1 /*
2 * EAP peer method: EAP-TTLS (RFC 5281)
3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/ms_funcs.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "eap_common/chap.h"
16 #include "eap_common/eap_ttls.h"
17 #include "mschapv2.h"
18 #include "eap_i.h"
19 #include "eap_tls_common.h"
20 #include "eap_config.h"
21
22
23 #define EAP_TTLS_VERSION 0
24
25
26 static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
27
28
29 struct eap_ttls_data {
30 struct eap_ssl_data ssl;
31
32 int ttls_version;
33
34 const struct eap_method *phase2_method;
35 void *phase2_priv;
36 int phase2_success;
37 int phase2_start;
38
39 enum phase2_types {
40 EAP_TTLS_PHASE2_EAP,
41 EAP_TTLS_PHASE2_MSCHAPV2,
42 EAP_TTLS_PHASE2_MSCHAP,
43 EAP_TTLS_PHASE2_PAP,
44 EAP_TTLS_PHASE2_CHAP
45 } phase2_type;
46 struct eap_method_type phase2_eap_type;
47 struct eap_method_type *phase2_eap_types;
48 size_t num_phase2_eap_types;
49
50 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN];
51 int auth_response_valid;
52 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */
53 u8 ident;
54 int resuming; /* starting a resumed session */
55 int reauth; /* reauthentication */
56 u8 *key_data;
57 u8 *session_id;
58 size_t id_len;
59
60 struct wpabuf *pending_phase2_req;
61
62 #ifdef EAP_TNC
63 int ready_for_tnc;
64 int tnc_started;
65 #endif /* EAP_TNC */
66 };
67
68
eap_ttls_init(struct eap_sm * sm)69 static void * eap_ttls_init(struct eap_sm *sm)
70 {
71 struct eap_ttls_data *data;
72 struct eap_peer_config *config = eap_get_config(sm);
73 char *selected;
74
75 data = os_zalloc(sizeof(*data));
76 if (data == NULL)
77 return NULL;
78 data->ttls_version = EAP_TTLS_VERSION;
79 selected = "EAP";
80 data->phase2_type = EAP_TTLS_PHASE2_EAP;
81
82 if (config && config->phase2) {
83 if (os_strstr(config->phase2, "autheap=")) {
84 selected = "EAP";
85 data->phase2_type = EAP_TTLS_PHASE2_EAP;
86 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) {
87 selected = "MSCHAPV2";
88 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
89 } else if (os_strstr(config->phase2, "auth=MSCHAP")) {
90 selected = "MSCHAP";
91 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
92 } else if (os_strstr(config->phase2, "auth=PAP")) {
93 selected = "PAP";
94 data->phase2_type = EAP_TTLS_PHASE2_PAP;
95 } else if (os_strstr(config->phase2, "auth=CHAP")) {
96 selected = "CHAP";
97 data->phase2_type = EAP_TTLS_PHASE2_CHAP;
98 }
99 }
100 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
101
102 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
103 if (eap_peer_select_phase2_methods(config, "autheap=",
104 &data->phase2_eap_types,
105 &data->num_phase2_eap_types)
106 < 0) {
107 eap_ttls_deinit(sm, data);
108 return NULL;
109 }
110
111 data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
112 data->phase2_eap_type.method = EAP_TYPE_NONE;
113 }
114
115 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) {
116 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
117 eap_ttls_deinit(sm, data);
118 return NULL;
119 }
120
121 return data;
122 }
123
124
eap_ttls_phase2_eap_deinit(struct eap_sm * sm,struct eap_ttls_data * data)125 static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm,
126 struct eap_ttls_data *data)
127 {
128 if (data->phase2_priv && data->phase2_method) {
129 data->phase2_method->deinit(sm, data->phase2_priv);
130 data->phase2_method = NULL;
131 data->phase2_priv = NULL;
132 }
133 }
134
135
eap_ttls_free_key(struct eap_ttls_data * data)136 static void eap_ttls_free_key(struct eap_ttls_data *data)
137 {
138 if (data->key_data) {
139 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
140 data->key_data = NULL;
141 }
142 }
143
144
eap_ttls_deinit(struct eap_sm * sm,void * priv)145 static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
146 {
147 struct eap_ttls_data *data = priv;
148 if (data == NULL)
149 return;
150 eap_ttls_phase2_eap_deinit(sm, data);
151 os_free(data->phase2_eap_types);
152 eap_peer_tls_ssl_deinit(sm, &data->ssl);
153 eap_ttls_free_key(data);
154 os_free(data->session_id);
155 wpabuf_free(data->pending_phase2_req);
156 os_free(data);
157 }
158
159
eap_ttls_avp_hdr(u8 * avphdr,u32 avp_code,u32 vendor_id,int mandatory,size_t len)160 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
161 int mandatory, size_t len)
162 {
163 struct ttls_avp_vendor *avp;
164 u8 flags;
165 size_t hdrlen;
166
167 avp = (struct ttls_avp_vendor *) avphdr;
168 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
169 if (vendor_id) {
170 flags |= AVP_FLAGS_VENDOR;
171 hdrlen = sizeof(*avp);
172 avp->vendor_id = host_to_be32(vendor_id);
173 } else {
174 hdrlen = sizeof(struct ttls_avp);
175 }
176
177 avp->avp_code = host_to_be32(avp_code);
178 avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len));
179
180 return avphdr + hdrlen;
181 }
182
183
eap_ttls_avp_add(u8 * start,u8 * avphdr,u32 avp_code,u32 vendor_id,int mandatory,const u8 * data,size_t len)184 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
185 u32 vendor_id, int mandatory,
186 const u8 *data, size_t len)
187 {
188 u8 *pos;
189 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
190 os_memcpy(pos, data, len);
191 pos += len;
192 AVP_PAD(start, pos);
193 return pos;
194 }
195
196
eap_ttls_avp_encapsulate(struct wpabuf ** resp,u32 avp_code,int mandatory)197 static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code,
198 int mandatory)
199 {
200 struct wpabuf *msg;
201 u8 *avp, *pos;
202
203 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4);
204 if (msg == NULL) {
205 wpabuf_free(*resp);
206 *resp = NULL;
207 return -1;
208 }
209
210 avp = wpabuf_mhead(msg);
211 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp));
212 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp));
213 pos += wpabuf_len(*resp);
214 AVP_PAD(avp, pos);
215 wpabuf_free(*resp);
216 wpabuf_put(msg, pos - avp);
217 *resp = msg;
218 return 0;
219 }
220
221
eap_ttls_v0_derive_key(struct eap_sm * sm,struct eap_ttls_data * data)222 static int eap_ttls_v0_derive_key(struct eap_sm *sm,
223 struct eap_ttls_data *data)
224 {
225 eap_ttls_free_key(data);
226 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
227 "ttls keying material",
228 EAP_TLS_KEY_LEN +
229 EAP_EMSK_LEN);
230 if (!data->key_data) {
231 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
232 return -1;
233 }
234
235 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
236 data->key_data, EAP_TLS_KEY_LEN);
237 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
238 data->key_data + EAP_TLS_KEY_LEN,
239 EAP_EMSK_LEN);
240
241 os_free(data->session_id);
242 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
243 EAP_TYPE_TTLS,
244 &data->id_len);
245 if (data->session_id) {
246 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id",
247 data->session_id, data->id_len);
248 } else {
249 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id");
250 }
251
252 return 0;
253 }
254
255
eap_ttls_implicit_challenge(struct eap_sm * sm,struct eap_ttls_data * data,size_t len)256 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
257 struct eap_ttls_data *data, size_t len)
258 {
259 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
260 }
261
262
eap_ttls_phase2_select_eap_method(struct eap_ttls_data * data,u8 method)263 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
264 u8 method)
265 {
266 size_t i;
267 for (i = 0; i < data->num_phase2_eap_types; i++) {
268 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF ||
269 data->phase2_eap_types[i].method != method)
270 continue;
271
272 data->phase2_eap_type.vendor =
273 data->phase2_eap_types[i].vendor;
274 data->phase2_eap_type.method =
275 data->phase2_eap_types[i].method;
276 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
277 "Phase 2 EAP vendor %d method %d",
278 data->phase2_eap_type.vendor,
279 data->phase2_eap_type.method);
280 break;
281 }
282 }
283
284
eap_ttls_phase2_eap_process(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct eap_hdr * hdr,size_t len,struct wpabuf ** resp)285 static int eap_ttls_phase2_eap_process(struct eap_sm *sm,
286 struct eap_ttls_data *data,
287 struct eap_method_ret *ret,
288 struct eap_hdr *hdr, size_t len,
289 struct wpabuf **resp)
290 {
291 struct wpabuf msg;
292 struct eap_method_ret iret;
293
294 os_memset(&iret, 0, sizeof(iret));
295 wpabuf_set(&msg, hdr, len);
296 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret,
297 &msg);
298 if ((iret.methodState == METHOD_DONE ||
299 iret.methodState == METHOD_MAY_CONT) &&
300 (iret.decision == DECISION_UNCOND_SUCC ||
301 iret.decision == DECISION_COND_SUCC ||
302 iret.decision == DECISION_FAIL)) {
303 ret->methodState = iret.methodState;
304 ret->decision = iret.decision;
305 }
306
307 return 0;
308 }
309
310
eap_ttls_phase2_request_eap_method(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct eap_hdr * hdr,size_t len,u8 method,struct wpabuf ** resp)311 static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm,
312 struct eap_ttls_data *data,
313 struct eap_method_ret *ret,
314 struct eap_hdr *hdr, size_t len,
315 u8 method, struct wpabuf **resp)
316 {
317 #ifdef EAP_TNC
318 if (data->tnc_started && data->phase2_method &&
319 data->phase2_priv && method == EAP_TYPE_TNC &&
320 data->phase2_eap_type.method == EAP_TYPE_TNC)
321 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len,
322 resp);
323
324 if (data->ready_for_tnc && !data->tnc_started &&
325 method == EAP_TYPE_TNC) {
326 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
327 "EAP method");
328 data->tnc_started = 1;
329 }
330
331 if (data->tnc_started) {
332 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF ||
333 data->phase2_eap_type.method == EAP_TYPE_TNC) {
334 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP "
335 "type %d for TNC", method);
336 return -1;
337 }
338
339 data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
340 data->phase2_eap_type.method = method;
341 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
342 "Phase 2 EAP vendor %d method %d (TNC)",
343 data->phase2_eap_type.vendor,
344 data->phase2_eap_type.method);
345
346 if (data->phase2_type == EAP_TTLS_PHASE2_EAP)
347 eap_ttls_phase2_eap_deinit(sm, data);
348 }
349 #endif /* EAP_TNC */
350
351 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
352 data->phase2_eap_type.method == EAP_TYPE_NONE)
353 eap_ttls_phase2_select_eap_method(data, method);
354
355 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE)
356 {
357 if (eap_peer_tls_phase2_nak(data->phase2_eap_types,
358 data->num_phase2_eap_types,
359 hdr, resp))
360 return -1;
361 return 0;
362 }
363
364 if (data->phase2_priv == NULL) {
365 data->phase2_method = eap_peer_get_eap_method(
366 EAP_VENDOR_IETF, method);
367 if (data->phase2_method) {
368 sm->init_phase2 = 1;
369 data->phase2_priv = data->phase2_method->init(sm);
370 sm->init_phase2 = 0;
371 }
372 }
373 if (data->phase2_priv == NULL || data->phase2_method == NULL) {
374 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize "
375 "Phase 2 EAP method %d", method);
376 return -1;
377 }
378
379 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp);
380 }
381
382
eap_ttls_phase2_request_eap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct eap_hdr * hdr,struct wpabuf ** resp)383 static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
384 struct eap_ttls_data *data,
385 struct eap_method_ret *ret,
386 struct eap_hdr *hdr,
387 struct wpabuf **resp)
388 {
389 size_t len = be_to_host16(hdr->length);
390 u8 *pos;
391 struct eap_peer_config *config = eap_get_config(sm);
392
393 if (len <= sizeof(struct eap_hdr)) {
394 wpa_printf(MSG_INFO, "EAP-TTLS: too short "
395 "Phase 2 request (len=%lu)", (unsigned long) len);
396 return -1;
397 }
398 pos = (u8 *) (hdr + 1);
399 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
400 switch (*pos) {
401 case EAP_TYPE_IDENTITY:
402 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
403 break;
404 default:
405 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
406 *pos, resp) < 0)
407 return -1;
408 break;
409 }
410
411 if (*resp == NULL &&
412 (config->pending_req_identity || config->pending_req_password ||
413 config->pending_req_otp)) {
414 return 0;
415 }
416
417 if (*resp == NULL)
418 return -1;
419
420 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
421 *resp);
422 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1);
423 }
424
425
eap_ttls_phase2_request_mschapv2(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct wpabuf ** resp)426 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
427 struct eap_ttls_data *data,
428 struct eap_method_ret *ret,
429 struct wpabuf **resp)
430 {
431 #ifdef EAP_MSCHAPv2
432 struct wpabuf *msg;
433 u8 *buf, *pos, *challenge, *peer_challenge;
434 const u8 *identity, *password;
435 size_t identity_len, password_len;
436 int pwhash;
437
438 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
439
440 identity = eap_get_config_identity(sm, &identity_len);
441 password = eap_get_config_password2(sm, &password_len, &pwhash);
442 if (identity == NULL || password == NULL)
443 return -1;
444
445 msg = wpabuf_alloc(identity_len + 1000);
446 if (msg == NULL) {
447 wpa_printf(MSG_ERROR,
448 "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
449 return -1;
450 }
451 pos = buf = wpabuf_mhead(msg);
452
453 /* User-Name */
454 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
455 identity, identity_len);
456
457 /* MS-CHAP-Challenge */
458 challenge = eap_ttls_implicit_challenge(
459 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
460 if (challenge == NULL) {
461 wpabuf_free(msg);
462 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
463 "implicit challenge");
464 return -1;
465 }
466
467 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
468 RADIUS_VENDOR_ID_MICROSOFT, 1,
469 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
470
471 /* MS-CHAP2-Response */
472 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
473 RADIUS_VENDOR_ID_MICROSOFT, 1,
474 EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
475 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
476 *pos++ = data->ident;
477 *pos++ = 0; /* Flags */
478 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) {
479 os_free(challenge);
480 wpabuf_free(msg);
481 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get "
482 "random data for peer challenge");
483 return -1;
484 }
485 peer_challenge = pos;
486 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
487 os_memset(pos, 0, 8); /* Reserved, must be zero */
488 pos += 8;
489 if (mschapv2_derive_response(identity, identity_len, password,
490 password_len, pwhash, challenge,
491 peer_challenge, pos, data->auth_response,
492 data->master_key)) {
493 os_free(challenge);
494 wpabuf_free(msg);
495 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
496 "response");
497 return -1;
498 }
499 data->auth_response_valid = 1;
500
501 pos += 24;
502 os_free(challenge);
503 AVP_PAD(buf, pos);
504
505 wpabuf_put(msg, pos - buf);
506 *resp = msg;
507
508 return 0;
509 #else /* EAP_MSCHAPv2 */
510 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
511 return -1;
512 #endif /* EAP_MSCHAPv2 */
513 }
514
515
eap_ttls_phase2_request_mschap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct wpabuf ** resp)516 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
517 struct eap_ttls_data *data,
518 struct eap_method_ret *ret,
519 struct wpabuf **resp)
520 {
521 struct wpabuf *msg;
522 u8 *buf, *pos, *challenge;
523 const u8 *identity, *password;
524 size_t identity_len, password_len;
525 int pwhash;
526
527 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
528
529 identity = eap_get_config_identity(sm, &identity_len);
530 password = eap_get_config_password2(sm, &password_len, &pwhash);
531 if (identity == NULL || password == NULL)
532 return -1;
533
534 msg = wpabuf_alloc(identity_len + 1000);
535 if (msg == NULL) {
536 wpa_printf(MSG_ERROR,
537 "EAP-TTLS/MSCHAP: Failed to allocate memory");
538 return -1;
539 }
540 pos = buf = wpabuf_mhead(msg);
541
542 /* User-Name */
543 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
544 identity, identity_len);
545
546 /* MS-CHAP-Challenge */
547 challenge = eap_ttls_implicit_challenge(
548 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
549 if (challenge == NULL) {
550 wpabuf_free(msg);
551 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
552 "implicit challenge");
553 return -1;
554 }
555
556 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
557 RADIUS_VENDOR_ID_MICROSOFT, 1,
558 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
559
560 /* MS-CHAP-Response */
561 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
562 RADIUS_VENDOR_ID_MICROSOFT, 1,
563 EAP_TTLS_MSCHAP_RESPONSE_LEN);
564 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
565 *pos++ = data->ident;
566 *pos++ = 1; /* Flags: Use NT style passwords */
567 os_memset(pos, 0, 24); /* LM-Response */
568 pos += 24;
569 if (pwhash) {
570 challenge_response(challenge, password, pos); /* NT-Response */
571 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash",
572 password, 16);
573 } else {
574 nt_challenge_response(challenge, password, password_len,
575 pos); /* NT-Response */
576 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
577 password, password_len);
578 }
579 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
580 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
581 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
582 pos += 24;
583 os_free(challenge);
584 AVP_PAD(buf, pos);
585
586 wpabuf_put(msg, pos - buf);
587 *resp = msg;
588
589 /* EAP-TTLS/MSCHAP does not provide tunneled success
590 * notification, so assume that Phase2 succeeds. */
591 ret->methodState = METHOD_DONE;
592 ret->decision = DECISION_COND_SUCC;
593
594 return 0;
595 }
596
597
eap_ttls_phase2_request_pap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct wpabuf ** resp)598 static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
599 struct eap_ttls_data *data,
600 struct eap_method_ret *ret,
601 struct wpabuf **resp)
602 {
603 struct wpabuf *msg;
604 u8 *buf, *pos;
605 size_t pad;
606 const u8 *identity, *password;
607 size_t identity_len, password_len;
608
609 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
610
611 identity = eap_get_config_identity(sm, &identity_len);
612 password = eap_get_config_password(sm, &password_len);
613 if (identity == NULL || password == NULL)
614 return -1;
615
616 msg = wpabuf_alloc(identity_len + password_len + 100);
617 if (msg == NULL) {
618 wpa_printf(MSG_ERROR,
619 "EAP-TTLS/PAP: Failed to allocate memory");
620 return -1;
621 }
622 pos = buf = wpabuf_mhead(msg);
623
624 /* User-Name */
625 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
626 identity, identity_len);
627
628 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
629 * the data, so no separate encryption is used in the AVP itself.
630 * However, the password is padded to obfuscate its length. */
631 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15;
632 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
633 password_len + pad);
634 os_memcpy(pos, password, password_len);
635 pos += password_len;
636 os_memset(pos, 0, pad);
637 pos += pad;
638 AVP_PAD(buf, pos);
639
640 wpabuf_put(msg, pos - buf);
641 *resp = msg;
642
643 /* EAP-TTLS/PAP does not provide tunneled success notification,
644 * so assume that Phase2 succeeds. */
645 ret->methodState = METHOD_DONE;
646 ret->decision = DECISION_COND_SUCC;
647
648 return 0;
649 }
650
651
eap_ttls_phase2_request_chap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct wpabuf ** resp)652 static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
653 struct eap_ttls_data *data,
654 struct eap_method_ret *ret,
655 struct wpabuf **resp)
656 {
657 struct wpabuf *msg;
658 u8 *buf, *pos, *challenge;
659 const u8 *identity, *password;
660 size_t identity_len, password_len;
661
662 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
663
664 identity = eap_get_config_identity(sm, &identity_len);
665 password = eap_get_config_password(sm, &password_len);
666 if (identity == NULL || password == NULL)
667 return -1;
668
669 msg = wpabuf_alloc(identity_len + 1000);
670 if (msg == NULL) {
671 wpa_printf(MSG_ERROR,
672 "EAP-TTLS/CHAP: Failed to allocate memory");
673 return -1;
674 }
675 pos = buf = wpabuf_mhead(msg);
676
677 /* User-Name */
678 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
679 identity, identity_len);
680
681 /* CHAP-Challenge */
682 challenge = eap_ttls_implicit_challenge(
683 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
684 if (challenge == NULL) {
685 wpabuf_free(msg);
686 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
687 "implicit challenge");
688 return -1;
689 }
690
691 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
692 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
693
694 /* CHAP-Password */
695 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
696 1 + EAP_TTLS_CHAP_PASSWORD_LEN);
697 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
698 *pos++ = data->ident;
699
700 /* MD5(Ident + Password + Challenge) */
701 chap_md5(data->ident, password, password_len, challenge,
702 EAP_TTLS_CHAP_CHALLENGE_LEN, pos);
703
704 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
705 identity, identity_len);
706 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
707 password, password_len);
708 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
709 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
710 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
711 pos, EAP_TTLS_CHAP_PASSWORD_LEN);
712 pos += EAP_TTLS_CHAP_PASSWORD_LEN;
713 os_free(challenge);
714 AVP_PAD(buf, pos);
715
716 wpabuf_put(msg, pos - buf);
717 *resp = msg;
718
719 /* EAP-TTLS/CHAP does not provide tunneled success
720 * notification, so assume that Phase2 succeeds. */
721 ret->methodState = METHOD_DONE;
722 ret->decision = DECISION_COND_SUCC;
723
724 return 0;
725 }
726
727
eap_ttls_phase2_request(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct eap_hdr * hdr,struct wpabuf ** resp)728 static int eap_ttls_phase2_request(struct eap_sm *sm,
729 struct eap_ttls_data *data,
730 struct eap_method_ret *ret,
731 struct eap_hdr *hdr,
732 struct wpabuf **resp)
733 {
734 int res = 0;
735 size_t len;
736 enum phase2_types phase2_type = data->phase2_type;
737
738 #ifdef EAP_TNC
739 if (data->tnc_started) {
740 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC");
741 phase2_type = EAP_TTLS_PHASE2_EAP;
742 }
743 #endif /* EAP_TNC */
744
745 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
746 phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
747 phase2_type == EAP_TTLS_PHASE2_PAP ||
748 phase2_type == EAP_TTLS_PHASE2_CHAP) {
749 if (eap_get_config_identity(sm, &len) == NULL) {
750 wpa_printf(MSG_INFO,
751 "EAP-TTLS: Identity not configured");
752 eap_sm_request_identity(sm);
753 if (eap_get_config_password(sm, &len) == NULL)
754 eap_sm_request_password(sm);
755 return 0;
756 }
757
758 if (eap_get_config_password(sm, &len) == NULL) {
759 wpa_printf(MSG_INFO,
760 "EAP-TTLS: Password not configured");
761 eap_sm_request_password(sm);
762 return 0;
763 }
764 }
765
766 switch (phase2_type) {
767 case EAP_TTLS_PHASE2_EAP:
768 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp);
769 break;
770 case EAP_TTLS_PHASE2_MSCHAPV2:
771 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp);
772 break;
773 case EAP_TTLS_PHASE2_MSCHAP:
774 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp);
775 break;
776 case EAP_TTLS_PHASE2_PAP:
777 res = eap_ttls_phase2_request_pap(sm, data, ret, resp);
778 break;
779 case EAP_TTLS_PHASE2_CHAP:
780 res = eap_ttls_phase2_request_chap(sm, data, ret, resp);
781 break;
782 default:
783 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
784 res = -1;
785 break;
786 }
787
788 if (res < 0) {
789 ret->methodState = METHOD_DONE;
790 ret->decision = DECISION_FAIL;
791 }
792
793 return res;
794 }
795
796
797 struct ttls_parse_avp {
798 u8 *mschapv2;
799 u8 *eapdata;
800 size_t eap_len;
801 int mschapv2_error;
802 };
803
804
eap_ttls_parse_attr_eap(const u8 * dpos,size_t dlen,struct ttls_parse_avp * parse)805 static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen,
806 struct ttls_parse_avp *parse)
807 {
808 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
809 if (parse->eapdata == NULL) {
810 parse->eapdata = os_malloc(dlen);
811 if (parse->eapdata == NULL) {
812 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
813 "memory for Phase 2 EAP data");
814 return -1;
815 }
816 os_memcpy(parse->eapdata, dpos, dlen);
817 parse->eap_len = dlen;
818 } else {
819 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen);
820 if (neweap == NULL) {
821 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
822 "memory for Phase 2 EAP data");
823 return -1;
824 }
825 os_memcpy(neweap + parse->eap_len, dpos, dlen);
826 parse->eapdata = neweap;
827 parse->eap_len += dlen;
828 }
829
830 return 0;
831 }
832
833
eap_ttls_parse_avp(u8 * pos,size_t left,struct ttls_parse_avp * parse)834 static int eap_ttls_parse_avp(u8 *pos, size_t left,
835 struct ttls_parse_avp *parse)
836 {
837 struct ttls_avp *avp;
838 u32 avp_code, avp_length, vendor_id = 0;
839 u8 avp_flags, *dpos;
840 size_t dlen;
841
842 avp = (struct ttls_avp *) pos;
843 avp_code = be_to_host32(avp->avp_code);
844 avp_length = be_to_host32(avp->avp_length);
845 avp_flags = (avp_length >> 24) & 0xff;
846 avp_length &= 0xffffff;
847 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
848 "length=%d", (int) avp_code, avp_flags,
849 (int) avp_length);
850
851 if (avp_length > left) {
852 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
853 "(len=%d, left=%lu) - dropped",
854 (int) avp_length, (unsigned long) left);
855 return -1;
856 }
857
858 if (avp_length < sizeof(*avp)) {
859 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d",
860 avp_length);
861 return -1;
862 }
863
864 dpos = (u8 *) (avp + 1);
865 dlen = avp_length - sizeof(*avp);
866 if (avp_flags & AVP_FLAGS_VENDOR) {
867 if (dlen < 4) {
868 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP "
869 "underflow");
870 return -1;
871 }
872 vendor_id = WPA_GET_BE32(dpos);
873 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
874 (int) vendor_id);
875 dpos += 4;
876 dlen -= 4;
877 }
878
879 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
880
881 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
882 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0)
883 return -1;
884 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
885 /* This is an optional message that can be displayed to
886 * the user. */
887 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message",
888 dpos, dlen);
889 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
890 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
891 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success",
892 dpos, dlen);
893 if (dlen != 43) {
894 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
895 "MS-CHAP2-Success length "
896 "(len=%lu, expected 43)",
897 (unsigned long) dlen);
898 return -1;
899 }
900 parse->mschapv2 = dpos;
901 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
902 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
903 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error",
904 dpos, dlen);
905 parse->mschapv2_error = 1;
906 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
907 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP "
908 "code %d vendor_id %d - dropped",
909 (int) avp_code, (int) vendor_id);
910 return -1;
911 } else {
912 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP "
913 "code %d vendor_id %d",
914 (int) avp_code, (int) vendor_id);
915 }
916
917 return avp_length;
918 }
919
920
eap_ttls_parse_avps(struct wpabuf * in_decrypted,struct ttls_parse_avp * parse)921 static int eap_ttls_parse_avps(struct wpabuf *in_decrypted,
922 struct ttls_parse_avp *parse)
923 {
924 u8 *pos;
925 size_t left, pad;
926 int avp_length;
927
928 pos = wpabuf_mhead(in_decrypted);
929 left = wpabuf_len(in_decrypted);
930 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left);
931 if (left < sizeof(struct ttls_avp)) {
932 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
933 " len=%lu expected %lu or more - dropped",
934 (unsigned long) left,
935 (unsigned long) sizeof(struct ttls_avp));
936 return -1;
937 }
938
939 /* Parse AVPs */
940 os_memset(parse, 0, sizeof(*parse));
941
942 while (left > 0) {
943 avp_length = eap_ttls_parse_avp(pos, left, parse);
944 if (avp_length < 0)
945 return -1;
946
947 pad = (4 - (avp_length & 3)) & 3;
948 pos += avp_length + pad;
949 if (left < avp_length + pad)
950 left = 0;
951 else
952 left -= avp_length + pad;
953 }
954
955 return 0;
956 }
957
958
eap_ttls_fake_identity_request(void)959 static u8 * eap_ttls_fake_identity_request(void)
960 {
961 struct eap_hdr *hdr;
962 u8 *buf;
963
964 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
965 "Phase 2 - use fake EAP-Request Identity");
966 buf = os_malloc(sizeof(*hdr) + 1);
967 if (buf == NULL) {
968 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
969 "memory for fake EAP-Identity Request");
970 return NULL;
971 }
972
973 hdr = (struct eap_hdr *) buf;
974 hdr->code = EAP_CODE_REQUEST;
975 hdr->identifier = 0;
976 hdr->length = host_to_be16(sizeof(*hdr) + 1);
977 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
978
979 return buf;
980 }
981
982
eap_ttls_encrypt_response(struct eap_sm * sm,struct eap_ttls_data * data,struct wpabuf * resp,u8 identifier,struct wpabuf ** out_data)983 static int eap_ttls_encrypt_response(struct eap_sm *sm,
984 struct eap_ttls_data *data,
985 struct wpabuf *resp, u8 identifier,
986 struct wpabuf **out_data)
987 {
988 if (resp == NULL)
989 return 0;
990
991 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
992 resp);
993 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
994 data->ttls_version, identifier,
995 resp, out_data)) {
996 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 "
997 "frame");
998 wpabuf_free(resp);
999 return -1;
1000 }
1001 wpabuf_free(resp);
1002
1003 return 0;
1004 }
1005
1006
eap_ttls_process_phase2_eap(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct ttls_parse_avp * parse,struct wpabuf ** resp)1007 static int eap_ttls_process_phase2_eap(struct eap_sm *sm,
1008 struct eap_ttls_data *data,
1009 struct eap_method_ret *ret,
1010 struct ttls_parse_avp *parse,
1011 struct wpabuf **resp)
1012 {
1013 struct eap_hdr *hdr;
1014 size_t len;
1015
1016 if (parse->eapdata == NULL) {
1017 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the "
1018 "packet - dropped");
1019 return -1;
1020 }
1021
1022 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1023 parse->eapdata, parse->eap_len);
1024 hdr = (struct eap_hdr *) parse->eapdata;
1025
1026 if (parse->eap_len < sizeof(*hdr)) {
1027 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP "
1028 "frame (len=%lu, expected %lu or more) - dropped",
1029 (unsigned long) parse->eap_len,
1030 (unsigned long) sizeof(*hdr));
1031 return -1;
1032 }
1033 len = be_to_host16(hdr->length);
1034 if (len > parse->eap_len) {
1035 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 "
1036 "EAP frame (EAP hdr len=%lu, EAP data len in "
1037 "AVP=%lu)",
1038 (unsigned long) len,
1039 (unsigned long) parse->eap_len);
1040 return -1;
1041 }
1042 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1043 "identifier=%d length=%lu",
1044 hdr->code, hdr->identifier, (unsigned long) len);
1045 switch (hdr->code) {
1046 case EAP_CODE_REQUEST:
1047 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) {
1048 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1049 "processing failed");
1050 return -1;
1051 }
1052 break;
1053 default:
1054 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1055 "Phase 2 EAP header", hdr->code);
1056 return -1;
1057 }
1058
1059 return 0;
1060 }
1061
1062
eap_ttls_process_phase2_mschapv2(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct ttls_parse_avp * parse)1063 static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
1064 struct eap_ttls_data *data,
1065 struct eap_method_ret *ret,
1066 struct ttls_parse_avp *parse)
1067 {
1068 #ifdef EAP_MSCHAPv2
1069 if (parse->mschapv2_error) {
1070 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1071 "MS-CHAP-Error - failed");
1072 ret->methodState = METHOD_DONE;
1073 ret->decision = DECISION_FAIL;
1074 /* Reply with empty data to ACK error */
1075 return 1;
1076 }
1077
1078 if (parse->mschapv2 == NULL) {
1079 #ifdef EAP_TNC
1080 if (data->phase2_success && parse->eapdata) {
1081 /*
1082 * Allow EAP-TNC to be started after successfully
1083 * completed MSCHAPV2.
1084 */
1085 return 1;
1086 }
1087 #endif /* EAP_TNC */
1088 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP "
1089 "received for Phase2 MSCHAPV2");
1090 return -1;
1091 }
1092 if (parse->mschapv2[0] != data->ident) {
1093 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 "
1094 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)",
1095 parse->mschapv2[0], data->ident);
1096 return -1;
1097 }
1098 if (!data->auth_response_valid ||
1099 mschapv2_verify_auth_response(data->auth_response,
1100 parse->mschapv2 + 1, 42)) {
1101 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator "
1102 "response in Phase 2 MSCHAPV2 success request");
1103 return -1;
1104 }
1105
1106 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1107 "authentication succeeded");
1108 ret->methodState = METHOD_DONE;
1109 ret->decision = DECISION_UNCOND_SUCC;
1110 data->phase2_success = 1;
1111
1112 /*
1113 * Reply with empty data; authentication server will reply
1114 * with EAP-Success after this.
1115 */
1116 return 1;
1117 #else /* EAP_MSCHAPv2 */
1118 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
1119 return -1;
1120 #endif /* EAP_MSCHAPv2 */
1121 }
1122
1123
1124 #ifdef EAP_TNC
eap_ttls_process_tnc_start(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,struct ttls_parse_avp * parse,struct wpabuf ** resp)1125 static int eap_ttls_process_tnc_start(struct eap_sm *sm,
1126 struct eap_ttls_data *data,
1127 struct eap_method_ret *ret,
1128 struct ttls_parse_avp *parse,
1129 struct wpabuf **resp)
1130 {
1131 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */
1132 if (parse->eapdata == NULL) {
1133 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1134 "unexpected tunneled data (no EAP)");
1135 return -1;
1136 }
1137
1138 if (!data->ready_for_tnc) {
1139 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1140 "EAP after non-EAP, but not ready for TNC");
1141 return -1;
1142 }
1143
1144 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
1145 "non-EAP method");
1146 data->tnc_started = 1;
1147
1148 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0)
1149 return -1;
1150
1151 return 0;
1152 }
1153 #endif /* EAP_TNC */
1154
1155
eap_ttls_process_decrypted(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 identifier,struct ttls_parse_avp * parse,struct wpabuf * in_decrypted,struct wpabuf ** out_data)1156 static int eap_ttls_process_decrypted(struct eap_sm *sm,
1157 struct eap_ttls_data *data,
1158 struct eap_method_ret *ret,
1159 u8 identifier,
1160 struct ttls_parse_avp *parse,
1161 struct wpabuf *in_decrypted,
1162 struct wpabuf **out_data)
1163 {
1164 struct wpabuf *resp = NULL;
1165 struct eap_peer_config *config = eap_get_config(sm);
1166 int res;
1167 enum phase2_types phase2_type = data->phase2_type;
1168
1169 #ifdef EAP_TNC
1170 if (data->tnc_started)
1171 phase2_type = EAP_TTLS_PHASE2_EAP;
1172 #endif /* EAP_TNC */
1173
1174 switch (phase2_type) {
1175 case EAP_TTLS_PHASE2_EAP:
1176 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) <
1177 0)
1178 return -1;
1179 break;
1180 case EAP_TTLS_PHASE2_MSCHAPV2:
1181 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse);
1182 #ifdef EAP_TNC
1183 if (res == 1 && parse->eapdata && data->phase2_success) {
1184 /*
1185 * TNC may be required as the next
1186 * authentication method within the tunnel.
1187 */
1188 ret->methodState = METHOD_MAY_CONT;
1189 data->ready_for_tnc = 1;
1190 if (eap_ttls_process_tnc_start(sm, data, ret, parse,
1191 &resp) == 0)
1192 break;
1193 }
1194 #endif /* EAP_TNC */
1195 return res;
1196 case EAP_TTLS_PHASE2_MSCHAP:
1197 case EAP_TTLS_PHASE2_PAP:
1198 case EAP_TTLS_PHASE2_CHAP:
1199 #ifdef EAP_TNC
1200 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) <
1201 0)
1202 return -1;
1203 break;
1204 #else /* EAP_TNC */
1205 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1206 * requests to the supplicant */
1207 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1208 "tunneled data");
1209 return -1;
1210 #endif /* EAP_TNC */
1211 }
1212
1213 if (resp) {
1214 if (eap_ttls_encrypt_response(sm, data, resp, identifier,
1215 out_data) < 0)
1216 return -1;
1217 } else if (config->pending_req_identity ||
1218 config->pending_req_password ||
1219 config->pending_req_otp ||
1220 config->pending_req_new_password) {
1221 wpabuf_free(data->pending_phase2_req);
1222 data->pending_phase2_req = wpabuf_dup(in_decrypted);
1223 }
1224
1225 return 0;
1226 }
1227
1228
eap_ttls_implicit_identity_request(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 identifier,struct wpabuf ** out_data)1229 static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
1230 struct eap_ttls_data *data,
1231 struct eap_method_ret *ret,
1232 u8 identifier,
1233 struct wpabuf **out_data)
1234 {
1235 int retval = 0;
1236 struct eap_hdr *hdr;
1237 struct wpabuf *resp;
1238
1239 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request();
1240 if (hdr == NULL) {
1241 ret->methodState = METHOD_DONE;
1242 ret->decision = DECISION_FAIL;
1243 return -1;
1244 }
1245
1246 resp = NULL;
1247 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) {
1248 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1249 "processing failed");
1250 retval = -1;
1251 } else {
1252 struct eap_peer_config *config = eap_get_config(sm);
1253 if (resp == NULL &&
1254 (config->pending_req_identity ||
1255 config->pending_req_password ||
1256 config->pending_req_otp ||
1257 config->pending_req_new_password)) {
1258 /*
1259 * Use empty buffer to force implicit request
1260 * processing when EAP request is re-processed after
1261 * user input.
1262 */
1263 wpabuf_free(data->pending_phase2_req);
1264 data->pending_phase2_req = wpabuf_alloc(0);
1265 }
1266
1267 retval = eap_ttls_encrypt_response(sm, data, resp, identifier,
1268 out_data);
1269 }
1270
1271 os_free(hdr);
1272
1273 if (retval < 0) {
1274 ret->methodState = METHOD_DONE;
1275 ret->decision = DECISION_FAIL;
1276 }
1277
1278 return retval;
1279 }
1280
1281
eap_ttls_phase2_start(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 identifier,struct wpabuf ** out_data)1282 static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data,
1283 struct eap_method_ret *ret, u8 identifier,
1284 struct wpabuf **out_data)
1285 {
1286 data->phase2_start = 0;
1287
1288 /*
1289 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only
1290 * if TLS part was indeed resuming a previous session. Most
1291 * Authentication Servers terminate EAP-TTLS before reaching this
1292 * point, but some do not. Make wpa_supplicant stop phase 2 here, if
1293 * needed.
1294 */
1295 if (data->reauth &&
1296 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1297 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1298 "skip phase 2");
1299 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS,
1300 data->ttls_version);
1301 ret->methodState = METHOD_DONE;
1302 ret->decision = DECISION_UNCOND_SUCC;
1303 data->phase2_success = 1;
1304 return 0;
1305 }
1306
1307 return eap_ttls_implicit_identity_request(sm, data, ret, identifier,
1308 out_data);
1309 }
1310
1311
eap_ttls_decrypt(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 identifier,const struct wpabuf * in_data,struct wpabuf ** out_data)1312 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1313 struct eap_method_ret *ret, u8 identifier,
1314 const struct wpabuf *in_data,
1315 struct wpabuf **out_data)
1316 {
1317 struct wpabuf *in_decrypted = NULL;
1318 int retval = 0;
1319 struct ttls_parse_avp parse;
1320
1321 os_memset(&parse, 0, sizeof(parse));
1322
1323 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1324 " Phase 2",
1325 in_data ? (unsigned long) wpabuf_len(in_data) : 0);
1326
1327 if (data->pending_phase2_req) {
1328 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1329 "skip decryption and use old data");
1330 /* Clear TLS reassembly state. */
1331 eap_peer_tls_reset_input(&data->ssl);
1332
1333 in_decrypted = data->pending_phase2_req;
1334 data->pending_phase2_req = NULL;
1335 if (wpabuf_len(in_decrypted) == 0) {
1336 wpabuf_free(in_decrypted);
1337 return eap_ttls_implicit_identity_request(
1338 sm, data, ret, identifier, out_data);
1339 }
1340 goto continue_req;
1341 }
1342
1343 if ((in_data == NULL || wpabuf_len(in_data) == 0) &&
1344 data->phase2_start) {
1345 return eap_ttls_phase2_start(sm, data, ret, identifier,
1346 out_data);
1347 }
1348
1349 if (in_data == NULL || wpabuf_len(in_data) == 0) {
1350 /* Received TLS ACK - requesting more fragments */
1351 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1352 data->ttls_version,
1353 identifier, NULL, out_data);
1354 }
1355
1356 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
1357 if (retval)
1358 goto done;
1359
1360 continue_req:
1361 data->phase2_start = 0;
1362
1363 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) {
1364 retval = -1;
1365 goto done;
1366 }
1367
1368 retval = eap_ttls_process_decrypted(sm, data, ret, identifier,
1369 &parse, in_decrypted, out_data);
1370
1371 done:
1372 wpabuf_free(in_decrypted);
1373 os_free(parse.eapdata);
1374
1375 if (retval < 0) {
1376 ret->methodState = METHOD_DONE;
1377 ret->decision = DECISION_FAIL;
1378 }
1379
1380 return retval;
1381 }
1382
1383
eap_ttls_process_handshake(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret,u8 identifier,const struct wpabuf * in_data,struct wpabuf ** out_data)1384 static int eap_ttls_process_handshake(struct eap_sm *sm,
1385 struct eap_ttls_data *data,
1386 struct eap_method_ret *ret,
1387 u8 identifier,
1388 const struct wpabuf *in_data,
1389 struct wpabuf **out_data)
1390 {
1391 int res;
1392
1393 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1394 data->ttls_version, identifier,
1395 in_data, out_data);
1396
1397 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1398 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
1399 "Phase 2");
1400 if (data->resuming) {
1401 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may "
1402 "skip Phase 2");
1403 ret->decision = DECISION_COND_SUCC;
1404 ret->methodState = METHOD_MAY_CONT;
1405 }
1406 data->phase2_start = 1;
1407 eap_ttls_v0_derive_key(sm, data);
1408
1409 if (*out_data == NULL || wpabuf_len(*out_data) == 0) {
1410 if (eap_ttls_decrypt(sm, data, ret, identifier,
1411 NULL, out_data)) {
1412 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1413 "failed to process early "
1414 "start for Phase 2");
1415 }
1416 res = 0;
1417 }
1418 data->resuming = 0;
1419 }
1420
1421 if (res == 2) {
1422 /*
1423 * Application data included in the handshake message.
1424 */
1425 wpabuf_free(data->pending_phase2_req);
1426 data->pending_phase2_req = *out_data;
1427 *out_data = NULL;
1428 res = eap_ttls_decrypt(sm, data, ret, identifier, in_data,
1429 out_data);
1430 }
1431
1432 return res;
1433 }
1434
1435
eap_ttls_check_auth_status(struct eap_sm * sm,struct eap_ttls_data * data,struct eap_method_ret * ret)1436 static void eap_ttls_check_auth_status(struct eap_sm *sm,
1437 struct eap_ttls_data *data,
1438 struct eap_method_ret *ret)
1439 {
1440 if (ret->methodState == METHOD_DONE) {
1441 ret->allowNotifications = FALSE;
1442 if (ret->decision == DECISION_UNCOND_SUCC ||
1443 ret->decision == DECISION_COND_SUCC) {
1444 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1445 "completed successfully");
1446 data->phase2_success = 1;
1447 #ifdef EAP_TNC
1448 if (!data->ready_for_tnc && !data->tnc_started) {
1449 /*
1450 * TNC may be required as the next
1451 * authentication method within the tunnel.
1452 */
1453 ret->methodState = METHOD_MAY_CONT;
1454 data->ready_for_tnc = 1;
1455 }
1456 #endif /* EAP_TNC */
1457 }
1458 } else if (ret->methodState == METHOD_MAY_CONT &&
1459 (ret->decision == DECISION_UNCOND_SUCC ||
1460 ret->decision == DECISION_COND_SUCC)) {
1461 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1462 "completed successfully (MAY_CONT)");
1463 data->phase2_success = 1;
1464 }
1465 }
1466
1467
eap_ttls_process(struct eap_sm * sm,void * priv,struct eap_method_ret * ret,const struct wpabuf * reqData)1468 static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv,
1469 struct eap_method_ret *ret,
1470 const struct wpabuf *reqData)
1471 {
1472 size_t left;
1473 int res;
1474 u8 flags, id;
1475 struct wpabuf *resp;
1476 const u8 *pos;
1477 struct eap_ttls_data *data = priv;
1478 struct wpabuf msg;
1479
1480 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1481 reqData, &left, &flags);
1482 if (pos == NULL)
1483 return NULL;
1484 id = eap_get_id(reqData);
1485
1486 if (flags & EAP_TLS_FLAGS_START) {
1487 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1488 "ver=%d)", flags & EAP_TLS_VERSION_MASK,
1489 data->ttls_version);
1490
1491 /* RFC 5281, Ch. 9.2:
1492 * "This packet MAY contain additional information in the form
1493 * of AVPs, which may provide useful hints to the client"
1494 * For now, ignore any potential extra data.
1495 */
1496 left = 0;
1497 }
1498
1499 wpabuf_set(&msg, pos, left);
1500
1501 resp = NULL;
1502 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1503 !data->resuming) {
1504 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp);
1505 } else {
1506 res = eap_ttls_process_handshake(sm, data, ret, id,
1507 &msg, &resp);
1508 }
1509
1510 eap_ttls_check_auth_status(sm, data, ret);
1511
1512 /* FIX: what about res == -1? Could just move all error processing into
1513 * the other functions and get rid of this res==1 case here. */
1514 if (res == 1) {
1515 wpabuf_free(resp);
1516 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS,
1517 data->ttls_version);
1518 }
1519 return resp;
1520 }
1521
1522
eap_ttls_has_reauth_data(struct eap_sm * sm,void * priv)1523 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1524 {
1525 struct eap_ttls_data *data = priv;
1526 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1527 data->phase2_success;
1528 }
1529
1530
eap_ttls_deinit_for_reauth(struct eap_sm * sm,void * priv)1531 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1532 {
1533 struct eap_ttls_data *data = priv;
1534 wpabuf_free(data->pending_phase2_req);
1535 data->pending_phase2_req = NULL;
1536 #ifdef EAP_TNC
1537 data->ready_for_tnc = 0;
1538 data->tnc_started = 0;
1539 #endif /* EAP_TNC */
1540 }
1541
1542
eap_ttls_init_for_reauth(struct eap_sm * sm,void * priv)1543 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1544 {
1545 struct eap_ttls_data *data = priv;
1546 eap_ttls_free_key(data);
1547 os_free(data->session_id);
1548 data->session_id = NULL;
1549 if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
1550 os_free(data);
1551 return NULL;
1552 }
1553 if (data->phase2_priv && data->phase2_method &&
1554 data->phase2_method->init_for_reauth)
1555 data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1556 data->phase2_start = 0;
1557 data->phase2_success = 0;
1558 data->resuming = 1;
1559 data->reauth = 1;
1560 return priv;
1561 }
1562
1563
eap_ttls_get_status(struct eap_sm * sm,void * priv,char * buf,size_t buflen,int verbose)1564 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1565 size_t buflen, int verbose)
1566 {
1567 struct eap_ttls_data *data = priv;
1568 int len, ret;
1569
1570 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
1571 ret = os_snprintf(buf + len, buflen - len,
1572 "EAP-TTLSv%d Phase2 method=",
1573 data->ttls_version);
1574 if (os_snprintf_error(buflen - len, ret))
1575 return len;
1576 len += ret;
1577 switch (data->phase2_type) {
1578 case EAP_TTLS_PHASE2_EAP:
1579 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1580 data->phase2_method ?
1581 data->phase2_method->name : "?");
1582 break;
1583 case EAP_TTLS_PHASE2_MSCHAPV2:
1584 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1585 break;
1586 case EAP_TTLS_PHASE2_MSCHAP:
1587 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1588 break;
1589 case EAP_TTLS_PHASE2_PAP:
1590 ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1591 break;
1592 case EAP_TTLS_PHASE2_CHAP:
1593 ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1594 break;
1595 default:
1596 ret = 0;
1597 break;
1598 }
1599 if (os_snprintf_error(buflen - len, ret))
1600 return len;
1601 len += ret;
1602
1603 return len;
1604 }
1605
1606
eap_ttls_isKeyAvailable(struct eap_sm * sm,void * priv)1607 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1608 {
1609 struct eap_ttls_data *data = priv;
1610 return data->key_data != NULL && data->phase2_success;
1611 }
1612
1613
eap_ttls_getKey(struct eap_sm * sm,void * priv,size_t * len)1614 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1615 {
1616 struct eap_ttls_data *data = priv;
1617 u8 *key;
1618
1619 if (data->key_data == NULL || !data->phase2_success)
1620 return NULL;
1621
1622 key = os_malloc(EAP_TLS_KEY_LEN);
1623 if (key == NULL)
1624 return NULL;
1625
1626 *len = EAP_TLS_KEY_LEN;
1627 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1628
1629 return key;
1630 }
1631
1632
eap_ttls_get_session_id(struct eap_sm * sm,void * priv,size_t * len)1633 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1634 {
1635 struct eap_ttls_data *data = priv;
1636 u8 *id;
1637
1638 if (data->session_id == NULL || !data->phase2_success)
1639 return NULL;
1640
1641 id = os_malloc(data->id_len);
1642 if (id == NULL)
1643 return NULL;
1644
1645 *len = data->id_len;
1646 os_memcpy(id, data->session_id, data->id_len);
1647
1648 return id;
1649 }
1650
1651
eap_ttls_get_emsk(struct eap_sm * sm,void * priv,size_t * len)1652 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1653 {
1654 struct eap_ttls_data *data = priv;
1655 u8 *key;
1656
1657 if (data->key_data == NULL)
1658 return NULL;
1659
1660 key = os_malloc(EAP_EMSK_LEN);
1661 if (key == NULL)
1662 return NULL;
1663
1664 *len = EAP_EMSK_LEN;
1665 os_memcpy(key, data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);
1666
1667 return key;
1668 }
1669
1670
eap_peer_ttls_register(void)1671 int eap_peer_ttls_register(void)
1672 {
1673 struct eap_method *eap;
1674 int ret;
1675
1676 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1677 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1678 if (eap == NULL)
1679 return -1;
1680
1681 eap->init = eap_ttls_init;
1682 eap->deinit = eap_ttls_deinit;
1683 eap->process = eap_ttls_process;
1684 eap->isKeyAvailable = eap_ttls_isKeyAvailable;
1685 eap->getKey = eap_ttls_getKey;
1686 eap->getSessionId = eap_ttls_get_session_id;
1687 eap->get_status = eap_ttls_get_status;
1688 eap->has_reauth_data = eap_ttls_has_reauth_data;
1689 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
1690 eap->init_for_reauth = eap_ttls_init_for_reauth;
1691 eap->get_emsk = eap_ttls_get_emsk;
1692
1693 ret = eap_peer_method_register(eap);
1694 if (ret)
1695 eap_peer_method_free(eap);
1696 return ret;
1697 }
1698