1 /* 2 * EAP peer method: EAP-TTLS (draft-ietf-pppext-eap-ttls-03.txt) 3 * Copyright (c) 2004-2006, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "eap_i.h" 19 #include "eap_tls_common.h" 20 #include "config_ssid.h" 21 #include "ms_funcs.h" 22 #include "sha1.h" 23 #include "crypto.h" 24 #include "tls.h" 25 #include "eap_ttls.h" 26 27 28 /* Maximum supported PEAP version 29 * 0 = draft-ietf-pppext-eap-ttls-03.txt / draft-funk-eap-ttls-v0-00.txt 30 * 1 = draft-funk-eap-ttls-v1-00.txt 31 */ 32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */ 33 34 35 #define MSCHAPV2_KEY_LEN 16 36 37 38 static void eap_ttls_deinit(struct eap_sm *sm, void *priv); 39 40 41 struct eap_ttls_data { 42 struct eap_ssl_data ssl; 43 int ssl_initialized; 44 45 int ttls_version, force_ttls_version; 46 47 const struct eap_method *phase2_method; 48 void *phase2_priv; 49 int phase2_success; 50 int phase2_start; 51 52 enum { 53 EAP_TTLS_PHASE2_EAP, 54 EAP_TTLS_PHASE2_MSCHAPV2, 55 EAP_TTLS_PHASE2_MSCHAP, 56 EAP_TTLS_PHASE2_PAP, 57 EAP_TTLS_PHASE2_CHAP 58 } phase2_type; 59 struct eap_method_type phase2_eap_type; 60 struct eap_method_type *phase2_eap_types; 61 size_t num_phase2_eap_types; 62 63 u8 auth_response[20]; 64 int auth_response_valid; 65 u8 ident; 66 int resuming; /* starting a resumed session */ 67 int reauth; /* reauthentication */ 68 u8 *key_data; 69 70 u8 *pending_phase2_req; 71 size_t pending_phase2_req_len; 72 }; 73 74 75 static void * eap_ttls_init(struct eap_sm *sm) 76 { 77 struct eap_ttls_data *data; 78 struct wpa_ssid *config = eap_get_config(sm); 79 char *selected; 80 81 data = os_zalloc(sizeof(*data)); 82 if (data == NULL) 83 return NULL; 84 data->ttls_version = EAP_TTLS_VERSION; 85 data->force_ttls_version = -1; 86 selected = "EAP"; 87 data->phase2_type = EAP_TTLS_PHASE2_EAP; 88 89 if (config && config->phase1) { 90 char *pos = os_strstr(config->phase1, "ttlsver="); 91 if (pos) { 92 data->force_ttls_version = atoi(pos + 8); 93 data->ttls_version = data->force_ttls_version; 94 wpa_printf(MSG_DEBUG, "EAP-TTLS: Forced TTLS version " 95 "%d", data->force_ttls_version); 96 } 97 } 98 99 if (config && config->phase2) { 100 if (os_strstr(config->phase2, "autheap=")) { 101 selected = "EAP"; 102 data->phase2_type = EAP_TTLS_PHASE2_EAP; 103 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { 104 selected = "MSCHAPV2"; 105 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; 106 } else if (os_strstr(config->phase2, "auth=MSCHAP")) { 107 selected = "MSCHAP"; 108 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; 109 } else if (os_strstr(config->phase2, "auth=PAP")) { 110 selected = "PAP"; 111 data->phase2_type = EAP_TTLS_PHASE2_PAP; 112 } else if (os_strstr(config->phase2, "auth=CHAP")) { 113 selected = "CHAP"; 114 data->phase2_type = EAP_TTLS_PHASE2_CHAP; 115 } 116 } 117 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); 118 119 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) { 120 if (config && config->phase2) { 121 char *start, *pos, *buf; 122 struct eap_method_type *methods = NULL, *_methods; 123 u8 method; 124 size_t num_methods = 0; 125 start = buf = os_strdup(config->phase2); 126 if (buf == NULL) { 127 eap_ttls_deinit(sm, data); 128 return NULL; 129 } 130 while (start && *start != '\0') { 131 int vendor; 132 pos = os_strstr(start, "autheap="); 133 if (pos == NULL) 134 break; 135 if (start != pos && *(pos - 1) != ' ') { 136 start = pos + 8; 137 continue; 138 } 139 140 start = pos + 8; 141 pos = os_strchr(start, ' '); 142 if (pos) 143 *pos++ = '\0'; 144 method = eap_get_phase2_type(start, &vendor); 145 if (vendor == EAP_VENDOR_IETF && 146 method == EAP_TYPE_NONE) { 147 wpa_printf(MSG_ERROR, "EAP-TTLS: " 148 "Unsupported Phase2 EAP " 149 "method '%s'", start); 150 } else { 151 num_methods++; 152 _methods = os_realloc( 153 methods, num_methods * 154 sizeof(*methods)); 155 if (_methods == NULL) { 156 os_free(methods); 157 os_free(buf); 158 eap_ttls_deinit(sm, data); 159 return NULL; 160 } 161 methods = _methods; 162 methods[num_methods - 1].vendor = 163 vendor; 164 methods[num_methods - 1].method = 165 method; 166 } 167 168 start = pos; 169 } 170 os_free(buf); 171 data->phase2_eap_types = methods; 172 data->num_phase2_eap_types = num_methods; 173 } 174 if (data->phase2_eap_types == NULL) { 175 data->phase2_eap_types = eap_get_phase2_types( 176 config, &data->num_phase2_eap_types); 177 } 178 if (data->phase2_eap_types == NULL) { 179 wpa_printf(MSG_ERROR, "EAP-TTLS: No Phase2 EAP method " 180 "available"); 181 eap_ttls_deinit(sm, data); 182 return NULL; 183 } 184 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase2 EAP types", 185 (u8 *) data->phase2_eap_types, 186 data->num_phase2_eap_types * 187 sizeof(struct eap_method_type)); 188 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 189 data->phase2_eap_type.method = EAP_TYPE_NONE; 190 } 191 192 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) && 193 data->ttls_version > 0) { 194 if (data->force_ttls_version > 0) { 195 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and " 196 "TLS library does not support TLS/IA.", 197 data->force_ttls_version); 198 eap_ttls_deinit(sm, data); 199 return NULL; 200 } 201 data->ttls_version = 0; 202 } 203 204 return data; 205 } 206 207 208 static void eap_ttls_deinit(struct eap_sm *sm, void *priv) 209 { 210 struct eap_ttls_data *data = priv; 211 if (data == NULL) 212 return; 213 if (data->phase2_priv && data->phase2_method) 214 data->phase2_method->deinit(sm, data->phase2_priv); 215 os_free(data->phase2_eap_types); 216 if (data->ssl_initialized) 217 eap_tls_ssl_deinit(sm, &data->ssl); 218 os_free(data->key_data); 219 os_free(data->pending_phase2_req); 220 os_free(data); 221 } 222 223 224 static int eap_ttls_encrypt(struct eap_sm *sm, struct eap_ttls_data *data, 225 int id, const u8 *plain, size_t plain_len, 226 u8 **out_data, size_t *out_len) 227 { 228 int res; 229 u8 *pos; 230 struct eap_hdr *resp; 231 232 /* TODO: add support for fragmentation, if needed. This will need to 233 * add TLS Message Length field, if the frame is fragmented. */ 234 resp = os_malloc(sizeof(struct eap_hdr) + 2 + data->ssl.tls_out_limit); 235 if (resp == NULL) 236 return -1; 237 238 resp->code = EAP_CODE_RESPONSE; 239 resp->identifier = id; 240 241 pos = (u8 *) (resp + 1); 242 *pos++ = EAP_TYPE_TTLS; 243 *pos++ = data->ttls_version; 244 245 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn, 246 plain, plain_len, 247 pos, data->ssl.tls_out_limit); 248 if (res < 0) { 249 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 " 250 "data"); 251 os_free(resp); 252 return -1; 253 } 254 255 *out_len = sizeof(struct eap_hdr) + 2 + res; 256 resp->length = host_to_be16(*out_len); 257 *out_data = (u8 *) resp; 258 return 0; 259 } 260 261 262 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 263 int mandatory, size_t len) 264 { 265 struct ttls_avp_vendor *avp; 266 u8 flags; 267 size_t hdrlen; 268 269 avp = (struct ttls_avp_vendor *) avphdr; 270 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 271 if (vendor_id) { 272 flags |= AVP_FLAGS_VENDOR; 273 hdrlen = sizeof(*avp); 274 avp->vendor_id = host_to_be32(vendor_id); 275 } else { 276 hdrlen = sizeof(struct ttls_avp); 277 } 278 279 avp->avp_code = host_to_be32(avp_code); 280 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len)); 281 282 return avphdr + hdrlen; 283 } 284 285 286 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code, 287 u32 vendor_id, int mandatory, 288 u8 *data, size_t len) 289 { 290 u8 *pos; 291 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len); 292 os_memcpy(pos, data, len); 293 pos += len; 294 AVP_PAD(start, pos); 295 return pos; 296 } 297 298 299 static int eap_ttls_avp_encapsulate(u8 **resp, size_t *resp_len, u32 avp_code, 300 int mandatory) 301 { 302 u8 *avp, *pos; 303 304 avp = os_malloc(sizeof(struct ttls_avp) + *resp_len + 4); 305 if (avp == NULL) { 306 os_free(*resp); 307 *resp = NULL; 308 *resp_len = 0; 309 return -1; 310 } 311 312 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, *resp_len); 313 os_memcpy(pos, *resp, *resp_len); 314 pos += *resp_len; 315 AVP_PAD(avp, pos); 316 os_free(*resp); 317 *resp = avp; 318 *resp_len = pos - avp; 319 return 0; 320 } 321 322 323 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm, 324 struct eap_ttls_data *data, 325 const u8 *key, size_t key_len) 326 { 327 u8 *buf; 328 size_t buf_len; 329 int ret; 330 331 if (key) { 332 buf_len = 2 + key_len; 333 buf = os_malloc(buf_len); 334 if (buf == NULL) 335 return -1; 336 WPA_PUT_BE16(buf, key_len); 337 os_memcpy(buf + 2, key, key_len); 338 } else { 339 buf = NULL; 340 buf_len = 0; 341 } 342 343 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner " 344 "secret permutation", buf, buf_len); 345 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx, 346 data->ssl.conn, 347 buf, buf_len); 348 os_free(buf); 349 350 return ret; 351 } 352 353 354 static int eap_ttls_v0_derive_key(struct eap_sm *sm, 355 struct eap_ttls_data *data) 356 { 357 os_free(data->key_data); 358 data->key_data = eap_tls_derive_key(sm, &data->ssl, 359 "ttls keying material", 360 EAP_TLS_KEY_LEN); 361 if (!data->key_data) { 362 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key"); 363 return -1; 364 } 365 366 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 367 data->key_data, EAP_TLS_KEY_LEN); 368 369 return 0; 370 } 371 372 373 static int eap_ttls_v1_derive_key(struct eap_sm *sm, 374 struct eap_ttls_data *data) 375 { 376 struct tls_keys keys; 377 u8 *rnd; 378 379 os_free(data->key_data); 380 data->key_data = NULL; 381 382 os_memset(&keys, 0, sizeof(keys)); 383 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) || 384 keys.client_random == NULL || keys.server_random == NULL || 385 keys.inner_secret == NULL) { 386 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, " 387 "client random, or server random to derive keying " 388 "material"); 389 return -1; 390 } 391 392 rnd = os_malloc(keys.client_random_len + keys.server_random_len); 393 data->key_data = os_malloc(EAP_TLS_KEY_LEN); 394 if (rnd == NULL || data->key_data == NULL) { 395 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation"); 396 os_free(rnd); 397 os_free(data->key_data); 398 data->key_data = NULL; 399 return -1; 400 } 401 os_memcpy(rnd, keys.client_random, keys.client_random_len); 402 os_memcpy(rnd + keys.client_random_len, keys.server_random, 403 keys.server_random_len); 404 405 if (tls_prf(keys.inner_secret, keys.inner_secret_len, 406 "ttls v1 keying material", rnd, keys.client_random_len + 407 keys.server_random_len, data->key_data, EAP_TLS_KEY_LEN)) { 408 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 409 os_free(rnd); 410 os_free(data->key_data); 411 data->key_data = NULL; 412 return -1; 413 } 414 415 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random", 416 rnd, keys.client_random_len + keys.server_random_len); 417 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret", 418 keys.inner_secret, keys.inner_secret_len); 419 420 os_free(rnd); 421 422 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 423 data->key_data, EAP_TLS_KEY_LEN); 424 425 return 0; 426 } 427 428 429 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 430 struct eap_ttls_data *data, size_t len) 431 { 432 struct tls_keys keys; 433 u8 *challenge, *rnd; 434 435 if (data->ttls_version == 0) { 436 return eap_tls_derive_key(sm, &data->ssl, "ttls challenge", 437 len); 438 } 439 440 os_memset(&keys, 0, sizeof(keys)); 441 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) || 442 keys.client_random == NULL || keys.server_random == NULL || 443 keys.inner_secret == NULL) { 444 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, " 445 "client random, or server random to derive " 446 "implicit challenge"); 447 return NULL; 448 } 449 450 rnd = os_malloc(keys.client_random_len + keys.server_random_len); 451 challenge = os_malloc(len); 452 if (rnd == NULL || challenge == NULL) { 453 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit " 454 "challenge derivation"); 455 os_free(rnd); 456 os_free(challenge); 457 return NULL; 458 } 459 os_memcpy(rnd, keys.server_random, keys.server_random_len); 460 os_memcpy(rnd + keys.server_random_len, keys.client_random, 461 keys.client_random_len); 462 463 if (tls_prf(keys.inner_secret, keys.inner_secret_len, 464 "inner application challenge", rnd, 465 keys.client_random_len + keys.server_random_len, 466 challenge, len)) { 467 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit " 468 "challenge"); 469 os_free(rnd); 470 os_free(challenge); 471 return NULL; 472 } 473 474 os_free(rnd); 475 476 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge", 477 challenge, len); 478 479 return challenge; 480 } 481 482 483 static int eap_ttls_phase2_nak(struct eap_ttls_data *data, struct eap_hdr *hdr, 484 u8 **resp, size_t *resp_len) 485 { 486 struct eap_hdr *resp_hdr; 487 u8 *pos = (u8 *) (hdr + 1); 488 size_t i; 489 490 /* TODO: add support for expanded Nak */ 491 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 Request: Nak type=%d", *pos); 492 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Allowed Phase2 EAP types", 493 (u8 *) data->phase2_eap_types, data->num_phase2_eap_types * 494 sizeof(struct eap_method_type)); 495 *resp_len = sizeof(struct eap_hdr) + 1; 496 *resp = os_malloc(*resp_len + data->num_phase2_eap_types); 497 if (*resp == NULL) 498 return -1; 499 500 resp_hdr = (struct eap_hdr *) (*resp); 501 resp_hdr->code = EAP_CODE_RESPONSE; 502 resp_hdr->identifier = hdr->identifier; 503 pos = (u8 *) (resp_hdr + 1); 504 *pos++ = EAP_TYPE_NAK; 505 for (i = 0; i < data->num_phase2_eap_types; i++) { 506 if (data->phase2_eap_types[i].vendor == EAP_VENDOR_IETF && 507 data->phase2_eap_types[i].method < 256) { 508 (*resp_len)++; 509 *pos++ = data->phase2_eap_types[i].method; 510 } 511 } 512 resp_hdr->length = host_to_be16(*resp_len); 513 514 return 0; 515 } 516 517 518 static int eap_ttls_phase2_request_eap(struct eap_sm *sm, 519 struct eap_ttls_data *data, 520 struct eap_method_ret *ret, 521 struct eap_hdr *hdr, 522 u8 **resp, size_t *resp_len) 523 { 524 size_t len = be_to_host16(hdr->length); 525 u8 *pos; 526 struct eap_method_ret iret; 527 struct wpa_ssid *config = eap_get_config(sm); 528 529 if (len <= sizeof(struct eap_hdr)) { 530 wpa_printf(MSG_INFO, "EAP-TTLS: too short " 531 "Phase 2 request (len=%lu)", (unsigned long) len); 532 return -1; 533 } 534 pos = (u8 *) (hdr + 1); 535 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos); 536 switch (*pos) { 537 case EAP_TYPE_IDENTITY: 538 *resp = eap_sm_buildIdentity(sm, hdr->identifier, resp_len, 1); 539 break; 540 default: 541 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF && 542 data->phase2_eap_type.method == EAP_TYPE_NONE) { 543 size_t i; 544 for (i = 0; i < data->num_phase2_eap_types; i++) { 545 if (data->phase2_eap_types[i].vendor != 546 EAP_VENDOR_IETF || 547 data->phase2_eap_types[i].method != *pos) 548 continue; 549 550 data->phase2_eap_type.vendor = 551 data->phase2_eap_types[i].vendor; 552 data->phase2_eap_type.method = 553 data->phase2_eap_types[i].method; 554 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 555 "Phase 2 EAP vendor %d method %d", 556 data->phase2_eap_type.vendor, 557 data->phase2_eap_type.method); 558 break; 559 } 560 } 561 if (*pos != data->phase2_eap_type.method || 562 *pos == EAP_TYPE_NONE) { 563 if (eap_ttls_phase2_nak(data, hdr, resp, resp_len)) 564 return -1; 565 break; 566 } 567 568 if (data->phase2_priv == NULL) { 569 data->phase2_method = eap_sm_get_eap_methods( 570 EAP_VENDOR_IETF, *pos); 571 if (data->phase2_method) { 572 sm->init_phase2 = 1; 573 sm->mschapv2_full_key = 1; 574 data->phase2_priv = 575 data->phase2_method->init(sm); 576 sm->init_phase2 = 0; 577 sm->mschapv2_full_key = 0; 578 } 579 } 580 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 581 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize " 582 "Phase 2 EAP method %d", *pos); 583 return -1; 584 } 585 os_memset(&iret, 0, sizeof(iret)); 586 *resp = data->phase2_method->process(sm, data->phase2_priv, 587 &iret, (u8 *) hdr, len, 588 resp_len); 589 if ((iret.methodState == METHOD_DONE || 590 iret.methodState == METHOD_MAY_CONT) && 591 (iret.decision == DECISION_UNCOND_SUCC || 592 iret.decision == DECISION_COND_SUCC || 593 iret.decision == DECISION_FAIL)) { 594 ret->methodState = iret.methodState; 595 ret->decision = iret.decision; 596 } 597 if (data->ttls_version > 0) { 598 const struct eap_method *m = data->phase2_method; 599 void *priv = data->phase2_priv; 600 601 /* TTLSv1 requires TLS/IA FinalPhaseFinished */ 602 if (ret->decision == DECISION_UNCOND_SUCC) 603 ret->decision = DECISION_COND_SUCC; 604 ret->methodState = METHOD_CONT; 605 606 if (ret->decision == DECISION_COND_SUCC && 607 m->isKeyAvailable && m->getKey && 608 m->isKeyAvailable(sm, priv)) { 609 u8 *key; 610 size_t key_len; 611 key = m->getKey(sm, priv, &key_len); 612 if (key) { 613 eap_ttls_ia_permute_inner_secret( 614 sm, data, key, key_len); 615 os_free(key); 616 } 617 } 618 } 619 break; 620 } 621 622 if (*resp == NULL && 623 (config->pending_req_identity || config->pending_req_password || 624 config->pending_req_otp)) { 625 return 0; 626 } 627 628 if (*resp == NULL) 629 return -1; 630 631 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response", 632 *resp, *resp_len); 633 return eap_ttls_avp_encapsulate(resp, resp_len, 634 RADIUS_ATTR_EAP_MESSAGE, 1); 635 } 636 637 638 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm, 639 struct eap_ttls_data *data, 640 struct eap_method_ret *ret, 641 u8 **resp, size_t *resp_len) 642 { 643 struct wpa_ssid *config = eap_get_config(sm); 644 u8 *buf, *pos, *challenge, *username, *peer_challenge; 645 size_t username_len, i; 646 647 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request"); 648 649 /* MSCHAPv2 does not include optional domain name in the 650 * challenge-response calculation, so remove domain prefix 651 * (if present). */ 652 username = config->identity; 653 username_len = config->identity_len; 654 pos = username; 655 for (i = 0; i < username_len; i++) { 656 if (username[i] == '\\') { 657 username_len -= i + 1; 658 username += i + 1; 659 break; 660 } 661 } 662 663 pos = buf = os_malloc(config->identity_len + 1000); 664 if (buf == NULL) { 665 wpa_printf(MSG_ERROR, 666 "EAP-TTLS/MSCHAPV2: Failed to allocate memory"); 667 return -1; 668 } 669 670 /* User-Name */ 671 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 672 config->identity, config->identity_len); 673 674 /* MS-CHAP-Challenge */ 675 challenge = eap_ttls_implicit_challenge( 676 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 677 if (challenge == NULL) { 678 os_free(buf); 679 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 680 "implicit challenge"); 681 return -1; 682 } 683 peer_challenge = challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 684 685 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 686 RADIUS_VENDOR_ID_MICROSOFT, 1, 687 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 688 689 /* MS-CHAP2-Response */ 690 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE, 691 RADIUS_VENDOR_ID_MICROSOFT, 1, 692 EAP_TTLS_MSCHAPV2_RESPONSE_LEN); 693 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; 694 *pos++ = data->ident; 695 *pos++ = 0; /* Flags */ 696 os_memcpy(pos, peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 697 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 698 os_memset(pos, 0, 8); /* Reserved, must be zero */ 699 pos += 8; 700 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: implicit auth_challenge", 701 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 702 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: peer_challenge", 703 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 704 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 username", 705 username, username_len); 706 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 password", 707 config->password, config->password_len); 708 generate_nt_response(challenge, peer_challenge, 709 username, username_len, 710 config->password, config->password_len, 711 pos); 712 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 response", pos, 24); 713 generate_authenticator_response(config->password, config->password_len, 714 peer_challenge, challenge, 715 username, username_len, 716 pos, data->auth_response); 717 data->auth_response_valid = 1; 718 719 if (data->ttls_version > 0) { 720 u8 pw_hash[16], pw_hash_hash[16], master_key[16]; 721 u8 session_key[2 * MSCHAPV2_KEY_LEN]; 722 nt_password_hash(config->password, config->password_len, 723 pw_hash); 724 hash_nt_password_hash(pw_hash, pw_hash_hash); 725 get_master_key(pw_hash_hash, pos /* nt_response */, 726 master_key); 727 get_asymetric_start_key(master_key, session_key, 728 MSCHAPV2_KEY_LEN, 0, 0); 729 get_asymetric_start_key(master_key, 730 session_key + MSCHAPV2_KEY_LEN, 731 MSCHAPV2_KEY_LEN, 1, 0); 732 eap_ttls_ia_permute_inner_secret(sm, data, 733 session_key, 734 sizeof(session_key)); 735 } 736 737 pos += 24; 738 os_free(challenge); 739 AVP_PAD(buf, pos); 740 741 *resp = buf; 742 *resp_len = pos - buf; 743 744 if (sm->workaround && data->ttls_version == 0) { 745 /* At least FreeRADIUS seems to be terminating 746 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success 747 * packet. */ 748 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - " 749 "allow success without tunneled response"); 750 ret->methodState = METHOD_MAY_CONT; 751 ret->decision = DECISION_COND_SUCC; 752 } 753 754 return 0; 755 } 756 757 758 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm, 759 struct eap_ttls_data *data, 760 struct eap_method_ret *ret, 761 u8 **resp, size_t *resp_len) 762 { 763 struct wpa_ssid *config = eap_get_config(sm); 764 u8 *buf, *pos, *challenge; 765 766 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request"); 767 768 pos = buf = os_malloc(config->identity_len + 1000); 769 if (buf == NULL) { 770 wpa_printf(MSG_ERROR, 771 "EAP-TTLS/MSCHAP: Failed to allocate memory"); 772 return -1; 773 } 774 775 /* User-Name */ 776 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 777 config->identity, config->identity_len); 778 779 /* MS-CHAP-Challenge */ 780 challenge = eap_ttls_implicit_challenge( 781 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 782 if (challenge == NULL) { 783 os_free(buf); 784 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive " 785 "implicit challenge"); 786 return -1; 787 } 788 789 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 790 RADIUS_VENDOR_ID_MICROSOFT, 1, 791 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 792 793 /* MS-CHAP-Response */ 794 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE, 795 RADIUS_VENDOR_ID_MICROSOFT, 1, 796 EAP_TTLS_MSCHAP_RESPONSE_LEN); 797 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN]; 798 *pos++ = data->ident; 799 *pos++ = 1; /* Flags: Use NT style passwords */ 800 os_memset(pos, 0, 24); /* LM-Response */ 801 pos += 24; 802 nt_challenge_response(challenge, 803 config->password, config->password_len, 804 pos); /* NT-Response */ 805 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", 806 config->password, config->password_len); 807 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge", 808 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 809 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24); 810 pos += 24; 811 os_free(challenge); 812 AVP_PAD(buf, pos); 813 814 *resp = buf; 815 *resp_len = pos - buf; 816 817 if (data->ttls_version > 0) { 818 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success, 819 * so do not allow connection to be terminated yet. */ 820 ret->methodState = METHOD_CONT; 821 ret->decision = DECISION_COND_SUCC; 822 } else { 823 /* EAP-TTLS/MSCHAP does not provide tunneled success 824 * notification, so assume that Phase2 succeeds. */ 825 ret->methodState = METHOD_DONE; 826 ret->decision = DECISION_COND_SUCC; 827 } 828 829 return 0; 830 } 831 832 833 static int eap_ttls_phase2_request_pap(struct eap_sm *sm, 834 struct eap_ttls_data *data, 835 struct eap_method_ret *ret, 836 u8 **resp, size_t *resp_len) 837 { 838 struct wpa_ssid *config = eap_get_config(sm); 839 u8 *buf, *pos; 840 size_t pad; 841 842 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request"); 843 844 pos = buf = os_malloc(config->identity_len + config->password_len + 845 100); 846 if (buf == NULL) { 847 wpa_printf(MSG_ERROR, 848 "EAP-TTLS/PAP: Failed to allocate memory"); 849 return -1; 850 } 851 852 /* User-Name */ 853 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 854 config->identity, config->identity_len); 855 856 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts 857 * the data, so no separate encryption is used in the AVP itself. 858 * However, the password is padded to obfuscate its length. */ 859 pad = (16 - (config->password_len & 15)) & 15; 860 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, 861 config->password_len + pad); 862 os_memcpy(pos, config->password, config->password_len); 863 pos += config->password_len; 864 os_memset(pos, 0, pad); 865 pos += pad; 866 AVP_PAD(buf, pos); 867 868 *resp = buf; 869 *resp_len = pos - buf; 870 871 if (data->ttls_version > 0) { 872 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success, 873 * so do not allow connection to be terminated yet. */ 874 ret->methodState = METHOD_CONT; 875 ret->decision = DECISION_COND_SUCC; 876 } else { 877 /* EAP-TTLS/PAP does not provide tunneled success notification, 878 * so assume that Phase2 succeeds. */ 879 ret->methodState = METHOD_DONE; 880 ret->decision = DECISION_COND_SUCC; 881 } 882 883 return 0; 884 } 885 886 887 static int eap_ttls_phase2_request_chap(struct eap_sm *sm, 888 struct eap_ttls_data *data, 889 struct eap_method_ret *ret, 890 u8 **resp, size_t *resp_len) 891 { 892 struct wpa_ssid *config = eap_get_config(sm); 893 u8 *buf, *pos, *challenge; 894 const u8 *addr[3]; 895 size_t len[3]; 896 897 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request"); 898 899 pos = buf = os_malloc(config->identity_len + 1000); 900 if (buf == NULL) { 901 wpa_printf(MSG_ERROR, 902 "EAP-TTLS/CHAP: Failed to allocate memory"); 903 return -1; 904 } 905 906 /* User-Name */ 907 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 908 config->identity, config->identity_len); 909 910 /* CHAP-Challenge */ 911 challenge = eap_ttls_implicit_challenge( 912 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 913 if (challenge == NULL) { 914 os_free(buf); 915 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive " 916 "implicit challenge"); 917 return -1; 918 } 919 920 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1, 921 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 922 923 /* CHAP-Password */ 924 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1, 925 1 + EAP_TTLS_CHAP_PASSWORD_LEN); 926 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN]; 927 *pos++ = data->ident; 928 929 /* MD5(Ident + Password + Challenge) */ 930 addr[0] = &data->ident; 931 len[0] = 1; 932 addr[1] = config->password; 933 len[1] = config->password_len; 934 addr[2] = challenge; 935 len[2] = EAP_TTLS_CHAP_CHALLENGE_LEN; 936 md5_vector(3, addr, len, pos); 937 938 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username", 939 config->identity, config->identity_len); 940 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password", 941 config->password, config->password_len); 942 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge", 943 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 944 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password", 945 pos, EAP_TTLS_CHAP_PASSWORD_LEN); 946 pos += EAP_TTLS_CHAP_PASSWORD_LEN; 947 os_free(challenge); 948 AVP_PAD(buf, pos); 949 950 *resp = buf; 951 *resp_len = pos - buf; 952 953 if (data->ttls_version > 0) { 954 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success, 955 * so do not allow connection to be terminated yet. */ 956 ret->methodState = METHOD_CONT; 957 ret->decision = DECISION_COND_SUCC; 958 } else { 959 /* EAP-TTLS/CHAP does not provide tunneled success 960 * notification, so assume that Phase2 succeeds. */ 961 ret->methodState = METHOD_DONE; 962 ret->decision = DECISION_COND_SUCC; 963 } 964 965 return 0; 966 } 967 968 969 static int eap_ttls_phase2_request(struct eap_sm *sm, 970 struct eap_ttls_data *data, 971 struct eap_method_ret *ret, 972 const struct eap_hdr *req, 973 struct eap_hdr *hdr, 974 u8 **resp, size_t *resp_len) 975 { 976 int res = 0; 977 size_t len; 978 979 if (data->phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 || 980 data->phase2_type == EAP_TTLS_PHASE2_MSCHAP || 981 data->phase2_type == EAP_TTLS_PHASE2_PAP || 982 data->phase2_type == EAP_TTLS_PHASE2_CHAP) { 983 if (eap_get_config_identity(sm, &len) == NULL) { 984 wpa_printf(MSG_INFO, 985 "EAP-TTLS: Identity not configured"); 986 eap_sm_request_identity(sm); 987 if (eap_get_config_password(sm, &len) == NULL) 988 eap_sm_request_password(sm); 989 return 0; 990 } 991 992 if (eap_get_config_password(sm, &len) == NULL) { 993 wpa_printf(MSG_INFO, 994 "EAP-TTLS: Password not configured"); 995 eap_sm_request_password(sm); 996 return 0; 997 } 998 } 999 1000 switch (data->phase2_type) { 1001 case EAP_TTLS_PHASE2_EAP: 1002 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, 1003 resp, resp_len); 1004 break; 1005 case EAP_TTLS_PHASE2_MSCHAPV2: 1006 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, 1007 resp, resp_len); 1008 break; 1009 case EAP_TTLS_PHASE2_MSCHAP: 1010 res = eap_ttls_phase2_request_mschap(sm, data, ret, 1011 resp, resp_len); 1012 break; 1013 case EAP_TTLS_PHASE2_PAP: 1014 res = eap_ttls_phase2_request_pap(sm, data, ret, 1015 resp, resp_len); 1016 break; 1017 case EAP_TTLS_PHASE2_CHAP: 1018 res = eap_ttls_phase2_request_chap(sm, data, ret, 1019 resp, resp_len); 1020 break; 1021 default: 1022 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown"); 1023 res = -1; 1024 break; 1025 } 1026 1027 if (res < 0) { 1028 ret->methodState = METHOD_DONE; 1029 ret->decision = DECISION_FAIL; 1030 } 1031 1032 return res; 1033 } 1034 1035 1036 static u8 * eap_ttls_build_phase_finished(struct eap_sm *sm, 1037 struct eap_ttls_data *data, 1038 int id, int final, 1039 size_t *reqDataLen) 1040 { 1041 int len; 1042 struct eap_hdr *req; 1043 u8 *pos; 1044 const int max_len = 300; 1045 1046 len = sizeof(struct eap_hdr) + 2 + max_len; 1047 req = os_malloc(len); 1048 if (req == NULL) 1049 return NULL; 1050 1051 req->code = EAP_CODE_RESPONSE; 1052 req->identifier = id; 1053 1054 pos = (u8 *) (req + 1); 1055 *pos++ = EAP_TYPE_TTLS; 1056 *pos++ = data->ttls_version; 1057 1058 len = tls_connection_ia_send_phase_finished(sm->ssl_ctx, 1059 data->ssl.conn, 1060 final, pos, max_len); 1061 if (len < 0) { 1062 os_free(req); 1063 return NULL; 1064 } 1065 1066 *reqDataLen = sizeof(struct eap_hdr) + 2 + len; 1067 req->length = host_to_be16(*reqDataLen); 1068 1069 return (u8 *) req; 1070 } 1071 1072 1073 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, 1074 struct eap_method_ret *ret, 1075 const struct eap_hdr *req, 1076 const u8 *in_data, size_t in_len, 1077 u8 **out_data, size_t *out_len) 1078 { 1079 u8 *in_decrypted = NULL, *pos; 1080 int res, retval = 0; 1081 struct eap_hdr *hdr = NULL; 1082 u8 *resp = NULL, *mschapv2 = NULL, *eapdata = NULL; 1083 size_t resp_len, eap_len = 0, len_decrypted = 0, len, buf_len, left; 1084 struct ttls_avp *avp; 1085 u8 recv_response[20]; 1086 int mschapv2_error = 0; 1087 struct wpa_ssid *config = eap_get_config(sm); 1088 const u8 *msg; 1089 size_t msg_len; 1090 int need_more_input; 1091 1092 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1093 " Phase 2", (unsigned long) in_len); 1094 1095 if (data->pending_phase2_req) { 1096 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " 1097 "skip decryption and use old data"); 1098 /* Clear TLS reassembly state. */ 1099 os_free(data->ssl.tls_in); 1100 data->ssl.tls_in = NULL; 1101 data->ssl.tls_in_len = 0; 1102 data->ssl.tls_in_left = 0; 1103 data->ssl.tls_in_total = 0; 1104 1105 in_decrypted = data->pending_phase2_req; 1106 data->pending_phase2_req = NULL; 1107 len_decrypted = data->pending_phase2_req_len; 1108 if (data->pending_phase2_req_len == 0) { 1109 os_free(in_decrypted); 1110 in_decrypted = NULL; 1111 goto fake_req_identity; 1112 } 1113 goto continue_req; 1114 } 1115 1116 if (in_len == 0 && data->phase2_start) { 1117 data->phase2_start = 0; 1118 /* EAP-TTLS does not use Phase2 on fast re-auth; this must be 1119 * done only if TLS part was indeed resuming a previous 1120 * session. Most Authentication Servers terminate EAP-TTLS 1121 * before reaching this point, but some do not. Make 1122 * wpa_supplicant stop phase 2 here, if needed. */ 1123 if (data->reauth && 1124 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 1125 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - " 1126 "skip phase 2"); 1127 *out_data = eap_tls_build_ack(&data->ssl, out_len, 1128 req->identifier, 1129 EAP_TYPE_TTLS, 0); 1130 ret->methodState = METHOD_DONE; 1131 ret->decision = DECISION_UNCOND_SUCC; 1132 data->phase2_success = 1; 1133 return 0; 1134 } 1135 fake_req_identity: 1136 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of " 1137 "Phase 2 - use fake EAP-Request Identity"); 1138 buf_len = sizeof(*hdr) + 1; 1139 in_decrypted = os_malloc(buf_len); 1140 if (in_decrypted == NULL) { 1141 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate " 1142 "memory for fake EAP-Identity Request"); 1143 retval = -1; 1144 goto done; 1145 } 1146 hdr = (struct eap_hdr *) in_decrypted; 1147 hdr->code = EAP_CODE_REQUEST; 1148 hdr->identifier = 0; 1149 hdr->length = host_to_be16(sizeof(*hdr) + 1); 1150 in_decrypted[sizeof(*hdr)] = EAP_TYPE_IDENTITY; 1151 goto process_eap; 1152 } 1153 1154 msg = eap_tls_data_reassemble(sm, &data->ssl, in_data, in_len, 1155 &msg_len, &need_more_input); 1156 if (msg == NULL) 1157 return need_more_input ? 1 : -1; 1158 1159 buf_len = in_len; 1160 if (data->ssl.tls_in_total > buf_len) 1161 buf_len = data->ssl.tls_in_total; 1162 in_decrypted = os_malloc(buf_len); 1163 if (in_decrypted == NULL) { 1164 os_free(data->ssl.tls_in); 1165 data->ssl.tls_in = NULL; 1166 data->ssl.tls_in_len = 0; 1167 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory " 1168 "for decryption"); 1169 retval = -1; 1170 goto done; 1171 } 1172 1173 res = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 1174 msg, msg_len, in_decrypted, buf_len); 1175 os_free(data->ssl.tls_in); 1176 data->ssl.tls_in = NULL; 1177 data->ssl.tls_in_len = 0; 1178 if (res < 0) { 1179 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 " 1180 "data"); 1181 retval = -1; 1182 goto done; 1183 } 1184 len_decrypted = res; 1185 1186 if (data->ttls_version > 0 && len_decrypted == 0 && 1187 tls_connection_ia_final_phase_finished(sm->ssl_ctx, 1188 data->ssl.conn)) { 1189 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished received"); 1190 wpa_printf(MSG_INFO, "EAP-TTLS: TLS/IA authentication " 1191 "succeeded"); 1192 ret->methodState = METHOD_DONE; 1193 ret->decision = DECISION_UNCOND_SUCC; 1194 data->phase2_success = 1; 1195 *out_data = eap_ttls_build_phase_finished(sm, data, 1196 req->identifier, 1, 1197 out_len); 1198 eap_ttls_v1_derive_key(sm, data); 1199 goto done; 1200 } 1201 1202 continue_req: 1203 data->phase2_start = 0; 1204 1205 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", 1206 in_decrypted, len_decrypted); 1207 if (len_decrypted < sizeof(struct ttls_avp)) { 1208 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame" 1209 " len=%lu expected %lu or more - dropped", 1210 (unsigned long) len_decrypted, 1211 (unsigned long) sizeof(struct ttls_avp)); 1212 retval = -1; 1213 goto done; 1214 } 1215 1216 /* Parse AVPs */ 1217 pos = in_decrypted; 1218 left = len_decrypted; 1219 mschapv2 = NULL; 1220 1221 while (left > 0) { 1222 u32 avp_code, avp_length, vendor_id = 0; 1223 u8 avp_flags, *dpos; 1224 size_t pad, dlen; 1225 avp = (struct ttls_avp *) pos; 1226 avp_code = be_to_host32(avp->avp_code); 1227 avp_length = be_to_host32(avp->avp_length); 1228 avp_flags = (avp_length >> 24) & 0xff; 1229 avp_length &= 0xffffff; 1230 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 1231 "length=%d", (int) avp_code, avp_flags, 1232 (int) avp_length); 1233 if (avp_length > left) { 1234 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 1235 "(len=%d, left=%lu) - dropped", 1236 (int) avp_length, (unsigned long) left); 1237 retval = -1; 1238 goto done; 1239 } 1240 if (avp_length < sizeof(*avp)) { 1241 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length " 1242 "%d", avp_length); 1243 retval = -1; 1244 goto done; 1245 } 1246 dpos = (u8 *) (avp + 1); 1247 dlen = avp_length - sizeof(*avp); 1248 if (avp_flags & AVP_FLAGS_VENDOR) { 1249 if (dlen < 4) { 1250 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP " 1251 "underflow"); 1252 retval = -1; 1253 goto done; 1254 } 1255 vendor_id = be_to_host32(* (u32 *) dpos); 1256 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 1257 (int) vendor_id); 1258 dpos += 4; 1259 dlen -= 4; 1260 } 1261 1262 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 1263 1264 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 1265 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 1266 if (eapdata == NULL) { 1267 eapdata = os_malloc(dlen); 1268 if (eapdata == NULL) { 1269 retval = -1; 1270 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1271 "failed to allocate memory " 1272 "for Phase 2 EAP data"); 1273 goto done; 1274 } 1275 os_memcpy(eapdata, dpos, dlen); 1276 eap_len = dlen; 1277 } else { 1278 u8 *neweap = os_realloc(eapdata, 1279 eap_len + dlen); 1280 if (neweap == NULL) { 1281 retval = -1; 1282 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1283 "failed to allocate memory " 1284 "for Phase 2 EAP data"); 1285 goto done; 1286 } 1287 os_memcpy(neweap + eap_len, dpos, dlen); 1288 eapdata = neweap; 1289 eap_len += dlen; 1290 } 1291 } else if (vendor_id == 0 && 1292 avp_code == RADIUS_ATTR_REPLY_MESSAGE) { 1293 /* This is an optional message that can be displayed to 1294 * the user. */ 1295 wpa_hexdump_ascii(MSG_DEBUG, 1296 "EAP-TTLS: AVP - Reply-Message", 1297 dpos, dlen); 1298 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 1299 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) { 1300 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: " 1301 "MS-CHAP2-Success", dpos, dlen); 1302 if (dlen != 43) { 1303 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected " 1304 "MS-CHAP2-Success length " 1305 "(len=%lu, expected 43)", 1306 (unsigned long) dlen); 1307 retval = -1; 1308 break; 1309 } 1310 mschapv2 = dpos; 1311 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 1312 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) { 1313 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: " 1314 "MS-CHAP-Error", dpos, dlen); 1315 mschapv2_error = 1; 1316 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 1317 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported " 1318 "mandatory AVP code %d vendor_id %d - " 1319 "dropped", (int) avp_code, (int) vendor_id); 1320 retval = -1; 1321 goto done; 1322 } else { 1323 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported " 1324 "AVP code %d vendor_id %d", 1325 (int) avp_code, (int) vendor_id); 1326 } 1327 1328 pad = (4 - (avp_length & 3)) & 3; 1329 pos += avp_length + pad; 1330 if (left < avp_length + pad) 1331 left = 0; 1332 else 1333 left -= avp_length + pad; 1334 } 1335 1336 switch (data->phase2_type) { 1337 case EAP_TTLS_PHASE2_EAP: 1338 if (eapdata == NULL) { 1339 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in " 1340 "the packet - dropped"); 1341 retval = -1; 1342 goto done; 1343 } 1344 1345 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP", 1346 eapdata, eap_len); 1347 hdr = (struct eap_hdr *) eapdata; 1348 1349 if (eap_len < sizeof(*hdr)) { 1350 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 " 1351 "EAP frame (len=%lu, expected %lu or more) " 1352 "- dropped", (unsigned long) eap_len, 1353 (unsigned long) sizeof(*hdr)); 1354 retval = -1; 1355 goto done; 1356 } 1357 len = be_to_host16(hdr->length); 1358 if (len > eap_len) { 1359 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in " 1360 "Phase 2 EAP frame (EAP hdr len=%lu, EAP " 1361 "data len in AVP=%lu)", 1362 (unsigned long) len, 1363 (unsigned long) eap_len); 1364 retval = -1; 1365 goto done; 1366 } 1367 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d " 1368 "identifier=%d length=%lu", 1369 hdr->code, hdr->identifier, (unsigned long) len); 1370 process_eap: 1371 switch (hdr->code) { 1372 case EAP_CODE_REQUEST: 1373 if (eap_ttls_phase2_request(sm, data, ret, req, hdr, 1374 &resp, &resp_len)) { 1375 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 " 1376 "Request processing failed"); 1377 retval = -1; 1378 goto done; 1379 } 1380 break; 1381 default: 1382 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in " 1383 "Phase 2 EAP header", hdr->code); 1384 retval = -1; 1385 break; 1386 } 1387 break; 1388 case EAP_TTLS_PHASE2_MSCHAPV2: 1389 if (mschapv2_error) { 1390 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received " 1391 "MS-CHAP-Error - failed"); 1392 ret->methodState = METHOD_DONE; 1393 ret->decision = DECISION_FAIL; 1394 *out_data = eap_tls_build_ack(&data->ssl, out_len, 1395 req->identifier, 1396 EAP_TYPE_TTLS, 0); 1397 break; 1398 } 1399 1400 if (mschapv2 == NULL) { 1401 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success" 1402 " AVP received for Phase2 MSCHAPV2"); 1403 retval = -1; 1404 break; 1405 } 1406 if (mschapv2[0] != data->ident) { 1407 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch " 1408 "for Phase 2 MSCHAPV2 (received Ident " 1409 "0x%02x, expected 0x%02x)", 1410 mschapv2[0], data->ident); 1411 retval = -1; 1412 break; 1413 } 1414 if (!data->auth_response_valid || 1415 mschapv2[1] != 'S' || mschapv2[2] != '=' || 1416 hexstr2bin((char *) (mschapv2 + 3), recv_response, 20) || 1417 os_memcmp(data->auth_response, recv_response, 20) != 0) { 1418 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid " 1419 "authenticator response in Phase 2 " 1420 "MSCHAPV2 success request"); 1421 retval = -1; 1422 break; 1423 } 1424 1425 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 " 1426 "authentication succeeded"); 1427 if (data->ttls_version > 0) { 1428 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report 1429 * success, so do not allow connection to be terminated 1430 * yet. */ 1431 ret->methodState = METHOD_CONT; 1432 ret->decision = DECISION_COND_SUCC; 1433 } else { 1434 ret->methodState = METHOD_DONE; 1435 ret->decision = DECISION_UNCOND_SUCC; 1436 data->phase2_success = 1; 1437 } 1438 1439 /* Reply with empty data; authentication server will reply 1440 * with EAP-Success after this. */ 1441 retval = 1; 1442 goto done; 1443 case EAP_TTLS_PHASE2_MSCHAP: 1444 case EAP_TTLS_PHASE2_PAP: 1445 case EAP_TTLS_PHASE2_CHAP: 1446 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled 1447 * requests to the supplicant */ 1448 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected " 1449 "tunneled data"); 1450 retval = -1; 1451 break; 1452 } 1453 1454 if (resp) { 1455 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data", 1456 resp, resp_len); 1457 1458 if (eap_ttls_encrypt(sm, data, req->identifier, 1459 resp, resp_len, out_data, out_len)) { 1460 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt " 1461 "a Phase 2 frame"); 1462 } 1463 os_free(resp); 1464 } else if (config->pending_req_identity || 1465 config->pending_req_password || 1466 config->pending_req_otp || 1467 config->pending_req_new_password) { 1468 os_free(data->pending_phase2_req); 1469 data->pending_phase2_req = os_malloc(len_decrypted); 1470 if (data->pending_phase2_req) { 1471 os_memcpy(data->pending_phase2_req, in_decrypted, 1472 len_decrypted); 1473 data->pending_phase2_req_len = len_decrypted; 1474 } 1475 } 1476 1477 done: 1478 os_free(in_decrypted); 1479 os_free(eapdata); 1480 1481 if (retval < 0) { 1482 ret->methodState = METHOD_DONE; 1483 ret->decision = DECISION_FAIL; 1484 } 1485 1486 return retval; 1487 } 1488 1489 1490 static u8 * eap_ttls_process(struct eap_sm *sm, void *priv, 1491 struct eap_method_ret *ret, 1492 const u8 *reqData, size_t reqDataLen, 1493 size_t *respDataLen) 1494 { 1495 const struct eap_hdr *req; 1496 size_t left; 1497 int res; 1498 u8 flags, *resp, id; 1499 const u8 *pos; 1500 struct eap_ttls_data *data = priv; 1501 struct wpa_ssid *config = eap_get_config(sm); 1502 1503 pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret, 1504 reqData, reqDataLen, &left, &flags); 1505 if (pos == NULL) 1506 return NULL; 1507 req = (const struct eap_hdr *) reqData; 1508 id = req->identifier; 1509 1510 if (flags & EAP_TLS_FLAGS_START) { 1511 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own " 1512 "ver=%d)", flags & EAP_PEAP_VERSION_MASK, 1513 data->ttls_version); 1514 if ((flags & EAP_PEAP_VERSION_MASK) < data->ttls_version) 1515 data->ttls_version = flags & EAP_PEAP_VERSION_MASK; 1516 if (data->force_ttls_version >= 0 && 1517 data->force_ttls_version != data->ttls_version) { 1518 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to select " 1519 "forced TTLS version %d", 1520 data->force_ttls_version); 1521 ret->methodState = METHOD_DONE; 1522 ret->decision = DECISION_FAIL; 1523 ret->allowNotifications = FALSE; 1524 return NULL; 1525 } 1526 wpa_printf(MSG_DEBUG, "EAP-TTLS: Using TTLS version %d", 1527 data->ttls_version); 1528 1529 if (data->ttls_version > 0) 1530 data->ssl.tls_ia = 1; 1531 if (!data->ssl_initialized && 1532 eap_tls_ssl_init(sm, &data->ssl, config)) { 1533 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize " 1534 "SSL."); 1535 return NULL; 1536 } 1537 data->ssl_initialized = 1; 1538 1539 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start"); 1540 /* draft-ietf-pppext-eap-ttls-03.txt, Ch. 8.1: 1541 * EAP-TTLS Start packet may, in a future specification, be 1542 * allowed to contain data. Client based on this draft version 1543 * must ignore such data but must not reject the Start packet. 1544 */ 1545 left = 0; 1546 } else if (!data->ssl_initialized) { 1547 wpa_printf(MSG_DEBUG, "EAP-TTLS: First message did not " 1548 "include Start flag"); 1549 ret->methodState = METHOD_DONE; 1550 ret->decision = DECISION_FAIL; 1551 ret->allowNotifications = FALSE; 1552 return NULL; 1553 } 1554 1555 resp = NULL; 1556 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1557 !data->resuming) { 1558 res = eap_ttls_decrypt(sm, data, ret, req, pos, left, 1559 &resp, respDataLen); 1560 } else { 1561 res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 1562 data->ttls_version, id, pos, left, 1563 &resp, respDataLen); 1564 1565 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1566 wpa_printf(MSG_DEBUG, 1567 "EAP-TTLS: TLS done, proceed to Phase 2"); 1568 if (data->resuming) { 1569 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth -" 1570 " may skip Phase 2"); 1571 ret->decision = DECISION_COND_SUCC; 1572 ret->methodState = METHOD_MAY_CONT; 1573 } 1574 data->phase2_start = 1; 1575 if (data->ttls_version == 0) 1576 eap_ttls_v0_derive_key(sm, data); 1577 1578 if (*respDataLen == 0) { 1579 if (eap_ttls_decrypt(sm, data, ret, req, NULL, 1580 0, &resp, respDataLen)) { 1581 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1582 "failed to process early " 1583 "start for Phase 2"); 1584 } 1585 res = 0; 1586 } 1587 data->resuming = 0; 1588 } 1589 1590 if (res == 2) { 1591 /* 1592 * Application data included in the handshake message. 1593 */ 1594 os_free(data->pending_phase2_req); 1595 data->pending_phase2_req = resp; 1596 data->pending_phase2_req_len = *respDataLen; 1597 resp = NULL; 1598 *respDataLen = 0; 1599 res = eap_ttls_decrypt(sm, data, ret, req, pos, left, 1600 &resp, respDataLen); 1601 } 1602 } 1603 1604 if (data->ttls_version == 0 && ret->methodState == METHOD_DONE) { 1605 ret->allowNotifications = FALSE; 1606 if (ret->decision == DECISION_UNCOND_SUCC || 1607 ret->decision == DECISION_COND_SUCC) { 1608 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1609 "completed successfully"); 1610 data->phase2_success = 1; 1611 } 1612 } else if (data->ttls_version == 0 && sm->workaround && 1613 ret->methodState == METHOD_MAY_CONT && 1614 (ret->decision == DECISION_UNCOND_SUCC || 1615 ret->decision == DECISION_COND_SUCC)) { 1616 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1617 "completed successfully (EAP workaround)"); 1618 data->phase2_success = 1; 1619 } 1620 1621 if (res == 1) { 1622 return eap_tls_build_ack(&data->ssl, respDataLen, id, 1623 EAP_TYPE_TTLS, data->ttls_version); 1624 } 1625 return resp; 1626 } 1627 1628 1629 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv) 1630 { 1631 struct eap_ttls_data *data = priv; 1632 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1633 data->phase2_success; 1634 } 1635 1636 1637 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) 1638 { 1639 struct eap_ttls_data *data = priv; 1640 os_free(data->pending_phase2_req); 1641 data->pending_phase2_req = NULL; 1642 } 1643 1644 1645 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv) 1646 { 1647 struct eap_ttls_data *data = priv; 1648 os_free(data->key_data); 1649 data->key_data = NULL; 1650 if (eap_tls_reauth_init(sm, &data->ssl)) { 1651 os_free(data); 1652 return NULL; 1653 } 1654 if (data->phase2_priv && data->phase2_method && 1655 data->phase2_method->init_for_reauth) 1656 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1657 data->phase2_start = 0; 1658 data->phase2_success = 0; 1659 data->resuming = 1; 1660 data->reauth = 1; 1661 return priv; 1662 } 1663 1664 1665 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf, 1666 size_t buflen, int verbose) 1667 { 1668 struct eap_ttls_data *data = priv; 1669 int len, ret; 1670 1671 len = eap_tls_status(sm, &data->ssl, buf, buflen, verbose); 1672 ret = os_snprintf(buf + len, buflen - len, 1673 "EAP-TTLSv%d Phase2 method=", 1674 data->ttls_version); 1675 if (ret < 0 || (size_t) ret >= buflen - len) 1676 return len; 1677 len += ret; 1678 switch (data->phase2_type) { 1679 case EAP_TTLS_PHASE2_EAP: 1680 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n", 1681 data->phase2_method ? 1682 data->phase2_method->name : "?"); 1683 break; 1684 case EAP_TTLS_PHASE2_MSCHAPV2: 1685 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n"); 1686 break; 1687 case EAP_TTLS_PHASE2_MSCHAP: 1688 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n"); 1689 break; 1690 case EAP_TTLS_PHASE2_PAP: 1691 ret = os_snprintf(buf + len, buflen - len, "PAP\n"); 1692 break; 1693 case EAP_TTLS_PHASE2_CHAP: 1694 ret = os_snprintf(buf + len, buflen - len, "CHAP\n"); 1695 break; 1696 default: 1697 ret = 0; 1698 break; 1699 } 1700 if (ret < 0 || (size_t) ret >= buflen - len) 1701 return len; 1702 len += ret; 1703 1704 return len; 1705 } 1706 1707 1708 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv) 1709 { 1710 struct eap_ttls_data *data = priv; 1711 return data->key_data != NULL && data->phase2_success; 1712 } 1713 1714 1715 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1716 { 1717 struct eap_ttls_data *data = priv; 1718 u8 *key; 1719 1720 if (data->key_data == NULL || !data->phase2_success) 1721 return NULL; 1722 1723 key = os_malloc(EAP_TLS_KEY_LEN); 1724 if (key == NULL) 1725 return NULL; 1726 1727 *len = EAP_TLS_KEY_LEN; 1728 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1729 1730 return key; 1731 } 1732 1733 1734 int eap_peer_ttls_register(void) 1735 { 1736 struct eap_method *eap; 1737 int ret; 1738 1739 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1740 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1741 if (eap == NULL) 1742 return -1; 1743 1744 eap->init = eap_ttls_init; 1745 eap->deinit = eap_ttls_deinit; 1746 eap->process = eap_ttls_process; 1747 eap->isKeyAvailable = eap_ttls_isKeyAvailable; 1748 eap->getKey = eap_ttls_getKey; 1749 eap->get_status = eap_ttls_get_status; 1750 eap->has_reauth_data = eap_ttls_has_reauth_data; 1751 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth; 1752 eap->init_for_reauth = eap_ttls_init_for_reauth; 1753 1754 ret = eap_peer_method_register(eap); 1755 if (ret) 1756 eap_peer_method_free(eap); 1757 return ret; 1758 } 1759