAC-Opaque TLV types */ 24#define PAC_OPAQUE_TYPE_PAD 0 25#define PAC_OPAQUE_TYPE_KEY 1 26#define PAC_OPAQUE_TYPE_LIFETIME 2 27#define PAC_OPAQUE_TYPE_IDENTITY 3 28 29struct eap_teap_data { 30 struct eap_ssl_data ssl; 31 enum { 32 START, PHASE1, PHASE1B, PHASE2_START, PHASE2_ID, 33 PHASE2_BASIC_AUTH, PHASE2_METHOD, CRYPTO_BINDING, REQUEST_PAC, 34 FAILURE_SEND_RESULT, SUCCESS, FAILURE 35 } state; 36 37 u8 teap_version; 38 u8 peer_version; 39 u16 tls_cs; 40 41 const struct eap_method *phase2_method; 42 void *phase2_priv; 43 44 u8 crypto_binding_nonce[32]; 45 int final_result; 46 47 u8 simck_msk[EAP_TEAP_SIMCK_LEN]; 48 u8 cmk_msk[EAP_TEAP_CMK_LEN]; 49 u8 simck_emsk[EAP_TEAP_SIMCK_LEN]; 50 u8 cmk_emsk[EAP_TEAP_CMK_LEN]; 51 int simck_idx; 52 int cmk_emsk_available; 53 54 u8 pac_opaque_encr[16]; 55 u8 *srv_id; 56 size_t srv_id_len; 57 char *srv_id_info; 58 59 int anon_provisioning; 60 int send_new_pac; /* server triggered re-keying of Tunnel PAC */ 61 struct wpabuf *pending_phase2_resp; 62 struct wpabuf *server_outer_tlvs; 63 struct wpabuf *peer_outer_tlvs; 64 u8 *identity; /* from PAC-Opaque */ 65 size_t identity_len; 66 int eap_seq; 67 int tnc_started; 68 69 int pac_key_lifetime; 70 int pac_key_refresh_time; 71 72 enum teap_error_codes error_code; 73}; 74 75 76static int eap_teap_process_phase2_start(struct eap_sm *sm, 77 struct eap_teap_data *data); 78 79 80static const char * eap_teap_state_txt(int state) 81{ 82 switch (state) { 83 case START: 84 return "START"; 85 case PHASE1: 86 return "PHASE1"; 87 case PHASE1B: 88 return "PHASE1B"; 89 case PHASE2_START: 90 return "PHASE2_START"; 91 case PHASE2_ID: 92 return "PHASE2_ID"; 93 case PHASE2_BASIC_AUTH: 94 return "PHASE2_BASIC_AUTH"; 95 case PHASE2_METHOD: 96 return "PHASE2_METHOD"; 97 case CRYPTO_BINDING: 98 return "CRYPTO_BINDING"; 99 case REQUEST_PAC: 100 return "REQUEST_PAC"; 101 case FAILURE_SEND_RESULT: 102 return "FAILURE_SEND_RESULT"; 103 case SUCCESS: 104 return "SUCCESS"; 105 case FAILURE: 106 return "FAILURE"; 107 default: 108 return "Unknown?!"; 109 } 110} 111 112 113static void eap_teap_state(struct eap_teap_data *data, int state) 114{ 115 wpa_printf(MSG_DEBUG, "EAP-TEAP: %s -> %s", 116 eap_teap_state_txt(data->state), 117 eap_teap_state_txt(state)); 118 data->state = state; 119} 120 121 122static EapType eap_teap_req_failure(struct eap_teap_data *data, 123 enum teap_error_codes error) 124{ 125 eap_teap_state(data, FAILURE_SEND_RESULT); 126 return EAP_TYPE_NONE; 127} 128 129 130static int eap_teap_session_ticket_cb(void *ctx, const u8 *ticket, size_t len, 131 const u8 *client_random, 132 const u8 *server_random, 133 u8 *master_secret) 134{ 135 struct eap_teap_data *data = ctx; 136 const u8 *pac_opaque; 137 size_t pac_opaque_len; 138 u8 *buf, *pos, *end, *pac_key = NULL; 139 os_time_t lifetime = 0; 140 struct os_time now; 141 u8 *identity = NULL; 142 size_t identity_len = 0; 143 144 wpa_printf(MSG_DEBUG, "EAP-TEAP: SessionTicket callback"); 145 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: SessionTicket (PAC-Opaque)", 146 ticket, len); 147 148 if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) { 149 wpa_printf(MSG_DEBUG, "EAP-TEAP: Ignore invalid SessionTicket"); 150 return 0; 151 } 152 153 pac_opaque_len = WPA_GET_BE16(ticket + 2); 154 pac_opaque = ticket + 4; 155 if (pac_opaque_len < 8 || pac_opaque_len % 8 || 156 pac_opaque_len > len - 4) { 157 wpa_printf(MSG_DEBUG, 158 "EAP-TEAP: Ignore invalid PAC-Opaque (len=%lu left=%lu)", 159 (unsigned long) pac_opaque_len, 160 (unsigned long) len); 161 return 0; 162 } 163 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Received PAC-Opaque", 164 pac_opaque, pac_opaque_len); 165 166 buf = os_malloc(pac_opaque_len - 8); 167 if (!buf) { 168 wpa_printf(MSG_DEBUG, 169 "EAP-TEAP: Failed to allocate memory for decrypting PAC-Opaque"); 170 return 0; 171 } 172 173 if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 174 (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) { 175 wpa_printf(MSG_DEBUG, "EAP-TEAP: Failed to decrypt PAC-Opaque"); 176 os_free(buf); 177 /* 178 * This may have been caused by server changing the PAC-Opaque 179 * encryption key, so just ignore this PAC-Opaque instead of 180 * failing the authentication completely. Provisioning can now 181 * be used to provision a new PAC. 182 */ 183 return 0; 184 } 185 186 end = buf + pac_opaque_len - 8; 187 wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Decrypted PAC-Opaque", 188 buf, end - buf); 189 190 pos = buf; 191 while (end - pos > 1) { 192 u8 id, elen; 193 194 id = *pos++; 195 elen = *pos++; 196 if (elen > end - pos) 197 break; 198 199 switch (id) { 200 case PAC_OPAQUE_TYPE_PAD: 201 goto done; 202 case PAC_OPAQUE_TYPE_KEY: 203 if (elen != EAP_TEAP_PAC_KEY_LEN) { 204 wpa_printf(MSG_DEBUG, 205 "EAP-TEAP: Invalid PAC-Key length %d", 206 elen); 207 os_free(buf); 208 return -1; 209 } 210 pac_key = pos; 211 wpa_hexdump_key(MSG_DEBUG, 212 "EAP-TEAP: PAC-Key from decrypted PAC-Opaque", 213 pac_key, EAP_TEAP_PAC_KEY_LEN); 214 break; 215 case PAC_OPAQUE_TYPE_LIFETIME: 216 if (elen != 4) { 217 wpa_printf(MSG_DEBUG, 218 "EAP-TEAP: Invalid PAC-Key lifetime length %d", 219 elen); 220 os_free(buf); 221 return -1; 222 } 223 lifetime = WPA_GET_BE32(pos); 224 break; 225 case PAC_OPAQUE_TYPE_IDENTITY: 226 identity = pos; 227 identity_len = elen; 228 break; 229 } 230 231 pos += elen; 232 } 233done: 234 235 if (!pac_key) { 236 wpa_printf(MSG_DEBUG, 237 "EAP-TEAP: No PAC-Key included in PAC-Opaque"); 238 os_free(buf); 239 return -1; 240 } 241 242 if (identity) { 243 wpa_hexdump_ascii(MSG_DEBUG, 244 "EAP-TEAP: Identity from PAC-Opaque", 245 identity, identity_len); 246 os_free(data->identity); 247 data->identity = os_malloc(identity_len); 248 if (data->identity) { 249 os_memcpy(data->identity, identity, identity_len); 250 data->identity_len = identity_len; 251 } 252 } 253 254 if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) { 255 wpa_printf(MSG_DEBUG, 256 "EAP-TEAP: PAC-Key not valid anymore (lifetime=%ld now=%ld)", 257 lifetime, now.sec); 258 data->send_new_pac = 2; 259 /* 260 * Allow PAC to be used to allow a PAC update with some level 261 * of server authentication (i.e., do not fall back to full TLS 262 * handshake since we cannot be sure that the peer would be 263 * able to validate server certificate now). However, reject 264 * the authentication since the PAC was not valid anymore. Peer 265 * can connect again with the newly provisioned PAC after this. 266 */ 267 } else if (lifetime - now.sec < data->pac_key_refresh_time) { 268 wpa_printf(MSG_DEBUG, 269 "EAP-TEAP: PAC-Key soft timeout; send an update if authentication succeeds"); 270 data->send_new_pac = 1; 271 } 272 273 /* EAP-TEAP uses PAC-Key as the TLS master_secret */ 274 os_memcpy(master_secret, pac_key, EAP_TEAP_PAC_KEY_LEN); 275 276 os_free(buf); 277 278 return 1; 279} 280 281 282static int eap_teap_derive_key_auth(struct eap_sm *sm, 283 struct eap_teap_data *data) 284{ 285 int res; 286 287 /* RFC 7170, Section 5.1 */ 288 res = tls_connection_export_key(sm->ssl_ctx, data->ssl.conn, 289 TEAP_TLS_EXPORTER_LABEL_SKS, NULL, 0, 290 data->simck_msk, EAP_TEAP_SIMCK_LEN); 291 if (res) 292 return res; 293 wpa_hexdump_key(MSG_DEBUG, 294 "EAP-TEAP: session_key_seed (S-IMCK[0])", 295 data->simck_msk, EAP_TEAP_SIMCK_LEN); 296 os_memcpy(data->simck_emsk, data->simck_msk, EAP_TEAP_SIMCK_LEN); 297 data->simck_idx = 0; 298 return 0; 299} 300 301 302static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data) 303{ 304 u8 *msk = NULL, *emsk = NULL; 305 size_t msk_len = 0, emsk_len = 0; 306 int res; 307 308 wpa_printf(MSG_DEBUG, "EAP-TEAP: Deriving ICMK[%d] (S-IMCK and CMK)", 309 data->simck_idx + 1); 310 311 if (sm->eap_teap_auth == 1) 312 return eap_teap_derive_cmk_basic_pw_auth(data->simck_msk, 313 data->cmk_msk); 314 315 if (!data->phase2_method || !data->phase2_priv) { 316 wpa_printf(MSG_INFO, "EAP-TEAP: Phase 2 method not available"); 317 return -1; 318 } 319 320 if (data->phase2_method->getKey) { 321 msk = data->phase2_method->getKey(sm, data->phase2_priv, 322 &msk_len); 323 if (!msk) { 324 wpa_printf(MSG_INFO, 325 "EAP-TEAP: Could not fetch Phase 2 MSK"); 326 return -1; 327 } 328 } 329 330 if (data->phase2_method->get_emsk) { 331 emsk = data->phase2_method->get_emsk(sm, data->phase2_priv, 332 &emsk_len); 333 } 334 335 res = eap_teap_derive_imck(data->simck_msk, data->simck_emsk, 336 msk, msk_len, emsk, emsk_len, 337 data->simck_msk, data->cmk_msk, 338 data->simck_emsk, data->cmk_emsk); 339 bin_clear_free(msk, msk_len); 340 bin_clear_free(emsk, emsk_len); 341 if (res == 0) { 342 data->simck_idx++; 343 if (emsk) 344 data->cmk_emsk_available = 1; 345 } 346 return 0; 347} 348 349 350static void * eap_teap_init(struct eap_sm *sm) 351{ 352 struct eap_teap_data *data; 353 354 data = os_zalloc(sizeof(*data)); 355 if (!data) 356 return NULL; 357 data->teap_version = EAP_TEAP_VERSION; 358 data->state = START; 359 360 if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TEAP)) { 361 wpa_printf(MSG_INFO, "EAP-TEAP: Failed to initialize SSL."); 362 eap_teap_reset(sm, data); 363 return NULL; 364 } 365 366 /* TODO: Add anon-DH TLS cipher suites (and if one is negotiated, 367 * enforce inner EAP with mutual authentication to be used) */ 368 369 if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, 370 eap_teap_session_ticket_cb, 371 data) < 0) { 372 wpa_printf(MSG_INFO, 373 "EAP-TEAP: Failed to set SessionTicket callback"); 374 eap_teap_reset(sm, data); 375 return NULL; 376 } 377 378 if (!sm->pac_opaque_encr_key) { 379 wpa_printf(MSG_INFO, 380 "EAP-TEAP: No PAC-Opaque encryption key configured"); 381 eap_teap_reset(sm, data); 382 return NULL; 383 } 384 os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key, 385 sizeof(data->pac_opaque_encr)); 386 387 if (!sm->eap_fast_a_id) { 388 wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID configured"); 389 eap_teap_reset(sm, data); 390 return NULL; 391 } 392 data->srv_id = os_malloc(sm->eap_fast_a_id_len); 393 if (!data->srv_id) { 394 eap_teap_reset(sm, data); 395 return NULL; 396 } 397 os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len); 398 data->srv_id_len = sm->eap_fast_a_id_len; 399 400 if (!sm->eap_fast_a_id_info) { 401 wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID-Info configured"); 402 eap_teap_reset(sm, data); 403 return NULL; 404 } 405 data->srv_id_info = os_strdup(sm->eap_fast_a_id_info); 406 if (!data->srv_id_info) { 407 eap_teap_reset(sm, data); 408 return NULL; 409 } 410 411 /* PAC-Key lifetime in seconds (hard limit) */ 412 data->pac_key_lifetime = sm->pac_key_lifetime; 413 414 /* 415 * PAC-Key refresh time in seconds (soft limit on remaining hard 416 * limit). The server will generate a new PAC-Key when this number of 417 * seconds (or fewer) of the lifetime remains. 418 */ 419 data->pac_key_refresh_time = sm->pac_key_refresh_time; 420 421 return data; 422} 423 424 425static void eap_teap_reset(struct eap_sm *sm, void *priv) 426{ 427 struct eap_teap_data *data = priv; 428 429 if (!data) 430 return; 431 if (data->phase2_priv && data->phase2_method) 432 data->phase2_method->reset(sm, data->phase2_priv); 433 eap_server_tls_ssl_deinit(sm, &data->ssl); 434 os_free(data->srv_id); 435 os_free(data->srv_id_info); 436 wpabuf_free(data->pending_phase2_resp); 437 wpabuf_free(data->server_outer_tlvs); 438 wpabuf_free(data->peer_outer_tlvs); 439 os_free(data->identity); 440 forced_memzero(data->simck_msk, EAP_TEAP_SIMCK_LEN); 441 forced_memzero(data->simck_emsk, EAP_TEAP_SIMCK_LEN); 442 forced_memzero(data->cmk_msk, EAP_TEAP_CMK_LEN); 443 forced_memzero(data->cmk_emsk, EAP_TEAP_CMK_LEN); 444 forced_memzero(data->pac_opaque_encr, sizeof(data->pac_opaque_encr)); 445 bin_clear_free(data, sizeof(*data)); 446} 447 448 449static struct wpabuf * eap_teap_build_start(struct eap_sm *sm, 450 struct eap_teap_data *data, u8 id) 451{ 452 struct wpabuf *req; 453 size_t outer_tlv_len = sizeof(struct teap_tlv_hdr) + data->srv_id_len; 454 const u8 *start, *end; 455 456 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TEAP, 457 1 + 4 + outer_tlv_len, EAP_CODE_REQUEST, id); 458 if (!req) { 459 wpa_printf(MSG_ERROR, 460 "EAP-TEAP: Failed to allocate memory for request"); 461 eap_teap_state(data, FAILURE); 462 return NULL; 463 } 464 465 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | EAP_TEAP_FLAGS_OUTER_TLV_LEN | 466 data->teap_version); 467 wpabuf_put_be32(req, outer_tlv_len); 468 469 start = wpabuf_put(req, 0); 470 471 /* RFC 7170, Section 4.2.2: Authority-ID TLV */ 472 eap_teap_put_tlv(req, TEAP_TLV_AUTHORITY_ID, 473 data->srv_id, data->srv_id_len); 474 475 end = wpabuf_put(req, 0); 476 wpabuf_free(data->server_outer_tlvs); 477 data->server_outer_tlvs = wpabuf_alloc_copy(start, end - start); 478 if (!data->server_outer_tlvs) { 479 eap_teap_state(data, FAILURE); 480 return NULL; 481 } 482 483 eap_teap_state(data, PHASE1); 484 485 return req; 486} 487 488 489static int eap_teap_phase1_done(struct eap_sm *sm, struct eap_teap_data *data) 490{ 491 char cipher[64]; 492 493 wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 1 done, starting Phase 2"); 494 495 data->tls_cs = tls_connection_get_cipher_suite(data->ssl.conn); 496 wpa_printf(MSG_DEBUG, "EAP-TEAP: TLS cipher suite 0x%04x", 497 data->tls_cs); 498 499 if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher)) 500 < 0) { 501 wpa_printf(MSG_DEBUG, 502 "EAP-TEAP: Failed to get cipher information"); 503 eap_teap_state(data, FAILURE); 504 return -1; 505 } 506 data->anon_provisioning = os_strstr(cipher, "ADH") != NULL; 507 508 if (data->anon_provisioning) 509 wpa_printf(MSG_DEBUG, "EAP-TEAP: Anonymous provisioning"); 510 511 if (eap_teap_derive_key_auth(sm, data) < 0) { 512 eap_teap_state(data, FAILURE); 513 return -1; 514 } 515 516 eap_teap_state(data, PHASE2_START); 517 518 return 0; 519} 520 521 522static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm, 523 struct eap_teap_data *data, 524 u8 id) 525{ 526 struct wpabuf *req; 527 528 if (sm->eap_teap_auth == 1) { 529 wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth"); 530 req = wpabuf_alloc(sizeof(struct teap_tlv_hdr)); 531 if (!req) 532 return NULL; 533 eap_teap_put_tlv_hdr(req, TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, 0); 534 return req; 535 } 536 537 wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate inner EAP method"); 538 if (!data->phase2_priv) { 539 wpa_printf(MSG_DEBUG, 540 "EAP-TEAP: Phase 2 method not initialized"); 541 return NULL; 542 } 543 544 req = data->phase2_method->buildReq(sm, data->phase2_priv, id); 545 if (!req) 546 return NULL; 547 548 wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-TEAP: Phase 2 EAP-Request", req); 549 return eap_teap_tlv_eap_payload(req); 550} 551 552 553static struct wpabuf * eap_teap_build_crypto_binding( 554 struct eap_sm *sm, struct eap_teap_data *data) 555{ 556 struct wpabuf *buf; 557 struct teap_tlv_result *result; 558 struct teap_tlv_crypto_binding *cb; 559 u8 subtype, flags; 560 561 buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*cb)); 562 if (!buf) 563 return NULL; 564 565 if (data->send_new_pac || data->anon_provisioning || 566 data->phase2_method) 567 data->final_result = 0; 568 else 569 data->final_result = 1; 570 571 if (!data->final_result || data->eap_seq > 0) { 572 /* Intermediate-Result */ 573 wpa_printf(MSG_DEBUG, 574 "EAP-TEAP: Add Intermediate-Result TLV (status=SUCCESS)"); 575 result = wpabuf_put(buf, sizeof(*result)); 576 result->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | 577 TEAP_TLV_INTERMEDIATE_RESULT); 578 result->length = host_to_be16(2); 579 result->status = host_to_be16(TEAP_STATUS_SUCCESS); 580 } 581 582 if (data->final_result) { 583 /* Result TLV */ 584 wpa_printf(MSG_DEBUG, 585 "EAP-TEAP: Add Result TLV (status=SUCCESS)"); 586 result = wpabuf_put(buf, sizeof(*result)); 587 result->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | 588 TEAP_TLV_RESULT); 589 result->length = host_to_be16(2); 590 result->status = host_to_be16(TEAP_STATUS_SUCCESS); 591 } 592 593 /* Crypto-Binding TLV */ 594 cb = wpabuf_put(buf, sizeof(*cb)); 595 cb->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | 596 TEAP_TLV_CRYPTO_BINDING); 597 cb->length = host_to_be16(sizeof(*cb) - sizeof(struct teap_tlv_hdr)); 598 cb->version = EAP_TEAP_VERSION; 599 cb->received_version = data->peer_version; 600 /* FIX: RFC 7170 is not clear on which Flags value to use when 601 * Crypto-Binding TLV is used with Basic-Password-Auth */ 602 flags = data->cmk_emsk_available ? 603 TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC : 604 TEAP_CRYPTO_BINDING_MSK_CMAC; 605 subtype = TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST; 606 cb->subtype = (flags << 4) | subtype; 607 if (random_get_bytes(cb->nonce, sizeof(cb->nonce)) < 0) { 608 wpabuf_free(buf); 609 return NULL; 610 } 611 612 /* 613 * RFC 7170, Section 4.2.13: 614 * The nonce in a request MUST have its least significant bit set to 0. 615 */ 616 cb->nonce[sizeof(cb->nonce) - 1] &= ~0x01; 617 618 os_memcpy(data->crypto_binding_nonce, cb->nonce, sizeof(cb->nonce)); 619 620 if (eap_teap_compound_mac(data->tls_cs, cb, data->server_outer_tlvs, 621 data->peer_outer_tlvs, data->cmk_msk, 622 cb->msk_compound_mac) < 0) { 623 wpabuf_free(buf); 624 return NULL; 625 } 626 627 if (data->cmk_emsk_available && 628 eap_teap_compound_mac(data->tls_cs, cb, data->server_outer_tlvs, 629 data->peer_outer_tlvs, data->cmk_emsk, 630 cb->emsk_compound_mac) < 0) { 631 wpabuf_free(buf); 632 return NULL; 633 } 634 635 wpa_printf(MSG_DEBUG, 636 "EAP-TEAP: Add Crypto-Binding TLV: Version %u Received Version %u Flags %u Sub-Type %u", 637 cb->version, cb->received_version, flags, subtype); 638 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce", 639 cb->nonce, sizeof(cb->nonce)); 640 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC", 641 cb->emsk_compound_mac, sizeof(cb->emsk_compound_mac)); 642 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC", 643 cb->msk_compound_mac, sizeof(cb->msk_compound_mac)); 644 645 return buf; 646} 647 648 649static struct wpabuf * eap_teap_build_pac(struct eap_sm *sm, 650 struct eap_teap_data *data) 651{ 652 u8 pac_key[EAP_TEAP_PAC_KEY_LEN]; 653 u8 *pac_buf, *pac_opaque; 654 struct wpabuf *buf; 655 u8 *pos; 656 size_t buf_len, srv_id_info_len, pac_len; 657 struct teap_tlv_hdr *pac_tlv; 658 struct pac_attr_hdr *pac_info; 659 struct teap_tlv_result *result; 660 struct os_time now; 661 662 wpa_printf(MSG_DEBUG, "EAP-TEAP: Build a new PAC"); 663 664 if (random_get_bytes(pac_key, EAP_TEAP_PAC_KEY_LEN) < 0 || 665 os_get_time(&now) < 0) 666 return NULL; 667 wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Generated PAC-Key", 668 pac_key, EAP_TEAP_PAC_KEY_LEN); 669 670 pac_len = (2 + EAP_TEAP_PAC_KEY_LEN) + (2 + 4) + 671 (2 + sm->identity_len) + 8; 672 pac_buf = os_malloc(pac_len); 673 if (!pac_buf) 674 return NULL; 675 676 srv_id_info_len = os_strlen(data->srv_id_info); 677 678 pos = pac_buf; 679 *pos++ = PAC_OPAQUE_TYPE_KEY; 680 *pos++ = EAP_TEAP_PAC_KEY_LEN; 681 os_memcpy(pos, pac_key, EAP_TEAP_PAC_KEY_LEN); 682 pos += EAP_TEAP_PAC_KEY_LEN; 683 684 wpa_printf(MSG_DEBUG, "EAP-TEAP: PAC-Key lifetime: %u seconds", 685 data->pac_key_lifetime); 686 *pos++ = PAC_OPAQUE_TYPE_LIFETIME; 687 *pos++ = 4; 688 WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime); 689 pos += 4; 690 691 if (sm->identity) { 692 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TEAP: PAC-Opaque Identity", 693 sm->identity, sm->identity_len); 694 *pos++ = PAC_OPAQUE_TYPE_IDENTITY; 695 *pos++ = sm->identity_len; 696 os_memcpy(pos, sm->identity, sm->identity_len); 697 pos += sm->identity_len; 698 } 699 700 pac_len = pos - pac_buf; 701 while (pac_len % 8) { 702 *pos++ = PAC_OPAQUE_TYPE_PAD; 703 pac_len++; 704 } 705 706 pac_opaque = os_malloc(pac_len + 8); 707 if (!pac_opaque) { 708 os_free(pac_buf); 709 return NULL; 710 } 711 if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr), 712 pac_len / 8, pac_buf, pac_opaque) < 0) { 713 os_free(pac_buf); 714 os_free(pac_opaque); 715 return NULL; 716 } 717 os_free(pac_buf); 718 719 pac_len += 8; 720 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: PAC-Opaque", pac_opaque, pac_len); 721 722 buf_len = sizeof(*pac_tlv) + 723 sizeof(struct pac_attr_hdr) + EAP_TEAP_PAC_KEY_LEN + 724 sizeof(struct pac_attr_hdr) + pac_len + 725 data->srv_id_len + srv_id_info_len + 100 + sizeof(*result); 726 buf = wpabuf_alloc(buf_len); 727 if (!buf) { 728 os_free(pac_opaque); 729 return NULL; 730 } 731 732 /* Result TLV */ 733 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add Result TLV (status=SUCCESS)"); 734 result = wpabuf_put(buf, sizeof(*result)); 735 WPA_PUT_BE16((u8 *) &result->tlv_type, 736 TEAP_TLV_MANDATORY | TEAP_TLV_RESULT); 737 WPA_PUT_BE16((u8 *) &result->length, 2); 738 WPA_PUT_BE16((u8 *) &result->status, TEAP_STATUS_SUCCESS); 739 740 /* PAC TLV */ 741 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add PAC TLV"); 742 pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv)); 743 pac_tlv->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | TEAP_TLV_PAC); 744 745 /* PAC-Key */ 746 eap_teap_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_TEAP_PAC_KEY_LEN); 747 748 /* PAC-Opaque */ 749 eap_teap_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len); 750 os_free(pac_opaque); 751 752 /* PAC-Info */ 753 pac_info = wpabuf_put(buf, sizeof(*pac_info)); 754 pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO); 755 756 /* PAC-Lifetime (inside PAC-Info) */ 757 eap_teap_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4); 758 wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime); 759 760 /* A-ID (inside PAC-Info) */ 761 eap_teap_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len); 762 763 /* Note: headers may be misaligned after A-ID */ 764 765 if (sm->identity) { 766 eap_teap_put_tlv(buf, PAC_TYPE_I_ID, sm->identity, 767 sm->identity_len); 768 } 769 770 /* A-ID-Info (inside PAC-Info) */ 771 eap_teap_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info, 772 srv_id_info_len); 773 774 /* PAC-Type (inside PAC-Info) */ 775 eap_teap_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2); 776 wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC); 777 778 /* Update PAC-Info and PAC TLV Length fields */ 779 pos = wpabuf_put(buf, 0); 780 pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1)); 781 pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1)); 782 783 return buf; 784} 785 786 787static int eap_teap_encrypt_phase2(struct eap_sm *sm, 788 struct eap_teap_data *data, 789 struct wpabuf *plain, int piggyback) 790{ 791 struct wpabuf *encr; 792 793 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Encrypting Phase 2 TLVs", 794 plain); 795 encr = eap_server_tls_encrypt(sm, &data->ssl, plain); 796 wpabuf_free(plain); 797 798 if (!encr) 799 return -1; 800 801 if (data->ssl.tls_out && piggyback) { 802 wpa_printf(MSG_DEBUG, 803 "EAP-TEAP: Piggyback Phase 2 data (len=%d) with last Phase 1 Message (len=%d used=%d)", 804 (int) wpabuf_len(encr), 805 (int) wpabuf_len(data->ssl.tls_out), 806 (int) data->ssl.tls_out_pos); 807 if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) { 808 wpa_printf(MSG_WARNING, 809 "EAP-TEAP: Failed to resize output buffer"); 810 wpabuf_free(encr); 811 return -1; 812 } 813 wpabuf_put_buf(data->ssl.tls_out, encr); 814 wpabuf_free(encr); 815 } else { 816 wpabuf_free(data->ssl.tls_out); 817 data->ssl.tls_out_pos = 0; 818 data->ssl.tls_out = encr; 819 } 820 821 return 0; 822} 823 824 825static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id) 826{ 827 struct eap_teap_data *data = priv; 828 struct wpabuf *req = NULL; 829 int piggyback = 0; 830 831 if (data->ssl.state == FRAG_ACK) { 832 return eap_server_tls_build_ack(id, EAP_TYPE_TEAP, 833 data->teap_version); 834 } 835 836 if (data->ssl.state == WAIT_FRAG_ACK) { 837 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TEAP, 838 data->teap_version, id); 839 } 840 841 switch (data->state) { 842 case START: 843 return eap_teap_build_start(sm, data, id); 844 case PHASE1B: 845 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 846 if (eap_teap_phase1_done(sm, data) < 0) 847 return NULL; 848 if (data->state == PHASE2_START) { 849 int res; 850 851 /* 852 * Try to generate Phase 2 data to piggyback 853 * with the end of Phase 1 to avoid extra 854 * roundtrip. 855 */ 856 wpa_printf(MSG_DEBUG, 857 "EAP-TEAP: Try to start Phase 2"); 858 res = eap_teap_process_phase2_start(sm, data); 859 if (res == 1) { 860 req = eap_teap_build_crypto_binding( 861 sm, data); 862 piggyback = 1; 863 break; 864 } 865 866 if (res) 867 break; 868 req = eap_teap_build_phase2_req(sm, data, id); 869 piggyback = 1; 870 } 871 } 872 break; 873 case PHASE2_ID: 874 case PHASE2_BASIC_AUTH: 875 case PHASE2_METHOD: 876 req = eap_teap_build_phase2_req(sm, data, id); 877 break; 878 case CRYPTO_BINDING: 879 req = eap_teap_build_crypto_binding(sm, data); 880 if (data->phase2_method) { 881 /* 882 * Include the start of the next EAP method in the 883 * sequence in the same message with Crypto-Binding to 884 * save a round-trip. 885 */ 886 struct wpabuf *eap; 887 888 eap = eap_teap_build_phase2_req(sm, data, id); 889 req = wpabuf_concat(req, eap); 890 eap_teap_state(data, PHASE2_METHOD); 891 } 892 break; 893 case REQUEST_PAC: 894 req = eap_teap_build_pac(sm, data); 895 break; 896 case FAILURE_SEND_RESULT: 897 req = eap_teap_tlv_result(TEAP_STATUS_FAILURE, 0); 898 if (data->error_code) 899 req = wpabuf_concat( 900 req, eap_teap_tlv_error(data->error_code)); 901 break; 902 default: 903 wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d", 904 __func__, data->state); 905 return NULL; 906 } 907 908 if (req && eap_teap_encrypt_phase2(sm, data, req, piggyback) < 0) 909 return NULL; 910 911 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TEAP, 912 data->teap_version, id); 913} 914 915 916static Boolean eap_teap_check(struct eap_sm *sm, void *priv, 917 struct wpabuf *respData) 918{ 919 const u8 *pos; 920 size_t len; 921 922 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, respData, &len); 923 if (!pos || len < 1) { 924 wpa_printf(MSG_INFO, "EAP-TEAP: Invalid frame"); 925 return TRUE; 926 } 927 928 return FALSE; 929} 930 931 932static int eap_teap_phase2_init(struct eap_sm *sm, struct eap_teap_data *data, 933 EapType eap_type) 934{ 935 if (data->phase2_priv && data->phase2_method) { 936 data->phase2_method->reset(sm, data->phase2_priv); 937 data->phase2_method = NULL; 938 data->phase2_priv = NULL; 939 } 940 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 941 eap_type); 942 if (!data->phase2_method) 943 return -1; 944 945 sm->init_phase2 = 1; 946 data->phase2_priv = data->phase2_method->init(sm); 947 sm->init_phase2 = 0; 948 949 return data->phase2_priv ? 0 : -1; 950} 951 952 953static void eap_teap_process_phase2_response(struct eap_sm *sm, 954 struct eap_teap_data *data, 955 u8 *in_data, size_t in_len) 956{ 957 u8 next_type = EAP_TYPE_NONE; 958 struct eap_hdr *hdr; 959 u8 *pos; 960 size_t left; 961 struct wpabuf buf; 962 const struct eap_method *m = data->phase2_method; 963 void *priv = data->phase2_priv; 964 965 if (!priv) { 966 wpa_printf(MSG_DEBUG, 967 "EAP-TEAP: %s - Phase 2 not initialized?!", 968 __func__); 969 return; 970 } 971 972 hdr = (struct eap_hdr *) in_data; 973 pos = (u8 *) (hdr + 1); 974 975 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 976 left = in_len - sizeof(*hdr); 977 wpa_hexdump(MSG_DEBUG, 978 "EAP-TEAP: Phase 2 type Nak'ed; allowed types", 979 pos + 1, left - 1); 980#ifdef EAP_SERVER_TNC 981 if (m && m->vendor == EAP_VENDOR_IETF && 982 m->method == EAP_TYPE_TNC) { 983 wpa_printf(MSG_DEBUG, 984 "EAP-TEAP: Peer Nak'ed required TNC negotiation"); 985 next_type = eap_teap_req_failure(data, 0); 986 eap_teap_phase2_init(sm, data, next_type); 987 return; 988 } 989#endif /* EAP_SERVER_TNC */ 990 eap_sm_process_nak(sm, pos + 1, left - 1); 991 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 992 sm->user->methods[sm->user_eap_method_index].method != 993 EAP_TYPE_NONE) { 994 next_type = sm->user->methods[ 995 sm->user_eap_method_index++].method; 996 wpa_printf(MSG_DEBUG, "EAP-TEAP: try EAP type %d", 997 next_type); 998 } else { 999 next_type = eap_teap_req_failure(data, 0); 1000 } 1001 eap_teap_phase2_init(sm, data, next_type); 1002 return; 1003 } 1004 1005 wpabuf_set(&buf, in_data, in_len); 1006 1007 if (m->check(sm, priv, &buf)) { 1008 wpa_printf(MSG_DEBUG, 1009 "EAP-TEAP: Phase 2 check() asked to ignore the packet"); 1010 eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1011 return; 1012 } 1013 1014 m->process(sm, priv, &buf); 1015 1016 if (!m->isDone(sm, priv)) 1017 return; 1018 1019 if (!m->isSuccess(sm, priv)) { 1020 wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 2 method failed"); 1021 next_type = eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1022 eap_teap_phase2_init(sm, data, next_type); 1023 return; 1024 } 1025 1026 switch (data->state) { 1027 case PHASE2_ID: 1028 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1029 wpa_hexdump_ascii(MSG_DEBUG, 1030 "EAP-TEAP: Phase 2 Identity not found in the user database", 1031 sm->identity, sm->identity_len); 1032 next_type = eap_teap_req_failure( 1033 data, TEAP_ERROR_INNER_METHOD); 1034 break; 1035 } 1036 1037 eap_teap_state(data, PHASE2_METHOD); 1038 if (data->anon_provisioning) { 1039 /* TODO: Allow any inner EAP method that provides 1040 * mutual authentication and EMSK derivation (i.e., 1041 * EAP-pwd or EAP-EKE). */ 1042 next_type = EAP_TYPE_PWD; 1043 sm->user_eap_method_index = 0; 1044 } else { 1045 next_type = sm->user->methods[0].method; 1046 sm->user_eap_method_index = 1; 1047 } 1048 wpa_printf(MSG_DEBUG, "EAP-TEAP: Try EAP type %d", next_type); 1049 break; 1050 case PHASE2_METHOD: 1051 case CRYPTO_BINDING: 1052 eap_teap_update_icmk(sm, data); 1053 eap_teap_state(data, CRYPTO_BINDING); 1054 data->eap_seq++; 1055 next_type = EAP_TYPE_NONE; 1056#ifdef EAP_SERVER_TNC 1057 if (sm->tnc && !data->tnc_started) { 1058 wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC"); 1059 next_type = EAP_TYPE_TNC; 1060 data->tnc_started = 1; 1061 } 1062#endif /* EAP_SERVER_TNC */ 1063 break; 1064 case FAILURE: 1065 break; 1066 default: 1067 wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d", 1068 __func__, data->state); 1069 break; 1070 } 1071 1072 eap_teap_phase2_init(sm, data, next_type); 1073} 1074 1075 1076static void eap_teap_process_phase2_eap(struct eap_sm *sm, 1077 struct eap_teap_data *data, 1078 u8 *in_data, size_t in_len) 1079{ 1080 struct eap_hdr *hdr; 1081 size_t len; 1082 1083 hdr = (struct eap_hdr *) in_data; 1084 if (in_len < (int) sizeof(*hdr)) { 1085 wpa_printf(MSG_INFO, 1086 "EAP-TEAP: Too short Phase 2 EAP frame (len=%lu)", 1087 (unsigned long) in_len); 1088 eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1089 return; 1090 } 1091 len = be_to_host16(hdr->length); 1092 if (len > in_len) { 1093 wpa_printf(MSG_INFO, 1094 "EAP-TEAP: Length mismatch in Phase 2 EAP frame (len=%lu hdr->length=%lu)", 1095 (unsigned long) in_len, (unsigned long) len); 1096 eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD); 1097 return; 1098 } 1099 wpa_printf(MSG_DEBUG, 1100 "EAP-TEAP: Received Phase 2: code=%d identifier=%d length=%lu", 1101 hdr->code, hdr->identifier, 1102 (unsigned long) len); 1103 switch (hdr->code) { 1104 case EAP_CODE_RESPONSE: 1105 eap_teap_process_phase2_response(sm, data, (u8 *) hdr, len); 1106 break; 1107 default: 1108 wpa_printf(MSG_INFO, 1109 "EAP-TEAP: Unexpected code=%d in Phase 2 EAP header", 1110 hdr->code); 1111 break; 1112 } 1113} 1114 1115 1116static void eap_teap_process_basic_auth_resp(struct eap_sm *sm, 1117 struct eap_teap_data *data, 1118 u8 *in_data, size_t in_len) 1119{ 1120 u8 *pos, *end, *username, *password, *new_id; 1121 u8 userlen, passlen; 1122 1123 pos = in_data; 1124 end = pos + in_len; 1125 1126 if (end - pos < 1) { 1127 wpa_printf(MSG_DEBUG, 1128 "EAP-TEAP: No room for Basic-Password-Auth-Resp Userlen field"); 1129 eap_teap_req_failure(data, 0); 1130 return; 1131 } 1132 userlen = *pos++; 1133 if (end - pos < userlen) { 1134 wpa_printf(MSG_DEBUG, 1135 "EAP-TEAP: Truncated Basic-Password-Auth-Resp Username field"); 1136 eap_teap_req_failure(data, 0); 1137 return; 1138 } 1139 username = pos; 1140 pos += userlen; 1141 wpa_hexdump_ascii(MSG_DEBUG, 1142 "EAP-TEAP: Basic-Password-Auth-Resp Username", 1143 username, userlen); 1144 1145 if (end - pos < 1) { 1146 wpa_printf(MSG_DEBUG, 1147 "EAP-TEAP: No room for Basic-Password-Auth-Resp Passlen field"); 1148 eap_teap_req_failure(data, 0); 1149 return; 1150 } 1151 passlen = *pos++; 1152 if (end - pos < passlen) { 1153 wpa_printf(MSG_DEBUG, 1154 "EAP-TEAP: Truncated Basic-Password-Auth-Resp Password field"); 1155 eap_teap_req_failure(data, 0); 1156 return; 1157 } 1158 password = pos; 1159 pos += passlen; 1160 wpa_hexdump_ascii_key(MSG_DEBUG, 1161 "EAP-TEAP: Basic-Password-Auth-Resp Password", 1162 password, passlen); 1163 1164 if (end > pos) { 1165 wpa_printf(MSG_DEBUG, 1166 "EAP-TEAP: Unexpected %d extra octet(s) at the end of Basic-Password-Auth-Resp TLV", 1167 (int) (end - pos)); 1168 eap_teap_req_failure(data, 0); 1169 return; 1170 } 1171 1172 if (eap_user_get(sm, username, userlen, 1) != 0) { 1173 wpa_printf(MSG_DEBUG, 1174 "EAP-TEAP: Username not found in the user database"); 1175 eap_teap_req_failure(data, 0); 1176 return; 1177 } 1178 1179 if (!sm->user || !sm->user->password || sm->user->password_hash) { 1180 wpa_printf(MSG_DEBUG, 1181 "EAP-TEAP: No plaintext user password configured"); 1182 eap_teap_req_failure(data, 0); 1183 return; 1184 } 1185 1186 if (sm->user->password_len != passlen || 1187 os_memcmp_const(sm->user->password, password, passlen) != 0) { 1188 wpa_printf(MSG_DEBUG, "EAP-TEAP: Invalid password"); 1189 eap_teap_req_failure(data, 0); 1190 return; 1191 } 1192 1193 wpa_printf(MSG_DEBUG, "EAP-TEAP: Correct password"); 1194 new_id = os_memdup(username, userlen); 1195 if (new_id) { 1196 os_free(sm->identity); 1197 sm->identity = new_id; 1198 sm->identity_len = userlen; 1199 } 1200 eap_teap_state(data, CRYPTO_BINDING); 1201 eap_teap_update_icmk(sm, data); 1202} 1203 1204 1205static int eap_teap_parse_tlvs(struct wpabuf *data, 1206 struct eap_teap_tlv_parse *tlv) 1207{ 1208 u16 tlv_type; 1209 int mandatory, res; 1210 size_t len; 1211 u8 *pos, *end; 1212 1213 os_memset(tlv, 0, sizeof(*tlv)); 1214 1215 pos = wpabuf_mhead(data); 1216 end = pos + wpabuf_len(data); 1217 while (end - pos > 4) { 1218 mandatory = pos[0] & 0x80; 1219 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 1220 pos += 2; 1221 len = WPA_GET_BE16(pos); 1222 pos += 2; 1223 if (len > (size_t) (end - pos)) { 1224 wpa_printf(MSG_INFO, "EAP-TEAP: TLV overflow"); 1225 return -1; 1226 } 1227 wpa_printf(MSG_DEBUG, 1228 "EAP-TEAP: Received Phase 2: TLV type %u (%s) length %u%s", 1229 tlv_type, eap_teap_tlv_type_str(tlv_type), 1230 (unsigned int) len, 1231 mandatory ? " (mandatory)" : ""); 1232 1233 res = eap_teap_parse_tlv(tlv, tlv_type, pos, len); 1234 if (res == -2) 1235 break; 1236 if (res < 0) { 1237 if (mandatory) { 1238 wpa_printf(MSG_DEBUG, 1239 "EAP-TEAP: NAK unknown mandatory TLV type %u", 1240 tlv_type); 1241 /* TODO: generate NAK TLV */ 1242 break; 1243 } 1244 1245 wpa_printf(MSG_DEBUG, 1246 "EAP-TEAP: Ignore unknown optional TLV type %u", 1247 tlv_type); 1248 } 1249 1250 pos += len; 1251 } 1252 1253 return 0; 1254} 1255 1256 1257static int eap_teap_validate_crypto_binding( 1258 struct eap_teap_data *data, const struct teap_tlv_crypto_binding *cb, 1259 size_t bind_len) 1260{ 1261 u8 flags, subtype; 1262 1263 subtype = cb->subtype & 0x0f; 1264 flags = cb->subtype >> 4; 1265 1266 wpa_printf(MSG_DEBUG, 1267 "EAP-TEAP: Reply Crypto-Binding TLV: Version %u Received Version %u Flags %u Sub-Type %u", 1268 cb->version, cb->received_version, flags, subtype); 1269 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce", 1270 cb->nonce, sizeof(cb->nonce)); 1271 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC", 1272 cb->emsk_compound_mac, sizeof(cb->emsk_compound_mac)); 1273 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC", 1274 cb->msk_compound_mac, sizeof(cb->msk_compound_mac)); 1275 1276 if (cb->version != EAP_TEAP_VERSION || 1277 cb->received_version != data->peer_version) { 1278 wpa_printf(MSG_DEBUG, 1279 "EAP-TEAP: Unexpected version in Crypto-Binding: Version %u Received Version %u", 1280 cb->version, cb->received_version); 1281 return -1; 1282 } 1283 1284 if (flags < 1 || flags > 3) { 1285 wpa_printf(MSG_DEBUG, 1286 "EAP-TEAP: Unexpected Flags in Crypto-Binding: %u", 1287 flags); 1288 return -1; 1289 } 1290 1291 if (subtype != TEAP_CRYPTO_BINDING_SUBTYPE_RESPONSE) { 1292 wpa_printf(MSG_DEBUG, 1293 "EAP-TEAP: Unexpected Sub-Type in Crypto-Binding: %u", 1294 subtype); 1295 return -1; 1296 } 1297 1298 if (os_memcmp_const(data->crypto_binding_nonce, cb->nonce, 1299 EAP_TEAP_NONCE_LEN - 1) != 0 || 1300 (data->crypto_binding_nonce[EAP_TEAP_NONCE_LEN - 1] | 1) != 1301 cb->nonce[EAP_TEAP_NONCE_LEN - 1]) { 1302 wpa_printf(MSG_DEBUG, 1303 "EAP-TEAP: Invalid Nonce in Crypto-Binding"); 1304 return -1; 1305 } 1306 1307 if (flags == TEAP_CRYPTO_BINDING_MSK_CMAC || 1308 flags == TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC) { 1309 u8 msk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; 1310 1311 if (eap_teap_compound_mac(data->tls_cs, cb, 1312 data->server_outer_tlvs, 1313 data->peer_outer_tlvs, data->cmk_msk, 1314 msk_compound_mac) < 0) 1315 return -1; 1316 if (os_memcmp_const(msk_compound_mac, cb->msk_compound_mac, 1317 EAP_TEAP_COMPOUND_MAC_LEN) != 0) { 1318 wpa_hexdump(MSG_DEBUG, 1319 "EAP-TEAP: Calculated MSK Compound MAC", 1320 msk_compound_mac, 1321 EAP_TEAP_COMPOUND_MAC_LEN); 1322 wpa_printf(MSG_INFO, 1323 "EAP-TEAP: MSK Compound MAC did not match"); 1324 return -1; 1325 } 1326 } 1327 1328 if ((flags == TEAP_CRYPTO_BINDING_EMSK_CMAC || 1329 flags == TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC) && 1330 data->cmk_emsk_available) { 1331 u8 emsk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN]; 1332 1333 if (eap_teap_compound_mac(data->tls_cs, cb, 1334 data->server_outer_tlvs, 1335 data->peer_outer_tlvs, data->cmk_emsk, 1336 emsk_compound_mac) < 0) 1337 return -1; 1338 if (os_memcmp_const(emsk_compound_mac, cb->emsk_compound_mac, 1339 EAP_TEAP_COMPOUND_MAC_LEN) != 0) { 1340 wpa_hexdump(MSG_DEBUG, 1341 "EAP-TEAP: Calculated EMSK Compound MAC", 1342 emsk_compound_mac, 1343 EAP_TEAP_COMPOUND_MAC_LEN); 1344 wpa_printf(MSG_INFO, 1345 "EAP-TEAP: EMSK Compound MAC did not match"); 1346 return -1; 1347 } 1348 } 1349 1350 if (flags == TEAP_CRYPTO_BINDING_EMSK_CMAC && 1351 !data->cmk_emsk_available) { 1352 wpa_printf(MSG_INFO, 1353 "EAP-TEAP: Peer included only EMSK Compound MAC, but no locally generated inner EAP EMSK to validate this"); 1354 return -1; 1355 } 1356 1357 return 0; 1358} 1359 1360 1361static int eap_teap_pac_type(u8 *pac, size_t len, u16 type) 1362{ 1363 struct teap_attr_pac_type *tlv; 1364 1365 if (!pac || len != sizeof(*tlv)) 1366 return 0; 1367 1368 tlv = (struct teap_attr_pac_type *) pac; 1369 1370 return be_to_host16(tlv->type) == PAC_TYPE_PAC_TYPE && 1371 be_to_host16(tlv->length) == 2 && 1372 be_to_host16(tlv->pac_type) == type; 1373} 1374 1375 1376static void eap_teap_process_phase2_tlvs(struct eap_sm *sm, 1377 struct eap_teap_data *data, 1378 struct wpabuf *in_data) 1379{ 1380 struct eap_teap_tlv_parse tlv; 1381 int check_crypto_binding = data->state == CRYPTO_BINDING; 1382 1383 if (eap_teap_parse_tlvs(in_data, &tlv) < 0) { 1384 wpa_printf(MSG_DEBUG, 1385 "EAP-TEAP: Failed to parse received Phase 2 TLVs"); 1386 return; 1387 } 1388 1389 if (tlv.result == TEAP_STATUS_FAILURE) { 1390 wpa_printf(MSG_DEBUG, "EAP-TEAP: Result TLV indicated failure"); 1391 eap_teap_state(data, FAILURE); 1392 return; 1393 } 1394 1395 if (tlv.nak) { 1396 wpa_printf(MSG_DEBUG, 1397 "EAP-TEAP: Peer NAK'ed Vendor-Id %u NAK-Type %u", 1398 WPA_GET_BE32(tlv.nak), WPA_GET_BE16(tlv.nak + 4)); 1399 eap_teap_state(data, FAILURE_SEND_RESULT); 1400 return; 1401 } 1402 1403 if (data->state == REQUEST_PAC) { 1404 u16 type, len, res; 1405 1406 if (!tlv.pac || tlv.pac_len < 6) { 1407 wpa_printf(MSG_DEBUG, 1408 "EAP-TEAP: No PAC Acknowledgement received"); 1409 eap_teap_state(data, FAILURE); 1410 return; 1411 } 1412 1413 type = WPA_GET_BE16(tlv.pac); 1414 len = WPA_GET_BE16(tlv.pac + 2); 1415 res = WPA_GET_BE16(tlv.pac + 4); 1416 1417 if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 || 1418 res != TEAP_STATUS_SUCCESS) { 1419 wpa_printf(MSG_DEBUG, 1420 "EAP-TEAP: PAC TLV did not contain acknowledgement"); 1421 eap_teap_state(data, FAILURE); 1422 return; 1423 } 1424 1425 wpa_printf(MSG_DEBUG, 1426 "EAP-TEAP: PAC-Acknowledgement received - PAC provisioning succeeded"); 1427 eap_teap_state(data, SUCCESS); 1428 return; 1429 } 1430 1431 if (check_crypto_binding) { 1432 if (!tlv.crypto_binding) { 1433 wpa_printf(MSG_DEBUG, 1434 "EAP-TEAP: No Crypto-Binding TLV received"); 1435 eap_teap_state(data, FAILURE); 1436 return; 1437 } 1438 1439 if (data->final_result && 1440 tlv.result != TEAP_STATUS_SUCCESS) { 1441 wpa_printf(MSG_DEBUG, 1442 "EAP-TEAP: Crypto-Binding TLV without Success Result"); 1443 eap_teap_state(data, FAILURE); 1444 return; 1445 } 1446 1447 if (!data->final_result && 1448 tlv.iresult != TEAP_STATUS_SUCCESS) { 1449 wpa_printf(MSG_DEBUG, 1450 "EAP-TEAP: Crypto-Binding TLV without intermediate Success Result"); 1451 eap_teap_state(data, FAILURE); 1452 return; 1453 } 1454 1455 if (eap_teap_validate_crypto_binding(data, tlv.crypto_binding, 1456 tlv.crypto_binding_len)) { 1457 eap_teap_state(data, FAILURE); 1458 return; 1459 } 1460 1461 wpa_printf(MSG_DEBUG, 1462 "EAP-TEAP: Valid Crypto-Binding TLV received"); 1463 if (data->final_result) { 1464 wpa_printf(MSG_DEBUG, 1465 "EAP-TEAP: Authentication completed successfully"); 1466 } 1467 1468 if (data->anon_provisioning && 1469 sm->eap_fast_prov != ANON_PROV && 1470 sm->eap_fast_prov != BOTH_PROV) { 1471 wpa_printf(MSG_DEBUG, 1472 "EAP-TEAP: Client is trying to use unauthenticated provisioning which is disabled"); 1473 eap_teap_state(data, FAILURE); 1474 return; 1475 } 1476 1477 if (sm->eap_fast_prov != AUTH_PROV && 1478 sm->eap_fast_prov != BOTH_PROV && 1479 tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV && 1480 eap_teap_pac_type(tlv.pac, tlv.pac_len, 1481 PAC_TYPE_TUNNEL_PAC)) { 1482 wpa_printf(MSG_DEBUG, 1483 "EAP-TEAP: Client is trying to use authenticated provisioning which is disabled"); 1484 eap_teap_state(data, FAILURE); 1485 return; 1486 } 1487 1488 if (data->anon_provisioning || 1489 (tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV && 1490 eap_teap_pac_type(tlv.pac, tlv.pac_len, 1491 PAC_TYPE_TUNNEL_PAC))) { 1492 wpa_printf(MSG_DEBUG, 1493 "EAP-TEAP: Requested a new Tunnel PAC"); 1494 eap_teap_state(data, REQUEST_PAC); 1495 } else if (data->send_new_pac) { 1496 wpa_printf(MSG_DEBUG, 1497 "EAP-TEAP: Server triggered re-keying of Tunnel PAC"); 1498 eap_teap_state(data, REQUEST_PAC); 1499 } else if (data->final_result) 1500 eap_teap_state(data, SUCCESS); 1501 } 1502 1503 if (tlv.basic_auth_resp) { 1504 if (sm->eap_teap_auth != 1) { 1505 wpa_printf(MSG_DEBUG, 1506 "EAP-TEAP: Unexpected Basic-Password-Auth-Resp when trying to use inner EAP"); 1507 eap_teap_state(data, FAILURE); 1508 return; 1509 } 1510 eap_teap_process_basic_auth_resp(sm, data, tlv.basic_auth_resp, 1511 tlv.basic_auth_resp_len); 1512 } 1513 1514 if (tlv.eap_payload_tlv) { 1515 if (sm->eap_teap_auth == 1) { 1516 wpa_printf(MSG_DEBUG, 1517 "EAP-TEAP: Unexpected EAP Payload TLV when trying to use Basic-Password-Auth"); 1518 eap_teap_state(data, FAILURE); 1519 return; 1520 } 1521 eap_teap_process_phase2_eap(sm, data, tlv.eap_payload_tlv, 1522 tlv.eap_payload_tlv_len); 1523 } 1524} 1525 1526 1527static void eap_teap_process_phase2(struct eap_sm *sm, 1528 struct eap_teap_data *data, 1529 struct wpabuf *in_buf) 1530{ 1531 struct wpabuf *in_decrypted; 1532 1533 wpa_printf(MSG_DEBUG, 1534 "EAP-TEAP: Received %lu bytes encrypted data for Phase 2", 1535 (unsigned long) wpabuf_len(in_buf)); 1536 1537 if (data->pending_phase2_resp) { 1538 wpa_printf(MSG_DEBUG, 1539 "EAP-TEAP: Pending Phase 2 response - skip decryption and use old data"); 1540 eap_teap_process_phase2_tlvs(sm, data, 1541 data->pending_phase2_resp); 1542 wpabuf_free(data->pending_phase2_resp); 1543 data->pending_phase2_resp = NULL; 1544 return; 1545 } 1546 1547 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1548 in_buf); 1549 if (!in_decrypted) { 1550 wpa_printf(MSG_INFO, 1551 "EAP-TEAP: Failed to decrypt Phase 2 data"); 1552 eap_teap_state(data, FAILURE); 1553 return; 1554 } 1555 1556 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Decrypted Phase 2 TLVs", 1557 in_decrypted); 1558 1559 eap_teap_process_phase2_tlvs(sm, data, in_decrypted); 1560 1561 if (sm->method_pending == METHOD_PENDING_WAIT) { 1562 wpa_printf(MSG_DEBUG, 1563 "EAP-TEAP: Phase 2 method is in pending wait state - save decrypted response"); 1564 wpabuf_free(data->pending_phase2_resp); 1565 data->pending_phase2_resp = in_decrypted; 1566 return; 1567 } 1568 1569 wpabuf_free(in_decrypted); 1570} 1571 1572 1573static int eap_teap_process_version(struct eap_sm *sm, void *priv, 1574 int peer_version) 1575{ 1576 struct eap_teap_data *data = priv; 1577 1578 if (peer_version < 1) { 1579 /* Version 1 was the first defined version, so reject 0 */ 1580 wpa_printf(MSG_INFO, 1581 "EAP-TEAP: Peer used unknown TEAP version %u", 1582 peer_version); 1583 return -1; 1584 } 1585 1586 if (peer_version < data->teap_version) { 1587 wpa_printf(MSG_DEBUG, "EAP-TEAP: peer ver=%u, own ver=%u; " 1588 "use version %u", 1589 peer_version, data->teap_version, peer_version); 1590 data->teap_version = peer_version; 1591 } 1592 1593 data->peer_version = peer_version; 1594 1595 return 0; 1596} 1597 1598 1599static int eap_teap_process_phase1(struct eap_sm *sm, 1600 struct eap_teap_data *data) 1601{ 1602 if (eap_server_tls_phase1(sm, &data->ssl) < 0) { 1603 wpa_printf(MSG_INFO, "EAP-TEAP: TLS processing failed"); 1604 eap_teap_state(data, FAILURE); 1605 return -1; 1606 } 1607 1608 if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) || 1609 wpabuf_len(data->ssl.tls_out) > 0) 1610 return 1; 1611 1612 /* 1613 * Phase 1 was completed with the received message (e.g., when using 1614 * abbreviated handshake), so Phase 2 can be started immediately 1615 * without having to send through an empty message to the peer. 1616 */ 1617 1618 return eap_teap_phase1_done(sm, data); 1619} 1620 1621 1622static int eap_teap_process_phase2_start(struct eap_sm *sm, 1623 struct eap_teap_data *data) 1624{ 1625 u8 next_type; 1626 1627 if (data->identity) { 1628 /* Used PAC and identity is from PAC-Opaque */ 1629 os_free(sm->identity); 1630 sm->identity = data->identity; 1631 data->identity = NULL; 1632 sm->identity_len = data->identity_len; 1633 data->identity_len = 0; 1634 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1635 wpa_hexdump_ascii(MSG_DEBUG, 1636 "EAP-TEAP: Phase 2 Identity not found in the user database", 1637 sm->identity, sm->identity_len); 1638 next_type = EAP_TYPE_NONE; 1639 eap_teap_state(data, PHASE2_METHOD); 1640 } else if (sm->eap_teap_pac_no_inner) { 1641 wpa_printf(MSG_DEBUG, 1642 "EAP-TEAP: Used PAC and identity already known - skip inner auth"); 1643 /* FIX: Need to derive CMK here. However, how is that 1644 * supposed to be done? RFC 7170 does not tell that for 1645 * the no-inner-auth case. */ 1646 eap_teap_derive_cmk_basic_pw_auth(data->simck_msk, 1647 data->cmk_msk); 1648 eap_teap_state(data, CRYPTO_BINDING); 1649 return 1; 1650 } else if (sm->eap_teap_auth == 1) { 1651 eap_teap_state(data, PHASE2_BASIC_AUTH); 1652 return 1; 1653 } else { 1654 wpa_printf(MSG_DEBUG, 1655 "EAP-TEAP: Identity already known - skip Phase 2 Identity Request"); 1656 next_type = sm->user->methods[0].method; 1657 sm->user_eap_method_index = 1; 1658 eap_teap_state(data, PHASE2_METHOD); 1659 } 1660 1661 } else if (sm->eap_teap_auth == 1) { 1662 eap_teap_state(data, PHASE2_BASIC_AUTH); 1663 return 0; 1664 } else { 1665 eap_teap_state(data, PHASE2_ID); 1666 next_type = EAP_TYPE_IDENTITY; 1667 } 1668 1669 return eap_teap_phase2_init(sm, data, next_type); 1670} 1671 1672 1673static void eap_teap_process_msg(struct eap_sm *sm, void *priv, 1674 const struct wpabuf *respData) 1675{ 1676 struct eap_teap_data *data = priv; 1677 1678 switch (data->state) { 1679 case PHASE1: 1680 case PHASE1B: 1681 if (eap_teap_process_phase1(sm, data)) 1682 break; 1683 1684 /* fall through */ 1685 case PHASE2_START: 1686 eap_teap_process_phase2_start(sm, data); 1687 break; 1688 case PHASE2_ID: 1689 case PHASE2_BASIC_AUTH: 1690 case PHASE2_METHOD: 1691 case CRYPTO_BINDING: 1692 case REQUEST_PAC: 1693 eap_teap_process_phase2(sm, data, data->ssl.tls_in); 1694 break; 1695 case FAILURE_SEND_RESULT: 1696 /* Protected failure result indication completed. Ignore the 1697 * received message (which is supposed to include Result TLV 1698 * indicating failure) and terminate exchange with cleartext 1699 * EAP-Failure. */ 1700 eap_teap_state(data, FAILURE); 1701 break; 1702 default: 1703 wpa_printf(MSG_DEBUG, "EAP-TEAP: Unexpected state %d in %s", 1704 data->state, __func__); 1705 break; 1706 } 1707} 1708 1709 1710static void eap_teap_process(struct eap_sm *sm, void *priv, 1711 struct wpabuf *respData) 1712{ 1713 struct eap_teap_data *data = priv; 1714 const u8 *pos; 1715 size_t len; 1716 struct wpabuf *resp = respData; 1717 u8 flags; 1718 1719 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, respData, &len); 1720 if (!pos || len < 1) 1721 return; 1722 1723 flags = *pos++; 1724 len--; 1725 1726 if (flags & EAP_TEAP_FLAGS_OUTER_TLV_LEN) { 1727 /* Extract Outer TLVs from the message before common TLS 1728 * processing */ 1729 u32 message_len = 0, outer_tlv_len; 1730 const u8 *hdr; 1731 1732 if (data->state != PHASE1) { 1733 wpa_printf(MSG_INFO, 1734 "EAP-TEAP: Unexpected Outer TLVs in a message that is not the first message from the peer"); 1735 return; 1736 } 1737 1738 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) { 1739 if (len < 4) { 1740 wpa_printf(MSG_INFO, 1741 "EAP-TEAP: Too short message to include Message Length field"); 1742 return; 1743 } 1744 1745 message_len = WPA_GET_BE32(pos); 1746 pos += 4; 1747 len -= 4; 1748 if (message_len < 4) { 1749 wpa_printf(MSG_INFO, 1750 "EAP-TEAP: Message Length field has too msall value to include Outer TLV Length field"); 1751 return; 1752 } 1753 } 1754 1755 if (len < 4) { 1756 wpa_printf(MSG_INFO, 1757 "EAP-TEAP: Too short message to include Outer TLVs Length field"); 1758 return; 1759 } 1760 1761 outer_tlv_len = WPA_GET_BE32(pos); 1762 pos += 4; 1763 len -= 4; 1764 1765 wpa_printf(MSG_DEBUG, 1766 "EAP-TEAP: Message Length %u Outer TLV Length %u", 1767 message_len, outer_tlv_len); 1768 if (len < outer_tlv_len) { 1769 wpa_printf(MSG_INFO, 1770 "EAP-TEAP: Too short message to include Outer TLVs field"); 1771 return; 1772 } 1773 1774 if (message_len && 1775 (message_len < outer_tlv_len || 1776 message_len < 4 + outer_tlv_len)) { 1777 wpa_printf(MSG_INFO, 1778 "EAP-TEAP: Message Length field has too small value to include Outer TLVs"); 1779 return; 1780 } 1781 1782 if (wpabuf_len(respData) < 4 + outer_tlv_len || 1783 len < outer_tlv_len) 1784 return; 1785 resp = wpabuf_alloc(wpabuf_len(respData) - 4 - outer_tlv_len); 1786 if (!resp) 1787 return; 1788 hdr = wpabuf_head(respData); 1789 wpabuf_put_u8(resp, *hdr++); /* Code */ 1790 wpabuf_put_u8(resp, *hdr++); /* Identifier */ 1791 wpabuf_put_be16(resp, WPA_GET_BE16(hdr) - 4 - outer_tlv_len); 1792 hdr += 2; 1793 wpabuf_put_u8(resp, *hdr++); /* Type */ 1794 /* Flags | Ver */ 1795 wpabuf_put_u8(resp, flags & ~EAP_TEAP_FLAGS_OUTER_TLV_LEN); 1796 1797 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) 1798 wpabuf_put_be32(resp, message_len - 4 - outer_tlv_len); 1799 1800 wpabuf_put_data(resp, pos, len - outer_tlv_len); 1801 pos += len - outer_tlv_len; 1802 wpabuf_free(data->peer_outer_tlvs); 1803 data->peer_outer_tlvs = wpabuf_alloc_copy(pos, outer_tlv_len); 1804 if (!data->peer_outer_tlvs) 1805 return; 1806 wpa_hexdump_buf(MSG_DEBUG, "EAP-TEAP: Outer TLVs", 1807 data->peer_outer_tlvs); 1808 1809 wpa_hexdump_buf(MSG_DEBUG, 1810 "EAP-TEAP: TLS Data message after Outer TLV removal", 1811 resp); 1812 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, resp, 1813 &len); 1814 if (!pos || len < 1) { 1815 wpa_printf(MSG_INFO, 1816 "EAP-TEAP: Invalid frame after Outer TLV removal"); 1817 return; 1818 } 1819 } 1820 1821 if (data->state == PHASE1) 1822 eap_teap_state(data, PHASE1B); 1823 1824 if (eap_server_tls_process(sm, &data->ssl, resp, data, 1825 EAP_TYPE_TEAP, eap_teap_process_version, 1826 eap_teap_process_msg) < 0) 1827 eap_teap_state(data, FAILURE); 1828 1829 if (resp != respData) 1830 wpabuf_free(resp); 1831} 1832 1833 1834static Boolean eap_teap_isDone(struct eap_sm *sm, void *priv) 1835{ 1836 struct eap_teap_data *data = priv; 1837 1838 return data->state == SUCCESS || data->state == FAILURE; 1839} 1840 1841 1842static u8 * eap_teap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1843{ 1844 struct eap_teap_data *data = priv; 1845 u8 *eapKeyData; 1846 1847 if (data->state != SUCCESS) 1848 return NULL; 1849 1850 eapKeyData = os_malloc(EAP_TEAP_KEY_LEN); 1851 if (!eapKeyData) 1852 return NULL; 1853 1854 /* FIX: RFC 7170 does not describe whether MSK or EMSK based S-IMCK[j] 1855 * is used in this derivation */ 1856 if (eap_teap_derive_eap_msk(data->simck_msk, eapKeyData) < 0) { 1857 os_free(eapKeyData); 1858 return NULL; 1859 } 1860 *len = EAP_TEAP_KEY_LEN; 1861 1862 return eapKeyData; 1863} 1864 1865 1866static u8 * eap_teap_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1867{ 1868 struct eap_teap_data *data = priv; 1869 u8 *eapKeyData; 1870 1871 if (data->state != SUCCESS) 1872 return NULL; 1873 1874 eapKeyData = os_malloc(EAP_EMSK_LEN); 1875 if (!eapKeyData) 1876 return NULL; 1877 1878 /* FIX: RFC 7170 does not describe whether MSK or EMSK based S-IMCK[j] 1879 * is used in this derivation */ 1880 if (eap_teap_derive_eap_emsk(data->simck_msk, eapKeyData) < 0) { 1881 os_free(eapKeyData); 1882 return NULL; 1883 } 1884 *len = EAP_EMSK_LEN; 1885 1886 return eapKeyData; 1887} 1888 1889 1890static Boolean eap_teap_isSuccess(struct eap_sm *sm, void *priv) 1891{ 1892 struct eap_teap_data *data = priv; 1893 1894 return data->state == SUCCESS; 1895} 1896 1897 1898static u8 * eap_teap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1899{ 1900 struct eap_teap_data *data = priv; 1901 const size_t max_id_len = 100; 1902 int res; 1903 u8 *id; 1904 1905 if (data->state != SUCCESS) 1906 return NULL; 1907 1908 id = os_malloc(max_id_len); 1909 if (!id) 1910 return NULL; 1911 1912 id[0] = EAP_TYPE_TEAP; 1913 res = tls_get_tls_unique(data->ssl.conn, id + 1, max_id_len - 1); 1914 if (res < 0) { 1915 os_free(id); 1916 wpa_printf(MSG_ERROR, "EAP-TEAP: Failed to derive Session-Id"); 1917 return NULL; 1918 } 1919 1920 *len = 1 + res; 1921 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Derived Session-Id", id, *len); 1922 return id; 1923} 1924 1925 1926int eap_server_teap_register(void) 1927{ 1928 struct eap_method *eap; 1929 1930 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1931 EAP_VENDOR_IETF, EAP_TYPE_TEAP, "TEAP"); 1932 if (!eap) 1933 return -1; 1934 1935 eap->init = eap_teap_init; 1936 eap->reset = eap_teap_reset; 1937 eap->buildReq = eap_teap_buildReq; 1938 eap->check = eap_teap_check; 1939 eap->process = eap_teap_process; 1940 eap->isDone = eap_teap_isDone; 1941 eap->getKey = eap_teap_getKey; 1942 eap->get_emsk = eap_teap_get_emsk; 1943 eap->isSuccess = eap_teap_isSuccess; 1944 eap->getSessionId = eap_teap_get_session_id; 1945 1946 return eap_server_method_register(eap); 1947} 1948