2 * EAP-FAST server (RFC 4851)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/aes_wrap.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "crypto/random.h"
16 #include "eap_common/eap_tlv_common.h"
17 #include "eap_common/eap_fast_common.h"
19 #include "eap_tls_common.h"
22 static void eap_fast_reset(struct eap_sm
*sm
, void *priv
);
25 /* Private PAC-Opaque TLV types */
26 #define PAC_OPAQUE_TYPE_PAD 0
27 #define PAC_OPAQUE_TYPE_KEY 1
28 #define PAC_OPAQUE_TYPE_LIFETIME 2
29 #define PAC_OPAQUE_TYPE_IDENTITY 3
31 struct eap_fast_data
{
32 struct eap_ssl_data ssl
;
34 START
, PHASE1
, PHASE2_START
, PHASE2_ID
, PHASE2_METHOD
,
35 CRYPTO_BINDING
, REQUEST_PAC
, SUCCESS
, FAILURE
39 const struct eap_method
*phase2_method
;
44 u8 crypto_binding_nonce
[32];
47 struct eap_fast_key_block_provisioning
*key_block_p
;
49 u8 simck
[EAP_FAST_SIMCK_LEN
];
50 u8 cmk
[EAP_FAST_CMK_LEN
];
53 u8 pac_opaque_encr
[16];
58 int anon_provisioning
;
59 int send_new_pac
; /* server triggered re-keying of Tunnel PAC */
60 struct wpabuf
*pending_phase2_resp
;
61 u8
*identity
; /* from PAC-Opaque */
67 int pac_key_refresh_time
;
71 static int eap_fast_process_phase2_start(struct eap_sm
*sm
,
72 struct eap_fast_data
*data
);
75 static const char * eap_fast_state_txt(int state
)
83 return "PHASE2_START";
87 return "PHASE2_METHOD";
89 return "CRYPTO_BINDING";
102 static void eap_fast_state(struct eap_fast_data
*data
, int state
)
104 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s -> %s",
105 eap_fast_state_txt(data
->state
),
106 eap_fast_state_txt(state
));
111 static EapType
eap_fast_req_failure(struct eap_sm
*sm
,
112 struct eap_fast_data
*data
)
114 /* TODO: send Result TLV(FAILURE) */
115 eap_fast_state(data
, FAILURE
);
116 return EAP_TYPE_NONE
;
120 static int eap_fast_session_ticket_cb(void *ctx
, const u8
*ticket
, size_t len
,
121 const u8
*client_random
,
122 const u8
*server_random
,
125 struct eap_fast_data
*data
= ctx
;
126 const u8
*pac_opaque
;
127 size_t pac_opaque_len
;
128 u8
*buf
, *pos
, *end
, *pac_key
= NULL
;
129 os_time_t lifetime
= 0;
132 size_t identity_len
= 0;
134 wpa_printf(MSG_DEBUG
, "EAP-FAST: SessionTicket callback");
135 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: SessionTicket (PAC-Opaque)",
138 if (len
< 4 || WPA_GET_BE16(ticket
) != PAC_TYPE_PAC_OPAQUE
) {
139 wpa_printf(MSG_DEBUG
, "EAP-FAST: Ignore invalid "
144 pac_opaque_len
= WPA_GET_BE16(ticket
+ 2);
145 pac_opaque
= ticket
+ 4;
146 if (pac_opaque_len
< 8 || pac_opaque_len
% 8 ||
147 pac_opaque_len
> len
- 4) {
148 wpa_printf(MSG_DEBUG
, "EAP-FAST: Ignore invalid PAC-Opaque "
149 "(len=%lu left=%lu)",
150 (unsigned long) pac_opaque_len
,
151 (unsigned long) len
);
154 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: Received PAC-Opaque",
155 pac_opaque
, pac_opaque_len
);
157 buf
= os_malloc(pac_opaque_len
- 8);
159 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to allocate memory "
160 "for decrypting PAC-Opaque");
164 if (aes_unwrap(data
->pac_opaque_encr
, sizeof(data
->pac_opaque_encr
),
165 (pac_opaque_len
- 8) / 8, pac_opaque
, buf
) < 0) {
166 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to decrypt "
170 * This may have been caused by server changing the PAC-Opaque
171 * encryption key, so just ignore this PAC-Opaque instead of
172 * failing the authentication completely. Provisioning can now
173 * be used to provision a new PAC.
178 end
= buf
+ pac_opaque_len
- 8;
179 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: Decrypted PAC-Opaque",
183 while (pos
+ 1 < end
) {
184 if (pos
+ 2 + pos
[1] > end
)
188 case PAC_OPAQUE_TYPE_PAD
:
190 case PAC_OPAQUE_TYPE_KEY
:
191 if (pos
[1] != EAP_FAST_PAC_KEY_LEN
) {
192 wpa_printf(MSG_DEBUG
, "EAP-FAST: Invalid "
193 "PAC-Key length %d", pos
[1]);
198 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: PAC-Key from "
199 "decrypted PAC-Opaque",
200 pac_key
, EAP_FAST_PAC_KEY_LEN
);
202 case PAC_OPAQUE_TYPE_LIFETIME
:
204 wpa_printf(MSG_DEBUG
, "EAP-FAST: Invalid "
205 "PAC-Key lifetime length %d",
210 lifetime
= WPA_GET_BE32(pos
+ 2);
212 case PAC_OPAQUE_TYPE_IDENTITY
:
214 identity_len
= pos
[1];
222 if (pac_key
== NULL
) {
223 wpa_printf(MSG_DEBUG
, "EAP-FAST: No PAC-Key included in "
230 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-FAST: Identity from "
231 "PAC-Opaque", identity
, identity_len
);
232 os_free(data
->identity
);
233 data
->identity
= os_malloc(identity_len
);
234 if (data
->identity
) {
235 os_memcpy(data
->identity
, identity
, identity_len
);
236 data
->identity_len
= identity_len
;
240 if (os_get_time(&now
) < 0 || lifetime
<= 0 || now
.sec
> lifetime
) {
241 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC-Key not valid anymore "
242 "(lifetime=%ld now=%ld)", lifetime
, now
.sec
);
243 data
->send_new_pac
= 2;
245 * Allow PAC to be used to allow a PAC update with some level
246 * of server authentication (i.e., do not fall back to full TLS
247 * handshake since we cannot be sure that the peer would be
248 * able to validate server certificate now). However, reject
249 * the authentication since the PAC was not valid anymore. Peer
250 * can connect again with the newly provisioned PAC after this.
252 } else if (lifetime
- now
.sec
< data
->pac_key_refresh_time
) {
253 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC-Key soft timeout; send "
254 "an update if authentication succeeds");
255 data
->send_new_pac
= 1;
258 eap_fast_derive_master_secret(pac_key
, server_random
, client_random
,
267 static void eap_fast_derive_key_auth(struct eap_sm
*sm
,
268 struct eap_fast_data
*data
)
272 /* RFC 4851, Section 5.1:
273 * Extra key material after TLS key_block: session_key_seed[40]
276 sks
= eap_fast_derive_key(sm
->ssl_ctx
, data
->ssl
.conn
, "key expansion",
279 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to derive "
285 * RFC 4851, Section 5.2:
286 * S-IMCK[0] = session_key_seed
288 wpa_hexdump_key(MSG_DEBUG
,
289 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
290 sks
, EAP_FAST_SKS_LEN
);
292 os_memcpy(data
->simck
, sks
, EAP_FAST_SIMCK_LEN
);
297 static void eap_fast_derive_key_provisioning(struct eap_sm
*sm
,
298 struct eap_fast_data
*data
)
300 os_free(data
->key_block_p
);
301 data
->key_block_p
= (struct eap_fast_key_block_provisioning
*)
302 eap_fast_derive_key(sm
->ssl_ctx
, data
->ssl
.conn
,
304 sizeof(*data
->key_block_p
));
305 if (data
->key_block_p
== NULL
) {
306 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to derive key block");
310 * RFC 4851, Section 5.2:
311 * S-IMCK[0] = session_key_seed
313 wpa_hexdump_key(MSG_DEBUG
,
314 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
315 data
->key_block_p
->session_key_seed
,
316 sizeof(data
->key_block_p
->session_key_seed
));
318 os_memcpy(data
->simck
, data
->key_block_p
->session_key_seed
,
320 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: server_challenge",
321 data
->key_block_p
->server_challenge
,
322 sizeof(data
->key_block_p
->server_challenge
));
323 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: client_challenge",
324 data
->key_block_p
->client_challenge
,
325 sizeof(data
->key_block_p
->client_challenge
));
329 static int eap_fast_get_phase2_key(struct eap_sm
*sm
,
330 struct eap_fast_data
*data
,
331 u8
*isk
, size_t isk_len
)
336 os_memset(isk
, 0, isk_len
);
338 if (data
->phase2_method
== NULL
|| data
->phase2_priv
== NULL
) {
339 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase 2 method not "
344 if (data
->phase2_method
->getKey
== NULL
)
347 if ((key
= data
->phase2_method
->getKey(sm
, data
->phase2_priv
,
348 &key_len
)) == NULL
) {
349 wpa_printf(MSG_DEBUG
, "EAP-FAST: Could not get key material "
354 if (key_len
> isk_len
)
357 data
->phase2_method
->vendor
== EAP_VENDOR_IETF
&&
358 data
->phase2_method
->method
== EAP_TYPE_MSCHAPV2
) {
360 * EAP-FAST uses reverse order for MS-MPPE keys when deriving
361 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct
362 * ISK for EAP-FAST cryptobinding.
364 os_memcpy(isk
, key
+ 16, 16);
365 os_memcpy(isk
+ 16, key
, 16);
367 os_memcpy(isk
, key
, key_len
);
374 static int eap_fast_update_icmk(struct eap_sm
*sm
, struct eap_fast_data
*data
)
376 u8 isk
[32], imck
[60];
378 wpa_printf(MSG_DEBUG
, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)",
379 data
->simck_idx
+ 1);
382 * RFC 4851, Section 5.2:
383 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
385 * S-IMCK[j] = first 40 octets of IMCK[j]
386 * CMK[j] = last 20 octets of IMCK[j]
389 if (eap_fast_get_phase2_key(sm
, data
, isk
, sizeof(isk
)) < 0)
391 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-FAST: ISK[j]", isk
, sizeof(isk
));
392 sha1_t_prf(data
->simck
, EAP_FAST_SIMCK_LEN
,
393 "Inner Methods Compound Keys",
394 isk
, sizeof(isk
), imck
, sizeof(imck
));
396 os_memcpy(data
->simck
, imck
, EAP_FAST_SIMCK_LEN
);
397 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-FAST: S-IMCK[j]",
398 data
->simck
, EAP_FAST_SIMCK_LEN
);
399 os_memcpy(data
->cmk
, imck
+ EAP_FAST_SIMCK_LEN
, EAP_FAST_CMK_LEN
);
400 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-FAST: CMK[j]",
401 data
->cmk
, EAP_FAST_CMK_LEN
);
407 static void * eap_fast_init(struct eap_sm
*sm
)
409 struct eap_fast_data
*data
;
411 TLS_CIPHER_ANON_DH_AES128_SHA
,
412 TLS_CIPHER_AES128_SHA
,
413 TLS_CIPHER_RSA_DHE_AES128_SHA
,
418 data
= os_zalloc(sizeof(*data
));
421 data
->fast_version
= EAP_FAST_VERSION
;
422 data
->force_version
= -1;
423 if (sm
->user
&& sm
->user
->force_version
>= 0) {
424 data
->force_version
= sm
->user
->force_version
;
425 wpa_printf(MSG_DEBUG
, "EAP-FAST: forcing version %d",
426 data
->force_version
);
427 data
->fast_version
= data
->force_version
;
431 if (eap_server_tls_ssl_init(sm
, &data
->ssl
, 0, EAP_TYPE_FAST
)) {
432 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to initialize SSL.");
433 eap_fast_reset(sm
, data
);
437 if (tls_connection_set_cipher_list(sm
->ssl_ctx
, data
->ssl
.conn
,
439 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to set TLS cipher "
441 eap_fast_reset(sm
, data
);
445 if (tls_connection_set_session_ticket_cb(sm
->ssl_ctx
, data
->ssl
.conn
,
446 eap_fast_session_ticket_cb
,
448 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to set SessionTicket "
450 eap_fast_reset(sm
, data
);
454 if (sm
->pac_opaque_encr_key
== NULL
) {
455 wpa_printf(MSG_INFO
, "EAP-FAST: No PAC-Opaque encryption key "
457 eap_fast_reset(sm
, data
);
460 os_memcpy(data
->pac_opaque_encr
, sm
->pac_opaque_encr_key
,
461 sizeof(data
->pac_opaque_encr
));
463 if (sm
->eap_fast_a_id
== NULL
) {
464 wpa_printf(MSG_INFO
, "EAP-FAST: No A-ID configured");
465 eap_fast_reset(sm
, data
);
468 data
->srv_id
= os_malloc(sm
->eap_fast_a_id_len
);
469 if (data
->srv_id
== NULL
) {
470 eap_fast_reset(sm
, data
);
473 os_memcpy(data
->srv_id
, sm
->eap_fast_a_id
, sm
->eap_fast_a_id_len
);
474 data
->srv_id_len
= sm
->eap_fast_a_id_len
;
476 if (sm
->eap_fast_a_id_info
== NULL
) {
477 wpa_printf(MSG_INFO
, "EAP-FAST: No A-ID-Info configured");
478 eap_fast_reset(sm
, data
);
481 data
->srv_id_info
= os_strdup(sm
->eap_fast_a_id_info
);
482 if (data
->srv_id_info
== NULL
) {
483 eap_fast_reset(sm
, data
);
487 /* PAC-Key lifetime in seconds (hard limit) */
488 data
->pac_key_lifetime
= sm
->pac_key_lifetime
;
491 * PAC-Key refresh time in seconds (soft limit on remaining hard
492 * limit). The server will generate a new PAC-Key when this number of
493 * seconds (or fewer) of the lifetime remains.
495 data
->pac_key_refresh_time
= sm
->pac_key_refresh_time
;
501 static void eap_fast_reset(struct eap_sm
*sm
, void *priv
)
503 struct eap_fast_data
*data
= priv
;
506 if (data
->phase2_priv
&& data
->phase2_method
)
507 data
->phase2_method
->reset(sm
, data
->phase2_priv
);
508 eap_server_tls_ssl_deinit(sm
, &data
->ssl
);
509 os_free(data
->srv_id
);
510 os_free(data
->srv_id_info
);
511 os_free(data
->key_block_p
);
512 wpabuf_free(data
->pending_phase2_resp
);
513 os_free(data
->identity
);
514 bin_clear_free(data
, sizeof(*data
));
518 static struct wpabuf
* eap_fast_build_start(struct eap_sm
*sm
,
519 struct eap_fast_data
*data
, u8 id
)
523 req
= eap_msg_alloc(EAP_VENDOR_IETF
, EAP_TYPE_FAST
,
524 1 + sizeof(struct pac_tlv_hdr
) + data
->srv_id_len
,
525 EAP_CODE_REQUEST
, id
);
527 wpa_printf(MSG_ERROR
, "EAP-FAST: Failed to allocate memory for"
529 eap_fast_state(data
, FAILURE
);
533 wpabuf_put_u8(req
, EAP_TLS_FLAGS_START
| data
->fast_version
);
535 /* RFC 4851, 4.1.1. Authority ID Data */
536 eap_fast_put_tlv(req
, PAC_TYPE_A_ID
, data
->srv_id
, data
->srv_id_len
);
538 eap_fast_state(data
, PHASE1
);
544 static int eap_fast_phase1_done(struct eap_sm
*sm
, struct eap_fast_data
*data
)
548 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase1 done, starting Phase2");
550 if (tls_get_cipher(sm
->ssl_ctx
, data
->ssl
.conn
, cipher
, sizeof(cipher
))
552 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to get cipher "
554 eap_fast_state(data
, FAILURE
);
557 data
->anon_provisioning
= os_strstr(cipher
, "ADH") != NULL
;
559 if (data
->anon_provisioning
) {
560 wpa_printf(MSG_DEBUG
, "EAP-FAST: Anonymous provisioning");
561 eap_fast_derive_key_provisioning(sm
, data
);
563 eap_fast_derive_key_auth(sm
, data
);
565 eap_fast_state(data
, PHASE2_START
);
571 static struct wpabuf
* eap_fast_build_phase2_req(struct eap_sm
*sm
,
572 struct eap_fast_data
*data
,
577 if (data
->phase2_priv
== NULL
) {
578 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase 2 method not "
582 req
= data
->phase2_method
->buildReq(sm
, data
->phase2_priv
, id
);
586 wpa_hexdump_buf_key(MSG_MSGDUMP
, "EAP-FAST: Phase 2 EAP-Request", req
);
587 return eap_fast_tlv_eap_payload(req
);
591 static struct wpabuf
* eap_fast_build_crypto_binding(
592 struct eap_sm
*sm
, struct eap_fast_data
*data
)
595 struct eap_tlv_result_tlv
*result
;
596 struct eap_tlv_crypto_binding_tlv
*binding
;
598 buf
= wpabuf_alloc(2 * sizeof(*result
) + sizeof(*binding
));
602 if (data
->send_new_pac
|| data
->anon_provisioning
||
604 data
->final_result
= 0;
606 data
->final_result
= 1;
608 if (!data
->final_result
|| data
->eap_seq
> 1) {
609 /* Intermediate-Result */
610 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Intermediate-Result TLV "
612 result
= wpabuf_put(buf
, sizeof(*result
));
613 result
->tlv_type
= host_to_be16(
614 EAP_TLV_TYPE_MANDATORY
|
615 EAP_TLV_INTERMEDIATE_RESULT_TLV
);
616 result
->length
= host_to_be16(2);
617 result
->status
= host_to_be16(EAP_TLV_RESULT_SUCCESS
);
620 if (data
->final_result
) {
622 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Result TLV "
624 result
= wpabuf_put(buf
, sizeof(*result
));
625 result
->tlv_type
= host_to_be16(EAP_TLV_TYPE_MANDATORY
|
627 result
->length
= host_to_be16(2);
628 result
->status
= host_to_be16(EAP_TLV_RESULT_SUCCESS
);
631 /* Crypto-Binding TLV */
632 binding
= wpabuf_put(buf
, sizeof(*binding
));
633 binding
->tlv_type
= host_to_be16(EAP_TLV_TYPE_MANDATORY
|
634 EAP_TLV_CRYPTO_BINDING_TLV
);
635 binding
->length
= host_to_be16(sizeof(*binding
) -
636 sizeof(struct eap_tlv_hdr
));
637 binding
->version
= EAP_FAST_VERSION
;
638 binding
->received_version
= data
->peer_version
;
639 binding
->subtype
= EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST
;
640 if (random_get_bytes(binding
->nonce
, sizeof(binding
->nonce
)) < 0) {
646 * RFC 4851, Section 4.2.8:
647 * The nonce in a request MUST have its least significant bit set to 0.
649 binding
->nonce
[sizeof(binding
->nonce
) - 1] &= ~0x01;
651 os_memcpy(data
->crypto_binding_nonce
, binding
->nonce
,
652 sizeof(binding
->nonce
));
655 * RFC 4851, Section 5.3:
657 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV )
660 hmac_sha1(data
->cmk
, EAP_FAST_CMK_LEN
,
661 (u8
*) binding
, sizeof(*binding
),
662 binding
->compound_mac
);
664 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Crypto-Binding TLV: Version %d "
665 "Received Version %d SubType %d",
666 binding
->version
, binding
->received_version
,
668 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: NONCE",
669 binding
->nonce
, sizeof(binding
->nonce
));
670 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: Compound MAC",
671 binding
->compound_mac
, sizeof(binding
->compound_mac
));
677 static struct wpabuf
* eap_fast_build_pac(struct eap_sm
*sm
,
678 struct eap_fast_data
*data
)
680 u8 pac_key
[EAP_FAST_PAC_KEY_LEN
];
681 u8
*pac_buf
, *pac_opaque
;
684 size_t buf_len
, srv_id_info_len
, pac_len
;
685 struct eap_tlv_hdr
*pac_tlv
;
686 struct pac_tlv_hdr
*pac_info
;
687 struct eap_tlv_result_tlv
*result
;
690 if (random_get_bytes(pac_key
, EAP_FAST_PAC_KEY_LEN
) < 0 ||
691 os_get_time(&now
) < 0)
693 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: Generated PAC-Key",
694 pac_key
, EAP_FAST_PAC_KEY_LEN
);
696 pac_len
= (2 + EAP_FAST_PAC_KEY_LEN
) + (2 + 4) +
697 (2 + sm
->identity_len
) + 8;
698 pac_buf
= os_malloc(pac_len
);
702 srv_id_info_len
= os_strlen(data
->srv_id_info
);
705 *pos
++ = PAC_OPAQUE_TYPE_KEY
;
706 *pos
++ = EAP_FAST_PAC_KEY_LEN
;
707 os_memcpy(pos
, pac_key
, EAP_FAST_PAC_KEY_LEN
);
708 pos
+= EAP_FAST_PAC_KEY_LEN
;
710 *pos
++ = PAC_OPAQUE_TYPE_LIFETIME
;
712 WPA_PUT_BE32(pos
, now
.sec
+ data
->pac_key_lifetime
);
716 *pos
++ = PAC_OPAQUE_TYPE_IDENTITY
;
717 *pos
++ = sm
->identity_len
;
718 os_memcpy(pos
, sm
->identity
, sm
->identity_len
);
719 pos
+= sm
->identity_len
;
722 pac_len
= pos
- pac_buf
;
723 while (pac_len
% 8) {
724 *pos
++ = PAC_OPAQUE_TYPE_PAD
;
728 pac_opaque
= os_malloc(pac_len
+ 8);
729 if (pac_opaque
== NULL
) {
733 if (aes_wrap(data
->pac_opaque_encr
, sizeof(data
->pac_opaque_encr
),
734 pac_len
/ 8, pac_buf
, pac_opaque
) < 0) {
742 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: PAC-Opaque",
743 pac_opaque
, pac_len
);
745 buf_len
= sizeof(*pac_tlv
) +
746 sizeof(struct pac_tlv_hdr
) + EAP_FAST_PAC_KEY_LEN
+
747 sizeof(struct pac_tlv_hdr
) + pac_len
+
748 data
->srv_id_len
+ srv_id_info_len
+ 100 + sizeof(*result
);
749 buf
= wpabuf_alloc(buf_len
);
756 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Result TLV (status=SUCCESS)");
757 result
= wpabuf_put(buf
, sizeof(*result
));
758 WPA_PUT_BE16((u8
*) &result
->tlv_type
,
759 EAP_TLV_TYPE_MANDATORY
| EAP_TLV_RESULT_TLV
);
760 WPA_PUT_BE16((u8
*) &result
->length
, 2);
761 WPA_PUT_BE16((u8
*) &result
->status
, EAP_TLV_RESULT_SUCCESS
);
764 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add PAC TLV");
765 pac_tlv
= wpabuf_put(buf
, sizeof(*pac_tlv
));
766 pac_tlv
->tlv_type
= host_to_be16(EAP_TLV_TYPE_MANDATORY
|
770 eap_fast_put_tlv(buf
, PAC_TYPE_PAC_KEY
, pac_key
, EAP_FAST_PAC_KEY_LEN
);
773 eap_fast_put_tlv(buf
, PAC_TYPE_PAC_OPAQUE
, pac_opaque
, pac_len
);
777 pac_info
= wpabuf_put(buf
, sizeof(*pac_info
));
778 pac_info
->type
= host_to_be16(PAC_TYPE_PAC_INFO
);
780 /* PAC-Lifetime (inside PAC-Info) */
781 eap_fast_put_tlv_hdr(buf
, PAC_TYPE_CRED_LIFETIME
, 4);
782 wpabuf_put_be32(buf
, now
.sec
+ data
->pac_key_lifetime
);
784 /* A-ID (inside PAC-Info) */
785 eap_fast_put_tlv(buf
, PAC_TYPE_A_ID
, data
->srv_id
, data
->srv_id_len
);
787 /* Note: headers may be misaligned after A-ID */
790 eap_fast_put_tlv(buf
, PAC_TYPE_I_ID
, sm
->identity
,
794 /* A-ID-Info (inside PAC-Info) */
795 eap_fast_put_tlv(buf
, PAC_TYPE_A_ID_INFO
, data
->srv_id_info
,
798 /* PAC-Type (inside PAC-Info) */
799 eap_fast_put_tlv_hdr(buf
, PAC_TYPE_PAC_TYPE
, 2);
800 wpabuf_put_be16(buf
, PAC_TYPE_TUNNEL_PAC
);
802 /* Update PAC-Info and PAC TLV Length fields */
803 pos
= wpabuf_put(buf
, 0);
804 pac_info
->len
= host_to_be16(pos
- (u8
*) (pac_info
+ 1));
805 pac_tlv
->length
= host_to_be16(pos
- (u8
*) (pac_tlv
+ 1));
811 static int eap_fast_encrypt_phase2(struct eap_sm
*sm
,
812 struct eap_fast_data
*data
,
813 struct wpabuf
*plain
, int piggyback
)
817 wpa_hexdump_buf_key(MSG_DEBUG
, "EAP-FAST: Encrypting Phase 2 TLVs",
819 encr
= eap_server_tls_encrypt(sm
, &data
->ssl
, plain
);
825 if (data
->ssl
.tls_out
&& piggyback
) {
826 wpa_printf(MSG_DEBUG
, "EAP-FAST: Piggyback Phase 2 data "
827 "(len=%d) with last Phase 1 Message (len=%d "
829 (int) wpabuf_len(encr
),
830 (int) wpabuf_len(data
->ssl
.tls_out
),
831 (int) data
->ssl
.tls_out_pos
);
832 if (wpabuf_resize(&data
->ssl
.tls_out
, wpabuf_len(encr
)) < 0) {
833 wpa_printf(MSG_WARNING
, "EAP-FAST: Failed to resize "
838 wpabuf_put_buf(data
->ssl
.tls_out
, encr
);
841 wpabuf_free(data
->ssl
.tls_out
);
842 data
->ssl
.tls_out_pos
= 0;
843 data
->ssl
.tls_out
= encr
;
850 static struct wpabuf
* eap_fast_buildReq(struct eap_sm
*sm
, void *priv
, u8 id
)
852 struct eap_fast_data
*data
= priv
;
853 struct wpabuf
*req
= NULL
;
856 if (data
->ssl
.state
== FRAG_ACK
) {
857 return eap_server_tls_build_ack(id
, EAP_TYPE_FAST
,
861 if (data
->ssl
.state
== WAIT_FRAG_ACK
) {
862 return eap_server_tls_build_msg(&data
->ssl
, EAP_TYPE_FAST
,
863 data
->fast_version
, id
);
866 switch (data
->state
) {
868 return eap_fast_build_start(sm
, data
, id
);
870 if (tls_connection_established(sm
->ssl_ctx
, data
->ssl
.conn
)) {
871 if (eap_fast_phase1_done(sm
, data
) < 0)
873 if (data
->state
== PHASE2_START
) {
875 * Try to generate Phase 2 data to piggyback
876 * with the end of Phase 1 to avoid extra
879 wpa_printf(MSG_DEBUG
, "EAP-FAST: Try to start "
881 if (eap_fast_process_phase2_start(sm
, data
))
883 req
= eap_fast_build_phase2_req(sm
, data
, id
);
890 req
= eap_fast_build_phase2_req(sm
, data
, id
);
893 req
= eap_fast_build_crypto_binding(sm
, data
);
894 if (data
->phase2_method
) {
896 * Include the start of the next EAP method in the
897 * sequence in the same message with Crypto-Binding to
901 eap
= eap_fast_build_phase2_req(sm
, data
, id
);
902 req
= wpabuf_concat(req
, eap
);
903 eap_fast_state(data
, PHASE2_METHOD
);
907 req
= eap_fast_build_pac(sm
, data
);
910 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s - unexpected state %d",
911 __func__
, data
->state
);
916 eap_fast_encrypt_phase2(sm
, data
, req
, piggyback
) < 0)
919 return eap_server_tls_build_msg(&data
->ssl
, EAP_TYPE_FAST
,
920 data
->fast_version
, id
);
924 static Boolean
eap_fast_check(struct eap_sm
*sm
, void *priv
,
925 struct wpabuf
*respData
)
930 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, EAP_TYPE_FAST
, respData
, &len
);
931 if (pos
== NULL
|| len
< 1) {
932 wpa_printf(MSG_INFO
, "EAP-FAST: Invalid frame");
940 static int eap_fast_phase2_init(struct eap_sm
*sm
, struct eap_fast_data
*data
,
943 if (data
->phase2_priv
&& data
->phase2_method
) {
944 data
->phase2_method
->reset(sm
, data
->phase2_priv
);
945 data
->phase2_method
= NULL
;
946 data
->phase2_priv
= NULL
;
948 data
->phase2_method
= eap_server_get_eap_method(EAP_VENDOR_IETF
,
950 if (!data
->phase2_method
)
953 if (data
->key_block_p
) {
954 sm
->auth_challenge
= data
->key_block_p
->server_challenge
;
955 sm
->peer_challenge
= data
->key_block_p
->client_challenge
;
958 data
->phase2_priv
= data
->phase2_method
->init(sm
);
960 sm
->auth_challenge
= NULL
;
961 sm
->peer_challenge
= NULL
;
963 return data
->phase2_priv
== NULL
? -1 : 0;
967 static void eap_fast_process_phase2_response(struct eap_sm
*sm
,
968 struct eap_fast_data
*data
,
969 u8
*in_data
, size_t in_len
)
971 u8 next_type
= EAP_TYPE_NONE
;
976 const struct eap_method
*m
= data
->phase2_method
;
977 void *priv
= data
->phase2_priv
;
980 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s - Phase2 not "
981 "initialized?!", __func__
);
985 hdr
= (struct eap_hdr
*) in_data
;
986 pos
= (u8
*) (hdr
+ 1);
988 if (in_len
> sizeof(*hdr
) && *pos
== EAP_TYPE_NAK
) {
989 left
= in_len
- sizeof(*hdr
);
990 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: Phase2 type Nak'ed; "
991 "allowed types", pos
+ 1, left
- 1);
992 #ifdef EAP_SERVER_TNC
993 if (m
&& m
->vendor
== EAP_VENDOR_IETF
&&
994 m
->method
== EAP_TYPE_TNC
) {
995 wpa_printf(MSG_DEBUG
, "EAP-FAST: Peer Nak'ed required "
997 next_type
= eap_fast_req_failure(sm
, data
);
998 eap_fast_phase2_init(sm
, data
, next_type
);
1001 #endif /* EAP_SERVER_TNC */
1002 eap_sm_process_nak(sm
, pos
+ 1, left
- 1);
1003 if (sm
->user
&& sm
->user_eap_method_index
< EAP_MAX_METHODS
&&
1004 sm
->user
->methods
[sm
->user_eap_method_index
].method
!=
1006 next_type
= sm
->user
->methods
[
1007 sm
->user_eap_method_index
++].method
;
1008 wpa_printf(MSG_DEBUG
, "EAP-FAST: try EAP type %d",
1011 next_type
= eap_fast_req_failure(sm
, data
);
1013 eap_fast_phase2_init(sm
, data
, next_type
);
1017 wpabuf_set(&buf
, in_data
, in_len
);
1019 if (m
->check(sm
, priv
, &buf
)) {
1020 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase2 check() asked to "
1021 "ignore the packet");
1022 eap_fast_req_failure(sm
, data
);
1026 m
->process(sm
, priv
, &buf
);
1028 if (!m
->isDone(sm
, priv
))
1031 if (!m
->isSuccess(sm
, priv
)) {
1032 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase2 method failed");
1033 next_type
= eap_fast_req_failure(sm
, data
);
1034 eap_fast_phase2_init(sm
, data
, next_type
);
1038 switch (data
->state
) {
1040 if (eap_user_get(sm
, sm
->identity
, sm
->identity_len
, 1) != 0) {
1041 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-FAST: Phase2 "
1042 "Identity not found in the user "
1044 sm
->identity
, sm
->identity_len
);
1045 next_type
= eap_fast_req_failure(sm
, data
);
1049 eap_fast_state(data
, PHASE2_METHOD
);
1050 if (data
->anon_provisioning
) {
1052 * Only EAP-MSCHAPv2 is allowed for anonymous
1055 next_type
= EAP_TYPE_MSCHAPV2
;
1056 sm
->user_eap_method_index
= 0;
1058 next_type
= sm
->user
->methods
[0].method
;
1059 sm
->user_eap_method_index
= 1;
1061 wpa_printf(MSG_DEBUG
, "EAP-FAST: try EAP type %d", next_type
);
1064 case CRYPTO_BINDING
:
1065 eap_fast_update_icmk(sm
, data
);
1066 eap_fast_state(data
, CRYPTO_BINDING
);
1068 next_type
= EAP_TYPE_NONE
;
1069 #ifdef EAP_SERVER_TNC
1070 if (sm
->tnc
&& !data
->tnc_started
) {
1071 wpa_printf(MSG_DEBUG
, "EAP-FAST: Initialize TNC");
1072 next_type
= EAP_TYPE_TNC
;
1073 data
->tnc_started
= 1;
1075 #endif /* EAP_SERVER_TNC */
1080 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s - unexpected state %d",
1081 __func__
, data
->state
);
1085 eap_fast_phase2_init(sm
, data
, next_type
);
1089 static void eap_fast_process_phase2_eap(struct eap_sm
*sm
,
1090 struct eap_fast_data
*data
,
1091 u8
*in_data
, size_t in_len
)
1093 struct eap_hdr
*hdr
;
1096 hdr
= (struct eap_hdr
*) in_data
;
1097 if (in_len
< (int) sizeof(*hdr
)) {
1098 wpa_printf(MSG_INFO
, "EAP-FAST: Too short Phase 2 "
1099 "EAP frame (len=%lu)", (unsigned long) in_len
);
1100 eap_fast_req_failure(sm
, data
);
1103 len
= be_to_host16(hdr
->length
);
1105 wpa_printf(MSG_INFO
, "EAP-FAST: Length mismatch in "
1106 "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1107 (unsigned long) in_len
, (unsigned long) len
);
1108 eap_fast_req_failure(sm
, data
);
1111 wpa_printf(MSG_DEBUG
, "EAP-FAST: Received Phase 2: code=%d "
1112 "identifier=%d length=%lu", hdr
->code
, hdr
->identifier
,
1113 (unsigned long) len
);
1114 switch (hdr
->code
) {
1115 case EAP_CODE_RESPONSE
:
1116 eap_fast_process_phase2_response(sm
, data
, (u8
*) hdr
, len
);
1119 wpa_printf(MSG_INFO
, "EAP-FAST: Unexpected code=%d in "
1120 "Phase 2 EAP header", hdr
->code
);
1126 static int eap_fast_parse_tlvs(struct wpabuf
*data
,
1127 struct eap_fast_tlv_parse
*tlv
)
1129 int mandatory
, tlv_type
, res
;
1133 os_memset(tlv
, 0, sizeof(*tlv
));
1135 pos
= wpabuf_mhead(data
);
1136 end
= pos
+ wpabuf_len(data
);
1137 while (pos
+ 4 < end
) {
1138 mandatory
= pos
[0] & 0x80;
1139 tlv_type
= WPA_GET_BE16(pos
) & 0x3fff;
1141 len
= WPA_GET_BE16(pos
);
1143 if (len
> (size_t) (end
- pos
)) {
1144 wpa_printf(MSG_INFO
, "EAP-FAST: TLV overflow");
1147 wpa_printf(MSG_DEBUG
, "EAP-FAST: Received Phase 2: "
1148 "TLV type %d length %u%s",
1149 tlv_type
, (unsigned int) len
,
1150 mandatory
? " (mandatory)" : "");
1152 res
= eap_fast_parse_tlv(tlv
, tlv_type
, pos
, len
);
1157 wpa_printf(MSG_DEBUG
, "EAP-FAST: Nak unknown "
1158 "mandatory TLV type %d", tlv_type
);
1159 /* TODO: generate Nak TLV */
1162 wpa_printf(MSG_DEBUG
, "EAP-FAST: Ignored "
1163 "unknown optional TLV type %d",
1175 static int eap_fast_validate_crypto_binding(
1176 struct eap_fast_data
*data
, struct eap_tlv_crypto_binding_tlv
*b
,
1179 u8 cmac
[SHA1_MAC_LEN
];
1181 wpa_printf(MSG_DEBUG
, "EAP-FAST: Reply Crypto-Binding TLV: "
1182 "Version %d Received Version %d SubType %d",
1183 b
->version
, b
->received_version
, b
->subtype
);
1184 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: NONCE",
1185 b
->nonce
, sizeof(b
->nonce
));
1186 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: Compound MAC",
1187 b
->compound_mac
, sizeof(b
->compound_mac
));
1189 if (b
->version
!= EAP_FAST_VERSION
||
1190 b
->received_version
!= EAP_FAST_VERSION
) {
1191 wpa_printf(MSG_DEBUG
, "EAP-FAST: Unexpected version "
1192 "in Crypto-Binding: version %d "
1193 "received_version %d", b
->version
,
1194 b
->received_version
);
1198 if (b
->subtype
!= EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE
) {
1199 wpa_printf(MSG_DEBUG
, "EAP-FAST: Unexpected subtype in "
1200 "Crypto-Binding: %d", b
->subtype
);
1204 if (os_memcmp_const(data
->crypto_binding_nonce
, b
->nonce
, 31) != 0 ||
1205 (data
->crypto_binding_nonce
[31] | 1) != b
->nonce
[31]) {
1206 wpa_printf(MSG_DEBUG
, "EAP-FAST: Invalid nonce in "
1211 os_memcpy(cmac
, b
->compound_mac
, sizeof(cmac
));
1212 os_memset(b
->compound_mac
, 0, sizeof(cmac
));
1213 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: Crypto-Binding TLV for "
1214 "Compound MAC calculation",
1215 (u8
*) b
, bind_len
);
1216 hmac_sha1(data
->cmk
, EAP_FAST_CMK_LEN
, (u8
*) b
, bind_len
,
1218 if (os_memcmp_const(cmac
, b
->compound_mac
, sizeof(cmac
)) != 0) {
1219 wpa_hexdump(MSG_MSGDUMP
,
1220 "EAP-FAST: Calculated Compound MAC",
1221 b
->compound_mac
, sizeof(cmac
));
1222 wpa_printf(MSG_INFO
, "EAP-FAST: Compound MAC did not "
1231 static int eap_fast_pac_type(u8
*pac
, size_t len
, u16 type
)
1233 struct eap_tlv_pac_type_tlv
*tlv
;
1235 if (pac
== NULL
|| len
!= sizeof(*tlv
))
1238 tlv
= (struct eap_tlv_pac_type_tlv
*) pac
;
1240 return be_to_host16(tlv
->tlv_type
) == PAC_TYPE_PAC_TYPE
&&
1241 be_to_host16(tlv
->length
) == 2 &&
1242 be_to_host16(tlv
->pac_type
) == type
;
1246 static void eap_fast_process_phase2_tlvs(struct eap_sm
*sm
,
1247 struct eap_fast_data
*data
,
1248 struct wpabuf
*in_data
)
1250 struct eap_fast_tlv_parse tlv
;
1251 int check_crypto_binding
= data
->state
== CRYPTO_BINDING
;
1253 if (eap_fast_parse_tlvs(in_data
, &tlv
) < 0) {
1254 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to parse received "
1259 if (tlv
.result
== EAP_TLV_RESULT_FAILURE
) {
1260 wpa_printf(MSG_DEBUG
, "EAP-FAST: Result TLV indicated "
1262 eap_fast_state(data
, FAILURE
);
1266 if (data
->state
== REQUEST_PAC
) {
1268 if (tlv
.pac
== NULL
|| tlv
.pac_len
< 6) {
1269 wpa_printf(MSG_DEBUG
, "EAP-FAST: No PAC "
1270 "Acknowledgement received");
1271 eap_fast_state(data
, FAILURE
);
1275 type
= WPA_GET_BE16(tlv
.pac
);
1276 len
= WPA_GET_BE16(tlv
.pac
+ 2);
1277 res
= WPA_GET_BE16(tlv
.pac
+ 4);
1279 if (type
!= PAC_TYPE_PAC_ACKNOWLEDGEMENT
|| len
!= 2 ||
1280 res
!= EAP_TLV_RESULT_SUCCESS
) {
1281 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC TLV did not "
1282 "contain acknowledgement");
1283 eap_fast_state(data
, FAILURE
);
1287 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC-Acknowledgement received "
1288 "- PAC provisioning succeeded");
1289 eap_fast_state(data
, (data
->anon_provisioning
||
1290 data
->send_new_pac
== 2) ?
1295 if (check_crypto_binding
) {
1296 if (tlv
.crypto_binding
== NULL
) {
1297 wpa_printf(MSG_DEBUG
, "EAP-FAST: No Crypto-Binding "
1299 eap_fast_state(data
, FAILURE
);
1303 if (data
->final_result
&&
1304 tlv
.result
!= EAP_TLV_RESULT_SUCCESS
) {
1305 wpa_printf(MSG_DEBUG
, "EAP-FAST: Crypto-Binding TLV "
1306 "without Success Result");
1307 eap_fast_state(data
, FAILURE
);
1311 if (!data
->final_result
&&
1312 tlv
.iresult
!= EAP_TLV_RESULT_SUCCESS
) {
1313 wpa_printf(MSG_DEBUG
, "EAP-FAST: Crypto-Binding TLV "
1314 "without intermediate Success Result");
1315 eap_fast_state(data
, FAILURE
);
1319 if (eap_fast_validate_crypto_binding(data
, tlv
.crypto_binding
,
1320 tlv
.crypto_binding_len
)) {
1321 eap_fast_state(data
, FAILURE
);
1325 wpa_printf(MSG_DEBUG
, "EAP-FAST: Valid Crypto-Binding TLV "
1327 if (data
->final_result
) {
1328 wpa_printf(MSG_DEBUG
, "EAP-FAST: Authentication "
1329 "completed successfully");
1332 if (data
->anon_provisioning
&&
1333 sm
->eap_fast_prov
!= ANON_PROV
&&
1334 sm
->eap_fast_prov
!= BOTH_PROV
) {
1335 wpa_printf(MSG_DEBUG
, "EAP-FAST: Client is trying to "
1336 "use unauthenticated provisioning which is "
1338 eap_fast_state(data
, FAILURE
);
1342 if (sm
->eap_fast_prov
!= AUTH_PROV
&&
1343 sm
->eap_fast_prov
!= BOTH_PROV
&&
1344 tlv
.request_action
== EAP_TLV_ACTION_PROCESS_TLV
&&
1345 eap_fast_pac_type(tlv
.pac
, tlv
.pac_len
,
1346 PAC_TYPE_TUNNEL_PAC
)) {
1347 wpa_printf(MSG_DEBUG
, "EAP-FAST: Client is trying to "
1348 "use authenticated provisioning which is "
1350 eap_fast_state(data
, FAILURE
);
1354 if (data
->anon_provisioning
||
1355 (tlv
.request_action
== EAP_TLV_ACTION_PROCESS_TLV
&&
1356 eap_fast_pac_type(tlv
.pac
, tlv
.pac_len
,
1357 PAC_TYPE_TUNNEL_PAC
))) {
1358 wpa_printf(MSG_DEBUG
, "EAP-FAST: Requested a new "
1360 eap_fast_state(data
, REQUEST_PAC
);
1361 } else if (data
->send_new_pac
) {
1362 wpa_printf(MSG_DEBUG
, "EAP-FAST: Server triggered "
1363 "re-keying of Tunnel PAC");
1364 eap_fast_state(data
, REQUEST_PAC
);
1365 } else if (data
->final_result
)
1366 eap_fast_state(data
, SUCCESS
);
1369 if (tlv
.eap_payload_tlv
) {
1370 eap_fast_process_phase2_eap(sm
, data
, tlv
.eap_payload_tlv
,
1371 tlv
.eap_payload_tlv_len
);
1376 static void eap_fast_process_phase2(struct eap_sm
*sm
,
1377 struct eap_fast_data
*data
,
1378 struct wpabuf
*in_buf
)
1380 struct wpabuf
*in_decrypted
;
1382 wpa_printf(MSG_DEBUG
, "EAP-FAST: Received %lu bytes encrypted data for"
1383 " Phase 2", (unsigned long) wpabuf_len(in_buf
));
1385 if (data
->pending_phase2_resp
) {
1386 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Pending Phase 2 response - "
1387 "skip decryption and use old data");
1388 eap_fast_process_phase2_tlvs(sm
, data
,
1389 data
->pending_phase2_resp
);
1390 wpabuf_free(data
->pending_phase2_resp
);
1391 data
->pending_phase2_resp
= NULL
;
1395 in_decrypted
= tls_connection_decrypt(sm
->ssl_ctx
, data
->ssl
.conn
,
1397 if (in_decrypted
== NULL
) {
1398 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to decrypt Phase 2 "
1400 eap_fast_state(data
, FAILURE
);
1404 wpa_hexdump_buf_key(MSG_DEBUG
, "EAP-FAST: Decrypted Phase 2 TLVs",
1407 eap_fast_process_phase2_tlvs(sm
, data
, in_decrypted
);
1409 if (sm
->method_pending
== METHOD_PENDING_WAIT
) {
1410 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase2 method is in "
1411 "pending wait state - save decrypted response");
1412 wpabuf_free(data
->pending_phase2_resp
);
1413 data
->pending_phase2_resp
= in_decrypted
;
1417 wpabuf_free(in_decrypted
);
1421 static int eap_fast_process_version(struct eap_sm
*sm
, void *priv
,
1424 struct eap_fast_data
*data
= priv
;
1426 data
->peer_version
= peer_version
;
1428 if (data
->force_version
>= 0 && peer_version
!= data
->force_version
) {
1429 wpa_printf(MSG_INFO
, "EAP-FAST: peer did not select the forced"
1430 " version (forced=%d peer=%d) - reject",
1431 data
->force_version
, peer_version
);
1435 if (peer_version
< data
->fast_version
) {
1436 wpa_printf(MSG_DEBUG
, "EAP-FAST: peer ver=%d, own ver=%d; "
1438 peer_version
, data
->fast_version
, peer_version
);
1439 data
->fast_version
= peer_version
;
1446 static int eap_fast_process_phase1(struct eap_sm
*sm
,
1447 struct eap_fast_data
*data
)
1449 if (eap_server_tls_phase1(sm
, &data
->ssl
) < 0) {
1450 wpa_printf(MSG_INFO
, "EAP-FAST: TLS processing failed");
1451 eap_fast_state(data
, FAILURE
);
1455 if (!tls_connection_established(sm
->ssl_ctx
, data
->ssl
.conn
) ||
1456 wpabuf_len(data
->ssl
.tls_out
) > 0)
1460 * Phase 1 was completed with the received message (e.g., when using
1461 * abbreviated handshake), so Phase 2 can be started immediately
1462 * without having to send through an empty message to the peer.
1465 return eap_fast_phase1_done(sm
, data
);
1469 static int eap_fast_process_phase2_start(struct eap_sm
*sm
,
1470 struct eap_fast_data
*data
)
1474 if (data
->identity
) {
1475 os_free(sm
->identity
);
1476 sm
->identity
= data
->identity
;
1477 data
->identity
= NULL
;
1478 sm
->identity_len
= data
->identity_len
;
1479 data
->identity_len
= 0;
1480 sm
->require_identity_match
= 1;
1481 if (eap_user_get(sm
, sm
->identity
, sm
->identity_len
, 1) != 0) {
1482 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-FAST: "
1483 "Phase2 Identity not found "
1484 "in the user database",
1485 sm
->identity
, sm
->identity_len
);
1486 next_type
= eap_fast_req_failure(sm
, data
);
1488 wpa_printf(MSG_DEBUG
, "EAP-FAST: Identity already "
1489 "known - skip Phase 2 Identity Request");
1490 next_type
= sm
->user
->methods
[0].method
;
1491 sm
->user_eap_method_index
= 1;
1494 eap_fast_state(data
, PHASE2_METHOD
);
1496 eap_fast_state(data
, PHASE2_ID
);
1497 next_type
= EAP_TYPE_IDENTITY
;
1500 return eap_fast_phase2_init(sm
, data
, next_type
);
1504 static void eap_fast_process_msg(struct eap_sm
*sm
, void *priv
,
1505 const struct wpabuf
*respData
)
1507 struct eap_fast_data
*data
= priv
;
1509 switch (data
->state
) {
1511 if (eap_fast_process_phase1(sm
, data
))
1514 /* fall through to PHASE2_START */
1516 eap_fast_process_phase2_start(sm
, data
);
1520 case CRYPTO_BINDING
:
1522 eap_fast_process_phase2(sm
, data
, data
->ssl
.tls_in
);
1525 wpa_printf(MSG_DEBUG
, "EAP-FAST: Unexpected state %d in %s",
1526 data
->state
, __func__
);
1532 static void eap_fast_process(struct eap_sm
*sm
, void *priv
,
1533 struct wpabuf
*respData
)
1535 struct eap_fast_data
*data
= priv
;
1536 if (eap_server_tls_process(sm
, &data
->ssl
, respData
, data
,
1537 EAP_TYPE_FAST
, eap_fast_process_version
,
1538 eap_fast_process_msg
) < 0)
1539 eap_fast_state(data
, FAILURE
);
1543 static Boolean
eap_fast_isDone(struct eap_sm
*sm
, void *priv
)
1545 struct eap_fast_data
*data
= priv
;
1546 return data
->state
== SUCCESS
|| data
->state
== FAILURE
;
1550 static u8
* eap_fast_getKey(struct eap_sm
*sm
, void *priv
, size_t *len
)
1552 struct eap_fast_data
*data
= priv
;
1555 if (data
->state
!= SUCCESS
)
1558 eapKeyData
= os_malloc(EAP_FAST_KEY_LEN
);
1559 if (eapKeyData
== NULL
)
1562 eap_fast_derive_eap_msk(data
->simck
, eapKeyData
);
1563 *len
= EAP_FAST_KEY_LEN
;
1569 static u8
* eap_fast_get_emsk(struct eap_sm
*sm
, void *priv
, size_t *len
)
1571 struct eap_fast_data
*data
= priv
;
1574 if (data
->state
!= SUCCESS
)
1577 eapKeyData
= os_malloc(EAP_EMSK_LEN
);
1578 if (eapKeyData
== NULL
)
1581 eap_fast_derive_eap_emsk(data
->simck
, eapKeyData
);
1582 *len
= EAP_EMSK_LEN
;
1588 static Boolean
eap_fast_isSuccess(struct eap_sm
*sm
, void *priv
)
1590 struct eap_fast_data
*data
= priv
;
1591 return data
->state
== SUCCESS
;
1595 static u8
* eap_fast_get_session_id(struct eap_sm
*sm
, void *priv
, size_t *len
)
1597 struct eap_fast_data
*data
= priv
;
1599 if (data
->state
!= SUCCESS
)
1602 return eap_server_tls_derive_session_id(sm
, &data
->ssl
, EAP_TYPE_FAST
,
1607 int eap_server_fast_register(void)
1609 struct eap_method
*eap
;
1612 eap
= eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION
,
1613 EAP_VENDOR_IETF
, EAP_TYPE_FAST
, "FAST");
1617 eap
->init
= eap_fast_init
;
1618 eap
->reset
= eap_fast_reset
;
1619 eap
->buildReq
= eap_fast_buildReq
;
1620 eap
->check
= eap_fast_check
;
1621 eap
->process
= eap_fast_process
;
1622 eap
->isDone
= eap_fast_isDone
;
1623 eap
->getKey
= eap_fast_getKey
;
1624 eap
->get_emsk
= eap_fast_get_emsk
;
1625 eap
->isSuccess
= eap_fast_isSuccess
;
1626 eap
->getSessionId
= eap_fast_get_session_id
;
1628 ret
= eap_server_method_register(eap
);
1630 eap_server_method_free(eap
);