1 /*
2 * hostapd / EAP-TTLS (RFC 5281)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "eap_server/eap_i.h"
19 #include "eap_server/eap_tls_common.h"
20 #include "ms_funcs.h"
21 #include "sha1.h"
22 #include "eap_common/chap.h"
23 #include "tls.h"
24 #include "eap_common/eap_ttls.h"
25
26
27 /* Maximum supported TTLS version
28 * 0 = RFC 5281
29 * 1 = draft-funk-eap-ttls-v1-00.txt
30 */
31 #ifndef EAP_TTLS_VERSION
32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
33 #endif /* EAP_TTLS_VERSION */
34
35
36 #define MSCHAPV2_KEY_LEN 16
37
38
39 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
40
41
42 struct eap_ttls_data {
43 struct eap_ssl_data ssl;
44 enum {
45 START, PHASE1, PHASE2_START, PHASE2_METHOD,
46 PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE
47 } state;
48
49 int ttls_version;
50 int force_version;
51 const struct eap_method *phase2_method;
52 void *phase2_priv;
53 int mschapv2_resp_ok;
54 u8 mschapv2_auth_response[20];
55 u8 mschapv2_ident;
56 int tls_ia_configured;
57 struct wpabuf *pending_phase2_eap_resp;
58 int tnc_started;
59 };
60
61
eap_ttls_state_txt(int state)62 static const char * eap_ttls_state_txt(int state)
63 {
64 switch (state) {
65 case START:
66 return "START";
67 case PHASE1:
68 return "PHASE1";
69 case PHASE2_START:
70 return "PHASE2_START";
71 case PHASE2_METHOD:
72 return "PHASE2_METHOD";
73 case PHASE2_MSCHAPV2_RESP:
74 return "PHASE2_MSCHAPV2_RESP";
75 case PHASE_FINISHED:
76 return "PHASE_FINISHED";
77 case SUCCESS:
78 return "SUCCESS";
79 case FAILURE:
80 return "FAILURE";
81 default:
82 return "Unknown?!";
83 }
84 }
85
86
eap_ttls_state(struct eap_ttls_data * data,int state)87 static void eap_ttls_state(struct eap_ttls_data *data, int state)
88 {
89 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
90 eap_ttls_state_txt(data->state),
91 eap_ttls_state_txt(state));
92 data->state = state;
93 }
94
95
eap_ttls_avp_hdr(u8 * avphdr,u32 avp_code,u32 vendor_id,int mandatory,size_t len)96 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
97 int mandatory, size_t len)
98 {
99 struct ttls_avp_vendor *avp;
100 u8 flags;
101 size_t hdrlen;
102
103 avp = (struct ttls_avp_vendor *) avphdr;
104 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
105 if (vendor_id) {
106 flags |= AVP_FLAGS_VENDOR;
107 hdrlen = sizeof(*avp);
108 avp->vendor_id = host_to_be32(vendor_id);
109 } else {
110 hdrlen = sizeof(struct ttls_avp);
111 }
112
113 avp->avp_code = host_to_be32(avp_code);
114 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
115
116 return avphdr + hdrlen;
117 }
118
119
eap_ttls_avp_encapsulate(struct wpabuf * resp,u32 avp_code,int mandatory)120 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
121 u32 avp_code, int mandatory)
122 {
123 struct wpabuf *avp;
124 u8 *pos;
125
126 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
127 if (avp == NULL) {
128 wpabuf_free(resp);
129 return NULL;
130 }
131
132 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
133 wpabuf_len(resp));
134 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
135 pos += wpabuf_len(resp);
136 AVP_PAD((const u8 *) wpabuf_head(avp), pos);
137 wpabuf_free(resp);
138 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
139 return avp;
140 }
141
142
143 struct eap_ttls_avp {
144 /* Note: eap is allocated memory; caller is responsible for freeing
145 * it. All the other pointers are pointing to the packet data, i.e.,
146 * they must not be freed separately. */
147 u8 *eap;
148 size_t eap_len;
149 u8 *user_name;
150 size_t user_name_len;
151 u8 *user_password;
152 size_t user_password_len;
153 u8 *chap_challenge;
154 size_t chap_challenge_len;
155 u8 *chap_password;
156 size_t chap_password_len;
157 u8 *mschap_challenge;
158 size_t mschap_challenge_len;
159 u8 *mschap_response;
160 size_t mschap_response_len;
161 u8 *mschap2_response;
162 size_t mschap2_response_len;
163 };
164
165
eap_ttls_avp_parse(u8 * buf,size_t len,struct eap_ttls_avp * parse)166 static int eap_ttls_avp_parse(u8 *buf, size_t len, struct eap_ttls_avp *parse)
167 {
168 struct ttls_avp *avp;
169 u8 *pos;
170 int left;
171
172 pos = buf;
173 left = len;
174 os_memset(parse, 0, sizeof(*parse));
175
176 while (left > 0) {
177 u32 avp_code, avp_length, vendor_id = 0;
178 u8 avp_flags, *dpos;
179 size_t pad, dlen;
180 avp = (struct ttls_avp *) pos;
181 avp_code = be_to_host32(avp->avp_code);
182 avp_length = be_to_host32(avp->avp_length);
183 avp_flags = (avp_length >> 24) & 0xff;
184 avp_length &= 0xffffff;
185 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
186 "length=%d", (int) avp_code, avp_flags,
187 (int) avp_length);
188 if ((int) avp_length > left) {
189 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
190 "(len=%d, left=%d) - dropped",
191 (int) avp_length, left);
192 goto fail;
193 }
194 if (avp_length < sizeof(*avp)) {
195 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
196 "%d", avp_length);
197 goto fail;
198 }
199 dpos = (u8 *) (avp + 1);
200 dlen = avp_length - sizeof(*avp);
201 if (avp_flags & AVP_FLAGS_VENDOR) {
202 if (dlen < 4) {
203 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
204 "underflow");
205 goto fail;
206 }
207 vendor_id = be_to_host32(* (be32 *) dpos);
208 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
209 (int) vendor_id);
210 dpos += 4;
211 dlen -= 4;
212 }
213
214 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
215
216 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
217 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
218 if (parse->eap == NULL) {
219 parse->eap = os_malloc(dlen);
220 if (parse->eap == NULL) {
221 wpa_printf(MSG_WARNING, "EAP-TTLS: "
222 "failed to allocate memory "
223 "for Phase 2 EAP data");
224 goto fail;
225 }
226 os_memcpy(parse->eap, dpos, dlen);
227 parse->eap_len = dlen;
228 } else {
229 u8 *neweap = os_realloc(parse->eap,
230 parse->eap_len + dlen);
231 if (neweap == NULL) {
232 wpa_printf(MSG_WARNING, "EAP-TTLS: "
233 "failed to allocate memory "
234 "for Phase 2 EAP data");
235 goto fail;
236 }
237 os_memcpy(neweap + parse->eap_len, dpos, dlen);
238 parse->eap = neweap;
239 parse->eap_len += dlen;
240 }
241 } else if (vendor_id == 0 &&
242 avp_code == RADIUS_ATTR_USER_NAME) {
243 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
244 dpos, dlen);
245 parse->user_name = dpos;
246 parse->user_name_len = dlen;
247 } else if (vendor_id == 0 &&
248 avp_code == RADIUS_ATTR_USER_PASSWORD) {
249 u8 *password = dpos;
250 size_t password_len = dlen;
251 while (password_len > 0 &&
252 password[password_len - 1] == '\0') {
253 password_len--;
254 }
255 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
256 "User-Password (PAP)",
257 password, password_len);
258 parse->user_password = password;
259 parse->user_password_len = password_len;
260 } else if (vendor_id == 0 &&
261 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
262 wpa_hexdump(MSG_DEBUG,
263 "EAP-TTLS: CHAP-Challenge (CHAP)",
264 dpos, dlen);
265 parse->chap_challenge = dpos;
266 parse->chap_challenge_len = dlen;
267 } else if (vendor_id == 0 &&
268 avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
269 wpa_hexdump(MSG_DEBUG,
270 "EAP-TTLS: CHAP-Password (CHAP)",
271 dpos, dlen);
272 parse->chap_password = dpos;
273 parse->chap_password_len = dlen;
274 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
275 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
276 wpa_hexdump(MSG_DEBUG,
277 "EAP-TTLS: MS-CHAP-Challenge",
278 dpos, dlen);
279 parse->mschap_challenge = dpos;
280 parse->mschap_challenge_len = dlen;
281 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
282 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
283 wpa_hexdump(MSG_DEBUG,
284 "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
285 dpos, dlen);
286 parse->mschap_response = dpos;
287 parse->mschap_response_len = dlen;
288 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
289 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
290 wpa_hexdump(MSG_DEBUG,
291 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
292 dpos, dlen);
293 parse->mschap2_response = dpos;
294 parse->mschap2_response_len = dlen;
295 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
296 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
297 "mandatory AVP code %d vendor_id %d - "
298 "dropped", (int) avp_code, (int) vendor_id);
299 goto fail;
300 } else {
301 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
302 "AVP code %d vendor_id %d",
303 (int) avp_code, (int) vendor_id);
304 }
305
306 pad = (4 - (avp_length & 3)) & 3;
307 pos += avp_length + pad;
308 left -= avp_length + pad;
309 }
310
311 return 0;
312
313 fail:
314 os_free(parse->eap);
315 parse->eap = NULL;
316 return -1;
317 }
318
319
eap_ttls_implicit_challenge(struct eap_sm * sm,struct eap_ttls_data * data,size_t len)320 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
321 struct eap_ttls_data *data, size_t len)
322 {
323 struct tls_keys keys;
324 u8 *challenge, *rnd;
325
326 if (data->ttls_version == 0) {
327 return eap_server_tls_derive_key(sm, &data->ssl,
328 "ttls challenge", len);
329 }
330
331 os_memset(&keys, 0, sizeof(keys));
332 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
333 keys.client_random == NULL || keys.server_random == NULL ||
334 keys.inner_secret == NULL) {
335 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
336 "client random, or server random to derive "
337 "implicit challenge");
338 return NULL;
339 }
340
341 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
342 challenge = os_malloc(len);
343 if (rnd == NULL || challenge == NULL) {
344 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
345 "challenge derivation");
346 os_free(rnd);
347 os_free(challenge);
348 return NULL;
349 }
350 os_memcpy(rnd, keys.server_random, keys.server_random_len);
351 os_memcpy(rnd + keys.server_random_len, keys.client_random,
352 keys.client_random_len);
353
354 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
355 "inner application challenge", rnd,
356 keys.client_random_len + keys.server_random_len,
357 challenge, len)) {
358 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
359 "challenge");
360 os_free(rnd);
361 os_free(challenge);
362 return NULL;
363 }
364
365 os_free(rnd);
366
367 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
368 challenge, len);
369
370 return challenge;
371 }
372
373
eap_ttls_init(struct eap_sm * sm)374 static void * eap_ttls_init(struct eap_sm *sm)
375 {
376 struct eap_ttls_data *data;
377
378 data = os_zalloc(sizeof(*data));
379 if (data == NULL)
380 return NULL;
381 data->ttls_version = EAP_TTLS_VERSION;
382 data->force_version = -1;
383 if (sm->user && sm->user->force_version >= 0) {
384 data->force_version = sm->user->force_version;
385 wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d",
386 data->force_version);
387 data->ttls_version = data->force_version;
388 }
389 data->state = START;
390
391 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
392 data->ttls_version > 0) {
393 if (data->force_version > 0) {
394 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
395 "TLS library does not support TLS/IA.",
396 data->force_version);
397 eap_ttls_reset(sm, data);
398 return NULL;
399 }
400 data->ttls_version = 0;
401 }
402
403 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
404 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
405 eap_ttls_reset(sm, data);
406 return NULL;
407 }
408
409 return data;
410 }
411
412
eap_ttls_reset(struct eap_sm * sm,void * priv)413 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
414 {
415 struct eap_ttls_data *data = priv;
416 if (data == NULL)
417 return;
418 if (data->phase2_priv && data->phase2_method)
419 data->phase2_method->reset(sm, data->phase2_priv);
420 eap_server_tls_ssl_deinit(sm, &data->ssl);
421 wpabuf_free(data->pending_phase2_eap_resp);
422 os_free(data);
423 }
424
425
eap_ttls_build_start(struct eap_sm * sm,struct eap_ttls_data * data,u8 id)426 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
427 struct eap_ttls_data *data, u8 id)
428 {
429 struct wpabuf *req;
430
431 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
432 EAP_CODE_REQUEST, id);
433 if (req == NULL) {
434 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
435 " request");
436 eap_ttls_state(data, FAILURE);
437 return NULL;
438 }
439
440 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
441
442 eap_ttls_state(data, PHASE1);
443
444 return req;
445 }
446
447
eap_ttls_build_phase2_eap_req(struct eap_sm * sm,struct eap_ttls_data * data,u8 id)448 static struct wpabuf * eap_ttls_build_phase2_eap_req(
449 struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
450 {
451 struct wpabuf *buf, *encr_req;
452 u8 *req;
453 size_t req_len;
454
455
456 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
457 if (buf == NULL)
458 return NULL;
459
460 wpa_hexdump_buf_key(MSG_DEBUG,
461 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
462
463 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
464 if (buf == NULL) {
465 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
466 "packet");
467 return NULL;
468 }
469
470 req = wpabuf_mhead(buf);
471 req_len = wpabuf_len(buf);
472 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated Phase "
473 "2 data", req, req_len);
474
475 encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
476 wpabuf_free(buf);
477
478 return encr_req;
479 }
480
481
eap_ttls_build_phase2_mschapv2(struct eap_sm * sm,struct eap_ttls_data * data)482 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
483 struct eap_sm *sm, struct eap_ttls_data *data)
484 {
485 struct wpabuf *encr_req;
486 u8 *req, *pos, *end;
487 int ret;
488 size_t req_len;
489
490 pos = req = os_malloc(100);
491 if (req == NULL)
492 return NULL;
493 end = req + 100;
494
495 if (data->mschapv2_resp_ok) {
496 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
497 RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
498 *pos++ = data->mschapv2_ident;
499 ret = os_snprintf((char *) pos, end - pos, "S=");
500 if (ret >= 0 && ret < end - pos)
501 pos += ret;
502 pos += wpa_snprintf_hex_uppercase(
503 (char *) pos, end - pos, data->mschapv2_auth_response,
504 sizeof(data->mschapv2_auth_response));
505 } else {
506 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
507 RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
508 os_memcpy(pos, "Failed", 6);
509 pos += 6;
510 AVP_PAD(req, pos);
511 }
512
513 req_len = pos - req;
514 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
515 "data", req, req_len);
516
517 encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
518 os_free(req);
519
520 return encr_req;
521 }
522
523
eap_ttls_build_phase_finished(struct eap_sm * sm,struct eap_ttls_data * data,int final)524 static struct wpabuf * eap_ttls_build_phase_finished(
525 struct eap_sm *sm, struct eap_ttls_data *data, int final)
526 {
527 int len;
528 struct wpabuf *req;
529 const int max_len = 300;
530
531 req = wpabuf_alloc(max_len);
532 if (req == NULL)
533 return NULL;
534
535 len = tls_connection_ia_send_phase_finished(sm->ssl_ctx,
536 data->ssl.conn, final,
537 wpabuf_mhead(req),
538 max_len);
539 if (len < 0) {
540 wpabuf_free(req);
541 return NULL;
542 }
543 wpabuf_put(req, len);
544
545 return req;
546 }
547
548
eap_ttls_buildReq(struct eap_sm * sm,void * priv,u8 id)549 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
550 {
551 struct eap_ttls_data *data = priv;
552
553 if (data->ssl.state == FRAG_ACK) {
554 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
555 data->ttls_version);
556 }
557
558 if (data->ssl.state == WAIT_FRAG_ACK) {
559 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
560 data->ttls_version, id);
561 }
562
563 switch (data->state) {
564 case START:
565 return eap_ttls_build_start(sm, data, id);
566 case PHASE1:
567 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
568 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
569 "starting Phase2");
570 eap_ttls_state(data, PHASE2_START);
571 }
572 break;
573 case PHASE2_METHOD:
574 wpabuf_free(data->ssl.out_buf);
575 data->ssl.out_used = 0;
576 data->ssl.out_buf = eap_ttls_build_phase2_eap_req(sm, data,
577 id);
578 break;
579 case PHASE2_MSCHAPV2_RESP:
580 wpabuf_free(data->ssl.out_buf);
581 data->ssl.out_used = 0;
582 data->ssl.out_buf = eap_ttls_build_phase2_mschapv2(sm, data);
583 break;
584 case PHASE_FINISHED:
585 wpabuf_free(data->ssl.out_buf);
586 data->ssl.out_used = 0;
587 data->ssl.out_buf = eap_ttls_build_phase_finished(sm, data, 1);
588 break;
589 default:
590 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
591 __func__, data->state);
592 return NULL;
593 }
594
595 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
596 data->ttls_version, id);
597 }
598
599
eap_ttls_check(struct eap_sm * sm,void * priv,struct wpabuf * respData)600 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
601 struct wpabuf *respData)
602 {
603 const u8 *pos;
604 size_t len;
605
606 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
607 if (pos == NULL || len < 1) {
608 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
609 return TRUE;
610 }
611
612 return FALSE;
613 }
614
615
eap_ttls_ia_permute_inner_secret(struct eap_sm * sm,struct eap_ttls_data * data,const u8 * key,size_t key_len)616 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
617 struct eap_ttls_data *data,
618 const u8 *key, size_t key_len)
619 {
620 u8 *buf;
621 size_t buf_len;
622 int ret;
623
624 if (key) {
625 buf_len = 2 + key_len;
626 buf = os_malloc(buf_len);
627 if (buf == NULL)
628 return -1;
629 WPA_PUT_BE16(buf, key_len);
630 os_memcpy(buf + 2, key, key_len);
631 } else {
632 buf = NULL;
633 buf_len = 0;
634 }
635
636 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
637 "secret permutation", buf, buf_len);
638 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
639 data->ssl.conn,
640 buf, buf_len);
641 os_free(buf);
642
643 return ret;
644 }
645
646
eap_ttls_process_phase2_pap(struct eap_sm * sm,struct eap_ttls_data * data,const u8 * user_password,size_t user_password_len)647 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
648 struct eap_ttls_data *data,
649 const u8 *user_password,
650 size_t user_password_len)
651 {
652 if (!sm->user || !sm->user->password || sm->user->password_hash ||
653 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
654 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
655 "password configured");
656 eap_ttls_state(data, FAILURE);
657 return;
658 }
659
660 if (sm->user->password_len != user_password_len ||
661 os_memcmp(sm->user->password, user_password, user_password_len) !=
662 0) {
663 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
664 eap_ttls_state(data, FAILURE);
665 return;
666 }
667
668 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
669 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
670 SUCCESS);
671 }
672
673
eap_ttls_process_phase2_chap(struct eap_sm * sm,struct eap_ttls_data * data,const u8 * challenge,size_t challenge_len,const u8 * password,size_t password_len)674 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
675 struct eap_ttls_data *data,
676 const u8 *challenge,
677 size_t challenge_len,
678 const u8 *password,
679 size_t password_len)
680 {
681 u8 *chal, hash[CHAP_MD5_LEN];
682
683 if (challenge == NULL || password == NULL ||
684 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
685 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
686 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
687 "(challenge len %lu password len %lu)",
688 (unsigned long) challenge_len,
689 (unsigned long) password_len);
690 eap_ttls_state(data, FAILURE);
691 return;
692 }
693
694 if (!sm->user || !sm->user->password || sm->user->password_hash ||
695 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
696 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
697 "password configured");
698 eap_ttls_state(data, FAILURE);
699 return;
700 }
701
702 chal = eap_ttls_implicit_challenge(sm, data,
703 EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
704 if (chal == NULL) {
705 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
706 "challenge from TLS data");
707 eap_ttls_state(data, FAILURE);
708 return;
709 }
710
711 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 ||
712 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
713 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
714 os_free(chal);
715 eap_ttls_state(data, FAILURE);
716 return;
717 }
718 os_free(chal);
719
720 /* MD5(Ident + Password + Challenge) */
721 chap_md5(password[0], sm->user->password, sm->user->password_len,
722 challenge, challenge_len, hash);
723
724 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
725 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
726 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
727 SUCCESS);
728 } else {
729 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
730 eap_ttls_state(data, FAILURE);
731 }
732 }
733
734
eap_ttls_process_phase2_mschap(struct eap_sm * sm,struct eap_ttls_data * data,u8 * challenge,size_t challenge_len,u8 * response,size_t response_len)735 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
736 struct eap_ttls_data *data,
737 u8 *challenge, size_t challenge_len,
738 u8 *response, size_t response_len)
739 {
740 u8 *chal, nt_response[24];
741
742 if (challenge == NULL || response == NULL ||
743 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
744 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
745 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
746 "attributes (challenge len %lu response len %lu)",
747 (unsigned long) challenge_len,
748 (unsigned long) response_len);
749 eap_ttls_state(data, FAILURE);
750 return;
751 }
752
753 if (!sm->user || !sm->user->password ||
754 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
755 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
756 "configured");
757 eap_ttls_state(data, FAILURE);
758 return;
759 }
760
761 chal = eap_ttls_implicit_challenge(sm, data,
762 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
763 if (chal == NULL) {
764 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
765 "challenge from TLS data");
766 eap_ttls_state(data, FAILURE);
767 return;
768 }
769
770 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 ||
771 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
772 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
773 os_free(chal);
774 eap_ttls_state(data, FAILURE);
775 return;
776 }
777 os_free(chal);
778
779 if (sm->user->password_hash)
780 challenge_response(challenge, sm->user->password, nt_response);
781 else
782 nt_challenge_response(challenge, sm->user->password,
783 sm->user->password_len, nt_response);
784
785 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) {
786 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
787 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
788 SUCCESS);
789 } else {
790 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
791 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
792 response + 2 + 24, 24);
793 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
794 nt_response, 24);
795 eap_ttls_state(data, FAILURE);
796 }
797 }
798
799
eap_ttls_process_phase2_mschapv2(struct eap_sm * sm,struct eap_ttls_data * data,u8 * challenge,size_t challenge_len,u8 * response,size_t response_len)800 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
801 struct eap_ttls_data *data,
802 u8 *challenge,
803 size_t challenge_len,
804 u8 *response, size_t response_len)
805 {
806 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
807 *auth_challenge;
808 size_t username_len, i;
809
810 if (challenge == NULL || response == NULL ||
811 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
812 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
813 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
814 "attributes (challenge len %lu response len %lu)",
815 (unsigned long) challenge_len,
816 (unsigned long) response_len);
817 eap_ttls_state(data, FAILURE);
818 return;
819 }
820
821 if (!sm->user || !sm->user->password ||
822 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
823 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
824 "configured");
825 eap_ttls_state(data, FAILURE);
826 return;
827 }
828
829 /* MSCHAPv2 does not include optional domain name in the
830 * challenge-response calculation, so remove domain prefix
831 * (if present). */
832 username = sm->identity;
833 username_len = sm->identity_len;
834 for (i = 0; i < username_len; i++) {
835 if (username[i] == '\\') {
836 username_len -= i + 1;
837 username += i + 1;
838 break;
839 }
840 }
841
842 chal = eap_ttls_implicit_challenge(
843 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
844 if (chal == NULL) {
845 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
846 "challenge from TLS data");
847 eap_ttls_state(data, FAILURE);
848 return;
849 }
850
851 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 ||
852 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
853 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
854 os_free(chal);
855 eap_ttls_state(data, FAILURE);
856 return;
857 }
858 os_free(chal);
859
860 auth_challenge = challenge;
861 peer_challenge = response + 2;
862
863 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
864 username, username_len);
865 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
866 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
867 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
868 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
869
870 if (sm->user->password_hash) {
871 generate_nt_response_pwhash(auth_challenge, peer_challenge,
872 username, username_len,
873 sm->user->password,
874 nt_response);
875 } else {
876 generate_nt_response(auth_challenge, peer_challenge,
877 username, username_len,
878 sm->user->password,
879 sm->user->password_len,
880 nt_response);
881 }
882
883 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
884 if (os_memcmp(nt_response, rx_resp, 24) == 0) {
885 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
886 "NT-Response");
887 data->mschapv2_resp_ok = 1;
888 if (data->ttls_version > 0) {
889 const u8 *pw_hash;
890 u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16];
891 u8 session_key[2 * MSCHAPV2_KEY_LEN];
892
893 if (sm->user->password_hash)
894 pw_hash = sm->user->password;
895 else {
896 nt_password_hash(sm->user->password,
897 sm->user->password_len,
898 pw_hash_buf);
899 pw_hash = pw_hash_buf;
900 }
901 hash_nt_password_hash(pw_hash, pw_hash_hash);
902 get_master_key(pw_hash_hash, nt_response, master_key);
903 get_asymetric_start_key(master_key, session_key,
904 MSCHAPV2_KEY_LEN, 0, 0);
905 get_asymetric_start_key(master_key,
906 session_key + MSCHAPV2_KEY_LEN,
907 MSCHAPV2_KEY_LEN, 1, 0);
908 eap_ttls_ia_permute_inner_secret(sm, data,
909 session_key,
910 sizeof(session_key));
911 }
912
913 if (sm->user->password_hash) {
914 generate_authenticator_response_pwhash(
915 sm->user->password,
916 peer_challenge, auth_challenge,
917 username, username_len, nt_response,
918 data->mschapv2_auth_response);
919 } else {
920 generate_authenticator_response(
921 sm->user->password, sm->user->password_len,
922 peer_challenge, auth_challenge,
923 username, username_len, nt_response,
924 data->mschapv2_auth_response);
925 }
926 } else {
927 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
928 "NT-Response");
929 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
930 rx_resp, 24);
931 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
932 nt_response, 24);
933 data->mschapv2_resp_ok = 0;
934 }
935 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
936 data->mschapv2_ident = response[0];
937 }
938
939
eap_ttls_phase2_eap_init(struct eap_sm * sm,struct eap_ttls_data * data,EapType eap_type)940 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
941 struct eap_ttls_data *data,
942 EapType eap_type)
943 {
944 if (data->phase2_priv && data->phase2_method) {
945 data->phase2_method->reset(sm, data->phase2_priv);
946 data->phase2_method = NULL;
947 data->phase2_priv = NULL;
948 }
949 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
950 eap_type);
951 if (!data->phase2_method)
952 return -1;
953
954 sm->init_phase2 = 1;
955 data->phase2_priv = data->phase2_method->init(sm);
956 sm->init_phase2 = 0;
957 return data->phase2_priv == NULL ? -1 : 0;
958 }
959
960
eap_ttls_process_phase2_eap_response(struct eap_sm * sm,struct eap_ttls_data * data,u8 * in_data,size_t in_len)961 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
962 struct eap_ttls_data *data,
963 u8 *in_data, size_t in_len)
964 {
965 u8 next_type = EAP_TYPE_NONE;
966 struct eap_hdr *hdr;
967 u8 *pos;
968 size_t left;
969 struct wpabuf buf;
970 const struct eap_method *m = data->phase2_method;
971 void *priv = data->phase2_priv;
972
973 if (priv == NULL) {
974 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
975 "initialized?!", __func__);
976 return;
977 }
978
979 hdr = (struct eap_hdr *) in_data;
980 pos = (u8 *) (hdr + 1);
981
982 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
983 left = in_len - sizeof(*hdr);
984 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
985 "allowed types", pos + 1, left - 1);
986 eap_sm_process_nak(sm, pos + 1, left - 1);
987 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
988 sm->user->methods[sm->user_eap_method_index].method !=
989 EAP_TYPE_NONE) {
990 next_type = sm->user->methods[
991 sm->user_eap_method_index++].method;
992 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
993 next_type);
994 if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
995 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
996 "initialize EAP type %d",
997 next_type);
998 eap_ttls_state(data, FAILURE);
999 return;
1000 }
1001 } else {
1002 eap_ttls_state(data, FAILURE);
1003 }
1004 return;
1005 }
1006
1007 wpabuf_set(&buf, in_data, in_len);
1008
1009 if (m->check(sm, priv, &buf)) {
1010 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
1011 "ignore the packet");
1012 return;
1013 }
1014
1015 m->process(sm, priv, &buf);
1016
1017 if (sm->method_pending == METHOD_PENDING_WAIT) {
1018 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
1019 "pending wait state - save decrypted response");
1020 wpabuf_free(data->pending_phase2_eap_resp);
1021 data->pending_phase2_eap_resp = wpabuf_dup(&buf);
1022 }
1023
1024 if (!m->isDone(sm, priv))
1025 return;
1026
1027 if (!m->isSuccess(sm, priv)) {
1028 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
1029 eap_ttls_state(data, FAILURE);
1030 return;
1031 }
1032
1033 switch (data->state) {
1034 case PHASE2_START:
1035 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1036 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
1037 "Identity not found in the user "
1038 "database",
1039 sm->identity, sm->identity_len);
1040 eap_ttls_state(data, FAILURE);
1041 break;
1042 }
1043
1044 eap_ttls_state(data, PHASE2_METHOD);
1045 next_type = sm->user->methods[0].method;
1046 sm->user_eap_method_index = 1;
1047 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
1048 if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
1049 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
1050 "EAP type %d", next_type);
1051 eap_ttls_state(data, FAILURE);
1052 }
1053 break;
1054 case PHASE2_METHOD:
1055 if (data->ttls_version > 0) {
1056 if (m->getKey) {
1057 u8 *key;
1058 size_t key_len;
1059 key = m->getKey(sm, priv, &key_len);
1060 eap_ttls_ia_permute_inner_secret(sm, data,
1061 key, key_len);
1062 }
1063 eap_ttls_state(data, PHASE_FINISHED);
1064 } else
1065 eap_ttls_state(data, SUCCESS);
1066 break;
1067 case FAILURE:
1068 break;
1069 default:
1070 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
1071 __func__, data->state);
1072 break;
1073 }
1074 }
1075
1076
eap_ttls_process_phase2_eap(struct eap_sm * sm,struct eap_ttls_data * data,const u8 * eap,size_t eap_len)1077 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
1078 struct eap_ttls_data *data,
1079 const u8 *eap, size_t eap_len)
1080 {
1081 struct eap_hdr *hdr;
1082 size_t len;
1083
1084 if (data->state == PHASE2_START) {
1085 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
1086 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
1087 {
1088 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
1089 "initialize EAP-Identity");
1090 return;
1091 }
1092 }
1093
1094 if (eap_len < sizeof(*hdr)) {
1095 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
1096 "packet (len=%lu)", (unsigned long) eap_len);
1097 return;
1098 }
1099
1100 hdr = (struct eap_hdr *) eap;
1101 len = be_to_host16(hdr->length);
1102 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
1103 "identifier=%d length=%lu", hdr->code, hdr->identifier,
1104 (unsigned long) len);
1105 if (len > eap_len) {
1106 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
1107 " EAP frame (hdr len=%lu, data len in AVP=%lu)",
1108 (unsigned long) len, (unsigned long) eap_len);
1109 return;
1110 }
1111
1112 switch (hdr->code) {
1113 case EAP_CODE_RESPONSE:
1114 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
1115 len);
1116 break;
1117 default:
1118 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
1119 "Phase 2 EAP header", hdr->code);
1120 break;
1121 }
1122 }
1123
1124
eap_ttls_process_phase2(struct eap_sm * sm,struct eap_ttls_data * data,struct wpabuf * in_buf)1125 static void eap_ttls_process_phase2(struct eap_sm *sm,
1126 struct eap_ttls_data *data,
1127 struct wpabuf *in_buf)
1128 {
1129 u8 *in_decrypted;
1130 int len_decrypted;
1131 struct eap_ttls_avp parse;
1132 size_t buf_len;
1133 u8 *in_data;
1134 size_t in_len;
1135
1136 in_data = wpabuf_mhead(in_buf);
1137 in_len = wpabuf_len(in_buf);
1138
1139 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1140 " Phase 2", (unsigned long) in_len);
1141
1142 if (data->pending_phase2_eap_resp) {
1143 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1144 "- skip decryption and use old data");
1145 eap_ttls_process_phase2_eap(
1146 sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1147 wpabuf_len(data->pending_phase2_eap_resp));
1148 wpabuf_free(data->pending_phase2_eap_resp);
1149 data->pending_phase2_eap_resp = NULL;
1150 return;
1151 }
1152
1153 buf_len = in_len;
1154 /*
1155 * Even though we try to disable TLS compression, it is possible that
1156 * this cannot be done with all TLS libraries. Add extra buffer space
1157 * to handle the possibility of the decrypted data being longer than
1158 * input data.
1159 */
1160 buf_len += 500;
1161 buf_len *= 3;
1162 in_decrypted = os_malloc(buf_len);
1163 if (in_decrypted == NULL) {
1164 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
1165 "for decryption");
1166 return;
1167 }
1168
1169 len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1170 in_data, in_len,
1171 in_decrypted, buf_len);
1172 if (len_decrypted < 0) {
1173 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1174 "data");
1175 os_free(in_decrypted);
1176 eap_ttls_state(data, FAILURE);
1177 return;
1178 }
1179
1180 if (data->state == PHASE_FINISHED) {
1181 if (len_decrypted == 0 &&
1182 tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1183 data->ssl.conn)) {
1184 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished "
1185 "received");
1186 eap_ttls_state(data, SUCCESS);
1187 } else {
1188 wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid "
1189 "FinalPhaseFinished");
1190 eap_ttls_state(data, FAILURE);
1191 }
1192
1193 os_free(in_decrypted);
1194 return;
1195 }
1196
1197 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1198 in_decrypted, len_decrypted);
1199
1200 if (eap_ttls_avp_parse(in_decrypted, len_decrypted, &parse) < 0) {
1201 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1202 os_free(in_decrypted);
1203 eap_ttls_state(data, FAILURE);
1204 return;
1205 }
1206
1207 if (parse.user_name) {
1208 os_free(sm->identity);
1209 sm->identity = os_malloc(parse.user_name_len);
1210 if (sm->identity) {
1211 os_memcpy(sm->identity, parse.user_name,
1212 parse.user_name_len);
1213 sm->identity_len = parse.user_name_len;
1214 }
1215 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1216 != 0) {
1217 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1218 "found in the user database");
1219 eap_ttls_state(data, FAILURE);
1220 goto done;
1221 }
1222 }
1223
1224 #ifdef EAP_TNC
1225 if (data->tnc_started && parse.eap == NULL) {
1226 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1227 "response from peer");
1228 eap_ttls_state(data, FAILURE);
1229 goto done;
1230 }
1231 #endif /* EAP_TNC */
1232
1233 if (parse.eap) {
1234 eap_ttls_process_phase2_eap(sm, data, parse.eap,
1235 parse.eap_len);
1236 } else if (parse.user_password) {
1237 eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1238 parse.user_password_len);
1239 } else if (parse.chap_password) {
1240 eap_ttls_process_phase2_chap(sm, data,
1241 parse.chap_challenge,
1242 parse.chap_challenge_len,
1243 parse.chap_password,
1244 parse.chap_password_len);
1245 } else if (parse.mschap_response) {
1246 eap_ttls_process_phase2_mschap(sm, data,
1247 parse.mschap_challenge,
1248 parse.mschap_challenge_len,
1249 parse.mschap_response,
1250 parse.mschap_response_len);
1251 } else if (parse.mschap2_response) {
1252 eap_ttls_process_phase2_mschapv2(sm, data,
1253 parse.mschap_challenge,
1254 parse.mschap_challenge_len,
1255 parse.mschap2_response,
1256 parse.mschap2_response_len);
1257 }
1258
1259 done:
1260 os_free(in_decrypted);
1261 os_free(parse.eap);
1262 }
1263
1264
eap_ttls_start_tnc(struct eap_sm * sm,struct eap_ttls_data * data)1265 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1266 {
1267 #ifdef EAP_TNC
1268 if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1269 return;
1270
1271 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1272 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1273 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1274 eap_ttls_state(data, FAILURE);
1275 return;
1276 }
1277
1278 data->tnc_started = 1;
1279 eap_ttls_state(data, PHASE2_METHOD);
1280 #endif /* EAP_TNC */
1281 }
1282
1283
eap_ttls_process_version(struct eap_sm * sm,void * priv,int peer_version)1284 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1285 int peer_version)
1286 {
1287 struct eap_ttls_data *data = priv;
1288 if (peer_version < data->ttls_version) {
1289 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1290 "use version %d",
1291 peer_version, data->ttls_version, peer_version);
1292 data->ttls_version = peer_version;
1293 }
1294
1295 if (data->ttls_version > 0 && !data->tls_ia_configured) {
1296 if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) {
1297 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable "
1298 "TLS/IA");
1299 return -1;
1300 }
1301 data->tls_ia_configured = 1;
1302 }
1303
1304 return 0;
1305 }
1306
1307
eap_ttls_process_msg(struct eap_sm * sm,void * priv,const struct wpabuf * respData)1308 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1309 const struct wpabuf *respData)
1310 {
1311 struct eap_ttls_data *data = priv;
1312
1313 switch (data->state) {
1314 case PHASE1:
1315 if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1316 eap_ttls_state(data, FAILURE);
1317 break;
1318 case PHASE2_START:
1319 case PHASE2_METHOD:
1320 case PHASE_FINISHED:
1321 eap_ttls_process_phase2(sm, data, data->ssl.in_buf);
1322 eap_ttls_start_tnc(sm, data);
1323 break;
1324 case PHASE2_MSCHAPV2_RESP:
1325 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.in_buf) ==
1326 0) {
1327 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1328 "acknowledged response");
1329 eap_ttls_state(data, data->ttls_version > 0 ?
1330 PHASE_FINISHED : SUCCESS);
1331 } else if (!data->mschapv2_resp_ok) {
1332 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1333 "acknowledged error");
1334 eap_ttls_state(data, FAILURE);
1335 } else {
1336 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1337 "frame from peer (payload len %lu, "
1338 "expected empty frame)",
1339 (unsigned long)
1340 wpabuf_len(data->ssl.in_buf));
1341 eap_ttls_state(data, FAILURE);
1342 }
1343 eap_ttls_start_tnc(sm, data);
1344 break;
1345 default:
1346 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1347 data->state, __func__);
1348 break;
1349 }
1350 }
1351
1352
eap_ttls_process(struct eap_sm * sm,void * priv,struct wpabuf * respData)1353 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1354 struct wpabuf *respData)
1355 {
1356 struct eap_ttls_data *data = priv;
1357 if (eap_server_tls_process(sm, &data->ssl, respData, data,
1358 EAP_TYPE_TTLS, eap_ttls_process_version,
1359 eap_ttls_process_msg) < 0)
1360 eap_ttls_state(data, FAILURE);
1361 }
1362
1363
eap_ttls_isDone(struct eap_sm * sm,void * priv)1364 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1365 {
1366 struct eap_ttls_data *data = priv;
1367 return data->state == SUCCESS || data->state == FAILURE;
1368 }
1369
1370
eap_ttls_v1_derive_key(struct eap_sm * sm,struct eap_ttls_data * data)1371 static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm,
1372 struct eap_ttls_data *data)
1373 {
1374 struct tls_keys keys;
1375 u8 *rnd, *key;
1376
1377 os_memset(&keys, 0, sizeof(keys));
1378 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
1379 keys.client_random == NULL || keys.server_random == NULL ||
1380 keys.inner_secret == NULL) {
1381 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
1382 "client random, or server random to derive keying "
1383 "material");
1384 return NULL;
1385 }
1386
1387 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
1388 key = os_malloc(EAP_TLS_KEY_LEN);
1389 if (rnd == NULL || key == NULL) {
1390 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
1391 os_free(rnd);
1392 os_free(key);
1393 return NULL;
1394 }
1395 os_memcpy(rnd, keys.client_random, keys.client_random_len);
1396 os_memcpy(rnd + keys.client_random_len, keys.server_random,
1397 keys.server_random_len);
1398
1399 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
1400 "ttls v1 keying material", rnd, keys.client_random_len +
1401 keys.server_random_len, key, EAP_TLS_KEY_LEN)) {
1402 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1403 os_free(rnd);
1404 os_free(key);
1405 return NULL;
1406 }
1407
1408 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
1409 rnd, keys.client_random_len + keys.server_random_len);
1410 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
1411 keys.inner_secret, keys.inner_secret_len);
1412
1413 os_free(rnd);
1414
1415 return key;
1416 }
1417
1418
eap_ttls_getKey(struct eap_sm * sm,void * priv,size_t * len)1419 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1420 {
1421 struct eap_ttls_data *data = priv;
1422 u8 *eapKeyData;
1423
1424 if (data->state != SUCCESS)
1425 return NULL;
1426
1427 if (data->ttls_version == 0) {
1428 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1429 "ttls keying material",
1430 EAP_TLS_KEY_LEN);
1431 } else {
1432 eapKeyData = eap_ttls_v1_derive_key(sm, data);
1433 }
1434
1435 if (eapKeyData) {
1436 *len = EAP_TLS_KEY_LEN;
1437 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1438 eapKeyData, EAP_TLS_KEY_LEN);
1439 } else {
1440 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1441 }
1442
1443 return eapKeyData;
1444 }
1445
1446
eap_ttls_isSuccess(struct eap_sm * sm,void * priv)1447 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1448 {
1449 struct eap_ttls_data *data = priv;
1450 return data->state == SUCCESS;
1451 }
1452
1453
eap_server_ttls_register(void)1454 int eap_server_ttls_register(void)
1455 {
1456 struct eap_method *eap;
1457 int ret;
1458
1459 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1460 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1461 if (eap == NULL)
1462 return -1;
1463
1464 eap->init = eap_ttls_init;
1465 eap->reset = eap_ttls_reset;
1466 eap->buildReq = eap_ttls_buildReq;
1467 eap->check = eap_ttls_check;
1468 eap->process = eap_ttls_process;
1469 eap->isDone = eap_ttls_isDone;
1470 eap->getKey = eap_ttls_getKey;
1471 eap->isSuccess = eap_ttls_isSuccess;
1472
1473 ret = eap_server_method_register(eap);
1474 if (ret)
1475 eap_server_method_free(eap);
1476 return ret;
1477 }
1478