1 /* 2 * EAP peer method: EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/ms_funcs.h" 13 #include "crypto/sha1.h" 14 #include "crypto/tls.h" 15 #include "eap_common/chap.h" 16 #include "eap_common/eap_ttls.h" 17 #include "mschapv2.h" 18 #include "eap_i.h" 19 #include "eap_tls_common.h" 20 #include "eap_config.h" 21 22 23 #define EAP_TTLS_VERSION 0 24 25 26 static void eap_ttls_deinit(struct eap_sm *sm, void *priv); 27 28 29 struct eap_ttls_data { 30 struct eap_ssl_data ssl; 31 32 int ttls_version; 33 34 const struct eap_method *phase2_method; 35 void *phase2_priv; 36 int phase2_success; 37 int phase2_start; 38 39 enum phase2_types { 40 EAP_TTLS_PHASE2_EAP, 41 EAP_TTLS_PHASE2_MSCHAPV2, 42 EAP_TTLS_PHASE2_MSCHAP, 43 EAP_TTLS_PHASE2_PAP, 44 EAP_TTLS_PHASE2_CHAP 45 } phase2_type; 46 struct eap_method_type phase2_eap_type; 47 struct eap_method_type *phase2_eap_types; 48 size_t num_phase2_eap_types; 49 50 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN]; 51 int auth_response_valid; 52 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */ 53 u8 ident; 54 int resuming; /* starting a resumed session */ 55 int reauth; /* reauthentication */ 56 u8 *key_data; 57 u8 *session_id; 58 size_t id_len; 59 60 struct wpabuf *pending_phase2_req; 61 62 #ifdef EAP_TNC 63 int ready_for_tnc; 64 int tnc_started; 65 #endif /* EAP_TNC */ 66 }; 67 68 69 static void * eap_ttls_init(struct eap_sm *sm) 70 { 71 struct eap_ttls_data *data; 72 struct eap_peer_config *config = eap_get_config(sm); 73 char *selected; 74 75 data = os_zalloc(sizeof(*data)); 76 if (data == NULL) 77 return NULL; 78 data->ttls_version = EAP_TTLS_VERSION; 79 selected = "EAP"; 80 data->phase2_type = EAP_TTLS_PHASE2_EAP; 81 82 if (config && config->phase2) { 83 if (os_strstr(config->phase2, "autheap=")) { 84 selected = "EAP"; 85 data->phase2_type = EAP_TTLS_PHASE2_EAP; 86 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { 87 selected = "MSCHAPV2"; 88 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; 89 } else if (os_strstr(config->phase2, "auth=MSCHAP")) { 90 selected = "MSCHAP"; 91 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; 92 } else if (os_strstr(config->phase2, "auth=PAP")) { 93 selected = "PAP"; 94 data->phase2_type = EAP_TTLS_PHASE2_PAP; 95 } else if (os_strstr(config->phase2, "auth=CHAP")) { 96 selected = "CHAP"; 97 data->phase2_type = EAP_TTLS_PHASE2_CHAP; 98 } 99 } 100 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); 101 102 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) { 103 if (eap_peer_select_phase2_methods(config, "autheap=", 104 &data->phase2_eap_types, 105 &data->num_phase2_eap_types) 106 < 0) { 107 eap_ttls_deinit(sm, data); 108 return NULL; 109 } 110 111 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 112 data->phase2_eap_type.method = EAP_TYPE_NONE; 113 } 114 115 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) { 116 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 117 eap_ttls_deinit(sm, data); 118 return NULL; 119 } 120 121 return data; 122 } 123 124 125 static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, 126 struct eap_ttls_data *data) 127 { 128 if (data->phase2_priv && data->phase2_method) { 129 data->phase2_method->deinit(sm, data->phase2_priv); 130 data->phase2_method = NULL; 131 data->phase2_priv = NULL; 132 } 133 } 134 135 136 static void eap_ttls_free_key(struct eap_ttls_data *data) 137 { 138 if (data->key_data) { 139 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); 140 data->key_data = NULL; 141 } 142 } 143 144 145 static void eap_ttls_deinit(struct eap_sm *sm, void *priv) 146 { 147 struct eap_ttls_data *data = priv; 148 if (data == NULL) 149 return; 150 eap_ttls_phase2_eap_deinit(sm, data); 151 os_free(data->phase2_eap_types); 152 eap_peer_tls_ssl_deinit(sm, &data->ssl); 153 eap_ttls_free_key(data); 154 os_free(data->session_id); 155 wpabuf_free(data->pending_phase2_req); 156 os_free(data); 157 } 158 159 160 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 161 int mandatory, size_t len) 162 { 163 struct ttls_avp_vendor *avp; 164 u8 flags; 165 size_t hdrlen; 166 167 avp = (struct ttls_avp_vendor *) avphdr; 168 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 169 if (vendor_id) { 170 flags |= AVP_FLAGS_VENDOR; 171 hdrlen = sizeof(*avp); 172 avp->vendor_id = host_to_be32(vendor_id); 173 } else { 174 hdrlen = sizeof(struct ttls_avp); 175 } 176 177 avp->avp_code = host_to_be32(avp_code); 178 avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len)); 179 180 return avphdr + hdrlen; 181 } 182 183 184 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code, 185 u32 vendor_id, int mandatory, 186 const u8 *data, size_t len) 187 { 188 u8 *pos; 189 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len); 190 os_memcpy(pos, data, len); 191 pos += len; 192 AVP_PAD(start, pos); 193 return pos; 194 } 195 196 197 static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code, 198 int mandatory) 199 { 200 struct wpabuf *msg; 201 u8 *avp, *pos; 202 203 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4); 204 if (msg == NULL) { 205 wpabuf_free(*resp); 206 *resp = NULL; 207 return -1; 208 } 209 210 avp = wpabuf_mhead(msg); 211 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp)); 212 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp)); 213 pos += wpabuf_len(*resp); 214 AVP_PAD(avp, pos); 215 wpabuf_free(*resp); 216 wpabuf_put(msg, pos - avp); 217 *resp = msg; 218 return 0; 219 } 220 221 222 static int eap_ttls_v0_derive_key(struct eap_sm *sm, 223 struct eap_ttls_data *data) 224 { 225 eap_ttls_free_key(data); 226 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, 227 "ttls keying material", 228 EAP_TLS_KEY_LEN + 229 EAP_EMSK_LEN); 230 if (!data->key_data) { 231 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key"); 232 return -1; 233 } 234 235 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 236 data->key_data, EAP_TLS_KEY_LEN); 237 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived EMSK", 238 data->key_data + EAP_TLS_KEY_LEN, 239 EAP_EMSK_LEN); 240 241 os_free(data->session_id); 242 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl, 243 EAP_TYPE_TTLS, 244 &data->id_len); 245 if (data->session_id) { 246 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id", 247 data->session_id, data->id_len); 248 } else { 249 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id"); 250 } 251 252 return 0; 253 } 254 255 256 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 257 struct eap_ttls_data *data, size_t len) 258 { 259 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len); 260 } 261 262 263 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data, 264 u8 method) 265 { 266 size_t i; 267 for (i = 0; i < data->num_phase2_eap_types; i++) { 268 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF || 269 data->phase2_eap_types[i].method != method) 270 continue; 271 272 data->phase2_eap_type.vendor = 273 data->phase2_eap_types[i].vendor; 274 data->phase2_eap_type.method = 275 data->phase2_eap_types[i].method; 276 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 277 "Phase 2 EAP vendor %d method %d", 278 data->phase2_eap_type.vendor, 279 data->phase2_eap_type.method); 280 break; 281 } 282 } 283 284 285 static int eap_ttls_phase2_eap_process(struct eap_sm *sm, 286 struct eap_ttls_data *data, 287 struct eap_method_ret *ret, 288 struct eap_hdr *hdr, size_t len, 289 struct wpabuf **resp) 290 { 291 struct wpabuf msg; 292 struct eap_method_ret iret; 293 294 os_memset(&iret, 0, sizeof(iret)); 295 wpabuf_set(&msg, hdr, len); 296 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret, 297 &msg); 298 if ((iret.methodState == METHOD_DONE || 299 iret.methodState == METHOD_MAY_CONT) && 300 (iret.decision == DECISION_UNCOND_SUCC || 301 iret.decision == DECISION_COND_SUCC || 302 iret.decision == DECISION_FAIL)) { 303 ret->methodState = iret.methodState; 304 ret->decision = iret.decision; 305 } 306 307 return 0; 308 } 309 310 311 static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm, 312 struct eap_ttls_data *data, 313 struct eap_method_ret *ret, 314 struct eap_hdr *hdr, size_t len, 315 u8 method, struct wpabuf **resp) 316 { 317 #ifdef EAP_TNC 318 if (data->tnc_started && data->phase2_method && 319 data->phase2_priv && method == EAP_TYPE_TNC && 320 data->phase2_eap_type.method == EAP_TYPE_TNC) 321 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, 322 resp); 323 324 if (data->ready_for_tnc && !data->tnc_started && 325 method == EAP_TYPE_TNC) { 326 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 327 "EAP method"); 328 data->tnc_started = 1; 329 } 330 331 if (data->tnc_started) { 332 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF || 333 data->phase2_eap_type.method == EAP_TYPE_TNC) { 334 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP " 335 "type %d for TNC", method); 336 return -1; 337 } 338 339 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 340 data->phase2_eap_type.method = method; 341 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 342 "Phase 2 EAP vendor %d method %d (TNC)", 343 data->phase2_eap_type.vendor, 344 data->phase2_eap_type.method); 345 346 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) 347 eap_ttls_phase2_eap_deinit(sm, data); 348 } 349 #endif /* EAP_TNC */ 350 351 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF && 352 data->phase2_eap_type.method == EAP_TYPE_NONE) 353 eap_ttls_phase2_select_eap_method(data, method); 354 355 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE) 356 { 357 if (eap_peer_tls_phase2_nak(data->phase2_eap_types, 358 data->num_phase2_eap_types, 359 hdr, resp)) 360 return -1; 361 return 0; 362 } 363 364 if (data->phase2_priv == NULL) { 365 data->phase2_method = eap_peer_get_eap_method( 366 EAP_VENDOR_IETF, method); 367 if (data->phase2_method) { 368 sm->init_phase2 = 1; 369 data->phase2_priv = data->phase2_method->init(sm); 370 sm->init_phase2 = 0; 371 } 372 } 373 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 374 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize " 375 "Phase 2 EAP method %d", method); 376 return -1; 377 } 378 379 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp); 380 } 381 382 383 static int eap_ttls_phase2_request_eap(struct eap_sm *sm, 384 struct eap_ttls_data *data, 385 struct eap_method_ret *ret, 386 struct eap_hdr *hdr, 387 struct wpabuf **resp) 388 { 389 size_t len = be_to_host16(hdr->length); 390 u8 *pos; 391 struct eap_peer_config *config = eap_get_config(sm); 392 393 if (len <= sizeof(struct eap_hdr)) { 394 wpa_printf(MSG_INFO, "EAP-TTLS: too short " 395 "Phase 2 request (len=%lu)", (unsigned long) len); 396 return -1; 397 } 398 pos = (u8 *) (hdr + 1); 399 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos); 400 switch (*pos) { 401 case EAP_TYPE_IDENTITY: 402 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 403 break; 404 default: 405 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len, 406 *pos, resp) < 0) 407 return -1; 408 break; 409 } 410 411 if (*resp == NULL && 412 (config->pending_req_identity || config->pending_req_password || 413 config->pending_req_otp)) { 414 return 0; 415 } 416 417 if (*resp == NULL) 418 return -1; 419 420 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response", 421 *resp); 422 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1); 423 } 424 425 426 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm, 427 struct eap_ttls_data *data, 428 struct eap_method_ret *ret, 429 struct wpabuf **resp) 430 { 431 #ifdef EAP_MSCHAPv2 432 struct wpabuf *msg; 433 u8 *buf, *pos, *challenge, *peer_challenge; 434 const u8 *identity, *password; 435 size_t identity_len, password_len; 436 int pwhash; 437 438 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request"); 439 440 identity = eap_get_config_identity(sm, &identity_len); 441 password = eap_get_config_password2(sm, &password_len, &pwhash); 442 if (identity == NULL || password == NULL) 443 return -1; 444 445 msg = wpabuf_alloc(identity_len + 1000); 446 if (msg == NULL) { 447 wpa_printf(MSG_ERROR, 448 "EAP-TTLS/MSCHAPV2: Failed to allocate memory"); 449 return -1; 450 } 451 pos = buf = wpabuf_mhead(msg); 452 453 /* User-Name */ 454 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 455 identity, identity_len); 456 457 /* MS-CHAP-Challenge */ 458 challenge = eap_ttls_implicit_challenge( 459 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 460 if (challenge == NULL) { 461 wpabuf_free(msg); 462 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 463 "implicit challenge"); 464 return -1; 465 } 466 467 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 468 RADIUS_VENDOR_ID_MICROSOFT, 1, 469 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 470 471 /* MS-CHAP2-Response */ 472 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE, 473 RADIUS_VENDOR_ID_MICROSOFT, 1, 474 EAP_TTLS_MSCHAPV2_RESPONSE_LEN); 475 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; 476 *pos++ = data->ident; 477 *pos++ = 0; /* Flags */ 478 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) { 479 os_free(challenge); 480 wpabuf_free(msg); 481 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get " 482 "random data for peer challenge"); 483 return -1; 484 } 485 peer_challenge = pos; 486 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 487 os_memset(pos, 0, 8); /* Reserved, must be zero */ 488 pos += 8; 489 if (mschapv2_derive_response(identity, identity_len, password, 490 password_len, pwhash, challenge, 491 peer_challenge, pos, data->auth_response, 492 data->master_key)) { 493 os_free(challenge); 494 wpabuf_free(msg); 495 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 496 "response"); 497 return -1; 498 } 499 data->auth_response_valid = 1; 500 501 pos += 24; 502 os_free(challenge); 503 AVP_PAD(buf, pos); 504 505 wpabuf_put(msg, pos - buf); 506 *resp = msg; 507 508 return 0; 509 #else /* EAP_MSCHAPv2 */ 510 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 511 return -1; 512 #endif /* EAP_MSCHAPv2 */ 513 } 514 515 516 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm, 517 struct eap_ttls_data *data, 518 struct eap_method_ret *ret, 519 struct wpabuf **resp) 520 { 521 struct wpabuf *msg; 522 u8 *buf, *pos, *challenge; 523 const u8 *identity, *password; 524 size_t identity_len, password_len; 525 int pwhash; 526 527 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request"); 528 529 identity = eap_get_config_identity(sm, &identity_len); 530 password = eap_get_config_password2(sm, &password_len, &pwhash); 531 if (identity == NULL || password == NULL) 532 return -1; 533 534 msg = wpabuf_alloc(identity_len + 1000); 535 if (msg == NULL) { 536 wpa_printf(MSG_ERROR, 537 "EAP-TTLS/MSCHAP: Failed to allocate memory"); 538 return -1; 539 } 540 pos = buf = wpabuf_mhead(msg); 541 542 /* User-Name */ 543 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 544 identity, identity_len); 545 546 /* MS-CHAP-Challenge */ 547 challenge = eap_ttls_implicit_challenge( 548 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 549 if (challenge == NULL) { 550 wpabuf_free(msg); 551 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive " 552 "implicit challenge"); 553 return -1; 554 } 555 556 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 557 RADIUS_VENDOR_ID_MICROSOFT, 1, 558 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 559 560 /* MS-CHAP-Response */ 561 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE, 562 RADIUS_VENDOR_ID_MICROSOFT, 1, 563 EAP_TTLS_MSCHAP_RESPONSE_LEN); 564 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN]; 565 *pos++ = data->ident; 566 *pos++ = 1; /* Flags: Use NT style passwords */ 567 os_memset(pos, 0, 24); /* LM-Response */ 568 pos += 24; 569 if (pwhash) { 570 challenge_response(challenge, password, pos); /* NT-Response */ 571 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash", 572 password, 16); 573 } else { 574 nt_challenge_response(challenge, password, password_len, 575 pos); /* NT-Response */ 576 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", 577 password, password_len); 578 } 579 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge", 580 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 581 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24); 582 pos += 24; 583 os_free(challenge); 584 AVP_PAD(buf, pos); 585 586 wpabuf_put(msg, pos - buf); 587 *resp = msg; 588 589 /* EAP-TTLS/MSCHAP does not provide tunneled success 590 * notification, so assume that Phase2 succeeds. */ 591 ret->methodState = METHOD_DONE; 592 ret->decision = DECISION_COND_SUCC; 593 594 return 0; 595 } 596 597 598 static int eap_ttls_phase2_request_pap(struct eap_sm *sm, 599 struct eap_ttls_data *data, 600 struct eap_method_ret *ret, 601 struct wpabuf **resp) 602 { 603 struct wpabuf *msg; 604 u8 *buf, *pos; 605 size_t pad; 606 const u8 *identity, *password; 607 size_t identity_len, password_len; 608 609 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request"); 610 611 identity = eap_get_config_identity(sm, &identity_len); 612 password = eap_get_config_password(sm, &password_len); 613 if (identity == NULL || password == NULL) 614 return -1; 615 616 msg = wpabuf_alloc(identity_len + password_len + 100); 617 if (msg == NULL) { 618 wpa_printf(MSG_ERROR, 619 "EAP-TTLS/PAP: Failed to allocate memory"); 620 return -1; 621 } 622 pos = buf = wpabuf_mhead(msg); 623 624 /* User-Name */ 625 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 626 identity, identity_len); 627 628 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts 629 * the data, so no separate encryption is used in the AVP itself. 630 * However, the password is padded to obfuscate its length. */ 631 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15; 632 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, 633 password_len + pad); 634 os_memcpy(pos, password, password_len); 635 pos += password_len; 636 os_memset(pos, 0, pad); 637 pos += pad; 638 AVP_PAD(buf, pos); 639 640 wpabuf_put(msg, pos - buf); 641 *resp = msg; 642 643 /* EAP-TTLS/PAP does not provide tunneled success notification, 644 * so assume that Phase2 succeeds. */ 645 ret->methodState = METHOD_DONE; 646 ret->decision = DECISION_COND_SUCC; 647 648 return 0; 649 } 650 651 652 static int eap_ttls_phase2_request_chap(struct eap_sm *sm, 653 struct eap_ttls_data *data, 654 struct eap_method_ret *ret, 655 struct wpabuf **resp) 656 { 657 struct wpabuf *msg; 658 u8 *buf, *pos, *challenge; 659 const u8 *identity, *password; 660 size_t identity_len, password_len; 661 662 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request"); 663 664 identity = eap_get_config_identity(sm, &identity_len); 665 password = eap_get_config_password(sm, &password_len); 666 if (identity == NULL || password == NULL) 667 return -1; 668 669 msg = wpabuf_alloc(identity_len + 1000); 670 if (msg == NULL) { 671 wpa_printf(MSG_ERROR, 672 "EAP-TTLS/CHAP: Failed to allocate memory"); 673 return -1; 674 } 675 pos = buf = wpabuf_mhead(msg); 676 677 /* User-Name */ 678 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 679 identity, identity_len); 680 681 /* CHAP-Challenge */ 682 challenge = eap_ttls_implicit_challenge( 683 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 684 if (challenge == NULL) { 685 wpabuf_free(msg); 686 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive " 687 "implicit challenge"); 688 return -1; 689 } 690 691 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1, 692 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 693 694 /* CHAP-Password */ 695 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1, 696 1 + EAP_TTLS_CHAP_PASSWORD_LEN); 697 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN]; 698 *pos++ = data->ident; 699 700 /* MD5(Ident + Password + Challenge) */ 701 chap_md5(data->ident, password, password_len, challenge, 702 EAP_TTLS_CHAP_CHALLENGE_LEN, pos); 703 704 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username", 705 identity, identity_len); 706 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password", 707 password, password_len); 708 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge", 709 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 710 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password", 711 pos, EAP_TTLS_CHAP_PASSWORD_LEN); 712 pos += EAP_TTLS_CHAP_PASSWORD_LEN; 713 os_free(challenge); 714 AVP_PAD(buf, pos); 715 716 wpabuf_put(msg, pos - buf); 717 *resp = msg; 718 719 /* EAP-TTLS/CHAP does not provide tunneled success 720 * notification, so assume that Phase2 succeeds. */ 721 ret->methodState = METHOD_DONE; 722 ret->decision = DECISION_COND_SUCC; 723 724 return 0; 725 } 726 727 728 static int eap_ttls_phase2_request(struct eap_sm *sm, 729 struct eap_ttls_data *data, 730 struct eap_method_ret *ret, 731 struct eap_hdr *hdr, 732 struct wpabuf **resp) 733 { 734 int res = 0; 735 size_t len; 736 enum phase2_types phase2_type = data->phase2_type; 737 738 #ifdef EAP_TNC 739 if (data->tnc_started) { 740 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC"); 741 phase2_type = EAP_TTLS_PHASE2_EAP; 742 } 743 #endif /* EAP_TNC */ 744 745 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 || 746 phase2_type == EAP_TTLS_PHASE2_MSCHAP || 747 phase2_type == EAP_TTLS_PHASE2_PAP || 748 phase2_type == EAP_TTLS_PHASE2_CHAP) { 749 if (eap_get_config_identity(sm, &len) == NULL) { 750 wpa_printf(MSG_INFO, 751 "EAP-TTLS: Identity not configured"); 752 eap_sm_request_identity(sm); 753 if (eap_get_config_password(sm, &len) == NULL) 754 eap_sm_request_password(sm); 755 return 0; 756 } 757 758 if (eap_get_config_password(sm, &len) == NULL) { 759 wpa_printf(MSG_INFO, 760 "EAP-TTLS: Password not configured"); 761 eap_sm_request_password(sm); 762 return 0; 763 } 764 } 765 766 switch (phase2_type) { 767 case EAP_TTLS_PHASE2_EAP: 768 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp); 769 break; 770 case EAP_TTLS_PHASE2_MSCHAPV2: 771 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp); 772 break; 773 case EAP_TTLS_PHASE2_MSCHAP: 774 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp); 775 break; 776 case EAP_TTLS_PHASE2_PAP: 777 res = eap_ttls_phase2_request_pap(sm, data, ret, resp); 778 break; 779 case EAP_TTLS_PHASE2_CHAP: 780 res = eap_ttls_phase2_request_chap(sm, data, ret, resp); 781 break; 782 default: 783 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown"); 784 res = -1; 785 break; 786 } 787 788 if (res < 0) { 789 ret->methodState = METHOD_DONE; 790 ret->decision = DECISION_FAIL; 791 } 792 793 return res; 794 } 795 796 797 struct ttls_parse_avp { 798 u8 *mschapv2; 799 u8 *eapdata; 800 size_t eap_len; 801 int mschapv2_error; 802 }; 803 804 805 static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen, 806 struct ttls_parse_avp *parse) 807 { 808 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 809 if (parse->eapdata == NULL) { 810 parse->eapdata = os_malloc(dlen); 811 if (parse->eapdata == NULL) { 812 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 813 "memory for Phase 2 EAP data"); 814 return -1; 815 } 816 os_memcpy(parse->eapdata, dpos, dlen); 817 parse->eap_len = dlen; 818 } else { 819 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen); 820 if (neweap == NULL) { 821 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 822 "memory for Phase 2 EAP data"); 823 return -1; 824 } 825 os_memcpy(neweap + parse->eap_len, dpos, dlen); 826 parse->eapdata = neweap; 827 parse->eap_len += dlen; 828 } 829 830 return 0; 831 } 832 833 834 static int eap_ttls_parse_avp(u8 *pos, size_t left, 835 struct ttls_parse_avp *parse) 836 { 837 struct ttls_avp *avp; 838 u32 avp_code, avp_length, vendor_id = 0; 839 u8 avp_flags, *dpos; 840 size_t dlen; 841 842 avp = (struct ttls_avp *) pos; 843 avp_code = be_to_host32(avp->avp_code); 844 avp_length = be_to_host32(avp->avp_length); 845 avp_flags = (avp_length >> 24) & 0xff; 846 avp_length &= 0xffffff; 847 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 848 "length=%d", (int) avp_code, avp_flags, 849 (int) avp_length); 850 851 if (avp_length > left) { 852 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 853 "(len=%d, left=%lu) - dropped", 854 (int) avp_length, (unsigned long) left); 855 return -1; 856 } 857 858 if (avp_length < sizeof(*avp)) { 859 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d", 860 avp_length); 861 return -1; 862 } 863 864 dpos = (u8 *) (avp + 1); 865 dlen = avp_length - sizeof(*avp); 866 if (avp_flags & AVP_FLAGS_VENDOR) { 867 if (dlen < 4) { 868 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP " 869 "underflow"); 870 return -1; 871 } 872 vendor_id = WPA_GET_BE32(dpos); 873 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 874 (int) vendor_id); 875 dpos += 4; 876 dlen -= 4; 877 } 878 879 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 880 881 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 882 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0) 883 return -1; 884 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) { 885 /* This is an optional message that can be displayed to 886 * the user. */ 887 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message", 888 dpos, dlen); 889 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 890 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) { 891 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success", 892 dpos, dlen); 893 if (dlen != 43) { 894 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected " 895 "MS-CHAP2-Success length " 896 "(len=%lu, expected 43)", 897 (unsigned long) dlen); 898 return -1; 899 } 900 parse->mschapv2 = dpos; 901 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 902 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) { 903 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error", 904 dpos, dlen); 905 parse->mschapv2_error = 1; 906 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 907 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP " 908 "code %d vendor_id %d - dropped", 909 (int) avp_code, (int) vendor_id); 910 return -1; 911 } else { 912 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP " 913 "code %d vendor_id %d", 914 (int) avp_code, (int) vendor_id); 915 } 916 917 return avp_length; 918 } 919 920 921 static int eap_ttls_parse_avps(struct wpabuf *in_decrypted, 922 struct ttls_parse_avp *parse) 923 { 924 u8 *pos; 925 size_t left, pad; 926 int avp_length; 927 928 pos = wpabuf_mhead(in_decrypted); 929 left = wpabuf_len(in_decrypted); 930 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left); 931 if (left < sizeof(struct ttls_avp)) { 932 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame" 933 " len=%lu expected %lu or more - dropped", 934 (unsigned long) left, 935 (unsigned long) sizeof(struct ttls_avp)); 936 return -1; 937 } 938 939 /* Parse AVPs */ 940 os_memset(parse, 0, sizeof(*parse)); 941 942 while (left > 0) { 943 avp_length = eap_ttls_parse_avp(pos, left, parse); 944 if (avp_length < 0) 945 return -1; 946 947 pad = (4 - (avp_length & 3)) & 3; 948 pos += avp_length + pad; 949 if (left < avp_length + pad) 950 left = 0; 951 else 952 left -= avp_length + pad; 953 } 954 955 return 0; 956 } 957 958 959 static u8 * eap_ttls_fake_identity_request(void) 960 { 961 struct eap_hdr *hdr; 962 u8 *buf; 963 964 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of " 965 "Phase 2 - use fake EAP-Request Identity"); 966 buf = os_malloc(sizeof(*hdr) + 1); 967 if (buf == NULL) { 968 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate " 969 "memory for fake EAP-Identity Request"); 970 return NULL; 971 } 972 973 hdr = (struct eap_hdr *) buf; 974 hdr->code = EAP_CODE_REQUEST; 975 hdr->identifier = 0; 976 hdr->length = host_to_be16(sizeof(*hdr) + 1); 977 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY; 978 979 return buf; 980 } 981 982 983 static int eap_ttls_encrypt_response(struct eap_sm *sm, 984 struct eap_ttls_data *data, 985 struct wpabuf *resp, u8 identifier, 986 struct wpabuf **out_data) 987 { 988 if (resp == NULL) 989 return 0; 990 991 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data", 992 resp); 993 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 994 data->ttls_version, identifier, 995 resp, out_data)) { 996 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 " 997 "frame"); 998 wpabuf_free(resp); 999 return -1; 1000 } 1001 wpabuf_free(resp); 1002 1003 return 0; 1004 } 1005 1006 1007 static int eap_ttls_process_phase2_eap(struct eap_sm *sm, 1008 struct eap_ttls_data *data, 1009 struct eap_method_ret *ret, 1010 struct ttls_parse_avp *parse, 1011 struct wpabuf **resp) 1012 { 1013 struct eap_hdr *hdr; 1014 size_t len; 1015 1016 if (parse->eapdata == NULL) { 1017 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the " 1018 "packet - dropped"); 1019 return -1; 1020 } 1021 1022 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP", 1023 parse->eapdata, parse->eap_len); 1024 hdr = (struct eap_hdr *) parse->eapdata; 1025 1026 if (parse->eap_len < sizeof(*hdr)) { 1027 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP " 1028 "frame (len=%lu, expected %lu or more) - dropped", 1029 (unsigned long) parse->eap_len, 1030 (unsigned long) sizeof(*hdr)); 1031 return -1; 1032 } 1033 len = be_to_host16(hdr->length); 1034 if (len > parse->eap_len) { 1035 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 " 1036 "EAP frame (EAP hdr len=%lu, EAP data len in " 1037 "AVP=%lu)", 1038 (unsigned long) len, 1039 (unsigned long) parse->eap_len); 1040 return -1; 1041 } 1042 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d " 1043 "identifier=%d length=%lu", 1044 hdr->code, hdr->identifier, (unsigned long) len); 1045 switch (hdr->code) { 1046 case EAP_CODE_REQUEST: 1047 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) { 1048 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1049 "processing failed"); 1050 return -1; 1051 } 1052 break; 1053 default: 1054 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in " 1055 "Phase 2 EAP header", hdr->code); 1056 return -1; 1057 } 1058 1059 return 0; 1060 } 1061 1062 1063 static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 1064 struct eap_ttls_data *data, 1065 struct eap_method_ret *ret, 1066 struct ttls_parse_avp *parse) 1067 { 1068 #ifdef EAP_MSCHAPv2 1069 if (parse->mschapv2_error) { 1070 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received " 1071 "MS-CHAP-Error - failed"); 1072 ret->methodState = METHOD_DONE; 1073 ret->decision = DECISION_FAIL; 1074 /* Reply with empty data to ACK error */ 1075 return 1; 1076 } 1077 1078 if (parse->mschapv2 == NULL) { 1079 #ifdef EAP_TNC 1080 if (data->phase2_success && parse->eapdata) { 1081 /* 1082 * Allow EAP-TNC to be started after successfully 1083 * completed MSCHAPV2. 1084 */ 1085 return 1; 1086 } 1087 #endif /* EAP_TNC */ 1088 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP " 1089 "received for Phase2 MSCHAPV2"); 1090 return -1; 1091 } 1092 if (parse->mschapv2[0] != data->ident) { 1093 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 " 1094 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)", 1095 parse->mschapv2[0], data->ident); 1096 return -1; 1097 } 1098 if (!data->auth_response_valid || 1099 mschapv2_verify_auth_response(data->auth_response, 1100 parse->mschapv2 + 1, 42)) { 1101 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator " 1102 "response in Phase 2 MSCHAPV2 success request"); 1103 return -1; 1104 } 1105 1106 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 " 1107 "authentication succeeded"); 1108 ret->methodState = METHOD_DONE; 1109 ret->decision = DECISION_UNCOND_SUCC; 1110 data->phase2_success = 1; 1111 1112 /* 1113 * Reply with empty data; authentication server will reply 1114 * with EAP-Success after this. 1115 */ 1116 return 1; 1117 #else /* EAP_MSCHAPv2 */ 1118 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 1119 return -1; 1120 #endif /* EAP_MSCHAPv2 */ 1121 } 1122 1123 1124 #ifdef EAP_TNC 1125 static int eap_ttls_process_tnc_start(struct eap_sm *sm, 1126 struct eap_ttls_data *data, 1127 struct eap_method_ret *ret, 1128 struct ttls_parse_avp *parse, 1129 struct wpabuf **resp) 1130 { 1131 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */ 1132 if (parse->eapdata == NULL) { 1133 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1134 "unexpected tunneled data (no EAP)"); 1135 return -1; 1136 } 1137 1138 if (!data->ready_for_tnc) { 1139 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1140 "EAP after non-EAP, but not ready for TNC"); 1141 return -1; 1142 } 1143 1144 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 1145 "non-EAP method"); 1146 data->tnc_started = 1; 1147 1148 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0) 1149 return -1; 1150 1151 return 0; 1152 } 1153 #endif /* EAP_TNC */ 1154 1155 1156 static int eap_ttls_process_decrypted(struct eap_sm *sm, 1157 struct eap_ttls_data *data, 1158 struct eap_method_ret *ret, 1159 u8 identifier, 1160 struct ttls_parse_avp *parse, 1161 struct wpabuf *in_decrypted, 1162 struct wpabuf **out_data) 1163 { 1164 struct wpabuf *resp = NULL; 1165 struct eap_peer_config *config = eap_get_config(sm); 1166 int res; 1167 enum phase2_types phase2_type = data->phase2_type; 1168 1169 #ifdef EAP_TNC 1170 if (data->tnc_started) 1171 phase2_type = EAP_TTLS_PHASE2_EAP; 1172 #endif /* EAP_TNC */ 1173 1174 switch (phase2_type) { 1175 case EAP_TTLS_PHASE2_EAP: 1176 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) < 1177 0) 1178 return -1; 1179 break; 1180 case EAP_TTLS_PHASE2_MSCHAPV2: 1181 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse); 1182 #ifdef EAP_TNC 1183 if (res == 1 && parse->eapdata && data->phase2_success) { 1184 /* 1185 * TNC may be required as the next 1186 * authentication method within the tunnel. 1187 */ 1188 ret->methodState = METHOD_MAY_CONT; 1189 data->ready_for_tnc = 1; 1190 if (eap_ttls_process_tnc_start(sm, data, ret, parse, 1191 &resp) == 0) 1192 break; 1193 } 1194 #endif /* EAP_TNC */ 1195 return res; 1196 case EAP_TTLS_PHASE2_MSCHAP: 1197 case EAP_TTLS_PHASE2_PAP: 1198 case EAP_TTLS_PHASE2_CHAP: 1199 #ifdef EAP_TNC 1200 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) < 1201 0) 1202 return -1; 1203 break; 1204 #else /* EAP_TNC */ 1205 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled 1206 * requests to the supplicant */ 1207 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected " 1208 "tunneled data"); 1209 return -1; 1210 #endif /* EAP_TNC */ 1211 } 1212 1213 if (resp) { 1214 if (eap_ttls_encrypt_response(sm, data, resp, identifier, 1215 out_data) < 0) 1216 return -1; 1217 } else if (config->pending_req_identity || 1218 config->pending_req_password || 1219 config->pending_req_otp || 1220 config->pending_req_new_password) { 1221 wpabuf_free(data->pending_phase2_req); 1222 data->pending_phase2_req = wpabuf_dup(in_decrypted); 1223 } 1224 1225 return 0; 1226 } 1227 1228 1229 static int eap_ttls_implicit_identity_request(struct eap_sm *sm, 1230 struct eap_ttls_data *data, 1231 struct eap_method_ret *ret, 1232 u8 identifier, 1233 struct wpabuf **out_data) 1234 { 1235 int retval = 0; 1236 struct eap_hdr *hdr; 1237 struct wpabuf *resp; 1238 1239 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request(); 1240 if (hdr == NULL) { 1241 ret->methodState = METHOD_DONE; 1242 ret->decision = DECISION_FAIL; 1243 return -1; 1244 } 1245 1246 resp = NULL; 1247 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) { 1248 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1249 "processing failed"); 1250 retval = -1; 1251 } else { 1252 struct eap_peer_config *config = eap_get_config(sm); 1253 if (resp == NULL && 1254 (config->pending_req_identity || 1255 config->pending_req_password || 1256 config->pending_req_otp || 1257 config->pending_req_new_password)) { 1258 /* 1259 * Use empty buffer to force implicit request 1260 * processing when EAP request is re-processed after 1261 * user input. 1262 */ 1263 wpabuf_free(data->pending_phase2_req); 1264 data->pending_phase2_req = wpabuf_alloc(0); 1265 } 1266 1267 retval = eap_ttls_encrypt_response(sm, data, resp, identifier, 1268 out_data); 1269 } 1270 1271 os_free(hdr); 1272 1273 if (retval < 0) { 1274 ret->methodState = METHOD_DONE; 1275 ret->decision = DECISION_FAIL; 1276 } 1277 1278 return retval; 1279 } 1280 1281 1282 static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data, 1283 struct eap_method_ret *ret, u8 identifier, 1284 struct wpabuf **out_data) 1285 { 1286 data->phase2_start = 0; 1287 1288 /* 1289 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only 1290 * if TLS part was indeed resuming a previous session. Most 1291 * Authentication Servers terminate EAP-TTLS before reaching this 1292 * point, but some do not. Make wpa_supplicant stop phase 2 here, if 1293 * needed. 1294 */ 1295 if (data->reauth && 1296 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 1297 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - " 1298 "skip phase 2"); 1299 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS, 1300 data->ttls_version); 1301 ret->methodState = METHOD_DONE; 1302 ret->decision = DECISION_UNCOND_SUCC; 1303 data->phase2_success = 1; 1304 return 0; 1305 } 1306 1307 return eap_ttls_implicit_identity_request(sm, data, ret, identifier, 1308 out_data); 1309 } 1310 1311 1312 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, 1313 struct eap_method_ret *ret, u8 identifier, 1314 const struct wpabuf *in_data, 1315 struct wpabuf **out_data) 1316 { 1317 struct wpabuf *in_decrypted = NULL; 1318 int retval = 0; 1319 struct ttls_parse_avp parse; 1320 1321 os_memset(&parse, 0, sizeof(parse)); 1322 1323 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1324 " Phase 2", 1325 in_data ? (unsigned long) wpabuf_len(in_data) : 0); 1326 1327 if (data->pending_phase2_req) { 1328 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " 1329 "skip decryption and use old data"); 1330 /* Clear TLS reassembly state. */ 1331 eap_peer_tls_reset_input(&data->ssl); 1332 1333 in_decrypted = data->pending_phase2_req; 1334 data->pending_phase2_req = NULL; 1335 if (wpabuf_len(in_decrypted) == 0) { 1336 wpabuf_free(in_decrypted); 1337 return eap_ttls_implicit_identity_request( 1338 sm, data, ret, identifier, out_data); 1339 } 1340 goto continue_req; 1341 } 1342 1343 if ((in_data == NULL || wpabuf_len(in_data) == 0) && 1344 data->phase2_start) { 1345 return eap_ttls_phase2_start(sm, data, ret, identifier, 1346 out_data); 1347 } 1348 1349 if (in_data == NULL || wpabuf_len(in_data) == 0) { 1350 /* Received TLS ACK - requesting more fragments */ 1351 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 1352 data->ttls_version, 1353 identifier, NULL, out_data); 1354 } 1355 1356 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 1357 if (retval) 1358 goto done; 1359 1360 continue_req: 1361 data->phase2_start = 0; 1362 1363 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) { 1364 retval = -1; 1365 goto done; 1366 } 1367 1368 retval = eap_ttls_process_decrypted(sm, data, ret, identifier, 1369 &parse, in_decrypted, out_data); 1370 1371 done: 1372 wpabuf_free(in_decrypted); 1373 os_free(parse.eapdata); 1374 1375 if (retval < 0) { 1376 ret->methodState = METHOD_DONE; 1377 ret->decision = DECISION_FAIL; 1378 } 1379 1380 return retval; 1381 } 1382 1383 1384 static int eap_ttls_process_handshake(struct eap_sm *sm, 1385 struct eap_ttls_data *data, 1386 struct eap_method_ret *ret, 1387 u8 identifier, 1388 const u8 *in_data, size_t in_len, 1389 struct wpabuf **out_data) 1390 { 1391 int res; 1392 1393 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 1394 data->ttls_version, identifier, 1395 in_data, in_len, out_data); 1396 1397 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1398 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to " 1399 "Phase 2"); 1400 if (data->resuming) { 1401 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may " 1402 "skip Phase 2"); 1403 ret->decision = DECISION_COND_SUCC; 1404 ret->methodState = METHOD_MAY_CONT; 1405 } 1406 data->phase2_start = 1; 1407 eap_ttls_v0_derive_key(sm, data); 1408 1409 if (*out_data == NULL || wpabuf_len(*out_data) == 0) { 1410 if (eap_ttls_decrypt(sm, data, ret, identifier, 1411 NULL, out_data)) { 1412 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1413 "failed to process early " 1414 "start for Phase 2"); 1415 } 1416 res = 0; 1417 } 1418 data->resuming = 0; 1419 } 1420 1421 if (res == 2) { 1422 struct wpabuf msg; 1423 /* 1424 * Application data included in the handshake message. 1425 */ 1426 wpabuf_free(data->pending_phase2_req); 1427 data->pending_phase2_req = *out_data; 1428 *out_data = NULL; 1429 wpabuf_set(&msg, in_data, in_len); 1430 res = eap_ttls_decrypt(sm, data, ret, identifier, &msg, 1431 out_data); 1432 } 1433 1434 return res; 1435 } 1436 1437 1438 static void eap_ttls_check_auth_status(struct eap_sm *sm, 1439 struct eap_ttls_data *data, 1440 struct eap_method_ret *ret) 1441 { 1442 if (ret->methodState == METHOD_DONE) { 1443 ret->allowNotifications = FALSE; 1444 if (ret->decision == DECISION_UNCOND_SUCC || 1445 ret->decision == DECISION_COND_SUCC) { 1446 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1447 "completed successfully"); 1448 data->phase2_success = 1; 1449 #ifdef EAP_TNC 1450 if (!data->ready_for_tnc && !data->tnc_started) { 1451 /* 1452 * TNC may be required as the next 1453 * authentication method within the tunnel. 1454 */ 1455 ret->methodState = METHOD_MAY_CONT; 1456 data->ready_for_tnc = 1; 1457 } 1458 #endif /* EAP_TNC */ 1459 } 1460 } else if (ret->methodState == METHOD_MAY_CONT && 1461 (ret->decision == DECISION_UNCOND_SUCC || 1462 ret->decision == DECISION_COND_SUCC)) { 1463 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1464 "completed successfully (MAY_CONT)"); 1465 data->phase2_success = 1; 1466 } 1467 } 1468 1469 1470 static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv, 1471 struct eap_method_ret *ret, 1472 const struct wpabuf *reqData) 1473 { 1474 size_t left; 1475 int res; 1476 u8 flags, id; 1477 struct wpabuf *resp; 1478 const u8 *pos; 1479 struct eap_ttls_data *data = priv; 1480 1481 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret, 1482 reqData, &left, &flags); 1483 if (pos == NULL) 1484 return NULL; 1485 id = eap_get_id(reqData); 1486 1487 if (flags & EAP_TLS_FLAGS_START) { 1488 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own " 1489 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1490 data->ttls_version); 1491 1492 /* RFC 5281, Ch. 9.2: 1493 * "This packet MAY contain additional information in the form 1494 * of AVPs, which may provide useful hints to the client" 1495 * For now, ignore any potential extra data. 1496 */ 1497 left = 0; 1498 } 1499 1500 resp = NULL; 1501 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1502 !data->resuming) { 1503 struct wpabuf msg; 1504 wpabuf_set(&msg, pos, left); 1505 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp); 1506 } else { 1507 res = eap_ttls_process_handshake(sm, data, ret, id, 1508 pos, left, &resp); 1509 } 1510 1511 eap_ttls_check_auth_status(sm, data, ret); 1512 1513 /* FIX: what about res == -1? Could just move all error processing into 1514 * the other functions and get rid of this res==1 case here. */ 1515 if (res == 1) { 1516 wpabuf_free(resp); 1517 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS, 1518 data->ttls_version); 1519 } 1520 return resp; 1521 } 1522 1523 1524 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv) 1525 { 1526 struct eap_ttls_data *data = priv; 1527 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1528 data->phase2_success; 1529 } 1530 1531 1532 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) 1533 { 1534 struct eap_ttls_data *data = priv; 1535 wpabuf_free(data->pending_phase2_req); 1536 data->pending_phase2_req = NULL; 1537 #ifdef EAP_TNC 1538 data->ready_for_tnc = 0; 1539 data->tnc_started = 0; 1540 #endif /* EAP_TNC */ 1541 } 1542 1543 1544 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv) 1545 { 1546 struct eap_ttls_data *data = priv; 1547 eap_ttls_free_key(data); 1548 os_free(data->session_id); 1549 data->session_id = NULL; 1550 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1551 os_free(data); 1552 return NULL; 1553 } 1554 if (data->phase2_priv && data->phase2_method && 1555 data->phase2_method->init_for_reauth) 1556 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1557 data->phase2_start = 0; 1558 data->phase2_success = 0; 1559 data->resuming = 1; 1560 data->reauth = 1; 1561 return priv; 1562 } 1563 1564 1565 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf, 1566 size_t buflen, int verbose) 1567 { 1568 struct eap_ttls_data *data = priv; 1569 int len, ret; 1570 1571 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1572 ret = os_snprintf(buf + len, buflen - len, 1573 "EAP-TTLSv%d Phase2 method=", 1574 data->ttls_version); 1575 if (os_snprintf_error(buflen - len, ret)) 1576 return len; 1577 len += ret; 1578 switch (data->phase2_type) { 1579 case EAP_TTLS_PHASE2_EAP: 1580 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n", 1581 data->phase2_method ? 1582 data->phase2_method->name : "?"); 1583 break; 1584 case EAP_TTLS_PHASE2_MSCHAPV2: 1585 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n"); 1586 break; 1587 case EAP_TTLS_PHASE2_MSCHAP: 1588 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n"); 1589 break; 1590 case EAP_TTLS_PHASE2_PAP: 1591 ret = os_snprintf(buf + len, buflen - len, "PAP\n"); 1592 break; 1593 case EAP_TTLS_PHASE2_CHAP: 1594 ret = os_snprintf(buf + len, buflen - len, "CHAP\n"); 1595 break; 1596 default: 1597 ret = 0; 1598 break; 1599 } 1600 if (os_snprintf_error(buflen - len, ret)) 1601 return len; 1602 len += ret; 1603 1604 return len; 1605 } 1606 1607 1608 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv) 1609 { 1610 struct eap_ttls_data *data = priv; 1611 return data->key_data != NULL && data->phase2_success; 1612 } 1613 1614 1615 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1616 { 1617 struct eap_ttls_data *data = priv; 1618 u8 *key; 1619 1620 if (data->key_data == NULL || !data->phase2_success) 1621 return NULL; 1622 1623 key = os_malloc(EAP_TLS_KEY_LEN); 1624 if (key == NULL) 1625 return NULL; 1626 1627 *len = EAP_TLS_KEY_LEN; 1628 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1629 1630 return key; 1631 } 1632 1633 1634 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1635 { 1636 struct eap_ttls_data *data = priv; 1637 u8 *id; 1638 1639 if (data->session_id == NULL || !data->phase2_success) 1640 return NULL; 1641 1642 id = os_malloc(data->id_len); 1643 if (id == NULL) 1644 return NULL; 1645 1646 *len = data->id_len; 1647 os_memcpy(id, data->session_id, data->id_len); 1648 1649 return id; 1650 } 1651 1652 1653 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1654 { 1655 struct eap_ttls_data *data = priv; 1656 u8 *key; 1657 1658 if (data->key_data == NULL) 1659 return NULL; 1660 1661 key = os_malloc(EAP_EMSK_LEN); 1662 if (key == NULL) 1663 return NULL; 1664 1665 *len = EAP_EMSK_LEN; 1666 os_memcpy(key, data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN); 1667 1668 return key; 1669 } 1670 1671 1672 int eap_peer_ttls_register(void) 1673 { 1674 struct eap_method *eap; 1675 int ret; 1676 1677 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1678 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1679 if (eap == NULL) 1680 return -1; 1681 1682 eap->init = eap_ttls_init; 1683 eap->deinit = eap_ttls_deinit; 1684 eap->process = eap_ttls_process; 1685 eap->isKeyAvailable = eap_ttls_isKeyAvailable; 1686 eap->getKey = eap_ttls_getKey; 1687 eap->getSessionId = eap_ttls_get_session_id; 1688 eap->get_status = eap_ttls_get_status; 1689 eap->has_reauth_data = eap_ttls_has_reauth_data; 1690 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth; 1691 eap->init_for_reauth = eap_ttls_init_for_reauth; 1692 eap->get_emsk = eap_ttls_get_emsk; 1693 1694 ret = eap_peer_method_register(eap); 1695 if (ret) 1696 eap_peer_method_free(eap); 1697 return ret; 1698 } 1699