2 * EAP-FAST server (RFC 4851)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/aes_wrap.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "crypto/random.h"
16 #include "eap_common/eap_tlv_common.h"
17 #include "eap_common/eap_fast_common.h"
19 #include "eap_tls_common.h"
22 static void eap_fast_reset(struct eap_sm
*sm
, void *priv
);
25 /* Private PAC-Opaque TLV types */
26 #define PAC_OPAQUE_TYPE_PAD 0
27 #define PAC_OPAQUE_TYPE_KEY 1
28 #define PAC_OPAQUE_TYPE_LIFETIME 2
29 #define PAC_OPAQUE_TYPE_IDENTITY 3
31 struct eap_fast_data
{
32 struct eap_ssl_data ssl
;
34 START
, PHASE1
, PHASE2_START
, PHASE2_ID
, PHASE2_METHOD
,
35 CRYPTO_BINDING
, REQUEST_PAC
, SUCCESS
, FAILURE
39 const struct eap_method
*phase2_method
;
44 u8 crypto_binding_nonce
[32];
47 struct eap_fast_key_block_provisioning
*key_block_p
;
49 u8 simck
[EAP_FAST_SIMCK_LEN
];
50 u8 cmk
[EAP_FAST_CMK_LEN
];
53 u8 pac_opaque_encr
[16];
58 int anon_provisioning
;
59 int send_new_pac
; /* server triggered re-keying of Tunnel PAC */
60 struct wpabuf
*pending_phase2_resp
;
61 u8
*identity
; /* from PAC-Opaque */
67 int pac_key_refresh_time
;
71 static int eap_fast_process_phase2_start(struct eap_sm
*sm
,
72 struct eap_fast_data
*data
);
75 static const char * eap_fast_state_txt(int state
)
83 return "PHASE2_START";
87 return "PHASE2_METHOD";
89 return "CRYPTO_BINDING";
102 static void eap_fast_state(struct eap_fast_data
*data
, int state
)
104 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s -> %s",
105 eap_fast_state_txt(data
->state
),
106 eap_fast_state_txt(state
));
111 static enum eap_type
eap_fast_req_failure(struct eap_sm
*sm
,
112 struct eap_fast_data
*data
)
114 /* TODO: send Result TLV(FAILURE) */
115 eap_fast_state(data
, FAILURE
);
116 return EAP_TYPE_NONE
;
120 static int eap_fast_session_ticket_cb(void *ctx
, const u8
*ticket
, size_t len
,
121 const u8
*client_random
,
122 const u8
*server_random
,
125 struct eap_fast_data
*data
= ctx
;
126 const u8
*pac_opaque
;
127 size_t pac_opaque_len
;
128 u8
*buf
, *pos
, *end
, *pac_key
= NULL
;
129 os_time_t lifetime
= 0;
132 size_t identity_len
= 0;
134 wpa_printf(MSG_DEBUG
, "EAP-FAST: SessionTicket callback");
135 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: SessionTicket (PAC-Opaque)",
138 if (len
< 4 || WPA_GET_BE16(ticket
) != PAC_TYPE_PAC_OPAQUE
) {
139 wpa_printf(MSG_DEBUG
, "EAP-FAST: Ignore invalid "
144 pac_opaque_len
= WPA_GET_BE16(ticket
+ 2);
145 pac_opaque
= ticket
+ 4;
146 if (pac_opaque_len
< 8 || pac_opaque_len
% 8 ||
147 pac_opaque_len
> len
- 4) {
148 wpa_printf(MSG_DEBUG
, "EAP-FAST: Ignore invalid PAC-Opaque "
149 "(len=%lu left=%lu)",
150 (unsigned long) pac_opaque_len
,
151 (unsigned long) len
);
154 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: Received PAC-Opaque",
155 pac_opaque
, pac_opaque_len
);
157 buf
= os_malloc(pac_opaque_len
- 8);
159 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to allocate memory "
160 "for decrypting PAC-Opaque");
164 if (aes_unwrap(data
->pac_opaque_encr
, sizeof(data
->pac_opaque_encr
),
165 (pac_opaque_len
- 8) / 8, pac_opaque
, buf
) < 0) {
166 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to decrypt "
170 * This may have been caused by server changing the PAC-Opaque
171 * encryption key, so just ignore this PAC-Opaque instead of
172 * failing the authentication completely. Provisioning can now
173 * be used to provision a new PAC.
178 end
= buf
+ pac_opaque_len
- 8;
179 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: Decrypted PAC-Opaque",
183 while (end
- pos
> 1) {
188 if (elen
> end
- pos
)
192 case PAC_OPAQUE_TYPE_PAD
:
194 case PAC_OPAQUE_TYPE_KEY
:
195 if (elen
!= EAP_FAST_PAC_KEY_LEN
) {
196 wpa_printf(MSG_DEBUG
,
197 "EAP-FAST: Invalid PAC-Key length %d",
203 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: PAC-Key from "
204 "decrypted PAC-Opaque",
205 pac_key
, EAP_FAST_PAC_KEY_LEN
);
207 case PAC_OPAQUE_TYPE_LIFETIME
:
209 wpa_printf(MSG_DEBUG
, "EAP-FAST: Invalid "
210 "PAC-Key lifetime length %d",
215 lifetime
= WPA_GET_BE32(pos
);
217 case PAC_OPAQUE_TYPE_IDENTITY
:
227 if (pac_key
== NULL
) {
228 wpa_printf(MSG_DEBUG
, "EAP-FAST: No PAC-Key included in "
235 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-FAST: Identity from "
236 "PAC-Opaque", identity
, identity_len
);
237 os_free(data
->identity
);
238 data
->identity
= os_malloc(identity_len
);
239 if (data
->identity
) {
240 os_memcpy(data
->identity
, identity
, identity_len
);
241 data
->identity_len
= identity_len
;
245 if (os_get_time(&now
) < 0 || lifetime
<= 0 || now
.sec
> lifetime
) {
246 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC-Key not valid anymore "
247 "(lifetime=%ld now=%ld)", lifetime
, now
.sec
);
248 data
->send_new_pac
= 2;
250 * Allow PAC to be used to allow a PAC update with some level
251 * of server authentication (i.e., do not fall back to full TLS
252 * handshake since we cannot be sure that the peer would be
253 * able to validate server certificate now). However, reject
254 * the authentication since the PAC was not valid anymore. Peer
255 * can connect again with the newly provisioned PAC after this.
257 } else if (lifetime
- now
.sec
< data
->pac_key_refresh_time
) {
258 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC-Key soft timeout; send "
259 "an update if authentication succeeds");
260 data
->send_new_pac
= 1;
263 eap_fast_derive_master_secret(pac_key
, server_random
, client_random
,
272 static void eap_fast_derive_key_auth(struct eap_sm
*sm
,
273 struct eap_fast_data
*data
)
277 /* RFC 4851, Section 5.1:
278 * Extra key material after TLS key_block: session_key_seed[40]
281 sks
= eap_fast_derive_key(sm
->ssl_ctx
, data
->ssl
.conn
,
284 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to derive "
290 * RFC 4851, Section 5.2:
291 * S-IMCK[0] = session_key_seed
293 wpa_hexdump_key(MSG_DEBUG
,
294 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
295 sks
, EAP_FAST_SKS_LEN
);
297 os_memcpy(data
->simck
, sks
, EAP_FAST_SIMCK_LEN
);
302 static void eap_fast_derive_key_provisioning(struct eap_sm
*sm
,
303 struct eap_fast_data
*data
)
305 os_free(data
->key_block_p
);
306 data
->key_block_p
= (struct eap_fast_key_block_provisioning
*)
307 eap_fast_derive_key(sm
->ssl_ctx
, data
->ssl
.conn
,
308 sizeof(*data
->key_block_p
));
309 if (data
->key_block_p
== NULL
) {
310 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to derive key block");
314 * RFC 4851, Section 5.2:
315 * S-IMCK[0] = session_key_seed
317 wpa_hexdump_key(MSG_DEBUG
,
318 "EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
319 data
->key_block_p
->session_key_seed
,
320 sizeof(data
->key_block_p
->session_key_seed
));
322 os_memcpy(data
->simck
, data
->key_block_p
->session_key_seed
,
324 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: server_challenge",
325 data
->key_block_p
->server_challenge
,
326 sizeof(data
->key_block_p
->server_challenge
));
327 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: client_challenge",
328 data
->key_block_p
->client_challenge
,
329 sizeof(data
->key_block_p
->client_challenge
));
333 static int eap_fast_get_phase2_key(struct eap_sm
*sm
,
334 struct eap_fast_data
*data
,
335 u8
*isk
, size_t isk_len
)
340 os_memset(isk
, 0, isk_len
);
342 if (data
->phase2_method
== NULL
|| data
->phase2_priv
== NULL
) {
343 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase 2 method not "
348 if (data
->phase2_method
->getKey
== NULL
)
351 if ((key
= data
->phase2_method
->getKey(sm
, data
->phase2_priv
,
352 &key_len
)) == NULL
) {
353 wpa_printf(MSG_DEBUG
, "EAP-FAST: Could not get key material "
358 if (key_len
> isk_len
)
361 data
->phase2_method
->vendor
== EAP_VENDOR_IETF
&&
362 data
->phase2_method
->method
== EAP_TYPE_MSCHAPV2
) {
364 * EAP-FAST uses reverse order for MS-MPPE keys when deriving
365 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct
366 * ISK for EAP-FAST cryptobinding.
368 os_memcpy(isk
, key
+ 16, 16);
369 os_memcpy(isk
+ 16, key
, 16);
371 os_memcpy(isk
, key
, key_len
);
378 static int eap_fast_update_icmk(struct eap_sm
*sm
, struct eap_fast_data
*data
)
380 u8 isk
[32], imck
[60];
382 wpa_printf(MSG_DEBUG
, "EAP-FAST: Deriving ICMK[%d] (S-IMCK and CMK)",
383 data
->simck_idx
+ 1);
386 * RFC 4851, Section 5.2:
387 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
389 * S-IMCK[j] = first 40 octets of IMCK[j]
390 * CMK[j] = last 20 octets of IMCK[j]
393 if (eap_fast_get_phase2_key(sm
, data
, isk
, sizeof(isk
)) < 0)
395 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-FAST: ISK[j]", isk
, sizeof(isk
));
396 sha1_t_prf(data
->simck
, EAP_FAST_SIMCK_LEN
,
397 "Inner Methods Compound Keys",
398 isk
, sizeof(isk
), imck
, sizeof(imck
));
400 os_memcpy(data
->simck
, imck
, EAP_FAST_SIMCK_LEN
);
401 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-FAST: S-IMCK[j]",
402 data
->simck
, EAP_FAST_SIMCK_LEN
);
403 os_memcpy(data
->cmk
, imck
+ EAP_FAST_SIMCK_LEN
, EAP_FAST_CMK_LEN
);
404 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-FAST: CMK[j]",
405 data
->cmk
, EAP_FAST_CMK_LEN
);
411 static void * eap_fast_init(struct eap_sm
*sm
)
413 struct eap_fast_data
*data
;
415 TLS_CIPHER_ANON_DH_AES128_SHA
,
416 TLS_CIPHER_AES128_SHA
,
417 TLS_CIPHER_RSA_DHE_AES128_SHA
,
419 TLS_CIPHER_RSA_DHE_AES256_SHA
,
420 TLS_CIPHER_AES256_SHA
,
424 data
= os_zalloc(sizeof(*data
));
427 data
->fast_version
= EAP_FAST_VERSION
;
428 data
->force_version
= -1;
429 if (sm
->user
&& sm
->user
->force_version
>= 0) {
430 data
->force_version
= sm
->user
->force_version
;
431 wpa_printf(MSG_DEBUG
, "EAP-FAST: forcing version %d",
432 data
->force_version
);
433 data
->fast_version
= data
->force_version
;
437 if (eap_server_tls_ssl_init(sm
, &data
->ssl
, 0, EAP_TYPE_FAST
)) {
438 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to initialize SSL.");
439 eap_fast_reset(sm
, data
);
443 if (tls_connection_set_cipher_list(sm
->ssl_ctx
, data
->ssl
.conn
,
445 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to set TLS cipher "
447 eap_fast_reset(sm
, data
);
451 if (tls_connection_set_session_ticket_cb(sm
->ssl_ctx
, data
->ssl
.conn
,
452 eap_fast_session_ticket_cb
,
454 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to set SessionTicket "
456 eap_fast_reset(sm
, data
);
460 if (sm
->pac_opaque_encr_key
== NULL
) {
461 wpa_printf(MSG_INFO
, "EAP-FAST: No PAC-Opaque encryption key "
463 eap_fast_reset(sm
, data
);
466 os_memcpy(data
->pac_opaque_encr
, sm
->pac_opaque_encr_key
,
467 sizeof(data
->pac_opaque_encr
));
469 if (sm
->eap_fast_a_id
== NULL
) {
470 wpa_printf(MSG_INFO
, "EAP-FAST: No A-ID configured");
471 eap_fast_reset(sm
, data
);
474 data
->srv_id
= os_memdup(sm
->eap_fast_a_id
, sm
->eap_fast_a_id_len
);
475 if (data
->srv_id
== NULL
) {
476 eap_fast_reset(sm
, data
);
479 data
->srv_id_len
= sm
->eap_fast_a_id_len
;
481 if (sm
->eap_fast_a_id_info
== NULL
) {
482 wpa_printf(MSG_INFO
, "EAP-FAST: No A-ID-Info configured");
483 eap_fast_reset(sm
, data
);
486 data
->srv_id_info
= os_strdup(sm
->eap_fast_a_id_info
);
487 if (data
->srv_id_info
== NULL
) {
488 eap_fast_reset(sm
, data
);
492 /* PAC-Key lifetime in seconds (hard limit) */
493 data
->pac_key_lifetime
= sm
->pac_key_lifetime
;
496 * PAC-Key refresh time in seconds (soft limit on remaining hard
497 * limit). The server will generate a new PAC-Key when this number of
498 * seconds (or fewer) of the lifetime remains.
500 data
->pac_key_refresh_time
= sm
->pac_key_refresh_time
;
506 static void eap_fast_reset(struct eap_sm
*sm
, void *priv
)
508 struct eap_fast_data
*data
= priv
;
511 if (data
->phase2_priv
&& data
->phase2_method
)
512 data
->phase2_method
->reset(sm
, data
->phase2_priv
);
513 eap_server_tls_ssl_deinit(sm
, &data
->ssl
);
514 os_free(data
->srv_id
);
515 os_free(data
->srv_id_info
);
516 os_free(data
->key_block_p
);
517 wpabuf_free(data
->pending_phase2_resp
);
518 os_free(data
->identity
);
519 bin_clear_free(data
, sizeof(*data
));
523 static struct wpabuf
* eap_fast_build_start(struct eap_sm
*sm
,
524 struct eap_fast_data
*data
, u8 id
)
528 req
= eap_msg_alloc(EAP_VENDOR_IETF
, EAP_TYPE_FAST
,
529 1 + sizeof(struct pac_tlv_hdr
) + data
->srv_id_len
,
530 EAP_CODE_REQUEST
, id
);
532 wpa_printf(MSG_ERROR
, "EAP-FAST: Failed to allocate memory for"
534 eap_fast_state(data
, FAILURE
);
538 wpabuf_put_u8(req
, EAP_TLS_FLAGS_START
| data
->fast_version
);
540 /* RFC 4851, 4.1.1. Authority ID Data */
541 eap_fast_put_tlv(req
, PAC_TYPE_A_ID
, data
->srv_id
, data
->srv_id_len
);
543 eap_fast_state(data
, PHASE1
);
549 static int eap_fast_phase1_done(struct eap_sm
*sm
, struct eap_fast_data
*data
)
553 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase1 done, starting Phase2");
555 if (tls_get_cipher(sm
->ssl_ctx
, data
->ssl
.conn
, cipher
, sizeof(cipher
))
557 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to get cipher "
559 eap_fast_state(data
, FAILURE
);
562 data
->anon_provisioning
= os_strstr(cipher
, "ADH") != NULL
;
564 if (data
->anon_provisioning
) {
565 wpa_printf(MSG_DEBUG
, "EAP-FAST: Anonymous provisioning");
566 eap_fast_derive_key_provisioning(sm
, data
);
568 eap_fast_derive_key_auth(sm
, data
);
570 eap_fast_state(data
, PHASE2_START
);
576 static struct wpabuf
* eap_fast_build_phase2_req(struct eap_sm
*sm
,
577 struct eap_fast_data
*data
,
582 if (data
->phase2_priv
== NULL
) {
583 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase 2 method not "
587 req
= data
->phase2_method
->buildReq(sm
, data
->phase2_priv
, id
);
591 wpa_hexdump_buf_key(MSG_MSGDUMP
, "EAP-FAST: Phase 2 EAP-Request", req
);
592 return eap_fast_tlv_eap_payload(req
);
596 static struct wpabuf
* eap_fast_build_crypto_binding(
597 struct eap_sm
*sm
, struct eap_fast_data
*data
)
600 struct eap_tlv_result_tlv
*result
;
601 struct eap_tlv_crypto_binding_tlv
*binding
;
603 buf
= wpabuf_alloc(2 * sizeof(*result
) + sizeof(*binding
));
607 if (data
->send_new_pac
|| data
->anon_provisioning
||
609 data
->final_result
= 0;
611 data
->final_result
= 1;
613 if (!data
->final_result
|| data
->eap_seq
> 1) {
614 /* Intermediate-Result */
615 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Intermediate-Result TLV "
617 result
= wpabuf_put(buf
, sizeof(*result
));
618 result
->tlv_type
= host_to_be16(
619 EAP_TLV_TYPE_MANDATORY
|
620 EAP_TLV_INTERMEDIATE_RESULT_TLV
);
621 result
->length
= host_to_be16(2);
622 result
->status
= host_to_be16(EAP_TLV_RESULT_SUCCESS
);
625 if (data
->final_result
) {
627 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Result TLV "
629 result
= wpabuf_put(buf
, sizeof(*result
));
630 result
->tlv_type
= host_to_be16(EAP_TLV_TYPE_MANDATORY
|
632 result
->length
= host_to_be16(2);
633 result
->status
= host_to_be16(EAP_TLV_RESULT_SUCCESS
);
636 /* Crypto-Binding TLV */
637 binding
= wpabuf_put(buf
, sizeof(*binding
));
638 binding
->tlv_type
= host_to_be16(EAP_TLV_TYPE_MANDATORY
|
639 EAP_TLV_CRYPTO_BINDING_TLV
);
640 binding
->length
= host_to_be16(sizeof(*binding
) -
641 sizeof(struct eap_tlv_hdr
));
642 binding
->version
= EAP_FAST_VERSION
;
643 binding
->received_version
= data
->peer_version
;
644 binding
->subtype
= EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST
;
645 if (random_get_bytes(binding
->nonce
, sizeof(binding
->nonce
)) < 0) {
651 * RFC 4851, Section 4.2.8:
652 * The nonce in a request MUST have its least significant bit set to 0.
654 binding
->nonce
[sizeof(binding
->nonce
) - 1] &= ~0x01;
656 os_memcpy(data
->crypto_binding_nonce
, binding
->nonce
,
657 sizeof(binding
->nonce
));
660 * RFC 4851, Section 5.3:
662 * Compound-MAC = HMAC-SHA1( CMK, Crypto-Binding TLV )
665 hmac_sha1(data
->cmk
, EAP_FAST_CMK_LEN
,
666 (u8
*) binding
, sizeof(*binding
),
667 binding
->compound_mac
);
669 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Crypto-Binding TLV: Version %d "
670 "Received Version %d SubType %d",
671 binding
->version
, binding
->received_version
,
673 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: NONCE",
674 binding
->nonce
, sizeof(binding
->nonce
));
675 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: Compound MAC",
676 binding
->compound_mac
, sizeof(binding
->compound_mac
));
682 static struct wpabuf
* eap_fast_build_pac(struct eap_sm
*sm
,
683 struct eap_fast_data
*data
)
685 u8 pac_key
[EAP_FAST_PAC_KEY_LEN
];
686 u8
*pac_buf
, *pac_opaque
;
689 size_t buf_len
, srv_id_info_len
, pac_len
;
690 struct eap_tlv_hdr
*pac_tlv
;
691 struct pac_tlv_hdr
*pac_info
;
692 struct eap_tlv_result_tlv
*result
;
695 if (random_get_bytes(pac_key
, EAP_FAST_PAC_KEY_LEN
) < 0 ||
696 os_get_time(&now
) < 0)
698 wpa_hexdump_key(MSG_DEBUG
, "EAP-FAST: Generated PAC-Key",
699 pac_key
, EAP_FAST_PAC_KEY_LEN
);
701 pac_len
= (2 + EAP_FAST_PAC_KEY_LEN
) + (2 + 4) +
702 (2 + sm
->identity_len
) + 8;
703 pac_buf
= os_malloc(pac_len
);
707 srv_id_info_len
= os_strlen(data
->srv_id_info
);
710 *pos
++ = PAC_OPAQUE_TYPE_KEY
;
711 *pos
++ = EAP_FAST_PAC_KEY_LEN
;
712 os_memcpy(pos
, pac_key
, EAP_FAST_PAC_KEY_LEN
);
713 pos
+= EAP_FAST_PAC_KEY_LEN
;
715 *pos
++ = PAC_OPAQUE_TYPE_LIFETIME
;
717 WPA_PUT_BE32(pos
, now
.sec
+ data
->pac_key_lifetime
);
721 *pos
++ = PAC_OPAQUE_TYPE_IDENTITY
;
722 *pos
++ = sm
->identity_len
;
723 os_memcpy(pos
, sm
->identity
, sm
->identity_len
);
724 pos
+= sm
->identity_len
;
727 pac_len
= pos
- pac_buf
;
728 while (pac_len
% 8) {
729 *pos
++ = PAC_OPAQUE_TYPE_PAD
;
733 pac_opaque
= os_malloc(pac_len
+ 8);
734 if (pac_opaque
== NULL
) {
738 if (aes_wrap(data
->pac_opaque_encr
, sizeof(data
->pac_opaque_encr
),
739 pac_len
/ 8, pac_buf
, pac_opaque
) < 0) {
747 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: PAC-Opaque",
748 pac_opaque
, pac_len
);
750 buf_len
= sizeof(*pac_tlv
) +
751 sizeof(struct pac_tlv_hdr
) + EAP_FAST_PAC_KEY_LEN
+
752 sizeof(struct pac_tlv_hdr
) + pac_len
+
753 data
->srv_id_len
+ srv_id_info_len
+ 100 + sizeof(*result
);
754 buf
= wpabuf_alloc(buf_len
);
761 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add Result TLV (status=SUCCESS)");
762 result
= wpabuf_put(buf
, sizeof(*result
));
763 WPA_PUT_BE16((u8
*) &result
->tlv_type
,
764 EAP_TLV_TYPE_MANDATORY
| EAP_TLV_RESULT_TLV
);
765 WPA_PUT_BE16((u8
*) &result
->length
, 2);
766 WPA_PUT_BE16((u8
*) &result
->status
, EAP_TLV_RESULT_SUCCESS
);
769 wpa_printf(MSG_DEBUG
, "EAP-FAST: Add PAC TLV");
770 pac_tlv
= wpabuf_put(buf
, sizeof(*pac_tlv
));
771 pac_tlv
->tlv_type
= host_to_be16(EAP_TLV_TYPE_MANDATORY
|
775 eap_fast_put_tlv(buf
, PAC_TYPE_PAC_KEY
, pac_key
, EAP_FAST_PAC_KEY_LEN
);
778 eap_fast_put_tlv(buf
, PAC_TYPE_PAC_OPAQUE
, pac_opaque
, pac_len
);
782 pac_info
= wpabuf_put(buf
, sizeof(*pac_info
));
783 pac_info
->type
= host_to_be16(PAC_TYPE_PAC_INFO
);
785 /* PAC-Lifetime (inside PAC-Info) */
786 eap_fast_put_tlv_hdr(buf
, PAC_TYPE_CRED_LIFETIME
, 4);
787 wpabuf_put_be32(buf
, now
.sec
+ data
->pac_key_lifetime
);
789 /* A-ID (inside PAC-Info) */
790 eap_fast_put_tlv(buf
, PAC_TYPE_A_ID
, data
->srv_id
, data
->srv_id_len
);
792 /* Note: headers may be misaligned after A-ID */
795 eap_fast_put_tlv(buf
, PAC_TYPE_I_ID
, sm
->identity
,
799 /* A-ID-Info (inside PAC-Info) */
800 eap_fast_put_tlv(buf
, PAC_TYPE_A_ID_INFO
, data
->srv_id_info
,
803 /* PAC-Type (inside PAC-Info) */
804 eap_fast_put_tlv_hdr(buf
, PAC_TYPE_PAC_TYPE
, 2);
805 wpabuf_put_be16(buf
, PAC_TYPE_TUNNEL_PAC
);
807 /* Update PAC-Info and PAC TLV Length fields */
808 pos
= wpabuf_put(buf
, 0);
809 pac_info
->len
= host_to_be16(pos
- (u8
*) (pac_info
+ 1));
810 pac_tlv
->length
= host_to_be16(pos
- (u8
*) (pac_tlv
+ 1));
816 static int eap_fast_encrypt_phase2(struct eap_sm
*sm
,
817 struct eap_fast_data
*data
,
818 struct wpabuf
*plain
, int piggyback
)
822 wpa_hexdump_buf_key(MSG_DEBUG
, "EAP-FAST: Encrypting Phase 2 TLVs",
824 encr
= eap_server_tls_encrypt(sm
, &data
->ssl
, plain
);
830 if (data
->ssl
.tls_out
&& piggyback
) {
831 wpa_printf(MSG_DEBUG
, "EAP-FAST: Piggyback Phase 2 data "
832 "(len=%d) with last Phase 1 Message (len=%d "
834 (int) wpabuf_len(encr
),
835 (int) wpabuf_len(data
->ssl
.tls_out
),
836 (int) data
->ssl
.tls_out_pos
);
837 if (wpabuf_resize(&data
->ssl
.tls_out
, wpabuf_len(encr
)) < 0) {
838 wpa_printf(MSG_WARNING
, "EAP-FAST: Failed to resize "
843 wpabuf_put_buf(data
->ssl
.tls_out
, encr
);
846 wpabuf_free(data
->ssl
.tls_out
);
847 data
->ssl
.tls_out_pos
= 0;
848 data
->ssl
.tls_out
= encr
;
855 static struct wpabuf
* eap_fast_buildReq(struct eap_sm
*sm
, void *priv
, u8 id
)
857 struct eap_fast_data
*data
= priv
;
858 struct wpabuf
*req
= NULL
;
861 if (data
->ssl
.state
== FRAG_ACK
) {
862 return eap_server_tls_build_ack(id
, EAP_TYPE_FAST
,
866 if (data
->ssl
.state
== WAIT_FRAG_ACK
) {
867 return eap_server_tls_build_msg(&data
->ssl
, EAP_TYPE_FAST
,
868 data
->fast_version
, id
);
871 switch (data
->state
) {
873 return eap_fast_build_start(sm
, data
, id
);
875 if (tls_connection_established(sm
->ssl_ctx
, data
->ssl
.conn
)) {
876 if (eap_fast_phase1_done(sm
, data
) < 0)
878 if (data
->state
== PHASE2_START
) {
880 * Try to generate Phase 2 data to piggyback
881 * with the end of Phase 1 to avoid extra
884 wpa_printf(MSG_DEBUG
, "EAP-FAST: Try to start "
886 if (eap_fast_process_phase2_start(sm
, data
))
888 req
= eap_fast_build_phase2_req(sm
, data
, id
);
895 req
= eap_fast_build_phase2_req(sm
, data
, id
);
898 req
= eap_fast_build_crypto_binding(sm
, data
);
899 if (data
->phase2_method
) {
901 * Include the start of the next EAP method in the
902 * sequence in the same message with Crypto-Binding to
906 eap
= eap_fast_build_phase2_req(sm
, data
, id
);
907 req
= wpabuf_concat(req
, eap
);
908 eap_fast_state(data
, PHASE2_METHOD
);
912 req
= eap_fast_build_pac(sm
, data
);
915 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s - unexpected state %d",
916 __func__
, data
->state
);
921 eap_fast_encrypt_phase2(sm
, data
, req
, piggyback
) < 0)
924 return eap_server_tls_build_msg(&data
->ssl
, EAP_TYPE_FAST
,
925 data
->fast_version
, id
);
929 static Boolean
eap_fast_check(struct eap_sm
*sm
, void *priv
,
930 struct wpabuf
*respData
)
935 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, EAP_TYPE_FAST
, respData
, &len
);
936 if (pos
== NULL
|| len
< 1) {
937 wpa_printf(MSG_INFO
, "EAP-FAST: Invalid frame");
945 static int eap_fast_phase2_init(struct eap_sm
*sm
, struct eap_fast_data
*data
,
946 enum eap_type eap_type
)
948 if (data
->phase2_priv
&& data
->phase2_method
) {
949 data
->phase2_method
->reset(sm
, data
->phase2_priv
);
950 data
->phase2_method
= NULL
;
951 data
->phase2_priv
= NULL
;
953 data
->phase2_method
= eap_server_get_eap_method(EAP_VENDOR_IETF
,
955 if (!data
->phase2_method
)
958 if (data
->key_block_p
) {
959 sm
->auth_challenge
= data
->key_block_p
->server_challenge
;
960 sm
->peer_challenge
= data
->key_block_p
->client_challenge
;
963 data
->phase2_priv
= data
->phase2_method
->init(sm
);
965 sm
->auth_challenge
= NULL
;
966 sm
->peer_challenge
= NULL
;
968 return data
->phase2_priv
== NULL
? -1 : 0;
972 static void eap_fast_process_phase2_response(struct eap_sm
*sm
,
973 struct eap_fast_data
*data
,
974 u8
*in_data
, size_t in_len
)
976 u8 next_type
= EAP_TYPE_NONE
;
981 const struct eap_method
*m
= data
->phase2_method
;
982 void *priv
= data
->phase2_priv
;
985 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s - Phase2 not "
986 "initialized?!", __func__
);
990 hdr
= (struct eap_hdr
*) in_data
;
991 pos
= (u8
*) (hdr
+ 1);
993 if (in_len
> sizeof(*hdr
) && *pos
== EAP_TYPE_NAK
) {
994 left
= in_len
- sizeof(*hdr
);
995 wpa_hexdump(MSG_DEBUG
, "EAP-FAST: Phase2 type Nak'ed; "
996 "allowed types", pos
+ 1, left
- 1);
997 #ifdef EAP_SERVER_TNC
998 if (m
&& m
->vendor
== EAP_VENDOR_IETF
&&
999 m
->method
== EAP_TYPE_TNC
) {
1000 wpa_printf(MSG_DEBUG
, "EAP-FAST: Peer Nak'ed required "
1002 next_type
= eap_fast_req_failure(sm
, data
);
1003 eap_fast_phase2_init(sm
, data
, next_type
);
1006 #endif /* EAP_SERVER_TNC */
1007 eap_sm_process_nak(sm
, pos
+ 1, left
- 1);
1008 if (sm
->user
&& sm
->user_eap_method_index
< EAP_MAX_METHODS
&&
1009 sm
->user
->methods
[sm
->user_eap_method_index
].method
!=
1011 next_type
= sm
->user
->methods
[
1012 sm
->user_eap_method_index
++].method
;
1013 wpa_printf(MSG_DEBUG
, "EAP-FAST: try EAP type %d",
1016 next_type
= eap_fast_req_failure(sm
, data
);
1018 eap_fast_phase2_init(sm
, data
, next_type
);
1022 wpabuf_set(&buf
, in_data
, in_len
);
1024 if (m
->check(sm
, priv
, &buf
)) {
1025 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase2 check() asked to "
1026 "ignore the packet");
1027 eap_fast_req_failure(sm
, data
);
1031 m
->process(sm
, priv
, &buf
);
1033 if (!m
->isDone(sm
, priv
))
1036 if (!m
->isSuccess(sm
, priv
)) {
1037 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase2 method failed");
1038 next_type
= eap_fast_req_failure(sm
, data
);
1039 eap_fast_phase2_init(sm
, data
, next_type
);
1043 switch (data
->state
) {
1045 if (eap_user_get(sm
, sm
->identity
, sm
->identity_len
, 1) != 0) {
1046 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-FAST: Phase2 "
1047 "Identity not found in the user "
1049 sm
->identity
, sm
->identity_len
);
1050 next_type
= eap_fast_req_failure(sm
, data
);
1054 eap_fast_state(data
, PHASE2_METHOD
);
1055 if (data
->anon_provisioning
) {
1057 * Only EAP-MSCHAPv2 is allowed for anonymous
1060 next_type
= EAP_TYPE_MSCHAPV2
;
1061 sm
->user_eap_method_index
= 0;
1063 next_type
= sm
->user
->methods
[0].method
;
1064 sm
->user_eap_method_index
= 1;
1066 wpa_printf(MSG_DEBUG
, "EAP-FAST: try EAP type %d", next_type
);
1069 case CRYPTO_BINDING
:
1070 eap_fast_update_icmk(sm
, data
);
1071 eap_fast_state(data
, CRYPTO_BINDING
);
1073 next_type
= EAP_TYPE_NONE
;
1074 #ifdef EAP_SERVER_TNC
1075 if (sm
->tnc
&& !data
->tnc_started
) {
1076 wpa_printf(MSG_DEBUG
, "EAP-FAST: Initialize TNC");
1077 next_type
= EAP_TYPE_TNC
;
1078 data
->tnc_started
= 1;
1080 #endif /* EAP_SERVER_TNC */
1085 wpa_printf(MSG_DEBUG
, "EAP-FAST: %s - unexpected state %d",
1086 __func__
, data
->state
);
1090 eap_fast_phase2_init(sm
, data
, next_type
);
1094 static void eap_fast_process_phase2_eap(struct eap_sm
*sm
,
1095 struct eap_fast_data
*data
,
1096 u8
*in_data
, size_t in_len
)
1098 struct eap_hdr
*hdr
;
1101 hdr
= (struct eap_hdr
*) in_data
;
1102 if (in_len
< (int) sizeof(*hdr
)) {
1103 wpa_printf(MSG_INFO
, "EAP-FAST: Too short Phase 2 "
1104 "EAP frame (len=%lu)", (unsigned long) in_len
);
1105 eap_fast_req_failure(sm
, data
);
1108 len
= be_to_host16(hdr
->length
);
1110 wpa_printf(MSG_INFO
, "EAP-FAST: Length mismatch in "
1111 "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1112 (unsigned long) in_len
, (unsigned long) len
);
1113 eap_fast_req_failure(sm
, data
);
1116 wpa_printf(MSG_DEBUG
, "EAP-FAST: Received Phase 2: code=%d "
1117 "identifier=%d length=%lu", hdr
->code
, hdr
->identifier
,
1118 (unsigned long) len
);
1119 switch (hdr
->code
) {
1120 case EAP_CODE_RESPONSE
:
1121 eap_fast_process_phase2_response(sm
, data
, (u8
*) hdr
, len
);
1124 wpa_printf(MSG_INFO
, "EAP-FAST: Unexpected code=%d in "
1125 "Phase 2 EAP header", hdr
->code
);
1131 static int eap_fast_parse_tlvs(struct wpabuf
*data
,
1132 struct eap_fast_tlv_parse
*tlv
)
1134 int mandatory
, tlv_type
, res
;
1138 os_memset(tlv
, 0, sizeof(*tlv
));
1140 pos
= wpabuf_mhead(data
);
1141 end
= pos
+ wpabuf_len(data
);
1142 while (end
- pos
> 4) {
1143 mandatory
= pos
[0] & 0x80;
1144 tlv_type
= WPA_GET_BE16(pos
) & 0x3fff;
1146 len
= WPA_GET_BE16(pos
);
1148 if (len
> (size_t) (end
- pos
)) {
1149 wpa_printf(MSG_INFO
, "EAP-FAST: TLV overflow");
1152 wpa_printf(MSG_DEBUG
, "EAP-FAST: Received Phase 2: "
1153 "TLV type %d length %u%s",
1154 tlv_type
, (unsigned int) len
,
1155 mandatory
? " (mandatory)" : "");
1157 res
= eap_fast_parse_tlv(tlv
, tlv_type
, pos
, len
);
1162 wpa_printf(MSG_DEBUG
, "EAP-FAST: Nak unknown "
1163 "mandatory TLV type %d", tlv_type
);
1164 /* TODO: generate Nak TLV */
1167 wpa_printf(MSG_DEBUG
, "EAP-FAST: Ignored "
1168 "unknown optional TLV type %d",
1180 static int eap_fast_validate_crypto_binding(
1181 struct eap_fast_data
*data
, struct eap_tlv_crypto_binding_tlv
*b
,
1184 u8 cmac
[SHA1_MAC_LEN
];
1186 wpa_printf(MSG_DEBUG
, "EAP-FAST: Reply Crypto-Binding TLV: "
1187 "Version %d Received Version %d SubType %d",
1188 b
->version
, b
->received_version
, b
->subtype
);
1189 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: NONCE",
1190 b
->nonce
, sizeof(b
->nonce
));
1191 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: Compound MAC",
1192 b
->compound_mac
, sizeof(b
->compound_mac
));
1194 if (b
->version
!= EAP_FAST_VERSION
||
1195 b
->received_version
!= EAP_FAST_VERSION
) {
1196 wpa_printf(MSG_DEBUG
, "EAP-FAST: Unexpected version "
1197 "in Crypto-Binding: version %d "
1198 "received_version %d", b
->version
,
1199 b
->received_version
);
1203 if (b
->subtype
!= EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE
) {
1204 wpa_printf(MSG_DEBUG
, "EAP-FAST: Unexpected subtype in "
1205 "Crypto-Binding: %d", b
->subtype
);
1209 if (os_memcmp_const(data
->crypto_binding_nonce
, b
->nonce
, 31) != 0 ||
1210 (data
->crypto_binding_nonce
[31] | 1) != b
->nonce
[31]) {
1211 wpa_printf(MSG_DEBUG
, "EAP-FAST: Invalid nonce in "
1216 os_memcpy(cmac
, b
->compound_mac
, sizeof(cmac
));
1217 os_memset(b
->compound_mac
, 0, sizeof(cmac
));
1218 wpa_hexdump(MSG_MSGDUMP
, "EAP-FAST: Crypto-Binding TLV for "
1219 "Compound MAC calculation",
1220 (u8
*) b
, bind_len
);
1221 hmac_sha1(data
->cmk
, EAP_FAST_CMK_LEN
, (u8
*) b
, bind_len
,
1223 if (os_memcmp_const(cmac
, b
->compound_mac
, sizeof(cmac
)) != 0) {
1224 wpa_hexdump(MSG_MSGDUMP
,
1225 "EAP-FAST: Calculated Compound MAC",
1226 b
->compound_mac
, sizeof(cmac
));
1227 wpa_printf(MSG_INFO
, "EAP-FAST: Compound MAC did not "
1236 static int eap_fast_pac_type(u8
*pac
, size_t len
, u16 type
)
1238 struct eap_tlv_pac_type_tlv
*tlv
;
1240 if (pac
== NULL
|| len
!= sizeof(*tlv
))
1243 tlv
= (struct eap_tlv_pac_type_tlv
*) pac
;
1245 return be_to_host16(tlv
->tlv_type
) == PAC_TYPE_PAC_TYPE
&&
1246 be_to_host16(tlv
->length
) == 2 &&
1247 be_to_host16(tlv
->pac_type
) == type
;
1251 static void eap_fast_process_phase2_tlvs(struct eap_sm
*sm
,
1252 struct eap_fast_data
*data
,
1253 struct wpabuf
*in_data
)
1255 struct eap_fast_tlv_parse tlv
;
1256 int check_crypto_binding
= data
->state
== CRYPTO_BINDING
;
1258 if (eap_fast_parse_tlvs(in_data
, &tlv
) < 0) {
1259 wpa_printf(MSG_DEBUG
, "EAP-FAST: Failed to parse received "
1264 if (tlv
.result
== EAP_TLV_RESULT_FAILURE
) {
1265 wpa_printf(MSG_DEBUG
, "EAP-FAST: Result TLV indicated "
1267 eap_fast_state(data
, FAILURE
);
1271 if (data
->state
== REQUEST_PAC
) {
1273 if (tlv
.pac
== NULL
|| tlv
.pac_len
< 6) {
1274 wpa_printf(MSG_DEBUG
, "EAP-FAST: No PAC "
1275 "Acknowledgement received");
1276 eap_fast_state(data
, FAILURE
);
1280 type
= WPA_GET_BE16(tlv
.pac
);
1281 len
= WPA_GET_BE16(tlv
.pac
+ 2);
1282 res
= WPA_GET_BE16(tlv
.pac
+ 4);
1284 if (type
!= PAC_TYPE_PAC_ACKNOWLEDGEMENT
|| len
!= 2 ||
1285 res
!= EAP_TLV_RESULT_SUCCESS
) {
1286 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC TLV did not "
1287 "contain acknowledgement");
1288 eap_fast_state(data
, FAILURE
);
1292 wpa_printf(MSG_DEBUG
, "EAP-FAST: PAC-Acknowledgement received "
1293 "- PAC provisioning succeeded");
1294 eap_fast_state(data
, (data
->anon_provisioning
||
1295 data
->send_new_pac
== 2) ?
1300 if (check_crypto_binding
) {
1301 if (tlv
.crypto_binding
== NULL
) {
1302 wpa_printf(MSG_DEBUG
, "EAP-FAST: No Crypto-Binding "
1304 eap_fast_state(data
, FAILURE
);
1308 if (data
->final_result
&&
1309 tlv
.result
!= EAP_TLV_RESULT_SUCCESS
) {
1310 wpa_printf(MSG_DEBUG
, "EAP-FAST: Crypto-Binding TLV "
1311 "without Success Result");
1312 eap_fast_state(data
, FAILURE
);
1316 if (!data
->final_result
&&
1317 tlv
.iresult
!= EAP_TLV_RESULT_SUCCESS
) {
1318 wpa_printf(MSG_DEBUG
, "EAP-FAST: Crypto-Binding TLV "
1319 "without intermediate Success Result");
1320 eap_fast_state(data
, FAILURE
);
1324 if (eap_fast_validate_crypto_binding(data
, tlv
.crypto_binding
,
1325 tlv
.crypto_binding_len
)) {
1326 eap_fast_state(data
, FAILURE
);
1330 wpa_printf(MSG_DEBUG
, "EAP-FAST: Valid Crypto-Binding TLV "
1332 if (data
->final_result
) {
1333 wpa_printf(MSG_DEBUG
, "EAP-FAST: Authentication "
1334 "completed successfully");
1337 if (data
->anon_provisioning
&&
1338 sm
->eap_fast_prov
!= ANON_PROV
&&
1339 sm
->eap_fast_prov
!= BOTH_PROV
) {
1340 wpa_printf(MSG_DEBUG
, "EAP-FAST: Client is trying to "
1341 "use unauthenticated provisioning which is "
1343 eap_fast_state(data
, FAILURE
);
1347 if (sm
->eap_fast_prov
!= AUTH_PROV
&&
1348 sm
->eap_fast_prov
!= BOTH_PROV
&&
1349 tlv
.request_action
== EAP_TLV_ACTION_PROCESS_TLV
&&
1350 eap_fast_pac_type(tlv
.pac
, tlv
.pac_len
,
1351 PAC_TYPE_TUNNEL_PAC
)) {
1352 wpa_printf(MSG_DEBUG
, "EAP-FAST: Client is trying to "
1353 "use authenticated provisioning which is "
1355 eap_fast_state(data
, FAILURE
);
1359 if (data
->anon_provisioning
||
1360 (tlv
.request_action
== EAP_TLV_ACTION_PROCESS_TLV
&&
1361 eap_fast_pac_type(tlv
.pac
, tlv
.pac_len
,
1362 PAC_TYPE_TUNNEL_PAC
))) {
1363 wpa_printf(MSG_DEBUG
, "EAP-FAST: Requested a new "
1365 eap_fast_state(data
, REQUEST_PAC
);
1366 } else if (data
->send_new_pac
) {
1367 wpa_printf(MSG_DEBUG
, "EAP-FAST: Server triggered "
1368 "re-keying of Tunnel PAC");
1369 eap_fast_state(data
, REQUEST_PAC
);
1370 } else if (data
->final_result
)
1371 eap_fast_state(data
, SUCCESS
);
1374 if (tlv
.eap_payload_tlv
) {
1375 eap_fast_process_phase2_eap(sm
, data
, tlv
.eap_payload_tlv
,
1376 tlv
.eap_payload_tlv_len
);
1381 static void eap_fast_process_phase2(struct eap_sm
*sm
,
1382 struct eap_fast_data
*data
,
1383 struct wpabuf
*in_buf
)
1385 struct wpabuf
*in_decrypted
;
1387 wpa_printf(MSG_DEBUG
, "EAP-FAST: Received %lu bytes encrypted data for"
1388 " Phase 2", (unsigned long) wpabuf_len(in_buf
));
1390 if (data
->pending_phase2_resp
) {
1391 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Pending Phase 2 response - "
1392 "skip decryption and use old data");
1393 eap_fast_process_phase2_tlvs(sm
, data
,
1394 data
->pending_phase2_resp
);
1395 wpabuf_free(data
->pending_phase2_resp
);
1396 data
->pending_phase2_resp
= NULL
;
1400 in_decrypted
= tls_connection_decrypt(sm
->ssl_ctx
, data
->ssl
.conn
,
1402 if (in_decrypted
== NULL
) {
1403 wpa_printf(MSG_INFO
, "EAP-FAST: Failed to decrypt Phase 2 "
1405 eap_fast_state(data
, FAILURE
);
1409 wpa_hexdump_buf_key(MSG_DEBUG
, "EAP-FAST: Decrypted Phase 2 TLVs",
1412 eap_fast_process_phase2_tlvs(sm
, data
, in_decrypted
);
1414 if (sm
->method_pending
== METHOD_PENDING_WAIT
) {
1415 wpa_printf(MSG_DEBUG
, "EAP-FAST: Phase2 method is in "
1416 "pending wait state - save decrypted response");
1417 wpabuf_free(data
->pending_phase2_resp
);
1418 data
->pending_phase2_resp
= in_decrypted
;
1422 wpabuf_free(in_decrypted
);
1426 static int eap_fast_process_version(struct eap_sm
*sm
, void *priv
,
1429 struct eap_fast_data
*data
= priv
;
1431 data
->peer_version
= peer_version
;
1433 if (data
->force_version
>= 0 && peer_version
!= data
->force_version
) {
1434 wpa_printf(MSG_INFO
, "EAP-FAST: peer did not select the forced"
1435 " version (forced=%d peer=%d) - reject",
1436 data
->force_version
, peer_version
);
1440 if (peer_version
< data
->fast_version
) {
1441 wpa_printf(MSG_DEBUG
, "EAP-FAST: peer ver=%d, own ver=%d; "
1443 peer_version
, data
->fast_version
, peer_version
);
1444 data
->fast_version
= peer_version
;
1451 static int eap_fast_process_phase1(struct eap_sm
*sm
,
1452 struct eap_fast_data
*data
)
1454 if (eap_server_tls_phase1(sm
, &data
->ssl
) < 0) {
1455 wpa_printf(MSG_INFO
, "EAP-FAST: TLS processing failed");
1456 eap_fast_state(data
, FAILURE
);
1460 if (!tls_connection_established(sm
->ssl_ctx
, data
->ssl
.conn
) ||
1461 wpabuf_len(data
->ssl
.tls_out
) > 0)
1465 * Phase 1 was completed with the received message (e.g., when using
1466 * abbreviated handshake), so Phase 2 can be started immediately
1467 * without having to send through an empty message to the peer.
1470 return eap_fast_phase1_done(sm
, data
);
1474 static int eap_fast_process_phase2_start(struct eap_sm
*sm
,
1475 struct eap_fast_data
*data
)
1479 if (data
->identity
) {
1480 os_free(sm
->identity
);
1481 sm
->identity
= data
->identity
;
1482 data
->identity
= NULL
;
1483 sm
->identity_len
= data
->identity_len
;
1484 data
->identity_len
= 0;
1485 sm
->require_identity_match
= 1;
1486 if (eap_user_get(sm
, sm
->identity
, sm
->identity_len
, 1) != 0) {
1487 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-FAST: "
1488 "Phase2 Identity not found "
1489 "in the user database",
1490 sm
->identity
, sm
->identity_len
);
1491 next_type
= eap_fast_req_failure(sm
, data
);
1493 wpa_printf(MSG_DEBUG
, "EAP-FAST: Identity already "
1494 "known - skip Phase 2 Identity Request");
1495 next_type
= sm
->user
->methods
[0].method
;
1496 sm
->user_eap_method_index
= 1;
1499 eap_fast_state(data
, PHASE2_METHOD
);
1501 eap_fast_state(data
, PHASE2_ID
);
1502 next_type
= EAP_TYPE_IDENTITY
;
1505 return eap_fast_phase2_init(sm
, data
, next_type
);
1509 static void eap_fast_process_msg(struct eap_sm
*sm
, void *priv
,
1510 const struct wpabuf
*respData
)
1512 struct eap_fast_data
*data
= priv
;
1514 switch (data
->state
) {
1516 if (eap_fast_process_phase1(sm
, data
))
1521 eap_fast_process_phase2_start(sm
, data
);
1525 case CRYPTO_BINDING
:
1527 eap_fast_process_phase2(sm
, data
, data
->ssl
.tls_in
);
1530 wpa_printf(MSG_DEBUG
, "EAP-FAST: Unexpected state %d in %s",
1531 data
->state
, __func__
);
1537 static void eap_fast_process(struct eap_sm
*sm
, void *priv
,
1538 struct wpabuf
*respData
)
1540 struct eap_fast_data
*data
= priv
;
1541 if (eap_server_tls_process(sm
, &data
->ssl
, respData
, data
,
1542 EAP_TYPE_FAST
, eap_fast_process_version
,
1543 eap_fast_process_msg
) < 0)
1544 eap_fast_state(data
, FAILURE
);
1548 static Boolean
eap_fast_isDone(struct eap_sm
*sm
, void *priv
)
1550 struct eap_fast_data
*data
= priv
;
1551 return data
->state
== SUCCESS
|| data
->state
== FAILURE
;
1555 static u8
* eap_fast_getKey(struct eap_sm
*sm
, void *priv
, size_t *len
)
1557 struct eap_fast_data
*data
= priv
;
1560 if (data
->state
!= SUCCESS
)
1563 eapKeyData
= os_malloc(EAP_FAST_KEY_LEN
);
1564 if (eapKeyData
== NULL
)
1567 if (eap_fast_derive_eap_msk(data
->simck
, eapKeyData
) < 0) {
1568 os_free(eapKeyData
);
1571 *len
= EAP_FAST_KEY_LEN
;
1577 static u8
* eap_fast_get_emsk(struct eap_sm
*sm
, void *priv
, size_t *len
)
1579 struct eap_fast_data
*data
= priv
;
1582 if (data
->state
!= SUCCESS
)
1585 eapKeyData
= os_malloc(EAP_EMSK_LEN
);
1586 if (eapKeyData
== NULL
)
1589 if (eap_fast_derive_eap_emsk(data
->simck
, eapKeyData
) < 0) {
1590 os_free(eapKeyData
);
1593 *len
= EAP_EMSK_LEN
;
1599 static Boolean
eap_fast_isSuccess(struct eap_sm
*sm
, void *priv
)
1601 struct eap_fast_data
*data
= priv
;
1602 return data
->state
== SUCCESS
;
1606 static u8
* eap_fast_get_session_id(struct eap_sm
*sm
, void *priv
, size_t *len
)
1608 struct eap_fast_data
*data
= priv
;
1610 if (data
->state
!= SUCCESS
)
1613 return eap_server_tls_derive_session_id(sm
, &data
->ssl
, EAP_TYPE_FAST
,
1618 int eap_server_fast_register(void)
1620 struct eap_method
*eap
;
1622 eap
= eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION
,
1623 EAP_VENDOR_IETF
, EAP_TYPE_FAST
, "FAST");
1627 eap
->init
= eap_fast_init
;
1628 eap
->reset
= eap_fast_reset
;
1629 eap
->buildReq
= eap_fast_buildReq
;
1630 eap
->check
= eap_fast_check
;
1631 eap
->process
= eap_fast_process
;
1632 eap
->isDone
= eap_fast_isDone
;
1633 eap
->getKey
= eap_fast_getKey
;
1634 eap
->get_emsk
= eap_fast_get_emsk
;
1635 eap
->isSuccess
= eap_fast_isSuccess
;
1636 eap
->getSessionId
= eap_fast_get_session_id
;
1638 return eap_server_method_register(eap
);