1 /* 2 * hostapd / EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2008, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "eap_server/eap_i.h" 19 #include "eap_server/eap_tls_common.h" 20 #include "ms_funcs.h" 21 #include "sha1.h" 22 #include "eap_common/chap.h" 23 #include "tls.h" 24 #include "eap_common/eap_ttls.h" 25 26 27 /* Maximum supported TTLS version 28 * 0 = RFC 5281 29 * 1 = draft-funk-eap-ttls-v1-00.txt 30 */ 31 #ifndef EAP_TTLS_VERSION 32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */ 33 #endif /* EAP_TTLS_VERSION */ 34 35 36 #define MSCHAPV2_KEY_LEN 16 37 38 39 static void eap_ttls_reset(struct eap_sm *sm, void *priv); 40 41 42 struct eap_ttls_data { 43 struct eap_ssl_data ssl; 44 enum { 45 START, PHASE1, PHASE2_START, PHASE2_METHOD, 46 PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE 47 } state; 48 49 int ttls_version; 50 int force_version; 51 const struct eap_method *phase2_method; 52 void *phase2_priv; 53 int mschapv2_resp_ok; 54 u8 mschapv2_auth_response[20]; 55 u8 mschapv2_ident; 56 int tls_ia_configured; 57 struct wpabuf *pending_phase2_eap_resp; 58 int tnc_started; 59 }; 60 61 62 static const char * eap_ttls_state_txt(int state) 63 { 64 switch (state) { 65 case START: 66 return "START"; 67 case PHASE1: 68 return "PHASE1"; 69 case PHASE2_START: 70 return "PHASE2_START"; 71 case PHASE2_METHOD: 72 return "PHASE2_METHOD"; 73 case PHASE2_MSCHAPV2_RESP: 74 return "PHASE2_MSCHAPV2_RESP"; 75 case PHASE_FINISHED: 76 return "PHASE_FINISHED"; 77 case SUCCESS: 78 return "SUCCESS"; 79 case FAILURE: 80 return "FAILURE"; 81 default: 82 return "Unknown?!"; 83 } 84 } 85 86 87 static void eap_ttls_state(struct eap_ttls_data *data, int state) 88 { 89 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s", 90 eap_ttls_state_txt(data->state), 91 eap_ttls_state_txt(state)); 92 data->state = state; 93 } 94 95 96 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 97 int mandatory, size_t len) 98 { 99 struct ttls_avp_vendor *avp; 100 u8 flags; 101 size_t hdrlen; 102 103 avp = (struct ttls_avp_vendor *) avphdr; 104 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 105 if (vendor_id) { 106 flags |= AVP_FLAGS_VENDOR; 107 hdrlen = sizeof(*avp); 108 avp->vendor_id = host_to_be32(vendor_id); 109 } else { 110 hdrlen = sizeof(struct ttls_avp); 111 } 112 113 avp->avp_code = host_to_be32(avp_code); 114 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len)); 115 116 return avphdr + hdrlen; 117 } 118 119 120 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp, 121 u32 avp_code, int mandatory) 122 { 123 struct wpabuf *avp; 124 u8 *pos; 125 126 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4); 127 if (avp == NULL) { 128 wpabuf_free(resp); 129 return NULL; 130 } 131 132 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory, 133 wpabuf_len(resp)); 134 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp)); 135 pos += wpabuf_len(resp); 136 AVP_PAD((const u8 *) wpabuf_head(avp), pos); 137 wpabuf_free(resp); 138 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp)); 139 return avp; 140 } 141 142 143 struct eap_ttls_avp { 144 /* Note: eap is allocated memory; caller is responsible for freeing 145 * it. All the other pointers are pointing to the packet data, i.e., 146 * they must not be freed separately. */ 147 u8 *eap; 148 size_t eap_len; 149 u8 *user_name; 150 size_t user_name_len; 151 u8 *user_password; 152 size_t user_password_len; 153 u8 *chap_challenge; 154 size_t chap_challenge_len; 155 u8 *chap_password; 156 size_t chap_password_len; 157 u8 *mschap_challenge; 158 size_t mschap_challenge_len; 159 u8 *mschap_response; 160 size_t mschap_response_len; 161 u8 *mschap2_response; 162 size_t mschap2_response_len; 163 }; 164 165 166 static int eap_ttls_avp_parse(u8 *buf, size_t len, struct eap_ttls_avp *parse) 167 { 168 struct ttls_avp *avp; 169 u8 *pos; 170 int left; 171 172 pos = buf; 173 left = len; 174 os_memset(parse, 0, sizeof(*parse)); 175 176 while (left > 0) { 177 u32 avp_code, avp_length, vendor_id = 0; 178 u8 avp_flags, *dpos; 179 size_t pad, dlen; 180 avp = (struct ttls_avp *) pos; 181 avp_code = be_to_host32(avp->avp_code); 182 avp_length = be_to_host32(avp->avp_length); 183 avp_flags = (avp_length >> 24) & 0xff; 184 avp_length &= 0xffffff; 185 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 186 "length=%d", (int) avp_code, avp_flags, 187 (int) avp_length); 188 if ((int) avp_length > left) { 189 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 190 "(len=%d, left=%d) - dropped", 191 (int) avp_length, left); 192 goto fail; 193 } 194 if (avp_length < sizeof(*avp)) { 195 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length " 196 "%d", avp_length); 197 goto fail; 198 } 199 dpos = (u8 *) (avp + 1); 200 dlen = avp_length - sizeof(*avp); 201 if (avp_flags & AVP_FLAGS_VENDOR) { 202 if (dlen < 4) { 203 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP " 204 "underflow"); 205 goto fail; 206 } 207 vendor_id = be_to_host32(* (be32 *) dpos); 208 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 209 (int) vendor_id); 210 dpos += 4; 211 dlen -= 4; 212 } 213 214 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 215 216 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 217 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 218 if (parse->eap == NULL) { 219 parse->eap = os_malloc(dlen); 220 if (parse->eap == NULL) { 221 wpa_printf(MSG_WARNING, "EAP-TTLS: " 222 "failed to allocate memory " 223 "for Phase 2 EAP data"); 224 goto fail; 225 } 226 os_memcpy(parse->eap, dpos, dlen); 227 parse->eap_len = dlen; 228 } else { 229 u8 *neweap = os_realloc(parse->eap, 230 parse->eap_len + dlen); 231 if (neweap == NULL) { 232 wpa_printf(MSG_WARNING, "EAP-TTLS: " 233 "failed to allocate memory " 234 "for Phase 2 EAP data"); 235 goto fail; 236 } 237 os_memcpy(neweap + parse->eap_len, dpos, dlen); 238 parse->eap = neweap; 239 parse->eap_len += dlen; 240 } 241 } else if (vendor_id == 0 && 242 avp_code == RADIUS_ATTR_USER_NAME) { 243 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name", 244 dpos, dlen); 245 parse->user_name = dpos; 246 parse->user_name_len = dlen; 247 } else if (vendor_id == 0 && 248 avp_code == RADIUS_ATTR_USER_PASSWORD) { 249 u8 *password = dpos; 250 size_t password_len = dlen; 251 while (password_len > 0 && 252 password[password_len - 1] == '\0') { 253 password_len--; 254 } 255 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: " 256 "User-Password (PAP)", 257 password, password_len); 258 parse->user_password = password; 259 parse->user_password_len = password_len; 260 } else if (vendor_id == 0 && 261 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) { 262 wpa_hexdump(MSG_DEBUG, 263 "EAP-TTLS: CHAP-Challenge (CHAP)", 264 dpos, dlen); 265 parse->chap_challenge = dpos; 266 parse->chap_challenge_len = dlen; 267 } else if (vendor_id == 0 && 268 avp_code == RADIUS_ATTR_CHAP_PASSWORD) { 269 wpa_hexdump(MSG_DEBUG, 270 "EAP-TTLS: CHAP-Password (CHAP)", 271 dpos, dlen); 272 parse->chap_password = dpos; 273 parse->chap_password_len = dlen; 274 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 275 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) { 276 wpa_hexdump(MSG_DEBUG, 277 "EAP-TTLS: MS-CHAP-Challenge", 278 dpos, dlen); 279 parse->mschap_challenge = dpos; 280 parse->mschap_challenge_len = dlen; 281 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 282 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) { 283 wpa_hexdump(MSG_DEBUG, 284 "EAP-TTLS: MS-CHAP-Response (MSCHAP)", 285 dpos, dlen); 286 parse->mschap_response = dpos; 287 parse->mschap_response_len = dlen; 288 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 289 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) { 290 wpa_hexdump(MSG_DEBUG, 291 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)", 292 dpos, dlen); 293 parse->mschap2_response = dpos; 294 parse->mschap2_response_len = dlen; 295 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 296 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported " 297 "mandatory AVP code %d vendor_id %d - " 298 "dropped", (int) avp_code, (int) vendor_id); 299 goto fail; 300 } else { 301 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported " 302 "AVP code %d vendor_id %d", 303 (int) avp_code, (int) vendor_id); 304 } 305 306 pad = (4 - (avp_length & 3)) & 3; 307 pos += avp_length + pad; 308 left -= avp_length + pad; 309 } 310 311 return 0; 312 313 fail: 314 os_free(parse->eap); 315 parse->eap = NULL; 316 return -1; 317 } 318 319 320 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 321 struct eap_ttls_data *data, size_t len) 322 { 323 struct tls_keys keys; 324 u8 *challenge, *rnd; 325 326 if (data->ttls_version == 0) { 327 return eap_server_tls_derive_key(sm, &data->ssl, 328 "ttls challenge", len); 329 } 330 331 os_memset(&keys, 0, sizeof(keys)); 332 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) || 333 keys.client_random == NULL || keys.server_random == NULL || 334 keys.inner_secret == NULL) { 335 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, " 336 "client random, or server random to derive " 337 "implicit challenge"); 338 return NULL; 339 } 340 341 rnd = os_malloc(keys.client_random_len + keys.server_random_len); 342 challenge = os_malloc(len); 343 if (rnd == NULL || challenge == NULL) { 344 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit " 345 "challenge derivation"); 346 os_free(rnd); 347 os_free(challenge); 348 return NULL; 349 } 350 os_memcpy(rnd, keys.server_random, keys.server_random_len); 351 os_memcpy(rnd + keys.server_random_len, keys.client_random, 352 keys.client_random_len); 353 354 if (tls_prf(keys.inner_secret, keys.inner_secret_len, 355 "inner application challenge", rnd, 356 keys.client_random_len + keys.server_random_len, 357 challenge, len)) { 358 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit " 359 "challenge"); 360 os_free(rnd); 361 os_free(challenge); 362 return NULL; 363 } 364 365 os_free(rnd); 366 367 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge", 368 challenge, len); 369 370 return challenge; 371 } 372 373 374 static void * eap_ttls_init(struct eap_sm *sm) 375 { 376 struct eap_ttls_data *data; 377 378 data = os_zalloc(sizeof(*data)); 379 if (data == NULL) 380 return NULL; 381 data->ttls_version = EAP_TTLS_VERSION; 382 data->force_version = -1; 383 if (sm->user && sm->user->force_version >= 0) { 384 data->force_version = sm->user->force_version; 385 wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d", 386 data->force_version); 387 data->ttls_version = data->force_version; 388 } 389 data->state = START; 390 391 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) && 392 data->ttls_version > 0) { 393 if (data->force_version > 0) { 394 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and " 395 "TLS library does not support TLS/IA.", 396 data->force_version); 397 eap_ttls_reset(sm, data); 398 return NULL; 399 } 400 data->ttls_version = 0; 401 } 402 403 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 404 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 405 eap_ttls_reset(sm, data); 406 return NULL; 407 } 408 409 return data; 410 } 411 412 413 static void eap_ttls_reset(struct eap_sm *sm, void *priv) 414 { 415 struct eap_ttls_data *data = priv; 416 if (data == NULL) 417 return; 418 if (data->phase2_priv && data->phase2_method) 419 data->phase2_method->reset(sm, data->phase2_priv); 420 eap_server_tls_ssl_deinit(sm, &data->ssl); 421 wpabuf_free(data->pending_phase2_eap_resp); 422 os_free(data); 423 } 424 425 426 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm, 427 struct eap_ttls_data *data, u8 id) 428 { 429 struct wpabuf *req; 430 431 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1, 432 EAP_CODE_REQUEST, id); 433 if (req == NULL) { 434 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for" 435 " request"); 436 eap_ttls_state(data, FAILURE); 437 return NULL; 438 } 439 440 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version); 441 442 eap_ttls_state(data, PHASE1); 443 444 return req; 445 } 446 447 448 static struct wpabuf * eap_ttls_build_phase2_eap_req( 449 struct eap_sm *sm, struct eap_ttls_data *data, u8 id) 450 { 451 struct wpabuf *buf, *encr_req; 452 u8 *req; 453 size_t req_len; 454 455 456 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id); 457 if (buf == NULL) 458 return NULL; 459 460 wpa_hexdump_buf_key(MSG_DEBUG, 461 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf); 462 463 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1); 464 if (buf == NULL) { 465 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate " 466 "packet"); 467 return NULL; 468 } 469 470 req = wpabuf_mhead(buf); 471 req_len = wpabuf_len(buf); 472 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated Phase " 473 "2 data", req, req_len); 474 475 encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len); 476 wpabuf_free(buf); 477 478 return encr_req; 479 } 480 481 482 static struct wpabuf * eap_ttls_build_phase2_mschapv2( 483 struct eap_sm *sm, struct eap_ttls_data *data) 484 { 485 struct wpabuf *encr_req; 486 u8 *req, *pos, *end; 487 int ret; 488 size_t req_len; 489 490 pos = req = os_malloc(100); 491 if (req == NULL) 492 return NULL; 493 end = req + 100; 494 495 if (data->mschapv2_resp_ok) { 496 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS, 497 RADIUS_VENDOR_ID_MICROSOFT, 1, 43); 498 *pos++ = data->mschapv2_ident; 499 ret = os_snprintf((char *) pos, end - pos, "S="); 500 if (ret >= 0 && ret < end - pos) 501 pos += ret; 502 pos += wpa_snprintf_hex_uppercase( 503 (char *) pos, end - pos, data->mschapv2_auth_response, 504 sizeof(data->mschapv2_auth_response)); 505 } else { 506 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR, 507 RADIUS_VENDOR_ID_MICROSOFT, 1, 6); 508 os_memcpy(pos, "Failed", 6); 509 pos += 6; 510 AVP_PAD(req, pos); 511 } 512 513 req_len = pos - req; 514 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 " 515 "data", req, req_len); 516 517 encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len); 518 os_free(req); 519 520 return encr_req; 521 } 522 523 524 static struct wpabuf * eap_ttls_build_phase_finished( 525 struct eap_sm *sm, struct eap_ttls_data *data, int final) 526 { 527 int len; 528 struct wpabuf *req; 529 const int max_len = 300; 530 531 req = wpabuf_alloc(max_len); 532 if (req == NULL) 533 return NULL; 534 535 len = tls_connection_ia_send_phase_finished(sm->ssl_ctx, 536 data->ssl.conn, final, 537 wpabuf_mhead(req), 538 max_len); 539 if (len < 0) { 540 wpabuf_free(req); 541 return NULL; 542 } 543 wpabuf_put(req, len); 544 545 return req; 546 } 547 548 549 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id) 550 { 551 struct eap_ttls_data *data = priv; 552 553 if (data->ssl.state == FRAG_ACK) { 554 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS, 555 data->ttls_version); 556 } 557 558 if (data->ssl.state == WAIT_FRAG_ACK) { 559 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 560 data->ttls_version, id); 561 } 562 563 switch (data->state) { 564 case START: 565 return eap_ttls_build_start(sm, data, id); 566 case PHASE1: 567 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 568 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, " 569 "starting Phase2"); 570 eap_ttls_state(data, PHASE2_START); 571 } 572 break; 573 case PHASE2_METHOD: 574 wpabuf_free(data->ssl.out_buf); 575 data->ssl.out_used = 0; 576 data->ssl.out_buf = eap_ttls_build_phase2_eap_req(sm, data, 577 id); 578 break; 579 case PHASE2_MSCHAPV2_RESP: 580 wpabuf_free(data->ssl.out_buf); 581 data->ssl.out_used = 0; 582 data->ssl.out_buf = eap_ttls_build_phase2_mschapv2(sm, data); 583 break; 584 case PHASE_FINISHED: 585 wpabuf_free(data->ssl.out_buf); 586 data->ssl.out_used = 0; 587 data->ssl.out_buf = eap_ttls_build_phase_finished(sm, data, 1); 588 break; 589 default: 590 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 591 __func__, data->state); 592 return NULL; 593 } 594 595 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 596 data->ttls_version, id); 597 } 598 599 600 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv, 601 struct wpabuf *respData) 602 { 603 const u8 *pos; 604 size_t len; 605 606 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len); 607 if (pos == NULL || len < 1) { 608 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame"); 609 return TRUE; 610 } 611 612 return FALSE; 613 } 614 615 616 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm, 617 struct eap_ttls_data *data, 618 const u8 *key, size_t key_len) 619 { 620 u8 *buf; 621 size_t buf_len; 622 int ret; 623 624 if (key) { 625 buf_len = 2 + key_len; 626 buf = os_malloc(buf_len); 627 if (buf == NULL) 628 return -1; 629 WPA_PUT_BE16(buf, key_len); 630 os_memcpy(buf + 2, key, key_len); 631 } else { 632 buf = NULL; 633 buf_len = 0; 634 } 635 636 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner " 637 "secret permutation", buf, buf_len); 638 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx, 639 data->ssl.conn, 640 buf, buf_len); 641 os_free(buf); 642 643 return ret; 644 } 645 646 647 static void eap_ttls_process_phase2_pap(struct eap_sm *sm, 648 struct eap_ttls_data *data, 649 const u8 *user_password, 650 size_t user_password_len) 651 { 652 if (!sm->user || !sm->user->password || sm->user->password_hash || 653 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) { 654 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user " 655 "password configured"); 656 eap_ttls_state(data, FAILURE); 657 return; 658 } 659 660 if (sm->user->password_len != user_password_len || 661 os_memcmp(sm->user->password, user_password, user_password_len) != 662 0) { 663 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password"); 664 eap_ttls_state(data, FAILURE); 665 return; 666 } 667 668 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password"); 669 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED : 670 SUCCESS); 671 } 672 673 674 static void eap_ttls_process_phase2_chap(struct eap_sm *sm, 675 struct eap_ttls_data *data, 676 const u8 *challenge, 677 size_t challenge_len, 678 const u8 *password, 679 size_t password_len) 680 { 681 u8 *chal, hash[CHAP_MD5_LEN]; 682 683 if (challenge == NULL || password == NULL || 684 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN || 685 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) { 686 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes " 687 "(challenge len %lu password len %lu)", 688 (unsigned long) challenge_len, 689 (unsigned long) password_len); 690 eap_ttls_state(data, FAILURE); 691 return; 692 } 693 694 if (!sm->user || !sm->user->password || sm->user->password_hash || 695 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) { 696 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user " 697 "password configured"); 698 eap_ttls_state(data, FAILURE); 699 return; 700 } 701 702 chal = eap_ttls_implicit_challenge(sm, data, 703 EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 704 if (chal == NULL) { 705 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate " 706 "challenge from TLS data"); 707 eap_ttls_state(data, FAILURE); 708 return; 709 } 710 711 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 || 712 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) { 713 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch"); 714 os_free(chal); 715 eap_ttls_state(data, FAILURE); 716 return; 717 } 718 os_free(chal); 719 720 /* MD5(Ident + Password + Challenge) */ 721 chap_md5(password[0], sm->user->password, sm->user->password_len, 722 challenge, challenge_len, hash); 723 724 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) { 725 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password"); 726 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED : 727 SUCCESS); 728 } else { 729 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password"); 730 eap_ttls_state(data, FAILURE); 731 } 732 } 733 734 735 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm, 736 struct eap_ttls_data *data, 737 u8 *challenge, size_t challenge_len, 738 u8 *response, size_t response_len) 739 { 740 u8 *chal, nt_response[24]; 741 742 if (challenge == NULL || response == NULL || 743 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN || 744 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) { 745 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP " 746 "attributes (challenge len %lu response len %lu)", 747 (unsigned long) challenge_len, 748 (unsigned long) response_len); 749 eap_ttls_state(data, FAILURE); 750 return; 751 } 752 753 if (!sm->user || !sm->user->password || 754 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) { 755 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password " 756 "configured"); 757 eap_ttls_state(data, FAILURE); 758 return; 759 } 760 761 chal = eap_ttls_implicit_challenge(sm, data, 762 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 763 if (chal == NULL) { 764 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate " 765 "challenge from TLS data"); 766 eap_ttls_state(data, FAILURE); 767 return; 768 } 769 770 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 || 771 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) { 772 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch"); 773 os_free(chal); 774 eap_ttls_state(data, FAILURE); 775 return; 776 } 777 os_free(chal); 778 779 if (sm->user->password_hash) 780 challenge_response(challenge, sm->user->password, nt_response); 781 else 782 nt_challenge_response(challenge, sm->user->password, 783 sm->user->password_len, nt_response); 784 785 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) { 786 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response"); 787 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED : 788 SUCCESS); 789 } else { 790 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response"); 791 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received", 792 response + 2 + 24, 24); 793 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected", 794 nt_response, 24); 795 eap_ttls_state(data, FAILURE); 796 } 797 } 798 799 800 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 801 struct eap_ttls_data *data, 802 u8 *challenge, 803 size_t challenge_len, 804 u8 *response, size_t response_len) 805 { 806 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge, 807 *auth_challenge; 808 size_t username_len, i; 809 810 if (challenge == NULL || response == NULL || 811 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN || 812 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) { 813 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 " 814 "attributes (challenge len %lu response len %lu)", 815 (unsigned long) challenge_len, 816 (unsigned long) response_len); 817 eap_ttls_state(data, FAILURE); 818 return; 819 } 820 821 if (!sm->user || !sm->user->password || 822 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) { 823 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password " 824 "configured"); 825 eap_ttls_state(data, FAILURE); 826 return; 827 } 828 829 /* MSCHAPv2 does not include optional domain name in the 830 * challenge-response calculation, so remove domain prefix 831 * (if present). */ 832 username = sm->identity; 833 username_len = sm->identity_len; 834 for (i = 0; i < username_len; i++) { 835 if (username[i] == '\\') { 836 username_len -= i + 1; 837 username += i + 1; 838 break; 839 } 840 } 841 842 chal = eap_ttls_implicit_challenge( 843 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 844 if (chal == NULL) { 845 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate " 846 "challenge from TLS data"); 847 eap_ttls_state(data, FAILURE); 848 return; 849 } 850 851 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 || 852 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) { 853 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch"); 854 os_free(chal); 855 eap_ttls_state(data, FAILURE); 856 return; 857 } 858 os_free(chal); 859 860 auth_challenge = challenge; 861 peer_challenge = response + 2; 862 863 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User", 864 username, username_len); 865 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge", 866 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 867 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge", 868 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 869 870 if (sm->user->password_hash) { 871 generate_nt_response_pwhash(auth_challenge, peer_challenge, 872 username, username_len, 873 sm->user->password, 874 nt_response); 875 } else { 876 generate_nt_response(auth_challenge, peer_challenge, 877 username, username_len, 878 sm->user->password, 879 sm->user->password_len, 880 nt_response); 881 } 882 883 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8; 884 if (os_memcmp(nt_response, rx_resp, 24) == 0) { 885 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct " 886 "NT-Response"); 887 data->mschapv2_resp_ok = 1; 888 if (data->ttls_version > 0) { 889 const u8 *pw_hash; 890 u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16]; 891 u8 session_key[2 * MSCHAPV2_KEY_LEN]; 892 893 if (sm->user->password_hash) 894 pw_hash = sm->user->password; 895 else { 896 nt_password_hash(sm->user->password, 897 sm->user->password_len, 898 pw_hash_buf); 899 pw_hash = pw_hash_buf; 900 } 901 hash_nt_password_hash(pw_hash, pw_hash_hash); 902 get_master_key(pw_hash_hash, nt_response, master_key); 903 get_asymetric_start_key(master_key, session_key, 904 MSCHAPV2_KEY_LEN, 0, 0); 905 get_asymetric_start_key(master_key, 906 session_key + MSCHAPV2_KEY_LEN, 907 MSCHAPV2_KEY_LEN, 1, 0); 908 eap_ttls_ia_permute_inner_secret(sm, data, 909 session_key, 910 sizeof(session_key)); 911 } 912 913 if (sm->user->password_hash) { 914 generate_authenticator_response_pwhash( 915 sm->user->password, 916 peer_challenge, auth_challenge, 917 username, username_len, nt_response, 918 data->mschapv2_auth_response); 919 } else { 920 generate_authenticator_response( 921 sm->user->password, sm->user->password_len, 922 peer_challenge, auth_challenge, 923 username, username_len, nt_response, 924 data->mschapv2_auth_response); 925 } 926 } else { 927 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid " 928 "NT-Response"); 929 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received", 930 rx_resp, 24); 931 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected", 932 nt_response, 24); 933 data->mschapv2_resp_ok = 0; 934 } 935 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP); 936 data->mschapv2_ident = response[0]; 937 } 938 939 940 static int eap_ttls_phase2_eap_init(struct eap_sm *sm, 941 struct eap_ttls_data *data, 942 EapType eap_type) 943 { 944 if (data->phase2_priv && data->phase2_method) { 945 data->phase2_method->reset(sm, data->phase2_priv); 946 data->phase2_method = NULL; 947 data->phase2_priv = NULL; 948 } 949 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 950 eap_type); 951 if (!data->phase2_method) 952 return -1; 953 954 sm->init_phase2 = 1; 955 data->phase2_priv = data->phase2_method->init(sm); 956 sm->init_phase2 = 0; 957 return data->phase2_priv == NULL ? -1 : 0; 958 } 959 960 961 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm, 962 struct eap_ttls_data *data, 963 u8 *in_data, size_t in_len) 964 { 965 u8 next_type = EAP_TYPE_NONE; 966 struct eap_hdr *hdr; 967 u8 *pos; 968 size_t left; 969 struct wpabuf buf; 970 const struct eap_method *m = data->phase2_method; 971 void *priv = data->phase2_priv; 972 973 if (priv == NULL) { 974 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not " 975 "initialized?!", __func__); 976 return; 977 } 978 979 hdr = (struct eap_hdr *) in_data; 980 pos = (u8 *) (hdr + 1); 981 982 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 983 left = in_len - sizeof(*hdr); 984 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; " 985 "allowed types", pos + 1, left - 1); 986 eap_sm_process_nak(sm, pos + 1, left - 1); 987 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 988 sm->user->methods[sm->user_eap_method_index].method != 989 EAP_TYPE_NONE) { 990 next_type = sm->user->methods[ 991 sm->user_eap_method_index++].method; 992 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", 993 next_type); 994 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 995 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to " 996 "initialize EAP type %d", 997 next_type); 998 eap_ttls_state(data, FAILURE); 999 return; 1000 } 1001 } else { 1002 eap_ttls_state(data, FAILURE); 1003 } 1004 return; 1005 } 1006 1007 wpabuf_set(&buf, in_data, in_len); 1008 1009 if (m->check(sm, priv, &buf)) { 1010 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to " 1011 "ignore the packet"); 1012 return; 1013 } 1014 1015 m->process(sm, priv, &buf); 1016 1017 if (sm->method_pending == METHOD_PENDING_WAIT) { 1018 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in " 1019 "pending wait state - save decrypted response"); 1020 wpabuf_free(data->pending_phase2_eap_resp); 1021 data->pending_phase2_eap_resp = wpabuf_dup(&buf); 1022 } 1023 1024 if (!m->isDone(sm, priv)) 1025 return; 1026 1027 if (!m->isSuccess(sm, priv)) { 1028 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed"); 1029 eap_ttls_state(data, FAILURE); 1030 return; 1031 } 1032 1033 switch (data->state) { 1034 case PHASE2_START: 1035 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 1036 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 " 1037 "Identity not found in the user " 1038 "database", 1039 sm->identity, sm->identity_len); 1040 eap_ttls_state(data, FAILURE); 1041 break; 1042 } 1043 1044 eap_ttls_state(data, PHASE2_METHOD); 1045 next_type = sm->user->methods[0].method; 1046 sm->user_eap_method_index = 1; 1047 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type); 1048 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 1049 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize " 1050 "EAP type %d", next_type); 1051 eap_ttls_state(data, FAILURE); 1052 } 1053 break; 1054 case PHASE2_METHOD: 1055 if (data->ttls_version > 0) { 1056 if (m->getKey) { 1057 u8 *key; 1058 size_t key_len; 1059 key = m->getKey(sm, priv, &key_len); 1060 eap_ttls_ia_permute_inner_secret(sm, data, 1061 key, key_len); 1062 } 1063 eap_ttls_state(data, PHASE_FINISHED); 1064 } else 1065 eap_ttls_state(data, SUCCESS); 1066 break; 1067 case FAILURE: 1068 break; 1069 default: 1070 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 1071 __func__, data->state); 1072 break; 1073 } 1074 } 1075 1076 1077 static void eap_ttls_process_phase2_eap(struct eap_sm *sm, 1078 struct eap_ttls_data *data, 1079 const u8 *eap, size_t eap_len) 1080 { 1081 struct eap_hdr *hdr; 1082 size_t len; 1083 1084 if (data->state == PHASE2_START) { 1085 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2"); 1086 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0) 1087 { 1088 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to " 1089 "initialize EAP-Identity"); 1090 return; 1091 } 1092 } 1093 1094 if (eap_len < sizeof(*hdr)) { 1095 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP " 1096 "packet (len=%lu)", (unsigned long) eap_len); 1097 return; 1098 } 1099 1100 hdr = (struct eap_hdr *) eap; 1101 len = be_to_host16(hdr->length); 1102 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d " 1103 "identifier=%d length=%lu", hdr->code, hdr->identifier, 1104 (unsigned long) len); 1105 if (len > eap_len) { 1106 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2" 1107 " EAP frame (hdr len=%lu, data len in AVP=%lu)", 1108 (unsigned long) len, (unsigned long) eap_len); 1109 return; 1110 } 1111 1112 switch (hdr->code) { 1113 case EAP_CODE_RESPONSE: 1114 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr, 1115 len); 1116 break; 1117 default: 1118 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in " 1119 "Phase 2 EAP header", hdr->code); 1120 break; 1121 } 1122 } 1123 1124 1125 static void eap_ttls_process_phase2(struct eap_sm *sm, 1126 struct eap_ttls_data *data, 1127 struct wpabuf *in_buf) 1128 { 1129 u8 *in_decrypted; 1130 int len_decrypted; 1131 struct eap_ttls_avp parse; 1132 size_t buf_len; 1133 u8 *in_data; 1134 size_t in_len; 1135 1136 in_data = wpabuf_mhead(in_buf); 1137 in_len = wpabuf_len(in_buf); 1138 1139 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1140 " Phase 2", (unsigned long) in_len); 1141 1142 if (data->pending_phase2_eap_resp) { 1143 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response " 1144 "- skip decryption and use old data"); 1145 eap_ttls_process_phase2_eap( 1146 sm, data, wpabuf_head(data->pending_phase2_eap_resp), 1147 wpabuf_len(data->pending_phase2_eap_resp)); 1148 wpabuf_free(data->pending_phase2_eap_resp); 1149 data->pending_phase2_eap_resp = NULL; 1150 return; 1151 } 1152 1153 buf_len = in_len; 1154 /* 1155 * Even though we try to disable TLS compression, it is possible that 1156 * this cannot be done with all TLS libraries. Add extra buffer space 1157 * to handle the possibility of the decrypted data being longer than 1158 * input data. 1159 */ 1160 buf_len += 500; 1161 buf_len *= 3; 1162 in_decrypted = os_malloc(buf_len); 1163 if (in_decrypted == NULL) { 1164 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory " 1165 "for decryption"); 1166 return; 1167 } 1168 1169 len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1170 in_data, in_len, 1171 in_decrypted, buf_len); 1172 if (len_decrypted < 0) { 1173 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 " 1174 "data"); 1175 os_free(in_decrypted); 1176 eap_ttls_state(data, FAILURE); 1177 return; 1178 } 1179 1180 if (data->state == PHASE_FINISHED) { 1181 if (len_decrypted == 0 && 1182 tls_connection_ia_final_phase_finished(sm->ssl_ctx, 1183 data->ssl.conn)) { 1184 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished " 1185 "received"); 1186 eap_ttls_state(data, SUCCESS); 1187 } else { 1188 wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid " 1189 "FinalPhaseFinished"); 1190 eap_ttls_state(data, FAILURE); 1191 } 1192 1193 os_free(in_decrypted); 1194 return; 1195 } 1196 1197 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP", 1198 in_decrypted, len_decrypted); 1199 1200 if (eap_ttls_avp_parse(in_decrypted, len_decrypted, &parse) < 0) { 1201 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs"); 1202 os_free(in_decrypted); 1203 eap_ttls_state(data, FAILURE); 1204 return; 1205 } 1206 1207 if (parse.user_name) { 1208 os_free(sm->identity); 1209 sm->identity = os_malloc(parse.user_name_len); 1210 if (sm->identity) { 1211 os_memcpy(sm->identity, parse.user_name, 1212 parse.user_name_len); 1213 sm->identity_len = parse.user_name_len; 1214 } 1215 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1) 1216 != 0) { 1217 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not " 1218 "found in the user database"); 1219 eap_ttls_state(data, FAILURE); 1220 goto done; 1221 } 1222 } 1223 1224 #ifdef EAP_TNC 1225 if (data->tnc_started && parse.eap == NULL) { 1226 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP " 1227 "response from peer"); 1228 eap_ttls_state(data, FAILURE); 1229 goto done; 1230 } 1231 #endif /* EAP_TNC */ 1232 1233 if (parse.eap) { 1234 eap_ttls_process_phase2_eap(sm, data, parse.eap, 1235 parse.eap_len); 1236 } else if (parse.user_password) { 1237 eap_ttls_process_phase2_pap(sm, data, parse.user_password, 1238 parse.user_password_len); 1239 } else if (parse.chap_password) { 1240 eap_ttls_process_phase2_chap(sm, data, 1241 parse.chap_challenge, 1242 parse.chap_challenge_len, 1243 parse.chap_password, 1244 parse.chap_password_len); 1245 } else if (parse.mschap_response) { 1246 eap_ttls_process_phase2_mschap(sm, data, 1247 parse.mschap_challenge, 1248 parse.mschap_challenge_len, 1249 parse.mschap_response, 1250 parse.mschap_response_len); 1251 } else if (parse.mschap2_response) { 1252 eap_ttls_process_phase2_mschapv2(sm, data, 1253 parse.mschap_challenge, 1254 parse.mschap_challenge_len, 1255 parse.mschap2_response, 1256 parse.mschap2_response_len); 1257 } 1258 1259 done: 1260 os_free(in_decrypted); 1261 os_free(parse.eap); 1262 } 1263 1264 1265 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data) 1266 { 1267 #ifdef EAP_TNC 1268 if (!sm->tnc || data->state != SUCCESS || data->tnc_started) 1269 return; 1270 1271 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC"); 1272 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) { 1273 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC"); 1274 eap_ttls_state(data, FAILURE); 1275 return; 1276 } 1277 1278 data->tnc_started = 1; 1279 eap_ttls_state(data, PHASE2_METHOD); 1280 #endif /* EAP_TNC */ 1281 } 1282 1283 1284 static int eap_ttls_process_version(struct eap_sm *sm, void *priv, 1285 int peer_version) 1286 { 1287 struct eap_ttls_data *data = priv; 1288 if (peer_version < data->ttls_version) { 1289 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; " 1290 "use version %d", 1291 peer_version, data->ttls_version, peer_version); 1292 data->ttls_version = peer_version; 1293 } 1294 1295 if (data->ttls_version > 0 && !data->tls_ia_configured) { 1296 if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) { 1297 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable " 1298 "TLS/IA"); 1299 return -1; 1300 } 1301 data->tls_ia_configured = 1; 1302 } 1303 1304 return 0; 1305 } 1306 1307 1308 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv, 1309 const struct wpabuf *respData) 1310 { 1311 struct eap_ttls_data *data = priv; 1312 1313 switch (data->state) { 1314 case PHASE1: 1315 if (eap_server_tls_phase1(sm, &data->ssl) < 0) 1316 eap_ttls_state(data, FAILURE); 1317 break; 1318 case PHASE2_START: 1319 case PHASE2_METHOD: 1320 case PHASE_FINISHED: 1321 eap_ttls_process_phase2(sm, data, data->ssl.in_buf); 1322 eap_ttls_start_tnc(sm, data); 1323 break; 1324 case PHASE2_MSCHAPV2_RESP: 1325 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.in_buf) == 1326 0) { 1327 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1328 "acknowledged response"); 1329 eap_ttls_state(data, data->ttls_version > 0 ? 1330 PHASE_FINISHED : SUCCESS); 1331 } else if (!data->mschapv2_resp_ok) { 1332 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1333 "acknowledged error"); 1334 eap_ttls_state(data, FAILURE); 1335 } else { 1336 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected " 1337 "frame from peer (payload len %lu, " 1338 "expected empty frame)", 1339 (unsigned long) 1340 wpabuf_len(data->ssl.in_buf)); 1341 eap_ttls_state(data, FAILURE); 1342 } 1343 eap_ttls_start_tnc(sm, data); 1344 break; 1345 default: 1346 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s", 1347 data->state, __func__); 1348 break; 1349 } 1350 } 1351 1352 1353 static void eap_ttls_process(struct eap_sm *sm, void *priv, 1354 struct wpabuf *respData) 1355 { 1356 struct eap_ttls_data *data = priv; 1357 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1358 EAP_TYPE_TTLS, eap_ttls_process_version, 1359 eap_ttls_process_msg) < 0) 1360 eap_ttls_state(data, FAILURE); 1361 } 1362 1363 1364 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv) 1365 { 1366 struct eap_ttls_data *data = priv; 1367 return data->state == SUCCESS || data->state == FAILURE; 1368 } 1369 1370 1371 static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm, 1372 struct eap_ttls_data *data) 1373 { 1374 struct tls_keys keys; 1375 u8 *rnd, *key; 1376 1377 os_memset(&keys, 0, sizeof(keys)); 1378 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) || 1379 keys.client_random == NULL || keys.server_random == NULL || 1380 keys.inner_secret == NULL) { 1381 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, " 1382 "client random, or server random to derive keying " 1383 "material"); 1384 return NULL; 1385 } 1386 1387 rnd = os_malloc(keys.client_random_len + keys.server_random_len); 1388 key = os_malloc(EAP_TLS_KEY_LEN); 1389 if (rnd == NULL || key == NULL) { 1390 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation"); 1391 os_free(rnd); 1392 os_free(key); 1393 return NULL; 1394 } 1395 os_memcpy(rnd, keys.client_random, keys.client_random_len); 1396 os_memcpy(rnd + keys.client_random_len, keys.server_random, 1397 keys.server_random_len); 1398 1399 if (tls_prf(keys.inner_secret, keys.inner_secret_len, 1400 "ttls v1 keying material", rnd, keys.client_random_len + 1401 keys.server_random_len, key, EAP_TLS_KEY_LEN)) { 1402 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 1403 os_free(rnd); 1404 os_free(key); 1405 return NULL; 1406 } 1407 1408 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random", 1409 rnd, keys.client_random_len + keys.server_random_len); 1410 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret", 1411 keys.inner_secret, keys.inner_secret_len); 1412 1413 os_free(rnd); 1414 1415 return key; 1416 } 1417 1418 1419 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1420 { 1421 struct eap_ttls_data *data = priv; 1422 u8 *eapKeyData; 1423 1424 if (data->state != SUCCESS) 1425 return NULL; 1426 1427 if (data->ttls_version == 0) { 1428 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, 1429 "ttls keying material", 1430 EAP_TLS_KEY_LEN); 1431 } else { 1432 eapKeyData = eap_ttls_v1_derive_key(sm, data); 1433 } 1434 1435 if (eapKeyData) { 1436 *len = EAP_TLS_KEY_LEN; 1437 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 1438 eapKeyData, EAP_TLS_KEY_LEN); 1439 } else { 1440 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 1441 } 1442 1443 return eapKeyData; 1444 } 1445 1446 1447 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv) 1448 { 1449 struct eap_ttls_data *data = priv; 1450 return data->state == SUCCESS; 1451 } 1452 1453 1454 int eap_server_ttls_register(void) 1455 { 1456 struct eap_method *eap; 1457 int ret; 1458 1459 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1460 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1461 if (eap == NULL) 1462 return -1; 1463 1464 eap->init = eap_ttls_init; 1465 eap->reset = eap_ttls_reset; 1466 eap->buildReq = eap_ttls_buildReq; 1467 eap->check = eap_ttls_check; 1468 eap->process = eap_ttls_process; 1469 eap->isDone = eap_ttls_isDone; 1470 eap->getKey = eap_ttls_getKey; 1471 eap->isSuccess = eap_ttls_isSuccess; 1472 1473 ret = eap_server_method_register(eap); 1474 if (ret) 1475 eap_server_method_free(eap); 1476 return ret; 1477 } 1478
