1 /* 2 * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) 3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "eap_common/eap_tlv_common.h" 15 #include "eap_common/eap_peap_common.h" 16 #include "eap_i.h" 17 #include "eap_tls_common.h" 18 #include "eap_config.h" 19 #include "tncc.h" 20 21 22 /* Maximum supported PEAP version 23 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 24 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt 25 */ 26 #define EAP_PEAP_VERSION 1 27 28 29 static void eap_peap_deinit(struct eap_sm *sm, void *priv); 30 31 32 struct eap_peap_data { 33 struct eap_ssl_data ssl; 34 35 int peap_version, force_peap_version, force_new_label; 36 37 const struct eap_method *phase2_method; 38 void *phase2_priv; 39 int phase2_success; 40 int phase2_eap_success; 41 int phase2_eap_started; 42 43 struct eap_method_type phase2_type; 44 struct eap_method_type *phase2_types; 45 size_t num_phase2_types; 46 47 int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner 48 * EAP-Success 49 * 1 = reply with tunneled EAP-Success to inner 50 * EAP-Success and expect AS to send outer 51 * (unencrypted) EAP-Success after this 52 * 2 = reply with PEAP/TLS ACK to inner 53 * EAP-Success and expect AS to send outer 54 * (unencrypted) EAP-Success after this */ 55 int resuming; /* starting a resumed session */ 56 int reauth; /* reauthentication */ 57 u8 *key_data; 58 u8 *session_id; 59 size_t id_len; 60 61 struct wpabuf *pending_phase2_req; 62 struct wpabuf *pending_resp; 63 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; 64 int crypto_binding_used; 65 u8 binding_nonce[32]; 66 u8 ipmk[40]; 67 u8 cmk[20]; 68 int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) 69 * is enabled. */ 70 }; 71 72 73 static void eap_peap_parse_phase1(struct eap_peap_data *data, 74 const char *phase1) 75 { 76 const char *pos; 77 78 pos = os_strstr(phase1, "peapver="); 79 if (pos) { 80 data->force_peap_version = atoi(pos + 8); 81 data->peap_version = data->force_peap_version; 82 wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", 83 data->force_peap_version); 84 } 85 86 if (os_strstr(phase1, "peaplabel=1")) { 87 data->force_new_label = 1; 88 wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " 89 "derivation"); 90 } 91 92 if (os_strstr(phase1, "peap_outer_success=0")) { 93 data->peap_outer_success = 0; 94 wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " 95 "tunneled EAP-Success"); 96 } else if (os_strstr(phase1, "peap_outer_success=1")) { 97 data->peap_outer_success = 1; 98 wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " 99 "after receiving tunneled EAP-Success"); 100 } else if (os_strstr(phase1, "peap_outer_success=2")) { 101 data->peap_outer_success = 2; 102 wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " 103 "receiving tunneled EAP-Success"); 104 } 105 106 if (os_strstr(phase1, "crypto_binding=0")) { 107 data->crypto_binding = NO_BINDING; 108 wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); 109 } else if (os_strstr(phase1, "crypto_binding=1")) { 110 data->crypto_binding = OPTIONAL_BINDING; 111 wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); 112 } else if (os_strstr(phase1, "crypto_binding=2")) { 113 data->crypto_binding = REQUIRE_BINDING; 114 wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); 115 } 116 117 #ifdef EAP_TNC 118 if (os_strstr(phase1, "tnc=soh2")) { 119 data->soh = 2; 120 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 121 } else if (os_strstr(phase1, "tnc=soh1")) { 122 data->soh = 1; 123 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); 124 } else if (os_strstr(phase1, "tnc=soh")) { 125 data->soh = 2; 126 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 127 } 128 #endif /* EAP_TNC */ 129 } 130 131 132 static void * eap_peap_init(struct eap_sm *sm) 133 { 134 struct eap_peap_data *data; 135 struct eap_peer_config *config = eap_get_config(sm); 136 137 data = os_zalloc(sizeof(*data)); 138 if (data == NULL) 139 return NULL; 140 sm->peap_done = false; 141 data->peap_version = EAP_PEAP_VERSION; 142 data->force_peap_version = -1; 143 data->peap_outer_success = 2; 144 data->crypto_binding = OPTIONAL_BINDING; 145 146 if (config && config->phase1) 147 eap_peap_parse_phase1(data, config->phase1); 148 149 if (eap_peer_select_phase2_methods(config, "auth=", 150 &data->phase2_types, 151 &data->num_phase2_types, 0) < 0) { 152 eap_peap_deinit(sm, data); 153 return NULL; 154 } 155 156 data->phase2_type.vendor = EAP_VENDOR_IETF; 157 data->phase2_type.method = EAP_TYPE_NONE; 158 159 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { 160 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); 161 eap_peap_deinit(sm, data); 162 return NULL; 163 } 164 165 return data; 166 } 167 168 169 static void eap_peap_free_key(struct eap_peap_data *data) 170 { 171 if (data->key_data) { 172 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); 173 data->key_data = NULL; 174 } 175 } 176 177 178 static void eap_peap_deinit(struct eap_sm *sm, void *priv) 179 { 180 struct eap_peap_data *data = priv; 181 if (data == NULL) 182 return; 183 if (data->phase2_priv && data->phase2_method) 184 data->phase2_method->deinit(sm, data->phase2_priv); 185 os_free(data->phase2_types); 186 eap_peer_tls_ssl_deinit(sm, &data->ssl); 187 eap_peap_free_key(data); 188 os_free(data->session_id); 189 wpabuf_clear_free(data->pending_phase2_req); 190 wpabuf_clear_free(data->pending_resp); 191 bin_clear_free(data, sizeof(*data)); 192 } 193 194 195 /** 196 * eap_tlv_build_nak - Build EAP-TLV NAK message 197 * @id: EAP identifier for the header 198 * @nak_type: TLV type (EAP_TLV_*) 199 * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure 200 * 201 * This function builds an EAP-TLV NAK message. The caller is responsible for 202 * freeing the returned buffer. 203 */ 204 static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) 205 { 206 struct wpabuf *msg; 207 208 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, 209 EAP_CODE_RESPONSE, id); 210 if (msg == NULL) 211 return NULL; 212 213 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 214 wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); 215 wpabuf_put_be16(msg, 6); /* Length */ 216 wpabuf_put_be32(msg, 0); /* Vendor-Id */ 217 wpabuf_put_be16(msg, nak_type); /* NAK-Type */ 218 219 return msg; 220 } 221 222 223 static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, 224 u8 *isk, size_t isk_len) 225 { 226 u8 *key; 227 size_t key_len; 228 229 os_memset(isk, 0, isk_len); 230 if (data->phase2_method == NULL || data->phase2_priv == NULL || 231 data->phase2_method->isKeyAvailable == NULL || 232 data->phase2_method->getKey == NULL) 233 return 0; 234 235 if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || 236 (key = data->phase2_method->getKey(sm, data->phase2_priv, 237 &key_len)) == NULL) { 238 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " 239 "from Phase 2"); 240 return -1; 241 } 242 243 if (key_len > isk_len) 244 key_len = isk_len; 245 os_memcpy(isk, key, key_len); 246 os_free(key); 247 248 return 0; 249 } 250 251 252 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) 253 { 254 u8 *tk; 255 u8 isk[32], imck[60]; 256 int resumed, res; 257 258 /* 259 * Tunnel key (TK) is the first 60 octets of the key generated by 260 * phase 1 of PEAP (based on TLS). 261 */ 262 tk = data->key_data; 263 if (tk == NULL) 264 return -1; 265 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); 266 267 resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn); 268 wpa_printf(MSG_DEBUG, 269 "EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d", 270 data->reauth, resumed, data->phase2_eap_started, 271 data->phase2_success); 272 if (data->reauth && !data->phase2_eap_started && resumed) { 273 /* Fast-connect: IPMK|CMK = TK */ 274 os_memcpy(data->ipmk, tk, 40); 275 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 276 data->ipmk, 40); 277 os_memcpy(data->cmk, tk + 40, 20); 278 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", 279 data->cmk, 20); 280 return 0; 281 } 282 283 if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) 284 return -1; 285 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); 286 287 /* 288 * IPMK Seed = "Inner Methods Compound Keys" | ISK 289 * TempKey = First 40 octets of TK 290 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) 291 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space 292 * in the end of the label just before ISK; is that just a typo?) 293 */ 294 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); 295 res = peap_prfplus(data->peap_version, tk, 40, 296 "Inner Methods Compound Keys", 297 isk, sizeof(isk), imck, sizeof(imck)); 298 forced_memzero(isk, sizeof(isk)); 299 if (res < 0) 300 return -1; 301 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", 302 imck, sizeof(imck)); 303 304 os_memcpy(data->ipmk, imck, 40); 305 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); 306 os_memcpy(data->cmk, imck + 40, 20); 307 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); 308 forced_memzero(imck, sizeof(imck)); 309 310 return 0; 311 } 312 313 314 static int eap_tlv_add_cryptobinding(struct eap_sm *sm, 315 struct eap_peap_data *data, 316 struct wpabuf *buf) 317 { 318 u8 *mac; 319 u8 eap_type = EAP_TYPE_PEAP; 320 const u8 *addr[2]; 321 size_t len[2]; 322 u16 tlv_type; 323 324 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 325 addr[0] = wpabuf_put(buf, 0); 326 len[0] = 60; 327 addr[1] = &eap_type; 328 len[1] = 1; 329 330 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; 331 wpabuf_put_be16(buf, tlv_type); 332 wpabuf_put_be16(buf, 56); 333 334 wpabuf_put_u8(buf, 0); /* Reserved */ 335 wpabuf_put_u8(buf, data->peap_version); /* Version */ 336 wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ 337 wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ 338 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ 339 mac = wpabuf_put(buf, 20); /* Compound_MAC */ 340 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); 341 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", 342 addr[0], len[0]); 343 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", 344 addr[1], len[1]); 345 if (hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac) < 0) 346 return -1; 347 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); 348 data->crypto_binding_used = 1; 349 350 return 0; 351 } 352 353 354 /** 355 * eap_tlv_build_result - Build EAP-TLV Result message 356 * @id: EAP identifier for the header 357 * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) 358 * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure 359 * 360 * This function builds an EAP-TLV Result message. The caller is responsible 361 * for freeing the returned buffer. 362 */ 363 static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, 364 struct eap_peap_data *data, 365 int crypto_tlv_used, 366 int id, u16 status) 367 { 368 struct wpabuf *msg; 369 size_t len; 370 371 if (data->crypto_binding == NO_BINDING) 372 crypto_tlv_used = 0; 373 374 len = 6; 375 if (crypto_tlv_used) 376 len += 60; /* Cryptobinding TLV */ 377 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, 378 EAP_CODE_RESPONSE, id); 379 if (msg == NULL) 380 return NULL; 381 382 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 383 wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); 384 wpabuf_put_be16(msg, 2); /* Length */ 385 wpabuf_put_be16(msg, status); /* Status */ 386 387 if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { 388 wpabuf_clear_free(msg); 389 return NULL; 390 } 391 392 return msg; 393 } 394 395 396 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, 397 struct eap_peap_data *data, 398 const u8 *crypto_tlv, 399 size_t crypto_tlv_len) 400 { 401 u8 buf[61], mac[SHA1_MAC_LEN]; 402 const u8 *pos; 403 404 if (eap_peap_derive_cmk(sm, data) < 0) { 405 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); 406 return -1; 407 } 408 409 if (crypto_tlv_len != 4 + 56) { 410 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " 411 "length %d", (int) crypto_tlv_len); 412 return -1; 413 } 414 415 pos = crypto_tlv; 416 pos += 4; /* TLV header */ 417 if (pos[1] != data->peap_version) { 418 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " 419 "mismatch (was %d; expected %d)", 420 pos[1], data->peap_version); 421 return -1; 422 } 423 424 if (pos[3] != 0) { 425 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " 426 "SubType %d", pos[3]); 427 return -1; 428 } 429 pos += 4; 430 os_memcpy(data->binding_nonce, pos, 32); 431 pos += 32; /* Nonce */ 432 433 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 434 os_memcpy(buf, crypto_tlv, 60); 435 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ 436 buf[60] = EAP_TYPE_PEAP; 437 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", 438 buf, sizeof(buf)); 439 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); 440 441 if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) { 442 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " 443 "cryptobinding TLV"); 444 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", 445 pos, SHA1_MAC_LEN); 446 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", 447 mac, SHA1_MAC_LEN); 448 return -1; 449 } 450 451 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); 452 453 return 0; 454 } 455 456 457 /** 458 * eap_tlv_process - Process a received EAP-TLV message and generate a response 459 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 460 * @ret: Return values from EAP request validation and processing 461 * @req: EAP-TLV request to be processed. The caller must have validated that 462 * the buffer is large enough to contain full request (hdr->length bytes) and 463 * that the EAP type is EAP_TYPE_TLV. 464 * @resp: Buffer to return a pointer to the allocated response message. This 465 * field should be initialized to %NULL before the call. The value will be 466 * updated if a response message is generated. The caller is responsible for 467 * freeing the allocated message. 468 * @force_failure: Force negotiation to fail 469 * Returns: 0 on success, -1 on failure 470 */ 471 static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, 472 struct eap_method_ret *ret, 473 const struct wpabuf *req, struct wpabuf **resp, 474 int force_failure) 475 { 476 size_t left, tlv_len; 477 const u8 *pos; 478 const u8 *result_tlv = NULL, *crypto_tlv = NULL; 479 size_t result_tlv_len = 0, crypto_tlv_len = 0; 480 int tlv_type, mandatory; 481 482 /* Parse TLVs */ 483 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); 484 if (pos == NULL) 485 return -1; 486 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); 487 while (left >= 4) { 488 mandatory = !!(pos[0] & 0x80); 489 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 490 pos += 2; 491 tlv_len = WPA_GET_BE16(pos); 492 pos += 2; 493 left -= 4; 494 if (tlv_len > left) { 495 wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " 496 "(tlv_len=%lu left=%lu)", 497 (unsigned long) tlv_len, 498 (unsigned long) left); 499 return -1; 500 } 501 switch (tlv_type) { 502 case EAP_TLV_RESULT_TLV: 503 result_tlv = pos; 504 result_tlv_len = tlv_len; 505 break; 506 case EAP_TLV_CRYPTO_BINDING_TLV: 507 crypto_tlv = pos; 508 crypto_tlv_len = tlv_len; 509 break; 510 default: 511 wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " 512 "%d%s", tlv_type, 513 mandatory ? " (mandatory)" : ""); 514 if (mandatory) { 515 /* NAK TLV and ignore all TLVs in this packet. 516 */ 517 *resp = eap_tlv_build_nak(eap_get_id(req), 518 tlv_type); 519 return *resp == NULL ? -1 : 0; 520 } 521 /* Ignore this TLV, but process other TLVs */ 522 break; 523 } 524 525 pos += tlv_len; 526 left -= tlv_len; 527 } 528 if (left) { 529 wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " 530 "Request (left=%lu)", (unsigned long) left); 531 return -1; 532 } 533 534 /* Process supported TLVs */ 535 if (crypto_tlv && data->crypto_binding != NO_BINDING) { 536 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", 537 crypto_tlv, crypto_tlv_len); 538 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, 539 crypto_tlv_len + 4) < 0) { 540 if (result_tlv == NULL) 541 return -1; 542 force_failure = 1; 543 crypto_tlv = NULL; /* do not include Cryptobinding TLV 544 * in response, if the received 545 * cryptobinding was invalid. */ 546 } 547 } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { 548 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); 549 return -1; 550 } 551 552 if (result_tlv) { 553 int status, resp_status; 554 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", 555 result_tlv, result_tlv_len); 556 if (result_tlv_len < 2) { 557 wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " 558 "(len=%lu)", 559 (unsigned long) result_tlv_len); 560 return -1; 561 } 562 status = WPA_GET_BE16(result_tlv); 563 if (status == EAP_TLV_RESULT_SUCCESS) { 564 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " 565 "- EAP-TLV/Phase2 Completed"); 566 if (force_failure) { 567 wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" 568 " - force failed Phase 2"); 569 resp_status = EAP_TLV_RESULT_FAILURE; 570 ret->decision = DECISION_FAIL; 571 } else { 572 resp_status = EAP_TLV_RESULT_SUCCESS; 573 ret->decision = DECISION_UNCOND_SUCC; 574 } 575 } else if (status == EAP_TLV_RESULT_FAILURE) { 576 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); 577 resp_status = EAP_TLV_RESULT_FAILURE; 578 ret->decision = DECISION_FAIL; 579 } else { 580 wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " 581 "Status %d", status); 582 resp_status = EAP_TLV_RESULT_FAILURE; 583 ret->decision = DECISION_FAIL; 584 } 585 ret->methodState = METHOD_DONE; 586 587 *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, 588 eap_get_id(req), resp_status); 589 } 590 591 return 0; 592 } 593 594 595 static int eap_peap_phase2_request(struct eap_sm *sm, 596 struct eap_peap_data *data, 597 struct eap_method_ret *ret, 598 struct wpabuf *req, 599 struct wpabuf **resp) 600 { 601 struct eap_hdr *hdr = wpabuf_mhead(req); 602 size_t len = be_to_host16(hdr->length); 603 u8 *pos; 604 struct eap_method_ret iret; 605 struct eap_peer_config *config = eap_get_config(sm); 606 int vendor; 607 enum eap_type method; 608 609 if (len <= sizeof(struct eap_hdr)) { 610 wpa_printf(MSG_INFO, "EAP-PEAP: too short " 611 "Phase 2 request (len=%lu)", (unsigned long) len); 612 return -1; 613 } 614 pos = (u8 *) (hdr + 1); 615 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); 616 switch (*pos) { 617 case EAP_TYPE_IDENTITY: 618 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 619 break; 620 case EAP_TYPE_TLV: 621 os_memset(&iret, 0, sizeof(iret)); 622 if (eap_tlv_process(sm, data, &iret, req, resp, 623 data->phase2_eap_started && 624 !data->phase2_eap_success)) { 625 ret->methodState = METHOD_DONE; 626 ret->decision = DECISION_FAIL; 627 return -1; 628 } 629 if (iret.methodState == METHOD_DONE || 630 iret.methodState == METHOD_MAY_CONT) { 631 ret->methodState = iret.methodState; 632 ret->decision = iret.decision; 633 data->phase2_success = 1; 634 } 635 break; 636 case EAP_TYPE_EXPANDED: 637 #ifdef EAP_TNC 638 if (data->soh) { 639 const u8 *epos; 640 size_t eleft; 641 642 epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, 643 req, &eleft); 644 if (epos) { 645 struct wpabuf *buf; 646 wpa_printf(MSG_DEBUG, 647 "EAP-PEAP: SoH EAP Extensions"); 648 buf = tncc_process_soh_request(data->soh, 649 epos, eleft); 650 if (buf) { 651 *resp = eap_msg_alloc( 652 EAP_VENDOR_MICROSOFT, 0x21, 653 wpabuf_len(buf), 654 EAP_CODE_RESPONSE, 655 hdr->identifier); 656 if (*resp == NULL) { 657 ret->methodState = METHOD_DONE; 658 ret->decision = DECISION_FAIL; 659 wpabuf_clear_free(buf); 660 return -1; 661 } 662 wpabuf_put_buf(*resp, buf); 663 wpabuf_clear_free(buf); 664 break; 665 } 666 } 667 } 668 #endif /* EAP_TNC */ 669 /* fall through */ 670 default: 671 vendor = EAP_VENDOR_IETF; 672 method = *pos; 673 674 if (method == EAP_TYPE_EXPANDED) { 675 if (len < sizeof(struct eap_hdr) + 8) { 676 wpa_printf(MSG_INFO, 677 "EAP-PEAP: Too short Phase 2 request (expanded header) (len=%lu)", 678 (unsigned long) len); 679 return -1; 680 } 681 vendor = WPA_GET_BE24(pos + 1); 682 method = WPA_GET_BE32(pos + 4); 683 } 684 685 if (data->phase2_type.vendor == EAP_VENDOR_IETF && 686 data->phase2_type.method == EAP_TYPE_NONE) { 687 size_t i; 688 for (i = 0; i < data->num_phase2_types; i++) { 689 if (data->phase2_types[i].vendor != vendor || 690 data->phase2_types[i].method != method) 691 continue; 692 693 data->phase2_type.vendor = 694 data->phase2_types[i].vendor; 695 data->phase2_type.method = 696 data->phase2_types[i].method; 697 wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " 698 "Phase 2 EAP vendor %d method %d", 699 data->phase2_type.vendor, 700 data->phase2_type.method); 701 break; 702 } 703 } 704 if (vendor != data->phase2_type.vendor || 705 method != data->phase2_type.method || 706 (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE)) { 707 if (eap_peer_tls_phase2_nak(data->phase2_types, 708 data->num_phase2_types, 709 hdr, resp)) 710 return -1; 711 return 0; 712 } 713 714 if (data->phase2_priv == NULL) { 715 data->phase2_method = eap_peer_get_eap_method( 716 data->phase2_type.vendor, 717 data->phase2_type.method); 718 if (data->phase2_method) { 719 sm->init_phase2 = 1; 720 data->phase2_priv = 721 data->phase2_method->init(sm); 722 sm->init_phase2 = 0; 723 } 724 } 725 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 726 wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " 727 "Phase 2 EAP method %d", *pos); 728 ret->methodState = METHOD_DONE; 729 ret->decision = DECISION_FAIL; 730 return -1; 731 } 732 data->phase2_eap_started = 1; 733 os_memset(&iret, 0, sizeof(iret)); 734 *resp = data->phase2_method->process(sm, data->phase2_priv, 735 &iret, req); 736 if ((iret.methodState == METHOD_DONE || 737 iret.methodState == METHOD_MAY_CONT) && 738 (iret.decision == DECISION_UNCOND_SUCC || 739 iret.decision == DECISION_COND_SUCC)) { 740 data->phase2_eap_success = 1; 741 data->phase2_success = 1; 742 } 743 break; 744 } 745 746 if (*resp == NULL && 747 (config->pending_req_identity || config->pending_req_password || 748 config->pending_req_otp || config->pending_req_new_password || 749 config->pending_req_sim)) { 750 wpabuf_clear_free(data->pending_phase2_req); 751 data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); 752 } 753 754 return 0; 755 } 756 757 758 static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, 759 struct eap_method_ret *ret, 760 const struct eap_hdr *req, 761 const struct wpabuf *in_data, 762 struct wpabuf **out_data) 763 { 764 struct wpabuf *in_decrypted = NULL; 765 int res, skip_change = 0; 766 struct eap_hdr *hdr, *rhdr; 767 struct wpabuf *resp = NULL; 768 size_t len; 769 770 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" 771 " Phase 2", (unsigned long) wpabuf_len(in_data)); 772 773 if (data->pending_phase2_req) { 774 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " 775 "skip decryption and use old data"); 776 /* Clear TLS reassembly state. */ 777 eap_peer_tls_reset_input(&data->ssl); 778 in_decrypted = data->pending_phase2_req; 779 data->pending_phase2_req = NULL; 780 skip_change = 1; 781 goto continue_req; 782 } 783 784 if (wpabuf_len(in_data) == 0 && sm->workaround && 785 data->phase2_success) { 786 /* 787 * Cisco ACS seems to be using TLS ACK to terminate 788 * EAP-PEAPv0/GTC. Try to reply with TLS ACK. 789 */ 790 wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " 791 "expected data - acknowledge with TLS ACK since " 792 "Phase 2 has been completed"); 793 ret->decision = DECISION_COND_SUCC; 794 ret->methodState = METHOD_DONE; 795 return 1; 796 } else if (wpabuf_len(in_data) == 0) { 797 /* Received TLS ACK - requesting more fragments */ 798 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 799 data->peap_version, 800 req->identifier, NULL, out_data); 801 } 802 803 res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 804 if (res) 805 return res; 806 if (wpabuf_len(in_decrypted) == 0) { 807 wpabuf_free(in_decrypted); 808 return 1; 809 } 810 811 continue_req: 812 wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", 813 in_decrypted); 814 815 hdr = wpabuf_mhead(in_decrypted); 816 if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && 817 be_to_host16(hdr->length) == 5 && 818 eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { 819 /* At least FreeRADIUS seems to send full EAP header with 820 * EAP Request Identity */ 821 skip_change = 1; 822 } 823 if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && 824 eap_get_type(in_decrypted) == EAP_TYPE_TLV) { 825 skip_change = 1; 826 } 827 828 if (data->peap_version == 0 && !skip_change) { 829 struct eap_hdr *nhdr; 830 struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + 831 wpabuf_len(in_decrypted)); 832 if (nmsg == NULL) { 833 wpabuf_clear_free(in_decrypted); 834 return 0; 835 } 836 nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); 837 wpabuf_put_buf(nmsg, in_decrypted); 838 nhdr->code = req->code; 839 nhdr->identifier = req->identifier; 840 nhdr->length = host_to_be16(sizeof(struct eap_hdr) + 841 wpabuf_len(in_decrypted)); 842 843 wpabuf_clear_free(in_decrypted); 844 in_decrypted = nmsg; 845 } 846 847 hdr = wpabuf_mhead(in_decrypted); 848 if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { 849 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " 850 "EAP frame (len=%lu)", 851 (unsigned long) wpabuf_len(in_decrypted)); 852 wpabuf_clear_free(in_decrypted); 853 return 0; 854 } 855 len = be_to_host16(hdr->length); 856 if (len > wpabuf_len(in_decrypted)) { 857 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " 858 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 859 (unsigned long) wpabuf_len(in_decrypted), 860 (unsigned long) len); 861 wpabuf_clear_free(in_decrypted); 862 return 0; 863 } 864 if (len < wpabuf_len(in_decrypted)) { 865 wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " 866 "shorter length than full decrypted data " 867 "(%lu < %lu)", 868 (unsigned long) len, 869 (unsigned long) wpabuf_len(in_decrypted)); 870 } 871 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " 872 "identifier=%d length=%lu", hdr->code, hdr->identifier, 873 (unsigned long) len); 874 switch (hdr->code) { 875 case EAP_CODE_REQUEST: 876 if (eap_peap_phase2_request(sm, data, ret, in_decrypted, 877 &resp)) { 878 wpabuf_clear_free(in_decrypted); 879 wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " 880 "processing failed"); 881 return 0; 882 } 883 break; 884 case EAP_CODE_SUCCESS: 885 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); 886 if (data->peap_version == 1) { 887 /* EAP-Success within TLS tunnel is used to indicate 888 * shutdown of the TLS channel. The authentication has 889 * been completed. */ 890 if (data->phase2_eap_started && 891 !data->phase2_eap_success) { 892 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " 893 "Success used to indicate success, " 894 "but Phase 2 EAP was not yet " 895 "completed successfully"); 896 ret->methodState = METHOD_DONE; 897 ret->decision = DECISION_FAIL; 898 wpabuf_clear_free(in_decrypted); 899 return 0; 900 } 901 wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " 902 "EAP-Success within TLS tunnel - " 903 "authentication completed"); 904 ret->decision = DECISION_UNCOND_SUCC; 905 ret->methodState = METHOD_DONE; 906 data->phase2_success = 1; 907 if (data->peap_outer_success == 2) { 908 wpabuf_clear_free(in_decrypted); 909 wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " 910 "to finish authentication"); 911 return 1; 912 } else if (data->peap_outer_success == 1) { 913 /* Reply with EAP-Success within the TLS 914 * channel to complete the authentication. */ 915 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 916 if (resp) { 917 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 918 rhdr->code = EAP_CODE_SUCCESS; 919 rhdr->identifier = hdr->identifier; 920 rhdr->length = 921 host_to_be16(sizeof(*rhdr)); 922 } 923 } else { 924 /* No EAP-Success expected for Phase 1 (outer, 925 * unencrypted auth), so force EAP state 926 * machine to SUCCESS state. */ 927 sm->peap_done = true; 928 } 929 } else { 930 /* FIX: ? */ 931 } 932 break; 933 case EAP_CODE_FAILURE: 934 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); 935 ret->decision = DECISION_FAIL; 936 ret->methodState = METHOD_MAY_CONT; 937 ret->allowNotifications = false; 938 /* Reply with EAP-Failure within the TLS channel to complete 939 * failure reporting. */ 940 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 941 if (resp) { 942 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 943 rhdr->code = EAP_CODE_FAILURE; 944 rhdr->identifier = hdr->identifier; 945 rhdr->length = host_to_be16(sizeof(*rhdr)); 946 } 947 break; 948 default: 949 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " 950 "Phase 2 EAP header", hdr->code); 951 break; 952 } 953 954 wpabuf_clear_free(in_decrypted); 955 956 if (resp) { 957 int skip_change2 = 0; 958 struct wpabuf *rmsg, buf; 959 960 wpa_hexdump_buf_key(MSG_DEBUG, 961 "EAP-PEAP: Encrypting Phase 2 data", resp); 962 /* PEAP version changes */ 963 if (wpabuf_len(resp) >= 5 && 964 wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && 965 eap_get_type(resp) == EAP_TYPE_TLV) 966 skip_change2 = 1; 967 rmsg = resp; 968 if (data->peap_version == 0 && !skip_change2) { 969 wpabuf_set(&buf, wpabuf_head_u8(resp) + 970 sizeof(struct eap_hdr), 971 wpabuf_len(resp) - sizeof(struct eap_hdr)); 972 rmsg = &buf; 973 } 974 975 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 976 data->peap_version, req->identifier, 977 rmsg, out_data)) { 978 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " 979 "a Phase 2 frame"); 980 } 981 wpabuf_clear_free(resp); 982 } 983 984 return 0; 985 } 986 987 988 static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, 989 struct eap_method_ret *ret, 990 const struct wpabuf *reqData) 991 { 992 const struct eap_hdr *req; 993 size_t left; 994 int res; 995 u8 flags, id; 996 struct wpabuf *resp; 997 const u8 *pos; 998 struct eap_peap_data *data = priv; 999 struct wpabuf msg; 1000 1001 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, 1002 reqData, &left, &flags); 1003 if (pos == NULL) 1004 return NULL; 1005 req = wpabuf_head(reqData); 1006 id = req->identifier; 1007 1008 if (flags & EAP_TLS_FLAGS_START) { 1009 wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " 1010 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1011 data->peap_version); 1012 if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) 1013 data->peap_version = flags & EAP_TLS_VERSION_MASK; 1014 if (data->force_peap_version >= 0 && 1015 data->force_peap_version != data->peap_version) { 1016 wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " 1017 "forced PEAP version %d", 1018 data->force_peap_version); 1019 ret->methodState = METHOD_DONE; 1020 ret->decision = DECISION_FAIL; 1021 ret->allowNotifications = false; 1022 return NULL; 1023 } 1024 wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", 1025 data->peap_version); 1026 left = 0; /* make sure that this frame is empty, even though it 1027 * should always be, anyway */ 1028 } 1029 1030 wpabuf_set(&msg, pos, left); 1031 1032 resp = NULL; 1033 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1034 !data->resuming) { 1035 res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); 1036 } else { 1037 if (sm->waiting_ext_cert_check && data->pending_resp) { 1038 struct eap_peer_config *config = eap_get_config(sm); 1039 1040 if (config->pending_ext_cert_check == 1041 EXT_CERT_CHECK_GOOD) { 1042 wpa_printf(MSG_DEBUG, 1043 "EAP-PEAP: External certificate check succeeded - continue handshake"); 1044 resp = data->pending_resp; 1045 data->pending_resp = NULL; 1046 sm->waiting_ext_cert_check = 0; 1047 return resp; 1048 } 1049 1050 if (config->pending_ext_cert_check == 1051 EXT_CERT_CHECK_BAD) { 1052 wpa_printf(MSG_DEBUG, 1053 "EAP-PEAP: External certificate check failed - force authentication failure"); 1054 ret->methodState = METHOD_DONE; 1055 ret->decision = DECISION_FAIL; 1056 sm->waiting_ext_cert_check = 0; 1057 return NULL; 1058 } 1059 1060 wpa_printf(MSG_DEBUG, 1061 "EAP-PEAP: Continuing to wait external server certificate validation"); 1062 return NULL; 1063 } 1064 1065 res = eap_peer_tls_process_helper(sm, &data->ssl, 1066 EAP_TYPE_PEAP, 1067 data->peap_version, id, &msg, 1068 &resp); 1069 1070 if (res < 0) { 1071 wpa_printf(MSG_DEBUG, 1072 "EAP-PEAP: TLS processing failed"); 1073 ret->methodState = METHOD_DONE; 1074 ret->decision = DECISION_FAIL; 1075 return resp; 1076 } 1077 1078 1079 if (sm->waiting_ext_cert_check) { 1080 wpa_printf(MSG_DEBUG, 1081 "EAP-PEAP: Waiting external server certificate validation"); 1082 wpabuf_clear_free(data->pending_resp); 1083 data->pending_resp = resp; 1084 return NULL; 1085 } 1086 1087 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1088 const char *label; 1089 const u8 eap_tls13_context[1] = { EAP_TYPE_PEAP }; 1090 const u8 *context = NULL; 1091 size_t context_len = 0; 1092 1093 wpa_printf(MSG_DEBUG, 1094 "EAP-PEAP: TLS done, proceed to Phase 2"); 1095 eap_peap_free_key(data); 1096 /* draft-josefsson-ppext-eap-tls-eap-05.txt 1097 * specifies that PEAPv1 would use "client PEAP 1098 * encryption" as the label. However, most existing 1099 * PEAPv1 implementations seem to be using the old 1100 * label, "client EAP encryption", instead. Use the old 1101 * label by default, but allow it to be configured with 1102 * phase1 parameter peaplabel=1. 1103 * 1104 * When using TLS 1.3, draft-ietf-emu-tls-eap-types 1105 * defines a new set of label and context parameters. 1106 */ 1107 if (data->ssl.tls_v13) { 1108 label = "EXPORTER_EAP_TLS_Key_Material"; 1109 context = eap_tls13_context; 1110 context_len = sizeof(eap_tls13_context); 1111 } else if (data->force_new_label) { 1112 label = "client PEAP encryption"; 1113 } else { 1114 label = "client EAP encryption"; 1115 } 1116 wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " 1117 "key derivation", label); 1118 data->key_data = 1119 eap_peer_tls_derive_key(sm, &data->ssl, label, 1120 context, context_len, 1121 EAP_TLS_KEY_LEN + 1122 EAP_EMSK_LEN); 1123 if (data->key_data) { 1124 wpa_hexdump_key(MSG_DEBUG, 1125 "EAP-PEAP: Derived key", 1126 data->key_data, 1127 EAP_TLS_KEY_LEN); 1128 wpa_hexdump_key(MSG_DEBUG, 1129 "EAP-PEAP: Derived EMSK", 1130 data->key_data + 1131 EAP_TLS_KEY_LEN, 1132 EAP_EMSK_LEN); 1133 } else { 1134 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " 1135 "derive key"); 1136 } 1137 1138 os_free(data->session_id); 1139 data->session_id = 1140 eap_peer_tls_derive_session_id(sm, &data->ssl, 1141 EAP_TYPE_PEAP, 1142 &data->id_len); 1143 if (data->session_id) { 1144 wpa_hexdump(MSG_DEBUG, 1145 "EAP-PEAP: Derived Session-Id", 1146 data->session_id, data->id_len); 1147 } else { 1148 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to " 1149 "derive Session-Id"); 1150 } 1151 1152 if (sm->workaround && data->resuming) { 1153 /* 1154 * At least few RADIUS servers (Aegis v1.1.6; 1155 * but not v1.1.4; and Cisco ACS) seem to be 1156 * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco 1157 * ACS) session resumption with outer 1158 * EAP-Success. This does not seem to follow 1159 * draft-josefsson-pppext-eap-tls-eap-05.txt 1160 * section 4.2, so only allow this if EAP 1161 * workarounds are enabled. 1162 */ 1163 wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " 1164 "allow outer EAP-Success to " 1165 "terminate PEAP resumption"); 1166 ret->decision = DECISION_COND_SUCC; 1167 data->phase2_success = 1; 1168 } 1169 1170 data->resuming = 0; 1171 } 1172 1173 if (res == 2) { 1174 /* 1175 * Application data included in the handshake message. 1176 */ 1177 wpabuf_clear_free(data->pending_phase2_req); 1178 data->pending_phase2_req = resp; 1179 resp = NULL; 1180 res = eap_peap_decrypt(sm, data, ret, req, &msg, 1181 &resp); 1182 } 1183 } 1184 1185 if (ret->methodState == METHOD_DONE) { 1186 ret->allowNotifications = false; 1187 } 1188 1189 if (res == 1) { 1190 wpabuf_clear_free(resp); 1191 return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, 1192 data->peap_version); 1193 } 1194 1195 return resp; 1196 } 1197 1198 1199 static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) 1200 { 1201 struct eap_peap_data *data = priv; 1202 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1203 data->phase2_success; 1204 } 1205 1206 1207 static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) 1208 { 1209 struct eap_peap_data *data = priv; 1210 1211 if (data->phase2_priv && data->phase2_method && 1212 data->phase2_method->deinit_for_reauth) 1213 data->phase2_method->deinit_for_reauth(sm, data->phase2_priv); 1214 wpabuf_clear_free(data->pending_phase2_req); 1215 data->pending_phase2_req = NULL; 1216 wpabuf_clear_free(data->pending_resp); 1217 data->pending_resp = NULL; 1218 data->crypto_binding_used = 0; 1219 } 1220 1221 1222 static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) 1223 { 1224 struct eap_peap_data *data = priv; 1225 eap_peap_free_key(data); 1226 os_free(data->session_id); 1227 data->session_id = NULL; 1228 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1229 os_free(data); 1230 return NULL; 1231 } 1232 if (data->phase2_priv && data->phase2_method && 1233 data->phase2_method->init_for_reauth) 1234 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1235 data->phase2_success = 0; 1236 data->phase2_eap_success = 0; 1237 data->phase2_eap_started = 0; 1238 data->resuming = 1; 1239 data->reauth = 1; 1240 sm->peap_done = false; 1241 return priv; 1242 } 1243 1244 1245 static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, 1246 size_t buflen, int verbose) 1247 { 1248 struct eap_peap_data *data = priv; 1249 int len, ret; 1250 1251 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1252 if (data->phase2_method) { 1253 ret = os_snprintf(buf + len, buflen - len, 1254 "EAP-PEAPv%d Phase2 method=%s\n", 1255 data->peap_version, 1256 data->phase2_method->name); 1257 if (os_snprintf_error(buflen - len, ret)) 1258 return len; 1259 len += ret; 1260 } 1261 return len; 1262 } 1263 1264 1265 static bool eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) 1266 { 1267 struct eap_peap_data *data = priv; 1268 return data->key_data != NULL && data->phase2_success; 1269 } 1270 1271 1272 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1273 { 1274 struct eap_peap_data *data = priv; 1275 u8 *key; 1276 1277 if (data->key_data == NULL || !data->phase2_success) 1278 return NULL; 1279 1280 key = os_malloc(EAP_TLS_KEY_LEN); 1281 if (key == NULL) 1282 return NULL; 1283 1284 *len = EAP_TLS_KEY_LEN; 1285 1286 if (data->crypto_binding_used) { 1287 u8 csk[128]; 1288 /* 1289 * Note: It looks like Microsoft implementation requires null 1290 * termination for this label while the one used for deriving 1291 * IPMK|CMK did not use null termination. 1292 */ 1293 if (peap_prfplus(data->peap_version, data->ipmk, 40, 1294 "Session Key Generating Function", 1295 (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { 1296 os_free(key); 1297 return NULL; 1298 } 1299 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); 1300 os_memcpy(key, csk, EAP_TLS_KEY_LEN); 1301 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", 1302 key, EAP_TLS_KEY_LEN); 1303 forced_memzero(csk, sizeof(csk)); 1304 } else 1305 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1306 1307 return key; 1308 } 1309 1310 1311 static u8 * eap_peap_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1312 { 1313 struct eap_peap_data *data = priv; 1314 u8 *key; 1315 1316 if (!data->key_data || !data->phase2_success) 1317 return NULL; 1318 1319 if (data->crypto_binding_used) { 1320 /* [MS-PEAP] does not define EMSK derivation */ 1321 return NULL; 1322 } 1323 1324 key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN); 1325 if (!key) 1326 return NULL; 1327 1328 *len = EAP_EMSK_LEN; 1329 1330 return key; 1331 } 1332 1333 1334 static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1335 { 1336 struct eap_peap_data *data = priv; 1337 u8 *id; 1338 1339 if (data->session_id == NULL || !data->phase2_success) 1340 return NULL; 1341 1342 id = os_memdup(data->session_id, data->id_len); 1343 if (id == NULL) 1344 return NULL; 1345 1346 *len = data->id_len; 1347 1348 return id; 1349 } 1350 1351 1352 int eap_peer_peap_register(void) 1353 { 1354 struct eap_method *eap; 1355 1356 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1357 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); 1358 if (eap == NULL) 1359 return -1; 1360 1361 eap->init = eap_peap_init; 1362 eap->deinit = eap_peap_deinit; 1363 eap->process = eap_peap_process; 1364 eap->isKeyAvailable = eap_peap_isKeyAvailable; 1365 eap->getKey = eap_peap_getKey; 1366 eap->get_emsk = eap_peap_get_emsk; 1367 eap->get_status = eap_peap_get_status; 1368 eap->has_reauth_data = eap_peap_has_reauth_data; 1369 eap->deinit_for_reauth = eap_peap_deinit_for_reauth; 1370 eap->init_for_reauth = eap_peap_init_for_reauth; 1371 eap->getSessionId = eap_peap_get_session_id; 1372 1373 return eap_peer_method_register(eap); 1374 } 1375