1 /* 2 * hostapd / EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/ms_funcs.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "eap_server/eap_i.h" 22 #include "eap_server/eap_tls_common.h" 23 #include "eap_common/chap.h" 24 #include "eap_common/eap_ttls.h" 25 26 27 /* Maximum supported TTLS version 28 * 0 = RFC 5281 29 * 1 = draft-funk-eap-ttls-v1-00.txt 30 */ 31 #ifndef EAP_TTLS_VERSION 32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */ 33 #endif /* EAP_TTLS_VERSION */ 34 35 36 #define MSCHAPV2_KEY_LEN 16 37 38 39 static void eap_ttls_reset(struct eap_sm *sm, void *priv); 40 41 42 struct eap_ttls_data { 43 struct eap_ssl_data ssl; 44 enum { 45 START, PHASE1, PHASE2_START, PHASE2_METHOD, 46 PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE 47 } state; 48 49 int ttls_version; 50 int force_version; 51 const struct eap_method *phase2_method; 52 void *phase2_priv; 53 int mschapv2_resp_ok; 54 u8 mschapv2_auth_response[20]; 55 u8 mschapv2_ident; 56 int tls_ia_configured; 57 struct wpabuf *pending_phase2_eap_resp; 58 int tnc_started; 59 }; 60 61 62 static const char * eap_ttls_state_txt(int state) 63 { 64 switch (state) { 65 case START: 66 return "START"; 67 case PHASE1: 68 return "PHASE1"; 69 case PHASE2_START: 70 return "PHASE2_START"; 71 case PHASE2_METHOD: 72 return "PHASE2_METHOD"; 73 case PHASE2_MSCHAPV2_RESP: 74 return "PHASE2_MSCHAPV2_RESP"; 75 case PHASE_FINISHED: 76 return "PHASE_FINISHED"; 77 case SUCCESS: 78 return "SUCCESS"; 79 case FAILURE: 80 return "FAILURE"; 81 default: 82 return "Unknown?!"; 83 } 84 } 85 86 87 static void eap_ttls_state(struct eap_ttls_data *data, int state) 88 { 89 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s", 90 eap_ttls_state_txt(data->state), 91 eap_ttls_state_txt(state)); 92 data->state = state; 93 } 94 95 96 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 97 int mandatory, size_t len) 98 { 99 struct ttls_avp_vendor *avp; 100 u8 flags; 101 size_t hdrlen; 102 103 avp = (struct ttls_avp_vendor *) avphdr; 104 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 105 if (vendor_id) { 106 flags |= AVP_FLAGS_VENDOR; 107 hdrlen = sizeof(*avp); 108 avp->vendor_id = host_to_be32(vendor_id); 109 } else { 110 hdrlen = sizeof(struct ttls_avp); 111 } 112 113 avp->avp_code = host_to_be32(avp_code); 114 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len)); 115 116 return avphdr + hdrlen; 117 } 118 119 120 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp, 121 u32 avp_code, int mandatory) 122 { 123 struct wpabuf *avp; 124 u8 *pos; 125 126 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4); 127 if (avp == NULL) { 128 wpabuf_free(resp); 129 return NULL; 130 } 131 132 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory, 133 wpabuf_len(resp)); 134 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp)); 135 pos += wpabuf_len(resp); 136 AVP_PAD((const u8 *) wpabuf_head(avp), pos); 137 wpabuf_free(resp); 138 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp)); 139 return avp; 140 } 141 142 143 struct eap_ttls_avp { 144 /* Note: eap is allocated memory; caller is responsible for freeing 145 * it. All the other pointers are pointing to the packet data, i.e., 146 * they must not be freed separately. */ 147 u8 *eap; 148 size_t eap_len; 149 u8 *user_name; 150 size_t user_name_len; 151 u8 *user_password; 152 size_t user_password_len; 153 u8 *chap_challenge; 154 size_t chap_challenge_len; 155 u8 *chap_password; 156 size_t chap_password_len; 157 u8 *mschap_challenge; 158 size_t mschap_challenge_len; 159 u8 *mschap_response; 160 size_t mschap_response_len; 161 u8 *mschap2_response; 162 size_t mschap2_response_len; 163 }; 164 165 166 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse) 167 { 168 struct ttls_avp *avp; 169 u8 *pos; 170 int left; 171 172 pos = wpabuf_mhead(buf); 173 left = wpabuf_len(buf); 174 os_memset(parse, 0, sizeof(*parse)); 175 176 while (left > 0) { 177 u32 avp_code, avp_length, vendor_id = 0; 178 u8 avp_flags, *dpos; 179 size_t pad, dlen; 180 avp = (struct ttls_avp *) pos; 181 avp_code = be_to_host32(avp->avp_code); 182 avp_length = be_to_host32(avp->avp_length); 183 avp_flags = (avp_length >> 24) & 0xff; 184 avp_length &= 0xffffff; 185 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 186 "length=%d", (int) avp_code, avp_flags, 187 (int) avp_length); 188 if ((int) avp_length > left) { 189 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 190 "(len=%d, left=%d) - dropped", 191 (int) avp_length, left); 192 goto fail; 193 } 194 if (avp_length < sizeof(*avp)) { 195 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length " 196 "%d", avp_length); 197 goto fail; 198 } 199 dpos = (u8 *) (avp + 1); 200 dlen = avp_length - sizeof(*avp); 201 if (avp_flags & AVP_FLAGS_VENDOR) { 202 if (dlen < 4) { 203 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP " 204 "underflow"); 205 goto fail; 206 } 207 vendor_id = be_to_host32(* (be32 *) dpos); 208 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 209 (int) vendor_id); 210 dpos += 4; 211 dlen -= 4; 212 } 213 214 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 215 216 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 217 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 218 if (parse->eap == NULL) { 219 parse->eap = os_malloc(dlen); 220 if (parse->eap == NULL) { 221 wpa_printf(MSG_WARNING, "EAP-TTLS: " 222 "failed to allocate memory " 223 "for Phase 2 EAP data"); 224 goto fail; 225 } 226 os_memcpy(parse->eap, dpos, dlen); 227 parse->eap_len = dlen; 228 } else { 229 u8 *neweap = os_realloc(parse->eap, 230 parse->eap_len + dlen); 231 if (neweap == NULL) { 232 wpa_printf(MSG_WARNING, "EAP-TTLS: " 233 "failed to allocate memory " 234 "for Phase 2 EAP data"); 235 goto fail; 236 } 237 os_memcpy(neweap + parse->eap_len, dpos, dlen); 238 parse->eap = neweap; 239 parse->eap_len += dlen; 240 } 241 } else if (vendor_id == 0 && 242 avp_code == RADIUS_ATTR_USER_NAME) { 243 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name", 244 dpos, dlen); 245 parse->user_name = dpos; 246 parse->user_name_len = dlen; 247 } else if (vendor_id == 0 && 248 avp_code == RADIUS_ATTR_USER_PASSWORD) { 249 u8 *password = dpos; 250 size_t password_len = dlen; 251 while (password_len > 0 && 252 password[password_len - 1] == '\0') { 253 password_len--; 254 } 255 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: " 256 "User-Password (PAP)", 257 password, password_len); 258 parse->user_password = password; 259 parse->user_password_len = password_len; 260 } else if (vendor_id == 0 && 261 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) { 262 wpa_hexdump(MSG_DEBUG, 263 "EAP-TTLS: CHAP-Challenge (CHAP)", 264 dpos, dlen); 265 parse->chap_challenge = dpos; 266 parse->chap_challenge_len = dlen; 267 } else if (vendor_id == 0 && 268 avp_code == RADIUS_ATTR_CHAP_PASSWORD) { 269 wpa_hexdump(MSG_DEBUG, 270 "EAP-TTLS: CHAP-Password (CHAP)", 271 dpos, dlen); 272 parse->chap_password = dpos; 273 parse->chap_password_len = dlen; 274 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 275 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) { 276 wpa_hexdump(MSG_DEBUG, 277 "EAP-TTLS: MS-CHAP-Challenge", 278 dpos, dlen); 279 parse->mschap_challenge = dpos; 280 parse->mschap_challenge_len = dlen; 281 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 282 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) { 283 wpa_hexdump(MSG_DEBUG, 284 "EAP-TTLS: MS-CHAP-Response (MSCHAP)", 285 dpos, dlen); 286 parse->mschap_response = dpos; 287 parse->mschap_response_len = dlen; 288 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 289 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) { 290 wpa_hexdump(MSG_DEBUG, 291 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)", 292 dpos, dlen); 293 parse->mschap2_response = dpos; 294 parse->mschap2_response_len = dlen; 295 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 296 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported " 297 "mandatory AVP code %d vendor_id %d - " 298 "dropped", (int) avp_code, (int) vendor_id); 299 goto fail; 300 } else { 301 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported " 302 "AVP code %d vendor_id %d", 303 (int) avp_code, (int) vendor_id); 304 } 305 306 pad = (4 - (avp_length & 3)) & 3; 307 pos += avp_length + pad; 308 left -= avp_length + pad; 309 } 310 311 return 0; 312 313 fail: 314 os_free(parse->eap); 315 parse->eap = NULL; 316 return -1; 317 } 318 319 320 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 321 struct eap_ttls_data *data, size_t len) 322 { 323 struct tls_keys keys; 324 u8 *challenge, *rnd; 325 326 if (data->ttls_version == 0) { 327 return eap_server_tls_derive_key(sm, &data->ssl, 328 "ttls challenge", len); 329 } 330 331 os_memset(&keys, 0, sizeof(keys)); 332 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) || 333 keys.client_random == NULL || keys.server_random == NULL || 334 keys.inner_secret == NULL) { 335 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, " 336 "client random, or server random to derive " 337 "implicit challenge"); 338 return NULL; 339 } 340 341 rnd = os_malloc(keys.client_random_len + keys.server_random_len); 342 challenge = os_malloc(len); 343 if (rnd == NULL || challenge == NULL) { 344 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit " 345 "challenge derivation"); 346 os_free(rnd); 347 os_free(challenge); 348 return NULL; 349 } 350 os_memcpy(rnd, keys.server_random, keys.server_random_len); 351 os_memcpy(rnd + keys.server_random_len, keys.client_random, 352 keys.client_random_len); 353 354 if (tls_prf(keys.inner_secret, keys.inner_secret_len, 355 "inner application challenge", rnd, 356 keys.client_random_len + keys.server_random_len, 357 challenge, len)) { 358 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit " 359 "challenge"); 360 os_free(rnd); 361 os_free(challenge); 362 return NULL; 363 } 364 365 os_free(rnd); 366 367 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge", 368 challenge, len); 369 370 return challenge; 371 } 372 373 374 static void * eap_ttls_init(struct eap_sm *sm) 375 { 376 struct eap_ttls_data *data; 377 378 data = os_zalloc(sizeof(*data)); 379 if (data == NULL) 380 return NULL; 381 data->ttls_version = EAP_TTLS_VERSION; 382 data->force_version = -1; 383 if (sm->user && sm->user->force_version >= 0) { 384 data->force_version = sm->user->force_version; 385 wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d", 386 data->force_version); 387 data->ttls_version = data->force_version; 388 } 389 data->state = START; 390 391 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) && 392 data->ttls_version > 0) { 393 if (data->force_version > 0) { 394 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and " 395 "TLS library does not support TLS/IA.", 396 data->force_version); 397 eap_ttls_reset(sm, data); 398 return NULL; 399 } 400 data->ttls_version = 0; 401 } 402 403 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 404 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 405 eap_ttls_reset(sm, data); 406 return NULL; 407 } 408 409 return data; 410 } 411 412 413 static void eap_ttls_reset(struct eap_sm *sm, void *priv) 414 { 415 struct eap_ttls_data *data = priv; 416 if (data == NULL) 417 return; 418 if (data->phase2_priv && data->phase2_method) 419 data->phase2_method->reset(sm, data->phase2_priv); 420 eap_server_tls_ssl_deinit(sm, &data->ssl); 421 wpabuf_free(data->pending_phase2_eap_resp); 422 os_free(data); 423 } 424 425 426 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm, 427 struct eap_ttls_data *data, u8 id) 428 { 429 struct wpabuf *req; 430 431 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1, 432 EAP_CODE_REQUEST, id); 433 if (req == NULL) { 434 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for" 435 " request"); 436 eap_ttls_state(data, FAILURE); 437 return NULL; 438 } 439 440 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version); 441 442 eap_ttls_state(data, PHASE1); 443 444 return req; 445 } 446 447 448 static struct wpabuf * eap_ttls_build_phase2_eap_req( 449 struct eap_sm *sm, struct eap_ttls_data *data, u8 id) 450 { 451 struct wpabuf *buf, *encr_req; 452 453 454 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id); 455 if (buf == NULL) 456 return NULL; 457 458 wpa_hexdump_buf_key(MSG_DEBUG, 459 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf); 460 461 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1); 462 if (buf == NULL) { 463 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate " 464 "packet"); 465 return NULL; 466 } 467 468 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated " 469 "Phase 2 data", buf); 470 471 encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf); 472 wpabuf_free(buf); 473 474 return encr_req; 475 } 476 477 478 static struct wpabuf * eap_ttls_build_phase2_mschapv2( 479 struct eap_sm *sm, struct eap_ttls_data *data) 480 { 481 struct wpabuf *encr_req, msgbuf; 482 u8 *req, *pos, *end; 483 int ret; 484 485 pos = req = os_malloc(100); 486 if (req == NULL) 487 return NULL; 488 end = req + 100; 489 490 if (data->mschapv2_resp_ok) { 491 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS, 492 RADIUS_VENDOR_ID_MICROSOFT, 1, 43); 493 *pos++ = data->mschapv2_ident; 494 ret = os_snprintf((char *) pos, end - pos, "S="); 495 if (ret >= 0 && ret < end - pos) 496 pos += ret; 497 pos += wpa_snprintf_hex_uppercase( 498 (char *) pos, end - pos, data->mschapv2_auth_response, 499 sizeof(data->mschapv2_auth_response)); 500 } else { 501 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR, 502 RADIUS_VENDOR_ID_MICROSOFT, 1, 6); 503 os_memcpy(pos, "Failed", 6); 504 pos += 6; 505 AVP_PAD(req, pos); 506 } 507 508 wpabuf_set(&msgbuf, req, pos - req); 509 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 " 510 "data", &msgbuf); 511 512 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf); 513 os_free(req); 514 515 return encr_req; 516 } 517 518 519 static struct wpabuf * eap_ttls_build_phase_finished( 520 struct eap_sm *sm, struct eap_ttls_data *data, int final) 521 { 522 return tls_connection_ia_send_phase_finished(sm->ssl_ctx, 523 data->ssl.conn, final); 524 } 525 526 527 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id) 528 { 529 struct eap_ttls_data *data = priv; 530 531 if (data->ssl.state == FRAG_ACK) { 532 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS, 533 data->ttls_version); 534 } 535 536 if (data->ssl.state == WAIT_FRAG_ACK) { 537 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 538 data->ttls_version, id); 539 } 540 541 switch (data->state) { 542 case START: 543 return eap_ttls_build_start(sm, data, id); 544 case PHASE1: 545 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 546 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, " 547 "starting Phase2"); 548 eap_ttls_state(data, PHASE2_START); 549 } 550 break; 551 case PHASE2_METHOD: 552 wpabuf_free(data->ssl.tls_out); 553 data->ssl.tls_out_pos = 0; 554 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data, 555 id); 556 break; 557 case PHASE2_MSCHAPV2_RESP: 558 wpabuf_free(data->ssl.tls_out); 559 data->ssl.tls_out_pos = 0; 560 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data); 561 break; 562 case PHASE_FINISHED: 563 wpabuf_free(data->ssl.tls_out); 564 data->ssl.tls_out_pos = 0; 565 data->ssl.tls_out = eap_ttls_build_phase_finished(sm, data, 1); 566 break; 567 default: 568 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 569 __func__, data->state); 570 return NULL; 571 } 572 573 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 574 data->ttls_version, id); 575 } 576 577 578 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv, 579 struct wpabuf *respData) 580 { 581 const u8 *pos; 582 size_t len; 583 584 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len); 585 if (pos == NULL || len < 1) { 586 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame"); 587 return TRUE; 588 } 589 590 return FALSE; 591 } 592 593 594 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm, 595 struct eap_ttls_data *data, 596 const u8 *key, size_t key_len) 597 { 598 u8 *buf; 599 size_t buf_len; 600 int ret; 601 602 if (key) { 603 buf_len = 2 + key_len; 604 buf = os_malloc(buf_len); 605 if (buf == NULL) 606 return -1; 607 WPA_PUT_BE16(buf, key_len); 608 os_memcpy(buf + 2, key, key_len); 609 } else { 610 buf = NULL; 611 buf_len = 0; 612 } 613 614 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner " 615 "secret permutation", buf, buf_len); 616 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx, 617 data->ssl.conn, 618 buf, buf_len); 619 os_free(buf); 620 621 return ret; 622 } 623 624 625 static void eap_ttls_process_phase2_pap(struct eap_sm *sm, 626 struct eap_ttls_data *data, 627 const u8 *user_password, 628 size_t user_password_len) 629 { 630 if (!sm->user || !sm->user->password || sm->user->password_hash || 631 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) { 632 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user " 633 "password configured"); 634 eap_ttls_state(data, FAILURE); 635 return; 636 } 637 638 if (sm->user->password_len != user_password_len || 639 os_memcmp(sm->user->password, user_password, user_password_len) != 640 0) { 641 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password"); 642 eap_ttls_state(data, FAILURE); 643 return; 644 } 645 646 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password"); 647 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED : 648 SUCCESS); 649 } 650 651 652 static void eap_ttls_process_phase2_chap(struct eap_sm *sm, 653 struct eap_ttls_data *data, 654 const u8 *challenge, 655 size_t challenge_len, 656 const u8 *password, 657 size_t password_len) 658 { 659 u8 *chal, hash[CHAP_MD5_LEN]; 660 661 if (challenge == NULL || password == NULL || 662 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN || 663 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) { 664 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes " 665 "(challenge len %lu password len %lu)", 666 (unsigned long) challenge_len, 667 (unsigned long) password_len); 668 eap_ttls_state(data, FAILURE); 669 return; 670 } 671 672 if (!sm->user || !sm->user->password || sm->user->password_hash || 673 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) { 674 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user " 675 "password configured"); 676 eap_ttls_state(data, FAILURE); 677 return; 678 } 679 680 chal = eap_ttls_implicit_challenge(sm, data, 681 EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 682 if (chal == NULL) { 683 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate " 684 "challenge from TLS data"); 685 eap_ttls_state(data, FAILURE); 686 return; 687 } 688 689 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 || 690 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) { 691 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch"); 692 os_free(chal); 693 eap_ttls_state(data, FAILURE); 694 return; 695 } 696 os_free(chal); 697 698 /* MD5(Ident + Password + Challenge) */ 699 chap_md5(password[0], sm->user->password, sm->user->password_len, 700 challenge, challenge_len, hash); 701 702 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) { 703 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password"); 704 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED : 705 SUCCESS); 706 } else { 707 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password"); 708 eap_ttls_state(data, FAILURE); 709 } 710 } 711 712 713 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm, 714 struct eap_ttls_data *data, 715 u8 *challenge, size_t challenge_len, 716 u8 *response, size_t response_len) 717 { 718 u8 *chal, nt_response[24]; 719 720 if (challenge == NULL || response == NULL || 721 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN || 722 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) { 723 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP " 724 "attributes (challenge len %lu response len %lu)", 725 (unsigned long) challenge_len, 726 (unsigned long) response_len); 727 eap_ttls_state(data, FAILURE); 728 return; 729 } 730 731 if (!sm->user || !sm->user->password || 732 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) { 733 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password " 734 "configured"); 735 eap_ttls_state(data, FAILURE); 736 return; 737 } 738 739 chal = eap_ttls_implicit_challenge(sm, data, 740 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 741 if (chal == NULL) { 742 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate " 743 "challenge from TLS data"); 744 eap_ttls_state(data, FAILURE); 745 return; 746 } 747 748 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 || 749 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) { 750 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch"); 751 os_free(chal); 752 eap_ttls_state(data, FAILURE); 753 return; 754 } 755 os_free(chal); 756 757 if (sm->user->password_hash) 758 challenge_response(challenge, sm->user->password, nt_response); 759 else 760 nt_challenge_response(challenge, sm->user->password, 761 sm->user->password_len, nt_response); 762 763 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) { 764 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response"); 765 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED : 766 SUCCESS); 767 } else { 768 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response"); 769 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received", 770 response + 2 + 24, 24); 771 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected", 772 nt_response, 24); 773 eap_ttls_state(data, FAILURE); 774 } 775 } 776 777 778 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 779 struct eap_ttls_data *data, 780 u8 *challenge, 781 size_t challenge_len, 782 u8 *response, size_t response_len) 783 { 784 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge, 785 *auth_challenge; 786 size_t username_len, i; 787 788 if (challenge == NULL || response == NULL || 789 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN || 790 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) { 791 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 " 792 "attributes (challenge len %lu response len %lu)", 793 (unsigned long) challenge_len, 794 (unsigned long) response_len); 795 eap_ttls_state(data, FAILURE); 796 return; 797 } 798 799 if (!sm->user || !sm->user->password || 800 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) { 801 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password " 802 "configured"); 803 eap_ttls_state(data, FAILURE); 804 return; 805 } 806 807 /* MSCHAPv2 does not include optional domain name in the 808 * challenge-response calculation, so remove domain prefix 809 * (if present). */ 810 username = sm->identity; 811 username_len = sm->identity_len; 812 for (i = 0; i < username_len; i++) { 813 if (username[i] == '\\') { 814 username_len -= i + 1; 815 username += i + 1; 816 break; 817 } 818 } 819 820 chal = eap_ttls_implicit_challenge( 821 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 822 if (chal == NULL) { 823 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate " 824 "challenge from TLS data"); 825 eap_ttls_state(data, FAILURE); 826 return; 827 } 828 829 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 || 830 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) { 831 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch"); 832 os_free(chal); 833 eap_ttls_state(data, FAILURE); 834 return; 835 } 836 os_free(chal); 837 838 auth_challenge = challenge; 839 peer_challenge = response + 2; 840 841 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User", 842 username, username_len); 843 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge", 844 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 845 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge", 846 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 847 848 if (sm->user->password_hash) { 849 generate_nt_response_pwhash(auth_challenge, peer_challenge, 850 username, username_len, 851 sm->user->password, 852 nt_response); 853 } else { 854 generate_nt_response(auth_challenge, peer_challenge, 855 username, username_len, 856 sm->user->password, 857 sm->user->password_len, 858 nt_response); 859 } 860 861 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8; 862 if (os_memcmp(nt_response, rx_resp, 24) == 0) { 863 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct " 864 "NT-Response"); 865 data->mschapv2_resp_ok = 1; 866 if (data->ttls_version > 0) { 867 const u8 *pw_hash; 868 u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16]; 869 u8 session_key[2 * MSCHAPV2_KEY_LEN]; 870 871 if (sm->user->password_hash) 872 pw_hash = sm->user->password; 873 else { 874 nt_password_hash(sm->user->password, 875 sm->user->password_len, 876 pw_hash_buf); 877 pw_hash = pw_hash_buf; 878 } 879 hash_nt_password_hash(pw_hash, pw_hash_hash); 880 get_master_key(pw_hash_hash, nt_response, master_key); 881 get_asymetric_start_key(master_key, session_key, 882 MSCHAPV2_KEY_LEN, 0, 0); 883 get_asymetric_start_key(master_key, 884 session_key + MSCHAPV2_KEY_LEN, 885 MSCHAPV2_KEY_LEN, 1, 0); 886 eap_ttls_ia_permute_inner_secret(sm, data, 887 session_key, 888 sizeof(session_key)); 889 } 890 891 if (sm->user->password_hash) { 892 generate_authenticator_response_pwhash( 893 sm->user->password, 894 peer_challenge, auth_challenge, 895 username, username_len, nt_response, 896 data->mschapv2_auth_response); 897 } else { 898 generate_authenticator_response( 899 sm->user->password, sm->user->password_len, 900 peer_challenge, auth_challenge, 901 username, username_len, nt_response, 902 data->mschapv2_auth_response); 903 } 904 } else { 905 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid " 906 "NT-Response"); 907 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received", 908 rx_resp, 24); 909 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected", 910 nt_response, 24); 911 data->mschapv2_resp_ok = 0; 912 } 913 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP); 914 data->mschapv2_ident = response[0]; 915 } 916 917 918 static int eap_ttls_phase2_eap_init(struct eap_sm *sm, 919 struct eap_ttls_data *data, 920 EapType eap_type) 921 { 922 if (data->phase2_priv && data->phase2_method) { 923 data->phase2_method->reset(sm, data->phase2_priv); 924 data->phase2_method = NULL; 925 data->phase2_priv = NULL; 926 } 927 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 928 eap_type); 929 if (!data->phase2_method) 930 return -1; 931 932 sm->init_phase2 = 1; 933 data->phase2_priv = data->phase2_method->init(sm); 934 sm->init_phase2 = 0; 935 return data->phase2_priv == NULL ? -1 : 0; 936 } 937 938 939 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm, 940 struct eap_ttls_data *data, 941 u8 *in_data, size_t in_len) 942 { 943 u8 next_type = EAP_TYPE_NONE; 944 struct eap_hdr *hdr; 945 u8 *pos; 946 size_t left; 947 struct wpabuf buf; 948 const struct eap_method *m = data->phase2_method; 949 void *priv = data->phase2_priv; 950 951 if (priv == NULL) { 952 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not " 953 "initialized?!", __func__); 954 return; 955 } 956 957 hdr = (struct eap_hdr *) in_data; 958 pos = (u8 *) (hdr + 1); 959 960 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 961 left = in_len - sizeof(*hdr); 962 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; " 963 "allowed types", pos + 1, left - 1); 964 eap_sm_process_nak(sm, pos + 1, left - 1); 965 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 966 sm->user->methods[sm->user_eap_method_index].method != 967 EAP_TYPE_NONE) { 968 next_type = sm->user->methods[ 969 sm->user_eap_method_index++].method; 970 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", 971 next_type); 972 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 973 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to " 974 "initialize EAP type %d", 975 next_type); 976 eap_ttls_state(data, FAILURE); 977 return; 978 } 979 } else { 980 eap_ttls_state(data, FAILURE); 981 } 982 return; 983 } 984 985 wpabuf_set(&buf, in_data, in_len); 986 987 if (m->check(sm, priv, &buf)) { 988 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to " 989 "ignore the packet"); 990 return; 991 } 992 993 m->process(sm, priv, &buf); 994 995 if (sm->method_pending == METHOD_PENDING_WAIT) { 996 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in " 997 "pending wait state - save decrypted response"); 998 wpabuf_free(data->pending_phase2_eap_resp); 999 data->pending_phase2_eap_resp = wpabuf_dup(&buf); 1000 } 1001 1002 if (!m->isDone(sm, priv)) 1003 return; 1004 1005 if (!m->isSuccess(sm, priv)) { 1006 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed"); 1007 eap_ttls_state(data, FAILURE); 1008 return; 1009 } 1010 1011 switch (data->state) { 1012 case PHASE2_START: 1013 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1014 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 " 1015 "Identity not found in the user " 1016 "database", 1017 sm->identity, sm->identity_len); 1018 eap_ttls_state(data, FAILURE); 1019 break; 1020 } 1021 1022 eap_ttls_state(data, PHASE2_METHOD); 1023 next_type = sm->user->methods[0].method; 1024 sm->user_eap_method_index = 1; 1025 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type); 1026 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 1027 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize " 1028 "EAP type %d", next_type); 1029 eap_ttls_state(data, FAILURE); 1030 } 1031 break; 1032 case PHASE2_METHOD: 1033 if (data->ttls_version > 0) { 1034 if (m->getKey) { 1035 u8 *key; 1036 size_t key_len; 1037 key = m->getKey(sm, priv, &key_len); 1038 eap_ttls_ia_permute_inner_secret(sm, data, 1039 key, key_len); 1040 } 1041 eap_ttls_state(data, PHASE_FINISHED); 1042 } else 1043 eap_ttls_state(data, SUCCESS); 1044 break; 1045 case FAILURE: 1046 break; 1047 default: 1048 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 1049 __func__, data->state); 1050 break; 1051 } 1052 } 1053 1054 1055 static void eap_ttls_process_phase2_eap(struct eap_sm *sm, 1056 struct eap_ttls_data *data, 1057 const u8 *eap, size_t eap_len) 1058 { 1059 struct eap_hdr *hdr; 1060 size_t len; 1061 1062 if (data->state == PHASE2_START) { 1063 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2"); 1064 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0) 1065 { 1066 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to " 1067 "initialize EAP-Identity"); 1068 return; 1069 } 1070 } 1071 1072 if (eap_len < sizeof(*hdr)) { 1073 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP " 1074 "packet (len=%lu)", (unsigned long) eap_len); 1075 return; 1076 } 1077 1078 hdr = (struct eap_hdr *) eap; 1079 len = be_to_host16(hdr->length); 1080 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d " 1081 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1082 (unsigned long) len); 1083 if (len > eap_len) { 1084 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2" 1085 " EAP frame (hdr len=%lu, data len in AVP=%lu)", 1086 (unsigned long) len, (unsigned long) eap_len); 1087 return; 1088 } 1089 1090 switch (hdr->code) { 1091 case EAP_CODE_RESPONSE: 1092 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr, 1093 len); 1094 break; 1095 default: 1096 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in " 1097 "Phase 2 EAP header", hdr->code); 1098 break; 1099 } 1100 } 1101 1102 1103 static void eap_ttls_process_phase2(struct eap_sm *sm, 1104 struct eap_ttls_data *data, 1105 struct wpabuf *in_buf) 1106 { 1107 struct wpabuf *in_decrypted; 1108 struct eap_ttls_avp parse; 1109 1110 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1111 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 1112 1113 if (data->pending_phase2_eap_resp) { 1114 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response " 1115 "- skip decryption and use old data"); 1116 eap_ttls_process_phase2_eap( 1117 sm, data, wpabuf_head(data->pending_phase2_eap_resp), 1118 wpabuf_len(data->pending_phase2_eap_resp)); 1119 wpabuf_free(data->pending_phase2_eap_resp); 1120 data->pending_phase2_eap_resp = NULL; 1121 return; 1122 } 1123 1124 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1125 in_buf); 1126 if (in_decrypted == NULL) { 1127 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 " 1128 "data"); 1129 eap_ttls_state(data, FAILURE); 1130 return; 1131 } 1132 1133 if (data->state == PHASE_FINISHED) { 1134 if (wpabuf_len(in_decrypted) == 0 && 1135 tls_connection_ia_final_phase_finished(sm->ssl_ctx, 1136 data->ssl.conn)) { 1137 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished " 1138 "received"); 1139 eap_ttls_state(data, SUCCESS); 1140 } else { 1141 wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid " 1142 "FinalPhaseFinished"); 1143 eap_ttls_state(data, FAILURE); 1144 } 1145 1146 wpabuf_free(in_decrypted); 1147 return; 1148 } 1149 1150 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP", 1151 in_decrypted); 1152 1153 if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) { 1154 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs"); 1155 wpabuf_free(in_decrypted); 1156 eap_ttls_state(data, FAILURE); 1157 return; 1158 } 1159 1160 if (parse.user_name) { 1161 os_free(sm->identity); 1162 sm->identity = os_malloc(parse.user_name_len); 1163 if (sm->identity) { 1164 os_memcpy(sm->identity, parse.user_name, 1165 parse.user_name_len); 1166 sm->identity_len = parse.user_name_len; 1167 } 1168 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1) 1169 != 0) { 1170 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not " 1171 "found in the user database"); 1172 eap_ttls_state(data, FAILURE); 1173 goto done; 1174 } 1175 } 1176 1177 #ifdef EAP_SERVER_TNC 1178 if (data->tnc_started && parse.eap == NULL) { 1179 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP " 1180 "response from peer"); 1181 eap_ttls_state(data, FAILURE); 1182 goto done; 1183 } 1184 #endif /* EAP_SERVER_TNC */ 1185 1186 if (parse.eap) { 1187 eap_ttls_process_phase2_eap(sm, data, parse.eap, 1188 parse.eap_len); 1189 } else if (parse.user_password) { 1190 eap_ttls_process_phase2_pap(sm, data, parse.user_password, 1191 parse.user_password_len); 1192 } else if (parse.chap_password) { 1193 eap_ttls_process_phase2_chap(sm, data, 1194 parse.chap_challenge, 1195 parse.chap_challenge_len, 1196 parse.chap_password, 1197 parse.chap_password_len); 1198 } else if (parse.mschap_response) { 1199 eap_ttls_process_phase2_mschap(sm, data, 1200 parse.mschap_challenge, 1201 parse.mschap_challenge_len, 1202 parse.mschap_response, 1203 parse.mschap_response_len); 1204 } else if (parse.mschap2_response) { 1205 eap_ttls_process_phase2_mschapv2(sm, data, 1206 parse.mschap_challenge, 1207 parse.mschap_challenge_len, 1208 parse.mschap2_response, 1209 parse.mschap2_response_len); 1210 } 1211 1212 done: 1213 wpabuf_free(in_decrypted); 1214 os_free(parse.eap); 1215 } 1216 1217 1218 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data) 1219 { 1220 #ifdef EAP_SERVER_TNC 1221 if (!sm->tnc || data->state != SUCCESS || data->tnc_started) 1222 return; 1223 1224 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC"); 1225 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) { 1226 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC"); 1227 eap_ttls_state(data, FAILURE); 1228 return; 1229 } 1230 1231 data->tnc_started = 1; 1232 eap_ttls_state(data, PHASE2_METHOD); 1233 #endif /* EAP_SERVER_TNC */ 1234 } 1235 1236 1237 static int eap_ttls_process_version(struct eap_sm *sm, void *priv, 1238 int peer_version) 1239 { 1240 struct eap_ttls_data *data = priv; 1241 if (peer_version < data->ttls_version) { 1242 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; " 1243 "use version %d", 1244 peer_version, data->ttls_version, peer_version); 1245 data->ttls_version = peer_version; 1246 } 1247 1248 if (data->ttls_version > 0 && !data->tls_ia_configured) { 1249 if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) { 1250 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable " 1251 "TLS/IA"); 1252 return -1; 1253 } 1254 data->tls_ia_configured = 1; 1255 } 1256 1257 return 0; 1258 } 1259 1260 1261 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv, 1262 const struct wpabuf *respData) 1263 { 1264 struct eap_ttls_data *data = priv; 1265 1266 switch (data->state) { 1267 case PHASE1: 1268 if (eap_server_tls_phase1(sm, &data->ssl) < 0) 1269 eap_ttls_state(data, FAILURE); 1270 break; 1271 case PHASE2_START: 1272 case PHASE2_METHOD: 1273 case PHASE_FINISHED: 1274 eap_ttls_process_phase2(sm, data, data->ssl.tls_in); 1275 eap_ttls_start_tnc(sm, data); 1276 break; 1277 case PHASE2_MSCHAPV2_RESP: 1278 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) == 1279 0) { 1280 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1281 "acknowledged response"); 1282 eap_ttls_state(data, data->ttls_version > 0 ? 1283 PHASE_FINISHED : SUCCESS); 1284 } else if (!data->mschapv2_resp_ok) { 1285 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1286 "acknowledged error"); 1287 eap_ttls_state(data, FAILURE); 1288 } else { 1289 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected " 1290 "frame from peer (payload len %lu, " 1291 "expected empty frame)", 1292 (unsigned long) 1293 wpabuf_len(data->ssl.tls_in)); 1294 eap_ttls_state(data, FAILURE); 1295 } 1296 eap_ttls_start_tnc(sm, data); 1297 break; 1298 default: 1299 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s", 1300 data->state, __func__); 1301 break; 1302 } 1303 } 1304 1305 1306 static void eap_ttls_process(struct eap_sm *sm, void *priv, 1307 struct wpabuf *respData) 1308 { 1309 struct eap_ttls_data *data = priv; 1310 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1311 EAP_TYPE_TTLS, eap_ttls_process_version, 1312 eap_ttls_process_msg) < 0) 1313 eap_ttls_state(data, FAILURE); 1314 } 1315 1316 1317 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv) 1318 { 1319 struct eap_ttls_data *data = priv; 1320 return data->state == SUCCESS || data->state == FAILURE; 1321 } 1322 1323 1324 static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm, 1325 struct eap_ttls_data *data) 1326 { 1327 struct tls_keys keys; 1328 u8 *rnd, *key; 1329 1330 os_memset(&keys, 0, sizeof(keys)); 1331 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) || 1332 keys.client_random == NULL || keys.server_random == NULL || 1333 keys.inner_secret == NULL) { 1334 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, " 1335 "client random, or server random to derive keying " 1336 "material"); 1337 return NULL; 1338 } 1339 1340 rnd = os_malloc(keys.client_random_len + keys.server_random_len); 1341 key = os_malloc(EAP_TLS_KEY_LEN); 1342 if (rnd == NULL || key == NULL) { 1343 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation"); 1344 os_free(rnd); 1345 os_free(key); 1346 return NULL; 1347 } 1348 os_memcpy(rnd, keys.client_random, keys.client_random_len); 1349 os_memcpy(rnd + keys.client_random_len, keys.server_random, 1350 keys.server_random_len); 1351 1352 if (tls_prf(keys.inner_secret, keys.inner_secret_len, 1353 "ttls v1 keying material", rnd, keys.client_random_len + 1354 keys.server_random_len, key, EAP_TLS_KEY_LEN)) { 1355 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 1356 os_free(rnd); 1357 os_free(key); 1358 return NULL; 1359 } 1360 1361 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random", 1362 rnd, keys.client_random_len + keys.server_random_len); 1363 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret", 1364 keys.inner_secret, keys.inner_secret_len); 1365 1366 os_free(rnd); 1367 1368 return key; 1369 } 1370 1371 1372 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1373 { 1374 struct eap_ttls_data *data = priv; 1375 u8 *eapKeyData; 1376 1377 if (data->state != SUCCESS) 1378 return NULL; 1379 1380 if (data->ttls_version == 0) { 1381 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, 1382 "ttls keying material", 1383 EAP_TLS_KEY_LEN); 1384 } else { 1385 eapKeyData = eap_ttls_v1_derive_key(sm, data); 1386 } 1387 1388 if (eapKeyData) { 1389 *len = EAP_TLS_KEY_LEN; 1390 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 1391 eapKeyData, EAP_TLS_KEY_LEN); 1392 } else { 1393 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 1394 } 1395 1396 return eapKeyData; 1397 } 1398 1399 1400 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv) 1401 { 1402 struct eap_ttls_data *data = priv; 1403 return data->state == SUCCESS; 1404 } 1405 1406 1407 int eap_server_ttls_register(void) 1408 { 1409 struct eap_method *eap; 1410 int ret; 1411 1412 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1413 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1414 if (eap == NULL) 1415 return -1; 1416 1417 eap->init = eap_ttls_init; 1418 eap->reset = eap_ttls_reset; 1419 eap->buildReq = eap_ttls_buildReq; 1420 eap->check = eap_ttls_check; 1421 eap->process = eap_ttls_process; 1422 eap->isDone = eap_ttls_isDone; 1423 eap->getKey = eap_ttls_getKey; 1424 eap->isSuccess = eap_ttls_isSuccess; 1425 1426 ret = eap_server_method_register(eap); 1427 if (ret) 1428 eap_server_method_free(eap); 1429 return ret; 1430 } 1431