1 /*
2 * EAP peer method: EAP-TTLS (draft-ietf-pppext-eap-ttls-03.txt)
3 * Copyright (c) 2004-2006, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "eap_i.h"
19 #include "eap_tls_common.h"
20 #include "config_ssid.h"
21 #include "ms_funcs.h"
22 #include "sha1.h"
23 #include "crypto.h"
24 #include "tls.h"
25 #include "eap_ttls.h"
26
27
28 /* Maximum supported PEAP version
29 * 0 = draft-ietf-pppext-eap-ttls-03.txt / draft-funk-eap-ttls-v0-00.txt
30 * 1 = draft-funk-eap-ttls-v1-00.txt
31 */
32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
33
34
35 #define MSCHAPV2_KEY_LEN 16
36
37
38 static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
39
40
41 struct eap_ttls_data {
42 struct eap_ssl_data ssl;
43 int ssl_initialized;
44
45 int ttls_version, force_ttls_version;
46
47 const struct eap_method *phase2_method;
48 void *phase2_priv;
49 int phase2_success;
50 int phase2_start;
51
52 enum {
53 EAP_TTLS_PHASE2_EAP,
54 EAP_TTLS_PHASE2_MSCHAPV2,
55 EAP_TTLS_PHASE2_MSCHAP,
56 EAP_TTLS_PHASE2_PAP,
57 EAP_TTLS_PHASE2_CHAP
58 } phase2_type;
59 struct eap_method_type phase2_eap_type;
60 struct eap_method_type *phase2_eap_types;
61 size_t num_phase2_eap_types;
62
63 u8 auth_response[20];
64 int auth_response_valid;
65 u8 ident;
66 int resuming; /* starting a resumed session */
67 int reauth; /* reauthentication */
68 u8 *key_data;
69
70 u8 *pending_phase2_req;
71 size_t pending_phase2_req_len;
72 };
73
74
eap_ttls_init(struct eap_sm * sm)75 static void * eap_ttls_init(struct eap_sm *sm)
76 {
77 struct eap_ttls_data *data;
78 struct wpa_ssid *config = eap_get_config(sm);
79 char *selected;
80
81 data = os_zalloc(sizeof(*data));
82 if (data == NULL)
83 return NULL;
84 data->ttls_version = EAP_TTLS_VERSION;
85 data->force_ttls_version = -1;
86 selected = "EAP";
87 data->phase2_type = EAP_TTLS_PHASE2_EAP;
88
89 if (config && config->phase1) {
90 char *pos = os_strstr(config->phase1, "ttlsver=");
91 if (pos) {
92 data->force_ttls_version = atoi(pos + 8);
93 data->ttls_version = data->force_ttls_version;
94 wpa_printf(MSG_DEBUG, "EAP-TTLS: Forced TTLS version "
95 "%d", data->force_ttls_version);
96 }
97 }
98
99 if (config && config->phase2) {
100 if (os_strstr(config->phase2, "autheap=")) {
101 selected = "EAP";
102 data->phase2_type = EAP_TTLS_PHASE2_EAP;
103 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) {
104 selected = "MSCHAPV2";
105 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
106 } else if (os_strstr(config->phase2, "auth=MSCHAP")) {
107 selected = "MSCHAP";
108 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
109 } else if (os_strstr(config->phase2, "auth=PAP")) {
110 selected = "PAP";
111 data->phase2_type = EAP_TTLS_PHASE2_PAP;
112 } else if (os_strstr(config->phase2, "auth=CHAP")) {
113 selected = "CHAP";
114 data->phase2_type = EAP_TTLS_PHASE2_CHAP;
115 }
116 }
117 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
118
119 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
120 if (config && config->phase2) {
121 char *start, *pos, *buf;
122 struct eap_method_type *methods = NULL, *_methods;
123 u8 method;
124 size_t num_methods = 0;
125 start = buf = os_strdup(config->phase2);
126 if (buf == NULL) {
127 eap_ttls_deinit(sm, data);
128 return NULL;
129 }
130 while (start && *start != '\0') {
131 int vendor;
132 pos = os_strstr(start, "autheap=");
133 if (pos == NULL)
134 break;
135 if (start != pos && *(pos - 1) != ' ') {
136 start = pos + 8;
137 continue;
138 }
139
140 start = pos + 8;
141 pos = os_strchr(start, ' ');
142 if (pos)
143 *pos++ = '\0';
144 method = eap_get_phase2_type(start, &vendor);
145 if (vendor == EAP_VENDOR_IETF &&
146 method == EAP_TYPE_NONE) {
147 wpa_printf(MSG_ERROR, "EAP-TTLS: "
148 "Unsupported Phase2 EAP "
149 "method '%s'", start);
150 } else {
151 num_methods++;
152 _methods = os_realloc(
153 methods, num_methods *
154 sizeof(*methods));
155 if (_methods == NULL) {
156 os_free(methods);
157 os_free(buf);
158 eap_ttls_deinit(sm, data);
159 return NULL;
160 }
161 methods = _methods;
162 methods[num_methods - 1].vendor =
163 vendor;
164 methods[num_methods - 1].method =
165 method;
166 }
167
168 start = pos;
169 }
170 os_free(buf);
171 data->phase2_eap_types = methods;
172 data->num_phase2_eap_types = num_methods;
173 }
174 if (data->phase2_eap_types == NULL) {
175 data->phase2_eap_types = eap_get_phase2_types(
176 config, &data->num_phase2_eap_types);
177 }
178 if (data->phase2_eap_types == NULL) {
179 wpa_printf(MSG_ERROR, "EAP-TTLS: No Phase2 EAP method "
180 "available");
181 eap_ttls_deinit(sm, data);
182 return NULL;
183 }
184 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase2 EAP types",
185 (u8 *) data->phase2_eap_types,
186 data->num_phase2_eap_types *
187 sizeof(struct eap_method_type));
188 data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
189 data->phase2_eap_type.method = EAP_TYPE_NONE;
190 }
191
192 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
193 data->ttls_version > 0) {
194 if (data->force_ttls_version > 0) {
195 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
196 "TLS library does not support TLS/IA.",
197 data->force_ttls_version);
198 eap_ttls_deinit(sm, data);
199 return NULL;
200 }
201 data->ttls_version = 0;
202 }
203
204 return data;
205 }
206
207
eap_ttls_deinit(struct eap_sm * sm,void * priv)208 static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
209 {
210 struct eap_ttls_data *data = priv;
211 if (data == NULL)
212 return;
213 if (data->phase2_priv && data->phase2_method)
214 data->phase2_method->deinit(sm, data->phase2_priv);
215 os_free(data->phase2_eap_types);
216 if (data->ssl_initialized)
217 eap_tls_ssl_deinit(sm, &data->ssl);
218 os_free(data->key_data);
219 os_free(data->pending_phase2_req);
220 os_free(data);
221 }
222
223
eap_ttls_encrypt(struct eap_sm * sm,struct eap_ttls_data * data,int id,const u8 * plain,size_t plain_len,u8 ** out_data,size_t * out_len)224 static int eap_ttls_encrypt(struct eap_sm *sm, struct eap_ttls_data *data,
225 int id, const u8 *plain, size_t plain_len,
226 u8 **out_data, size_t *out_len)
227 {
228 int res;
229 u8 *pos;
230 struct eap_hdr *resp;
231
232 /* TODO: add support for fragmentation, if needed. This will need to
233 * add TLS Message Length field, if the frame is fragmented. */
234 resp = os_malloc(sizeof(struct eap_hdr) + 2 + data->ssl.tls_out_limit);
235 if (resp == NULL)
236 return -1;
237
238 resp->code = EAP_CODE_RESPONSE;
239 resp->identifier = id;
240
241 pos = (u8 *) (resp + 1);
242 *pos++ = EAP_TYPE_TTLS;
243 *pos++ = data->ttls_version;
244
245 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
246 plain, plain_len,
247 pos, data->ssl.tls_out_limit);
248 if (res < 0) {
249 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 "
250 "data");
251 os_free(resp);
252 return -1;
253 }
254
255 *out_len = sizeof(struct eap_hdr) + 2 + res;
256 resp->length = host_to_be16(*out_len);
257 *out_data = (u8 *) resp;
258 return 0;
259 }
260
261
eap_ttls_avp_hdr(u8 * avphdr,u32 avp_code,u32 vendor_id,int mandatory,size_t len)262 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
263 int mandatory, size_t len)
264 {
265 struct ttls_avp_vendor *avp;
266 u8 flags;
267 size_t hdrlen;
268
269 avp = (struct ttls_avp_vendor *) avphdr;
270 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
271 if (vendor_id) {
272 flags |= AVP_FLAGS_VENDOR;
273 hdrlen = sizeof(*avp);
274 avp->vendor_id = host_to_be32(vendor_id);
275 } else {
276 hdrlen = sizeof(struct ttls_avp);
277 }
278
279 avp->avp_code = host_to_be32(avp_code);
280 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
281
282 return avphdr + hdrlen;
283 }
284
285
eap_ttls_avp_add(u8 * start,u8 * avphdr,u32 avp_code,u32 vendor_id,int mandatory,u8 * data,size_t len)286 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
287 u32 vendor_id, int mandatory,
288 u8 *data, size_t len)
289 {
290 u8 *pos;
291 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
292 os_memcpy(pos, data, len);
293 pos += len;
294 AVP_PAD(start, pos);
295 return pos;
296 }
297
298
eap_ttls_avp_encapsulate(u8 ** resp,size_t * resp_len,u32 avp_code,int mandatory)299 static int eap_ttls_avp_encapsulate(u8 **resp, size_t *resp_len, u32 avp_code,
300 int mandatory)
301 {
302 u8 *avp, *pos;
303
304 avp = os_malloc(sizeof(struct ttls_avp) + *resp_len + 4);
305 if (avp == NULL) {
306 os_free(*resp);
307 *resp = NULL;
308 *resp_len = 0;
309 return -1;
310 }
311
312 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, *resp_len);
313 os_memcpy(pos, *resp, *resp_len);
314 pos += *resp_len;
315 AVP_PAD(avp, pos);
316 os_free(*resp);
317 *resp = avp;
318 *resp_len = pos - avp;
319 return 0;
320 }
321
322
eap_ttls_ia_permute_inner_secret(struct eap_sm * sm,struct eap_ttls_data * data,const u8 * key,size_t key_len)323 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
324 struct eap_ttls_data *data,
325 const u8 *key, size_t key_len)
326 {
327 u8 *buf;
328 size_t buf_len;
329 int ret;
330
331 if (key) {
332 buf_len = 2 + key_len;
333 buf = os_malloc(buf_len);
334 if (buf == NULL)
335 return -1;
336 WPA_PUT_BE16(buf, key_len);
337 os_memcpy(buf + 2, key, key_len);
338 } else {
339 buf = NULL;
340 buf_len = 0;
341 }
342
343 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
344 "secret permutation", buf, buf_len);
345 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
346 data->ssl.conn,
347 buf, buf_len);
348 os_free(buf);
349
350 return ret;
351 }
352
353
eap_ttls_v0_derive_key(struct eap_sm * sm,struct eap_ttls_data * data)354 static int eap_ttls_v0_derive_key(struct eap_sm *sm,
355 struct eap_ttls_data *data)
356 {
357 os_free(data->key_data);
358 data->key_data = eap_tls_derive_key(sm, &data->ssl,
359 "ttls keying material",
360 EAP_TLS_KEY_LEN);
361 if (!data->key_data) {
362 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
363 return -1;
364 }
365
366 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
367 data->key_data, EAP_TLS_KEY_LEN);
368
369 return 0;
370 }
371
372
eap_ttls_v1_derive_key(struct eap_sm * sm,struct eap_ttls_data * data)373 static int eap_ttls_v1_derive_key(struct eap_sm *sm,
374 struct eap_ttls_data *data)
375 {
376 struct tls_keys keys;
377 u8 *rnd;
378
379 os_free(data->key_data);
380 data->key_data = NULL;
381
382 os_memset(&keys, 0, sizeof(keys));
383 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
384 keys.client_random == NULL || keys.server_random == NULL ||
385 keys.inner_secret == NULL) {
386 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
387 "client random, or server random to derive keying "
388 "material");
389 return -1;
390 }
391
392 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
393 data->key_data = os_malloc(EAP_TLS_KEY_LEN);
394 if (rnd == NULL || data->key_data == NULL) {
395 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
396 os_free(rnd);
397 os_free(data->key_data);
398 data->key_data = NULL;
399 return -1;
400 }
401 os_memcpy(rnd, keys.client_random, keys.client_random_len);
402 os_memcpy(rnd + keys.client_random_len, keys.server_random,
403 keys.server_random_len);
404
405 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
406 "ttls v1 keying material", rnd, keys.client_random_len +
407 keys.server_random_len, data->key_data, EAP_TLS_KEY_LEN)) {
408 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
409 os_free(rnd);
410 os_free(data->key_data);
411 data->key_data = NULL;
412 return -1;
413 }
414
415 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
416 rnd, keys.client_random_len + keys.server_random_len);
417 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
418 keys.inner_secret, keys.inner_secret_len);
419
420 os_free(rnd);
421
422 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
423 data->key_data, EAP_TLS_KEY_LEN);
424
425 return 0;
426 }
427
428
eap_ttls_implicit_challenge(struct eap_sm * sm,struct eap_ttls_data * data,size_t len)429 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
430 struct eap_ttls_data *data, size_t len)
431 {
432 struct tls_keys keys;
433 u8 *challenge, *rnd;
434
435 if (data->ttls_version == 0) {
436 return eap_tls_derive_key(sm, &data->ssl, "ttls challenge",
437 len);
438 }
439
440 os_memset(&keys, 0, sizeof(keys));
441 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
442 keys.client_random == NULL || keys.server_random == NULL ||
443 keys.inner_secret == NULL) {
444 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
445 "client random, or server random to derive "
446 "implicit challenge");
447 return NULL;
448 }
449
450 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
451 challenge = os_malloc(len);
452 if (rnd == NULL || challenge == NULL) {
453 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
454 "challenge derivation");
455 os_free(rnd);
456 os_free(challenge);
457 return NULL;
458 }
459 os_memcpy(rnd, keys.server_random, keys.server_random_len);
460 os_memcpy(rnd + keys.server_random_len, keys.client_random,
461 keys.client_random_len);
462
463 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
464 "inner application challenge", rnd,
465 keys.client_random_len + keys.server_random_len,
466 challenge, len)) {
467 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
468 "challenge");
469 os_free(rnd);
470 os_free(challenge);
471 return NULL;
472 }
473
474 os_free(rnd);
475
476 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
477 challenge, len);
478
479 return challenge;
480 }
481
482
eap_ttls_phase2_nak(struct eap_ttls_data * data,struct eap_hdr * hdr,u8 ** resp,size_t * resp_len)483 static int eap_ttls_phase2_nak(struct eap_ttls_data *data, struct eap_hdr *hdr,
484 u8 **resp, size_t *resp_len)
485 {
486 struct eap_hdr *resp_hdr;
487 u8 *pos = (u8 *) (hdr + 1);
488 size_t i;
489
490 /* TODO: add support for expanded Nak */
491 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 Request: Nak type=%d", *pos);
492 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Allowed Phase2 EAP types",
493 (u8 *) data->phase2_eap_types, data->num_phase2_eap_types *
494 sizeof(struct eap_method_type));
495 *resp_len = sizeof(struct eap_hdr) + 1;
496 *resp = os_malloc(*resp_len + data->num_phase2_eap_types);
497 if (*resp == NULL)
498 return -1;
499
500 resp_hdr = (struct eap_hdr *) (*resp);
501 resp_hdr->code = EAP_CODE_RESPONSE;
502 resp_hdr->identifier = hdr->identifier;
503 pos = (u8 *) (resp_hdr + 1);
504 *pos++ = EAP_TYPE_NAK;
505 for (i = 0; i < data->num_phase2_eap_types; i++) {
506 if (data->phase2_eap_types[i].vendor == EAP_VENDOR_IETF &&
507 data->phase2_eap_types[i].method < 256) {
508 (*resp_len)++;
509 *pos++ = data->phase2_eap_types[i].method;
510 }
511 }
512 resp_hdr->length = host_to_be16(*resp_len);
513
514 return 0;
515 }
516
517
eap_ttls_phase2_request_eap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct eap_hdr * hdr,u8 ** resp,size_t * resp_len)518 static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
519 struct eap_ttls_data *data,
520 struct eap_method_ret *ret,
521 struct eap_hdr *hdr,
522 u8 **resp, size_t *resp_len)
523 {
524 size_t len = be_to_host16(hdr->length);
525 u8 *pos;
526 struct eap_method_ret iret;
527 struct wpa_ssid *config = eap_get_config(sm);
528
529 if (len <= sizeof(struct eap_hdr)) {
530 wpa_printf(MSG_INFO, "EAP-TTLS: too short "
531 "Phase 2 request (len=%lu)", (unsigned long) len);
532 return -1;
533 }
534 pos = (u8 *) (hdr + 1);
535 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
536 switch (*pos) {
537 case EAP_TYPE_IDENTITY:
538 *resp = eap_sm_buildIdentity(sm, hdr->identifier, resp_len, 1);
539 break;
540 default:
541 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
542 data->phase2_eap_type.method == EAP_TYPE_NONE) {
543 size_t i;
544 for (i = 0; i < data->num_phase2_eap_types; i++) {
545 if (data->phase2_eap_types[i].vendor !=
546 EAP_VENDOR_IETF ||
547 data->phase2_eap_types[i].method != *pos)
548 continue;
549
550 data->phase2_eap_type.vendor =
551 data->phase2_eap_types[i].vendor;
552 data->phase2_eap_type.method =
553 data->phase2_eap_types[i].method;
554 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
555 "Phase 2 EAP vendor %d method %d",
556 data->phase2_eap_type.vendor,
557 data->phase2_eap_type.method);
558 break;
559 }
560 }
561 if (*pos != data->phase2_eap_type.method ||
562 *pos == EAP_TYPE_NONE) {
563 if (eap_ttls_phase2_nak(data, hdr, resp, resp_len))
564 return -1;
565 break;
566 }
567
568 if (data->phase2_priv == NULL) {
569 data->phase2_method = eap_sm_get_eap_methods(
570 EAP_VENDOR_IETF, *pos);
571 if (data->phase2_method) {
572 sm->init_phase2 = 1;
573 sm->mschapv2_full_key = 1;
574 data->phase2_priv =
575 data->phase2_method->init(sm);
576 sm->init_phase2 = 0;
577 sm->mschapv2_full_key = 0;
578 }
579 }
580 if (data->phase2_priv == NULL || data->phase2_method == NULL) {
581 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize "
582 "Phase 2 EAP method %d", *pos);
583 return -1;
584 }
585 os_memset(&iret, 0, sizeof(iret));
586 *resp = data->phase2_method->process(sm, data->phase2_priv,
587 &iret, (u8 *) hdr, len,
588 resp_len);
589 if ((iret.methodState == METHOD_DONE ||
590 iret.methodState == METHOD_MAY_CONT) &&
591 (iret.decision == DECISION_UNCOND_SUCC ||
592 iret.decision == DECISION_COND_SUCC ||
593 iret.decision == DECISION_FAIL)) {
594 ret->methodState = iret.methodState;
595 ret->decision = iret.decision;
596 }
597 if (data->ttls_version > 0) {
598 const struct eap_method *m = data->phase2_method;
599 void *priv = data->phase2_priv;
600
601 /* TTLSv1 requires TLS/IA FinalPhaseFinished */
602 if (ret->decision == DECISION_UNCOND_SUCC)
603 ret->decision = DECISION_COND_SUCC;
604 ret->methodState = METHOD_CONT;
605
606 if (ret->decision == DECISION_COND_SUCC &&
607 m->isKeyAvailable && m->getKey &&
608 m->isKeyAvailable(sm, priv)) {
609 u8 *key;
610 size_t key_len;
611 key = m->getKey(sm, priv, &key_len);
612 if (key) {
613 eap_ttls_ia_permute_inner_secret(
614 sm, data, key, key_len);
615 os_free(key);
616 }
617 }
618 }
619 break;
620 }
621
622 if (*resp == NULL &&
623 (config->pending_req_identity || config->pending_req_password ||
624 config->pending_req_otp)) {
625 return 0;
626 }
627
628 if (*resp == NULL)
629 return -1;
630
631 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
632 *resp, *resp_len);
633 return eap_ttls_avp_encapsulate(resp, resp_len,
634 RADIUS_ATTR_EAP_MESSAGE, 1);
635 }
636
637
eap_ttls_phase2_request_mschapv2(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 ** resp,size_t * resp_len)638 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
639 struct eap_ttls_data *data,
640 struct eap_method_ret *ret,
641 u8 **resp, size_t *resp_len)
642 {
643 struct wpa_ssid *config = eap_get_config(sm);
644 u8 *buf, *pos, *challenge, *username, *peer_challenge;
645 size_t username_len, i;
646
647 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
648
649 /* MSCHAPv2 does not include optional domain name in the
650 * challenge-response calculation, so remove domain prefix
651 * (if present). */
652 username = config->identity;
653 username_len = config->identity_len;
654 pos = username;
655 for (i = 0; i < username_len; i++) {
656 if (username[i] == '\\') {
657 username_len -= i + 1;
658 username += i + 1;
659 break;
660 }
661 }
662
663 pos = buf = os_malloc(config->identity_len + 1000);
664 if (buf == NULL) {
665 wpa_printf(MSG_ERROR,
666 "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
667 return -1;
668 }
669
670 /* User-Name */
671 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
672 config->identity, config->identity_len);
673
674 /* MS-CHAP-Challenge */
675 challenge = eap_ttls_implicit_challenge(
676 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
677 if (challenge == NULL) {
678 os_free(buf);
679 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
680 "implicit challenge");
681 return -1;
682 }
683 peer_challenge = challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
684
685 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
686 RADIUS_VENDOR_ID_MICROSOFT, 1,
687 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
688
689 /* MS-CHAP2-Response */
690 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
691 RADIUS_VENDOR_ID_MICROSOFT, 1,
692 EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
693 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
694 *pos++ = data->ident;
695 *pos++ = 0; /* Flags */
696 os_memcpy(pos, peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
697 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
698 os_memset(pos, 0, 8); /* Reserved, must be zero */
699 pos += 8;
700 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: implicit auth_challenge",
701 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
702 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: peer_challenge",
703 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
704 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 username",
705 username, username_len);
706 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 password",
707 config->password, config->password_len);
708 generate_nt_response(challenge, peer_challenge,
709 username, username_len,
710 config->password, config->password_len,
711 pos);
712 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 response", pos, 24);
713 generate_authenticator_response(config->password, config->password_len,
714 peer_challenge, challenge,
715 username, username_len,
716 pos, data->auth_response);
717 data->auth_response_valid = 1;
718
719 if (data->ttls_version > 0) {
720 u8 pw_hash[16], pw_hash_hash[16], master_key[16];
721 u8 session_key[2 * MSCHAPV2_KEY_LEN];
722 nt_password_hash(config->password, config->password_len,
723 pw_hash);
724 hash_nt_password_hash(pw_hash, pw_hash_hash);
725 get_master_key(pw_hash_hash, pos /* nt_response */,
726 master_key);
727 get_asymetric_start_key(master_key, session_key,
728 MSCHAPV2_KEY_LEN, 0, 0);
729 get_asymetric_start_key(master_key,
730 session_key + MSCHAPV2_KEY_LEN,
731 MSCHAPV2_KEY_LEN, 1, 0);
732 eap_ttls_ia_permute_inner_secret(sm, data,
733 session_key,
734 sizeof(session_key));
735 }
736
737 pos += 24;
738 os_free(challenge);
739 AVP_PAD(buf, pos);
740
741 *resp = buf;
742 *resp_len = pos - buf;
743
744 if (sm->workaround && data->ttls_version == 0) {
745 /* At least FreeRADIUS seems to be terminating
746 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
747 * packet. */
748 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
749 "allow success without tunneled response");
750 ret->methodState = METHOD_MAY_CONT;
751 ret->decision = DECISION_COND_SUCC;
752 }
753
754 return 0;
755 }
756
757
eap_ttls_phase2_request_mschap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 ** resp,size_t * resp_len)758 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
759 struct eap_ttls_data *data,
760 struct eap_method_ret *ret,
761 u8 **resp, size_t *resp_len)
762 {
763 struct wpa_ssid *config = eap_get_config(sm);
764 u8 *buf, *pos, *challenge;
765
766 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
767
768 pos = buf = os_malloc(config->identity_len + 1000);
769 if (buf == NULL) {
770 wpa_printf(MSG_ERROR,
771 "EAP-TTLS/MSCHAP: Failed to allocate memory");
772 return -1;
773 }
774
775 /* User-Name */
776 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
777 config->identity, config->identity_len);
778
779 /* MS-CHAP-Challenge */
780 challenge = eap_ttls_implicit_challenge(
781 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
782 if (challenge == NULL) {
783 os_free(buf);
784 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
785 "implicit challenge");
786 return -1;
787 }
788
789 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
790 RADIUS_VENDOR_ID_MICROSOFT, 1,
791 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
792
793 /* MS-CHAP-Response */
794 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
795 RADIUS_VENDOR_ID_MICROSOFT, 1,
796 EAP_TTLS_MSCHAP_RESPONSE_LEN);
797 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
798 *pos++ = data->ident;
799 *pos++ = 1; /* Flags: Use NT style passwords */
800 os_memset(pos, 0, 24); /* LM-Response */
801 pos += 24;
802 nt_challenge_response(challenge,
803 config->password, config->password_len,
804 pos); /* NT-Response */
805 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
806 config->password, config->password_len);
807 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
808 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
809 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
810 pos += 24;
811 os_free(challenge);
812 AVP_PAD(buf, pos);
813
814 *resp = buf;
815 *resp_len = pos - buf;
816
817 if (data->ttls_version > 0) {
818 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
819 * so do not allow connection to be terminated yet. */
820 ret->methodState = METHOD_CONT;
821 ret->decision = DECISION_COND_SUCC;
822 } else {
823 /* EAP-TTLS/MSCHAP does not provide tunneled success
824 * notification, so assume that Phase2 succeeds. */
825 ret->methodState = METHOD_DONE;
826 ret->decision = DECISION_COND_SUCC;
827 }
828
829 return 0;
830 }
831
832
eap_ttls_phase2_request_pap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 ** resp,size_t * resp_len)833 static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
834 struct eap_ttls_data *data,
835 struct eap_method_ret *ret,
836 u8 **resp, size_t *resp_len)
837 {
838 struct wpa_ssid *config = eap_get_config(sm);
839 u8 *buf, *pos;
840 size_t pad;
841
842 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
843
844 pos = buf = os_malloc(config->identity_len + config->password_len +
845 100);
846 if (buf == NULL) {
847 wpa_printf(MSG_ERROR,
848 "EAP-TTLS/PAP: Failed to allocate memory");
849 return -1;
850 }
851
852 /* User-Name */
853 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
854 config->identity, config->identity_len);
855
856 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
857 * the data, so no separate encryption is used in the AVP itself.
858 * However, the password is padded to obfuscate its length. */
859 pad = (16 - (config->password_len & 15)) & 15;
860 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
861 config->password_len + pad);
862 os_memcpy(pos, config->password, config->password_len);
863 pos += config->password_len;
864 os_memset(pos, 0, pad);
865 pos += pad;
866 AVP_PAD(buf, pos);
867
868 *resp = buf;
869 *resp_len = pos - buf;
870
871 if (data->ttls_version > 0) {
872 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
873 * so do not allow connection to be terminated yet. */
874 ret->methodState = METHOD_CONT;
875 ret->decision = DECISION_COND_SUCC;
876 } else {
877 /* EAP-TTLS/PAP does not provide tunneled success notification,
878 * so assume that Phase2 succeeds. */
879 ret->methodState = METHOD_DONE;
880 ret->decision = DECISION_COND_SUCC;
881 }
882
883 return 0;
884 }
885
886
eap_ttls_phase2_request_chap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 ** resp,size_t * resp_len)887 static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
888 struct eap_ttls_data *data,
889 struct eap_method_ret *ret,
890 u8 **resp, size_t *resp_len)
891 {
892 struct wpa_ssid *config = eap_get_config(sm);
893 u8 *buf, *pos, *challenge;
894 const u8 *addr[3];
895 size_t len[3];
896
897 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
898
899 pos = buf = os_malloc(config->identity_len + 1000);
900 if (buf == NULL) {
901 wpa_printf(MSG_ERROR,
902 "EAP-TTLS/CHAP: Failed to allocate memory");
903 return -1;
904 }
905
906 /* User-Name */
907 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
908 config->identity, config->identity_len);
909
910 /* CHAP-Challenge */
911 challenge = eap_ttls_implicit_challenge(
912 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
913 if (challenge == NULL) {
914 os_free(buf);
915 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
916 "implicit challenge");
917 return -1;
918 }
919
920 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
921 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
922
923 /* CHAP-Password */
924 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
925 1 + EAP_TTLS_CHAP_PASSWORD_LEN);
926 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
927 *pos++ = data->ident;
928
929 /* MD5(Ident + Password + Challenge) */
930 addr[0] = &data->ident;
931 len[0] = 1;
932 addr[1] = config->password;
933 len[1] = config->password_len;
934 addr[2] = challenge;
935 len[2] = EAP_TTLS_CHAP_CHALLENGE_LEN;
936 md5_vector(3, addr, len, pos);
937
938 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
939 config->identity, config->identity_len);
940 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
941 config->password, config->password_len);
942 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
943 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
944 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
945 pos, EAP_TTLS_CHAP_PASSWORD_LEN);
946 pos += EAP_TTLS_CHAP_PASSWORD_LEN;
947 os_free(challenge);
948 AVP_PAD(buf, pos);
949
950 *resp = buf;
951 *resp_len = pos - buf;
952
953 if (data->ttls_version > 0) {
954 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
955 * so do not allow connection to be terminated yet. */
956 ret->methodState = METHOD_CONT;
957 ret->decision = DECISION_COND_SUCC;
958 } else {
959 /* EAP-TTLS/CHAP does not provide tunneled success
960 * notification, so assume that Phase2 succeeds. */
961 ret->methodState = METHOD_DONE;
962 ret->decision = DECISION_COND_SUCC;
963 }
964
965 return 0;
966 }
967
968
eap_ttls_phase2_request(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,const struct eap_hdr * req,struct eap_hdr * hdr,u8 ** resp,size_t * resp_len)969 static int eap_ttls_phase2_request(struct eap_sm *sm,
970 struct eap_ttls_data *data,
971 struct eap_method_ret *ret,
972 const struct eap_hdr *req,
973 struct eap_hdr *hdr,
974 u8 **resp, size_t *resp_len)
975 {
976 int res = 0;
977 size_t len;
978
979 if (data->phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
980 data->phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
981 data->phase2_type == EAP_TTLS_PHASE2_PAP ||
982 data->phase2_type == EAP_TTLS_PHASE2_CHAP) {
983 if (eap_get_config_identity(sm, &len) == NULL) {
984 wpa_printf(MSG_INFO,
985 "EAP-TTLS: Identity not configured");
986 eap_sm_request_identity(sm);
987 if (eap_get_config_password(sm, &len) == NULL)
988 eap_sm_request_password(sm);
989 return 0;
990 }
991
992 if (eap_get_config_password(sm, &len) == NULL) {
993 wpa_printf(MSG_INFO,
994 "EAP-TTLS: Password not configured");
995 eap_sm_request_password(sm);
996 return 0;
997 }
998 }
999
1000 switch (data->phase2_type) {
1001 case EAP_TTLS_PHASE2_EAP:
1002 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr,
1003 resp, resp_len);
1004 break;
1005 case EAP_TTLS_PHASE2_MSCHAPV2:
1006 res = eap_ttls_phase2_request_mschapv2(sm, data, ret,
1007 resp, resp_len);
1008 break;
1009 case EAP_TTLS_PHASE2_MSCHAP:
1010 res = eap_ttls_phase2_request_mschap(sm, data, ret,
1011 resp, resp_len);
1012 break;
1013 case EAP_TTLS_PHASE2_PAP:
1014 res = eap_ttls_phase2_request_pap(sm, data, ret,
1015 resp, resp_len);
1016 break;
1017 case EAP_TTLS_PHASE2_CHAP:
1018 res = eap_ttls_phase2_request_chap(sm, data, ret,
1019 resp, resp_len);
1020 break;
1021 default:
1022 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
1023 res = -1;
1024 break;
1025 }
1026
1027 if (res < 0) {
1028 ret->methodState = METHOD_DONE;
1029 ret->decision = DECISION_FAIL;
1030 }
1031
1032 return res;
1033 }
1034
1035
eap_ttls_build_phase_finished(struct eap_sm * sm,struct eap_ttls_data * data,int id,int final,size_t * reqDataLen)1036 static u8 * eap_ttls_build_phase_finished(struct eap_sm *sm,
1037 struct eap_ttls_data *data,
1038 int id, int final,
1039 size_t *reqDataLen)
1040 {
1041 int len;
1042 struct eap_hdr *req;
1043 u8 *pos;
1044 const int max_len = 300;
1045
1046 len = sizeof(struct eap_hdr) + 2 + max_len;
1047 req = os_malloc(len);
1048 if (req == NULL)
1049 return NULL;
1050
1051 req->code = EAP_CODE_RESPONSE;
1052 req->identifier = id;
1053
1054 pos = (u8 *) (req + 1);
1055 *pos++ = EAP_TYPE_TTLS;
1056 *pos++ = data->ttls_version;
1057
1058 len = tls_connection_ia_send_phase_finished(sm->ssl_ctx,
1059 data->ssl.conn,
1060 final, pos, max_len);
1061 if (len < 0) {
1062 os_free(req);
1063 return NULL;
1064 }
1065
1066 *reqDataLen = sizeof(struct eap_hdr) + 2 + len;
1067 req->length = host_to_be16(*reqDataLen);
1068
1069 return (u8 *) req;
1070 }
1071
1072
eap_ttls_decrypt(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,const struct eap_hdr * req,const u8 * in_data,size_t in_len,u8 ** out_data,size_t * out_len)1073 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1074 struct eap_method_ret *ret,
1075 const struct eap_hdr *req,
1076 const u8 *in_data, size_t in_len,
1077 u8 **out_data, size_t *out_len)
1078 {
1079 u8 *in_decrypted = NULL, *pos;
1080 int res, retval = 0;
1081 struct eap_hdr *hdr = NULL;
1082 u8 *resp = NULL, *mschapv2 = NULL, *eapdata = NULL;
1083 size_t resp_len, eap_len = 0, len_decrypted = 0, len, buf_len, left;
1084 struct ttls_avp *avp;
1085 u8 recv_response[20];
1086 int mschapv2_error = 0;
1087 struct wpa_ssid *config = eap_get_config(sm);
1088 const u8 *msg;
1089 size_t msg_len;
1090 int need_more_input;
1091
1092 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1093 " Phase 2", (unsigned long) in_len);
1094
1095 if (data->pending_phase2_req) {
1096 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1097 "skip decryption and use old data");
1098 /* Clear TLS reassembly state. */
1099 os_free(data->ssl.tls_in);
1100 data->ssl.tls_in = NULL;
1101 data->ssl.tls_in_len = 0;
1102 data->ssl.tls_in_left = 0;
1103 data->ssl.tls_in_total = 0;
1104
1105 in_decrypted = data->pending_phase2_req;
1106 data->pending_phase2_req = NULL;
1107 len_decrypted = data->pending_phase2_req_len;
1108 if (data->pending_phase2_req_len == 0) {
1109 os_free(in_decrypted);
1110 in_decrypted = NULL;
1111 goto fake_req_identity;
1112 }
1113 goto continue_req;
1114 }
1115
1116 if (in_len == 0 && data->phase2_start) {
1117 data->phase2_start = 0;
1118 /* EAP-TTLS does not use Phase2 on fast re-auth; this must be
1119 * done only if TLS part was indeed resuming a previous
1120 * session. Most Authentication Servers terminate EAP-TTLS
1121 * before reaching this point, but some do not. Make
1122 * wpa_supplicant stop phase 2 here, if needed. */
1123 if (data->reauth &&
1124 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1125 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1126 "skip phase 2");
1127 *out_data = eap_tls_build_ack(&data->ssl, out_len,
1128 req->identifier,
1129 EAP_TYPE_TTLS, 0);
1130 ret->methodState = METHOD_DONE;
1131 ret->decision = DECISION_UNCOND_SUCC;
1132 data->phase2_success = 1;
1133 return 0;
1134 }
1135 fake_req_identity:
1136 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
1137 "Phase 2 - use fake EAP-Request Identity");
1138 buf_len = sizeof(*hdr) + 1;
1139 in_decrypted = os_malloc(buf_len);
1140 if (in_decrypted == NULL) {
1141 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
1142 "memory for fake EAP-Identity Request");
1143 retval = -1;
1144 goto done;
1145 }
1146 hdr = (struct eap_hdr *) in_decrypted;
1147 hdr->code = EAP_CODE_REQUEST;
1148 hdr->identifier = 0;
1149 hdr->length = host_to_be16(sizeof(*hdr) + 1);
1150 in_decrypted[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
1151 goto process_eap;
1152 }
1153
1154 msg = eap_tls_data_reassemble(sm, &data->ssl, in_data, in_len,
1155 &msg_len, &need_more_input);
1156 if (msg == NULL)
1157 return need_more_input ? 1 : -1;
1158
1159 buf_len = in_len;
1160 if (data->ssl.tls_in_total > buf_len)
1161 buf_len = data->ssl.tls_in_total;
1162 in_decrypted = os_malloc(buf_len);
1163 if (in_decrypted == NULL) {
1164 os_free(data->ssl.tls_in);
1165 data->ssl.tls_in = NULL;
1166 data->ssl.tls_in_len = 0;
1167 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
1168 "for decryption");
1169 retval = -1;
1170 goto done;
1171 }
1172
1173 res = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1174 msg, msg_len, in_decrypted, buf_len);
1175 os_free(data->ssl.tls_in);
1176 data->ssl.tls_in = NULL;
1177 data->ssl.tls_in_len = 0;
1178 if (res < 0) {
1179 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1180 "data");
1181 retval = -1;
1182 goto done;
1183 }
1184 len_decrypted = res;
1185
1186 if (data->ttls_version > 0 && len_decrypted == 0 &&
1187 tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1188 data->ssl.conn)) {
1189 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished received");
1190 wpa_printf(MSG_INFO, "EAP-TTLS: TLS/IA authentication "
1191 "succeeded");
1192 ret->methodState = METHOD_DONE;
1193 ret->decision = DECISION_UNCOND_SUCC;
1194 data->phase2_success = 1;
1195 *out_data = eap_ttls_build_phase_finished(sm, data,
1196 req->identifier, 1,
1197 out_len);
1198 eap_ttls_v1_derive_key(sm, data);
1199 goto done;
1200 }
1201
1202 continue_req:
1203 data->phase2_start = 0;
1204
1205 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs",
1206 in_decrypted, len_decrypted);
1207 if (len_decrypted < sizeof(struct ttls_avp)) {
1208 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
1209 " len=%lu expected %lu or more - dropped",
1210 (unsigned long) len_decrypted,
1211 (unsigned long) sizeof(struct ttls_avp));
1212 retval = -1;
1213 goto done;
1214 }
1215
1216 /* Parse AVPs */
1217 pos = in_decrypted;
1218 left = len_decrypted;
1219 mschapv2 = NULL;
1220
1221 while (left > 0) {
1222 u32 avp_code, avp_length, vendor_id = 0;
1223 u8 avp_flags, *dpos;
1224 size_t pad, dlen;
1225 avp = (struct ttls_avp *) pos;
1226 avp_code = be_to_host32(avp->avp_code);
1227 avp_length = be_to_host32(avp->avp_length);
1228 avp_flags = (avp_length >> 24) & 0xff;
1229 avp_length &= 0xffffff;
1230 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
1231 "length=%d", (int) avp_code, avp_flags,
1232 (int) avp_length);
1233 if (avp_length > left) {
1234 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
1235 "(len=%d, left=%lu) - dropped",
1236 (int) avp_length, (unsigned long) left);
1237 retval = -1;
1238 goto done;
1239 }
1240 if (avp_length < sizeof(*avp)) {
1241 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
1242 "%d", avp_length);
1243 retval = -1;
1244 goto done;
1245 }
1246 dpos = (u8 *) (avp + 1);
1247 dlen = avp_length - sizeof(*avp);
1248 if (avp_flags & AVP_FLAGS_VENDOR) {
1249 if (dlen < 4) {
1250 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
1251 "underflow");
1252 retval = -1;
1253 goto done;
1254 }
1255 vendor_id = be_to_host32(* (u32 *) dpos);
1256 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
1257 (int) vendor_id);
1258 dpos += 4;
1259 dlen -= 4;
1260 }
1261
1262 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
1263
1264 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
1265 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
1266 if (eapdata == NULL) {
1267 eapdata = os_malloc(dlen);
1268 if (eapdata == NULL) {
1269 retval = -1;
1270 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1271 "failed to allocate memory "
1272 "for Phase 2 EAP data");
1273 goto done;
1274 }
1275 os_memcpy(eapdata, dpos, dlen);
1276 eap_len = dlen;
1277 } else {
1278 u8 *neweap = os_realloc(eapdata,
1279 eap_len + dlen);
1280 if (neweap == NULL) {
1281 retval = -1;
1282 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1283 "failed to allocate memory "
1284 "for Phase 2 EAP data");
1285 goto done;
1286 }
1287 os_memcpy(neweap + eap_len, dpos, dlen);
1288 eapdata = neweap;
1289 eap_len += dlen;
1290 }
1291 } else if (vendor_id == 0 &&
1292 avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
1293 /* This is an optional message that can be displayed to
1294 * the user. */
1295 wpa_hexdump_ascii(MSG_DEBUG,
1296 "EAP-TTLS: AVP - Reply-Message",
1297 dpos, dlen);
1298 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1299 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
1300 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: "
1301 "MS-CHAP2-Success", dpos, dlen);
1302 if (dlen != 43) {
1303 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
1304 "MS-CHAP2-Success length "
1305 "(len=%lu, expected 43)",
1306 (unsigned long) dlen);
1307 retval = -1;
1308 break;
1309 }
1310 mschapv2 = dpos;
1311 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1312 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
1313 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: "
1314 "MS-CHAP-Error", dpos, dlen);
1315 mschapv2_error = 1;
1316 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
1317 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
1318 "mandatory AVP code %d vendor_id %d - "
1319 "dropped", (int) avp_code, (int) vendor_id);
1320 retval = -1;
1321 goto done;
1322 } else {
1323 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
1324 "AVP code %d vendor_id %d",
1325 (int) avp_code, (int) vendor_id);
1326 }
1327
1328 pad = (4 - (avp_length & 3)) & 3;
1329 pos += avp_length + pad;
1330 if (left < avp_length + pad)
1331 left = 0;
1332 else
1333 left -= avp_length + pad;
1334 }
1335
1336 switch (data->phase2_type) {
1337 case EAP_TTLS_PHASE2_EAP:
1338 if (eapdata == NULL) {
1339 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in "
1340 "the packet - dropped");
1341 retval = -1;
1342 goto done;
1343 }
1344
1345 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1346 eapdata, eap_len);
1347 hdr = (struct eap_hdr *) eapdata;
1348
1349 if (eap_len < sizeof(*hdr)) {
1350 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 "
1351 "EAP frame (len=%lu, expected %lu or more) "
1352 "- dropped", (unsigned long) eap_len,
1353 (unsigned long) sizeof(*hdr));
1354 retval = -1;
1355 goto done;
1356 }
1357 len = be_to_host16(hdr->length);
1358 if (len > eap_len) {
1359 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in "
1360 "Phase 2 EAP frame (EAP hdr len=%lu, EAP "
1361 "data len in AVP=%lu)",
1362 (unsigned long) len,
1363 (unsigned long) eap_len);
1364 retval = -1;
1365 goto done;
1366 }
1367 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1368 "identifier=%d length=%lu",
1369 hdr->code, hdr->identifier, (unsigned long) len);
1370 process_eap:
1371 switch (hdr->code) {
1372 case EAP_CODE_REQUEST:
1373 if (eap_ttls_phase2_request(sm, data, ret, req, hdr,
1374 &resp, &resp_len)) {
1375 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 "
1376 "Request processing failed");
1377 retval = -1;
1378 goto done;
1379 }
1380 break;
1381 default:
1382 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1383 "Phase 2 EAP header", hdr->code);
1384 retval = -1;
1385 break;
1386 }
1387 break;
1388 case EAP_TTLS_PHASE2_MSCHAPV2:
1389 if (mschapv2_error) {
1390 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1391 "MS-CHAP-Error - failed");
1392 ret->methodState = METHOD_DONE;
1393 ret->decision = DECISION_FAIL;
1394 *out_data = eap_tls_build_ack(&data->ssl, out_len,
1395 req->identifier,
1396 EAP_TYPE_TTLS, 0);
1397 break;
1398 }
1399
1400 if (mschapv2 == NULL) {
1401 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success"
1402 " AVP received for Phase2 MSCHAPV2");
1403 retval = -1;
1404 break;
1405 }
1406 if (mschapv2[0] != data->ident) {
1407 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch "
1408 "for Phase 2 MSCHAPV2 (received Ident "
1409 "0x%02x, expected 0x%02x)",
1410 mschapv2[0], data->ident);
1411 retval = -1;
1412 break;
1413 }
1414 if (!data->auth_response_valid ||
1415 mschapv2[1] != 'S' || mschapv2[2] != '=' ||
1416 hexstr2bin((char *) (mschapv2 + 3), recv_response, 20) ||
1417 os_memcmp(data->auth_response, recv_response, 20) != 0) {
1418 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid "
1419 "authenticator response in Phase 2 "
1420 "MSCHAPV2 success request");
1421 retval = -1;
1422 break;
1423 }
1424
1425 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1426 "authentication succeeded");
1427 if (data->ttls_version > 0) {
1428 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report
1429 * success, so do not allow connection to be terminated
1430 * yet. */
1431 ret->methodState = METHOD_CONT;
1432 ret->decision = DECISION_COND_SUCC;
1433 } else {
1434 ret->methodState = METHOD_DONE;
1435 ret->decision = DECISION_UNCOND_SUCC;
1436 data->phase2_success = 1;
1437 }
1438
1439 /* Reply with empty data; authentication server will reply
1440 * with EAP-Success after this. */
1441 retval = 1;
1442 goto done;
1443 case EAP_TTLS_PHASE2_MSCHAP:
1444 case EAP_TTLS_PHASE2_PAP:
1445 case EAP_TTLS_PHASE2_CHAP:
1446 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1447 * requests to the supplicant */
1448 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1449 "tunneled data");
1450 retval = -1;
1451 break;
1452 }
1453
1454 if (resp) {
1455 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
1456 resp, resp_len);
1457
1458 if (eap_ttls_encrypt(sm, data, req->identifier,
1459 resp, resp_len, out_data, out_len)) {
1460 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt "
1461 "a Phase 2 frame");
1462 }
1463 os_free(resp);
1464 } else if (config->pending_req_identity ||
1465 config->pending_req_password ||
1466 config->pending_req_otp ||
1467 config->pending_req_new_password) {
1468 os_free(data->pending_phase2_req);
1469 data->pending_phase2_req = os_malloc(len_decrypted);
1470 if (data->pending_phase2_req) {
1471 os_memcpy(data->pending_phase2_req, in_decrypted,
1472 len_decrypted);
1473 data->pending_phase2_req_len = len_decrypted;
1474 }
1475 }
1476
1477 done:
1478 os_free(in_decrypted);
1479 os_free(eapdata);
1480
1481 if (retval < 0) {
1482 ret->methodState = METHOD_DONE;
1483 ret->decision = DECISION_FAIL;
1484 }
1485
1486 return retval;
1487 }
1488
1489
eap_ttls_process(struct eap_sm * sm,void * priv,struct eap_method_ret * ret,const u8 * reqData,size_t reqDataLen,size_t * respDataLen)1490 static u8 * eap_ttls_process(struct eap_sm *sm, void *priv,
1491 struct eap_method_ret *ret,
1492 const u8 *reqData, size_t reqDataLen,
1493 size_t *respDataLen)
1494 {
1495 const struct eap_hdr *req;
1496 size_t left;
1497 int res;
1498 u8 flags, *resp, id;
1499 const u8 *pos;
1500 struct eap_ttls_data *data = priv;
1501 struct wpa_ssid *config = eap_get_config(sm);
1502
1503 pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1504 reqData, reqDataLen, &left, &flags);
1505 if (pos == NULL)
1506 return NULL;
1507 req = (const struct eap_hdr *) reqData;
1508 id = req->identifier;
1509
1510 if (flags & EAP_TLS_FLAGS_START) {
1511 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1512 "ver=%d)", flags & EAP_PEAP_VERSION_MASK,
1513 data->ttls_version);
1514 if ((flags & EAP_PEAP_VERSION_MASK) < data->ttls_version)
1515 data->ttls_version = flags & EAP_PEAP_VERSION_MASK;
1516 if (data->force_ttls_version >= 0 &&
1517 data->force_ttls_version != data->ttls_version) {
1518 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to select "
1519 "forced TTLS version %d",
1520 data->force_ttls_version);
1521 ret->methodState = METHOD_DONE;
1522 ret->decision = DECISION_FAIL;
1523 ret->allowNotifications = FALSE;
1524 return NULL;
1525 }
1526 wpa_printf(MSG_DEBUG, "EAP-TTLS: Using TTLS version %d",
1527 data->ttls_version);
1528
1529 if (data->ttls_version > 0)
1530 data->ssl.tls_ia = 1;
1531 if (!data->ssl_initialized &&
1532 eap_tls_ssl_init(sm, &data->ssl, config)) {
1533 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize "
1534 "SSL.");
1535 return NULL;
1536 }
1537 data->ssl_initialized = 1;
1538
1539 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start");
1540 /* draft-ietf-pppext-eap-ttls-03.txt, Ch. 8.1:
1541 * EAP-TTLS Start packet may, in a future specification, be
1542 * allowed to contain data. Client based on this draft version
1543 * must ignore such data but must not reject the Start packet.
1544 */
1545 left = 0;
1546 } else if (!data->ssl_initialized) {
1547 wpa_printf(MSG_DEBUG, "EAP-TTLS: First message did not "
1548 "include Start flag");
1549 ret->methodState = METHOD_DONE;
1550 ret->decision = DECISION_FAIL;
1551 ret->allowNotifications = FALSE;
1552 return NULL;
1553 }
1554
1555 resp = NULL;
1556 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1557 !data->resuming) {
1558 res = eap_ttls_decrypt(sm, data, ret, req, pos, left,
1559 &resp, respDataLen);
1560 } else {
1561 res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1562 data->ttls_version, id, pos, left,
1563 &resp, respDataLen);
1564
1565 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1566 wpa_printf(MSG_DEBUG,
1567 "EAP-TTLS: TLS done, proceed to Phase 2");
1568 if (data->resuming) {
1569 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth -"
1570 " may skip Phase 2");
1571 ret->decision = DECISION_COND_SUCC;
1572 ret->methodState = METHOD_MAY_CONT;
1573 }
1574 data->phase2_start = 1;
1575 if (data->ttls_version == 0)
1576 eap_ttls_v0_derive_key(sm, data);
1577
1578 if (*respDataLen == 0) {
1579 if (eap_ttls_decrypt(sm, data, ret, req, NULL,
1580 0, &resp, respDataLen)) {
1581 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1582 "failed to process early "
1583 "start for Phase 2");
1584 }
1585 res = 0;
1586 }
1587 data->resuming = 0;
1588 }
1589
1590 if (res == 2) {
1591 /*
1592 * Application data included in the handshake message.
1593 */
1594 os_free(data->pending_phase2_req);
1595 data->pending_phase2_req = resp;
1596 data->pending_phase2_req_len = *respDataLen;
1597 resp = NULL;
1598 *respDataLen = 0;
1599 res = eap_ttls_decrypt(sm, data, ret, req, pos, left,
1600 &resp, respDataLen);
1601 }
1602 }
1603
1604 if (data->ttls_version == 0 && ret->methodState == METHOD_DONE) {
1605 ret->allowNotifications = FALSE;
1606 if (ret->decision == DECISION_UNCOND_SUCC ||
1607 ret->decision == DECISION_COND_SUCC) {
1608 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1609 "completed successfully");
1610 data->phase2_success = 1;
1611 }
1612 } else if (data->ttls_version == 0 && sm->workaround &&
1613 ret->methodState == METHOD_MAY_CONT &&
1614 (ret->decision == DECISION_UNCOND_SUCC ||
1615 ret->decision == DECISION_COND_SUCC)) {
1616 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1617 "completed successfully (EAP workaround)");
1618 data->phase2_success = 1;
1619 }
1620
1621 if (res == 1) {
1622 return eap_tls_build_ack(&data->ssl, respDataLen, id,
1623 EAP_TYPE_TTLS, data->ttls_version);
1624 }
1625 return resp;
1626 }
1627
1628
eap_ttls_has_reauth_data(struct eap_sm * sm,void * priv)1629 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1630 {
1631 struct eap_ttls_data *data = priv;
1632 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1633 data->phase2_success;
1634 }
1635
1636
eap_ttls_deinit_for_reauth(struct eap_sm * sm,void * priv)1637 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1638 {
1639 struct eap_ttls_data *data = priv;
1640 os_free(data->pending_phase2_req);
1641 data->pending_phase2_req = NULL;
1642 }
1643
1644
eap_ttls_init_for_reauth(struct eap_sm * sm,void * priv)1645 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1646 {
1647 struct eap_ttls_data *data = priv;
1648 os_free(data->key_data);
1649 data->key_data = NULL;
1650 if (eap_tls_reauth_init(sm, &data->ssl)) {
1651 os_free(data);
1652 return NULL;
1653 }
1654 if (data->phase2_priv && data->phase2_method &&
1655 data->phase2_method->init_for_reauth)
1656 data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1657 data->phase2_start = 0;
1658 data->phase2_success = 0;
1659 data->resuming = 1;
1660 data->reauth = 1;
1661 return priv;
1662 }
1663
1664
eap_ttls_get_status(struct eap_sm * sm,void * priv,char * buf,size_t buflen,int verbose)1665 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1666 size_t buflen, int verbose)
1667 {
1668 struct eap_ttls_data *data = priv;
1669 int len, ret;
1670
1671 len = eap_tls_status(sm, &data->ssl, buf, buflen, verbose);
1672 ret = os_snprintf(buf + len, buflen - len,
1673 "EAP-TTLSv%d Phase2 method=",
1674 data->ttls_version);
1675 if (ret < 0 || (size_t) ret >= buflen - len)
1676 return len;
1677 len += ret;
1678 switch (data->phase2_type) {
1679 case EAP_TTLS_PHASE2_EAP:
1680 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1681 data->phase2_method ?
1682 data->phase2_method->name : "?");
1683 break;
1684 case EAP_TTLS_PHASE2_MSCHAPV2:
1685 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1686 break;
1687 case EAP_TTLS_PHASE2_MSCHAP:
1688 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1689 break;
1690 case EAP_TTLS_PHASE2_PAP:
1691 ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1692 break;
1693 case EAP_TTLS_PHASE2_CHAP:
1694 ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1695 break;
1696 default:
1697 ret = 0;
1698 break;
1699 }
1700 if (ret < 0 || (size_t) ret >= buflen - len)
1701 return len;
1702 len += ret;
1703
1704 return len;
1705 }
1706
1707
eap_ttls_isKeyAvailable(struct eap_sm * sm,void * priv)1708 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1709 {
1710 struct eap_ttls_data *data = priv;
1711 return data->key_data != NULL && data->phase2_success;
1712 }
1713
1714
eap_ttls_getKey(struct eap_sm * sm,void * priv,size_t * len)1715 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1716 {
1717 struct eap_ttls_data *data = priv;
1718 u8 *key;
1719
1720 if (data->key_data == NULL || !data->phase2_success)
1721 return NULL;
1722
1723 key = os_malloc(EAP_TLS_KEY_LEN);
1724 if (key == NULL)
1725 return NULL;
1726
1727 *len = EAP_TLS_KEY_LEN;
1728 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1729
1730 return key;
1731 }
1732
1733
eap_peer_ttls_register(void)1734 int eap_peer_ttls_register(void)
1735 {
1736 struct eap_method *eap;
1737 int ret;
1738
1739 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1740 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1741 if (eap == NULL)
1742 return -1;
1743
1744 eap->init = eap_ttls_init;
1745 eap->deinit = eap_ttls_deinit;
1746 eap->process = eap_ttls_process;
1747 eap->isKeyAvailable = eap_ttls_isKeyAvailable;
1748 eap->getKey = eap_ttls_getKey;
1749 eap->get_status = eap_ttls_get_status;
1750 eap->has_reauth_data = eap_ttls_has_reauth_data;
1751 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
1752 eap->init_for_reauth = eap_ttls_init_for_reauth;
1753
1754 ret = eap_peer_method_register(eap);
1755 if (ret)
1756 eap_peer_method_free(eap);
1757 return ret;
1758 }
1759