2008-02-28 02:34:43 +01:00
|
|
|
/*
|
|
|
|
* EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
|
2019-02-01 22:52:28 +01:00
|
|
|
* Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
|
2008-02-28 02:34:43 +01:00
|
|
|
*
|
2012-02-11 15:46:35 +01:00
|
|
|
* This software may be distributed under the terms of the BSD license.
|
|
|
|
* See README for more details.
|
2008-02-28 02:34:43 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "includes.h"
|
|
|
|
|
|
|
|
#include "common.h"
|
2008-03-18 11:19:52 +01:00
|
|
|
#include "crypto/sha1.h"
|
2009-11-29 22:04:43 +01:00
|
|
|
#include "crypto/tls.h"
|
|
|
|
#include "eap_common/eap_tlv_common.h"
|
|
|
|
#include "eap_common/eap_peap_common.h"
|
2008-02-28 02:34:43 +01:00
|
|
|
#include "eap_i.h"
|
|
|
|
#include "eap_tls_common.h"
|
|
|
|
#include "eap_config.h"
|
2008-04-08 15:15:56 +02:00
|
|
|
#include "tncc.h"
|
2008-02-28 02:34:43 +01:00
|
|
|
|
|
|
|
|
|
|
|
/* Maximum supported PEAP version
|
|
|
|
* 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
|
|
|
|
* 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
|
|
|
|
*/
|
|
|
|
#define EAP_PEAP_VERSION 1
|
|
|
|
|
|
|
|
|
|
|
|
static void eap_peap_deinit(struct eap_sm *sm, void *priv);
|
|
|
|
|
|
|
|
|
|
|
|
struct eap_peap_data {
|
|
|
|
struct eap_ssl_data ssl;
|
|
|
|
|
|
|
|
int peap_version, force_peap_version, force_new_label;
|
|
|
|
|
|
|
|
const struct eap_method *phase2_method;
|
|
|
|
void *phase2_priv;
|
|
|
|
int phase2_success;
|
|
|
|
int phase2_eap_success;
|
|
|
|
int phase2_eap_started;
|
|
|
|
|
|
|
|
struct eap_method_type phase2_type;
|
|
|
|
struct eap_method_type *phase2_types;
|
|
|
|
size_t num_phase2_types;
|
|
|
|
|
|
|
|
int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner
|
|
|
|
* EAP-Success
|
|
|
|
* 1 = reply with tunneled EAP-Success to inner
|
|
|
|
* EAP-Success and expect AS to send outer
|
|
|
|
* (unencrypted) EAP-Success after this
|
|
|
|
* 2 = reply with PEAP/TLS ACK to inner
|
|
|
|
* EAP-Success and expect AS to send outer
|
|
|
|
* (unencrypted) EAP-Success after this */
|
|
|
|
int resuming; /* starting a resumed session */
|
2008-11-26 12:27:40 +01:00
|
|
|
int reauth; /* reauthentication */
|
2008-02-28 02:34:43 +01:00
|
|
|
u8 *key_data;
|
2013-02-06 17:52:33 +01:00
|
|
|
u8 *session_id;
|
|
|
|
size_t id_len;
|
2008-02-28 02:34:43 +01:00
|
|
|
|
|
|
|
struct wpabuf *pending_phase2_req;
|
EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 17:16:54 +01:00
|
|
|
struct wpabuf *pending_resp;
|
2008-03-18 11:19:52 +01:00
|
|
|
enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
|
|
|
|
int crypto_binding_used;
|
2008-11-19 18:25:14 +01:00
|
|
|
u8 binding_nonce[32];
|
2008-03-18 11:19:52 +01:00
|
|
|
u8 ipmk[40];
|
|
|
|
u8 cmk[20];
|
2008-04-08 15:15:56 +02:00
|
|
|
int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
|
|
|
|
* is enabled. */
|
2008-02-28 02:34:43 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
2015-12-19 18:54:56 +01:00
|
|
|
static void eap_peap_parse_phase1(struct eap_peap_data *data,
|
|
|
|
const char *phase1)
|
2008-02-28 02:34:43 +01:00
|
|
|
{
|
|
|
|
const char *pos;
|
|
|
|
|
|
|
|
pos = os_strstr(phase1, "peapver=");
|
|
|
|
if (pos) {
|
|
|
|
data->force_peap_version = atoi(pos + 8);
|
|
|
|
data->peap_version = data->force_peap_version;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d",
|
|
|
|
data->force_peap_version);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (os_strstr(phase1, "peaplabel=1")) {
|
|
|
|
data->force_new_label = 1;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key "
|
|
|
|
"derivation");
|
|
|
|
}
|
|
|
|
|
|
|
|
if (os_strstr(phase1, "peap_outer_success=0")) {
|
|
|
|
data->peap_outer_success = 0;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on "
|
|
|
|
"tunneled EAP-Success");
|
|
|
|
} else if (os_strstr(phase1, "peap_outer_success=1")) {
|
|
|
|
data->peap_outer_success = 1;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success "
|
|
|
|
"after receiving tunneled EAP-Success");
|
|
|
|
} else if (os_strstr(phase1, "peap_outer_success=2")) {
|
|
|
|
data->peap_outer_success = 2;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after "
|
|
|
|
"receiving tunneled EAP-Success");
|
|
|
|
}
|
|
|
|
|
2008-04-08 13:57:39 +02:00
|
|
|
if (os_strstr(phase1, "crypto_binding=0")) {
|
|
|
|
data->crypto_binding = NO_BINDING;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding");
|
|
|
|
} else if (os_strstr(phase1, "crypto_binding=1")) {
|
|
|
|
data->crypto_binding = OPTIONAL_BINDING;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding");
|
|
|
|
} else if (os_strstr(phase1, "crypto_binding=2")) {
|
|
|
|
data->crypto_binding = REQUIRE_BINDING;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
|
|
|
|
}
|
|
|
|
|
2008-04-08 15:15:56 +02:00
|
|
|
#ifdef EAP_TNC
|
2008-12-07 20:00:42 +01:00
|
|
|
if (os_strstr(phase1, "tnc=soh2")) {
|
|
|
|
data->soh = 2;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled");
|
|
|
|
} else if (os_strstr(phase1, "tnc=soh1")) {
|
2008-04-08 15:15:56 +02:00
|
|
|
data->soh = 1;
|
2008-12-07 20:00:42 +01:00
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled");
|
|
|
|
} else if (os_strstr(phase1, "tnc=soh")) {
|
|
|
|
data->soh = 2;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled");
|
2008-04-08 15:15:56 +02:00
|
|
|
}
|
|
|
|
#endif /* EAP_TNC */
|
2008-02-28 02:34:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void * eap_peap_init(struct eap_sm *sm)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data;
|
|
|
|
struct eap_peer_config *config = eap_get_config(sm);
|
|
|
|
|
|
|
|
data = os_zalloc(sizeof(*data));
|
|
|
|
if (data == NULL)
|
|
|
|
return NULL;
|
|
|
|
sm->peap_done = FALSE;
|
|
|
|
data->peap_version = EAP_PEAP_VERSION;
|
|
|
|
data->force_peap_version = -1;
|
|
|
|
data->peap_outer_success = 2;
|
2008-12-14 23:15:54 +01:00
|
|
|
data->crypto_binding = OPTIONAL_BINDING;
|
2008-02-28 02:34:43 +01:00
|
|
|
|
2015-12-19 18:54:56 +01:00
|
|
|
if (config && config->phase1)
|
|
|
|
eap_peap_parse_phase1(data, config->phase1);
|
2008-02-28 02:34:43 +01:00
|
|
|
|
|
|
|
if (eap_peer_select_phase2_methods(config, "auth=",
|
|
|
|
&data->phase2_types,
|
|
|
|
&data->num_phase2_types) < 0) {
|
|
|
|
eap_peap_deinit(sm, data);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
data->phase2_type.vendor = EAP_VENDOR_IETF;
|
|
|
|
data->phase2_type.method = EAP_TYPE_NONE;
|
|
|
|
|
2012-08-17 21:26:28 +02:00
|
|
|
if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) {
|
2008-02-28 02:34:43 +01:00
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
|
|
|
|
eap_peap_deinit(sm, data);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-06-29 20:16:30 +02:00
|
|
|
static void eap_peap_free_key(struct eap_peap_data *data)
|
|
|
|
{
|
|
|
|
if (data->key_data) {
|
2019-02-01 22:52:28 +01:00
|
|
|
bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
|
2014-06-29 20:16:30 +02:00
|
|
|
data->key_data = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
static void eap_peap_deinit(struct eap_sm *sm, void *priv)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
|
|
|
if (data == NULL)
|
|
|
|
return;
|
|
|
|
if (data->phase2_priv && data->phase2_method)
|
|
|
|
data->phase2_method->deinit(sm, data->phase2_priv);
|
|
|
|
os_free(data->phase2_types);
|
|
|
|
eap_peer_tls_ssl_deinit(sm, &data->ssl);
|
2014-06-29 20:16:30 +02:00
|
|
|
eap_peap_free_key(data);
|
2013-02-06 17:52:33 +01:00
|
|
|
os_free(data->session_id);
|
2008-02-28 02:34:43 +01:00
|
|
|
wpabuf_free(data->pending_phase2_req);
|
EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 17:16:54 +01:00
|
|
|
wpabuf_free(data->pending_resp);
|
2008-02-28 02:34:43 +01:00
|
|
|
os_free(data);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-03-18 10:26:17 +01:00
|
|
|
/**
|
|
|
|
* eap_tlv_build_nak - Build EAP-TLV NAK message
|
|
|
|
* @id: EAP identifier for the header
|
|
|
|
* @nak_type: TLV type (EAP_TLV_*)
|
|
|
|
* Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure
|
|
|
|
*
|
2011-09-21 23:43:59 +02:00
|
|
|
* This function builds an EAP-TLV NAK message. The caller is responsible for
|
2008-03-18 10:26:17 +01:00
|
|
|
* freeing the returned buffer.
|
|
|
|
*/
|
|
|
|
static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type)
|
|
|
|
{
|
|
|
|
struct wpabuf *msg;
|
|
|
|
|
|
|
|
msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10,
|
|
|
|
EAP_CODE_RESPONSE, id);
|
|
|
|
if (msg == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
wpabuf_put_u8(msg, 0x80); /* Mandatory */
|
|
|
|
wpabuf_put_u8(msg, EAP_TLV_NAK_TLV);
|
|
|
|
wpabuf_put_be16(msg, 6); /* Length */
|
|
|
|
wpabuf_put_be32(msg, 0); /* Vendor-Id */
|
|
|
|
wpabuf_put_be16(msg, nak_type); /* NAK-Type */
|
|
|
|
|
|
|
|
return msg;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-03-18 11:19:52 +01:00
|
|
|
static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data,
|
|
|
|
u8 *isk, size_t isk_len)
|
|
|
|
{
|
|
|
|
u8 *key;
|
|
|
|
size_t key_len;
|
|
|
|
|
|
|
|
os_memset(isk, 0, isk_len);
|
|
|
|
if (data->phase2_method == NULL || data->phase2_priv == NULL ||
|
|
|
|
data->phase2_method->isKeyAvailable == NULL ||
|
|
|
|
data->phase2_method->getKey == NULL)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) ||
|
|
|
|
(key = data->phase2_method->getKey(sm, data->phase2_priv,
|
|
|
|
&key_len)) == NULL) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material "
|
|
|
|
"from Phase 2");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (key_len > isk_len)
|
|
|
|
key_len = isk_len;
|
|
|
|
os_memcpy(isk, key, key_len);
|
|
|
|
os_free(key);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
|
|
|
|
{
|
|
|
|
u8 *tk;
|
|
|
|
u8 isk[32], imck[60];
|
2016-01-05 22:50:50 +01:00
|
|
|
int resumed;
|
2008-03-18 11:19:52 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Tunnel key (TK) is the first 60 octets of the key generated by
|
|
|
|
* phase 1 of PEAP (based on TLS).
|
|
|
|
*/
|
|
|
|
tk = data->key_data;
|
|
|
|
if (tk == NULL)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
|
|
|
|
|
2016-01-05 22:50:50 +01:00
|
|
|
resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn);
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d",
|
|
|
|
data->reauth, resumed, data->phase2_eap_started,
|
|
|
|
data->phase2_success);
|
|
|
|
if (data->reauth && !data->phase2_eap_started && resumed) {
|
2008-11-26 12:27:40 +01:00
|
|
|
/* Fast-connect: IPMK|CMK = TK */
|
|
|
|
os_memcpy(data->ipmk, tk, 40);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
|
|
|
|
data->ipmk, 40);
|
|
|
|
os_memcpy(data->cmk, tk + 40, 20);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK",
|
|
|
|
data->cmk, 20);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-03-18 11:19:52 +01:00
|
|
|
if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
|
|
|
|
|
|
|
|
/*
|
|
|
|
* IPMK Seed = "Inner Methods Compound Keys" | ISK
|
|
|
|
* TempKey = First 40 octets of TK
|
|
|
|
* IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
|
|
|
|
* (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
|
|
|
|
* in the end of the label just before ISK; is that just a typo?)
|
|
|
|
*/
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
|
2011-11-13 10:29:17 +01:00
|
|
|
if (peap_prfplus(data->peap_version, tk, 40,
|
|
|
|
"Inner Methods Compound Keys",
|
|
|
|
isk, sizeof(isk), imck, sizeof(imck)) < 0)
|
|
|
|
return -1;
|
2008-03-18 11:19:52 +01:00
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
|
|
|
|
imck, sizeof(imck));
|
|
|
|
|
|
|
|
os_memcpy(data->ipmk, imck, 40);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
|
|
|
|
os_memcpy(data->cmk, imck + 40, 20);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int eap_tlv_add_cryptobinding(struct eap_sm *sm,
|
|
|
|
struct eap_peap_data *data,
|
|
|
|
struct wpabuf *buf)
|
|
|
|
{
|
|
|
|
u8 *mac;
|
|
|
|
u8 eap_type = EAP_TYPE_PEAP;
|
|
|
|
const u8 *addr[2];
|
|
|
|
size_t len[2];
|
|
|
|
u16 tlv_type;
|
|
|
|
|
|
|
|
/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
|
|
|
|
addr[0] = wpabuf_put(buf, 0);
|
|
|
|
len[0] = 60;
|
|
|
|
addr[1] = &eap_type;
|
|
|
|
len[1] = 1;
|
|
|
|
|
|
|
|
tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
|
|
|
|
wpabuf_put_be16(buf, tlv_type);
|
|
|
|
wpabuf_put_be16(buf, 56);
|
|
|
|
|
|
|
|
wpabuf_put_u8(buf, 0); /* Reserved */
|
|
|
|
wpabuf_put_u8(buf, data->peap_version); /* Version */
|
|
|
|
wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */
|
|
|
|
wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */
|
2008-11-19 18:25:14 +01:00
|
|
|
wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
|
2008-03-18 11:19:52 +01:00
|
|
|
mac = wpabuf_put(buf, 20); /* Compound_MAC */
|
|
|
|
wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20);
|
|
|
|
wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
|
|
|
|
addr[0], len[0]);
|
|
|
|
wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
|
|
|
|
addr[1], len[1]);
|
2015-12-19 19:34:27 +01:00
|
|
|
if (hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac) < 0)
|
|
|
|
return -1;
|
2008-03-18 11:19:52 +01:00
|
|
|
wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN);
|
|
|
|
data->crypto_binding_used = 1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-03-18 10:26:17 +01:00
|
|
|
/**
|
|
|
|
* eap_tlv_build_result - Build EAP-TLV Result message
|
|
|
|
* @id: EAP identifier for the header
|
|
|
|
* @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE)
|
|
|
|
* Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure
|
|
|
|
*
|
2011-09-21 23:43:59 +02:00
|
|
|
* This function builds an EAP-TLV Result message. The caller is responsible
|
|
|
|
* for freeing the returned buffer.
|
2008-03-18 10:26:17 +01:00
|
|
|
*/
|
2008-03-18 11:19:52 +01:00
|
|
|
static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm,
|
|
|
|
struct eap_peap_data *data,
|
|
|
|
int crypto_tlv_used,
|
|
|
|
int id, u16 status)
|
2008-03-18 10:26:17 +01:00
|
|
|
{
|
|
|
|
struct wpabuf *msg;
|
2008-03-18 11:19:52 +01:00
|
|
|
size_t len;
|
|
|
|
|
|
|
|
if (data->crypto_binding == NO_BINDING)
|
|
|
|
crypto_tlv_used = 0;
|
2008-03-18 10:26:17 +01:00
|
|
|
|
2008-03-18 11:19:52 +01:00
|
|
|
len = 6;
|
|
|
|
if (crypto_tlv_used)
|
|
|
|
len += 60; /* Cryptobinding TLV */
|
|
|
|
msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len,
|
2008-03-18 10:26:17 +01:00
|
|
|
EAP_CODE_RESPONSE, id);
|
|
|
|
if (msg == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
wpabuf_put_u8(msg, 0x80); /* Mandatory */
|
|
|
|
wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV);
|
|
|
|
wpabuf_put_be16(msg, 2); /* Length */
|
|
|
|
wpabuf_put_be16(msg, status); /* Status */
|
|
|
|
|
2008-03-18 11:19:52 +01:00
|
|
|
if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) {
|
|
|
|
wpabuf_free(msg);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2008-03-18 10:26:17 +01:00
|
|
|
return msg;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-03-18 11:19:52 +01:00
|
|
|
static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
|
|
|
|
struct eap_peap_data *data,
|
|
|
|
const u8 *crypto_tlv,
|
|
|
|
size_t crypto_tlv_len)
|
|
|
|
{
|
|
|
|
u8 buf[61], mac[SHA1_MAC_LEN];
|
|
|
|
const u8 *pos;
|
|
|
|
|
|
|
|
if (eap_peap_derive_cmk(sm, data) < 0) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (crypto_tlv_len != 4 + 56) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
|
|
|
|
"length %d", (int) crypto_tlv_len);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
pos = crypto_tlv;
|
|
|
|
pos += 4; /* TLV header */
|
|
|
|
if (pos[1] != data->peap_version) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
|
|
|
|
"mismatch (was %d; expected %d)",
|
|
|
|
pos[1], data->peap_version);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pos[3] != 0) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
|
|
|
|
"SubType %d", pos[3]);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
pos += 4;
|
2008-11-19 18:25:14 +01:00
|
|
|
os_memcpy(data->binding_nonce, pos, 32);
|
2008-03-18 11:19:52 +01:00
|
|
|
pos += 32; /* Nonce */
|
|
|
|
|
|
|
|
/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
|
|
|
|
os_memcpy(buf, crypto_tlv, 60);
|
|
|
|
os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
|
|
|
|
buf[60] = EAP_TYPE_PEAP;
|
2008-11-19 18:25:14 +01:00
|
|
|
wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data",
|
|
|
|
buf, sizeof(buf));
|
2008-03-18 11:19:52 +01:00
|
|
|
hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
|
|
|
|
|
2014-06-29 19:22:44 +02:00
|
|
|
if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) {
|
2008-03-18 11:19:52 +01:00
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
|
|
|
|
"cryptobinding TLV");
|
2008-11-19 18:25:14 +01:00
|
|
|
wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC",
|
|
|
|
pos, SHA1_MAC_LEN);
|
|
|
|
wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC",
|
|
|
|
mac, SHA1_MAC_LEN);
|
2008-03-18 11:19:52 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-03-18 10:26:17 +01:00
|
|
|
/**
|
|
|
|
* eap_tlv_process - Process a received EAP-TLV message and generate a response
|
|
|
|
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
|
|
|
|
* @ret: Return values from EAP request validation and processing
|
|
|
|
* @req: EAP-TLV request to be processed. The caller must have validated that
|
|
|
|
* the buffer is large enough to contain full request (hdr->length bytes) and
|
|
|
|
* that the EAP type is EAP_TYPE_TLV.
|
|
|
|
* @resp: Buffer to return a pointer to the allocated response message. This
|
|
|
|
* field should be initialized to %NULL before the call. The value will be
|
|
|
|
* updated if a response message is generated. The caller is responsible for
|
|
|
|
* freeing the allocated message.
|
|
|
|
* @force_failure: Force negotiation to fail
|
|
|
|
* Returns: 0 on success, -1 on failure
|
|
|
|
*/
|
2008-03-18 11:19:52 +01:00
|
|
|
static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
|
|
|
|
struct eap_method_ret *ret,
|
2008-03-18 10:26:17 +01:00
|
|
|
const struct wpabuf *req, struct wpabuf **resp,
|
|
|
|
int force_failure)
|
|
|
|
{
|
|
|
|
size_t left, tlv_len;
|
|
|
|
const u8 *pos;
|
2008-03-18 11:19:52 +01:00
|
|
|
const u8 *result_tlv = NULL, *crypto_tlv = NULL;
|
|
|
|
size_t result_tlv_len = 0, crypto_tlv_len = 0;
|
2008-03-18 10:26:17 +01:00
|
|
|
int tlv_type, mandatory;
|
|
|
|
|
|
|
|
/* Parse TLVs */
|
|
|
|
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left);
|
|
|
|
if (pos == NULL)
|
|
|
|
return -1;
|
|
|
|
wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left);
|
|
|
|
while (left >= 4) {
|
|
|
|
mandatory = !!(pos[0] & 0x80);
|
|
|
|
tlv_type = WPA_GET_BE16(pos) & 0x3fff;
|
|
|
|
pos += 2;
|
|
|
|
tlv_len = WPA_GET_BE16(pos);
|
|
|
|
pos += 2;
|
|
|
|
left -= 4;
|
|
|
|
if (tlv_len > left) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun "
|
|
|
|
"(tlv_len=%lu left=%lu)",
|
|
|
|
(unsigned long) tlv_len,
|
|
|
|
(unsigned long) left);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
switch (tlv_type) {
|
|
|
|
case EAP_TLV_RESULT_TLV:
|
|
|
|
result_tlv = pos;
|
|
|
|
result_tlv_len = tlv_len;
|
|
|
|
break;
|
2008-03-18 11:19:52 +01:00
|
|
|
case EAP_TLV_CRYPTO_BINDING_TLV:
|
|
|
|
crypto_tlv = pos;
|
|
|
|
crypto_tlv_len = tlv_len;
|
|
|
|
break;
|
2008-03-18 10:26:17 +01:00
|
|
|
default:
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type "
|
|
|
|
"%d%s", tlv_type,
|
|
|
|
mandatory ? " (mandatory)" : "");
|
|
|
|
if (mandatory) {
|
|
|
|
/* NAK TLV and ignore all TLVs in this packet.
|
|
|
|
*/
|
|
|
|
*resp = eap_tlv_build_nak(eap_get_id(req),
|
|
|
|
tlv_type);
|
|
|
|
return *resp == NULL ? -1 : 0;
|
|
|
|
}
|
|
|
|
/* Ignore this TLV, but process other TLVs */
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
pos += tlv_len;
|
|
|
|
left -= tlv_len;
|
|
|
|
}
|
|
|
|
if (left) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in "
|
|
|
|
"Request (left=%lu)", (unsigned long) left);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Process supported TLVs */
|
2008-03-18 11:19:52 +01:00
|
|
|
if (crypto_tlv && data->crypto_binding != NO_BINDING) {
|
|
|
|
wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
|
|
|
|
crypto_tlv, crypto_tlv_len);
|
|
|
|
if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
|
|
|
|
crypto_tlv_len + 4) < 0) {
|
|
|
|
if (result_tlv == NULL)
|
|
|
|
return -1;
|
|
|
|
force_failure = 1;
|
2008-11-19 18:25:14 +01:00
|
|
|
crypto_tlv = NULL; /* do not include Cryptobinding TLV
|
|
|
|
* in response, if the received
|
|
|
|
* cryptobinding was invalid. */
|
2008-03-18 11:19:52 +01:00
|
|
|
}
|
|
|
|
} else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2008-03-18 10:26:17 +01:00
|
|
|
if (result_tlv) {
|
|
|
|
int status, resp_status;
|
|
|
|
wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV",
|
|
|
|
result_tlv, result_tlv_len);
|
|
|
|
if (result_tlv_len < 2) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV "
|
|
|
|
"(len=%lu)",
|
|
|
|
(unsigned long) result_tlv_len);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
status = WPA_GET_BE16(result_tlv);
|
|
|
|
if (status == EAP_TLV_RESULT_SUCCESS) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success "
|
|
|
|
"- EAP-TLV/Phase2 Completed");
|
|
|
|
if (force_failure) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure"
|
|
|
|
" - force failed Phase 2");
|
|
|
|
resp_status = EAP_TLV_RESULT_FAILURE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
} else {
|
|
|
|
resp_status = EAP_TLV_RESULT_SUCCESS;
|
|
|
|
ret->decision = DECISION_UNCOND_SUCC;
|
|
|
|
}
|
|
|
|
} else if (status == EAP_TLV_RESULT_FAILURE) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure");
|
|
|
|
resp_status = EAP_TLV_RESULT_FAILURE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
} else {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result "
|
|
|
|
"Status %d", status);
|
|
|
|
resp_status = EAP_TLV_RESULT_FAILURE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
}
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
|
2008-03-18 11:19:52 +01:00
|
|
|
*resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL,
|
|
|
|
eap_get_id(req), resp_status);
|
2008-03-18 10:26:17 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
static int eap_peap_phase2_request(struct eap_sm *sm,
|
|
|
|
struct eap_peap_data *data,
|
|
|
|
struct eap_method_ret *ret,
|
|
|
|
struct wpabuf *req,
|
|
|
|
struct wpabuf **resp)
|
|
|
|
{
|
|
|
|
struct eap_hdr *hdr = wpabuf_mhead(req);
|
|
|
|
size_t len = be_to_host16(hdr->length);
|
|
|
|
u8 *pos;
|
|
|
|
struct eap_method_ret iret;
|
|
|
|
struct eap_peer_config *config = eap_get_config(sm);
|
|
|
|
|
|
|
|
if (len <= sizeof(struct eap_hdr)) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: too short "
|
|
|
|
"Phase 2 request (len=%lu)", (unsigned long) len);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
pos = (u8 *) (hdr + 1);
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos);
|
|
|
|
switch (*pos) {
|
|
|
|
case EAP_TYPE_IDENTITY:
|
|
|
|
*resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
|
|
|
|
break;
|
|
|
|
case EAP_TYPE_TLV:
|
|
|
|
os_memset(&iret, 0, sizeof(iret));
|
2008-03-18 11:19:52 +01:00
|
|
|
if (eap_tlv_process(sm, data, &iret, req, resp,
|
2008-02-28 02:34:43 +01:00
|
|
|
data->phase2_eap_started &&
|
|
|
|
!data->phase2_eap_success)) {
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (iret.methodState == METHOD_DONE ||
|
|
|
|
iret.methodState == METHOD_MAY_CONT) {
|
|
|
|
ret->methodState = iret.methodState;
|
|
|
|
ret->decision = iret.decision;
|
|
|
|
data->phase2_success = 1;
|
|
|
|
}
|
|
|
|
break;
|
2008-04-08 15:15:56 +02:00
|
|
|
case EAP_TYPE_EXPANDED:
|
|
|
|
#ifdef EAP_TNC
|
|
|
|
if (data->soh) {
|
|
|
|
const u8 *epos;
|
|
|
|
size_t eleft;
|
|
|
|
|
|
|
|
epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21,
|
|
|
|
req, &eleft);
|
|
|
|
if (epos) {
|
|
|
|
struct wpabuf *buf;
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: SoH EAP Extensions");
|
2008-12-07 20:00:42 +01:00
|
|
|
buf = tncc_process_soh_request(data->soh,
|
|
|
|
epos, eleft);
|
2008-04-08 15:15:56 +02:00
|
|
|
if (buf) {
|
|
|
|
*resp = eap_msg_alloc(
|
|
|
|
EAP_VENDOR_MICROSOFT, 0x21,
|
|
|
|
wpabuf_len(buf),
|
|
|
|
EAP_CODE_RESPONSE,
|
|
|
|
hdr->identifier);
|
|
|
|
if (*resp == NULL) {
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
2015-12-20 15:55:28 +01:00
|
|
|
wpabuf_free(buf);
|
2008-04-08 15:15:56 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
wpabuf_put_buf(*resp, buf);
|
|
|
|
wpabuf_free(buf);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* EAP_TNC */
|
|
|
|
/* fall through */
|
2008-02-28 02:34:43 +01:00
|
|
|
default:
|
|
|
|
if (data->phase2_type.vendor == EAP_VENDOR_IETF &&
|
|
|
|
data->phase2_type.method == EAP_TYPE_NONE) {
|
|
|
|
size_t i;
|
|
|
|
for (i = 0; i < data->num_phase2_types; i++) {
|
|
|
|
if (data->phase2_types[i].vendor !=
|
|
|
|
EAP_VENDOR_IETF ||
|
|
|
|
data->phase2_types[i].method != *pos)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
data->phase2_type.vendor =
|
|
|
|
data->phase2_types[i].vendor;
|
|
|
|
data->phase2_type.method =
|
|
|
|
data->phase2_types[i].method;
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected "
|
|
|
|
"Phase 2 EAP vendor %d method %d",
|
|
|
|
data->phase2_type.vendor,
|
|
|
|
data->phase2_type.method);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (*pos != data->phase2_type.method ||
|
|
|
|
*pos == EAP_TYPE_NONE) {
|
|
|
|
if (eap_peer_tls_phase2_nak(data->phase2_types,
|
|
|
|
data->num_phase2_types,
|
|
|
|
hdr, resp))
|
|
|
|
return -1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (data->phase2_priv == NULL) {
|
|
|
|
data->phase2_method = eap_peer_get_eap_method(
|
|
|
|
data->phase2_type.vendor,
|
|
|
|
data->phase2_type.method);
|
|
|
|
if (data->phase2_method) {
|
|
|
|
sm->init_phase2 = 1;
|
|
|
|
data->phase2_priv =
|
|
|
|
data->phase2_method->init(sm);
|
|
|
|
sm->init_phase2 = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (data->phase2_priv == NULL || data->phase2_method == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize "
|
|
|
|
"Phase 2 EAP method %d", *pos);
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
data->phase2_eap_started = 1;
|
|
|
|
os_memset(&iret, 0, sizeof(iret));
|
|
|
|
*resp = data->phase2_method->process(sm, data->phase2_priv,
|
|
|
|
&iret, req);
|
|
|
|
if ((iret.methodState == METHOD_DONE ||
|
|
|
|
iret.methodState == METHOD_MAY_CONT) &&
|
|
|
|
(iret.decision == DECISION_UNCOND_SUCC ||
|
|
|
|
iret.decision == DECISION_COND_SUCC)) {
|
|
|
|
data->phase2_eap_success = 1;
|
|
|
|
data->phase2_success = 1;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (*resp == NULL &&
|
|
|
|
(config->pending_req_identity || config->pending_req_password ||
|
2017-02-09 01:46:41 +01:00
|
|
|
config->pending_req_otp || config->pending_req_new_password ||
|
|
|
|
config->pending_req_sim)) {
|
2008-02-28 02:34:43 +01:00
|
|
|
wpabuf_free(data->pending_phase2_req);
|
|
|
|
data->pending_phase2_req = wpabuf_alloc_copy(hdr, len);
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data,
|
|
|
|
struct eap_method_ret *ret,
|
|
|
|
const struct eap_hdr *req,
|
|
|
|
const struct wpabuf *in_data,
|
|
|
|
struct wpabuf **out_data)
|
|
|
|
{
|
|
|
|
struct wpabuf *in_decrypted = NULL;
|
|
|
|
int res, skip_change = 0;
|
|
|
|
struct eap_hdr *hdr, *rhdr;
|
|
|
|
struct wpabuf *resp = NULL;
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
|
|
|
|
" Phase 2", (unsigned long) wpabuf_len(in_data));
|
|
|
|
|
|
|
|
if (data->pending_phase2_req) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - "
|
|
|
|
"skip decryption and use old data");
|
|
|
|
/* Clear TLS reassembly state. */
|
|
|
|
eap_peer_tls_reset_input(&data->ssl);
|
|
|
|
in_decrypted = data->pending_phase2_req;
|
|
|
|
data->pending_phase2_req = NULL;
|
|
|
|
skip_change = 1;
|
|
|
|
goto continue_req;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (wpabuf_len(in_data) == 0 && sm->workaround &&
|
|
|
|
data->phase2_success) {
|
|
|
|
/*
|
|
|
|
* Cisco ACS seems to be using TLS ACK to terminate
|
|
|
|
* EAP-PEAPv0/GTC. Try to reply with TLS ACK.
|
|
|
|
*/
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but "
|
|
|
|
"expected data - acknowledge with TLS ACK since "
|
|
|
|
"Phase 2 has been completed");
|
|
|
|
ret->decision = DECISION_COND_SUCC;
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
return 1;
|
|
|
|
} else if (wpabuf_len(in_data) == 0) {
|
|
|
|
/* Received TLS ACK - requesting more fragments */
|
|
|
|
return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP,
|
|
|
|
data->peap_version,
|
|
|
|
req->identifier, NULL, out_data);
|
|
|
|
}
|
|
|
|
|
|
|
|
res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
|
|
|
|
if (res)
|
|
|
|
return res;
|
|
|
|
|
|
|
|
continue_req:
|
|
|
|
wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
|
|
|
|
in_decrypted);
|
|
|
|
|
|
|
|
hdr = wpabuf_mhead(in_decrypted);
|
|
|
|
if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST &&
|
|
|
|
be_to_host16(hdr->length) == 5 &&
|
|
|
|
eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) {
|
|
|
|
/* At least FreeRADIUS seems to send full EAP header with
|
|
|
|
* EAP Request Identity */
|
|
|
|
skip_change = 1;
|
|
|
|
}
|
|
|
|
if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST &&
|
|
|
|
eap_get_type(in_decrypted) == EAP_TYPE_TLV) {
|
|
|
|
skip_change = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (data->peap_version == 0 && !skip_change) {
|
|
|
|
struct eap_hdr *nhdr;
|
|
|
|
struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) +
|
|
|
|
wpabuf_len(in_decrypted));
|
|
|
|
if (nmsg == NULL) {
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
nhdr = wpabuf_put(nmsg, sizeof(*nhdr));
|
|
|
|
wpabuf_put_buf(nmsg, in_decrypted);
|
|
|
|
nhdr->code = req->code;
|
|
|
|
nhdr->identifier = req->identifier;
|
|
|
|
nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
|
|
|
|
wpabuf_len(in_decrypted));
|
|
|
|
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
in_decrypted = nmsg;
|
|
|
|
}
|
|
|
|
|
|
|
|
hdr = wpabuf_mhead(in_decrypted);
|
|
|
|
if (wpabuf_len(in_decrypted) < sizeof(*hdr)) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
|
|
|
|
"EAP frame (len=%lu)",
|
|
|
|
(unsigned long) wpabuf_len(in_decrypted));
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
len = be_to_host16(hdr->length);
|
|
|
|
if (len > wpabuf_len(in_decrypted)) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
|
|
|
|
"Phase 2 EAP frame (len=%lu hdr->length=%lu)",
|
|
|
|
(unsigned long) wpabuf_len(in_decrypted),
|
|
|
|
(unsigned long) len);
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (len < wpabuf_len(in_decrypted)) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has "
|
|
|
|
"shorter length than full decrypted data "
|
|
|
|
"(%lu < %lu)",
|
|
|
|
(unsigned long) len,
|
|
|
|
(unsigned long) wpabuf_len(in_decrypted));
|
|
|
|
}
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
|
|
|
|
"identifier=%d length=%lu", hdr->code, hdr->identifier,
|
|
|
|
(unsigned long) len);
|
|
|
|
switch (hdr->code) {
|
|
|
|
case EAP_CODE_REQUEST:
|
|
|
|
if (eap_peap_phase2_request(sm, data, ret, in_decrypted,
|
|
|
|
&resp)) {
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request "
|
|
|
|
"processing failed");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case EAP_CODE_SUCCESS:
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
|
|
|
|
if (data->peap_version == 1) {
|
|
|
|
/* EAP-Success within TLS tunnel is used to indicate
|
|
|
|
* shutdown of the TLS channel. The authentication has
|
|
|
|
* been completed. */
|
|
|
|
if (data->phase2_eap_started &&
|
|
|
|
!data->phase2_eap_success) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
|
|
|
|
"Success used to indicate success, "
|
|
|
|
"but Phase 2 EAP was not yet "
|
|
|
|
"completed successfully");
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - "
|
|
|
|
"EAP-Success within TLS tunnel - "
|
|
|
|
"authentication completed");
|
|
|
|
ret->decision = DECISION_UNCOND_SUCC;
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
data->phase2_success = 1;
|
|
|
|
if (data->peap_outer_success == 2) {
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK "
|
|
|
|
"to finish authentication");
|
|
|
|
return 1;
|
|
|
|
} else if (data->peap_outer_success == 1) {
|
|
|
|
/* Reply with EAP-Success within the TLS
|
|
|
|
* channel to complete the authentication. */
|
|
|
|
resp = wpabuf_alloc(sizeof(struct eap_hdr));
|
|
|
|
if (resp) {
|
|
|
|
rhdr = wpabuf_put(resp, sizeof(*rhdr));
|
|
|
|
rhdr->code = EAP_CODE_SUCCESS;
|
|
|
|
rhdr->identifier = hdr->identifier;
|
|
|
|
rhdr->length =
|
|
|
|
host_to_be16(sizeof(*rhdr));
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* No EAP-Success expected for Phase 1 (outer,
|
|
|
|
* unencrypted auth), so force EAP state
|
|
|
|
* machine to SUCCESS state. */
|
|
|
|
sm->peap_done = TRUE;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* FIX: ? */
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case EAP_CODE_FAILURE:
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
ret->methodState = METHOD_MAY_CONT;
|
|
|
|
ret->allowNotifications = FALSE;
|
|
|
|
/* Reply with EAP-Failure within the TLS channel to complete
|
|
|
|
* failure reporting. */
|
|
|
|
resp = wpabuf_alloc(sizeof(struct eap_hdr));
|
|
|
|
if (resp) {
|
|
|
|
rhdr = wpabuf_put(resp, sizeof(*rhdr));
|
|
|
|
rhdr->code = EAP_CODE_FAILURE;
|
|
|
|
rhdr->identifier = hdr->identifier;
|
|
|
|
rhdr->length = host_to_be16(sizeof(*rhdr));
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
|
|
|
|
"Phase 2 EAP header", hdr->code);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
wpabuf_free(in_decrypted);
|
|
|
|
|
|
|
|
if (resp) {
|
|
|
|
int skip_change2 = 0;
|
|
|
|
struct wpabuf *rmsg, buf;
|
|
|
|
|
|
|
|
wpa_hexdump_buf_key(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: Encrypting Phase 2 data", resp);
|
|
|
|
/* PEAP version changes */
|
|
|
|
if (wpabuf_len(resp) >= 5 &&
|
|
|
|
wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE &&
|
|
|
|
eap_get_type(resp) == EAP_TYPE_TLV)
|
|
|
|
skip_change2 = 1;
|
|
|
|
rmsg = resp;
|
|
|
|
if (data->peap_version == 0 && !skip_change2) {
|
|
|
|
wpabuf_set(&buf, wpabuf_head_u8(resp) +
|
|
|
|
sizeof(struct eap_hdr),
|
|
|
|
wpabuf_len(resp) - sizeof(struct eap_hdr));
|
|
|
|
rmsg = &buf;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP,
|
|
|
|
data->peap_version, req->identifier,
|
|
|
|
rmsg, out_data)) {
|
|
|
|
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt "
|
|
|
|
"a Phase 2 frame");
|
|
|
|
}
|
|
|
|
wpabuf_free(resp);
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
|
|
|
|
struct eap_method_ret *ret,
|
|
|
|
const struct wpabuf *reqData)
|
|
|
|
{
|
|
|
|
const struct eap_hdr *req;
|
|
|
|
size_t left;
|
|
|
|
int res;
|
|
|
|
u8 flags, id;
|
|
|
|
struct wpabuf *resp;
|
|
|
|
const u8 *pos;
|
|
|
|
struct eap_peap_data *data = priv;
|
2015-05-02 15:42:19 +02:00
|
|
|
struct wpabuf msg;
|
2008-02-28 02:34:43 +01:00
|
|
|
|
|
|
|
pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret,
|
|
|
|
reqData, &left, &flags);
|
|
|
|
if (pos == NULL)
|
|
|
|
return NULL;
|
|
|
|
req = wpabuf_head(reqData);
|
|
|
|
id = req->identifier;
|
|
|
|
|
|
|
|
if (flags & EAP_TLS_FLAGS_START) {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own "
|
2009-12-23 23:16:58 +01:00
|
|
|
"ver=%d)", flags & EAP_TLS_VERSION_MASK,
|
2008-02-28 02:34:43 +01:00
|
|
|
data->peap_version);
|
2009-12-23 23:16:58 +01:00
|
|
|
if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version)
|
|
|
|
data->peap_version = flags & EAP_TLS_VERSION_MASK;
|
2008-02-28 02:34:43 +01:00
|
|
|
if (data->force_peap_version >= 0 &&
|
|
|
|
data->force_peap_version != data->peap_version) {
|
|
|
|
wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select "
|
|
|
|
"forced PEAP version %d",
|
|
|
|
data->force_peap_version);
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
ret->allowNotifications = FALSE;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d",
|
|
|
|
data->peap_version);
|
|
|
|
left = 0; /* make sure that this frame is empty, even though it
|
|
|
|
* should always be, anyway */
|
|
|
|
}
|
|
|
|
|
2015-05-02 15:42:19 +02:00
|
|
|
wpabuf_set(&msg, pos, left);
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
resp = NULL;
|
|
|
|
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
|
|
|
|
!data->resuming) {
|
|
|
|
res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp);
|
|
|
|
} else {
|
EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 17:16:54 +01:00
|
|
|
if (sm->waiting_ext_cert_check && data->pending_resp) {
|
|
|
|
struct eap_peer_config *config = eap_get_config(sm);
|
|
|
|
|
|
|
|
if (config->pending_ext_cert_check ==
|
|
|
|
EXT_CERT_CHECK_GOOD) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: External certificate check succeeded - continue handshake");
|
|
|
|
resp = data->pending_resp;
|
|
|
|
data->pending_resp = NULL;
|
|
|
|
sm->waiting_ext_cert_check = 0;
|
|
|
|
return resp;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (config->pending_ext_cert_check ==
|
|
|
|
EXT_CERT_CHECK_BAD) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: External certificate check failed - force authentication failure");
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
sm->waiting_ext_cert_check = 0;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: Continuing to wait external server certificate validation");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
res = eap_peer_tls_process_helper(sm, &data->ssl,
|
|
|
|
EAP_TYPE_PEAP,
|
2015-05-02 15:42:19 +02:00
|
|
|
data->peap_version, id, &msg,
|
|
|
|
&resp);
|
2008-02-28 02:34:43 +01:00
|
|
|
|
2015-07-28 15:30:41 +02:00
|
|
|
if (res < 0) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: TLS processing failed");
|
|
|
|
ret->methodState = METHOD_DONE;
|
|
|
|
ret->decision = DECISION_FAIL;
|
|
|
|
return resp;
|
|
|
|
}
|
EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 17:16:54 +01:00
|
|
|
|
|
|
|
|
|
|
|
if (sm->waiting_ext_cert_check) {
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: Waiting external server certificate validation");
|
|
|
|
wpabuf_free(data->pending_resp);
|
|
|
|
data->pending_resp = resp;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
|
|
|
|
char *label;
|
|
|
|
wpa_printf(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: TLS done, proceed to Phase 2");
|
2014-06-29 20:16:30 +02:00
|
|
|
eap_peap_free_key(data);
|
2008-02-28 02:34:43 +01:00
|
|
|
/* draft-josefsson-ppext-eap-tls-eap-05.txt
|
|
|
|
* specifies that PEAPv1 would use "client PEAP
|
|
|
|
* encryption" as the label. However, most existing
|
|
|
|
* PEAPv1 implementations seem to be using the old
|
|
|
|
* label, "client EAP encryption", instead. Use the old
|
|
|
|
* label by default, but allow it to be configured with
|
|
|
|
* phase1 parameter peaplabel=1. */
|
2014-01-05 17:32:24 +01:00
|
|
|
if (data->force_new_label)
|
2008-02-28 02:34:43 +01:00
|
|
|
label = "client PEAP encryption";
|
|
|
|
else
|
|
|
|
label = "client EAP encryption";
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in "
|
|
|
|
"key derivation", label);
|
|
|
|
data->key_data =
|
|
|
|
eap_peer_tls_derive_key(sm, &data->ssl, label,
|
2019-02-01 22:52:28 +01:00
|
|
|
EAP_TLS_KEY_LEN +
|
|
|
|
EAP_EMSK_LEN);
|
2008-02-28 02:34:43 +01:00
|
|
|
if (data->key_data) {
|
2016-12-27 16:11:27 +01:00
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
2008-02-28 02:34:43 +01:00
|
|
|
"EAP-PEAP: Derived key",
|
|
|
|
data->key_data,
|
|
|
|
EAP_TLS_KEY_LEN);
|
2019-02-01 22:52:28 +01:00
|
|
|
wpa_hexdump_key(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: Derived EMSK",
|
|
|
|
data->key_data +
|
|
|
|
EAP_TLS_KEY_LEN,
|
|
|
|
EAP_EMSK_LEN);
|
2008-02-28 02:34:43 +01:00
|
|
|
} else {
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to "
|
|
|
|
"derive key");
|
|
|
|
}
|
|
|
|
|
2013-02-06 17:52:33 +01:00
|
|
|
os_free(data->session_id);
|
|
|
|
data->session_id =
|
|
|
|
eap_peer_tls_derive_session_id(sm, &data->ssl,
|
|
|
|
EAP_TYPE_PEAP,
|
|
|
|
&data->id_len);
|
|
|
|
if (data->session_id) {
|
|
|
|
wpa_hexdump(MSG_DEBUG,
|
|
|
|
"EAP-PEAP: Derived Session-Id",
|
|
|
|
data->session_id, data->id_len);
|
|
|
|
} else {
|
|
|
|
wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to "
|
|
|
|
"derive Session-Id");
|
|
|
|
}
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
if (sm->workaround && data->resuming) {
|
|
|
|
/*
|
|
|
|
* At least few RADIUS servers (Aegis v1.1.6;
|
|
|
|
* but not v1.1.4; and Cisco ACS) seem to be
|
|
|
|
* terminating PEAPv1 (Aegis) or PEAPv0 (Cisco
|
|
|
|
* ACS) session resumption with outer
|
|
|
|
* EAP-Success. This does not seem to follow
|
|
|
|
* draft-josefsson-pppext-eap-tls-eap-05.txt
|
|
|
|
* section 4.2, so only allow this if EAP
|
|
|
|
* workarounds are enabled.
|
|
|
|
*/
|
|
|
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - "
|
|
|
|
"allow outer EAP-Success to "
|
|
|
|
"terminate PEAP resumption");
|
|
|
|
ret->decision = DECISION_COND_SUCC;
|
|
|
|
data->phase2_success = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
data->resuming = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (res == 2) {
|
|
|
|
/*
|
|
|
|
* Application data included in the handshake message.
|
|
|
|
*/
|
|
|
|
wpabuf_free(data->pending_phase2_req);
|
|
|
|
data->pending_phase2_req = resp;
|
|
|
|
resp = NULL;
|
|
|
|
res = eap_peap_decrypt(sm, data, ret, req, &msg,
|
|
|
|
&resp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ret->methodState == METHOD_DONE) {
|
|
|
|
ret->allowNotifications = FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (res == 1) {
|
|
|
|
wpabuf_free(resp);
|
|
|
|
return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP,
|
|
|
|
data->peap_version);
|
|
|
|
}
|
|
|
|
|
|
|
|
return resp;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
|
|
|
return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
|
|
|
|
data->phase2_success;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
2017-02-10 17:55:26 +01:00
|
|
|
|
|
|
|
if (data->phase2_priv && data->phase2_method &&
|
|
|
|
data->phase2_method->deinit_for_reauth)
|
|
|
|
data->phase2_method->deinit_for_reauth(sm, data->phase2_priv);
|
2008-02-28 02:34:43 +01:00
|
|
|
wpabuf_free(data->pending_phase2_req);
|
|
|
|
data->pending_phase2_req = NULL;
|
EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 17:16:54 +01:00
|
|
|
wpabuf_free(data->pending_resp);
|
|
|
|
data->pending_resp = NULL;
|
2008-03-18 11:19:52 +01:00
|
|
|
data->crypto_binding_used = 0;
|
2008-02-28 02:34:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
2014-06-29 20:16:30 +02:00
|
|
|
eap_peap_free_key(data);
|
2013-02-06 17:52:33 +01:00
|
|
|
os_free(data->session_id);
|
|
|
|
data->session_id = NULL;
|
2008-02-28 02:34:43 +01:00
|
|
|
if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
|
|
|
|
os_free(data);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
if (data->phase2_priv && data->phase2_method &&
|
|
|
|
data->phase2_method->init_for_reauth)
|
|
|
|
data->phase2_method->init_for_reauth(sm, data->phase2_priv);
|
|
|
|
data->phase2_success = 0;
|
|
|
|
data->phase2_eap_success = 0;
|
|
|
|
data->phase2_eap_started = 0;
|
|
|
|
data->resuming = 1;
|
2008-11-26 12:27:40 +01:00
|
|
|
data->reauth = 1;
|
2008-02-28 02:34:43 +01:00
|
|
|
sm->peap_done = FALSE;
|
|
|
|
return priv;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf,
|
|
|
|
size_t buflen, int verbose)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
|
|
|
int len, ret;
|
|
|
|
|
|
|
|
len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
|
|
|
|
if (data->phase2_method) {
|
|
|
|
ret = os_snprintf(buf + len, buflen - len,
|
|
|
|
"EAP-PEAPv%d Phase2 method=%s\n",
|
|
|
|
data->peap_version,
|
|
|
|
data->phase2_method->name);
|
Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:
@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@
(
E1 = os_snprintf(E2, E3, ...);
|
int E1 = os_snprintf(E2, E3, ...);
|
if (E5)
E1 = os_snprintf(E2, E3, ...);
else
E1 = os_snprintf(E2, E3, ...);
|
if (E5)
E1 = os_snprintf(E2, E3, ...);
else if (E6)
E1 = os_snprintf(E2, E3, ...);
else
E1 = 0;
|
if (E5) {
...
E1 = os_snprintf(E2, E3, ...);
} else {
...
return -1;
}
|
if (E5) {
...
E1 = os_snprintf(E2, E3, ...);
} else if (E6) {
...
E1 = os_snprintf(E2, E3, ...);
} else {
...
return -1;
}
|
if (E5) {
...
E1 = os_snprintf(E2, E3, ...);
} else {
...
E1 = os_snprintf(E2, E3, ...);
}
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
S1
|
{ ... }
)
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 10:15:51 +01:00
|
|
|
if (os_snprintf_error(buflen - len, ret))
|
2008-02-28 02:34:43 +01:00
|
|
|
return len;
|
|
|
|
len += ret;
|
|
|
|
}
|
|
|
|
return len;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
|
|
|
return data->key_data != NULL && data->phase2_success;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
|
|
|
u8 *key;
|
|
|
|
|
|
|
|
if (data->key_data == NULL || !data->phase2_success)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
key = os_malloc(EAP_TLS_KEY_LEN);
|
|
|
|
if (key == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
*len = EAP_TLS_KEY_LEN;
|
2008-03-18 11:19:52 +01:00
|
|
|
|
|
|
|
if (data->crypto_binding_used) {
|
|
|
|
u8 csk[128];
|
2008-03-19 15:58:06 +01:00
|
|
|
/*
|
|
|
|
* Note: It looks like Microsoft implementation requires null
|
|
|
|
* termination for this label while the one used for deriving
|
|
|
|
* IPMK|CMK did not use null termination.
|
|
|
|
*/
|
2011-11-13 10:29:17 +01:00
|
|
|
if (peap_prfplus(data->peap_version, data->ipmk, 40,
|
|
|
|
"Session Key Generating Function",
|
|
|
|
(u8 *) "\00", 1, csk, sizeof(csk)) < 0) {
|
|
|
|
os_free(key);
|
|
|
|
return NULL;
|
|
|
|
}
|
2008-03-18 11:19:52 +01:00
|
|
|
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
|
|
|
|
os_memcpy(key, csk, EAP_TLS_KEY_LEN);
|
|
|
|
wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
|
|
|
|
key, EAP_TLS_KEY_LEN);
|
|
|
|
} else
|
|
|
|
os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
|
2008-02-28 02:34:43 +01:00
|
|
|
|
|
|
|
return key;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2019-02-01 22:52:28 +01:00
|
|
|
static u8 * eap_peap_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
|
|
|
u8 *key;
|
|
|
|
|
|
|
|
if (!data->key_data || !data->phase2_success)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (data->crypto_binding_used) {
|
|
|
|
/* [MS-PEAP] does not define EMSK derivation */
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);
|
|
|
|
if (!key)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
*len = EAP_EMSK_LEN;
|
|
|
|
|
|
|
|
return key;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-02-06 17:52:33 +01:00
|
|
|
static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
|
|
|
|
{
|
|
|
|
struct eap_peap_data *data = priv;
|
|
|
|
u8 *id;
|
|
|
|
|
|
|
|
if (data->session_id == NULL || !data->phase2_success)
|
|
|
|
return NULL;
|
|
|
|
|
2017-03-07 10:17:23 +01:00
|
|
|
id = os_memdup(data->session_id, data->id_len);
|
2013-02-06 17:52:33 +01:00
|
|
|
if (id == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
*len = data->id_len;
|
|
|
|
|
|
|
|
return id;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
int eap_peer_peap_register(void)
|
|
|
|
{
|
|
|
|
struct eap_method *eap;
|
|
|
|
|
|
|
|
eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
|
|
|
|
EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
|
|
|
|
if (eap == NULL)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
eap->init = eap_peap_init;
|
|
|
|
eap->deinit = eap_peap_deinit;
|
|
|
|
eap->process = eap_peap_process;
|
|
|
|
eap->isKeyAvailable = eap_peap_isKeyAvailable;
|
|
|
|
eap->getKey = eap_peap_getKey;
|
2019-02-01 22:52:28 +01:00
|
|
|
eap->get_emsk = eap_peap_get_emsk;
|
2008-02-28 02:34:43 +01:00
|
|
|
eap->get_status = eap_peap_get_status;
|
|
|
|
eap->has_reauth_data = eap_peap_has_reauth_data;
|
|
|
|
eap->deinit_for_reauth = eap_peap_deinit_for_reauth;
|
|
|
|
eap->init_for_reauth = eap_peap_init_for_reauth;
|
2013-02-06 17:52:33 +01:00
|
|
|
eap->getSessionId = eap_peap_get_session_id;
|
2008-02-28 02:34:43 +01:00
|
|
|
|
2016-01-13 22:25:54 +01:00
|
|
|
return eap_peer_method_register(eap);
|
2008-02-28 02:34:43 +01:00
|
|
|
}
|