1 /* 2 * EAP peer method: EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/ms_funcs.h" 13 #include "crypto/sha1.h" 14 #include "crypto/tls.h" 15 #include "eap_common/chap.h" 16 #include "eap_common/eap_ttls.h" 17 #include "mschapv2.h" 18 #include "eap_i.h" 19 #include "eap_tls_common.h" 20 #include "eap_config.h" 21 22 23 #define EAP_TTLS_VERSION 0 24 25 26 static void eap_ttls_deinit(struct eap_sm *sm, void *priv); 27 28 29 struct eap_ttls_data { 30 struct eap_ssl_data ssl; 31 32 int ttls_version; 33 34 const struct eap_method *phase2_method; 35 void *phase2_priv; 36 int phase2_success; 37 int phase2_start; 38 39 enum phase2_types { 40 EAP_TTLS_PHASE2_EAP, 41 EAP_TTLS_PHASE2_MSCHAPV2, 42 EAP_TTLS_PHASE2_MSCHAP, 43 EAP_TTLS_PHASE2_PAP, 44 EAP_TTLS_PHASE2_CHAP 45 } phase2_type; 46 struct eap_method_type phase2_eap_type; 47 struct eap_method_type *phase2_eap_types; 48 size_t num_phase2_eap_types; 49 50 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN]; 51 int auth_response_valid; 52 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */ 53 u8 ident; 54 int resuming; /* starting a resumed session */ 55 int reauth; /* reauthentication */ 56 u8 *key_data; 57 u8 *session_id; 58 size_t id_len; 59 60 struct wpabuf *pending_phase2_req; 61 62 #ifdef EAP_TNC 63 int ready_for_tnc; 64 int tnc_started; 65 #endif /* EAP_TNC */ 66 }; 67 68 69 static void * eap_ttls_init(struct eap_sm *sm) 70 { 71 struct eap_ttls_data *data; 72 struct eap_peer_config *config = eap_get_config(sm); 73 char *selected; 74 75 data = os_zalloc(sizeof(*data)); 76 if (data == NULL) 77 return NULL; 78 data->ttls_version = EAP_TTLS_VERSION; 79 selected = "EAP"; 80 data->phase2_type = EAP_TTLS_PHASE2_EAP; 81 82 if (config && config->phase2) { 83 if (os_strstr(config->phase2, "autheap=")) { 84 selected = "EAP"; 85 data->phase2_type = EAP_TTLS_PHASE2_EAP; 86 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { 87 selected = "MSCHAPV2"; 88 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; 89 } else if (os_strstr(config->phase2, "auth=MSCHAP")) { 90 selected = "MSCHAP"; 91 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; 92 } else if (os_strstr(config->phase2, "auth=PAP")) { 93 selected = "PAP"; 94 data->phase2_type = EAP_TTLS_PHASE2_PAP; 95 } else if (os_strstr(config->phase2, "auth=CHAP")) { 96 selected = "CHAP"; 97 data->phase2_type = EAP_TTLS_PHASE2_CHAP; 98 } 99 } 100 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); 101 102 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) { 103 if (eap_peer_select_phase2_methods(config, "autheap=", 104 &data->phase2_eap_types, 105 &data->num_phase2_eap_types) 106 < 0) { 107 eap_ttls_deinit(sm, data); 108 return NULL; 109 } 110 111 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 112 data->phase2_eap_type.method = EAP_TYPE_NONE; 113 } 114 115 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) { 116 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 117 eap_ttls_deinit(sm, data); 118 return NULL; 119 } 120 121 return data; 122 } 123 124 125 static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, 126 struct eap_ttls_data *data) 127 { 128 if (data->phase2_priv && data->phase2_method) { 129 data->phase2_method->deinit(sm, data->phase2_priv); 130 data->phase2_method = NULL; 131 data->phase2_priv = NULL; 132 } 133 } 134 135 136 static void eap_ttls_free_key(struct eap_ttls_data *data) 137 { 138 if (data->key_data) { 139 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); 140 data->key_data = NULL; 141 } 142 } 143 144 145 static void eap_ttls_deinit(struct eap_sm *sm, void *priv) 146 { 147 struct eap_ttls_data *data = priv; 148 if (data == NULL) 149 return; 150 eap_ttls_phase2_eap_deinit(sm, data); 151 os_free(data->phase2_eap_types); 152 eap_peer_tls_ssl_deinit(sm, &data->ssl); 153 eap_ttls_free_key(data); 154 os_free(data->session_id); 155 wpabuf_free(data->pending_phase2_req); 156 os_free(data); 157 } 158 159 160 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 161 int mandatory, size_t len) 162 { 163 struct ttls_avp_vendor *avp; 164 u8 flags; 165 size_t hdrlen; 166 167 avp = (struct ttls_avp_vendor *) avphdr; 168 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 169 if (vendor_id) { 170 flags |= AVP_FLAGS_VENDOR; 171 hdrlen = sizeof(*avp); 172 avp->vendor_id = host_to_be32(vendor_id); 173 } else { 174 hdrlen = sizeof(struct ttls_avp); 175 } 176 177 avp->avp_code = host_to_be32(avp_code); 178 avp->avp_length = host_to_be32(((u32) flags << 24) | 179 (u32) (hdrlen + len)); 180 181 return avphdr + hdrlen; 182 } 183 184 185 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code, 186 u32 vendor_id, int mandatory, 187 const u8 *data, size_t len) 188 { 189 u8 *pos; 190 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len); 191 os_memcpy(pos, data, len); 192 pos += len; 193 AVP_PAD(start, pos); 194 return pos; 195 } 196 197 198 static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code, 199 int mandatory) 200 { 201 struct wpabuf *msg; 202 u8 *avp, *pos; 203 204 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4); 205 if (msg == NULL) { 206 wpabuf_free(*resp); 207 *resp = NULL; 208 return -1; 209 } 210 211 avp = wpabuf_mhead(msg); 212 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp)); 213 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp)); 214 pos += wpabuf_len(*resp); 215 AVP_PAD(avp, pos); 216 wpabuf_free(*resp); 217 wpabuf_put(msg, pos - avp); 218 *resp = msg; 219 return 0; 220 } 221 222 223 static int eap_ttls_v0_derive_key(struct eap_sm *sm, 224 struct eap_ttls_data *data) 225 { 226 eap_ttls_free_key(data); 227 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, 228 "ttls keying material", 229 EAP_TLS_KEY_LEN + 230 EAP_EMSK_LEN); 231 if (!data->key_data) { 232 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key"); 233 return -1; 234 } 235 236 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 237 data->key_data, EAP_TLS_KEY_LEN); 238 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived EMSK", 239 data->key_data + EAP_TLS_KEY_LEN, 240 EAP_EMSK_LEN); 241 242 os_free(data->session_id); 243 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl, 244 EAP_TYPE_TTLS, 245 &data->id_len); 246 if (data->session_id) { 247 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id", 248 data->session_id, data->id_len); 249 } else { 250 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id"); 251 } 252 253 return 0; 254 } 255 256 257 #ifndef CONFIG_FIPS 258 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 259 struct eap_ttls_data *data, size_t len) 260 { 261 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len); 262 } 263 #endif /* CONFIG_FIPS */ 264 265 266 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data, 267 u8 method) 268 { 269 size_t i; 270 for (i = 0; i < data->num_phase2_eap_types; i++) { 271 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF || 272 data->phase2_eap_types[i].method != method) 273 continue; 274 275 data->phase2_eap_type.vendor = 276 data->phase2_eap_types[i].vendor; 277 data->phase2_eap_type.method = 278 data->phase2_eap_types[i].method; 279 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 280 "Phase 2 EAP vendor %d method %d", 281 data->phase2_eap_type.vendor, 282 data->phase2_eap_type.method); 283 break; 284 } 285 } 286 287 288 static int eap_ttls_phase2_eap_process(struct eap_sm *sm, 289 struct eap_ttls_data *data, 290 struct eap_method_ret *ret, 291 struct eap_hdr *hdr, size_t len, 292 struct wpabuf **resp) 293 { 294 struct wpabuf msg; 295 struct eap_method_ret iret; 296 297 os_memset(&iret, 0, sizeof(iret)); 298 wpabuf_set(&msg, hdr, len); 299 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret, 300 &msg); 301 if ((iret.methodState == METHOD_DONE || 302 iret.methodState == METHOD_MAY_CONT) && 303 (iret.decision == DECISION_UNCOND_SUCC || 304 iret.decision == DECISION_COND_SUCC || 305 iret.decision == DECISION_FAIL)) { 306 ret->methodState = iret.methodState; 307 ret->decision = iret.decision; 308 } 309 310 return 0; 311 } 312 313 314 static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm, 315 struct eap_ttls_data *data, 316 struct eap_method_ret *ret, 317 struct eap_hdr *hdr, size_t len, 318 u8 method, struct wpabuf **resp) 319 { 320 #ifdef EAP_TNC 321 if (data->tnc_started && data->phase2_method && 322 data->phase2_priv && method == EAP_TYPE_TNC && 323 data->phase2_eap_type.method == EAP_TYPE_TNC) 324 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, 325 resp); 326 327 if (data->ready_for_tnc && !data->tnc_started && 328 method == EAP_TYPE_TNC) { 329 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 330 "EAP method"); 331 data->tnc_started = 1; 332 } 333 334 if (data->tnc_started) { 335 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF || 336 data->phase2_eap_type.method == EAP_TYPE_TNC) { 337 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP " 338 "type %d for TNC", method); 339 return -1; 340 } 341 342 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 343 data->phase2_eap_type.method = method; 344 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 345 "Phase 2 EAP vendor %d method %d (TNC)", 346 data->phase2_eap_type.vendor, 347 data->phase2_eap_type.method); 348 349 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) 350 eap_ttls_phase2_eap_deinit(sm, data); 351 } 352 #endif /* EAP_TNC */ 353 354 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF && 355 data->phase2_eap_type.method == EAP_TYPE_NONE) 356 eap_ttls_phase2_select_eap_method(data, method); 357 358 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE) 359 { 360 if (eap_peer_tls_phase2_nak(data->phase2_eap_types, 361 data->num_phase2_eap_types, 362 hdr, resp)) 363 return -1; 364 return 0; 365 } 366 367 if (data->phase2_priv == NULL) { 368 data->phase2_method = eap_peer_get_eap_method( 369 EAP_VENDOR_IETF, method); 370 if (data->phase2_method) { 371 sm->init_phase2 = 1; 372 data->phase2_priv = data->phase2_method->init(sm); 373 sm->init_phase2 = 0; 374 } 375 } 376 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 377 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize " 378 "Phase 2 EAP method %d", method); 379 return -1; 380 } 381 382 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp); 383 } 384 385 386 static int eap_ttls_phase2_request_eap(struct eap_sm *sm, 387 struct eap_ttls_data *data, 388 struct eap_method_ret *ret, 389 struct eap_hdr *hdr, 390 struct wpabuf **resp) 391 { 392 size_t len = be_to_host16(hdr->length); 393 u8 *pos; 394 struct eap_peer_config *config = eap_get_config(sm); 395 396 if (len <= sizeof(struct eap_hdr)) { 397 wpa_printf(MSG_INFO, "EAP-TTLS: too short " 398 "Phase 2 request (len=%lu)", (unsigned long) len); 399 return -1; 400 } 401 pos = (u8 *) (hdr + 1); 402 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos); 403 switch (*pos) { 404 case EAP_TYPE_IDENTITY: 405 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 406 break; 407 default: 408 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len, 409 *pos, resp) < 0) 410 return -1; 411 break; 412 } 413 414 if (*resp == NULL && 415 (config->pending_req_identity || config->pending_req_password || 416 config->pending_req_otp)) { 417 return 0; 418 } 419 420 if (*resp == NULL) 421 return -1; 422 423 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response", 424 *resp); 425 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1); 426 } 427 428 429 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm, 430 struct eap_ttls_data *data, 431 struct eap_method_ret *ret, 432 struct wpabuf **resp) 433 { 434 #ifdef CONFIG_FIPS 435 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPV2 not supported in FIPS build"); 436 return -1; 437 #else /* CONFIG_FIPS */ 438 #ifdef EAP_MSCHAPv2 439 struct wpabuf *msg; 440 u8 *buf, *pos, *challenge, *peer_challenge; 441 const u8 *identity, *password; 442 size_t identity_len, password_len; 443 int pwhash; 444 445 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request"); 446 447 identity = eap_get_config_identity(sm, &identity_len); 448 password = eap_get_config_password2(sm, &password_len, &pwhash); 449 if (identity == NULL || password == NULL) 450 return -1; 451 452 msg = wpabuf_alloc(identity_len + 1000); 453 if (msg == NULL) { 454 wpa_printf(MSG_ERROR, 455 "EAP-TTLS/MSCHAPV2: Failed to allocate memory"); 456 return -1; 457 } 458 pos = buf = wpabuf_mhead(msg); 459 460 /* User-Name */ 461 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 462 identity, identity_len); 463 464 /* MS-CHAP-Challenge */ 465 challenge = eap_ttls_implicit_challenge( 466 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 467 if (challenge == NULL) { 468 wpabuf_free(msg); 469 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 470 "implicit challenge"); 471 return -1; 472 } 473 474 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 475 RADIUS_VENDOR_ID_MICROSOFT, 1, 476 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 477 478 /* MS-CHAP2-Response */ 479 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE, 480 RADIUS_VENDOR_ID_MICROSOFT, 1, 481 EAP_TTLS_MSCHAPV2_RESPONSE_LEN); 482 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; 483 *pos++ = data->ident; 484 *pos++ = 0; /* Flags */ 485 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) { 486 os_free(challenge); 487 wpabuf_free(msg); 488 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get " 489 "random data for peer challenge"); 490 return -1; 491 } 492 peer_challenge = pos; 493 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 494 os_memset(pos, 0, 8); /* Reserved, must be zero */ 495 pos += 8; 496 if (mschapv2_derive_response(identity, identity_len, password, 497 password_len, pwhash, challenge, 498 peer_challenge, pos, data->auth_response, 499 data->master_key)) { 500 os_free(challenge); 501 wpabuf_free(msg); 502 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 503 "response"); 504 return -1; 505 } 506 data->auth_response_valid = 1; 507 508 pos += 24; 509 os_free(challenge); 510 AVP_PAD(buf, pos); 511 512 wpabuf_put(msg, pos - buf); 513 *resp = msg; 514 515 return 0; 516 #else /* EAP_MSCHAPv2 */ 517 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 518 return -1; 519 #endif /* EAP_MSCHAPv2 */ 520 #endif /* CONFIG_FIPS */ 521 } 522 523 524 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm, 525 struct eap_ttls_data *data, 526 struct eap_method_ret *ret, 527 struct wpabuf **resp) 528 { 529 #ifdef CONFIG_FIPS 530 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAP not supported in FIPS build"); 531 return -1; 532 #else /* CONFIG_FIPS */ 533 struct wpabuf *msg; 534 u8 *buf, *pos, *challenge; 535 const u8 *identity, *password; 536 size_t identity_len, password_len; 537 int pwhash; 538 539 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request"); 540 541 identity = eap_get_config_identity(sm, &identity_len); 542 password = eap_get_config_password2(sm, &password_len, &pwhash); 543 if (identity == NULL || password == NULL) 544 return -1; 545 546 msg = wpabuf_alloc(identity_len + 1000); 547 if (msg == NULL) { 548 wpa_printf(MSG_ERROR, 549 "EAP-TTLS/MSCHAP: Failed to allocate memory"); 550 return -1; 551 } 552 pos = buf = wpabuf_mhead(msg); 553 554 /* User-Name */ 555 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 556 identity, identity_len); 557 558 /* MS-CHAP-Challenge */ 559 challenge = eap_ttls_implicit_challenge( 560 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 561 if (challenge == NULL) { 562 wpabuf_free(msg); 563 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive " 564 "implicit challenge"); 565 return -1; 566 } 567 568 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 569 RADIUS_VENDOR_ID_MICROSOFT, 1, 570 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 571 572 /* MS-CHAP-Response */ 573 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE, 574 RADIUS_VENDOR_ID_MICROSOFT, 1, 575 EAP_TTLS_MSCHAP_RESPONSE_LEN); 576 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN]; 577 *pos++ = data->ident; 578 *pos++ = 1; /* Flags: Use NT style passwords */ 579 os_memset(pos, 0, 24); /* LM-Response */ 580 pos += 24; 581 if (pwhash) { 582 challenge_response(challenge, password, pos); /* NT-Response */ 583 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash", 584 password, 16); 585 } else { 586 nt_challenge_response(challenge, password, password_len, 587 pos); /* NT-Response */ 588 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", 589 password, password_len); 590 } 591 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge", 592 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 593 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24); 594 pos += 24; 595 os_free(challenge); 596 AVP_PAD(buf, pos); 597 598 wpabuf_put(msg, pos - buf); 599 *resp = msg; 600 601 /* EAP-TTLS/MSCHAP does not provide tunneled success 602 * notification, so assume that Phase2 succeeds. */ 603 ret->methodState = METHOD_DONE; 604 ret->decision = DECISION_COND_SUCC; 605 606 return 0; 607 #endif /* CONFIG_FIPS */ 608 } 609 610 611 static int eap_ttls_phase2_request_pap(struct eap_sm *sm, 612 struct eap_ttls_data *data, 613 struct eap_method_ret *ret, 614 struct wpabuf **resp) 615 { 616 struct wpabuf *msg; 617 u8 *buf, *pos; 618 size_t pad; 619 const u8 *identity, *password; 620 size_t identity_len, password_len; 621 622 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request"); 623 624 identity = eap_get_config_identity(sm, &identity_len); 625 password = eap_get_config_password(sm, &password_len); 626 if (identity == NULL || password == NULL) 627 return -1; 628 629 msg = wpabuf_alloc(identity_len + password_len + 100); 630 if (msg == NULL) { 631 wpa_printf(MSG_ERROR, 632 "EAP-TTLS/PAP: Failed to allocate memory"); 633 return -1; 634 } 635 pos = buf = wpabuf_mhead(msg); 636 637 /* User-Name */ 638 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 639 identity, identity_len); 640 641 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts 642 * the data, so no separate encryption is used in the AVP itself. 643 * However, the password is padded to obfuscate its length. */ 644 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15; 645 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, 646 password_len + pad); 647 os_memcpy(pos, password, password_len); 648 pos += password_len; 649 os_memset(pos, 0, pad); 650 pos += pad; 651 AVP_PAD(buf, pos); 652 653 wpabuf_put(msg, pos - buf); 654 *resp = msg; 655 656 /* EAP-TTLS/PAP does not provide tunneled success notification, 657 * so assume that Phase2 succeeds. */ 658 ret->methodState = METHOD_DONE; 659 ret->decision = DECISION_COND_SUCC; 660 661 return 0; 662 } 663 664 665 static int eap_ttls_phase2_request_chap(struct eap_sm *sm, 666 struct eap_ttls_data *data, 667 struct eap_method_ret *ret, 668 struct wpabuf **resp) 669 { 670 #ifdef CONFIG_FIPS 671 wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build"); 672 return -1; 673 #else /* CONFIG_FIPS */ 674 struct wpabuf *msg; 675 u8 *buf, *pos, *challenge; 676 const u8 *identity, *password; 677 size_t identity_len, password_len; 678 679 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request"); 680 681 identity = eap_get_config_identity(sm, &identity_len); 682 password = eap_get_config_password(sm, &password_len); 683 if (identity == NULL || password == NULL) 684 return -1; 685 686 msg = wpabuf_alloc(identity_len + 1000); 687 if (msg == NULL) { 688 wpa_printf(MSG_ERROR, 689 "EAP-TTLS/CHAP: Failed to allocate memory"); 690 return -1; 691 } 692 pos = buf = wpabuf_mhead(msg); 693 694 /* User-Name */ 695 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 696 identity, identity_len); 697 698 /* CHAP-Challenge */ 699 challenge = eap_ttls_implicit_challenge( 700 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 701 if (challenge == NULL) { 702 wpabuf_free(msg); 703 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive " 704 "implicit challenge"); 705 return -1; 706 } 707 708 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1, 709 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 710 711 /* CHAP-Password */ 712 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1, 713 1 + EAP_TTLS_CHAP_PASSWORD_LEN); 714 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN]; 715 *pos++ = data->ident; 716 717 /* MD5(Ident + Password + Challenge) */ 718 chap_md5(data->ident, password, password_len, challenge, 719 EAP_TTLS_CHAP_CHALLENGE_LEN, pos); 720 721 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username", 722 identity, identity_len); 723 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password", 724 password, password_len); 725 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge", 726 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 727 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password", 728 pos, EAP_TTLS_CHAP_PASSWORD_LEN); 729 pos += EAP_TTLS_CHAP_PASSWORD_LEN; 730 os_free(challenge); 731 AVP_PAD(buf, pos); 732 733 wpabuf_put(msg, pos - buf); 734 *resp = msg; 735 736 /* EAP-TTLS/CHAP does not provide tunneled success 737 * notification, so assume that Phase2 succeeds. */ 738 ret->methodState = METHOD_DONE; 739 ret->decision = DECISION_COND_SUCC; 740 741 return 0; 742 #endif /* CONFIG_FIPS */ 743 } 744 745 746 static int eap_ttls_phase2_request(struct eap_sm *sm, 747 struct eap_ttls_data *data, 748 struct eap_method_ret *ret, 749 struct eap_hdr *hdr, 750 struct wpabuf **resp) 751 { 752 int res = 0; 753 size_t len; 754 enum phase2_types phase2_type = data->phase2_type; 755 756 #ifdef EAP_TNC 757 if (data->tnc_started) { 758 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC"); 759 phase2_type = EAP_TTLS_PHASE2_EAP; 760 } 761 #endif /* EAP_TNC */ 762 763 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 || 764 phase2_type == EAP_TTLS_PHASE2_MSCHAP || 765 phase2_type == EAP_TTLS_PHASE2_PAP || 766 phase2_type == EAP_TTLS_PHASE2_CHAP) { 767 if (eap_get_config_identity(sm, &len) == NULL) { 768 wpa_printf(MSG_INFO, 769 "EAP-TTLS: Identity not configured"); 770 eap_sm_request_identity(sm); 771 if (eap_get_config_password(sm, &len) == NULL) 772 eap_sm_request_password(sm); 773 return 0; 774 } 775 776 if (eap_get_config_password(sm, &len) == NULL) { 777 wpa_printf(MSG_INFO, 778 "EAP-TTLS: Password not configured"); 779 eap_sm_request_password(sm); 780 return 0; 781 } 782 } 783 784 switch (phase2_type) { 785 case EAP_TTLS_PHASE2_EAP: 786 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp); 787 break; 788 case EAP_TTLS_PHASE2_MSCHAPV2: 789 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp); 790 break; 791 case EAP_TTLS_PHASE2_MSCHAP: 792 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp); 793 break; 794 case EAP_TTLS_PHASE2_PAP: 795 res = eap_ttls_phase2_request_pap(sm, data, ret, resp); 796 break; 797 case EAP_TTLS_PHASE2_CHAP: 798 res = eap_ttls_phase2_request_chap(sm, data, ret, resp); 799 break; 800 default: 801 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown"); 802 res = -1; 803 break; 804 } 805 806 if (res < 0) { 807 ret->methodState = METHOD_DONE; 808 ret->decision = DECISION_FAIL; 809 } 810 811 return res; 812 } 813 814 815 struct ttls_parse_avp { 816 u8 *mschapv2; 817 u8 *eapdata; 818 size_t eap_len; 819 int mschapv2_error; 820 }; 821 822 823 static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen, 824 struct ttls_parse_avp *parse) 825 { 826 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 827 if (parse->eapdata == NULL) { 828 parse->eapdata = os_malloc(dlen); 829 if (parse->eapdata == NULL) { 830 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 831 "memory for Phase 2 EAP data"); 832 return -1; 833 } 834 os_memcpy(parse->eapdata, dpos, dlen); 835 parse->eap_len = dlen; 836 } else { 837 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen); 838 if (neweap == NULL) { 839 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 840 "memory for Phase 2 EAP data"); 841 return -1; 842 } 843 os_memcpy(neweap + parse->eap_len, dpos, dlen); 844 parse->eapdata = neweap; 845 parse->eap_len += dlen; 846 } 847 848 return 0; 849 } 850 851 852 static int eap_ttls_parse_avp(u8 *pos, size_t left, 853 struct ttls_parse_avp *parse) 854 { 855 struct ttls_avp *avp; 856 u32 avp_code, avp_length, vendor_id = 0; 857 u8 avp_flags, *dpos; 858 size_t dlen; 859 860 avp = (struct ttls_avp *) pos; 861 avp_code = be_to_host32(avp->avp_code); 862 avp_length = be_to_host32(avp->avp_length); 863 avp_flags = (avp_length >> 24) & 0xff; 864 avp_length &= 0xffffff; 865 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 866 "length=%d", (int) avp_code, avp_flags, 867 (int) avp_length); 868 869 if (avp_length > left) { 870 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 871 "(len=%d, left=%lu) - dropped", 872 (int) avp_length, (unsigned long) left); 873 return -1; 874 } 875 876 if (avp_length < sizeof(*avp)) { 877 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d", 878 avp_length); 879 return -1; 880 } 881 882 dpos = (u8 *) (avp + 1); 883 dlen = avp_length - sizeof(*avp); 884 if (avp_flags & AVP_FLAGS_VENDOR) { 885 if (dlen < 4) { 886 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP " 887 "underflow"); 888 return -1; 889 } 890 vendor_id = WPA_GET_BE32(dpos); 891 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 892 (int) vendor_id); 893 dpos += 4; 894 dlen -= 4; 895 } 896 897 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 898 899 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 900 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0) 901 return -1; 902 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) { 903 /* This is an optional message that can be displayed to 904 * the user. */ 905 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message", 906 dpos, dlen); 907 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 908 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) { 909 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success", 910 dpos, dlen); 911 if (dlen != 43) { 912 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected " 913 "MS-CHAP2-Success length " 914 "(len=%lu, expected 43)", 915 (unsigned long) dlen); 916 return -1; 917 } 918 parse->mschapv2 = dpos; 919 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 920 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) { 921 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error", 922 dpos, dlen); 923 parse->mschapv2_error = 1; 924 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 925 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP " 926 "code %d vendor_id %d - dropped", 927 (int) avp_code, (int) vendor_id); 928 return -1; 929 } else { 930 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP " 931 "code %d vendor_id %d", 932 (int) avp_code, (int) vendor_id); 933 } 934 935 return avp_length; 936 } 937 938 939 static int eap_ttls_parse_avps(struct wpabuf *in_decrypted, 940 struct ttls_parse_avp *parse) 941 { 942 u8 *pos; 943 size_t left, pad; 944 int avp_length; 945 946 pos = wpabuf_mhead(in_decrypted); 947 left = wpabuf_len(in_decrypted); 948 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left); 949 if (left < sizeof(struct ttls_avp)) { 950 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame" 951 " len=%lu expected %lu or more - dropped", 952 (unsigned long) left, 953 (unsigned long) sizeof(struct ttls_avp)); 954 return -1; 955 } 956 957 /* Parse AVPs */ 958 os_memset(parse, 0, sizeof(*parse)); 959 960 while (left > 0) { 961 avp_length = eap_ttls_parse_avp(pos, left, parse); 962 if (avp_length < 0) 963 return -1; 964 965 pad = (4 - (avp_length & 3)) & 3; 966 pos += avp_length + pad; 967 if (left < avp_length + pad) 968 left = 0; 969 else 970 left -= avp_length + pad; 971 } 972 973 return 0; 974 } 975 976 977 static u8 * eap_ttls_fake_identity_request(void) 978 { 979 struct eap_hdr *hdr; 980 u8 *buf; 981 982 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of " 983 "Phase 2 - use fake EAP-Request Identity"); 984 buf = os_malloc(sizeof(*hdr) + 1); 985 if (buf == NULL) { 986 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate " 987 "memory for fake EAP-Identity Request"); 988 return NULL; 989 } 990 991 hdr = (struct eap_hdr *) buf; 992 hdr->code = EAP_CODE_REQUEST; 993 hdr->identifier = 0; 994 hdr->length = host_to_be16(sizeof(*hdr) + 1); 995 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY; 996 997 return buf; 998 } 999 1000 1001 static int eap_ttls_encrypt_response(struct eap_sm *sm, 1002 struct eap_ttls_data *data, 1003 struct wpabuf *resp, u8 identifier, 1004 struct wpabuf **out_data) 1005 { 1006 if (resp == NULL) 1007 return 0; 1008 1009 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data", 1010 resp); 1011 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 1012 data->ttls_version, identifier, 1013 resp, out_data)) { 1014 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 " 1015 "frame"); 1016 wpabuf_free(resp); 1017 return -1; 1018 } 1019 wpabuf_free(resp); 1020 1021 return 0; 1022 } 1023 1024 1025 static int eap_ttls_process_phase2_eap(struct eap_sm *sm, 1026 struct eap_ttls_data *data, 1027 struct eap_method_ret *ret, 1028 struct ttls_parse_avp *parse, 1029 struct wpabuf **resp) 1030 { 1031 struct eap_hdr *hdr; 1032 size_t len; 1033 1034 if (parse->eapdata == NULL) { 1035 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the " 1036 "packet - dropped"); 1037 return -1; 1038 } 1039 1040 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP", 1041 parse->eapdata, parse->eap_len); 1042 hdr = (struct eap_hdr *) parse->eapdata; 1043 1044 if (parse->eap_len < sizeof(*hdr)) { 1045 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP " 1046 "frame (len=%lu, expected %lu or more) - dropped", 1047 (unsigned long) parse->eap_len, 1048 (unsigned long) sizeof(*hdr)); 1049 return -1; 1050 } 1051 len = be_to_host16(hdr->length); 1052 if (len > parse->eap_len) { 1053 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 " 1054 "EAP frame (EAP hdr len=%lu, EAP data len in " 1055 "AVP=%lu)", 1056 (unsigned long) len, 1057 (unsigned long) parse->eap_len); 1058 return -1; 1059 } 1060 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d " 1061 "identifier=%d length=%lu", 1062 hdr->code, hdr->identifier, (unsigned long) len); 1063 switch (hdr->code) { 1064 case EAP_CODE_REQUEST: 1065 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) { 1066 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1067 "processing failed"); 1068 return -1; 1069 } 1070 break; 1071 default: 1072 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in " 1073 "Phase 2 EAP header", hdr->code); 1074 return -1; 1075 } 1076 1077 return 0; 1078 } 1079 1080 1081 static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 1082 struct eap_ttls_data *data, 1083 struct eap_method_ret *ret, 1084 struct ttls_parse_avp *parse) 1085 { 1086 #ifdef EAP_MSCHAPv2 1087 if (parse->mschapv2_error) { 1088 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received " 1089 "MS-CHAP-Error - failed"); 1090 ret->methodState = METHOD_DONE; 1091 ret->decision = DECISION_FAIL; 1092 /* Reply with empty data to ACK error */ 1093 return 1; 1094 } 1095 1096 if (parse->mschapv2 == NULL) { 1097 #ifdef EAP_TNC 1098 if (data->phase2_success && parse->eapdata) { 1099 /* 1100 * Allow EAP-TNC to be started after successfully 1101 * completed MSCHAPV2. 1102 */ 1103 return 1; 1104 } 1105 #endif /* EAP_TNC */ 1106 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP " 1107 "received for Phase2 MSCHAPV2"); 1108 return -1; 1109 } 1110 if (parse->mschapv2[0] != data->ident) { 1111 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 " 1112 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)", 1113 parse->mschapv2[0], data->ident); 1114 return -1; 1115 } 1116 if (!data->auth_response_valid || 1117 mschapv2_verify_auth_response(data->auth_response, 1118 parse->mschapv2 + 1, 42)) { 1119 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator " 1120 "response in Phase 2 MSCHAPV2 success request"); 1121 return -1; 1122 } 1123 1124 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 " 1125 "authentication succeeded"); 1126 ret->methodState = METHOD_DONE; 1127 ret->decision = DECISION_UNCOND_SUCC; 1128 data->phase2_success = 1; 1129 1130 /* 1131 * Reply with empty data; authentication server will reply 1132 * with EAP-Success after this. 1133 */ 1134 return 1; 1135 #else /* EAP_MSCHAPv2 */ 1136 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 1137 return -1; 1138 #endif /* EAP_MSCHAPv2 */ 1139 } 1140 1141 1142 #ifdef EAP_TNC 1143 static int eap_ttls_process_tnc_start(struct eap_sm *sm, 1144 struct eap_ttls_data *data, 1145 struct eap_method_ret *ret, 1146 struct ttls_parse_avp *parse, 1147 struct wpabuf **resp) 1148 { 1149 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */ 1150 if (parse->eapdata == NULL) { 1151 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1152 "unexpected tunneled data (no EAP)"); 1153 return -1; 1154 } 1155 1156 if (!data->ready_for_tnc) { 1157 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1158 "EAP after non-EAP, but not ready for TNC"); 1159 return -1; 1160 } 1161 1162 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 1163 "non-EAP method"); 1164 data->tnc_started = 1; 1165 1166 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0) 1167 return -1; 1168 1169 return 0; 1170 } 1171 #endif /* EAP_TNC */ 1172 1173 1174 static int eap_ttls_process_decrypted(struct eap_sm *sm, 1175 struct eap_ttls_data *data, 1176 struct eap_method_ret *ret, 1177 u8 identifier, 1178 struct ttls_parse_avp *parse, 1179 struct wpabuf *in_decrypted, 1180 struct wpabuf **out_data) 1181 { 1182 struct wpabuf *resp = NULL; 1183 struct eap_peer_config *config = eap_get_config(sm); 1184 int res; 1185 enum phase2_types phase2_type = data->phase2_type; 1186 1187 #ifdef EAP_TNC 1188 if (data->tnc_started) 1189 phase2_type = EAP_TTLS_PHASE2_EAP; 1190 #endif /* EAP_TNC */ 1191 1192 switch (phase2_type) { 1193 case EAP_TTLS_PHASE2_EAP: 1194 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) < 1195 0) 1196 return -1; 1197 break; 1198 case EAP_TTLS_PHASE2_MSCHAPV2: 1199 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse); 1200 #ifdef EAP_TNC 1201 if (res == 1 && parse->eapdata && data->phase2_success) { 1202 /* 1203 * TNC may be required as the next 1204 * authentication method within the tunnel. 1205 */ 1206 ret->methodState = METHOD_MAY_CONT; 1207 data->ready_for_tnc = 1; 1208 if (eap_ttls_process_tnc_start(sm, data, ret, parse, 1209 &resp) == 0) 1210 break; 1211 } 1212 #endif /* EAP_TNC */ 1213 return res; 1214 case EAP_TTLS_PHASE2_MSCHAP: 1215 case EAP_TTLS_PHASE2_PAP: 1216 case EAP_TTLS_PHASE2_CHAP: 1217 #ifdef EAP_TNC 1218 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) < 1219 0) 1220 return -1; 1221 break; 1222 #else /* EAP_TNC */ 1223 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled 1224 * requests to the supplicant */ 1225 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected " 1226 "tunneled data"); 1227 return -1; 1228 #endif /* EAP_TNC */ 1229 } 1230 1231 if (resp) { 1232 if (eap_ttls_encrypt_response(sm, data, resp, identifier, 1233 out_data) < 0) 1234 return -1; 1235 } else if (config->pending_req_identity || 1236 config->pending_req_password || 1237 config->pending_req_otp || 1238 config->pending_req_new_password) { 1239 wpabuf_free(data->pending_phase2_req); 1240 data->pending_phase2_req = wpabuf_dup(in_decrypted); 1241 } 1242 1243 return 0; 1244 } 1245 1246 1247 static int eap_ttls_implicit_identity_request(struct eap_sm *sm, 1248 struct eap_ttls_data *data, 1249 struct eap_method_ret *ret, 1250 u8 identifier, 1251 struct wpabuf **out_data) 1252 { 1253 int retval = 0; 1254 struct eap_hdr *hdr; 1255 struct wpabuf *resp; 1256 1257 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request(); 1258 if (hdr == NULL) { 1259 ret->methodState = METHOD_DONE; 1260 ret->decision = DECISION_FAIL; 1261 return -1; 1262 } 1263 1264 resp = NULL; 1265 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) { 1266 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1267 "processing failed"); 1268 retval = -1; 1269 } else { 1270 struct eap_peer_config *config = eap_get_config(sm); 1271 if (resp == NULL && 1272 (config->pending_req_identity || 1273 config->pending_req_password || 1274 config->pending_req_otp || 1275 config->pending_req_new_password)) { 1276 /* 1277 * Use empty buffer to force implicit request 1278 * processing when EAP request is re-processed after 1279 * user input. 1280 */ 1281 wpabuf_free(data->pending_phase2_req); 1282 data->pending_phase2_req = wpabuf_alloc(0); 1283 } 1284 1285 retval = eap_ttls_encrypt_response(sm, data, resp, identifier, 1286 out_data); 1287 } 1288 1289 os_free(hdr); 1290 1291 if (retval < 0) { 1292 ret->methodState = METHOD_DONE; 1293 ret->decision = DECISION_FAIL; 1294 } 1295 1296 return retval; 1297 } 1298 1299 1300 static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data, 1301 struct eap_method_ret *ret, u8 identifier, 1302 struct wpabuf **out_data) 1303 { 1304 data->phase2_start = 0; 1305 1306 /* 1307 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only 1308 * if TLS part was indeed resuming a previous session. Most 1309 * Authentication Servers terminate EAP-TTLS before reaching this 1310 * point, but some do not. Make wpa_supplicant stop phase 2 here, if 1311 * needed. 1312 */ 1313 if (data->reauth && 1314 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 1315 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - " 1316 "skip phase 2"); 1317 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS, 1318 data->ttls_version); 1319 ret->methodState = METHOD_DONE; 1320 ret->decision = DECISION_UNCOND_SUCC; 1321 data->phase2_success = 1; 1322 return 0; 1323 } 1324 1325 return eap_ttls_implicit_identity_request(sm, data, ret, identifier, 1326 out_data); 1327 } 1328 1329 1330 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, 1331 struct eap_method_ret *ret, u8 identifier, 1332 const struct wpabuf *in_data, 1333 struct wpabuf **out_data) 1334 { 1335 struct wpabuf *in_decrypted = NULL; 1336 int retval = 0; 1337 struct ttls_parse_avp parse; 1338 1339 os_memset(&parse, 0, sizeof(parse)); 1340 1341 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1342 " Phase 2", 1343 in_data ? (unsigned long) wpabuf_len(in_data) : 0); 1344 1345 if (data->pending_phase2_req) { 1346 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " 1347 "skip decryption and use old data"); 1348 /* Clear TLS reassembly state. */ 1349 eap_peer_tls_reset_input(&data->ssl); 1350 1351 in_decrypted = data->pending_phase2_req; 1352 data->pending_phase2_req = NULL; 1353 if (wpabuf_len(in_decrypted) == 0) { 1354 wpabuf_free(in_decrypted); 1355 return eap_ttls_implicit_identity_request( 1356 sm, data, ret, identifier, out_data); 1357 } 1358 goto continue_req; 1359 } 1360 1361 if ((in_data == NULL || wpabuf_len(in_data) == 0) && 1362 data->phase2_start) { 1363 return eap_ttls_phase2_start(sm, data, ret, identifier, 1364 out_data); 1365 } 1366 1367 if (in_data == NULL || wpabuf_len(in_data) == 0) { 1368 /* Received TLS ACK - requesting more fragments */ 1369 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 1370 data->ttls_version, 1371 identifier, NULL, out_data); 1372 } 1373 1374 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 1375 if (retval) 1376 goto done; 1377 1378 continue_req: 1379 data->phase2_start = 0; 1380 1381 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) { 1382 retval = -1; 1383 goto done; 1384 } 1385 1386 retval = eap_ttls_process_decrypted(sm, data, ret, identifier, 1387 &parse, in_decrypted, out_data); 1388 1389 done: 1390 wpabuf_free(in_decrypted); 1391 os_free(parse.eapdata); 1392 1393 if (retval < 0) { 1394 ret->methodState = METHOD_DONE; 1395 ret->decision = DECISION_FAIL; 1396 } 1397 1398 return retval; 1399 } 1400 1401 1402 static int eap_ttls_process_handshake(struct eap_sm *sm, 1403 struct eap_ttls_data *data, 1404 struct eap_method_ret *ret, 1405 u8 identifier, 1406 const struct wpabuf *in_data, 1407 struct wpabuf **out_data) 1408 { 1409 int res; 1410 1411 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 1412 data->ttls_version, identifier, 1413 in_data, out_data); 1414 if (res < 0) { 1415 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS processing failed"); 1416 ret->methodState = METHOD_DONE; 1417 ret->decision = DECISION_FAIL; 1418 return -1; 1419 } 1420 1421 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1422 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to " 1423 "Phase 2"); 1424 if (data->resuming) { 1425 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may " 1426 "skip Phase 2"); 1427 ret->decision = DECISION_COND_SUCC; 1428 ret->methodState = METHOD_MAY_CONT; 1429 } 1430 data->phase2_start = 1; 1431 eap_ttls_v0_derive_key(sm, data); 1432 1433 if (*out_data == NULL || wpabuf_len(*out_data) == 0) { 1434 if (eap_ttls_decrypt(sm, data, ret, identifier, 1435 NULL, out_data)) { 1436 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1437 "failed to process early " 1438 "start for Phase 2"); 1439 } 1440 res = 0; 1441 } 1442 data->resuming = 0; 1443 } 1444 1445 if (res == 2) { 1446 /* 1447 * Application data included in the handshake message. 1448 */ 1449 wpabuf_free(data->pending_phase2_req); 1450 data->pending_phase2_req = *out_data; 1451 *out_data = NULL; 1452 res = eap_ttls_decrypt(sm, data, ret, identifier, in_data, 1453 out_data); 1454 } 1455 1456 return res; 1457 } 1458 1459 1460 static void eap_ttls_check_auth_status(struct eap_sm *sm, 1461 struct eap_ttls_data *data, 1462 struct eap_method_ret *ret) 1463 { 1464 if (ret->methodState == METHOD_DONE) { 1465 ret->allowNotifications = FALSE; 1466 if (ret->decision == DECISION_UNCOND_SUCC || 1467 ret->decision == DECISION_COND_SUCC) { 1468 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1469 "completed successfully"); 1470 data->phase2_success = 1; 1471 #ifdef EAP_TNC 1472 if (!data->ready_for_tnc && !data->tnc_started) { 1473 /* 1474 * TNC may be required as the next 1475 * authentication method within the tunnel. 1476 */ 1477 ret->methodState = METHOD_MAY_CONT; 1478 data->ready_for_tnc = 1; 1479 } 1480 #endif /* EAP_TNC */ 1481 } 1482 } else if (ret->methodState == METHOD_MAY_CONT && 1483 (ret->decision == DECISION_UNCOND_SUCC || 1484 ret->decision == DECISION_COND_SUCC)) { 1485 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1486 "completed successfully (MAY_CONT)"); 1487 data->phase2_success = 1; 1488 } 1489 } 1490 1491 1492 static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv, 1493 struct eap_method_ret *ret, 1494 const struct wpabuf *reqData) 1495 { 1496 size_t left; 1497 int res; 1498 u8 flags, id; 1499 struct wpabuf *resp; 1500 const u8 *pos; 1501 struct eap_ttls_data *data = priv; 1502 struct wpabuf msg; 1503 1504 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret, 1505 reqData, &left, &flags); 1506 if (pos == NULL) 1507 return NULL; 1508 id = eap_get_id(reqData); 1509 1510 if (flags & EAP_TLS_FLAGS_START) { 1511 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own " 1512 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1513 data->ttls_version); 1514 1515 /* RFC 5281, Ch. 9.2: 1516 * "This packet MAY contain additional information in the form 1517 * of AVPs, which may provide useful hints to the client" 1518 * For now, ignore any potential extra data. 1519 */ 1520 left = 0; 1521 } 1522 1523 wpabuf_set(&msg, pos, left); 1524 1525 resp = NULL; 1526 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1527 !data->resuming) { 1528 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp); 1529 } else { 1530 res = eap_ttls_process_handshake(sm, data, ret, id, 1531 &msg, &resp); 1532 } 1533 1534 eap_ttls_check_auth_status(sm, data, ret); 1535 1536 /* FIX: what about res == -1? Could just move all error processing into 1537 * the other functions and get rid of this res==1 case here. */ 1538 if (res == 1) { 1539 wpabuf_free(resp); 1540 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS, 1541 data->ttls_version); 1542 } 1543 return resp; 1544 } 1545 1546 1547 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv) 1548 { 1549 struct eap_ttls_data *data = priv; 1550 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1551 data->phase2_success; 1552 } 1553 1554 1555 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) 1556 { 1557 struct eap_ttls_data *data = priv; 1558 wpabuf_free(data->pending_phase2_req); 1559 data->pending_phase2_req = NULL; 1560 #ifdef EAP_TNC 1561 data->ready_for_tnc = 0; 1562 data->tnc_started = 0; 1563 #endif /* EAP_TNC */ 1564 } 1565 1566 1567 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv) 1568 { 1569 struct eap_ttls_data *data = priv; 1570 eap_ttls_free_key(data); 1571 os_free(data->session_id); 1572 data->session_id = NULL; 1573 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1574 os_free(data); 1575 return NULL; 1576 } 1577 if (data->phase2_priv && data->phase2_method && 1578 data->phase2_method->init_for_reauth) 1579 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1580 data->phase2_start = 0; 1581 data->phase2_success = 0; 1582 data->resuming = 1; 1583 data->reauth = 1; 1584 return priv; 1585 } 1586 1587 1588 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf, 1589 size_t buflen, int verbose) 1590 { 1591 struct eap_ttls_data *data = priv; 1592 int len, ret; 1593 1594 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1595 ret = os_snprintf(buf + len, buflen - len, 1596 "EAP-TTLSv%d Phase2 method=", 1597 data->ttls_version); 1598 if (os_snprintf_error(buflen - len, ret)) 1599 return len; 1600 len += ret; 1601 switch (data->phase2_type) { 1602 case EAP_TTLS_PHASE2_EAP: 1603 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n", 1604 data->phase2_method ? 1605 data->phase2_method->name : "?"); 1606 break; 1607 case EAP_TTLS_PHASE2_MSCHAPV2: 1608 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n"); 1609 break; 1610 case EAP_TTLS_PHASE2_MSCHAP: 1611 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n"); 1612 break; 1613 case EAP_TTLS_PHASE2_PAP: 1614 ret = os_snprintf(buf + len, buflen - len, "PAP\n"); 1615 break; 1616 case EAP_TTLS_PHASE2_CHAP: 1617 ret = os_snprintf(buf + len, buflen - len, "CHAP\n"); 1618 break; 1619 default: 1620 ret = 0; 1621 break; 1622 } 1623 if (os_snprintf_error(buflen - len, ret)) 1624 return len; 1625 len += ret; 1626 1627 return len; 1628 } 1629 1630 1631 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv) 1632 { 1633 struct eap_ttls_data *data = priv; 1634 return data->key_data != NULL && data->phase2_success; 1635 } 1636 1637 1638 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1639 { 1640 struct eap_ttls_data *data = priv; 1641 u8 *key; 1642 1643 if (data->key_data == NULL || !data->phase2_success) 1644 return NULL; 1645 1646 key = os_malloc(EAP_TLS_KEY_LEN); 1647 if (key == NULL) 1648 return NULL; 1649 1650 *len = EAP_TLS_KEY_LEN; 1651 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1652 1653 return key; 1654 } 1655 1656 1657 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1658 { 1659 struct eap_ttls_data *data = priv; 1660 u8 *id; 1661 1662 if (data->session_id == NULL || !data->phase2_success) 1663 return NULL; 1664 1665 id = os_malloc(data->id_len); 1666 if (id == NULL) 1667 return NULL; 1668 1669 *len = data->id_len; 1670 os_memcpy(id, data->session_id, data->id_len); 1671 1672 return id; 1673 } 1674 1675 1676 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1677 { 1678 struct eap_ttls_data *data = priv; 1679 u8 *key; 1680 1681 if (data->key_data == NULL) 1682 return NULL; 1683 1684 key = os_malloc(EAP_EMSK_LEN); 1685 if (key == NULL) 1686 return NULL; 1687 1688 *len = EAP_EMSK_LEN; 1689 os_memcpy(key, data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN); 1690 1691 return key; 1692 } 1693 1694 1695 int eap_peer_ttls_register(void) 1696 { 1697 struct eap_method *eap; 1698 int ret; 1699 1700 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1701 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1702 if (eap == NULL) 1703 return -1; 1704 1705 eap->init = eap_ttls_init; 1706 eap->deinit = eap_ttls_deinit; 1707 eap->process = eap_ttls_process; 1708 eap->isKeyAvailable = eap_ttls_isKeyAvailable; 1709 eap->getKey = eap_ttls_getKey; 1710 eap->getSessionId = eap_ttls_get_session_id; 1711 eap->get_status = eap_ttls_get_status; 1712 eap->has_reauth_data = eap_ttls_has_reauth_data; 1713 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth; 1714 eap->init_for_reauth = eap_ttls_init_for_reauth; 1715 eap->get_emsk = eap_ttls_get_emsk; 1716 1717 ret = eap_peer_method_register(eap); 1718 if (ret) 1719 eap_peer_method_free(eap); 1720 return ret; 1721 } 1722