eap-tls-common: Address PEAPv0 interoperability with Windows

Windows Server 2008 - Network Policy Server (NPS) generates an invalid Compound MAC for Cryptobinding TLV when is used within PEAPv0 due to incorrect parsing of the message containing TLS Client Hello. Setting L bit and including TLS Message Length field, even for the packets that do not require fragmentation, corrects the issue. The redundant TLS Message Length field in unfragmented packets doesn't seem to affect the other server implementations.
2024-10-04 02:18:49 +02:00 · 2020-01-31 14:25:14 -08:00 · 2020-01-31 14:25:14 -08:00 · c2078c703d
commit c2078c703d
parent 0508879e2a
1 changed files with 35 additions and 0 deletions
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@ -112,6 +112,7 @@ struct eap_tls_state {
 	size_t tx_frag_last_len;

 	bool expecting_frag_ack:1;
+	bool tunnel_ready:1;

 	struct l_queue *ca_cert;
 	struct l_certchain *client_cert;
@ -128,6 +129,7 @@ static void __eap_tls_common_state_reset(struct eap_tls_state *eap_tls)
 	eap_tls->method_completed = false;
 	eap_tls->phase2_failed = false;
 	eap_tls->expecting_frag_ack = false;
+	eap_tls->tunnel_ready = false;

 	if (eap_tls->tunnel) {
 		l_tls_free(eap_tls->tunnel);
@ -244,6 +246,8 @@ static void eap_tls_tunnel_ready(const char *peer_identity, void *user_data)
 	 */
 	eap_start_complete_timeout(eap);

+	eap_tls->tunnel_ready = true;
+
 	if (!eap_tls->variant_ops->tunnel_ready)
 		return;

@ -261,6 +265,7 @@ static void eap_tls_tunnel_disconnected(enum l_tls_alert_desc reason,
 			eap_get_method_name(eap), l_tls_alert_to_str(reason));

 	eap_tls->method_completed = true;
+	eap_tls->tunnel_ready = false;
 }

 static bool eap_tls_validate_version(struct eap_state *eap,
@ -325,11 +330,32 @@ static void eap_tls_send_fragment(struct eap_state *eap)
 	eap_tls->tx_frag_last_len = len;
 }

+static bool needs_workaround(struct eap_state *eap)
+{
+	struct eap_tls_state *eap_tls = eap_get_data(eap);
+
+	/*
+	 * Windows Server 2008 - Network Policy Server (NPS) generates an
+	 * invalid Compound MAC for Cryptobinding TLV when is used within PEAPv0
+	 * due to incorrect parsing of the message containing TLS Client Hello.
+	 * Setting L bit and including TLS Message Length field, even for the
+	 * packets that do not require fragmentation, corrects the issue. The
+	 * redundant TLS Message Length field in unfragmented packets doesn't
+	 * seem to effect the other server implementations.
+	 */
+	return eap_get_method_type(eap) == EAP_TYPE_PEAP &&
+			eap_tls->version_negotiated == EAP_TLS_VERSION_0 &&
+			!eap_tls->tunnel_ready;
+}
+
 static void eap_tls_send_response(struct eap_state *eap,
 					const uint8_t *pdu, size_t pdu_len)
 {
 	struct eap_tls_state *eap_tls = eap_get_data(eap);
 	size_t msg_len = EAP_TLS_HEADER_LEN + pdu_len;
+	bool set_tls_msg_len = needs_workaround(eap);
+
+	msg_len += set_tls_msg_len ? 4 : 0;

 	if (msg_len <= eap_get_mtu(eap)) {
 		uint8_t *buf;
@ -345,6 +371,15 @@ static void eap_tls_send_response(struct eap_state *eap,
 		buf[EAP_TLS_HEADER_OCTET_FLAGS + extra] =
 						eap_tls->version_negotiated;

+		if (set_tls_msg_len) {
+			buf[extra + EAP_TLS_HEADER_OCTET_FLAGS] |=
+								EAP_TLS_FLAG_L;
+			l_put_be32(pdu_len,
+				   &buf[extra + EAP_TLS_HEADER_OCTET_FRAG_LEN]);
+
+			extra += 4;
+		}
+
 		memcpy(buf + EAP_TLS_HEADER_LEN + extra, pdu, pdu_len);

 		eap_send_response(eap, eap_get_method_type(eap), buf, msg_len);