USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>
#include <openssl/hmac.h>
#include <freeradius-devel/util/sha1.h>
#include <freeradius-devel/tls/base.h>
#include <freeradius-devel/tls/missing.h>
#include "tls.h"
#include "base.h"
#include "attrs.h"
#define EAP_TLS_MPPE_KEY_LEN 32
/** Generate keys according to RFC 2716 and add to the reply
*
*/
int eap_crypto_mppe_keys(REQUEST *request, SSL *ssl, char const *prf_label, size_t prf_label_len)
{
uint8_t out[4 * EAP_TLS_MPPE_KEY_LEN];
uint8_t *p;
if (SSL_export_keying_material(ssl, out, sizeof(out), prf_label, prf_label_len, NULL, 0, 0) != 1) {
tls_log_error(request, "Failed generating MPPE keys");
return -1;
}
if (RDEBUG_ENABLED3) {
uint8_t random[SSL3_RANDOM_SIZE];
size_t random_len;
uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH];
size_t master_key_len;
RDEBUG3("Key Derivation Function input");
RINDENT();
RDEBUG3("prf label : %pV", fr_box_strvalue_len(prf_label, prf_label_len));
master_key_len = SSL_SESSION_get_master_key(SSL_get_session(ssl), master_key, sizeof(master_key));
RDEBUG3("master session key : %pH", fr_box_octets(master_key, master_key_len));
random_len = SSL_get_client_random(ssl, random, SSL3_RANDOM_SIZE);
RDEBUG3("client random : %pH", fr_box_octets(random, random_len));
random_len = SSL_get_server_random(ssl, random, SSL3_RANDOM_SIZE);
RDEBUG3("server random : %pH", fr_box_octets(random, random_len));
REXDENT();
}
RDEBUG2("Adding session keys");
p = out;
eap_add_reply(request, attr_ms_mppe_recv_key, p, EAP_TLS_MPPE_KEY_LEN);
p += EAP_TLS_MPPE_KEY_LEN;
eap_add_reply(request, attr_ms_mppe_send_key, p, EAP_TLS_MPPE_KEY_LEN);
eap_add_reply(request, attr_eap_msk, out, 64);
eap_add_reply(request, attr_eap_emsk, out + 64, 64);
return 0;
}
/*
* Generate keys according to RFC 2716 and add to reply
*/
void eaptls_gen_mppe_keys(REQUEST *request, SSL *s, char const *prf_label)
{
uint8_t out[4 * EAPTLS_MPPE_KEY_LEN];
uint8_t *p;
size_t prf_size;
if (!s->s3) {
ERROR("No SSLv3 information");
return;
}
prf_size = strlen(prf_label);
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if (SSL_export_keying_material(s, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1) {
ERROR("Failed generating keying material");
return;
}
#else
{
uint8_t seed[64 + (2 * SSL3_RANDOM_SIZE)];
uint8_t buf[4 * EAPTLS_MPPE_KEY_LEN];
p = seed;
memcpy(p, prf_label, prf_size);
p += prf_size;
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
prf_size += SSL3_RANDOM_SIZE;
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
prf_size += SSL3_RANDOM_SIZE;
PRF(s->session->master_key, s->session->master_key_length,
seed, prf_size, out, buf, sizeof(out));
}
#endif
p = out;
eap_add_reply(request, "MS-MPPE-Recv-Key", p, EAPTLS_MPPE_KEY_LEN);
p += EAPTLS_MPPE_KEY_LEN;
eap_add_reply(request, "MS-MPPE-Send-Key", p, EAPTLS_MPPE_KEY_LEN);
eap_add_reply(request, "EAP-MSK", out, 64);
eap_add_reply(request, "EAP-EMSK", out + 64, 64);
}
/** Send a success message
*
* The only work to be done is the add the appropriate SEND/RECV
* radius attributes derived from the MSK.
*/
static int eap_sim_send_eap_success(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
uint8_t *p;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
RDEBUG2("Sending SIM-Success");
eap_session->this_round->request->code = FR_EAP_CODE_SUCCESS;
eap_session->finished = true;
p = eap_sim_session->keys.msk;
eap_add_reply(eap_session->request, attr_ms_mppe_recv_key, p, EAP_TLS_MPPE_KEY_LEN);
p += EAP_TLS_MPPE_KEY_LEN;
eap_add_reply(eap_session->request, attr_ms_mppe_send_key, p, EAP_TLS_MPPE_KEY_LEN);
return 0;
}
static int set_mppe_keys(eap_handler_t *handler)
{
uint8_t const *p;
struct IKEv2Session *session;
session = ((struct IKEv2Data*)handler->opaque)->session;
if (session->eapKeyData==NULL){
INFO(IKEv2_LOG_PREFIX "Key session not available!!!");
return 1;
}
p = session->eapKeyData;
eap_add_reply(handler->request, "MS-MPPE-Recv-Key", p, IKEV2_MPPE_KEY_LEN);
p += IKEV2_MPPE_KEY_LEN;
eap_add_reply(handler->request, "MS-MPPE-Send-Key", p, IKEV2_MPPE_KEY_LEN);
return 0;
}
/*
* this code sends the success message.
*
* the only work to be done is the add the appropriate SEND/RECV
* radius attributes derived from the MSK.
*
*/
static int eap_sim_sendsuccess(eap_handler_t *handler)
{
unsigned char *p;
struct eap_sim_server_state *ess;
VALUE_PAIR *vp;
RADIUS_PACKET *packet;
/* outvps is the data to the client. */
packet = handler->request->reply;
ess = (struct eap_sim_server_state *)handler->opaque;
/* set the EAP_ID - new value */
vp = paircreate(packet, ATTRIBUTE_EAP_ID, 0);
vp->vp_integer = ess->sim_id++;
pairreplace(&handler->request->reply->vps, vp);
p = ess->keys.msk;
eap_add_reply(handler->request, "MS-MPPE-Recv-Key", p, EAPTLS_MPPE_KEY_LEN);
p += EAPTLS_MPPE_KEY_LEN;
eap_add_reply(handler->request, "MS-MPPE-Send-Key", p, EAPTLS_MPPE_KEY_LEN);
return 1;
}
/*
* Generate keys according to RFC 2716 and add to reply
*/
void eaptls_gen_mppe_keys(REQUEST *request, SSL *s,
char const *prf_label)
{
unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN];
unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
unsigned char *p = seed;
size_t prf_size;
if (!s->s3) {
EDEBUG("No SSLv3 information");
return;
}
prf_size = strlen(prf_label);
memcpy(p, prf_label, prf_size);
p += prf_size;
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
prf_size += SSL3_RANDOM_SIZE;
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
prf_size += SSL3_RANDOM_SIZE;
PRF(s->session->master_key, s->session->master_key_length,
seed, prf_size, out, buf, sizeof(out));
p = out;
eap_add_reply(request, "MS-MPPE-Recv-Key", p, EAPTLS_MPPE_KEY_LEN);
p += EAPTLS_MPPE_KEY_LEN;
eap_add_reply(request, "MS-MPPE-Send-Key", p, EAPTLS_MPPE_KEY_LEN);
eap_add_reply(request, "EAP-MSK", out, 64);
eap_add_reply(request, "EAP-EMSK", out + 64, 64);
}
static int
mod_authenticate (void *arg, eap_handler_t *handler)
{
pwd_session_t *pwd_session;
pwd_hdr *hdr;
pwd_id_packet *id;
eap_packet_t *response;
REQUEST *request, *fake;
VALUE_PAIR *pw, *vp;
EAP_DS *eap_ds;
int len, ret = 0;
eap_pwd_t *inst = (eap_pwd_t *)arg;
uint16_t offset;
uint8_t exch, *buf, *ptr, msk[MSK_EMSK_LEN], emsk[MSK_EMSK_LEN];
uint8_t peer_confirm[SHA256_DIGEST_LENGTH];
BIGNUM *x = NULL, *y = NULL;
if ((!handler) ||
((eap_ds = handler->eap_ds) == NULL) ||
(!inst)) {
return 0;
}
pwd_session = (pwd_session_t *)handler->opaque;
request = handler->request;
response = handler->eap_ds->response;
hdr = (pwd_hdr *)response->type.data;
buf = hdr->data;
len = response->type.length - sizeof(pwd_hdr);
/*
* see if we're fragmenting, if so continue until we're done
*/
if (pwd_session->out_buf_pos) {
if (len) {
RDEBUG2("pwd got something more than an ACK for a fragment");
}
return send_pwd_request(pwd_session, eap_ds);
}
/*
* the first fragment will have a total length, make a
* buffer to hold all the fragments
*/
if (EAP_PWD_GET_LENGTH_BIT(hdr)) {
if (pwd_session->in_buf) {
RDEBUG2("pwd already alloced buffer for fragments");
return 0;
}
pwd_session->in_buf_len = ntohs(buf[0] * 256 | buf[1]);
if ((pwd_session->in_buf = talloc_zero_array(pwd_session, uint8_t,
pwd_session->in_buf_len)) == NULL) {
RDEBUG2("pwd cannot allocate %d buffer to hold fragments",
pwd_session->in_buf_len);
return 0;
}
memset(pwd_session->in_buf, 0, pwd_session->in_buf_len);
pwd_session->in_buf_pos = 0;
buf += sizeof(uint16_t);
len -= sizeof(uint16_t);
}
/*
* all fragments, including the 1st will have the M(ore) bit set,
* buffer those fragments!
*/
if (EAP_PWD_GET_MORE_BIT(hdr)) {
rad_assert(pwd_session->in_buf != NULL);
if ((pwd_session->in_buf_pos + len) > pwd_session->in_buf_len) {
RDEBUG2("pwd will not overflow a fragment buffer. Nope, not prudent.");
return 0;
}
memcpy(pwd_session->in_buf + pwd_session->in_buf_pos, buf, len);
pwd_session->in_buf_pos += len;
/*
* send back an ACK for this fragment
*/
exch = EAP_PWD_GET_EXCHANGE(hdr);
eap_ds->request->code = PW_EAP_REQUEST;
eap_ds->request->type.num = PW_EAP_PWD;
eap_ds->request->type.length = sizeof(pwd_hdr);
if ((eap_ds->request->type.data = talloc_array(eap_ds->request,
uint8_t, sizeof(pwd_hdr))) == NULL) {
return 0;
}
hdr = (pwd_hdr *)eap_ds->request->type.data;
EAP_PWD_SET_EXCHANGE(hdr, exch);
return 1;
}
if (pwd_session->in_buf) {
/*
* the last fragment...
*/
if ((pwd_session->in_buf_pos + len) > pwd_session->in_buf_len) {
RDEBUG2("pwd will not overflow a fragment buffer. Nope, not prudent.");
return 0;
}
memcpy(pwd_session->in_buf + pwd_session->in_buf_pos, buf, len);
buf = pwd_session->in_buf;
len = pwd_session->in_buf_len;
}
switch (pwd_session->state) {
case PWD_STATE_ID_REQ:
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_ID) {
RDEBUG2("pwd exchange is incorrect: not ID");
return 0;
}
id = (pwd_id_packet *)buf;
if ((id->prf != EAP_PWD_DEF_PRF) ||
(id->random_function != EAP_PWD_DEF_RAND_FUN) ||
(id->prep != EAP_PWD_PREP_NONE) ||
(memcmp(id->token, (char *)&pwd_session->token, 4)) ||
(id->group_num != ntohs(pwd_session->group_num))) {
RDEBUG2("pwd id response is invalid");
return 0;
}
/*
* we've agreed on the ciphersuite, record it...
*/
ptr = (uint8_t *)&pwd_session->ciphersuite;
memcpy(ptr, (char *)&id->group_num, sizeof(uint16_t));
ptr += sizeof(uint16_t);
*ptr = EAP_PWD_DEF_RAND_FUN;
ptr += sizeof(uint8_t);
*ptr = EAP_PWD_DEF_PRF;
pwd_session->peer_id_len = len - sizeof(pwd_id_packet);
if (pwd_session->peer_id_len >= sizeof(pwd_session->peer_id)) {
RDEBUG2("pwd id response is malformed");
return 0;
}
memcpy(pwd_session->peer_id, id->identity,
pwd_session->peer_id_len);
pwd_session->peer_id[pwd_session->peer_id_len] = '\0';
/*
* make fake request to get the password for the usable ID
*/
if ((fake = request_alloc_fake(handler->request)) == NULL) {
RDEBUG("pwd unable to create fake request!");
return 0;
}
fake->username = pairmake_packet("User-Name", "", T_OP_EQ);
if (!fake->username) {
RDEBUG("pwd unanable to create value pair for username!");
request_free(&fake);
return 0;
}
memcpy(fake->username->vp_strvalue, pwd_session->peer_id,
pwd_session->peer_id_len);
fake->username->length = pwd_session->peer_id_len;
fake->username->vp_strvalue[fake->username->length] = 0;
if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (inst->conf->virtual_server) {
fake->server = inst->conf->virtual_server;
} /* else fake->server == request->server */
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
debug_pair_list(fake->packet->vps);
fprintf(fr_log_fp, "server %s {\n",
(!fake->server) ? "" : fake->server);
}
/*
* Call authorization recursively, which will
* get the password.
*/
process_authorize(0, fake);
/*
* Note that we don't do *anything* with the reply
* attributes.
*/
if ((debug_flag > 0) && fr_log_fp) {
fprintf(fr_log_fp, "} # server %s\n",
(!fake->server) ? "" : fake->server);
RDEBUG("Got tunneled reply code %d", fake->reply->code);
debug_pair_list(fake->reply->vps);
}
if ((pw = pairfind(fake->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) == NULL) {
DEBUG2("failed to find password for %s to do pwd authentication",
pwd_session->peer_id);
request_free(&fake);
return 0;
}
if (compute_password_element(pwd_session, pwd_session->group_num,
pw->data.strvalue, strlen(pw->data.strvalue),
inst->conf->server_id, strlen(inst->conf->server_id),
pwd_session->peer_id, strlen(pwd_session->peer_id),
&pwd_session->token)) {
DEBUG2("failed to obtain password element :-(");
request_free(&fake);
return 0;
}
request_free(&fake);
/*
* compute our scalar and element
*/
if (compute_scalar_element(pwd_session, inst->bnctx)) {
DEBUG2("failed to compute server's scalar and element");
return 0;
}
if (((x = BN_new()) == NULL) ||
((y = BN_new()) == NULL)) {
DEBUG2("server point allocation failed");
return 0;
}
/*
* element is a point, get both coordinates: x and y
*/
if (!EC_POINT_get_affine_coordinates_GFp(pwd_session->group,
pwd_session->my_element, x, y,
inst->bnctx)) {
DEBUG2("server point assignment failed");
BN_free(x);
BN_free(y);
return 0;
}
/*
* construct request
*/
pwd_session->out_buf_len = BN_num_bytes(pwd_session->order) +
(2 * BN_num_bytes(pwd_session->prime));
if ((pwd_session->out_buf = talloc_array(pwd_session, uint8_t,
pwd_session->out_buf_len)) == NULL) {
return 0;
}
memset(pwd_session->out_buf, 0, pwd_session->out_buf_len);
ptr = pwd_session->out_buf;
offset = BN_num_bytes(pwd_session->prime) - BN_num_bytes(x);
BN_bn2bin(x, ptr + offset);
ptr += BN_num_bytes(pwd_session->prime);
offset = BN_num_bytes(pwd_session->prime) - BN_num_bytes(y);
BN_bn2bin(y, ptr + offset);
ptr += BN_num_bytes(pwd_session->prime);
offset = BN_num_bytes(pwd_session->order) - BN_num_bytes(pwd_session->my_scalar);
BN_bn2bin(pwd_session->my_scalar, ptr + offset);
pwd_session->state = PWD_STATE_COMMIT;
ret = send_pwd_request(pwd_session, eap_ds);
break;
case PWD_STATE_COMMIT:
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_COMMIT) {
RDEBUG2("pwd exchange is incorrect: not commit!");
return 0;
}
/*
* process the peer's commit and generate the shared key, k
*/
if (process_peer_commit(pwd_session, buf, inst->bnctx)) {
RDEBUG2("failed to process peer's commit");
return 0;
}
/*
* compute our confirm blob
*/
if (compute_server_confirm(pwd_session, pwd_session->my_confirm, inst->bnctx)) {
ERROR("rlm_eap_pwd: failed to compute confirm!");
return 0;
}
/*
* construct a response...which is just our confirm blob
*/
pwd_session->out_buf_len = SHA256_DIGEST_LENGTH;
if ((pwd_session->out_buf = talloc_array(pwd_session, uint8_t,
pwd_session->out_buf_len)) == NULL) {
return 0;
}
memset(pwd_session->out_buf, 0, pwd_session->out_buf_len);
memcpy(pwd_session->out_buf, pwd_session->my_confirm, SHA256_DIGEST_LENGTH);
pwd_session->state = PWD_STATE_CONFIRM;
ret = send_pwd_request(pwd_session, eap_ds);
break;
case PWD_STATE_CONFIRM:
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_CONFIRM) {
RDEBUG2("pwd exchange is incorrect: not commit!");
return 0;
}
if (compute_peer_confirm(pwd_session, peer_confirm, inst->bnctx)) {
RDEBUG2("pwd exchange cannot compute peer's confirm");
return 0;
}
if (memcmp(peer_confirm, buf, SHA256_DIGEST_LENGTH)) {
RDEBUG2("pwd exchange fails: peer confirm is incorrect!");
return 0;
}
if (compute_keys(pwd_session, peer_confirm, msk, emsk)) {
RDEBUG2("pwd exchange cannot generate (E)MSK!");
return 0;
}
eap_ds->request->code = PW_EAP_SUCCESS;
/*
* return the MSK (in halves)
*/
eap_add_reply(handler->request,
"MS-MPPE-Recv-Key", msk, MPPE_KEY_LEN);
eap_add_reply(handler->request,
"MS-MPPE-Send-Key", msk+MPPE_KEY_LEN, MPPE_KEY_LEN);
ret = 1;
break;
default:
RDEBUG2("unknown PWD state");
return 0;
}
/*
* we processed the buffered fragments, get rid of them
*/
if (pwd_session->in_buf) {
talloc_free(pwd_session->in_buf);
pwd_session->in_buf = NULL;
}
return ret;
}
static int mod_process(void *arg, eap_handler_t *handler)
{
pwd_session_t *session;
pwd_hdr *hdr;
pwd_id_packet_t *packet;
eap_packet_t *response;
REQUEST *request, *fake;
VALUE_PAIR *pw, *vp;
EAP_DS *eap_ds;
size_t in_len;
int ret = 0;
eap_pwd_t *inst = (eap_pwd_t *)arg;
uint16_t offset;
uint8_t exch, *in, *ptr, msk[MSK_EMSK_LEN], emsk[MSK_EMSK_LEN];
uint8_t peer_confirm[SHA256_DIGEST_LENGTH];
if (((eap_ds = handler->eap_ds) == NULL) || !inst) return 0;
session = (pwd_session_t *)handler->opaque;
request = handler->request;
response = handler->eap_ds->response;
hdr = (pwd_hdr *)response->type.data;
/*
* The header must be at least one byte.
*/
if (!hdr || (response->type.length < sizeof(pwd_hdr))) {
RDEBUG("Packet with insufficient data");
return 0;
}
in = hdr->data;
in_len = response->type.length - sizeof(pwd_hdr);
/*
* see if we're fragmenting, if so continue until we're done
*/
if (session->out_pos) {
if (in_len) RDEBUG2("pwd got something more than an ACK for a fragment");
return send_pwd_request(session, eap_ds);
}
/*
* the first fragment will have a total length, make a
* buffer to hold all the fragments
*/
if (EAP_PWD_GET_LENGTH_BIT(hdr)) {
if (session->in) {
RDEBUG2("pwd already alloced buffer for fragments");
return 0;
}
if (in_len < 2) {
RDEBUG("Invalid packet: length bit set, but no length field");
return 0;
}
session->in_len = ntohs(in[0] * 256 | in[1]);
if ((session->in = talloc_zero_array(session, uint8_t, session->in_len)) == NULL) {
RDEBUG2("pwd cannot allocate %zd buffer to hold fragments",
session->in_len);
return 0;
}
memset(session->in, 0, session->in_len);
session->in_pos = 0;
in += sizeof(uint16_t);
in_len -= sizeof(uint16_t);
}
/*
* all fragments, including the 1st will have the M(ore) bit set,
* buffer those fragments!
*/
if (EAP_PWD_GET_MORE_BIT(hdr)) {
rad_assert(session->in != NULL);
if ((session->in_pos + in_len) > session->in_len) {
RDEBUG2("Fragment overflows packet.");
return 0;
}
memcpy(session->in + session->in_pos, in, in_len);
session->in_pos += in_len;
/*
* send back an ACK for this fragment
*/
exch = EAP_PWD_GET_EXCHANGE(hdr);
eap_ds->request->code = PW_EAP_REQUEST;
eap_ds->request->type.num = PW_EAP_PWD;
eap_ds->request->type.length = sizeof(pwd_hdr);
if ((eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, sizeof(pwd_hdr))) == NULL) {
return 0;
}
hdr = (pwd_hdr *)eap_ds->request->type.data;
EAP_PWD_SET_EXCHANGE(hdr, exch);
return 1;
}
if (session->in) {
/*
* the last fragment...
*/
if ((session->in_pos + in_len) > session->in_len) {
RDEBUG2("pwd will not overflow a fragment buffer. Nope, not prudent");
return 0;
}
memcpy(session->in + session->in_pos, in, in_len);
in = session->in;
in_len = session->in_len;
}
switch (session->state) {
case PWD_STATE_ID_REQ:
{
BIGNUM *x = NULL, *y = NULL;
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_ID) {
RDEBUG2("pwd exchange is incorrect: not ID");
return 0;
}
packet = (pwd_id_packet_t *) in;
if (in_len < sizeof(*packet)) {
RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(*packet));
return 0;
}
if ((packet->prf != EAP_PWD_DEF_PRF) ||
(packet->random_function != EAP_PWD_DEF_RAND_FUN) ||
(packet->prep != EAP_PWD_PREP_NONE) ||
(CRYPTO_memcmp(packet->token, &session->token, 4)) ||
(packet->group_num != ntohs(session->group_num))) {
RDEBUG2("pwd id response is invalid");
return 0;
}
/*
* we've agreed on the ciphersuite, record it...
*/
ptr = (uint8_t *)&session->ciphersuite;
memcpy(ptr, (char *)&packet->group_num, sizeof(uint16_t));
ptr += sizeof(uint16_t);
*ptr = EAP_PWD_DEF_RAND_FUN;
ptr += sizeof(uint8_t);
*ptr = EAP_PWD_DEF_PRF;
session->peer_id_len = in_len - sizeof(pwd_id_packet_t);
if (session->peer_id_len >= sizeof(session->peer_id)) {
RDEBUG2("pwd id response is malformed");
return 0;
}
memcpy(session->peer_id, packet->identity, session->peer_id_len);
session->peer_id[session->peer_id_len] = '\0';
/*
* make fake request to get the password for the usable ID
*/
if ((fake = request_alloc_fake(handler->request)) == NULL) {
RDEBUG("pwd unable to create fake request!");
return 0;
}
fake->username = fr_pair_afrom_num(fake->packet, PW_USER_NAME, 0);
if (!fake->username) {
RDEBUG("Failed creating pair for peer id");
talloc_free(fake);
return 0;
}
fr_pair_value_bstrncpy(fake->username, session->peer_id, session->peer_id_len);
fr_pair_add(&fake->packet->vps, fake->username);
if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (inst->virtual_server) {
fake->server = inst->virtual_server;
} /* else fake->server == request->server */
RDEBUG("Sending tunneled request");
rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
if (fake->server) {
RDEBUG("server %s {", fake->server);
} else {
RDEBUG("server {");
}
/*
* Call authorization recursively, which will
* get the password.
*/
RINDENT();
process_authorize(0, fake);
REXDENT();
/*
* Note that we don't do *anything* with the reply
* attributes.
*/
if (fake->server) {
RDEBUG("} # server %s", fake->server);
} else {
RDEBUG("}");
}
RDEBUG("Got tunneled reply code %d", fake->reply->code);
rdebug_pair_list(L_DBG_LVL_1, request, fake->reply->vps, NULL);
if ((pw = fr_pair_find_by_num(fake->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) == NULL) {
DEBUG2("failed to find password for %s to do pwd authentication",
session->peer_id);
talloc_free(fake);
return 0;
}
if (compute_password_element(session, session->group_num,
pw->data.strvalue, strlen(pw->data.strvalue),
inst->server_id, strlen(inst->server_id),
session->peer_id, strlen(session->peer_id),
&session->token)) {
DEBUG2("failed to obtain password element");
talloc_free(fake);
return 0;
}
TALLOC_FREE(fake);
/*
* compute our scalar and element
*/
if (compute_scalar_element(session, inst->bnctx)) {
DEBUG2("failed to compute server's scalar and element");
return 0;
}
MEM(x = BN_new());
MEM(y = BN_new());
/*
* element is a point, get both coordinates: x and y
*/
if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->my_element, x, y,
inst->bnctx)) {
DEBUG2("server point assignment failed");
BN_clear_free(x);
BN_clear_free(y);
return 0;
}
/*
* construct request
*/
session->out_len = BN_num_bytes(session->order) + (2 * BN_num_bytes(session->prime));
if ((session->out = talloc_array(session, uint8_t, session->out_len)) == NULL) {
return 0;
}
memset(session->out, 0, session->out_len);
ptr = session->out;
offset = BN_num_bytes(session->prime) - BN_num_bytes(x);
BN_bn2bin(x, ptr + offset);
BN_clear_free(x);
ptr += BN_num_bytes(session->prime);
offset = BN_num_bytes(session->prime) - BN_num_bytes(y);
BN_bn2bin(y, ptr + offset);
BN_clear_free(y);
ptr += BN_num_bytes(session->prime);
offset = BN_num_bytes(session->order) - BN_num_bytes(session->my_scalar);
BN_bn2bin(session->my_scalar, ptr + offset);
session->state = PWD_STATE_COMMIT;
ret = send_pwd_request(session, eap_ds);
}
break;
case PWD_STATE_COMMIT:
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_COMMIT) {
RDEBUG2("pwd exchange is incorrect: not commit!");
return 0;
}
/*
* process the peer's commit and generate the shared key, k
*/
if (process_peer_commit(session, in, in_len, inst->bnctx)) {
RDEBUG2("failed to process peer's commit");
return 0;
}
/*
* compute our confirm blob
*/
if (compute_server_confirm(session, session->my_confirm, inst->bnctx)) {
ERROR("rlm_eap_pwd: failed to compute confirm!");
return 0;
}
/*
* construct a response...which is just our confirm blob
*/
session->out_len = SHA256_DIGEST_LENGTH;
if ((session->out = talloc_array(session, uint8_t, session->out_len)) == NULL) {
return 0;
}
memset(session->out, 0, session->out_len);
memcpy(session->out, session->my_confirm, SHA256_DIGEST_LENGTH);
session->state = PWD_STATE_CONFIRM;
ret = send_pwd_request(session, eap_ds);
break;
case PWD_STATE_CONFIRM:
if (in_len < SHA256_DIGEST_LENGTH) {
RDEBUG("Peer confirm is too short (%zd < %d)",
in_len, SHA256_DIGEST_LENGTH);
return 0;
}
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_CONFIRM) {
RDEBUG2("pwd exchange is incorrect: not commit!");
return 0;
}
if (compute_peer_confirm(session, peer_confirm, inst->bnctx)) {
RDEBUG2("pwd exchange cannot compute peer's confirm");
return 0;
}
if (CRYPTO_memcmp(peer_confirm, in, SHA256_DIGEST_LENGTH)) {
RDEBUG2("pwd exchange fails: peer confirm is incorrect!");
return 0;
}
if (compute_keys(session, peer_confirm, msk, emsk)) {
RDEBUG2("pwd exchange cannot generate (E)MSK!");
return 0;
}
eap_ds->request->code = PW_EAP_SUCCESS;
/*
* return the MSK (in halves)
*/
eap_add_reply(handler->request, "MS-MPPE-Recv-Key", msk, MPPE_KEY_LEN);
eap_add_reply(handler->request, "MS-MPPE-Send-Key", msk + MPPE_KEY_LEN, MPPE_KEY_LEN);
ret = 1;
break;
default:
RDEBUG2("unknown PWD state");
return 0;
}
/*
* we processed the buffered fragments, get rid of them
*/
if (session->in) {
talloc_free(session->in);
session->in = NULL;
}
return ret;
}
/*
* Process the inner tunnel data
*/
FR_CODE eap_fast_process(eap_session_t *eap_session, tls_session_t *tls_session)
{
FR_CODE code;
VALUE_PAIR *fast_vps = NULL;
fr_cursor_t cursor;
uint8_t const *data;
size_t data_len;
eap_fast_tunnel_t *t;
REQUEST *request = eap_session->request;
/*
* Just look at the buffer directly, without doing
* record_to_buff.
*/
data_len = tls_session->clean_out.used;
tls_session->clean_out.used = 0;
data = tls_session->clean_out.data;
t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t);
/*
* See if the tunneled data is well formed.
*/
if (!eap_fast_verify(request, tls_session, data, data_len)) return FR_CODE_ACCESS_REJECT;
if (t->stage == EAP_FAST_TLS_SESSION_HANDSHAKE) {
rad_assert(t->mode == EAP_FAST_UNKNOWN);
char buf[256];
if (strstr(SSL_CIPHER_description(SSL_get_current_cipher(tls_session->ssl),
buf, sizeof(buf)), "Au=None")) {
/* FIXME enforce MSCHAPv2 - RFC 5422 section 3.2.2 */
RDEBUG2("Using anonymous provisioning");
t->mode = EAP_FAST_PROVISIONING_ANON;
t->pac.send = true;
} else {
if (SSL_session_reused(tls_session->ssl)) {
RDEBUG2("Session Resumed from PAC");
t->mode = EAP_FAST_NORMAL_AUTH;
} else {
RDEBUG2("Using authenticated provisioning");
t->mode = EAP_FAST_PROVISIONING_AUTH;
}
if (!t->pac.expires || t->pac.expired || t->pac.expires - time(NULL) < t->pac_lifetime * 0.6) {
t->pac.send = true;
}
}
eap_fast_init_keys(request, tls_session);
eap_fast_send_identity_request(request, tls_session, eap_session);
t->stage = EAP_FAST_AUTHENTICATION;
return FR_CODE_ACCESS_CHALLENGE;
}
fr_cursor_init(&cursor, &fast_vps);
if (eap_fast_decode_pair(request, &cursor, attr_eap_fast_tlv,
data, data_len, NULL) < 0) return FR_CODE_ACCESS_REJECT;
RDEBUG2("Got Tunneled FAST TLVs");
log_request_pair_list(L_DBG_LVL_1, request, fast_vps, NULL);
code = eap_fast_process_tlvs(request, eap_session, tls_session, fast_vps);
fr_pair_list_free(&fast_vps);
if (code == FR_CODE_ACCESS_REJECT) return FR_CODE_ACCESS_REJECT;
switch (t->stage) {
case EAP_FAST_AUTHENTICATION:
code = FR_CODE_ACCESS_CHALLENGE;
break;
case EAP_FAST_CRYPTOBIND_CHECK:
{
if (t->mode != EAP_FAST_PROVISIONING_ANON && !t->pac.send)
t->result_final = true;
eap_fast_append_result(tls_session, code);
eap_fast_update_icmk(request, tls_session, (uint8_t *)&t->isk);
eap_fast_append_crypto_binding(request, tls_session);
code = FR_CODE_ACCESS_CHALLENGE;
break;
}
case EAP_FAST_PROVISIONING:
t->result_final = true;
eap_fast_append_result(tls_session, code);
if (t->pac.send) {
RDEBUG2("Peer requires new PAC");
eap_fast_send_pac_tunnel(request, tls_session);
code = FR_CODE_ACCESS_CHALLENGE;
break;
}
t->stage = EAP_FAST_COMPLETE;
/* fallthrough */
case EAP_FAST_COMPLETE:
/*
* RFC 5422 section 3.5 - Network Access after EAP-FAST Provisioning
*/
if (t->pac.type && t->pac.expired) {
REDEBUG("Rejecting expired PAC.");
code = FR_CODE_ACCESS_REJECT;
break;
}
if (t->mode == EAP_FAST_PROVISIONING_ANON) {
REDEBUG("Rejecting unauthenticated provisioning");
code = FR_CODE_ACCESS_REJECT;
break;
}
/*
* eap_crypto_mppe_keys() is unsuitable for EAP-FAST as Cisco decided
* it would be a great idea to flip the recv/send keys around
*/
#define EAPTLS_MPPE_KEY_LEN 32
eap_add_reply(request, attr_ms_mppe_recv_key, t->msk, EAPTLS_MPPE_KEY_LEN);
eap_add_reply(request, attr_ms_mppe_send_key, &t->msk[EAPTLS_MPPE_KEY_LEN], EAPTLS_MPPE_KEY_LEN);
eap_add_reply(request, attr_eap_msk, t->msk, EAP_FAST_KEY_LEN);
eap_add_reply(request, attr_eap_emsk, t->emsk, EAP_EMSK_LEN);
break;
default:
RERROR("Internal sanity check failed in EAP-FAST at %d", t->stage);
code = FR_CODE_ACCESS_REJECT;
}
return code;
}
