1 /*
2 * EAP peer method: EAP-TLS (RFC 2716)
3 * Copyright (c) 2004-2008, 2012, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8 #include "utils/includes.h"
9
10 #ifdef EAP_TLS
11 #include "utils/common.h"
12 #include "tls/tls.h"
13 #include "eap_peer/eap_i.h"
14 #include "eap_peer/eap_defs.h"
15 #include "eap_peer/eap_tls_common.h"
16 #include "eap_peer/eap_config.h"
17 #include "eap_peer/eap_methods.h"
18
19
20 static void eap_tls_deinit(struct eap_sm *sm, void *priv);
21
22
23 struct eap_tls_data {
24 struct eap_ssl_data ssl;
25 u8 *key_data;
26 u8 *session_id;
27 size_t id_len;
28 void *ssl_ctx;
29 u8 eap_type;
30 };
31
32
eap_tls_init(struct eap_sm * sm)33 static void * eap_tls_init(struct eap_sm *sm)
34 {
35 struct eap_tls_data *data;
36 struct eap_peer_config *config = eap_get_config(sm);
37 if (config == NULL ||
38 config->private_key == 0) {
39 wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
40 return NULL;
41 }
42
43 data = (struct eap_tls_data *)os_zalloc(sizeof(*data));
44 if (data == NULL)
45 return NULL;
46
47 data->ssl_ctx = sm->ssl_ctx;
48
49 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TLS)) {
50 wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
51 eap_tls_deinit(sm, data);
52 return NULL;
53 }
54
55 data->eap_type = EAP_TYPE_TLS;
56
57 return data;
58 }
59
60
eap_tls_deinit(struct eap_sm * sm,void * priv)61 static void eap_tls_deinit(struct eap_sm *sm, void *priv)
62 {
63 struct eap_tls_data *data = priv;
64 if (data == NULL)
65 return;
66 eap_peer_tls_ssl_deinit(sm, &data->ssl);
67 os_free(data->key_data);
68 os_free(data->session_id);
69 os_free(data);
70 }
71
72
eap_tls_failure(struct eap_sm * sm,struct eap_tls_data * data,struct eap_method_ret * ret,int res,struct wpabuf * resp,u8 id)73 static struct wpabuf * eap_tls_failure(struct eap_sm *sm,
74 struct eap_tls_data *data,
75 struct eap_method_ret *ret, int res,
76 struct wpabuf *resp, u8 id)
77 {
78 wpa_printf(MSG_DEBUG, "EAP-TLS: TLS processing failed");
79
80 ret->methodState = METHOD_DONE;
81 ret->decision = DECISION_FAIL;
82
83 if (res == -1) {
84 struct eap_peer_config *config = eap_get_config(sm);
85 if (config) {
86 /*
87 * The TLS handshake failed. So better forget the old
88 * PIN. It may be wrong, we cannot be sure but trying
89 * the wrong one again might block it on the card--so
90 * better ask the user again.
91 */
92 os_free(config->pin);
93 config->pin = NULL;
94 }
95 }
96
97 if (resp) {
98 /*
99 * This is likely an alert message, so send it instead of just
100 * ACKing the error.
101 */
102 return resp;
103 }
104
105 return eap_peer_tls_build_ack(id, data->eap_type, 0);
106 }
107
108
eap_tls_success(struct eap_sm * sm,struct eap_tls_data * data,struct eap_method_ret * ret)109 static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
110 struct eap_method_ret *ret)
111 {
112 wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
113
114 ret->methodState = METHOD_DONE;
115 ret->decision = DECISION_UNCOND_SUCC;
116
117 os_free(data->key_data);
118 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
119 "client EAP encryption",
120 EAP_TLS_KEY_LEN +
121 EAP_EMSK_LEN);
122 if (data->key_data) {
123 wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived key",
124 data->key_data, EAP_TLS_KEY_LEN);
125 wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived EMSK",
126 data->key_data + EAP_TLS_KEY_LEN,
127 EAP_EMSK_LEN);
128 } else {
129 wpa_printf(MSG_INFO, "EAP-TLS: Failed to derive key");
130 }
131
132 os_free(data->session_id);
133 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
134 EAP_TYPE_TLS,
135 &data->id_len);
136 if (data->session_id) {
137 wpa_hexdump(MSG_DEBUG, "EAP-TLS: Derived Session-Id",
138 data->session_id, data->id_len);
139 } else {
140 wpa_printf(MSG_ERROR, "EAP-TLS: Failed to derive Session-Id");
141 }
142 }
143
144
eap_tls_process(struct eap_sm * sm,void * priv,struct eap_method_ret * ret,const struct wpabuf * reqData)145 static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
146 struct eap_method_ret *ret,
147 const struct wpabuf *reqData)
148 {
149 size_t left;
150 int res;
151 struct wpabuf *resp;
152 u8 flags, id;
153 const u8 *pos;
154 struct eap_tls_data *data = priv;
155
156 pos = eap_peer_tls_process_init(sm, &data->ssl, data->eap_type, ret,
157 reqData, &left, &flags);
158 if (pos == NULL)
159 return NULL;
160 id = eap_get_id(reqData);
161
162 if (flags & EAP_TLS_FLAGS_START) {
163 wpa_printf(MSG_DEBUG, "EAP-TLS: Start");
164 left = 0; /* make sure that this frame is empty, even though it
165 * should always be, anyway */
166 }
167
168 resp = NULL;
169 res = eap_peer_tls_process_helper(sm, &data->ssl, data->eap_type, 0,
170 id, pos, left, &resp);
171
172 if (res < 0) {
173 return eap_tls_failure(sm, data, ret, res, resp, id);
174 }
175
176 if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
177 eap_tls_success(sm, data, ret);
178
179 if (res == 1) {
180 wpabuf_free(resp);
181 return eap_peer_tls_build_ack(id, data->eap_type, 0);
182 }
183
184 return resp;
185 }
186
eap_tls_isKeyAvailable(struct eap_sm * sm,void * priv)187 static bool eap_tls_isKeyAvailable(struct eap_sm *sm, void *priv)
188 {
189 struct eap_tls_data *data = priv;
190
191 return data->key_data != NULL;
192 }
eap_tls_getKey(struct eap_sm * sm,void * priv,size_t * len)193 static u8 * eap_tls_getKey(struct eap_sm *sm, void *priv, size_t *len)
194 {
195 struct eap_tls_data *data = priv;
196 u8 *key;
197
198 if (data->key_data == NULL)
199 return NULL;
200
201 key = os_malloc(EAP_TLS_KEY_LEN);
202 if (key == NULL)
203 return NULL;
204
205 *len = EAP_TLS_KEY_LEN;
206 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
207
208 return key;
209 }
210
eap_peer_tls_register(void)211 int eap_peer_tls_register(void)
212 {
213 struct eap_method *eap;
214 int ret;
215
216 eap = eap_peer_method_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLS,
217 "TLS");
218
219 if (eap == NULL)
220 return -1;
221
222 eap->init = eap_tls_init;
223 eap->deinit = eap_tls_deinit;
224 eap->process = eap_tls_process;
225 eap->isKeyAvailable = eap_tls_isKeyAvailable;
226 eap->getKey = eap_tls_getKey;
227
228 ret = eap_peer_method_register(eap);
229 if (ret)
230 eap_peer_method_free(eap);
231 return ret;
232 }
233
234
235 #endif /* EAP_TLS */
236