]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/eap_peer/eap_tls.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
EAP-TLS peer: Support fragmentation of last message
[thirdparty/hostap.git] / src / eap_peer / eap_tls.c
1 /*
2 * EAP peer method: EAP-TLS (RFC 2716)
3 * Copyright (c) 2004-2008, 2012-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/tls.h"
13 #include "eap_i.h"
14 #include "eap_tls_common.h"
15 #include "eap_config.h"
16
17
18 static void eap_tls_deinit(struct eap_sm *sm, void *priv);
19
20
21 struct eap_tls_data {
22 struct eap_ssl_data ssl;
23 u8 *key_data;
24 u8 *session_id;
25 size_t id_len;
26 void *ssl_ctx;
27 u8 eap_type;
28 struct wpabuf *pending_resp;
29 };
30
31
32 static void * eap_tls_init(struct eap_sm *sm)
33 {
34 struct eap_tls_data *data;
35 struct eap_peer_config *config = eap_get_config(sm);
36 if (config == NULL ||
37 ((sm->init_phase2 ? config->private_key2 : config->private_key)
38 == NULL &&
39 (sm->init_phase2 ? config->engine2 : config->engine) == 0)) {
40 wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
41 return NULL;
42 }
43
44 data = os_zalloc(sizeof(*data));
45 if (data == NULL)
46 return NULL;
47
48 data->ssl_ctx = sm->init_phase2 && sm->ssl_ctx2 ? sm->ssl_ctx2 :
49 sm->ssl_ctx;
50
51 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TLS)) {
52 wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
53 eap_tls_deinit(sm, data);
54 if (config->engine) {
55 wpa_printf(MSG_DEBUG, "EAP-TLS: Requesting Smartcard "
56 "PIN");
57 eap_sm_request_pin(sm);
58 sm->ignore = TRUE;
59 } else if (config->private_key && !config->private_key_passwd)
60 {
61 wpa_printf(MSG_DEBUG, "EAP-TLS: Requesting private "
62 "key passphrase");
63 eap_sm_request_passphrase(sm);
64 sm->ignore = TRUE;
65 }
66 return NULL;
67 }
68
69 data->eap_type = EAP_TYPE_TLS;
70
71 return data;
72 }
73
74
75 #ifdef EAP_UNAUTH_TLS
76 static void * eap_unauth_tls_init(struct eap_sm *sm)
77 {
78 struct eap_tls_data *data;
79 struct eap_peer_config *config = eap_get_config(sm);
80
81 data = os_zalloc(sizeof(*data));
82 if (data == NULL)
83 return NULL;
84
85 data->ssl_ctx = sm->init_phase2 && sm->ssl_ctx2 ? sm->ssl_ctx2 :
86 sm->ssl_ctx;
87
88 if (eap_peer_tls_ssl_init(sm, &data->ssl, config,
89 EAP_UNAUTH_TLS_TYPE)) {
90 wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
91 eap_tls_deinit(sm, data);
92 return NULL;
93 }
94
95 data->eap_type = EAP_UNAUTH_TLS_TYPE;
96
97 return data;
98 }
99 #endif /* EAP_UNAUTH_TLS */
100
101
102 #ifdef CONFIG_HS20
103 static void * eap_wfa_unauth_tls_init(struct eap_sm *sm)
104 {
105 struct eap_tls_data *data;
106 struct eap_peer_config *config = eap_get_config(sm);
107
108 data = os_zalloc(sizeof(*data));
109 if (data == NULL)
110 return NULL;
111
112 data->ssl_ctx = sm->init_phase2 && sm->ssl_ctx2 ? sm->ssl_ctx2 :
113 sm->ssl_ctx;
114
115 if (eap_peer_tls_ssl_init(sm, &data->ssl, config,
116 EAP_WFA_UNAUTH_TLS_TYPE)) {
117 wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
118 eap_tls_deinit(sm, data);
119 return NULL;
120 }
121
122 data->eap_type = EAP_WFA_UNAUTH_TLS_TYPE;
123
124 return data;
125 }
126 #endif /* CONFIG_HS20 */
127
128
129 static void eap_tls_free_key(struct eap_tls_data *data)
130 {
131 if (data->key_data) {
132 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
133 data->key_data = NULL;
134 }
135 }
136
137
138 static void eap_tls_deinit(struct eap_sm *sm, void *priv)
139 {
140 struct eap_tls_data *data = priv;
141 if (data == NULL)
142 return;
143 eap_peer_tls_ssl_deinit(sm, &data->ssl);
144 eap_tls_free_key(data);
145 os_free(data->session_id);
146 wpabuf_free(data->pending_resp);
147 os_free(data);
148 }
149
150
151 static struct wpabuf * eap_tls_failure(struct eap_sm *sm,
152 struct eap_tls_data *data,
153 struct eap_method_ret *ret, int res,
154 struct wpabuf *resp, u8 id)
155 {
156 wpa_printf(MSG_DEBUG, "EAP-TLS: TLS processing failed");
157
158 ret->methodState = METHOD_DONE;
159 ret->decision = DECISION_FAIL;
160
161 if (resp) {
162 /*
163 * This is likely an alert message, so send it instead of just
164 * ACKing the error.
165 */
166 return resp;
167 }
168
169 return eap_peer_tls_build_ack(id, data->eap_type, 0);
170 }
171
172
173 static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
174 struct eap_method_ret *ret)
175 {
176 wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
177
178 if (data->ssl.tls_out) {
179 wpa_printf(MSG_DEBUG, "EAP-TLS: Fragment(s) remaining");
180 return;
181 }
182
183 ret->methodState = METHOD_DONE;
184 ret->decision = DECISION_UNCOND_SUCC;
185
186 eap_tls_free_key(data);
187 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
188 "client EAP encryption",
189 EAP_TLS_KEY_LEN +
190 EAP_EMSK_LEN);
191 if (data->key_data) {
192 wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived key",
193 data->key_data, EAP_TLS_KEY_LEN);
194 wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived EMSK",
195 data->key_data + EAP_TLS_KEY_LEN,
196 EAP_EMSK_LEN);
197 } else {
198 wpa_printf(MSG_INFO, "EAP-TLS: Failed to derive key");
199 }
200
201 os_free(data->session_id);
202 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
203 EAP_TYPE_TLS,
204 &data->id_len);
205 if (data->session_id) {
206 wpa_hexdump(MSG_DEBUG, "EAP-TLS: Derived Session-Id",
207 data->session_id, data->id_len);
208 } else {
209 wpa_printf(MSG_ERROR, "EAP-TLS: Failed to derive Session-Id");
210 }
211 }
212
213
214 static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
215 struct eap_method_ret *ret,
216 const struct wpabuf *reqData)
217 {
218 size_t left;
219 int res;
220 struct wpabuf *resp;
221 u8 flags, id;
222 const u8 *pos;
223 struct eap_tls_data *data = priv;
224 struct wpabuf msg;
225
226 if (sm->waiting_ext_cert_check && data->pending_resp) {
227 struct eap_peer_config *config = eap_get_config(sm);
228
229 if (config->pending_ext_cert_check == EXT_CERT_CHECK_GOOD) {
230 wpa_printf(MSG_DEBUG,
231 "EAP-TLS: External certificate check succeeded - continue handshake");
232 resp = data->pending_resp;
233 data->pending_resp = NULL;
234 sm->waiting_ext_cert_check = 0;
235 return resp;
236 }
237
238 if (config->pending_ext_cert_check == EXT_CERT_CHECK_BAD) {
239 wpa_printf(MSG_DEBUG,
240 "EAP-TLS: External certificate check failed - force authentication failure");
241 ret->methodState = METHOD_DONE;
242 ret->decision = DECISION_FAIL;
243 sm->waiting_ext_cert_check = 0;
244 return NULL;
245 }
246
247 wpa_printf(MSG_DEBUG,
248 "EAP-TLS: Continuing to wait external server certificate validation");
249 return NULL;
250 }
251
252 pos = eap_peer_tls_process_init(sm, &data->ssl, data->eap_type, ret,
253 reqData, &left, &flags);
254 if (pos == NULL)
255 return NULL;
256 id = eap_get_id(reqData);
257
258 if (flags & EAP_TLS_FLAGS_START) {
259 wpa_printf(MSG_DEBUG, "EAP-TLS: Start");
260 left = 0; /* make sure that this frame is empty, even though it
261 * should always be, anyway */
262 }
263
264 resp = NULL;
265 wpabuf_set(&msg, pos, left);
266 res = eap_peer_tls_process_helper(sm, &data->ssl, data->eap_type, 0,
267 id, &msg, &resp);
268
269 if (res < 0) {
270 return eap_tls_failure(sm, data, ret, res, resp, id);
271 }
272
273 if (sm->waiting_ext_cert_check) {
274 wpa_printf(MSG_DEBUG,
275 "EAP-TLS: Waiting external server certificate validation");
276 wpabuf_free(data->pending_resp);
277 data->pending_resp = resp;
278 return NULL;
279 }
280
281 if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
282 eap_tls_success(sm, data, ret);
283
284 if (res == 1) {
285 wpabuf_free(resp);
286 return eap_peer_tls_build_ack(id, data->eap_type, 0);
287 }
288
289 return resp;
290 }
291
292
293 static Boolean eap_tls_has_reauth_data(struct eap_sm *sm, void *priv)
294 {
295 struct eap_tls_data *data = priv;
296 return tls_connection_established(data->ssl_ctx, data->ssl.conn);
297 }
298
299
300 static void eap_tls_deinit_for_reauth(struct eap_sm *sm, void *priv)
301 {
302 struct eap_tls_data *data = priv;
303
304 wpabuf_free(data->pending_resp);
305 data->pending_resp = NULL;
306 }
307
308
309 static void * eap_tls_init_for_reauth(struct eap_sm *sm, void *priv)
310 {
311 struct eap_tls_data *data = priv;
312 eap_tls_free_key(data);
313 os_free(data->session_id);
314 data->session_id = NULL;
315 if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
316 os_free(data);
317 return NULL;
318 }
319 return priv;
320 }
321
322
323 static int eap_tls_get_status(struct eap_sm *sm, void *priv, char *buf,
324 size_t buflen, int verbose)
325 {
326 struct eap_tls_data *data = priv;
327 return eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
328 }
329
330
331 static Boolean eap_tls_isKeyAvailable(struct eap_sm *sm, void *priv)
332 {
333 struct eap_tls_data *data = priv;
334 return data->key_data != NULL;
335 }
336
337
338 static u8 * eap_tls_getKey(struct eap_sm *sm, void *priv, size_t *len)
339 {
340 struct eap_tls_data *data = priv;
341 u8 *key;
342
343 if (data->key_data == NULL)
344 return NULL;
345
346 key = os_memdup(data->key_data, EAP_TLS_KEY_LEN);
347 if (key == NULL)
348 return NULL;
349
350 *len = EAP_TLS_KEY_LEN;
351
352 return key;
353 }
354
355
356 static u8 * eap_tls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
357 {
358 struct eap_tls_data *data = priv;
359 u8 *key;
360
361 if (data->key_data == NULL)
362 return NULL;
363
364 key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);
365 if (key == NULL)
366 return NULL;
367
368 *len = EAP_EMSK_LEN;
369
370 return key;
371 }
372
373
374 static u8 * eap_tls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
375 {
376 struct eap_tls_data *data = priv;
377 u8 *id;
378
379 if (data->session_id == NULL)
380 return NULL;
381
382 id = os_memdup(data->session_id, data->id_len);
383 if (id == NULL)
384 return NULL;
385
386 *len = data->id_len;
387
388 return id;
389 }
390
391
392 int eap_peer_tls_register(void)
393 {
394 struct eap_method *eap;
395
396 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
397 EAP_VENDOR_IETF, EAP_TYPE_TLS, "TLS");
398 if (eap == NULL)
399 return -1;
400
401 eap->init = eap_tls_init;
402 eap->deinit = eap_tls_deinit;
403 eap->process = eap_tls_process;
404 eap->isKeyAvailable = eap_tls_isKeyAvailable;
405 eap->getKey = eap_tls_getKey;
406 eap->getSessionId = eap_tls_get_session_id;
407 eap->get_status = eap_tls_get_status;
408 eap->has_reauth_data = eap_tls_has_reauth_data;
409 eap->deinit_for_reauth = eap_tls_deinit_for_reauth;
410 eap->init_for_reauth = eap_tls_init_for_reauth;
411 eap->get_emsk = eap_tls_get_emsk;
412
413 return eap_peer_method_register(eap);
414 }
415
416
417 #ifdef EAP_UNAUTH_TLS
418 int eap_peer_unauth_tls_register(void)
419 {
420 struct eap_method *eap;
421
422 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
423 EAP_VENDOR_UNAUTH_TLS,
424 EAP_VENDOR_TYPE_UNAUTH_TLS, "UNAUTH-TLS");
425 if (eap == NULL)
426 return -1;
427
428 eap->init = eap_unauth_tls_init;
429 eap->deinit = eap_tls_deinit;
430 eap->process = eap_tls_process;
431 eap->isKeyAvailable = eap_tls_isKeyAvailable;
432 eap->getKey = eap_tls_getKey;
433 eap->get_status = eap_tls_get_status;
434 eap->has_reauth_data = eap_tls_has_reauth_data;
435 eap->deinit_for_reauth = eap_tls_deinit_for_reauth;
436 eap->init_for_reauth = eap_tls_init_for_reauth;
437 eap->get_emsk = eap_tls_get_emsk;
438
439 return eap_peer_method_register(eap);
440 }
441 #endif /* EAP_UNAUTH_TLS */
442
443
444 #ifdef CONFIG_HS20
445 int eap_peer_wfa_unauth_tls_register(void)
446 {
447 struct eap_method *eap;
448
449 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
450 EAP_VENDOR_WFA_NEW,
451 EAP_VENDOR_WFA_UNAUTH_TLS,
452 "WFA-UNAUTH-TLS");
453 if (eap == NULL)
454 return -1;
455
456 eap->init = eap_wfa_unauth_tls_init;
457 eap->deinit = eap_tls_deinit;
458 eap->process = eap_tls_process;
459 eap->isKeyAvailable = eap_tls_isKeyAvailable;
460 eap->getKey = eap_tls_getKey;
461 eap->get_status = eap_tls_get_status;
462 eap->has_reauth_data = eap_tls_has_reauth_data;
463 eap->deinit_for_reauth = eap_tls_deinit_for_reauth;
464 eap->init_for_reauth = eap_tls_init_for_reauth;
465 eap->get_emsk = eap_tls_get_emsk;
466
467 return eap_peer_method_register(eap);
468 }
469 #endif /* CONFIG_HS20 */
Unnamed repository; edit this file 'description' to name the repository.