1 /*
2 * eap_tls.c
3 *
4 * Version: $Id: 17e4cadca894fabe71ebb72c741dad844fe85bc9 $
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 *
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2003 Alan DeKok <aland@freeradius.org>
22 * Copyright 2006 The FreeRADIUS server project
23 */
24
25 /*
26 *
27 * TLS Packet Format in EAP
28 * --- ------ ------ -- ---
29 * 0 1 2 3
30 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
31 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
32 * | Code | Identifier | Length |
33 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
34 * | Type | Flags | TLS Message Length
35 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 * | TLS Message Length | TLS Data...
37 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
38 *
39 */
40
41 RCSID("$Id: 17e4cadca894fabe71ebb72c741dad844fe85bc9 $")
42 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
43
44 #include <assert.h>
45
46 #include "eap_tls.h"
47 /*
48 * Send an initial eap-tls request to the peer.
49 *
50 * Frame eap reply packet.
51 * len = header + type + tls_typedata
52 * tls_typedata = flags(Start (S) bit set, and no data)
53 *
54 * Once having received the peer's Identity, the EAP server MUST
55 * respond with an EAP-TLS/Start packet, which is an
56 * EAP-Request packet with EAP-Type=EAP-TLS, the Start (S) bit
57 * set, and no data. The EAP-TLS conversation will then begin,
58 * with the peer sending an EAP-Response packet with
59 * EAP-Type = EAP-TLS. The data field of that packet will
60 * be the TLS data.
61 *
62 * Fragment length is Framed-MTU - 4.
63 */
eaptls_session(eap_handler_t * handler,fr_tls_server_conf_t * tls_conf,bool client_cert,bool allow_tls13)64 tls_session_t *eaptls_session(eap_handler_t *handler, fr_tls_server_conf_t *tls_conf, bool client_cert, bool allow_tls13)
65 {
66 tls_session_t *ssn;
67 REQUEST *request = handler->request;
68
69 handler->tls = true;
70
71 /*
72 * Every new session is started only from EAP-TLS-START.
73 * Before Sending EAP-TLS-START, open a new SSL session.
74 * Create all the required data structures & store them
75 * in Opaque. So that we can use these data structures
76 * when we get the response
77 */
78 ssn = tls_new_session(handler, tls_conf, request, client_cert, allow_tls13);
79 if (!ssn) {
80 return NULL;
81 }
82
83 /*
84 * Create a structure for all the items required to be
85 * verified for each client and set that as opaque data
86 * structure.
87 *
88 * NOTE: If we want to set each item sepearately then
89 * this index should be global.
90 */
91 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_HANDLER, (void *)handler);
92 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)tls_conf);
93 SSL_set_ex_data(ssn->ssl, fr_tls_ex_index_certs, (void *)&(handler->certs));
94 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_IDENTITY, (void *)&(handler->identity));
95 #ifdef HAVE_OPENSSL_OCSP_H
96 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp_store);
97 #endif
98 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn);
99 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_TALLOC, handler);
100
101 return talloc_steal(handler, ssn); /* ssn */
102 }
103
104 /*
105 The S flag is set only within the EAP-TLS start message
106 sent from the EAP server to the peer.
107 */
eaptls_start(EAP_DS * eap_ds,int peap_flag)108 int eaptls_start(EAP_DS *eap_ds, int peap_flag)
109 {
110 EAPTLS_PACKET reply;
111
112 reply.code = FR_TLS_START;
113 reply.length = TLS_HEADER_LEN + 1/*flags*/;
114
115 reply.flags = peap_flag;
116 reply.flags = SET_START(reply.flags);
117
118 reply.data = NULL;
119 reply.dlen = 0;
120
121 eaptls_compose(eap_ds, &reply);
122
123 return 1;
124 }
125
126
127 /** Send an EAP-TLS success
128 *
129 * Composes an EAP-TLS-Success. This is a message with code EAP_TLS_ESTABLISHED.
130 * It contains no cryptographic material, and is not protected.
131 *
132 * We add the MPPE keys here. These are used by the NAS. The supplicant
133 * will derive the same keys separately.
134 *
135 * @param handler handler of eap session that completed successfully.
136 * @param peap_flag to indicate PEAP version
137 * @return
138 * - 1 on success.
139 */
eaptls_success(eap_handler_t * handler,int peap_flag)140 int eaptls_success(eap_handler_t *handler, int peap_flag)
141 {
142 EAPTLS_PACKET reply;
143 REQUEST *request = handler->request;
144 tls_session_t *tls_session = handler->opaque;
145
146 handler->finished = true;
147 reply.code = FR_TLS_SUCCESS;
148 reply.length = TLS_HEADER_LEN;
149 reply.flags = peap_flag;
150 reply.data = NULL;
151 reply.dlen = 0;
152
153 tls_success(tls_session, request);
154
155 /*
156 * Call compose AFTER checking for cached data.
157 */
158 eaptls_compose(handler->eap_ds, &reply);
159
160 /*
161 * Automatically generate MPPE keying material.
162 */
163 if (tls_session->label) {
164 uint8_t const *context = NULL;
165 size_t context_size = 0;
166 #ifdef TLS1_3_VERSION
167 uint8_t const context_tls13[] = { handler->type };
168 #endif
169
170 switch (tls_session->info.version) {
171 #ifdef TLS1_3_VERSION
172 case TLS1_3_VERSION:
173 context = context_tls13;
174 context_size = sizeof(context_tls13);
175 tls_session->label = "EXPORTER_EAP_TLS_Key_Material";
176 break;
177 #endif
178 case TLS1_2_VERSION:
179 case TLS1_1_VERSION:
180 case TLS1_VERSION:
181 break;
182 case SSL2_VERSION:
183 case SSL3_VERSION:
184 default:
185 /* Should never happen */
186 rad_assert(0);
187 return 0;
188 break;
189 }
190 eaptls_gen_mppe_keys(request,
191 tls_session->ssl, tls_session->label,
192 context, context_size);
193 } else if (handler->type != PW_EAP_FAST) {
194 RWDEBUG("(TLS) EAP Not adding MPPE keys because there is no PRF label");
195 }
196
197 eaptls_gen_eap_key(handler);
198
199 return 1;
200 }
201
eaptls_fail(eap_handler_t * handler,int peap_flag)202 int eaptls_fail(eap_handler_t *handler, int peap_flag)
203 {
204 EAPTLS_PACKET reply;
205 tls_session_t *tls_session = handler->opaque;
206
207 handler->finished = true;
208 reply.code = FR_TLS_FAIL;
209 reply.length = TLS_HEADER_LEN;
210 reply.flags = peap_flag;
211 reply.data = NULL;
212 reply.dlen = 0;
213
214 tls_fail(tls_session);
215
216 eaptls_compose(handler->eap_ds, &reply);
217
218 return 1;
219 }
220
221 /*
222 A single TLS record may be up to 16384 octets in length, but a TLS
223 message may span multiple TLS records, and a TLS certificate message
224 may in principle be as long as 16MB.
225 */
226
227 /*
228 * Frame the Dirty data that needs to be send to the client in an
229 * EAP-Request. We always embed the TLS-length in all EAP-TLS
230 * packets that we send, for easy reference purpose. Handle
231 * fragmentation and sending the next fragment etc.
232 */
eaptls_request(EAP_DS * eap_ds,tls_session_t * ssn)233 int eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn)
234 {
235 EAPTLS_PACKET reply;
236 unsigned int size;
237 unsigned int nlen;
238 unsigned int lbit = 0;
239
240 /* This value determines whether we set (L)ength flag for
241 EVERY packet we send and add corresponding
242 "TLS Message Length" field.
243
244 length_flag = true;
245 This means we include L flag and "TLS Msg Len" in EVERY
246 packet we send out.
247
248 length_flag = false;
249 This means we include L flag and "TLS Msg Len" **ONLY**
250 in First packet of a fragment series. We do not use
251 it anywhere else.
252
253 Having L flag in every packet is prefered.
254
255 */
256 if (ssn->length_flag) {
257 lbit = 4;
258 }
259 if (ssn->fragment == 0) {
260 ssn->tls_msg_len = ssn->dirty_out.used;
261 }
262
263 reply.code = FR_TLS_REQUEST;
264 reply.flags = ssn->peap_flag;
265
266 /* Send data, NOT more than the FRAGMENT size */
267 if (ssn->dirty_out.used > ssn->mtu) {
268 size = ssn->mtu;
269 reply.flags = SET_MORE_FRAGMENTS(reply.flags);
270 /* Length MUST be included if it is the First Fragment */
271 if (ssn->fragment == 0) {
272 lbit = 4;
273 }
274 ssn->fragment = 1;
275 } else {
276 size = ssn->dirty_out.used;
277 ssn->fragment = 0;
278 }
279
280 reply.dlen = lbit + size;
281 reply.length = TLS_HEADER_LEN + 1/*flags*/ + reply.dlen;
282
283 reply.data = talloc_array(eap_ds, uint8_t, reply.length);
284 if (!reply.data) return 0;
285
286 if (lbit) {
287 nlen = htonl(ssn->tls_msg_len);
288 memcpy(reply.data, &nlen, lbit);
289 reply.flags = SET_LENGTH_INCLUDED(reply.flags);
290 }
291 (ssn->record_minus)(&ssn->dirty_out, reply.data + lbit, size);
292
293 eaptls_compose(eap_ds, &reply);
294 talloc_free(reply.data);
295 reply.data = NULL;
296
297 return 1;
298 }
299
300
301 /*
302 * Similarly, when the EAP server receives an EAP-Response with
303 * the M bit set, it MUST respond with an EAP-Request with
304 * EAP-Type=EAP-TLS and no data. This serves as a fragment ACK.
305 *
306 * In order to prevent errors in the processing of fragments, the
307 * EAP server MUST use increment the Identifier value for each
308 * fragment ACK contained within an EAP-Request, and the peer
309 * MUST include this Identifier value in the subsequent fragment
310 * contained within an EAP- Reponse.
311 *
312 * EAP server sends an ACK when it determines there are More
313 * fragments to receive to make the complete
314 * TLS-record/TLS-Message
315 */
eaptls_send_ack(eap_handler_t * handler,int peap_flag)316 static int eaptls_send_ack(eap_handler_t *handler, int peap_flag)
317 {
318 EAPTLS_PACKET reply;
319 REQUEST *request = handler->request;
320
321 RDEBUG2("(TLS) EAP ACKing fragment, the peer should send more data.");
322 reply.code = FR_TLS_ACK;
323 reply.length = TLS_HEADER_LEN + 1/*flags*/;
324 reply.flags = peap_flag;
325 reply.data = NULL;
326 reply.dlen = 0;
327
328 eaptls_compose(handler->eap_ds, &reply);
329
330 return 1;
331 }
332
333 /*
334 * The S flag is set only within the EAP-TLS start message sent
335 * from the EAP server to the peer.
336 *
337 * Similarly, when the EAP server receives an EAP-Response with
338 * the M bit set, it MUST respond with an EAP-Request with
339 * EAP-Type=EAP-TLS and no data. This serves as a fragment
340 * ACK. The EAP peer MUST wait.
341 */
eaptls_verify(eap_handler_t * handler)342 static fr_tls_status_t eaptls_verify(eap_handler_t *handler)
343 {
344 EAP_DS *eap_ds = handler->eap_ds;
345 tls_session_t *tls_session = handler->opaque;
346 EAP_DS *prev_eap_ds = handler->prev_eapds;
347 eaptls_packet_t *eaptls_packet, *eaptls_prev = NULL;
348 REQUEST *request = handler->request;
349 size_t frag_len;
350
351 /*
352 * We don't check ANY of the input parameters. It's all
353 * code which works together, so if something is wrong,
354 * we SHOULD core dump.
355 *
356 * e.g. if eap_ds is NULL, of if eap_ds->response is
357 * NULL, of if it's NOT an EAP-Response, or if the packet
358 * is too short. See eap_validation()., in ../../eap.c
359 *
360 * Also, eap_method_select() takes care of selecting the
361 * appropriate type, so we don't need to check
362 * eap_ds->response->type.num == PW_EAP_TLS, or anything
363 * else.
364 */
365 eaptls_packet = (eaptls_packet_t *)eap_ds->response->type.data;
366 if (prev_eap_ds && prev_eap_ds->response)
367 eaptls_prev = (eaptls_packet_t *)prev_eap_ds->response->type.data;
368
369 if (eaptls_packet) {
370 /*
371 * First output the flags (for debugging)
372 */
373 RDEBUG3("(TLS) EAP Peer sent flags %c%c%c",
374 TLS_START(eaptls_packet->flags) ? 'S' : '-',
375 TLS_MORE_FRAGMENTS(eaptls_packet->flags) ? 'M' : '-',
376 TLS_LENGTH_INCLUDED(eaptls_packet->flags) ? 'L' : '-');
377 }
378
379 /*
380 * check for ACK
381 *
382 * If there's no TLS data, or there's 1 byte of TLS data,
383 * with the flags set to zero, then it's an ACK.
384 *
385 * Find if this is a reply to the previous request sent
386 */
387 if ((!eaptls_packet) ||
388 ((eap_ds->response->length == EAP_HEADER_LEN + 2) &&
389 ((eaptls_packet->flags & 0xc0) == 0x00))) {
390
391 if (prev_eap_ds && (prev_eap_ds->request->id == eap_ds->response->id)) {
392 return tls_ack_handler(handler->opaque, request);
393 } else {
394 REDEBUG("(TLS) EAP Received Unexpected ACK - rejection the connection");
395 return FR_TLS_INVALID;
396 }
397 }
398
399 /*
400 * We send TLS_START, but do not receive it.
401 */
402 if (TLS_START(eaptls_packet->flags)) {
403 REDEBUG("(TLS) EAP Peer sent EAP-TLS Start message (only the server is allowed to do this)");
404 return FR_TLS_INVALID;
405 }
406
407 /*
408 * Calculate this fragment's length
409 */
410 frag_len = eap_ds->response->length -
411 (EAP_HEADER_LEN + (TLS_LENGTH_INCLUDED(eaptls_packet->flags) ? 6 : 2));
412
413 /*
414 * The L bit (length included) is set to indicate the
415 * presence of the four octet TLS Message Length field,
416 * and MUST be set for the first fragment of a fragmented
417 * TLS message or set of messages.
418 *
419 * The M bit (more fragments) is set on all but the last
420 * fragment.
421 *
422 * The S bit (EAP-TLS start) is set in an EAP-TLS Start
423 * message. This differentiates the EAP-TLS Start message
424 * from a fragment acknowledgement.
425 */
426 if (TLS_LENGTH_INCLUDED(eaptls_packet->flags)) {
427 size_t total_len = eaptls_packet->data[2] * 256 | eaptls_packet->data[3];
428
429 if (frag_len > total_len) {
430 RWDEBUG("(TLS) EAP Fragment length (%zu bytes) is greater than TLS record length (%zu bytes)", frag_len,
431 total_len);
432 }
433
434 RDEBUG2("(TLS) EAP Peer says that the final record size will be %zu bytes", total_len);
435 if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
436 /*
437 * The supplicant is free to send fragments of wildly varying
438 * lengths, but the vast majority won't.
439 *
440 * In this calculation we take into account the fact that the future
441 * fragments are likely to be 4 bytes larger than the initial one
442 * as they won't contain the length field.
443 */
444 if (frag_len + 4) { /* check for wrap, else clang scan gets excited */
445 RDEBUG2("(TLS) EAP Expecting %i fragments",
446 (int)((((total_len - frag_len) + ((frag_len + 4) - 1)) / (frag_len + 4)) + 1));
447 }
448
449 /*
450 * FIRST_FRAGMENT is identified
451 * 1. If there is no previous EAP-response received.
452 * 2. If EAP-response received, then its M bit not set.
453 * (It is because Last fragment will not have M bit set)
454 */
455 if (!prev_eap_ds || (!prev_eap_ds->response) || (!eaptls_prev) ||
456 !TLS_MORE_FRAGMENTS(eaptls_prev->flags)) {
457 RDEBUG2("(TLS) EAP Got first TLS fragment (%zu bytes). Peer says more fragments "
458 "will follow", frag_len);
459 tls_session->tls_record_in_total_len = total_len;
460 tls_session->tls_record_in_recvd_len = frag_len;
461
462 return FR_TLS_FIRST_FRAGMENT;
463 }
464
465 RDEBUG2("(TLS) EAP Got additional fragment with length (%zu bytes). "
466 "Peer says more fragments will follow", frag_len);
467
468 /*
469 * Check we've not exceeded the originally indicated TLS record size.
470 */
471 tls_session->tls_record_in_recvd_len += frag_len;
472 if (tls_session->tls_record_in_recvd_len > tls_session->tls_record_in_total_len) {
473 RWDEBUG("(TLS) EAP Total received fragments (%zu bytes), exceeds "
474 "total data length (%zu bytes)", frag_len, total_len);
475 }
476
477 return FR_TLS_MORE_FRAGMENTS_WITH_LENGTH;
478 }
479
480 /*
481 * If it's a complete record, our fragment size should match the
482 * value of the four octet TLS length field.
483 */
484 if (total_len != frag_len) {
485 RWDEBUG("(TLS) EAP Peer says no more fragments, but expected data length (%zu bytes) "
486 "does not match expected data length (%zu bytes)", total_len, frag_len);
487 }
488
489 tls_session->tls_record_in_total_len = total_len;
490 tls_session->tls_record_in_recvd_len = frag_len;
491 RDEBUG2("(TLS) EAP Got all data (%zu bytes)", frag_len);
492 return FR_TLS_LENGTH_INCLUDED;
493 }
494
495 /*
496 * The previous packet had the M flags set, but this one doesn't,
497 * this must be the final record fragment
498 */
499 if ((eaptls_prev && TLS_MORE_FRAGMENTS(eaptls_prev->flags)) && !TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
500 RDEBUG2("(TLS) EAP Got final fragment (%zu bytes)", frag_len);
501 tls_session->tls_record_in_recvd_len += frag_len;
502 if (tls_session->tls_record_in_recvd_len != tls_session->tls_record_in_total_len) {
503 RWDEBUG("(TLS) EAP Total received record fragments (%zu bytes), does not equal expected "
504 "expected data length (%zu bytes)",
505 tls_session->tls_record_in_recvd_len, tls_session->tls_record_in_total_len);
506 }
507 }
508
509 if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
510 RDEBUG2("(TLS) EAP Got additional fragment (%zu bytes). Peer says more fragments will follow",
511 frag_len);
512 tls_session->tls_record_in_recvd_len += frag_len;
513 if (tls_session->tls_record_in_recvd_len > tls_session->tls_record_in_total_len) {
514 RWDEBUG("(TLS) EAP Total received fragments (%zu bytes), exceeds "
515 "expected length (%zu bytes)",
516 tls_session->tls_record_in_recvd_len, tls_session->tls_record_in_total_len);
517 }
518 return FR_TLS_MORE_FRAGMENTS;
519 }
520
521 /*
522 * None of the flags are set, but it's still a valid EAP-TLS packet.
523 */
524 return FR_TLS_OK;
525 }
526
527 /*
528 * EAPTLS_PACKET
529 * code = EAP-code
530 * id = EAP-id
531 * length = code + id + length + flags + tlsdata
532 * = 1 + 1 + 2 + 1 + X
533 * length = EAP-length - 1(EAP-Type = 1 octet)
534 * flags = EAP-typedata[0] (1 octet)
535 * dlen = EAP-typedata[1-4] (4 octets), if L flag set
536 * = length - 5(code+id+length+flags), otherwise
537 * data = EAP-typedata[5-n], if L flag set
538 * = EAP-typedata[1-n], otherwise
539 * packet = EAP-typedata (complete typedata)
540 *
541 * Points to consider during EAP-TLS data extraction
542 * 1. In the received packet, No data will be present incase of ACK-NAK
543 * 2. Incase if more fragments need to be received then ACK after retreiving this fragment.
544 *
545 * RFC 2716 Section 4.2. PPP EAP TLS Request Packet
546 *
547 * 0 1 2 3
548 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
549 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
550 * | Code | Identifier | Length |
551 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
552 * | Type | Flags | TLS Message Length
553 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
554 * | TLS Message Length | TLS Data...
555 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
556 *
557 * The Length field is two octets and indicates the length of the EAP
558 * packet including the Code, Identifir, Length, Type, and TLS data
559 * fields.
560 */
eaptls_extract(REQUEST * request,EAP_DS * eap_ds,fr_tls_status_t status)561 static EAPTLS_PACKET *eaptls_extract(REQUEST *request, EAP_DS *eap_ds, fr_tls_status_t status)
562 {
563 EAPTLS_PACKET *tlspacket;
564 uint32_t data_len = 0;
565 uint32_t len = 0;
566 uint8_t *data = NULL;
567
568 if (status == FR_TLS_INVALID) return NULL;
569
570 /*
571 * The main EAP code & eaptls_verify() take care of
572 * ensuring that the packet is OK, and that we can
573 * extract the various fields we want.
574 *
575 * e.g. a TLS packet with zero data is allowed as an ACK,
576 * but we will never see it here, as we will simply
577 * send another fragment, instead of trying to extract
578 * the data.
579 *
580 * MUST have TLS type octet, followed by flags, followed
581 * by data.
582 */
583 assert(eap_ds->response->length > 2);
584
585 tlspacket = talloc(eap_ds, EAPTLS_PACKET);
586 if (!tlspacket) return NULL;
587
588 /*
589 * Code & id for EAPTLS & EAP are same
590 * but eaptls_length = eap_length - 1(EAP-Type = 1 octet)
591 *
592 * length = code + id + length + type + tlsdata
593 * = 1 + 1 + 2 + 1 + X
594 */
595 tlspacket->code = eap_ds->response->code;
596 tlspacket->id = eap_ds->response->id;
597 tlspacket->length = eap_ds->response->length - 1; /* EAP type */
598 tlspacket->flags = eap_ds->response->type.data[0];
599
600 /*
601 * A quick sanity check of the flags. If we've been told
602 * that there's a length, and there isn't one, then stop.
603 */
604 if (TLS_LENGTH_INCLUDED(tlspacket->flags) &&
605 (tlspacket->length < 5)) { /* flags + TLS message length */
606 REDEBUG("(TLS) EAP Invalid packet received: Length bit is set,"
607 "but packet too short to contain length field");
608 talloc_free(tlspacket);
609 return NULL;
610 }
611
612 /*
613 * If the final TLS packet is larger than we can handle, die
614 * now.
615 *
616 * Likewise, if the EAP packet says N bytes, and the TLS
617 * packet says there's fewer bytes, it's a problem.
618 */
619 if (TLS_LENGTH_INCLUDED(tlspacket->flags)) {
620 memcpy(&data_len, &eap_ds->response->type.data[1], 4);
621 data_len = ntohl(data_len);
622 if (data_len > MAX_RECORD_SIZE) {
623 REDEBUG("(TLS) EAP Reassembled data will be %u bytes, "
624 "greater than the size that we can handle (" STRINGIFY(MAX_RECORD_SIZE) " bytes)",
625 data_len);
626 talloc_free(tlspacket);
627 return NULL;
628 }
629 }
630
631 switch (status) {
632 /*
633 * The TLS Message Length field is four octets, and
634 * provides the total length of the TLS message or set of
635 * messages that is being fragmented; this simplifies
636 * buffer allocation.
637 *
638 * Dynamic allocation of buffers as & when we know the
639 * length should solve the problem.
640 */
641 case FR_TLS_FIRST_FRAGMENT:
642 case FR_TLS_LENGTH_INCLUDED:
643 case FR_TLS_MORE_FRAGMENTS_WITH_LENGTH:
644 if (tlspacket->length < 5) { /* flags + TLS message length */
645 REDEBUG("(TLS) EAP Invalid packet received: Expected length, got none");
646 talloc_free(tlspacket);
647 return NULL;
648 }
649
650 /*
651 * Extract all the TLS fragments from the
652 * previous eap_ds Start appending this
653 * fragment to the above ds
654 */
655 memcpy(&data_len, &eap_ds->response->type.data[1], sizeof(uint32_t));
656 data_len = ntohl(data_len);
657 data = (eap_ds->response->type.data + 5/*flags+TLS-Length*/);
658 len = eap_ds->response->type.length - 5/*flags+TLS-Length*/;
659
660 /*
661 * Hmm... this should be an error, too.
662 */
663 if (data_len > len) {
664 data_len = len;
665 }
666 break;
667
668 /*
669 * Data length is implicit, from the EAP header.
670 */
671 case FR_TLS_MORE_FRAGMENTS:
672 case FR_TLS_OK:
673 data_len = eap_ds->response->type.length - 1/*flags*/;
674 data = eap_ds->response->type.data + 1/*flags*/;
675 break;
676
677 default:
678 REDEBUG("(TLS) EAP Invalid packet received");
679 talloc_free(tlspacket);
680 return NULL;
681 }
682
683 tlspacket->dlen = data_len;
684 if (data_len) {
685 tlspacket->data = talloc_array(tlspacket, uint8_t,
686 data_len);
687 if (!tlspacket->data) {
688 talloc_free(tlspacket);
689 return NULL;
690 }
691 memcpy(tlspacket->data, data, data_len);
692 }
693
694 return tlspacket;
695 }
696
697
698
699 /*
700 * To process the TLS,
701 * INCOMING DATA:
702 * 1. EAP-TLS should get the compelete TLS data from the peer.
703 * 2. Store that data in a data structure with any other required info
704 * 3. Handle that data structure to the TLS module.
705 * 4. TLS module will perform its operations on the data and
706 * handle back to EAP-TLS
707 *
708 * OUTGOING DATA:
709 * 1. EAP-TLS if necessary will fragment it and send it to the
710 * destination.
711 *
712 * During EAP-TLS initialization, TLS Context object will be
713 * initialized and stored. For every new authentication
714 * requests, TLS will open a new session object and that session
715 * object should be maintained even after the session is
716 * completed for session resumption. (Probably later as a feature
717 * as we donot know who maintains these session objects ie,
718 * SSL_CTX (internally) or TLS module(explicitly). If TLS module,
719 * then how to let SSL API know about these sessions.)
720 */
eaptls_operation(fr_tls_status_t status,eap_handler_t * handler)721 static fr_tls_status_t eaptls_operation(fr_tls_status_t status, eap_handler_t *handler)
722 {
723 REQUEST *request = handler->request;
724 tls_session_t *tls_session = handler->opaque;
725
726 if ((status == FR_TLS_MORE_FRAGMENTS) ||
727 (status == FR_TLS_MORE_FRAGMENTS_WITH_LENGTH) ||
728 (status == FR_TLS_FIRST_FRAGMENT)) {
729 /*
730 * Send the ACK.
731 */
732 eaptls_send_ack(handler, tls_session->peap_flag);
733 return FR_TLS_HANDLED;
734
735 }
736
737 /*
738 * We have the complete TLS-data or TLS-message.
739 *
740 * Clean the dirty message.
741 *
742 * Authenticate the user and send
743 * Success/Failure.
744 *
745 * If more info
746 * is required then send another request.
747 */
748 if (!tls_handshake_recv(handler->request, tls_session)) {
749 REDEBUG("(TLS) EAP Receive handshake failed during operation");
750 tls_fail(tls_session);
751 return FR_TLS_FAIL;
752 }
753
754 #ifdef TLS1_3_VERSION
755 /*
756 * https://tools.ietf.org/html/draft-ietf-emu-eap-tls13#section-2.5
757 *
758 * We need to signal the other end that TLS negotiation
759 * is done. We can't send a zero-length application data
760 * message, so we send application data which is one byte
761 * of zero.
762 *
763 * Note this is only done for when there is no application
764 * data to be sent. So this is done always for EAP-TLS but
765 * notibly not for PEAP even on resumption.
766 */
767 if ((tls_session->info.version == TLS1_3_VERSION) &&
768 (tls_session->client_cert_ok || tls_session->authentication_success || SSL_session_reused(tls_session->ssl))) {
769 if ((handler->type == PW_EAP_TLS) || SSL_session_reused(tls_session->ssl)) {
770 tls_session->authentication_success = true;
771
772 RDEBUG("(TLS) EAP Sending final Commitment Message.");
773 tls_session->record_plus(&tls_session->clean_in, "\0", 1);
774 }
775
776 tls_handshake_send(request, tls_session);
777 }
778 #endif
779
780 /*
781 * FIXME: return success/fail.
782 *
783 * TLS proper can decide what to do, then.
784 */
785 if (tls_session->dirty_out.used > 0) {
786 eaptls_request(handler->eap_ds, tls_session);
787 return FR_TLS_HANDLED;
788 }
789
790 /*
791 * If there is no data to send i.e
792 * dirty_out.used <=0 and if the SSL
793 * handshake is finished.
794 */
795 if (tls_session->is_init_finished) return FR_TLS_SUCCESS;
796
797 /*
798 * Who knows what happened...
799 */
800 REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
801 return FR_TLS_FAIL;
802 }
803
804
805 /*
806 * In the actual authentication first verify the packet and then create the data structure
807 */
808 /*
809 * To process the TLS,
810 * INCOMING DATA:
811 * 1. EAP-TLS should get the compelete TLS data from the peer.
812 * 2. Store that data in a data structure with any other required info
813 * 3. Hand this data structure to the TLS module.
814 * 4. TLS module will perform its operations on the data and hands back to EAP-TLS
815 * OUTGOING DATA:
816 * 1. EAP-TLS if necessary will fragment it and send it to the destination.
817 *
818 * During EAP-TLS initialization, TLS Context object will be
819 * initialized and stored. For every new authentication
820 * requests, TLS will open a new session object and that
821 * session object SHOULD be maintained even after the session
822 * is completed, for session resumption. (Probably later as a
823 * feature, as we do not know who maintains these session
824 * objects ie, SSL_CTX (internally) or TLS module (explicitly). If
825 * TLS module, then how to let SSL API know about these
826 * sessions.)
827 */
828
829 /*
830 * Process an EAP request
831 */
eaptls_process(eap_handler_t * handler)832 fr_tls_status_t eaptls_process(eap_handler_t *handler)
833 {
834 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
835 EAPTLS_PACKET *tlspacket;
836 fr_tls_status_t status;
837 REQUEST *request = handler->request;
838
839 if (!request) return FR_TLS_FAIL;
840
841 RDEBUG3("(TLS) EAP Continuing ...");
842
843 SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_REQUEST, request);
844
845 if (handler->certs) fr_pair_add(&request->packet->vps,
846 fr_pair_list_copy(request->packet, handler->certs));
847
848 /*
849 * This case is when SSL generates Alert then we
850 * send that alert to the client and then send the EAP-Failure
851 */
852 status = eaptls_verify(handler);
853 if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
854 REDEBUG("(TLS) EAP Verification failed with %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
855 } else {
856 RDEBUG3("(TLS) EAP Verification says %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
857 }
858
859 switch (status) {
860 default:
861 case FR_TLS_INVALID:
862 case FR_TLS_FAIL:
863
864 /*
865 * Success means that we're done the initial
866 * handshake. For TTLS, this means send stuff
867 * back to the client, and the client sends us
868 * more tunneled data.
869 */
870 case FR_TLS_SUCCESS:
871 goto done;
872
873 /*
874 * Normal TLS request, continue with the "get rest
875 * of fragments" phase.
876 */
877 case FR_TLS_REQUEST:
878 eaptls_request(handler->eap_ds, tls_session);
879 status = FR_TLS_HANDLED;
880 goto done;
881
882 /*
883 * The handshake is done, and we're in the "tunnel
884 * data" phase.
885 */
886 case FR_TLS_OK:
887 RDEBUG2("(TLS) EAP Done initial handshake");
888
889 /*
890 * Get the rest of the fragments.
891 */
892 case FR_TLS_FIRST_FRAGMENT:
893 case FR_TLS_MORE_FRAGMENTS:
894 case FR_TLS_LENGTH_INCLUDED:
895 case FR_TLS_MORE_FRAGMENTS_WITH_LENGTH:
896 break;
897 }
898
899 /*
900 * Extract the TLS packet from the buffer.
901 */
902 if ((tlspacket = eaptls_extract(request, handler->eap_ds, status)) == NULL) {
903 REDEBUG("(TLS) EAP Failed extracting TLS packet from EAP-Message");
904 status = FR_TLS_FAIL;
905 goto done;
906 }
907
908 /*
909 * Get the session struct from the handler
910 *
911 * update the dirty_in buffer
912 *
913 * NOTE: This buffer will contain partial data when M bit is set.
914 *
915 * CAUTION while reinitializing this buffer, it should be
916 * reinitialized only when this M bit is NOT set.
917 */
918 if (tlspacket->dlen !=
919 (tls_session->record_plus)(&tls_session->dirty_in, tlspacket->data, tlspacket->dlen)) {
920 talloc_free(tlspacket);
921 REDEBUG("(TLS) EAP Exceeded maximum record size");
922 status = FR_TLS_FAIL;
923 goto done;
924 }
925
926 /*
927 * No longer needed.
928 */
929 talloc_free(tlspacket);
930
931 /*
932 * SSL initalization is done. Return.
933 *
934 * The TLS data will be in the tls_session structure.
935 */
936 if (tls_session->is_init_finished) {
937 /*
938 * The initialization may be finished, but if
939 * there more fragments coming, then send ACK,
940 * and get the caller to continue the
941 * conversation.
942 */
943 if ((status == FR_TLS_MORE_FRAGMENTS) ||
944 (status == FR_TLS_MORE_FRAGMENTS_WITH_LENGTH) ||
945 (status == FR_TLS_FIRST_FRAGMENT)) {
946 /*
947 * Send the ACK.
948 */
949 eaptls_send_ack(handler, tls_session->peap_flag);
950 RDEBUG2("(TLS) EAP Init is done, but tunneled data is fragmented");
951 status = FR_TLS_HANDLED;
952 goto done;
953 }
954
955 status = tls_application_data(tls_session, request);
956 goto done;
957 }
958
959 /*
960 * Continue the handshake.
961 */
962 status = eaptls_operation(status, handler);
963 if (status == FR_TLS_SUCCESS) {
964 #define MAX_SESSION_SIZE (256)
965 VALUE_PAIR *vps;
966 char buffer[2 * MAX_SESSION_SIZE + 1];
967
968 /*
969 * Restore the cached VPs before processing the
970 * application data.
971 */
972 tls_session_id(tls_session->ssl_session, buffer, MAX_SESSION_SIZE);
973
974 vps = SSL_SESSION_get_ex_data(tls_session->ssl_session, fr_tls_ex_index_vps);
975 if (!vps) {
976 RWDEBUG("(TLS) EAP No information in cached session %s", buffer);
977 } else {
978 vp_cursor_t cursor;
979 VALUE_PAIR *vp;
980 fr_tls_server_conf_t *conf;
981
982 RDEBUG("(TLS) EAP Adding cached attributes from session %s", buffer);
983
984 conf = (fr_tls_server_conf_t *)SSL_get_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF);
985 rad_assert(conf != NULL);
986
987 /*
988 * The cbtls_get_session() function doesn't have
989 * access to sock->certs or handler->certs, which
990 * is where the certificates normally live. So
991 * the certs are all in the VPS list here, and
992 * have to be manually extracted.
993 */
994 RINDENT();
995 for (vp = fr_cursor_init(&cursor, &vps);
996 vp;
997 vp = fr_cursor_next(&cursor)) {
998 if (conf->cache_ht && fr_hash_table_finddata(conf->cache_ht, vp->da)) {
999 rdebug_pair(L_DBG_LVL_2, request, vp, "&session-state:");
1000 fr_pair_add(&request->state, fr_pair_copy(request->state_ctx, vp));
1001 continue;
1002 }
1003
1004 /*
1005 * TLS-* attrs get added back to
1006 * the request list.
1007 */
1008 if ((vp->da->vendor == 0) &&
1009 (vp->da->attr >= PW_TLS_CERT_SERIAL) &&
1010 (vp->da->attr <= PW_TLS_CLIENT_CERT_SUBJECT_ALT_NAME_UPN)) {
1011 /*
1012 * Certs already exist. Don't re-add them.
1013 */
1014 if (!handler->certs) {
1015 rdebug_pair(L_DBG_LVL_2, request, vp, "&request:");
1016 fr_pair_add(&request->packet->vps, fr_pair_copy(request->packet, vp));
1017 }
1018
1019 } else if ((vp->da->vendor == 0) &&
1020 (vp->da->attr == PW_EAP_TYPE)) {
1021 /*
1022 * EAP-Type gets added to
1023 * the control list, so
1024 * that we can sanity check it.
1025 */
1026 rdebug_pair(L_DBG_LVL_2, request, vp, "&control:");
1027 fr_pair_add(&request->config, fr_pair_copy(request, vp));
1028
1029 } else {
1030
1031 rdebug_pair(L_DBG_LVL_2, request, vp, "&reply:");
1032 fr_pair_add(&request->reply->vps, fr_pair_copy(request->reply, vp));
1033 }
1034 }
1035 REXDENT();
1036 }
1037 }
1038
1039 done:
1040 SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_REQUEST, NULL);
1041
1042 return status;
1043 }
1044
1045
1046 /*
1047 * compose the TLS reply packet in the EAP reply typedata
1048 */
eaptls_compose(EAP_DS * eap_ds,EAPTLS_PACKET * reply)1049 int eaptls_compose(EAP_DS *eap_ds, EAPTLS_PACKET *reply)
1050 {
1051 uint8_t *ptr;
1052
1053 /*
1054 * Don't set eap_ds->request->type.num, as the main EAP
1055 * handler will do that for us. This allows the TLS
1056 * module to be called from TTLS & PEAP.
1057 */
1058
1059 /*
1060 * When the EAP server receives an EAP-Response with the
1061 * M bit set, it MUST respond with an EAP-Request with
1062 * EAP-Type=EAP-TLS and no data. This serves as a
1063 * fragment ACK. The EAP peer MUST wait until it receives
1064 * the EAP-Request before sending another fragment.
1065 *
1066 * In order to prevent errors in the processing of
1067 * fragments, the EAP server MUST use increment the
1068 * Identifier value for each fragment ACK contained
1069 * within an EAP-Request, and the peer MUST include this
1070 * Identifier value in the subsequent fragment contained
1071 * within an EAP- Reponse.
1072 */
1073 eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t,
1074 reply->length - TLS_HEADER_LEN + 1);
1075 if (!eap_ds->request->type.data) return 0;
1076
1077 /* EAPTLS Header length is excluded while computing EAP typelen */
1078 eap_ds->request->type.length = reply->length - TLS_HEADER_LEN;
1079
1080 ptr = eap_ds->request->type.data;
1081 *ptr++ = (uint8_t)(reply->flags & 0xFF);
1082
1083 if (reply->dlen) memcpy(ptr, reply->data, reply->dlen);
1084
1085 switch (reply->code) {
1086 case FR_TLS_ACK:
1087 case FR_TLS_START:
1088 case FR_TLS_REQUEST:
1089 eap_ds->request->code = PW_EAP_REQUEST;
1090 break;
1091
1092 case FR_TLS_SUCCESS:
1093 eap_ds->request->code = PW_EAP_SUCCESS;
1094 break;
1095
1096 case FR_TLS_FAIL:
1097 eap_ds->request->code = PW_EAP_FAILURE;
1098 break;
1099
1100 default:
1101 /* Should never enter here */
1102 rad_assert(0);
1103 break;
1104 }
1105
1106 return 1;
1107 }
1108
1109 /*
1110 * Parse TLS configuration
1111 *
1112 * If the option given by 'attr' is set, we find the config section
1113 * of that name and use that for the TLS configuration. If not, we
1114 * fall back to compatibility mode and read the TLS options from
1115 * the 'tls' section.
1116 */
eaptls_conf_parse(CONF_SECTION * cs,char const * attr)1117 fr_tls_server_conf_t *eaptls_conf_parse(CONF_SECTION *cs, char const *attr)
1118 {
1119 char const *tls_conf_name;
1120 CONF_PAIR *cp;
1121 CONF_SECTION *parent;
1122 CONF_SECTION *tls_cs;
1123 fr_tls_server_conf_t *tls_conf;
1124
1125 if (!cs)
1126 return NULL;
1127
1128 rad_assert(attr != NULL);
1129
1130 parent = cf_item_parent(cf_section_to_item(cs));
1131
1132 cp = cf_pair_find(cs, attr);
1133 if (cp) {
1134 tls_conf_name = cf_pair_value(cp);
1135
1136 tls_cs = cf_section_sub_find_name2(parent, TLS_CONFIG_SECTION, tls_conf_name);
1137
1138 if (!tls_cs) {
1139 ERROR("Cannot find tls config \"%s\"", tls_conf_name);
1140 return NULL;
1141 }
1142 } else {
1143 /*
1144 * If we can't find the section given by the 'attr', we
1145 * fall-back to looking for the "tls" section, as in
1146 * previous versions.
1147 *
1148 * We don't fall back if the 'attr' is specified, but we can't
1149 * find the section - that is just a config error.
1150 */
1151 INFO("TLS section \"%s\" missing, trying to use legacy configuration", attr);
1152 tls_cs = cf_section_sub_find(parent, "tls");
1153 }
1154
1155 if (!tls_cs)
1156 return NULL;
1157
1158 tls_conf = tls_server_conf_parse(tls_cs);
1159
1160 if (!tls_conf)
1161 return NULL;
1162
1163 /*
1164 * The EAP RFC's say 1020, but we're less picky.
1165 */
1166 if (tls_conf->fragment_size < 100) {
1167 ERROR("Configured fragment size is too small, must be >= 100");
1168 return NULL;
1169 }
1170
1171 /*
1172 * The maximum size for a RADIUS packet is 4096,
1173 * minus the header (20), Message-Authenticator (18),
1174 * and State (18), etc. results in about 4000 bytes of data
1175 * that can be devoted *solely* to EAP.
1176 */
1177 if (tls_conf->fragment_size > 4000) {
1178 ERROR("Configured fragment size is too large, must be <= 4000");
1179 return NULL;
1180 }
1181
1182 /*
1183 * Account for the EAP header (4), and the EAP-TLS header
1184 * (6), as per Section 4.2 of RFC 2716. What's left is
1185 * the maximum amount of data we read from a TLS buffer.
1186 */
1187 tls_conf->fragment_size -= 10;
1188
1189 return tls_conf;
1190 }
1191
1192