2 * EAP-TLS/PEAP/TTLS/FAST server common functions
3 * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/sha1.h"
19 #include "crypto/tls.h"
21 #include "eap_tls_common.h"
24 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data);
27 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
31 data->phase2 = sm->init_phase2;
33 data->conn = tls_connection_init(sm->ssl_ctx);
34 if (data->conn == NULL) {
35 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
40 if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
41 wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
42 "of TLS peer certificate");
43 tls_connection_deinit(sm->ssl_ctx, data->conn);
48 /* TODO: make this configurable */
49 data->tls_out_limit = 1398;
51 /* Limit the fragment size in the inner TLS authentication
52 * since the outer authentication with EAP-PEAP does not yet
53 * support fragmentation */
54 if (data->tls_out_limit > 100)
55 data->tls_out_limit -= 100;
61 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
63 tls_connection_deinit(sm->ssl_ctx, data->conn);
64 eap_server_tls_free_in_buf(data);
65 wpabuf_free(data->tls_out);
70 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
71 char *label, size_t len)
80 if (tls_connection_prf(sm->ssl_ctx, data->conn, label, 0, out, len) ==
84 if (tls_connection_get_keys(sm->ssl_ctx, data->conn, &keys))
87 if (keys.client_random == NULL || keys.server_random == NULL ||
88 keys.master_key == NULL)
91 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
94 os_memcpy(rnd, keys.client_random, keys.client_random_len);
95 os_memcpy(rnd + keys.client_random_len, keys.server_random,
96 keys.server_random_len);
98 if (tls_prf(keys.master_key, keys.master_key_len,
99 label, rnd, keys.client_random_len +
100 keys.server_random_len, out, len))
113 struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
114 int eap_type, int version, u8 id)
118 size_t send_len, plen;
120 wpa_printf(MSG_DEBUG, "SSL: Generating Request");
121 if (data->tls_out == NULL) {
122 wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__);
127 send_len = wpabuf_len(data->tls_out) - data->tls_out_pos;
128 if (1 + send_len > data->tls_out_limit) {
129 send_len = data->tls_out_limit - 1;
130 flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
131 if (data->tls_out_pos == 0) {
132 flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
138 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
141 req = eap_msg_alloc(EAP_VENDOR_IETF, eap_type, plen,
142 EAP_CODE_REQUEST, id);
146 wpabuf_put_u8(req, flags); /* Flags */
147 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
148 wpabuf_put_be32(req, wpabuf_len(data->tls_out));
150 wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
152 data->tls_out_pos += send_len;
154 if (data->tls_out_pos == wpabuf_len(data->tls_out)) {
155 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
156 "(message sent completely)",
157 (unsigned long) send_len);
158 wpabuf_free(data->tls_out);
159 data->tls_out = NULL;
160 data->tls_out_pos = 0;
163 wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
164 "(%lu more to send)", (unsigned long) send_len,
165 (unsigned long) wpabuf_len(data->tls_out) -
167 data->state = WAIT_FRAG_ACK;
174 struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version)
178 req = eap_msg_alloc(EAP_VENDOR_IETF, eap_type, 1, EAP_CODE_REQUEST,
182 wpa_printf(MSG_DEBUG, "SSL: Building ACK");
183 wpabuf_put_u8(req, version); /* Flags */
188 static int eap_server_tls_process_cont(struct eap_ssl_data *data,
189 const u8 *buf, size_t len)
191 /* Process continuation of a pending message */
192 if (len > wpabuf_tailroom(data->tls_in)) {
193 wpa_printf(MSG_DEBUG, "SSL: Fragment overflow");
197 wpabuf_put_data(data->tls_in, buf, len);
198 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu "
199 "bytes more", (unsigned long) len,
200 (unsigned long) wpabuf_tailroom(data->tls_in));
206 static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
207 u8 flags, u32 message_length,
208 const u8 *buf, size_t len)
210 /* Process a fragment that is not the last one of the message */
211 if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
212 wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a "
213 "fragmented packet");
217 if (data->tls_in == NULL) {
218 /* First fragment of the message */
220 /* Limit length to avoid rogue peers from causing large
221 * memory allocations. */
222 if (message_length > 65536) {
223 wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size"
228 data->tls_in = wpabuf_alloc(message_length);
229 if (data->tls_in == NULL) {
230 wpa_printf(MSG_DEBUG, "SSL: No memory for message");
233 wpabuf_put_data(data->tls_in, buf, len);
234 wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first "
235 "fragment, waiting for %lu bytes more",
237 (unsigned long) wpabuf_tailroom(data->tls_in));
244 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
247 /* This should not happen.. */
248 wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
249 "processing new message");
250 wpabuf_free(data->tls_out);
251 WPA_ASSERT(data->tls_out == NULL);
254 data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
257 if (data->tls_out == NULL) {
258 wpa_printf(MSG_INFO, "SSL: TLS processing failed");
261 if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
262 /* TLS processing has failed - return error */
263 wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
272 static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
273 const u8 **pos, size_t *left)
275 unsigned int tls_msg_len = 0;
276 const u8 *end = *pos + *left;
278 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
280 wpa_printf(MSG_INFO, "SSL: Short frame with TLS "
284 tls_msg_len = WPA_GET_BE32(*pos);
285 wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d",
291 wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x "
292 "Message Length %u", flags, tls_msg_len);
294 if (data->state == WAIT_FRAG_ACK) {
296 wpa_printf(MSG_DEBUG, "SSL: Unexpected payload in "
297 "WAIT_FRAG_ACK state");
300 wpa_printf(MSG_DEBUG, "SSL: Fragment acknowledged");
305 eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
308 if (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) {
309 if (eap_server_tls_process_fragment(data, flags, tls_msg_len,
310 *pos, end - *pos) < 0)
313 data->state = FRAG_ACK;
317 if (data->state == FRAG_ACK) {
318 wpa_printf(MSG_DEBUG, "SSL: All fragments received");
322 if (data->tls_in == NULL) {
323 /* Wrap unfragmented messages as wpabuf without extra copy */
324 wpabuf_set(&data->tmpbuf, *pos, end - *pos);
325 data->tls_in = &data->tmpbuf;
332 static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
334 if (data->tls_in != &data->tmpbuf)
335 wpabuf_free(data->tls_in);
340 struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
341 struct eap_ssl_data *data,
342 const struct wpabuf *plain)
346 buf = tls_connection_encrypt(sm->ssl_ctx, data->conn,
349 wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data");
357 int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
358 struct wpabuf *respData, void *priv, int eap_type,
359 int (*proc_version)(struct eap_sm *sm, void *priv,
361 void (*proc_msg)(struct eap_sm *sm, void *priv,
362 const struct wpabuf *respData))
369 pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData, &left);
370 if (pos == NULL || left < 1)
371 return 0; /* Should not happen - frame already validated */
374 wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x",
375 (unsigned long) wpabuf_len(respData), flags);
378 proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0)
381 ret = eap_server_tls_reassemble(data, flags, &pos, &left);
389 proc_msg(sm, priv, respData);
391 if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
392 wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
398 eap_server_tls_free_in_buf(data);