1/* 2 * EAP peer method: EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/ms_funcs.h" 13#include "crypto/sha1.h" 14#include "crypto/tls.h" 15#include "eap_common/chap.h" 16#include "eap_common/eap_ttls.h" 17#include "mschapv2.h" 18#include "eap_i.h" 19#include "eap_tls_common.h" 20#include "eap_config.h" 21 22 23#define EAP_TTLS_VERSION 0 24 25 26static void eap_ttls_deinit(struct eap_sm *sm, void *priv); 27 28 29struct eap_ttls_data { 30 struct eap_ssl_data ssl; 31 32 int ttls_version; 33 34 const struct eap_method *phase2_method; 35 void *phase2_priv; 36 int phase2_success; 37 int phase2_start; 38 39 enum phase2_types { 40 EAP_TTLS_PHASE2_EAP, 41 EAP_TTLS_PHASE2_MSCHAPV2, 42 EAP_TTLS_PHASE2_MSCHAP, 43 EAP_TTLS_PHASE2_PAP, 44 EAP_TTLS_PHASE2_CHAP 45 } phase2_type; 46 struct eap_method_type phase2_eap_type; 47 struct eap_method_type *phase2_eap_types; 48 size_t num_phase2_eap_types; 49 50 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN]; 51 int auth_response_valid; 52 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */ 53 u8 ident; 54 int resuming; /* starting a resumed session */ 55 int reauth; /* reauthentication */ 56 u8 *key_data; 57 58 struct wpabuf *pending_phase2_req; 59 60#ifdef EAP_TNC 61 int ready_for_tnc; 62 int tnc_started; 63#endif /* EAP_TNC */ 64}; 65 66 67static void * eap_ttls_init(struct eap_sm *sm) 68{ 69 struct eap_ttls_data *data; 70 struct eap_peer_config *config = eap_get_config(sm); 71 char *selected; 72 73 data = os_zalloc(sizeof(*data)); 74 if (data == NULL) 75 return NULL; 76 data->ttls_version = EAP_TTLS_VERSION; 77 selected = "EAP"; 78 data->phase2_type = EAP_TTLS_PHASE2_EAP; 79 80 if (config && config->phase2) { 81 if (os_strstr(config->phase2, "autheap=")) { 82 selected = "EAP"; 83 data->phase2_type = EAP_TTLS_PHASE2_EAP; 84 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { 85 selected = "MSCHAPV2"; 86 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; 87 } else if (os_strstr(config->phase2, "auth=MSCHAP")) { 88 selected = "MSCHAP"; 89 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; 90 } else if (os_strstr(config->phase2, "auth=PAP")) { 91 selected = "PAP"; 92 data->phase2_type = EAP_TTLS_PHASE2_PAP; 93 } else if (os_strstr(config->phase2, "auth=CHAP")) { 94 selected = "CHAP"; 95 data->phase2_type = EAP_TTLS_PHASE2_CHAP; 96 } 97 } 98 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); 99 100 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) { 101 if (eap_peer_select_phase2_methods(config, "autheap=", 102 &data->phase2_eap_types, 103 &data->num_phase2_eap_types) 104 < 0) { 105 eap_ttls_deinit(sm, data); 106 return NULL; 107 } 108 109 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 110 data->phase2_eap_type.method = EAP_TYPE_NONE; 111 } 112 113 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) { 114 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 115 eap_ttls_deinit(sm, data); 116 return NULL; 117 } 118 119 return data; 120} 121 122 123static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, 124 struct eap_ttls_data *data) 125{ 126 if (data->phase2_priv && data->phase2_method) { 127 data->phase2_method->deinit(sm, data->phase2_priv); 128 data->phase2_method = NULL; 129 data->phase2_priv = NULL; 130 } 131} 132 133 134static void eap_ttls_deinit(struct eap_sm *sm, void *priv) 135{ 136 struct eap_ttls_data *data = priv; 137 if (data == NULL) 138 return; 139 eap_ttls_phase2_eap_deinit(sm, data); 140 os_free(data->phase2_eap_types); 141 eap_peer_tls_ssl_deinit(sm, &data->ssl); 142 os_free(data->key_data); 143 wpabuf_free(data->pending_phase2_req); 144 os_free(data); 145} 146 147 148static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 149 int mandatory, size_t len) 150{ 151 struct ttls_avp_vendor *avp; 152 u8 flags; 153 size_t hdrlen; 154 155 avp = (struct ttls_avp_vendor *) avphdr; 156 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 157 if (vendor_id) { 158 flags |= AVP_FLAGS_VENDOR; 159 hdrlen = sizeof(*avp); 160 avp->vendor_id = host_to_be32(vendor_id); 161 } else { 162 hdrlen = sizeof(struct ttls_avp); 163 } 164 165 avp->avp_code = host_to_be32(avp_code); 166 avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len)); 167 168 return avphdr + hdrlen; 169} 170 171 172static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code, 173 u32 vendor_id, int mandatory, 174 const u8 *data, size_t len) 175{ 176 u8 *pos; 177 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len); 178 os_memcpy(pos, data, len); 179 pos += len; 180 AVP_PAD(start, pos); 181 return pos; 182} 183 184 185static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code, 186 int mandatory) 187{ 188 struct wpabuf *msg; 189 u8 *avp, *pos; 190 191 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4); 192 if (msg == NULL) { 193 wpabuf_free(*resp); 194 *resp = NULL; 195 return -1; 196 } 197 198 avp = wpabuf_mhead(msg); 199 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp)); 200 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp)); 201 pos += wpabuf_len(*resp); 202 AVP_PAD(avp, pos); 203 wpabuf_free(*resp); 204 wpabuf_put(msg, pos - avp); 205 *resp = msg; 206 return 0; 207} 208 209 210static int eap_ttls_v0_derive_key(struct eap_sm *sm, 211 struct eap_ttls_data *data) 212{ 213 os_free(data->key_data); 214 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, 215 "ttls keying material", 216 EAP_TLS_KEY_LEN); 217 if (!data->key_data) { 218 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key"); 219 return -1; 220 } 221 222 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 223 data->key_data, EAP_TLS_KEY_LEN); 224 225 return 0; 226} 227 228 229static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 230 struct eap_ttls_data *data, size_t len) 231{ 232 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len); 233} 234 235 236static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data, 237 u8 method) 238{ 239 size_t i; 240 for (i = 0; i < data->num_phase2_eap_types; i++) { 241 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF || 242 data->phase2_eap_types[i].method != method) 243 continue; 244 245 data->phase2_eap_type.vendor = 246 data->phase2_eap_types[i].vendor; 247 data->phase2_eap_type.method = 248 data->phase2_eap_types[i].method; 249 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 250 "Phase 2 EAP vendor %d method %d", 251 data->phase2_eap_type.vendor, 252 data->phase2_eap_type.method); 253 break; 254 } 255} 256 257 258static int eap_ttls_phase2_eap_process(struct eap_sm *sm, 259 struct eap_ttls_data *data, 260 struct eap_method_ret *ret, 261 struct eap_hdr *hdr, size_t len, 262 struct wpabuf **resp) 263{ 264 struct wpabuf msg; 265 struct eap_method_ret iret; 266 267 os_memset(&iret, 0, sizeof(iret)); 268 wpabuf_set(&msg, hdr, len); 269 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret, 270 &msg); 271 if ((iret.methodState == METHOD_DONE || 272 iret.methodState == METHOD_MAY_CONT) && 273 (iret.decision == DECISION_UNCOND_SUCC || 274 iret.decision == DECISION_COND_SUCC || 275 iret.decision == DECISION_FAIL)) { 276 ret->methodState = iret.methodState; 277 ret->decision = iret.decision; 278 } 279 280 return 0; 281} 282 283 284static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm, 285 struct eap_ttls_data *data, 286 struct eap_method_ret *ret, 287 struct eap_hdr *hdr, size_t len, 288 u8 method, struct wpabuf **resp) 289{ 290#ifdef EAP_TNC 291 if (data->tnc_started && data->phase2_method && 292 data->phase2_priv && method == EAP_TYPE_TNC && 293 data->phase2_eap_type.method == EAP_TYPE_TNC) 294 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, 295 resp); 296 297 if (data->ready_for_tnc && !data->tnc_started && 298 method == EAP_TYPE_TNC) { 299 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 300 "EAP method"); 301 data->tnc_started = 1; 302 } 303 304 if (data->tnc_started) { 305 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF || 306 data->phase2_eap_type.method == EAP_TYPE_TNC) { 307 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP " 308 "type %d for TNC", method); 309 return -1; 310 } 311 312 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 313 data->phase2_eap_type.method = method; 314 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 315 "Phase 2 EAP vendor %d method %d (TNC)", 316 data->phase2_eap_type.vendor, 317 data->phase2_eap_type.method); 318 319 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) 320 eap_ttls_phase2_eap_deinit(sm, data); 321 } 322#endif /* EAP_TNC */ 323 324 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF && 325 data->phase2_eap_type.method == EAP_TYPE_NONE) 326 eap_ttls_phase2_select_eap_method(data, method); 327 328 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE) 329 { 330 if (eap_peer_tls_phase2_nak(data->phase2_eap_types, 331 data->num_phase2_eap_types, 332 hdr, resp)) 333 return -1; 334 return 0; 335 } 336 337 if (data->phase2_priv == NULL) { 338 data->phase2_method = eap_peer_get_eap_method( 339 EAP_VENDOR_IETF, method); 340 if (data->phase2_method) { 341 sm->init_phase2 = 1; 342 data->phase2_priv = data->phase2_method->init(sm); 343 sm->init_phase2 = 0; 344 } 345 } 346 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 347 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize " 348 "Phase 2 EAP method %d", method); 349 return -1; 350 } 351 352 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp); 353} 354 355 356static int eap_ttls_phase2_request_eap(struct eap_sm *sm, 357 struct eap_ttls_data *data, 358 struct eap_method_ret *ret, 359 struct eap_hdr *hdr, 360 struct wpabuf **resp) 361{ 362 size_t len = be_to_host16(hdr->length); 363 u8 *pos; 364 struct eap_peer_config *config = eap_get_config(sm); 365 366 if (len <= sizeof(struct eap_hdr)) { 367 wpa_printf(MSG_INFO, "EAP-TTLS: too short " 368 "Phase 2 request (len=%lu)", (unsigned long) len); 369 return -1; 370 } 371 pos = (u8 *) (hdr + 1); 372 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos); 373 switch (*pos) { 374 case EAP_TYPE_IDENTITY: 375 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 376 break; 377 default: 378 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len, 379 *pos, resp) < 0) 380 return -1; 381 break; 382 } 383 384 if (*resp == NULL && 385 (config->pending_req_identity || config->pending_req_password || 386 config->pending_req_otp)) { 387 return 0; 388 } 389 390 if (*resp == NULL) 391 return -1; 392 393 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response", 394 *resp); 395 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1); 396} 397 398 399static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm, 400 struct eap_ttls_data *data, 401 struct eap_method_ret *ret, 402 struct wpabuf **resp) 403{ 404#ifdef EAP_MSCHAPv2 405 struct wpabuf *msg; 406 u8 *buf, *pos, *challenge, *peer_challenge; 407 const u8 *identity, *password; 408 size_t identity_len, password_len; 409 int pwhash; 410 411 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request"); 412 413 identity = eap_get_config_identity(sm, &identity_len); 414 password = eap_get_config_password2(sm, &password_len, &pwhash); 415 if (identity == NULL || password == NULL) 416 return -1; 417 418 msg = wpabuf_alloc(identity_len + 1000); 419 if (msg == NULL) { 420 wpa_printf(MSG_ERROR, 421 "EAP-TTLS/MSCHAPV2: Failed to allocate memory"); 422 return -1; 423 } 424 pos = buf = wpabuf_mhead(msg); 425 426 /* User-Name */ 427 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 428 identity, identity_len); 429 430 /* MS-CHAP-Challenge */ 431 challenge = eap_ttls_implicit_challenge( 432 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 433 if (challenge == NULL) { 434 wpabuf_free(msg); 435 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 436 "implicit challenge"); 437 return -1; 438 } 439 440 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 441 RADIUS_VENDOR_ID_MICROSOFT, 1, 442 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 443 444 /* MS-CHAP2-Response */ 445 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE, 446 RADIUS_VENDOR_ID_MICROSOFT, 1, 447 EAP_TTLS_MSCHAPV2_RESPONSE_LEN); 448 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; 449 *pos++ = data->ident; 450 *pos++ = 0; /* Flags */ 451 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) { 452 os_free(challenge); 453 wpabuf_free(msg); 454 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get " 455 "random data for peer challenge"); 456 return -1; 457 } 458 peer_challenge = pos; 459 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 460 os_memset(pos, 0, 8); /* Reserved, must be zero */ 461 pos += 8; 462 if (mschapv2_derive_response(identity, identity_len, password, 463 password_len, pwhash, challenge, 464 peer_challenge, pos, data->auth_response, 465 data->master_key)) { 466 os_free(challenge); 467 wpabuf_free(msg); 468 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 469 "response"); 470 return -1; 471 } 472 data->auth_response_valid = 1; 473 474 pos += 24; 475 os_free(challenge); 476 AVP_PAD(buf, pos); 477 478 wpabuf_put(msg, pos - buf); 479 *resp = msg; 480 481 if (sm->workaround) { 482 /* At least FreeRADIUS seems to be terminating 483 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success 484 * packet. */ 485 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - " 486 "allow success without tunneled response"); 487 ret->methodState = METHOD_MAY_CONT; 488 ret->decision = DECISION_COND_SUCC; 489 } 490 491 return 0; 492#else /* EAP_MSCHAPv2 */ 493 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 494 return -1; 495#endif /* EAP_MSCHAPv2 */ 496} 497 498 499static int eap_ttls_phase2_request_mschap(struct eap_sm *sm, 500 struct eap_ttls_data *data, 501 struct eap_method_ret *ret, 502 struct wpabuf **resp) 503{ 504 struct wpabuf *msg; 505 u8 *buf, *pos, *challenge; 506 const u8 *identity, *password; 507 size_t identity_len, password_len; 508 int pwhash; 509 510 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request"); 511 512 identity = eap_get_config_identity(sm, &identity_len); 513 password = eap_get_config_password2(sm, &password_len, &pwhash); 514 if (identity == NULL || password == NULL) 515 return -1; 516 517 msg = wpabuf_alloc(identity_len + 1000); 518 if (msg == NULL) { 519 wpa_printf(MSG_ERROR, 520 "EAP-TTLS/MSCHAP: Failed to allocate memory"); 521 return -1; 522 } 523 pos = buf = wpabuf_mhead(msg); 524 525 /* User-Name */ 526 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 527 identity, identity_len); 528 529 /* MS-CHAP-Challenge */ 530 challenge = eap_ttls_implicit_challenge( 531 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 532 if (challenge == NULL) { 533 wpabuf_free(msg); 534 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive " 535 "implicit challenge"); 536 return -1; 537 } 538 539 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 540 RADIUS_VENDOR_ID_MICROSOFT, 1, 541 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 542 543 /* MS-CHAP-Response */ 544 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE, 545 RADIUS_VENDOR_ID_MICROSOFT, 1, 546 EAP_TTLS_MSCHAP_RESPONSE_LEN); 547 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN]; 548 *pos++ = data->ident; 549 *pos++ = 1; /* Flags: Use NT style passwords */ 550 os_memset(pos, 0, 24); /* LM-Response */ 551 pos += 24; 552 if (pwhash) { 553 challenge_response(challenge, password, pos); /* NT-Response */ 554 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash", 555 password, 16); 556 } else { 557 nt_challenge_response(challenge, password, password_len, 558 pos); /* NT-Response */ 559 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", 560 password, password_len); 561 } 562 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge", 563 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 564 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24); 565 pos += 24; 566 os_free(challenge); 567 AVP_PAD(buf, pos); 568 569 wpabuf_put(msg, pos - buf); 570 *resp = msg; 571 572 /* EAP-TTLS/MSCHAP does not provide tunneled success 573 * notification, so assume that Phase2 succeeds. */ 574 ret->methodState = METHOD_DONE; 575 ret->decision = DECISION_COND_SUCC; 576 577 return 0; 578} 579 580 581static int eap_ttls_phase2_request_pap(struct eap_sm *sm, 582 struct eap_ttls_data *data, 583 struct eap_method_ret *ret, 584 struct wpabuf **resp) 585{ 586 struct wpabuf *msg; 587 u8 *buf, *pos; 588 size_t pad; 589 const u8 *identity, *password; 590 size_t identity_len, password_len; 591 592 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request"); 593 594 identity = eap_get_config_identity(sm, &identity_len); 595 password = eap_get_config_password(sm, &password_len); 596 if (identity == NULL || password == NULL) 597 return -1; 598 599 msg = wpabuf_alloc(identity_len + password_len + 100); 600 if (msg == NULL) { 601 wpa_printf(MSG_ERROR, 602 "EAP-TTLS/PAP: Failed to allocate memory"); 603 return -1; 604 } 605 pos = buf = wpabuf_mhead(msg); 606 607 /* User-Name */ 608 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 609 identity, identity_len); 610 611 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts 612 * the data, so no separate encryption is used in the AVP itself. 613 * However, the password is padded to obfuscate its length. */ 614 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15; 615 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, 616 password_len + pad); 617 os_memcpy(pos, password, password_len); 618 pos += password_len; 619 os_memset(pos, 0, pad); 620 pos += pad; 621 AVP_PAD(buf, pos); 622 623 wpabuf_put(msg, pos - buf); 624 *resp = msg; 625 626 /* EAP-TTLS/PAP does not provide tunneled success notification, 627 * so assume that Phase2 succeeds. */ 628 ret->methodState = METHOD_DONE; 629 ret->decision = DECISION_COND_SUCC; 630 631 return 0; 632} 633 634 635static int eap_ttls_phase2_request_chap(struct eap_sm *sm, 636 struct eap_ttls_data *data, 637 struct eap_method_ret *ret, 638 struct wpabuf **resp) 639{ 640 struct wpabuf *msg; 641 u8 *buf, *pos, *challenge; 642 const u8 *identity, *password; 643 size_t identity_len, password_len; 644 645 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request"); 646 647 identity = eap_get_config_identity(sm, &identity_len); 648 password = eap_get_config_password(sm, &password_len); 649 if (identity == NULL || password == NULL) 650 return -1; 651 652 msg = wpabuf_alloc(identity_len + 1000); 653 if (msg == NULL) { 654 wpa_printf(MSG_ERROR, 655 "EAP-TTLS/CHAP: Failed to allocate memory"); 656 return -1; 657 } 658 pos = buf = wpabuf_mhead(msg); 659 660 /* User-Name */ 661 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 662 identity, identity_len); 663 664 /* CHAP-Challenge */ 665 challenge = eap_ttls_implicit_challenge( 666 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 667 if (challenge == NULL) { 668 wpabuf_free(msg); 669 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive " 670 "implicit challenge"); 671 return -1; 672 } 673 674 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1, 675 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 676 677 /* CHAP-Password */ 678 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1, 679 1 + EAP_TTLS_CHAP_PASSWORD_LEN); 680 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN]; 681 *pos++ = data->ident; 682 683 /* MD5(Ident + Password + Challenge) */ 684 chap_md5(data->ident, password, password_len, challenge, 685 EAP_TTLS_CHAP_CHALLENGE_LEN, pos); 686 687 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username", 688 identity, identity_len); 689 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password", 690 password, password_len); 691 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge", 692 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 693 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password", 694 pos, EAP_TTLS_CHAP_PASSWORD_LEN); 695 pos += EAP_TTLS_CHAP_PASSWORD_LEN; 696 os_free(challenge); 697 AVP_PAD(buf, pos); 698 699 wpabuf_put(msg, pos - buf); 700 *resp = msg; 701 702 /* EAP-TTLS/CHAP does not provide tunneled success 703 * notification, so assume that Phase2 succeeds. */ 704 ret->methodState = METHOD_DONE; 705 ret->decision = DECISION_COND_SUCC; 706 707 return 0; 708} 709 710 711static int eap_ttls_phase2_request(struct eap_sm *sm, 712 struct eap_ttls_data *data, 713 struct eap_method_ret *ret, 714 struct eap_hdr *hdr, 715 struct wpabuf **resp) 716{ 717 int res = 0; 718 size_t len; 719 enum phase2_types phase2_type = data->phase2_type; 720 721#ifdef EAP_TNC 722 if (data->tnc_started) { 723 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC"); 724 phase2_type = EAP_TTLS_PHASE2_EAP; 725 } 726#endif /* EAP_TNC */ 727 728 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 || 729 phase2_type == EAP_TTLS_PHASE2_MSCHAP || 730 phase2_type == EAP_TTLS_PHASE2_PAP || 731 phase2_type == EAP_TTLS_PHASE2_CHAP) { 732 if (eap_get_config_identity(sm, &len) == NULL) { 733 wpa_printf(MSG_INFO, 734 "EAP-TTLS: Identity not configured"); 735 eap_sm_request_identity(sm); 736 if (eap_get_config_password(sm, &len) == NULL) 737 eap_sm_request_password(sm); 738 return 0; 739 } 740 741 if (eap_get_config_password(sm, &len) == NULL) { 742 wpa_printf(MSG_INFO, 743 "EAP-TTLS: Password not configured"); 744 eap_sm_request_password(sm); 745 return 0; 746 } 747 } 748 749 switch (phase2_type) { 750 case EAP_TTLS_PHASE2_EAP: 751 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp); 752 break; 753 case EAP_TTLS_PHASE2_MSCHAPV2: 754 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp); 755 break; 756 case EAP_TTLS_PHASE2_MSCHAP: 757 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp); 758 break; 759 case EAP_TTLS_PHASE2_PAP: 760 res = eap_ttls_phase2_request_pap(sm, data, ret, resp); 761 break; 762 case EAP_TTLS_PHASE2_CHAP: 763 res = eap_ttls_phase2_request_chap(sm, data, ret, resp); 764 break; 765 default: 766 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown"); 767 res = -1; 768 break; 769 } 770 771 if (res < 0) { 772 ret->methodState = METHOD_DONE; 773 ret->decision = DECISION_FAIL; 774 } 775 776 return res; 777} 778 779 780struct ttls_parse_avp { 781 u8 *mschapv2; 782 u8 *eapdata; 783 size_t eap_len; 784 int mschapv2_error; 785}; 786 787 788static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen, 789 struct ttls_parse_avp *parse) 790{ 791 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 792 if (parse->eapdata == NULL) { 793 parse->eapdata = os_malloc(dlen); 794 if (parse->eapdata == NULL) { 795 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 796 "memory for Phase 2 EAP data"); 797 return -1; 798 } 799 os_memcpy(parse->eapdata, dpos, dlen); 800 parse->eap_len = dlen; 801 } else { 802 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen); 803 if (neweap == NULL) { 804 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 805 "memory for Phase 2 EAP data"); 806 return -1; 807 } 808 os_memcpy(neweap + parse->eap_len, dpos, dlen); 809 parse->eapdata = neweap; 810 parse->eap_len += dlen; 811 } 812 813 return 0; 814} 815 816 817static int eap_ttls_parse_avp(u8 *pos, size_t left, 818 struct ttls_parse_avp *parse) 819{ 820 struct ttls_avp *avp; 821 u32 avp_code, avp_length, vendor_id = 0; 822 u8 avp_flags, *dpos; 823 size_t dlen; 824 825 avp = (struct ttls_avp *) pos; 826 avp_code = be_to_host32(avp->avp_code); 827 avp_length = be_to_host32(avp->avp_length); 828 avp_flags = (avp_length >> 24) & 0xff; 829 avp_length &= 0xffffff; 830 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 831 "length=%d", (int) avp_code, avp_flags, 832 (int) avp_length); 833 834 if (avp_length > left) { 835 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 836 "(len=%d, left=%lu) - dropped", 837 (int) avp_length, (unsigned long) left); 838 return -1; 839 } 840 841 if (avp_length < sizeof(*avp)) { 842 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d", 843 avp_length); 844 return -1; 845 } 846 847 dpos = (u8 *) (avp + 1); 848 dlen = avp_length - sizeof(*avp); 849 if (avp_flags & AVP_FLAGS_VENDOR) { 850 if (dlen < 4) { 851 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP " 852 "underflow"); 853 return -1; 854 } 855 vendor_id = WPA_GET_BE32(dpos); 856 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 857 (int) vendor_id); 858 dpos += 4; 859 dlen -= 4; 860 } 861 862 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 863 864 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 865 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0) 866 return -1; 867 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) { 868 /* This is an optional message that can be displayed to 869 * the user. */ 870 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message", 871 dpos, dlen); 872 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 873 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) { 874 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success", 875 dpos, dlen); 876 if (dlen != 43) { 877 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected " 878 "MS-CHAP2-Success length " 879 "(len=%lu, expected 43)", 880 (unsigned long) dlen); 881 return -1; 882 } 883 parse->mschapv2 = dpos; 884 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 885 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) { 886 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error", 887 dpos, dlen); 888 parse->mschapv2_error = 1; 889 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 890 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP " 891 "code %d vendor_id %d - dropped", 892 (int) avp_code, (int) vendor_id); 893 return -1; 894 } else { 895 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP " 896 "code %d vendor_id %d", 897 (int) avp_code, (int) vendor_id); 898 } 899 900 return avp_length; 901} 902 903 904static int eap_ttls_parse_avps(struct wpabuf *in_decrypted, 905 struct ttls_parse_avp *parse) 906{ 907 u8 *pos; 908 size_t left, pad; 909 int avp_length; 910 911 pos = wpabuf_mhead(in_decrypted); 912 left = wpabuf_len(in_decrypted); 913 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left); 914 if (left < sizeof(struct ttls_avp)) { 915 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame" 916 " len=%lu expected %lu or more - dropped", 917 (unsigned long) left, 918 (unsigned long) sizeof(struct ttls_avp)); 919 return -1; 920 } 921 922 /* Parse AVPs */ 923 os_memset(parse, 0, sizeof(*parse)); 924 925 while (left > 0) { 926 avp_length = eap_ttls_parse_avp(pos, left, parse); 927 if (avp_length < 0) 928 return -1; 929 930 pad = (4 - (avp_length & 3)) & 3; 931 pos += avp_length + pad; 932 if (left < avp_length + pad) 933 left = 0; 934 else 935 left -= avp_length + pad; 936 } 937 938 return 0; 939} 940 941 942static u8 * eap_ttls_fake_identity_request(void) 943{ 944 struct eap_hdr *hdr; 945 u8 *buf; 946 947 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of " 948 "Phase 2 - use fake EAP-Request Identity"); 949 buf = os_malloc(sizeof(*hdr) + 1); 950 if (buf == NULL) { 951 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate " 952 "memory for fake EAP-Identity Request"); 953 return NULL; 954 } 955 956 hdr = (struct eap_hdr *) buf; 957 hdr->code = EAP_CODE_REQUEST; 958 hdr->identifier = 0; 959 hdr->length = host_to_be16(sizeof(*hdr) + 1); 960 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY; 961 962 return buf; 963} 964 965 966static int eap_ttls_encrypt_response(struct eap_sm *sm, 967 struct eap_ttls_data *data, 968 struct wpabuf *resp, u8 identifier, 969 struct wpabuf **out_data) 970{ 971 if (resp == NULL) 972 return 0; 973 974 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data", 975 resp); 976 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 977 data->ttls_version, identifier, 978 resp, out_data)) { 979 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 " 980 "frame"); 981 return -1; 982 } 983 wpabuf_free(resp); 984 985 return 0; 986} 987 988 989static int eap_ttls_process_phase2_eap(struct eap_sm *sm, 990 struct eap_ttls_data *data, 991 struct eap_method_ret *ret, 992 struct ttls_parse_avp *parse, 993 struct wpabuf **resp) 994{ 995 struct eap_hdr *hdr; 996 size_t len; 997 998 if (parse->eapdata == NULL) { 999 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the " 1000 "packet - dropped"); 1001 return -1; 1002 } 1003 1004 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP", 1005 parse->eapdata, parse->eap_len); 1006 hdr = (struct eap_hdr *) parse->eapdata; 1007 1008 if (parse->eap_len < sizeof(*hdr)) { 1009 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP " 1010 "frame (len=%lu, expected %lu or more) - dropped", 1011 (unsigned long) parse->eap_len, 1012 (unsigned long) sizeof(*hdr)); 1013 return -1; 1014 } 1015 len = be_to_host16(hdr->length); 1016 if (len > parse->eap_len) { 1017 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 " 1018 "EAP frame (EAP hdr len=%lu, EAP data len in " 1019 "AVP=%lu)", 1020 (unsigned long) len, 1021 (unsigned long) parse->eap_len); 1022 return -1; 1023 } 1024 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d " 1025 "identifier=%d length=%lu", 1026 hdr->code, hdr->identifier, (unsigned long) len); 1027 switch (hdr->code) { 1028 case EAP_CODE_REQUEST: 1029 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) { 1030 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1031 "processing failed"); 1032 return -1; 1033 } 1034 break; 1035 default: 1036 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in " 1037 "Phase 2 EAP header", hdr->code); 1038 return -1; 1039 } 1040 1041 return 0; 1042} 1043 1044 1045static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 1046 struct eap_ttls_data *data, 1047 struct eap_method_ret *ret, 1048 struct ttls_parse_avp *parse) 1049{ 1050#ifdef EAP_MSCHAPv2 1051 if (parse->mschapv2_error) { 1052 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received " 1053 "MS-CHAP-Error - failed"); 1054 ret->methodState = METHOD_DONE; 1055 ret->decision = DECISION_FAIL; 1056 /* Reply with empty data to ACK error */ 1057 return 1; 1058 } 1059 1060 if (parse->mschapv2 == NULL) { 1061#ifdef EAP_TNC 1062 if (data->phase2_success && parse->eapdata) { 1063 /* 1064 * Allow EAP-TNC to be started after successfully 1065 * completed MSCHAPV2. 1066 */ 1067 return 1; 1068 } 1069#endif /* EAP_TNC */ 1070 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP " 1071 "received for Phase2 MSCHAPV2"); 1072 return -1; 1073 } 1074 if (parse->mschapv2[0] != data->ident) { 1075 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 " 1076 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)", 1077 parse->mschapv2[0], data->ident); 1078 return -1; 1079 } 1080 if (!data->auth_response_valid || 1081 mschapv2_verify_auth_response(data->auth_response, 1082 parse->mschapv2 + 1, 42)) { 1083 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator " 1084 "response in Phase 2 MSCHAPV2 success request"); 1085 return -1; 1086 } 1087 1088 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 " 1089 "authentication succeeded"); 1090 ret->methodState = METHOD_DONE; 1091 ret->decision = DECISION_UNCOND_SUCC; 1092 data->phase2_success = 1; 1093 1094 /* 1095 * Reply with empty data; authentication server will reply 1096 * with EAP-Success after this. 1097 */ 1098 return 1; 1099#else /* EAP_MSCHAPv2 */ 1100 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 1101 return -1; 1102#endif /* EAP_MSCHAPv2 */ 1103} 1104 1105 1106#ifdef EAP_TNC 1107static int eap_ttls_process_tnc_start(struct eap_sm *sm, 1108 struct eap_ttls_data *data, 1109 struct eap_method_ret *ret, 1110 struct ttls_parse_avp *parse, 1111 struct wpabuf **resp) 1112{ 1113 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */ 1114 if (parse->eapdata == NULL) { 1115 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1116 "unexpected tunneled data (no EAP)"); 1117 return -1; 1118 } 1119 1120 if (!data->ready_for_tnc) { 1121 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1122 "EAP after non-EAP, but not ready for TNC"); 1123 return -1; 1124 } 1125 1126 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 1127 "non-EAP method"); 1128 data->tnc_started = 1; 1129 1130 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0) 1131 return -1; 1132 1133 return 0; 1134} 1135#endif /* EAP_TNC */ 1136 1137 1138static int eap_ttls_process_decrypted(struct eap_sm *sm, 1139 struct eap_ttls_data *data, 1140 struct eap_method_ret *ret, 1141 u8 identifier, 1142 struct ttls_parse_avp *parse, 1143 struct wpabuf *in_decrypted, 1144 struct wpabuf **out_data) 1145{ 1146 struct wpabuf *resp = NULL; 1147 struct eap_peer_config *config = eap_get_config(sm); 1148 int res; 1149 enum phase2_types phase2_type = data->phase2_type; 1150 1151#ifdef EAP_TNC 1152 if (data->tnc_started) 1153 phase2_type = EAP_TTLS_PHASE2_EAP; 1154#endif /* EAP_TNC */ 1155 1156 switch (phase2_type) { 1157 case EAP_TTLS_PHASE2_EAP: 1158 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) < 1159 0) 1160 return -1; 1161 break; 1162 case EAP_TTLS_PHASE2_MSCHAPV2: 1163 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse); 1164#ifdef EAP_TNC 1165 if (res == 1 && parse->eapdata && data->phase2_success) { 1166 /* 1167 * TNC may be required as the next 1168 * authentication method within the tunnel. 1169 */ 1170 ret->methodState = METHOD_MAY_CONT; 1171 data->ready_for_tnc = 1; 1172 if (eap_ttls_process_tnc_start(sm, data, ret, parse, 1173 &resp) == 0) 1174 break; 1175 } 1176#endif /* EAP_TNC */ 1177 return res; 1178 case EAP_TTLS_PHASE2_MSCHAP: 1179 case EAP_TTLS_PHASE2_PAP: 1180 case EAP_TTLS_PHASE2_CHAP: 1181#ifdef EAP_TNC 1182 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) < 1183 0) 1184 return -1; 1185 break; 1186#else /* EAP_TNC */ 1187 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled 1188 * requests to the supplicant */ 1189 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected " 1190 "tunneled data"); 1191 return -1; 1192#endif /* EAP_TNC */ 1193 } 1194 1195 if (resp) { 1196 if (eap_ttls_encrypt_response(sm, data, resp, identifier, 1197 out_data) < 0) 1198 return -1; 1199 } else if (config->pending_req_identity || 1200 config->pending_req_password || 1201 config->pending_req_otp || 1202 config->pending_req_new_password) { 1203 wpabuf_free(data->pending_phase2_req); 1204 data->pending_phase2_req = wpabuf_dup(in_decrypted); 1205 } 1206 1207 return 0; 1208} 1209 1210 1211static int eap_ttls_implicit_identity_request(struct eap_sm *sm, 1212 struct eap_ttls_data *data, 1213 struct eap_method_ret *ret, 1214 u8 identifier, 1215 struct wpabuf **out_data) 1216{ 1217 int retval = 0; 1218 struct eap_hdr *hdr; 1219 struct wpabuf *resp; 1220 1221 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request(); 1222 if (hdr == NULL) { 1223 ret->methodState = METHOD_DONE; 1224 ret->decision = DECISION_FAIL; 1225 return -1; 1226 } 1227 1228 resp = NULL; 1229 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) { 1230 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1231 "processing failed"); 1232 retval = -1; 1233 } else { 1234 struct eap_peer_config *config = eap_get_config(sm); 1235 if (resp == NULL && 1236 (config->pending_req_identity || 1237 config->pending_req_password || 1238 config->pending_req_otp || 1239 config->pending_req_new_password)) { 1240 /* 1241 * Use empty buffer to force implicit request 1242 * processing when EAP request is re-processed after 1243 * user input. 1244 */ 1245 wpabuf_free(data->pending_phase2_req); 1246 data->pending_phase2_req = wpabuf_alloc(0); 1247 } 1248 1249 retval = eap_ttls_encrypt_response(sm, data, resp, identifier, 1250 out_data); 1251 } 1252 1253 os_free(hdr); 1254 1255 if (retval < 0) { 1256 ret->methodState = METHOD_DONE; 1257 ret->decision = DECISION_FAIL; 1258 } 1259 1260 return retval; 1261} 1262 1263 1264static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data, 1265 struct eap_method_ret *ret, u8 identifier, 1266 struct wpabuf **out_data) 1267{ 1268 data->phase2_start = 0; 1269 1270 /* 1271 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only 1272 * if TLS part was indeed resuming a previous session. Most 1273 * Authentication Servers terminate EAP-TTLS before reaching this 1274 * point, but some do not. Make wpa_supplicant stop phase 2 here, if 1275 * needed. 1276 */ 1277 if (data->reauth && 1278 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 1279 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - " 1280 "skip phase 2"); 1281 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS, 1282 data->ttls_version); 1283 ret->methodState = METHOD_DONE; 1284 ret->decision = DECISION_UNCOND_SUCC; 1285 data->phase2_success = 1; 1286 return 0; 1287 } 1288 1289 return eap_ttls_implicit_identity_request(sm, data, ret, identifier, 1290 out_data); 1291} 1292 1293 1294static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, 1295 struct eap_method_ret *ret, u8 identifier, 1296 const struct wpabuf *in_data, 1297 struct wpabuf **out_data) 1298{ 1299 struct wpabuf *in_decrypted = NULL; 1300 int retval = 0; 1301 struct ttls_parse_avp parse; 1302 1303 os_memset(&parse, 0, sizeof(parse)); 1304 1305 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1306 " Phase 2", 1307 in_data ? (unsigned long) wpabuf_len(in_data) : 0); 1308 1309 if (data->pending_phase2_req) { 1310 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " 1311 "skip decryption and use old data"); 1312 /* Clear TLS reassembly state. */ 1313 eap_peer_tls_reset_input(&data->ssl); 1314 1315 in_decrypted = data->pending_phase2_req; 1316 data->pending_phase2_req = NULL; 1317 if (wpabuf_len(in_decrypted) == 0) { 1318 wpabuf_free(in_decrypted); 1319 return eap_ttls_implicit_identity_request( 1320 sm, data, ret, identifier, out_data); 1321 } 1322 goto continue_req; 1323 } 1324 1325 if ((in_data == NULL || wpabuf_len(in_data) == 0) && 1326 data->phase2_start) { 1327 return eap_ttls_phase2_start(sm, data, ret, identifier, 1328 out_data); 1329 } 1330 1331 if (in_data == NULL || wpabuf_len(in_data) == 0) { 1332 /* Received TLS ACK - requesting more fragments */ 1333 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 1334 data->ttls_version, 1335 identifier, NULL, out_data); 1336 } 1337 1338 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 1339 if (retval) 1340 goto done; 1341 1342continue_req: 1343 data->phase2_start = 0; 1344 1345 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) { 1346 retval = -1; 1347 goto done; 1348 } 1349 1350 retval = eap_ttls_process_decrypted(sm, data, ret, identifier, 1351 &parse, in_decrypted, out_data); 1352 1353done: 1354 wpabuf_free(in_decrypted); 1355 os_free(parse.eapdata); 1356 1357 if (retval < 0) { 1358 ret->methodState = METHOD_DONE; 1359 ret->decision = DECISION_FAIL; 1360 } 1361 1362 return retval; 1363} 1364 1365 1366static int eap_ttls_process_handshake(struct eap_sm *sm, 1367 struct eap_ttls_data *data, 1368 struct eap_method_ret *ret, 1369 u8 identifier, 1370 const u8 *in_data, size_t in_len, 1371 struct wpabuf **out_data) 1372{ 1373 int res; 1374 1375 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 1376 data->ttls_version, identifier, 1377 in_data, in_len, out_data); 1378 1379 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1380 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to " 1381 "Phase 2"); 1382 if (data->resuming) { 1383 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may " 1384 "skip Phase 2"); 1385 ret->decision = DECISION_COND_SUCC; 1386 ret->methodState = METHOD_MAY_CONT; 1387 } 1388 data->phase2_start = 1; 1389 eap_ttls_v0_derive_key(sm, data); 1390 1391 if (*out_data == NULL || wpabuf_len(*out_data) == 0) { 1392 if (eap_ttls_decrypt(sm, data, ret, identifier, 1393 NULL, out_data)) { 1394 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1395 "failed to process early " 1396 "start for Phase 2"); 1397 } 1398 res = 0; 1399 } 1400 data->resuming = 0; 1401 } 1402 1403 if (res == 2) { 1404 struct wpabuf msg; 1405 /* 1406 * Application data included in the handshake message. 1407 */ 1408 wpabuf_free(data->pending_phase2_req); 1409 data->pending_phase2_req = *out_data; 1410 *out_data = NULL; 1411 wpabuf_set(&msg, in_data, in_len); 1412 res = eap_ttls_decrypt(sm, data, ret, identifier, &msg, 1413 out_data); 1414 } 1415 1416 return res; 1417} 1418 1419 1420static void eap_ttls_check_auth_status(struct eap_sm *sm, 1421 struct eap_ttls_data *data, 1422 struct eap_method_ret *ret) 1423{ 1424 if (ret->methodState == METHOD_DONE) { 1425 ret->allowNotifications = FALSE; 1426 if (ret->decision == DECISION_UNCOND_SUCC || 1427 ret->decision == DECISION_COND_SUCC) { 1428 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1429 "completed successfully"); 1430 data->phase2_success = 1; 1431#ifdef EAP_TNC 1432 if (!data->ready_for_tnc && !data->tnc_started) { 1433 /* 1434 * TNC may be required as the next 1435 * authentication method within the tunnel. 1436 */ 1437 ret->methodState = METHOD_MAY_CONT; 1438 data->ready_for_tnc = 1; 1439 } 1440#endif /* EAP_TNC */ 1441 } 1442 } else if (ret->methodState == METHOD_MAY_CONT && 1443 (ret->decision == DECISION_UNCOND_SUCC || 1444 ret->decision == DECISION_COND_SUCC)) { 1445 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1446 "completed successfully (MAY_CONT)"); 1447 data->phase2_success = 1; 1448 } 1449} 1450 1451 1452static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv, 1453 struct eap_method_ret *ret, 1454 const struct wpabuf *reqData) 1455{ 1456 size_t left; 1457 int res; 1458 u8 flags, id; 1459 struct wpabuf *resp; 1460 const u8 *pos; 1461 struct eap_ttls_data *data = priv; 1462 1463 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret, 1464 reqData, &left, &flags); 1465 if (pos == NULL) 1466 return NULL; 1467 id = eap_get_id(reqData); 1468 1469 if (flags & EAP_TLS_FLAGS_START) { 1470 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own " 1471 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1472 data->ttls_version); 1473 1474 /* RFC 5281, Ch. 9.2: 1475 * "This packet MAY contain additional information in the form 1476 * of AVPs, which may provide useful hints to the client" 1477 * For now, ignore any potential extra data. 1478 */ 1479 left = 0; 1480 } 1481 1482 resp = NULL; 1483 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1484 !data->resuming) { 1485 struct wpabuf msg; 1486 wpabuf_set(&msg, pos, left); 1487 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp); 1488 } else { 1489 res = eap_ttls_process_handshake(sm, data, ret, id, 1490 pos, left, &resp); 1491 } 1492 1493 eap_ttls_check_auth_status(sm, data, ret); 1494 1495 /* FIX: what about res == -1? Could just move all error processing into 1496 * the other functions and get rid of this res==1 case here. */ 1497 if (res == 1) { 1498 wpabuf_free(resp); 1499 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS, 1500 data->ttls_version); 1501 } 1502 return resp; 1503} 1504 1505 1506static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv) 1507{ 1508 struct eap_ttls_data *data = priv; 1509 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1510 data->phase2_success; 1511} 1512 1513 1514static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) 1515{ 1516 struct eap_ttls_data *data = priv; 1517 wpabuf_free(data->pending_phase2_req); 1518 data->pending_phase2_req = NULL; 1519#ifdef EAP_TNC 1520 data->ready_for_tnc = 0; 1521 data->tnc_started = 0; 1522#endif /* EAP_TNC */ 1523} 1524 1525 1526static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv) 1527{ 1528 struct eap_ttls_data *data = priv; 1529 os_free(data->key_data); 1530 data->key_data = NULL; 1531 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1532 os_free(data); 1533 return NULL; 1534 } 1535 if (data->phase2_priv && data->phase2_method && 1536 data->phase2_method->init_for_reauth) 1537 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1538 data->phase2_start = 0; 1539 data->phase2_success = 0; 1540 data->resuming = 1; 1541 data->reauth = 1; 1542 return priv; 1543} 1544 1545 1546static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf, 1547 size_t buflen, int verbose) 1548{ 1549 struct eap_ttls_data *data = priv; 1550 int len, ret; 1551 1552 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1553 ret = os_snprintf(buf + len, buflen - len, 1554 "EAP-TTLSv%d Phase2 method=", 1555 data->ttls_version); 1556 if (ret < 0 || (size_t) ret >= buflen - len) 1557 return len; 1558 len += ret; 1559 switch (data->phase2_type) { 1560 case EAP_TTLS_PHASE2_EAP: 1561 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n", 1562 data->phase2_method ? 1563 data->phase2_method->name : "?"); 1564 break; 1565 case EAP_TTLS_PHASE2_MSCHAPV2: 1566 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n"); 1567 break; 1568 case EAP_TTLS_PHASE2_MSCHAP: 1569 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n"); 1570 break; 1571 case EAP_TTLS_PHASE2_PAP: 1572 ret = os_snprintf(buf + len, buflen - len, "PAP\n"); 1573 break; 1574 case EAP_TTLS_PHASE2_CHAP: 1575 ret = os_snprintf(buf + len, buflen - len, "CHAP\n"); 1576 break; 1577 default: 1578 ret = 0; 1579 break; 1580 } 1581 if (ret < 0 || (size_t) ret >= buflen - len) 1582 return len; 1583 len += ret; 1584 1585 return len; 1586} 1587 1588 1589static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv) 1590{ 1591 struct eap_ttls_data *data = priv; 1592 return data->key_data != NULL && data->phase2_success; 1593} 1594 1595 1596static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1597{ 1598 struct eap_ttls_data *data = priv; 1599 u8 *key; 1600 1601 if (data->key_data == NULL || !data->phase2_success) 1602 return NULL; 1603 1604 key = os_malloc(EAP_TLS_KEY_LEN); 1605 if (key == NULL) 1606 return NULL; 1607 1608 *len = EAP_TLS_KEY_LEN; 1609 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1610 1611 return key; 1612} 1613 1614 1615int eap_peer_ttls_register(void) 1616{ 1617 struct eap_method *eap; 1618 int ret; 1619 1620 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1621 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1622 if (eap == NULL) 1623 return -1; 1624 1625 eap->init = eap_ttls_init; 1626 eap->deinit = eap_ttls_deinit; 1627 eap->process = eap_ttls_process; 1628 eap->isKeyAvailable = eap_ttls_isKeyAvailable; 1629 eap->getKey = eap_ttls_getKey; 1630 eap->get_status = eap_ttls_get_status; 1631 eap->has_reauth_data = eap_ttls_has_reauth_data; 1632 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth; 1633 eap->init_for_reauth = eap_ttls_init_for_reauth; 1634 1635 ret = eap_peer_method_register(eap); 1636 if (ret) 1637 eap_peer_method_free(eap); 1638 return ret; 1639} 1640