2 * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
15 #include "eap_tls_common.h"
16 #include "eap_config.h"
19 static struct wpabuf
* eap_tls_msg_alloc(enum eap_type type
, size_t payload_len
,
20 u8 code
, u8 identifier
)
22 if (type
== EAP_UNAUTH_TLS_TYPE
)
23 return eap_msg_alloc(EAP_VENDOR_UNAUTH_TLS
,
24 EAP_VENDOR_TYPE_UNAUTH_TLS
, payload_len
,
26 if (type
== EAP_WFA_UNAUTH_TLS_TYPE
)
27 return eap_msg_alloc(EAP_VENDOR_WFA_NEW
,
28 EAP_VENDOR_WFA_UNAUTH_TLS
, payload_len
,
30 return eap_msg_alloc(EAP_VENDOR_IETF
, type
, payload_len
, code
,
35 static int eap_tls_check_blob(struct eap_sm
*sm
, const char **name
,
36 const u8
**data
, size_t *data_len
)
38 const struct wpa_config_blob
*blob
;
40 if (*name
== NULL
|| os_strncmp(*name
, "blob://", 7) != 0)
43 blob
= eap_get_config_blob(sm
, *name
+ 7);
45 wpa_printf(MSG_ERROR
, "%s: Named configuration blob '%s' not "
46 "found", __func__
, *name
+ 7);
52 *data_len
= blob
->len
;
58 static void eap_tls_params_flags(struct tls_connection_params
*params
,
63 if (os_strstr(txt
, "tls_allow_md5=1"))
64 params
->flags
|= TLS_CONN_ALLOW_SIGN_RSA_MD5
;
65 if (os_strstr(txt
, "tls_disable_time_checks=1"))
66 params
->flags
|= TLS_CONN_DISABLE_TIME_CHECKS
;
67 if (os_strstr(txt
, "tls_disable_session_ticket=1"))
68 params
->flags
|= TLS_CONN_DISABLE_SESSION_TICKET
;
69 if (os_strstr(txt
, "tls_disable_session_ticket=0"))
70 params
->flags
&= ~TLS_CONN_DISABLE_SESSION_TICKET
;
71 if (os_strstr(txt
, "tls_disable_tlsv1_0=1"))
72 params
->flags
|= TLS_CONN_DISABLE_TLSv1_0
;
73 if (os_strstr(txt
, "tls_disable_tlsv1_0=0")) {
74 params
->flags
&= ~TLS_CONN_DISABLE_TLSv1_0
;
75 params
->flags
|= TLS_CONN_ENABLE_TLSv1_0
;
77 if (os_strstr(txt
, "tls_disable_tlsv1_1=1"))
78 params
->flags
|= TLS_CONN_DISABLE_TLSv1_1
;
79 if (os_strstr(txt
, "tls_disable_tlsv1_1=0")) {
80 params
->flags
&= ~TLS_CONN_DISABLE_TLSv1_1
;
81 params
->flags
|= TLS_CONN_ENABLE_TLSv1_1
;
83 if (os_strstr(txt
, "tls_disable_tlsv1_2=1"))
84 params
->flags
|= TLS_CONN_DISABLE_TLSv1_2
;
85 if (os_strstr(txt
, "tls_disable_tlsv1_2=0")) {
86 params
->flags
&= ~TLS_CONN_DISABLE_TLSv1_2
;
87 params
->flags
|= TLS_CONN_ENABLE_TLSv1_2
;
89 if (os_strstr(txt
, "tls_disable_tlsv1_3=1"))
90 params
->flags
|= TLS_CONN_DISABLE_TLSv1_3
;
91 if (os_strstr(txt
, "tls_disable_tlsv1_3=0"))
92 params
->flags
&= ~TLS_CONN_DISABLE_TLSv1_3
;
93 if (os_strstr(txt
, "tls_ext_cert_check=1"))
94 params
->flags
|= TLS_CONN_EXT_CERT_CHECK
;
95 if (os_strstr(txt
, "tls_ext_cert_check=0"))
96 params
->flags
&= ~TLS_CONN_EXT_CERT_CHECK
;
97 if (os_strstr(txt
, "tls_suiteb=1"))
98 params
->flags
|= TLS_CONN_SUITEB
;
99 if (os_strstr(txt
, "tls_suiteb=0"))
100 params
->flags
&= ~TLS_CONN_SUITEB
;
101 if (os_strstr(txt
, "tls_suiteb_no_ecdh=1"))
102 params
->flags
|= TLS_CONN_SUITEB_NO_ECDH
;
103 if (os_strstr(txt
, "tls_suiteb_no_ecdh=0"))
104 params
->flags
&= ~TLS_CONN_SUITEB_NO_ECDH
;
108 static void eap_tls_cert_params_from_conf(struct tls_connection_params
*params
,
109 struct eap_peer_cert_config
*config
)
111 params
->ca_cert
= config
->ca_cert
;
112 params
->ca_path
= config
->ca_path
;
113 params
->client_cert
= config
->client_cert
;
114 params
->private_key
= config
->private_key
;
115 params
->private_key_passwd
= config
->private_key_passwd
;
116 params
->dh_file
= config
->dh_file
;
117 params
->subject_match
= config
->subject_match
;
118 params
->altsubject_match
= config
->altsubject_match
;
119 params
->check_cert_subject
= config
->check_cert_subject
;
120 params
->suffix_match
= config
->domain_suffix_match
;
121 params
->domain_match
= config
->domain_match
;
122 params
->engine
= config
->engine
;
123 params
->engine_id
= config
->engine_id
;
124 params
->pin
= config
->pin
;
125 params
->key_id
= config
->key_id
;
126 params
->cert_id
= config
->cert_id
;
127 params
->ca_cert_id
= config
->ca_cert_id
;
129 params
->flags
|= TLS_CONN_REQUEST_OCSP
;
130 if (config
->ocsp
>= 2)
131 params
->flags
|= TLS_CONN_REQUIRE_OCSP
;
132 if (config
->ocsp
== 3)
133 params
->flags
|= TLS_CONN_REQUIRE_OCSP_ALL
;
137 static void eap_tls_params_from_conf1(struct tls_connection_params
*params
,
138 struct eap_peer_config
*config
)
140 eap_tls_cert_params_from_conf(params
, &config
->cert
);
141 eap_tls_params_flags(params
, config
->phase1
);
145 static void eap_tls_params_from_conf2(struct tls_connection_params
*params
,
146 struct eap_peer_config
*config
)
148 eap_tls_cert_params_from_conf(params
, &config
->phase2_cert
);
149 eap_tls_params_flags(params
, config
->phase2
);
153 static void eap_tls_params_from_conf2m(struct tls_connection_params
*params
,
154 struct eap_peer_config
*config
)
156 eap_tls_cert_params_from_conf(params
, &config
->machine_cert
);
157 eap_tls_params_flags(params
, config
->machine_phase2
);
161 static int eap_tls_params_from_conf(struct eap_sm
*sm
,
162 struct eap_ssl_data
*data
,
163 struct tls_connection_params
*params
,
164 struct eap_peer_config
*config
, int phase2
)
166 os_memset(params
, 0, sizeof(*params
));
167 if (sm
->workaround
&& data
->eap_type
!= EAP_TYPE_FAST
&&
168 data
->eap_type
!= EAP_TYPE_TEAP
) {
170 * Some deployed authentication servers seem to be unable to
171 * handle the TLS Session Ticket extension (they are supposed
172 * to ignore unrecognized TLS extensions, but end up rejecting
173 * the ClientHello instead). As a workaround, disable use of
174 * TLS Sesson Ticket extension for EAP-TLS, EAP-PEAP, and
175 * EAP-TTLS (EAP-FAST uses session ticket, so any server that
176 * supports EAP-FAST does not need this workaround).
178 params
->flags
|= TLS_CONN_DISABLE_SESSION_TICKET
;
180 if (data
->eap_type
== EAP_TYPE_TEAP
) {
181 /* RFC 7170 requires TLS v1.2 or newer to be used with TEAP */
182 params
->flags
|= TLS_CONN_DISABLE_TLSv1_0
|
183 TLS_CONN_DISABLE_TLSv1_1
;
184 if (config
->teap_anon_dh
)
185 params
->flags
|= TLS_CONN_TEAP_ANON_DH
;
187 if (data
->eap_type
== EAP_TYPE_FAST
||
188 data
->eap_type
== EAP_TYPE_TEAP
||
189 data
->eap_type
== EAP_TYPE_TTLS
||
190 data
->eap_type
== EAP_TYPE_PEAP
) {
191 /* The current EAP peer implementation is not yet ready for the
192 * TLS v1.3 changes, so disable this by default for now. */
193 params
->flags
|= TLS_CONN_DISABLE_TLSv1_3
;
195 if (data
->eap_type
== EAP_TYPE_TLS
||
196 data
->eap_type
== EAP_UNAUTH_TLS_TYPE
||
197 data
->eap_type
== EAP_WFA_UNAUTH_TLS_TYPE
) {
198 /* While the current EAP-TLS implementation is more or less
199 * complete for TLS v1.3, there has been no interoperability
200 * testing with other implementations, so disable for by default
201 * for now until there has been chance to confirm that no
202 * significant interoperability issues show up with TLS version
205 params
->flags
|= TLS_CONN_DISABLE_TLSv1_3
;
207 if (phase2
&& sm
->use_machine_cred
) {
208 wpa_printf(MSG_DEBUG
, "TLS: using machine config options");
209 eap_tls_params_from_conf2m(params
, config
);
211 wpa_printf(MSG_DEBUG
, "TLS: using phase2 config options");
212 eap_tls_params_from_conf2(params
, config
);
214 wpa_printf(MSG_DEBUG
, "TLS: using phase1 config options");
215 eap_tls_params_from_conf1(params
, config
);
216 if (data
->eap_type
== EAP_TYPE_FAST
)
217 params
->flags
|= TLS_CONN_EAP_FAST
;
221 * Use blob data, if available. Otherwise, leave reference to external
224 if (eap_tls_check_blob(sm
, ¶ms
->ca_cert
, ¶ms
->ca_cert_blob
,
225 ¶ms
->ca_cert_blob_len
) ||
226 eap_tls_check_blob(sm
, ¶ms
->client_cert
,
227 ¶ms
->client_cert_blob
,
228 ¶ms
->client_cert_blob_len
) ||
229 eap_tls_check_blob(sm
, ¶ms
->private_key
,
230 ¶ms
->private_key_blob
,
231 ¶ms
->private_key_blob_len
) ||
232 eap_tls_check_blob(sm
, ¶ms
->dh_file
, ¶ms
->dh_blob
,
233 ¶ms
->dh_blob_len
)) {
234 wpa_printf(MSG_INFO
, "SSL: Failed to get configuration blobs");
238 params
->openssl_ciphers
= config
->openssl_ciphers
;
240 sm
->ext_cert_check
= !!(params
->flags
& TLS_CONN_EXT_CERT_CHECK
);
246 static int eap_tls_init_connection(struct eap_sm
*sm
,
247 struct eap_ssl_data
*data
,
248 struct eap_peer_config
*config
,
249 struct tls_connection_params
*params
)
253 data
->conn
= tls_connection_init(data
->ssl_ctx
);
254 if (data
->conn
== NULL
) {
255 wpa_printf(MSG_INFO
, "SSL: Failed to initialize new TLS "
260 res
= tls_connection_set_params(data
->ssl_ctx
, data
->conn
, params
);
261 if (res
== TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN
) {
263 * At this point with the pkcs11 engine the PIN is wrong. We
264 * reset the PIN in the configuration to be sure to not use it
265 * again and the calling function must request a new one.
268 "TLS: Bad PIN provided, requesting a new one");
269 os_free(config
->cert
.pin
);
270 config
->cert
.pin
= NULL
;
271 eap_sm_request_pin(sm
);
273 } else if (res
== TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
) {
274 wpa_printf(MSG_INFO
, "TLS: Failed to initialize engine");
275 } else if (res
== TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED
) {
276 wpa_printf(MSG_INFO
, "TLS: Failed to load private key");
280 wpa_printf(MSG_INFO
, "TLS: Failed to set TLS connection "
282 tls_connection_deinit(data
->ssl_ctx
, data
->conn
);
292 * eap_peer_tls_ssl_init - Initialize shared TLS functionality
293 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
294 * @data: Data for TLS processing
295 * @config: Pointer to the network configuration
296 * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
297 * Returns: 0 on success, -1 on failure
299 * This function is used to initialize shared TLS functionality for EAP-TLS,
300 * EAP-PEAP, EAP-TTLS, and EAP-FAST.
302 int eap_peer_tls_ssl_init(struct eap_sm
*sm
, struct eap_ssl_data
*data
,
303 struct eap_peer_config
*config
, u8 eap_type
)
305 struct tls_connection_params params
;
311 data
->eap_type
= eap_type
;
312 data
->phase2
= sm
->init_phase2
;
313 data
->ssl_ctx
= sm
->init_phase2
&& sm
->ssl_ctx2
? sm
->ssl_ctx2
:
315 if (eap_tls_params_from_conf(sm
, data
, ¶ms
, config
, data
->phase2
) <
319 if (eap_tls_init_connection(sm
, data
, config
, ¶ms
) < 0)
322 data
->tls_out_limit
= config
->fragment_size
;
324 /* Limit the fragment size in the inner TLS authentication
325 * since the outer authentication with EAP-PEAP does not yet
326 * support fragmentation */
327 if (data
->tls_out_limit
> 100)
328 data
->tls_out_limit
-= 100;
331 if (config
->phase1
&&
332 os_strstr(config
->phase1
, "include_tls_length=1")) {
333 wpa_printf(MSG_DEBUG
, "TLS: Include TLS Message Length in "
334 "unfragmented packets");
335 data
->include_tls_length
= 1;
343 * eap_peer_tls_ssl_deinit - Deinitialize shared TLS functionality
344 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
345 * @data: Data for TLS processing
347 * This function deinitializes shared TLS functionality that was initialized
348 * with eap_peer_tls_ssl_init().
350 void eap_peer_tls_ssl_deinit(struct eap_sm
*sm
, struct eap_ssl_data
*data
)
352 tls_connection_deinit(data
->ssl_ctx
, data
->conn
);
353 eap_peer_tls_reset_input(data
);
354 eap_peer_tls_reset_output(data
);
359 * eap_peer_tls_derive_key - Derive a key based on TLS session data
360 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
361 * @data: Data for TLS processing
362 * @label: Label string for deriving the keys, e.g., "client EAP encryption"
363 * @context: Optional extra upper-layer context (max len 2^16)
364 * @context_len: The length of the context value
365 * @len: Length of the key material to generate (usually 64 for MSK)
366 * Returns: Pointer to allocated key on success or %NULL on failure
368 * This function uses TLS-PRF to generate pseudo-random data based on the TLS
369 * session data (client/server random and master key). Each key type may use a
370 * different label to bind the key usage into the generated material.
372 * The caller is responsible for freeing the returned buffer.
374 * Note: To provide the RFC 5705 context, the context variable must be non-NULL.
376 u8
* eap_peer_tls_derive_key(struct eap_sm
*sm
, struct eap_ssl_data
*data
,
377 const char *label
, const u8
*context
,
378 size_t context_len
, size_t len
)
382 out
= os_malloc(len
);
386 if (tls_connection_export_key(data
->ssl_ctx
, data
->conn
, label
,
387 context
, context_len
, out
, len
)) {
397 * eap_peer_tls_derive_session_id - Derive a Session-Id based on TLS data
398 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
399 * @data: Data for TLS processing
400 * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
401 * @len: Pointer to length of the session ID generated
402 * Returns: Pointer to allocated Session-Id on success or %NULL on failure
404 * This function derive the Session-Id based on the TLS session data
405 * (client/server random and method type).
407 * The caller is responsible for freeing the returned buffer.
409 u8
* eap_peer_tls_derive_session_id(struct eap_sm
*sm
,
410 struct eap_ssl_data
*data
, u8 eap_type
,
413 struct tls_random keys
;
416 if (eap_type
== EAP_TYPE_TLS
&& data
->tls_v13
) {
418 const u8 context
[] = { EAP_TYPE_TLS
};
420 /* Session-Id = <EAP-Type> || Method-Id
421 * Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",
425 id
= os_malloc(*len
);
428 method_id
= eap_peer_tls_derive_key(
429 sm
, data
, "EXPORTER_EAP_TLS_Method-Id", context
, 1, 64);
435 os_memcpy(id
+ 1, method_id
, 64);
440 if (tls_connection_get_random(sm
->ssl_ctx
, data
->conn
, &keys
) ||
441 keys
.client_random
== NULL
|| keys
.server_random
== NULL
)
444 *len
= 1 + keys
.client_random_len
+ keys
.server_random_len
;
445 out
= os_malloc(*len
);
449 /* Session-Id = EAP type || client.random || server.random */
451 os_memcpy(out
+ 1, keys
.client_random
, keys
.client_random_len
);
452 os_memcpy(out
+ 1 + keys
.client_random_len
, keys
.server_random
,
453 keys
.server_random_len
);
460 * eap_peer_tls_reassemble_fragment - Reassemble a received fragment
461 * @data: Data for TLS processing
462 * @in_data: Next incoming TLS segment
463 * Returns: 0 on success, 1 if more data is needed for the full message, or
466 static int eap_peer_tls_reassemble_fragment(struct eap_ssl_data
*data
,
467 const struct wpabuf
*in_data
)
469 size_t tls_in_len
, in_len
;
471 tls_in_len
= data
->tls_in
? wpabuf_len(data
->tls_in
) : 0;
472 in_len
= in_data
? wpabuf_len(in_data
) : 0;
474 if (tls_in_len
+ in_len
== 0) {
475 /* No message data received?! */
476 wpa_printf(MSG_WARNING
, "SSL: Invalid reassembly state: "
477 "tls_in_left=%lu tls_in_len=%lu in_len=%lu",
478 (unsigned long) data
->tls_in_left
,
479 (unsigned long) tls_in_len
,
480 (unsigned long) in_len
);
481 eap_peer_tls_reset_input(data
);
485 if (tls_in_len
+ in_len
> 65536) {
487 * Limit length to avoid rogue servers from causing large
488 * memory allocations.
490 wpa_printf(MSG_INFO
, "SSL: Too long TLS fragment (size over "
492 eap_peer_tls_reset_input(data
);
496 if (in_len
> data
->tls_in_left
) {
497 /* Sender is doing something odd - reject message */
498 wpa_printf(MSG_INFO
, "SSL: more data than TLS message length "
500 eap_peer_tls_reset_input(data
);
504 if (wpabuf_resize(&data
->tls_in
, in_len
) < 0) {
505 wpa_printf(MSG_INFO
, "SSL: Could not allocate memory for TLS "
507 eap_peer_tls_reset_input(data
);
511 wpabuf_put_buf(data
->tls_in
, in_data
);
512 data
->tls_in_left
-= in_len
;
514 if (data
->tls_in_left
> 0) {
515 wpa_printf(MSG_DEBUG
, "SSL: Need %lu bytes more input "
516 "data", (unsigned long) data
->tls_in_left
);
525 * eap_peer_tls_data_reassemble - Reassemble TLS data
526 * @data: Data for TLS processing
527 * @in_data: Next incoming TLS segment
528 * @need_more_input: Variable for returning whether more input data is needed
529 * to reassemble this TLS packet
530 * Returns: Pointer to output data, %NULL on error or when more data is needed
531 * for the full message (in which case, *need_more_input is also set to 1).
533 * This function reassembles TLS fragments. Caller must not free the returned
534 * data buffer since an internal pointer to it is maintained.
536 static const struct wpabuf
* eap_peer_tls_data_reassemble(
537 struct eap_ssl_data
*data
, const struct wpabuf
*in_data
,
538 int *need_more_input
)
540 *need_more_input
= 0;
542 if (data
->tls_in_left
> wpabuf_len(in_data
) || data
->tls_in
) {
543 /* Message has fragments */
544 int res
= eap_peer_tls_reassemble_fragment(data
, in_data
);
547 *need_more_input
= 1;
551 /* Message is now fully reassembled. */
553 /* No fragments in this message, so just make a copy of it. */
554 data
->tls_in_left
= 0;
555 data
->tls_in
= wpabuf_dup(in_data
);
556 if (data
->tls_in
== NULL
)
565 * eap_tls_process_input - Process incoming TLS message
566 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
567 * @data: Data for TLS processing
568 * @in_data: Message received from the server
569 * @out_data: Buffer for returning a pointer to application data (if available)
570 * Returns: 0 on success, 1 if more input data is needed, 2 if application data
571 * is available, -1 on failure
573 static int eap_tls_process_input(struct eap_sm
*sm
, struct eap_ssl_data
*data
,
574 const struct wpabuf
*in_data
,
575 struct wpabuf
**out_data
)
577 const struct wpabuf
*msg
;
579 struct wpabuf
*appl_data
;
581 msg
= eap_peer_tls_data_reassemble(data
, in_data
, &need_more_input
);
583 return need_more_input
? 1 : -1;
585 /* Full TLS message reassembled - continue handshake processing */
587 /* This should not happen.. */
588 wpa_printf(MSG_INFO
, "SSL: eap_tls_process_input - pending "
589 "tls_out data even though tls_out_len = 0");
590 wpabuf_free(data
->tls_out
);
591 WPA_ASSERT(data
->tls_out
== NULL
);
594 data
->tls_out
= tls_connection_handshake(data
->ssl_ctx
, data
->conn
,
597 eap_peer_tls_reset_input(data
);
600 tls_connection_established(data
->ssl_ctx
, data
->conn
) &&
601 !tls_connection_get_failed(data
->ssl_ctx
, data
->conn
)) {
602 wpa_hexdump_buf_key(MSG_MSGDUMP
, "SSL: Application data",
604 *out_data
= appl_data
;
608 wpabuf_free(appl_data
);
615 * eap_tls_process_output - Process outgoing TLS message
616 * @data: Data for TLS processing
617 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
618 * @peap_version: Version number for EAP-PEAP/TTLS
619 * @id: EAP identifier for the response
620 * @ret: Return value to use on success
621 * @out_data: Buffer for returning the allocated output buffer
622 * Returns: ret (0 or 1) on success, -1 on failure
624 static int eap_tls_process_output(struct eap_ssl_data
*data
,
625 enum eap_type eap_type
,
626 int peap_version
, u8 id
, int ret
,
627 struct wpabuf
**out_data
)
631 int more_fragments
, length_included
;
633 if (data
->tls_out
== NULL
)
635 len
= wpabuf_len(data
->tls_out
) - data
->tls_out_pos
;
636 wpa_printf(MSG_DEBUG
, "SSL: %lu bytes left to be sent out (of total "
639 (unsigned long) wpabuf_len(data
->tls_out
));
642 * Limit outgoing message to the configured maximum size. Fragment
645 if (len
> data
->tls_out_limit
) {
647 len
= data
->tls_out_limit
;
648 wpa_printf(MSG_DEBUG
, "SSL: sending %lu bytes, more fragments "
649 "will follow", (unsigned long) len
);
653 length_included
= data
->tls_out_pos
== 0 &&
654 (wpabuf_len(data
->tls_out
) > data
->tls_out_limit
||
655 data
->include_tls_length
);
656 if (!length_included
&&
657 eap_type
== EAP_TYPE_PEAP
&& peap_version
== 0 &&
658 !tls_connection_established(data
->eap
->ssl_ctx
, data
->conn
)) {
660 * Windows Server 2008 NPS really wants to have the TLS Message
661 * length included in phase 0 even for unfragmented frames or
662 * it will get very confused with Compound MAC calculation and
668 *out_data
= eap_tls_msg_alloc(eap_type
, 1 + length_included
* 4 + len
,
669 EAP_CODE_RESPONSE
, id
);
670 if (*out_data
== NULL
)
673 flags
= wpabuf_put(*out_data
, 1);
674 *flags
= peap_version
;
676 *flags
|= EAP_TLS_FLAGS_MORE_FRAGMENTS
;
677 if (length_included
) {
678 *flags
|= EAP_TLS_FLAGS_LENGTH_INCLUDED
;
679 wpabuf_put_be32(*out_data
, wpabuf_len(data
->tls_out
));
682 wpabuf_put_data(*out_data
,
683 wpabuf_head_u8(data
->tls_out
) + data
->tls_out_pos
,
685 data
->tls_out_pos
+= len
;
688 eap_peer_tls_reset_output(data
);
695 * eap_peer_tls_process_helper - Process TLS handshake message
696 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
697 * @data: Data for TLS processing
698 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
699 * @peap_version: Version number for EAP-PEAP/TTLS
700 * @id: EAP identifier for the response
701 * @in_data: Message received from the server
702 * @out_data: Buffer for returning a pointer to the response message
703 * Returns: 0 on success, 1 if more input data is needed, 2 if application data
704 * is available, or -1 on failure
706 * This function can be used to process TLS handshake messages. It reassembles
707 * the received fragments and uses a TLS library to process the messages. The
708 * response data from the TLS library is fragmented to suitable output messages
709 * that the caller can send out.
711 * out_data is used to return the response message if the return value of this
712 * function is 0, 2, or -1. In case of failure, the message is likely a TLS
713 * alarm message. The caller is responsible for freeing the allocated buffer if
714 * *out_data is not %NULL.
716 * This function is called for each received TLS message during the TLS
717 * handshake after eap_peer_tls_process_init() call and possible processing of
718 * TLS Flags field. Once the handshake has been completed, i.e., when
719 * tls_connection_established() returns 1, EAP method specific decrypting of
720 * the tunneled data is used.
722 int eap_peer_tls_process_helper(struct eap_sm
*sm
, struct eap_ssl_data
*data
,
723 enum eap_type eap_type
, int peap_version
,
724 u8 id
, const struct wpabuf
*in_data
,
725 struct wpabuf
**out_data
)
731 if (data
->tls_out
&& wpabuf_len(data
->tls_out
) > 0 &&
732 wpabuf_len(in_data
) > 0) {
733 wpa_printf(MSG_DEBUG
, "SSL: Received non-ACK when output "
734 "fragments are waiting to be sent out");
738 if (data
->tls_out
== NULL
|| wpabuf_len(data
->tls_out
) == 0) {
740 * No more data to send out - expect to receive more data from
743 int res
= eap_tls_process_input(sm
, data
, in_data
, out_data
);
748 * Input processing failed (res = -1) or more data is
755 * The incoming message has been reassembled and processed. The
756 * response was allocated into data->tls_out buffer.
759 if (tls_get_version(data
->ssl_ctx
, data
->conn
,
760 buf
, sizeof(buf
)) == 0) {
761 wpa_printf(MSG_DEBUG
, "SSL: Using TLS version %s", buf
);
762 data
->tls_v13
= os_strcmp(buf
, "TLSv1.3") == 0;
766 if (data
->tls_out
== NULL
) {
768 * No outgoing fragments remaining from the previous message
769 * and no new message generated. This indicates an error in TLS
772 eap_peer_tls_reset_output(data
);
776 if (tls_connection_get_failed(data
->ssl_ctx
, data
->conn
)) {
777 /* TLS processing has failed - return error */
778 wpa_printf(MSG_DEBUG
, "SSL: Failed - tls_out available to "
779 "report error (len=%u)",
780 (unsigned int) wpabuf_len(data
->tls_out
));
782 /* TODO: clean pin if engine used? */
783 if (wpabuf_len(data
->tls_out
) == 0) {
784 wpabuf_free(data
->tls_out
);
785 data
->tls_out
= NULL
;
790 if (wpabuf_len(data
->tls_out
) == 0) {
792 * TLS negotiation should now be complete since all other cases
793 * needing more data should have been caught above based on
794 * the TLS Message Length field.
796 wpa_printf(MSG_DEBUG
, "SSL: No data to be sent out");
797 wpabuf_free(data
->tls_out
);
798 data
->tls_out
= NULL
;
802 /* Send the pending message (in fragments, if needed). */
803 return eap_tls_process_output(data
, eap_type
, peap_version
, id
, ret
,
809 * eap_peer_tls_build_ack - Build a TLS ACK frame
810 * @id: EAP identifier for the response
811 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
812 * @peap_version: Version number for EAP-PEAP/TTLS
813 * Returns: Pointer to the allocated ACK frame or %NULL on failure
815 struct wpabuf
* eap_peer_tls_build_ack(u8 id
, enum eap_type eap_type
,
820 resp
= eap_tls_msg_alloc(eap_type
, 1, EAP_CODE_RESPONSE
, id
);
823 wpa_printf(MSG_DEBUG
, "SSL: Building ACK (type=%d id=%d ver=%d)",
824 (int) eap_type
, id
, peap_version
);
825 wpabuf_put_u8(resp
, peap_version
); /* Flags */
831 * eap_peer_tls_reauth_init - Re-initialize shared TLS for session resumption
832 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
833 * @data: Data for TLS processing
834 * Returns: 0 on success, -1 on failure
836 int eap_peer_tls_reauth_init(struct eap_sm
*sm
, struct eap_ssl_data
*data
)
838 eap_peer_tls_reset_input(data
);
839 eap_peer_tls_reset_output(data
);
840 return tls_connection_shutdown(data
->ssl_ctx
, data
->conn
);
845 * eap_peer_tls_status - Get TLS status
846 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
847 * @data: Data for TLS processing
848 * @buf: Buffer for status information
849 * @buflen: Maximum buffer length
850 * @verbose: Whether to include verbose status information
851 * Returns: Number of bytes written to buf.
853 int eap_peer_tls_status(struct eap_sm
*sm
, struct eap_ssl_data
*data
,
854 char *buf
, size_t buflen
, int verbose
)
856 char version
[20], name
[128];
859 if (tls_get_version(data
->ssl_ctx
, data
->conn
, version
,
860 sizeof(version
)) < 0)
862 if (tls_get_cipher(data
->ssl_ctx
, data
->conn
, name
, sizeof(name
)) < 0)
865 ret
= os_snprintf(buf
+ len
, buflen
- len
,
866 "eap_tls_version=%s\n"
867 "EAP TLS cipher=%s\n"
868 "tls_session_reused=%d\n",
870 tls_connection_resumed(data
->ssl_ctx
, data
->conn
));
871 if (os_snprintf_error(buflen
- len
, ret
))
880 * eap_peer_tls_process_init - Initial validation/processing of EAP requests
881 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
882 * @data: Data for TLS processing
883 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
884 * @ret: Return values from EAP request validation and processing
885 * @reqData: EAP request to be processed (eapReqData)
886 * @len: Buffer for returning length of the remaining payload
887 * @flags: Buffer for returning TLS flags
888 * Returns: Pointer to payload after TLS flags and length or %NULL on failure
890 * This function validates the EAP header and processes the optional TLS
891 * Message Length field. If this is the first fragment of a TLS message, the
892 * TLS reassembly code is initialized to receive the indicated number of bytes.
894 * EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST methods are expected to use this
895 * function as the first step in processing received messages. They will need
896 * to process the flags (apart from Message Length Included) that are returned
897 * through the flags pointer and the message payload that will be returned (and
898 * the length is returned through the len pointer). Return values (ret) are set
899 * for continuation of EAP method processing. The caller is responsible for
900 * setting these to indicate completion (either success or failure) based on
901 * the authentication result.
903 const u8
* eap_peer_tls_process_init(struct eap_sm
*sm
,
904 struct eap_ssl_data
*data
,
905 enum eap_type eap_type
,
906 struct eap_method_ret
*ret
,
907 const struct wpabuf
*reqData
,
908 size_t *len
, u8
*flags
)
912 unsigned int tls_msg_len
;
914 if (tls_get_errors(data
->ssl_ctx
)) {
915 wpa_printf(MSG_INFO
, "SSL: TLS errors detected");
920 if (eap_type
== EAP_UNAUTH_TLS_TYPE
)
921 pos
= eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS
,
922 EAP_VENDOR_TYPE_UNAUTH_TLS
, reqData
,
924 else if (eap_type
== EAP_WFA_UNAUTH_TLS_TYPE
)
925 pos
= eap_hdr_validate(EAP_VENDOR_WFA_NEW
,
926 EAP_VENDOR_WFA_UNAUTH_TLS
, reqData
,
929 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, eap_type
, reqData
,
936 wpa_printf(MSG_DEBUG
, "SSL: Invalid TLS message: no Flags "
938 if (!sm
->workaround
) {
943 wpa_printf(MSG_DEBUG
, "SSL: Workaround - assume no Flags "
944 "indicates ACK frame");
950 wpa_printf(MSG_DEBUG
, "SSL: Received packet(len=%lu) - "
951 "Flags 0x%02x", (unsigned long) wpabuf_len(reqData
),
953 if (*flags
& EAP_TLS_FLAGS_LENGTH_INCLUDED
) {
955 wpa_printf(MSG_INFO
, "SSL: Short frame with TLS "
960 tls_msg_len
= WPA_GET_BE32(pos
);
961 wpa_printf(MSG_DEBUG
, "SSL: TLS Message Length: %d",
963 if (data
->tls_in_left
== 0) {
964 data
->tls_in_total
= tls_msg_len
;
965 data
->tls_in_left
= tls_msg_len
;
966 wpabuf_free(data
->tls_in
);
972 if (left
> tls_msg_len
) {
973 wpa_printf(MSG_INFO
, "SSL: TLS Message Length (%d "
974 "bytes) smaller than this fragment (%d "
975 "bytes)", (int) tls_msg_len
, (int) left
);
982 ret
->methodState
= METHOD_MAY_CONT
;
983 ret
->decision
= DECISION_FAIL
;
984 ret
->allowNotifications
= TRUE
;
992 * eap_peer_tls_reset_input - Reset input buffers
993 * @data: Data for TLS processing
995 * This function frees any allocated memory for input buffers and resets input
998 void eap_peer_tls_reset_input(struct eap_ssl_data
*data
)
1000 data
->tls_in_left
= data
->tls_in_total
= 0;
1001 wpabuf_free(data
->tls_in
);
1002 data
->tls_in
= NULL
;
1007 * eap_peer_tls_reset_output - Reset output buffers
1008 * @data: Data for TLS processing
1010 * This function frees any allocated memory for output buffers and resets
1013 void eap_peer_tls_reset_output(struct eap_ssl_data
*data
)
1015 data
->tls_out_pos
= 0;
1016 wpabuf_free(data
->tls_out
);
1017 data
->tls_out
= NULL
;
1022 * eap_peer_tls_decrypt - Decrypt received phase 2 TLS message
1023 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
1024 * @data: Data for TLS processing
1025 * @in_data: Message received from the server
1026 * @in_decrypted: Buffer for returning a pointer to the decrypted message
1027 * Returns: 0 on success, 1 if more input data is needed, or -1 on failure
1029 int eap_peer_tls_decrypt(struct eap_sm
*sm
, struct eap_ssl_data
*data
,
1030 const struct wpabuf
*in_data
,
1031 struct wpabuf
**in_decrypted
)
1033 const struct wpabuf
*msg
;
1034 int need_more_input
;
1036 msg
= eap_peer_tls_data_reassemble(data
, in_data
, &need_more_input
);
1038 return need_more_input
? 1 : -1;
1040 *in_decrypted
= tls_connection_decrypt(data
->ssl_ctx
, data
->conn
, msg
);
1041 eap_peer_tls_reset_input(data
);
1042 if (*in_decrypted
== NULL
) {
1043 wpa_printf(MSG_INFO
, "SSL: Failed to decrypt Phase 2 data");
1051 * eap_peer_tls_encrypt - Encrypt phase 2 TLS message
1052 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
1053 * @data: Data for TLS processing
1054 * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
1055 * @peap_version: Version number for EAP-PEAP/TTLS
1056 * @id: EAP identifier for the response
1057 * @in_data: Plaintext phase 2 data to encrypt or %NULL to continue fragments
1058 * @out_data: Buffer for returning a pointer to the encrypted response message
1059 * Returns: 0 on success, -1 on failure
1061 int eap_peer_tls_encrypt(struct eap_sm
*sm
, struct eap_ssl_data
*data
,
1062 enum eap_type eap_type
, int peap_version
, u8 id
,
1063 const struct wpabuf
*in_data
,
1064 struct wpabuf
**out_data
)
1067 eap_peer_tls_reset_output(data
);
1068 data
->tls_out
= tls_connection_encrypt(data
->ssl_ctx
,
1069 data
->conn
, in_data
);
1070 if (data
->tls_out
== NULL
) {
1071 wpa_printf(MSG_INFO
, "SSL: Failed to encrypt Phase 2 "
1072 "data (in_len=%lu)",
1073 (unsigned long) wpabuf_len(in_data
));
1074 eap_peer_tls_reset_output(data
);
1079 return eap_tls_process_output(data
, eap_type
, peap_version
, id
, 0,
1085 * eap_peer_select_phase2_methods - Select phase 2 EAP method
1086 * @config: Pointer to the network configuration
1087 * @prefix: 'phase2' configuration prefix, e.g., "auth="
1088 * @types: Buffer for returning allocated list of allowed EAP methods
1089 * @num_types: Buffer for returning number of allocated EAP methods
1090 * Returns: 0 on success, -1 on failure
1092 * This function is used to parse EAP method list and select allowed methods
1093 * for Phase2 authentication.
1095 int eap_peer_select_phase2_methods(struct eap_peer_config
*config
,
1097 struct eap_method_type
**types
,
1098 size_t *num_types
, int use_machine_cred
)
1100 char *start
, *pos
, *buf
;
1101 struct eap_method_type
*methods
= NULL
, *_methods
;
1103 size_t num_methods
= 0, prefix_len
;
1108 phase2
= use_machine_cred
? config
->machine_phase2
: config
->phase2
;
1112 start
= buf
= os_strdup(phase2
);
1116 prefix_len
= os_strlen(prefix
);
1118 while (start
&& *start
!= '\0') {
1120 pos
= os_strstr(start
, prefix
);
1123 if (start
!= pos
&& *(pos
- 1) != ' ') {
1124 start
= pos
+ prefix_len
;
1128 start
= pos
+ prefix_len
;
1129 pos
= os_strchr(start
, ' ');
1132 method
= eap_get_phase2_type(start
, &vendor
);
1133 if (vendor
== EAP_VENDOR_IETF
&& method
== EAP_TYPE_NONE
) {
1134 wpa_printf(MSG_ERROR
, "TLS: Unsupported Phase2 EAP "
1135 "method '%s'", start
);
1141 _methods
= os_realloc_array(methods
, num_methods
,
1143 if (_methods
== NULL
) {
1149 methods
[num_methods
- 1].vendor
= vendor
;
1150 methods
[num_methods
- 1].method
= method
;
1159 if (methods
== NULL
)
1160 methods
= eap_get_phase2_types(config
, &num_methods
);
1162 if (methods
== NULL
) {
1163 wpa_printf(MSG_ERROR
, "TLS: No Phase2 EAP methods available");
1166 wpa_hexdump(MSG_DEBUG
, "TLS: Phase2 EAP types",
1168 num_methods
* sizeof(struct eap_method_type
));
1171 *num_types
= num_methods
;
1178 * eap_peer_tls_phase2_nak - Generate EAP-Nak for Phase 2
1179 * @types: Buffer for returning allocated list of allowed EAP methods
1180 * @num_types: Buffer for returning number of allocated EAP methods
1181 * @hdr: EAP-Request header (and the following EAP type octet)
1182 * @resp: Buffer for returning the EAP-Nak message
1183 * Returns: 0 on success, -1 on failure
1185 int eap_peer_tls_phase2_nak(struct eap_method_type
*types
, size_t num_types
,
1186 struct eap_hdr
*hdr
, struct wpabuf
**resp
)
1188 u8
*pos
= (u8
*) (hdr
+ 1);
1191 /* TODO: add support for expanded Nak */
1192 wpa_printf(MSG_DEBUG
, "TLS: Phase 2 Request: Nak type=%d", *pos
);
1193 wpa_hexdump(MSG_DEBUG
, "TLS: Allowed Phase2 EAP types",
1194 (u8
*) types
, num_types
* sizeof(struct eap_method_type
));
1195 *resp
= eap_msg_alloc(EAP_VENDOR_IETF
, EAP_TYPE_NAK
, num_types
,
1196 EAP_CODE_RESPONSE
, hdr
->identifier
);
1200 for (i
= 0; i
< num_types
; i
++) {
1201 if (types
[i
].vendor
== EAP_VENDOR_IETF
&&
1202 types
[i
].method
< 256)
1203 wpabuf_put_u8(*resp
, types
[i
].method
);
1206 eap_update_len(*resp
);