contrib/wpa/src/eap_server/eap_tls_common.c

   1 /*
   2  * hostapd / EAP-TLS/PEAP/TTLS/FAST common functions
   3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "eap_i.h"
  19 #include "eap_tls_common.h"
  20 #include "sha1.h"
  21 #include "tls.h"
  22
  23
  24 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
  25                             int verify_peer)
  26 {
  27         data->eap = sm;
  28         data->phase2 = sm->init_phase2;
  29
  30         data->conn = tls_connection_init(sm->ssl_ctx);
  31         if (data->conn == NULL) {
  32                 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
  33                            "connection");
  34                 return -1;
  35         }
  36
  37         if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
  38                 wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
  39                            "of TLS peer certificate");
  40                 tls_connection_deinit(sm->ssl_ctx, data->conn);
  41                 data->conn = NULL;
  42                 return -1;
  43         }
  44
  45         /* TODO: make this configurable */
  46         data->tls_out_limit = 1398;
  47         if (data->phase2) {
  48                 /* Limit the fragment size in the inner TLS authentication
  49                  * since the outer authentication with EAP-PEAP does not yet
  50                  * support fragmentation */
  51                 if (data->tls_out_limit > 100)
  52                         data->tls_out_limit -= 100;
  53         }
  54         return 0;
  55 }
  56
  57
  58 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
  59 {
  60         tls_connection_deinit(sm->ssl_ctx, data->conn);
  61         os_free(data->in_buf);
  62         os_free(data->out_buf);
  63 }
  64
  65
  66 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
  67                                char *label, size_t len)
  68 {
  69         struct tls_keys keys;
  70         u8 *rnd = NULL, *out;
  71
  72         out = os_malloc(len);
  73         if (out == NULL)
  74                 return NULL;
  75
  76         if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 0, out, len) ==
  77             0)
  78                 return out;
  79
  80         if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys))
  81                 goto fail;
  82
  83         if (keys.client_random == NULL || keys.server_random == NULL ||
  84             keys.master_key == NULL)
  85                 goto fail;
  86
  87         rnd = os_malloc(keys.client_random_len + keys.server_random_len);
  88         if (rnd == NULL)
  89                 goto fail;
  90         os_memcpy(rnd, keys.client_random, keys.client_random_len);
  91         os_memcpy(rnd + keys.client_random_len, keys.server_random,
  92                   keys.server_random_len);
  93
  94         if (tls_prf(keys.master_key, keys.master_key_len,
  95                     label, rnd, keys.client_random_len +
  96                     keys.server_random_len, out, len))
  97                 goto fail;
  98
  99         os_free(rnd);
 100         return out;
 101
 102 fail:
 103         os_free(out);
 104         os_free(rnd);
 105         return NULL;
 106 }
 107
 108
 109 struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
 110                                          int eap_type, int version, u8 id)
 111 {
 112         struct wpabuf *req;
 113         u8 flags;
 114         size_t send_len, plen;
 115
 116         wpa_printf(MSG_DEBUG, "SSL: Generating Request");
 117         if (data->out_buf == NULL) {
 118                 wpa_printf(MSG_ERROR, "SSL: out_buf NULL in %s", __func__);
 119                 return NULL;
 120         }
 121
 122         flags = version;
 123         send_len = wpabuf_len(data->out_buf) - data->out_used;
 124         if (1 + send_len > data->tls_out_limit) {
 125                 send_len = data->tls_out_limit - 1;
 126                 flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
 127                 if (data->out_used == 0) {
 128                         flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
 129                         send_len -= 4;
 130                 }
 131         }
 132
 133         plen = 1 + send_len;
 134         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
 135                 plen += 4;
 136
 137         req = eap_msg_alloc(EAP_VENDOR_IETF, eap_type, plen,
 138                             EAP_CODE_REQUEST, id);
 139         if (req == NULL)
 140                 return NULL;
 141
 142         wpabuf_put_u8(req, flags); /* Flags */
 143         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
 144                 wpabuf_put_be32(req, wpabuf_len(data->out_buf));
 145
 146         wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used,
 147                         send_len);
 148         data->out_used += send_len;
 149
 150         if (data->out_used == wpabuf_len(data->out_buf)) {
 151                 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
 152                            "(message sent completely)",
 153                            (unsigned long) send_len);
 154                 wpabuf_free(data->out_buf);
 155                 data->out_buf = NULL;
 156                 data->out_used = 0;
 157                 data->state = MSG;
 158         } else {
 159                 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
 160                            "(%lu more to send)", (unsigned long) send_len,
 161                            (unsigned long) wpabuf_len(data->out_buf) -
 162                            data->out_used);
 163                 data->state = WAIT_FRAG_ACK;
 164         }
 165
 166         return req;
 167 }
 168
 169
 170 struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version)
 171 {
 172         struct wpabuf *req;
 173
 174         req = eap_msg_alloc(EAP_VENDOR_IETF, eap_type, 1, EAP_CODE_REQUEST,
 175                             id);
 176         if (req == NULL)
 177                 return NULL;
 178         wpa_printf(MSG_DEBUG, "SSL: Building ACK");
 179         wpabuf_put_u8(req, version); /* Flags */
 180         return req;
 181 }
 182
 183
 184 static int eap_server_tls_process_cont(struct eap_ssl_data *data,
 185                                        const u8 *buf, size_t len)
 186 {
 187         /* Process continuation of a pending message */
 188         if (len > wpabuf_tailroom(data->in_buf)) {
 189                 wpa_printf(MSG_DEBUG, "SSL: Fragment overflow");
 190                 return -1;
 191         }
 192
 193         wpabuf_put_data(data->in_buf, buf, len);
 194         wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu "
 195                    "bytes more", (unsigned long) len,
 196                    (unsigned long) wpabuf_tailroom(data->in_buf));
 197
 198         return 0;
 199 }
 200
 201
 202 static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
 203                                            u8 flags, u32 message_length,
 204                                            const u8 *buf, size_t len)
 205 {
 206         /* Process a fragment that is not the last one of the message */
 207         if (data->in_buf == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
 208                 wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a "
 209                            "fragmented packet");
 210                 return -1;
 211         }
 212
 213         if (data->in_buf == NULL) {
 214                 /* First fragment of the message */
 215
 216                 /* Limit length to avoid rogue peers from causing large
 217                  * memory allocations. */
 218                 if (message_length > 65536) {
 219                         wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size"
 220                                    " over 64 kB)");
 221                         return -1;
 222                 }
 223                 if (len > message_length) {
 224                         wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
 225                                    "first fragment of frame (TLS Message "
 226                                    "Length %d bytes)",
 227                                    (int) len, (int) message_length);
 228                         return -1;
 229                 }
 230
 231                 data->in_buf = wpabuf_alloc(message_length);
 232                 if (data->in_buf == NULL) {
 233                         wpa_printf(MSG_DEBUG, "SSL: No memory for message");
 234                         return -1;
 235                 }
 236                 wpabuf_put_data(data->in_buf, buf, len);
 237                 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first "
 238                            "fragment, waiting for %lu bytes more",
 239                            (unsigned long) len,
 240                            (unsigned long) wpabuf_tailroom(data->in_buf));
 241         }
 242
 243         return 0;
 244 }
 245
 246
 247 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 248 {
 249         u8 *next;
 250         size_t next_len;
 251
 252         next = tls_connection_server_handshake(
 253                 sm->ssl_ctx, data->conn,
 254                 wpabuf_mhead(data->in_buf),
 255                 wpabuf_len(data->in_buf),
 256                 &next_len);
 257         if (next == NULL) {
 258                 wpa_printf(MSG_INFO, "SSL: TLS processing failed");
 259                 return -1;
 260         }
 261         if (data->out_buf) {
 262                 /* This should not happen.. */
 263                 wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
 264                            "processing new message");
 265                 os_free(data->out_buf);
 266                 WPA_ASSERT(data->out_buf == NULL);
 267         }
 268         data->out_buf = wpabuf_alloc_ext_data(next, next_len);
 269         if (data->out_buf == NULL) {
 270                 os_free(next);
 271                 return -1;
 272         }
 273         return 0;
 274 }
 275
 276
 277 static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
 278                                      const u8 **pos, size_t *left)
 279 {
 280         unsigned int tls_msg_len = 0;
 281         const u8 *end = *pos + *left;
 282
 283         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
 284                 if (*left < 4) {
 285                         wpa_printf(MSG_INFO, "SSL: Short frame with TLS "
 286                                    "length");
 287                         return -1;
 288                 }
 289                 tls_msg_len = WPA_GET_BE32(*pos);
 290                 wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d",
 291                            tls_msg_len);
 292                 *pos += 4;
 293                 *left -= 4;
 294         }
 295
 296         wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x "
 297                    "Message Length %u", flags, tls_msg_len);
 298
 299         if (data->state == WAIT_FRAG_ACK) {
 300                 if (*left != 0) {
 301                         wpa_printf(MSG_DEBUG, "SSL: Unexpected payload in "
 302                                    "WAIT_FRAG_ACK state");
 303                         return -1;
 304                 }
 305                 wpa_printf(MSG_DEBUG, "SSL: Fragment acknowledged");
 306                 return 1;
 307         }
 308
 309         if (data->in_buf &&
 310             eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
 311                 return -1;
 312
 313         if (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) {
 314                 if (eap_server_tls_process_fragment(data, flags, tls_msg_len,
 315                                                     *pos, end - *pos) < 0)
 316                         return -1;
 317
 318                 data->state = FRAG_ACK;
 319                 return 1;
 320         }
 321
 322         if (data->state == FRAG_ACK) {
 323                 wpa_printf(MSG_DEBUG, "SSL: All fragments received");
 324                 data->state = MSG;
 325         }
 326
 327         if (data->in_buf == NULL) {
 328                 /* Wrap unfragmented messages as wpabuf without extra copy */
 329                 wpabuf_set(&data->tmpbuf, *pos, end - *pos);
 330                 data->in_buf = &data->tmpbuf;
 331         }
 332
 333         return 0;
 334 }
 335
 336
 337 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
 338 {
 339         if (data->in_buf != &data->tmpbuf)
 340                 wpabuf_free(data->in_buf);
 341         data->in_buf = NULL;
 342 }
 343
 344
 345 struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
 346                                        struct eap_ssl_data *data,
 347                                        const u8 *plain, size_t plain_len)
 348 {
 349         int res;
 350         struct wpabuf *buf;
 351         size_t buf_len;
 352
 353         /* reserve some extra room for encryption overhead */
 354         buf_len = plain_len + 200;
 355         buf = wpabuf_alloc(buf_len);
 356         if (buf == NULL)
 357                 return NULL;
 358         res = tls_connection_encrypt(sm->ssl_ctx, data->conn,
 359                                      plain, plain_len, wpabuf_put(buf, 0),
 360                                      buf_len);
 361         if (res < 0) {
 362                 wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data");
 363                 wpabuf_free(buf);
 364                 return NULL;
 365         }
 366
 367         wpabuf_put(buf, res);
 368
 369         return buf;
 370 }
 371
 372
 373 int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
 374                            struct wpabuf *respData, void *priv, int eap_type,
 375                            int (*proc_version)(struct eap_sm *sm, void *priv,
 376                                                int peer_version),
 377                            void (*proc_msg)(struct eap_sm *sm, void *priv,
 378                                             const struct wpabuf *respData))
 379 {
 380         const u8 *pos;
 381         u8 flags;
 382         size_t left;
 383         int ret, res = 0;
 384
 385         pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData, &left);
 386         if (pos == NULL || left < 1)
 387                 return 0; /* Should not happen - frame already validated */
 388         flags = *pos++;
 389         left--;
 390         wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x",
 391                    (unsigned long) wpabuf_len(respData), flags);
 392
 393         if (proc_version &&
 394             proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0)
 395                 return -1;
 396
 397         ret = eap_server_tls_reassemble(data, flags, &pos, &left);
 398         if (ret < 0) {
 399                 res = -1;
 400                 goto done;
 401         } else if (ret == 1)
 402                 return 0;
 403
 404         if (proc_msg)
 405                 proc_msg(sm, priv, respData);
 406
 407         if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
 408                 wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
 409                            "TLS processing");
 410                 res = -1;
 411         }
 412
 413 done:
 414         eap_server_tls_free_in_buf(data);
 415
 416         return res;
 417 }