1/* 2 * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/sha1.h" 13#include "crypto/tls.h" 14#include "eap_common/eap_tlv_common.h" 15#include "eap_common/eap_peap_common.h" 16#include "eap_i.h" 17#include "eap_tls_common.h" 18#include "eap_config.h" 19#include "tncc.h" 20 21 22/* Maximum supported PEAP version 23 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 24 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt 25 * 2 = draft-josefsson-ppext-eap-tls-eap-10.txt 26 */ 27#define EAP_PEAP_VERSION 1 28 29 30static void eap_peap_deinit(struct eap_sm *sm, void *priv); 31 32 33struct eap_peap_data { 34 struct eap_ssl_data ssl; 35 36 int peap_version, force_peap_version, force_new_label; 37 38 const struct eap_method *phase2_method; 39 void *phase2_priv; 40 int phase2_success; 41 int phase2_eap_success; 42 int phase2_eap_started; 43 44 struct eap_method_type phase2_type; 45 struct eap_method_type *phase2_types; 46 size_t num_phase2_types; 47 48 int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner 49 * EAP-Success 50 * 1 = reply with tunneled EAP-Success to inner 51 * EAP-Success and expect AS to send outer 52 * (unencrypted) EAP-Success after this 53 * 2 = reply with PEAP/TLS ACK to inner 54 * EAP-Success and expect AS to send outer 55 * (unencrypted) EAP-Success after this */ 56 int resuming; /* starting a resumed session */ 57 int reauth; /* reauthentication */ 58 u8 *key_data; 59 60 struct wpabuf *pending_phase2_req; 61 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; 62 int crypto_binding_used; 63 u8 binding_nonce[32]; 64 u8 ipmk[40]; 65 u8 cmk[20]; 66 int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) 67 * is enabled. */ 68}; 69 70 71static int eap_peap_parse_phase1(struct eap_peap_data *data, 72 const char *phase1) 73{ 74 const char *pos; 75 76 pos = os_strstr(phase1, "peapver="); 77 if (pos) { 78 data->force_peap_version = atoi(pos + 8); 79 data->peap_version = data->force_peap_version; 80 wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", 81 data->force_peap_version); 82 } 83 84 if (os_strstr(phase1, "peaplabel=1")) { 85 data->force_new_label = 1; 86 wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " 87 "derivation"); 88 } 89 90 if (os_strstr(phase1, "peap_outer_success=0")) { 91 data->peap_outer_success = 0; 92 wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " 93 "tunneled EAP-Success"); 94 } else if (os_strstr(phase1, "peap_outer_success=1")) { 95 data->peap_outer_success = 1; 96 wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " 97 "after receiving tunneled EAP-Success"); 98 } else if (os_strstr(phase1, "peap_outer_success=2")) { 99 data->peap_outer_success = 2; 100 wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " 101 "receiving tunneled EAP-Success"); 102 } 103 104 if (os_strstr(phase1, "crypto_binding=0")) { 105 data->crypto_binding = NO_BINDING; 106 wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); 107 } else if (os_strstr(phase1, "crypto_binding=1")) { 108 data->crypto_binding = OPTIONAL_BINDING; 109 wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); 110 } else if (os_strstr(phase1, "crypto_binding=2")) { 111 data->crypto_binding = REQUIRE_BINDING; 112 wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); 113 } 114 115#ifdef EAP_TNC 116 if (os_strstr(phase1, "tnc=soh2")) { 117 data->soh = 2; 118 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 119 } else if (os_strstr(phase1, "tnc=soh1")) { 120 data->soh = 1; 121 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); 122 } else if (os_strstr(phase1, "tnc=soh")) { 123 data->soh = 2; 124 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 125 } 126#endif /* EAP_TNC */ 127 128 return 0; 129} 130 131 132static void * eap_peap_init(struct eap_sm *sm) 133{ 134 struct eap_peap_data *data; 135 struct eap_peer_config *config = eap_get_config(sm); 136 137 data = os_zalloc(sizeof(*data)); 138 if (data == NULL) 139 return NULL; 140 sm->peap_done = FALSE; 141 data->peap_version = EAP_PEAP_VERSION; 142 data->force_peap_version = -1; 143 data->peap_outer_success = 2; 144 data->crypto_binding = OPTIONAL_BINDING; 145 146 if (config && config->phase1 && 147 eap_peap_parse_phase1(data, config->phase1) < 0) { 148 eap_peap_deinit(sm, data); 149 return NULL; 150 } 151 152 if (eap_peer_select_phase2_methods(config, "auth=", 153 &data->phase2_types, 154 &data->num_phase2_types) < 0) { 155 eap_peap_deinit(sm, data); 156 return NULL; 157 } 158 159 data->phase2_type.vendor = EAP_VENDOR_IETF; 160 data->phase2_type.method = EAP_TYPE_NONE; 161 162 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { 163 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); 164 eap_peap_deinit(sm, data); 165 return NULL; 166 } 167 168 return data; 169} 170 171 172static void eap_peap_deinit(struct eap_sm *sm, void *priv) 173{ 174 struct eap_peap_data *data = priv; 175 if (data == NULL) 176 return; 177 if (data->phase2_priv && data->phase2_method) 178 data->phase2_method->deinit(sm, data->phase2_priv); 179 os_free(data->phase2_types); 180 eap_peer_tls_ssl_deinit(sm, &data->ssl); 181 os_free(data->key_data); 182 wpabuf_free(data->pending_phase2_req); 183 os_free(data); 184} 185 186 187/** 188 * eap_tlv_build_nak - Build EAP-TLV NAK message 189 * @id: EAP identifier for the header 190 * @nak_type: TLV type (EAP_TLV_*) 191 * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure 192 * 193 * This function builds an EAP-TLV NAK message. The caller is responsible for 194 * freeing the returned buffer. 195 */ 196static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) 197{ 198 struct wpabuf *msg; 199 200 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, 201 EAP_CODE_RESPONSE, id); 202 if (msg == NULL) 203 return NULL; 204 205 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 206 wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); 207 wpabuf_put_be16(msg, 6); /* Length */ 208 wpabuf_put_be32(msg, 0); /* Vendor-Id */ 209 wpabuf_put_be16(msg, nak_type); /* NAK-Type */ 210 211 return msg; 212} 213 214 215static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, 216 u8 *isk, size_t isk_len) 217{ 218 u8 *key; 219 size_t key_len; 220 221 os_memset(isk, 0, isk_len); 222 if (data->phase2_method == NULL || data->phase2_priv == NULL || 223 data->phase2_method->isKeyAvailable == NULL || 224 data->phase2_method->getKey == NULL) 225 return 0; 226 227 if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || 228 (key = data->phase2_method->getKey(sm, data->phase2_priv, 229 &key_len)) == NULL) { 230 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " 231 "from Phase 2"); 232 return -1; 233 } 234 235 if (key_len > isk_len) 236 key_len = isk_len; 237 os_memcpy(isk, key, key_len); 238 os_free(key); 239 240 return 0; 241} 242 243 244static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) 245{ 246 u8 *tk; 247 u8 isk[32], imck[60]; 248 249 /* 250 * Tunnel key (TK) is the first 60 octets of the key generated by 251 * phase 1 of PEAP (based on TLS). 252 */ 253 tk = data->key_data; 254 if (tk == NULL) 255 return -1; 256 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); 257 258 if (data->reauth && 259 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 260 /* Fast-connect: IPMK|CMK = TK */ 261 os_memcpy(data->ipmk, tk, 40); 262 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 263 data->ipmk, 40); 264 os_memcpy(data->cmk, tk + 40, 20); 265 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", 266 data->cmk, 20); 267 return 0; 268 } 269 270 if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) 271 return -1; 272 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); 273 274 /* 275 * IPMK Seed = "Inner Methods Compound Keys" | ISK 276 * TempKey = First 40 octets of TK 277 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) 278 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space 279 * in the end of the label just before ISK; is that just a typo?) 280 */ 281 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); 282 if (peap_prfplus(data->peap_version, tk, 40, 283 "Inner Methods Compound Keys", 284 isk, sizeof(isk), imck, sizeof(imck)) < 0) 285 return -1; 286 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", 287 imck, sizeof(imck)); 288 289 os_memcpy(data->ipmk, imck, 40); 290 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); 291 os_memcpy(data->cmk, imck + 40, 20); 292 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); 293 294 return 0; 295} 296 297 298static int eap_tlv_add_cryptobinding(struct eap_sm *sm, 299 struct eap_peap_data *data, 300 struct wpabuf *buf) 301{ 302 u8 *mac; 303 u8 eap_type = EAP_TYPE_PEAP; 304 const u8 *addr[2]; 305 size_t len[2]; 306 u16 tlv_type; 307 308 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 309 addr[0] = wpabuf_put(buf, 0); 310 len[0] = 60; 311 addr[1] = &eap_type; 312 len[1] = 1; 313 314 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; 315 if (data->peap_version >= 2) 316 tlv_type |= EAP_TLV_TYPE_MANDATORY; 317 wpabuf_put_be16(buf, tlv_type); 318 wpabuf_put_be16(buf, 56); 319 320 wpabuf_put_u8(buf, 0); /* Reserved */ 321 wpabuf_put_u8(buf, data->peap_version); /* Version */ 322 wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ 323 wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ 324 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ 325 mac = wpabuf_put(buf, 20); /* Compound_MAC */ 326 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); 327 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", 328 addr[0], len[0]); 329 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", 330 addr[1], len[1]); 331 hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac); 332 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); 333 data->crypto_binding_used = 1; 334 335 return 0; 336} 337 338 339/** 340 * eap_tlv_build_result - Build EAP-TLV Result message 341 * @id: EAP identifier for the header 342 * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) 343 * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure 344 * 345 * This function builds an EAP-TLV Result message. The caller is responsible 346 * for freeing the returned buffer. 347 */ 348static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, 349 struct eap_peap_data *data, 350 int crypto_tlv_used, 351 int id, u16 status) 352{ 353 struct wpabuf *msg; 354 size_t len; 355 356 if (data->crypto_binding == NO_BINDING) 357 crypto_tlv_used = 0; 358 359 len = 6; 360 if (crypto_tlv_used) 361 len += 60; /* Cryptobinding TLV */ 362 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, 363 EAP_CODE_RESPONSE, id); 364 if (msg == NULL) 365 return NULL; 366 367 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 368 wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); 369 wpabuf_put_be16(msg, 2); /* Length */ 370 wpabuf_put_be16(msg, status); /* Status */ 371 372 if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { 373 wpabuf_free(msg); 374 return NULL; 375 } 376 377 return msg; 378} 379 380 381static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, 382 struct eap_peap_data *data, 383 const u8 *crypto_tlv, 384 size_t crypto_tlv_len) 385{ 386 u8 buf[61], mac[SHA1_MAC_LEN]; 387 const u8 *pos; 388 389 if (eap_peap_derive_cmk(sm, data) < 0) { 390 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); 391 return -1; 392 } 393 394 if (crypto_tlv_len != 4 + 56) { 395 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " 396 "length %d", (int) crypto_tlv_len); 397 return -1; 398 } 399 400 pos = crypto_tlv; 401 pos += 4; /* TLV header */ 402 if (pos[1] != data->peap_version) { 403 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " 404 "mismatch (was %d; expected %d)", 405 pos[1], data->peap_version); 406 return -1; 407 } 408 409 if (pos[3] != 0) { 410 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " 411 "SubType %d", pos[3]); 412 return -1; 413 } 414 pos += 4; 415 os_memcpy(data->binding_nonce, pos, 32); 416 pos += 32; /* Nonce */ 417 418 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 419 os_memcpy(buf, crypto_tlv, 60); 420 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ 421 buf[60] = EAP_TYPE_PEAP; 422 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", 423 buf, sizeof(buf)); 424 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); 425 426 if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) { 427 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " 428 "cryptobinding TLV"); 429 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", 430 pos, SHA1_MAC_LEN); 431 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", 432 mac, SHA1_MAC_LEN); 433 return -1; 434 } 435 436 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); 437 438 return 0; 439} 440 441 442/** 443 * eap_tlv_process - Process a received EAP-TLV message and generate a response 444 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 445 * @ret: Return values from EAP request validation and processing 446 * @req: EAP-TLV request to be processed. The caller must have validated that 447 * the buffer is large enough to contain full request (hdr->length bytes) and 448 * that the EAP type is EAP_TYPE_TLV. 449 * @resp: Buffer to return a pointer to the allocated response message. This 450 * field should be initialized to %NULL before the call. The value will be 451 * updated if a response message is generated. The caller is responsible for 452 * freeing the allocated message. 453 * @force_failure: Force negotiation to fail 454 * Returns: 0 on success, -1 on failure 455 */ 456static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, 457 struct eap_method_ret *ret, 458 const struct wpabuf *req, struct wpabuf **resp, 459 int force_failure) 460{ 461 size_t left, tlv_len; 462 const u8 *pos; 463 const u8 *result_tlv = NULL, *crypto_tlv = NULL; 464 size_t result_tlv_len = 0, crypto_tlv_len = 0; 465 int tlv_type, mandatory; 466 467 /* Parse TLVs */ 468 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); 469 if (pos == NULL) 470 return -1; 471 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); 472 while (left >= 4) { 473 mandatory = !!(pos[0] & 0x80); 474 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 475 pos += 2; 476 tlv_len = WPA_GET_BE16(pos); 477 pos += 2; 478 left -= 4; 479 if (tlv_len > left) { 480 wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " 481 "(tlv_len=%lu left=%lu)", 482 (unsigned long) tlv_len, 483 (unsigned long) left); 484 return -1; 485 } 486 switch (tlv_type) { 487 case EAP_TLV_RESULT_TLV: 488 result_tlv = pos; 489 result_tlv_len = tlv_len; 490 break; 491 case EAP_TLV_CRYPTO_BINDING_TLV: 492 crypto_tlv = pos; 493 crypto_tlv_len = tlv_len; 494 break; 495 default: 496 wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " 497 "%d%s", tlv_type, 498 mandatory ? " (mandatory)" : ""); 499 if (mandatory) { 500 /* NAK TLV and ignore all TLVs in this packet. 501 */ 502 *resp = eap_tlv_build_nak(eap_get_id(req), 503 tlv_type); 504 return *resp == NULL ? -1 : 0; 505 } 506 /* Ignore this TLV, but process other TLVs */ 507 break; 508 } 509 510 pos += tlv_len; 511 left -= tlv_len; 512 } 513 if (left) { 514 wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " 515 "Request (left=%lu)", (unsigned long) left); 516 return -1; 517 } 518 519 /* Process supported TLVs */ 520 if (crypto_tlv && data->crypto_binding != NO_BINDING) { 521 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", 522 crypto_tlv, crypto_tlv_len); 523 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, 524 crypto_tlv_len + 4) < 0) { 525 if (result_tlv == NULL) 526 return -1; 527 force_failure = 1; 528 crypto_tlv = NULL; /* do not include Cryptobinding TLV 529 * in response, if the received 530 * cryptobinding was invalid. */ 531 } 532 } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { 533 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); 534 return -1; 535 } 536 537 if (result_tlv) { 538 int status, resp_status; 539 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", 540 result_tlv, result_tlv_len); 541 if (result_tlv_len < 2) { 542 wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " 543 "(len=%lu)", 544 (unsigned long) result_tlv_len); 545 return -1; 546 } 547 status = WPA_GET_BE16(result_tlv); 548 if (status == EAP_TLV_RESULT_SUCCESS) { 549 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " 550 "- EAP-TLV/Phase2 Completed"); 551 if (force_failure) { 552 wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" 553 " - force failed Phase 2"); 554 resp_status = EAP_TLV_RESULT_FAILURE; 555 ret->decision = DECISION_FAIL; 556 } else { 557 resp_status = EAP_TLV_RESULT_SUCCESS; 558 ret->decision = DECISION_UNCOND_SUCC; 559 } 560 } else if (status == EAP_TLV_RESULT_FAILURE) { 561 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); 562 resp_status = EAP_TLV_RESULT_FAILURE; 563 ret->decision = DECISION_FAIL; 564 } else { 565 wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " 566 "Status %d", status); 567 resp_status = EAP_TLV_RESULT_FAILURE; 568 ret->decision = DECISION_FAIL; 569 } 570 ret->methodState = METHOD_DONE; 571 572 *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, 573 eap_get_id(req), resp_status); 574 } 575 576 return 0; 577} 578 579 580static struct wpabuf * eap_peapv2_tlv_eap_payload(struct wpabuf *buf) 581{ 582 struct wpabuf *e; 583 struct eap_tlv_hdr *tlv; 584 585 if (buf == NULL) 586 return NULL; 587 588 /* Encapsulate EAP packet in EAP-Payload TLV */ 589 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Add EAP-Payload TLV"); 590 e = wpabuf_alloc(sizeof(*tlv) + wpabuf_len(buf)); 591 if (e == NULL) { 592 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Failed to allocate memory " 593 "for TLV encapsulation"); 594 wpabuf_free(buf); 595 return NULL; 596 } 597 tlv = wpabuf_put(e, sizeof(*tlv)); 598 tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 599 EAP_TLV_EAP_PAYLOAD_TLV); 600 tlv->length = host_to_be16(wpabuf_len(buf)); 601 wpabuf_put_buf(e, buf); 602 wpabuf_free(buf); 603 return e; 604} 605 606 607static int eap_peap_phase2_request(struct eap_sm *sm, 608 struct eap_peap_data *data, 609 struct eap_method_ret *ret, 610 struct wpabuf *req, 611 struct wpabuf **resp) 612{ 613 struct eap_hdr *hdr = wpabuf_mhead(req); 614 size_t len = be_to_host16(hdr->length); 615 u8 *pos; 616 struct eap_method_ret iret; 617 struct eap_peer_config *config = eap_get_config(sm); 618 619 if (len <= sizeof(struct eap_hdr)) { 620 wpa_printf(MSG_INFO, "EAP-PEAP: too short " 621 "Phase 2 request (len=%lu)", (unsigned long) len); 622 return -1; 623 } 624 pos = (u8 *) (hdr + 1); 625 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); 626 switch (*pos) { 627 case EAP_TYPE_IDENTITY: 628 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 629 break; 630 case EAP_TYPE_TLV: 631 os_memset(&iret, 0, sizeof(iret)); 632 if (eap_tlv_process(sm, data, &iret, req, resp, 633 data->phase2_eap_started && 634 !data->phase2_eap_success)) { 635 ret->methodState = METHOD_DONE; 636 ret->decision = DECISION_FAIL; 637 return -1; 638 } 639 if (iret.methodState == METHOD_DONE || 640 iret.methodState == METHOD_MAY_CONT) { 641 ret->methodState = iret.methodState; 642 ret->decision = iret.decision; 643 data->phase2_success = 1; 644 } 645 break; 646 case EAP_TYPE_EXPANDED: 647#ifdef EAP_TNC 648 if (data->soh) { 649 const u8 *epos; 650 size_t eleft; 651 652 epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, 653 req, &eleft); 654 if (epos) { 655 struct wpabuf *buf; 656 wpa_printf(MSG_DEBUG, 657 "EAP-PEAP: SoH EAP Extensions"); 658 buf = tncc_process_soh_request(data->soh, 659 epos, eleft); 660 if (buf) { 661 *resp = eap_msg_alloc( 662 EAP_VENDOR_MICROSOFT, 0x21, 663 wpabuf_len(buf), 664 EAP_CODE_RESPONSE, 665 hdr->identifier); 666 if (*resp == NULL) { 667 ret->methodState = METHOD_DONE; 668 ret->decision = DECISION_FAIL; 669 return -1; 670 } 671 wpabuf_put_buf(*resp, buf); 672 wpabuf_free(buf); 673 break; 674 } 675 } 676 } 677#endif /* EAP_TNC */ 678 /* fall through */ 679 default: 680 if (data->phase2_type.vendor == EAP_VENDOR_IETF && 681 data->phase2_type.method == EAP_TYPE_NONE) { 682 size_t i; 683 for (i = 0; i < data->num_phase2_types; i++) { 684 if (data->phase2_types[i].vendor != 685 EAP_VENDOR_IETF || 686 data->phase2_types[i].method != *pos) 687 continue; 688 689 data->phase2_type.vendor = 690 data->phase2_types[i].vendor; 691 data->phase2_type.method = 692 data->phase2_types[i].method; 693 wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " 694 "Phase 2 EAP vendor %d method %d", 695 data->phase2_type.vendor, 696 data->phase2_type.method); 697 break; 698 } 699 } 700 if (*pos != data->phase2_type.method || 701 *pos == EAP_TYPE_NONE) { 702 if (eap_peer_tls_phase2_nak(data->phase2_types, 703 data->num_phase2_types, 704 hdr, resp)) 705 return -1; 706 return 0; 707 } 708 709 if (data->phase2_priv == NULL) { 710 data->phase2_method = eap_peer_get_eap_method( 711 data->phase2_type.vendor, 712 data->phase2_type.method); 713 if (data->phase2_method) { 714 sm->init_phase2 = 1; 715 data->phase2_priv = 716 data->phase2_method->init(sm); 717 sm->init_phase2 = 0; 718 } 719 } 720 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 721 wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " 722 "Phase 2 EAP method %d", *pos); 723 ret->methodState = METHOD_DONE; 724 ret->decision = DECISION_FAIL; 725 return -1; 726 } 727 data->phase2_eap_started = 1; 728 os_memset(&iret, 0, sizeof(iret)); 729 *resp = data->phase2_method->process(sm, data->phase2_priv, 730 &iret, req); 731 if ((iret.methodState == METHOD_DONE || 732 iret.methodState == METHOD_MAY_CONT) && 733 (iret.decision == DECISION_UNCOND_SUCC || 734 iret.decision == DECISION_COND_SUCC)) { 735 data->phase2_eap_success = 1; 736 data->phase2_success = 1; 737 } 738 break; 739 } 740 741 if (*resp == NULL && 742 (config->pending_req_identity || config->pending_req_password || 743 config->pending_req_otp || config->pending_req_new_password)) { 744 wpabuf_free(data->pending_phase2_req); 745 data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); 746 } 747 748 return 0; 749} 750 751 752static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, 753 struct eap_method_ret *ret, 754 const struct eap_hdr *req, 755 const struct wpabuf *in_data, 756 struct wpabuf **out_data) 757{ 758 struct wpabuf *in_decrypted = NULL; 759 int res, skip_change = 0; 760 struct eap_hdr *hdr, *rhdr; 761 struct wpabuf *resp = NULL; 762 size_t len; 763 764 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" 765 " Phase 2", (unsigned long) wpabuf_len(in_data)); 766 767 if (data->pending_phase2_req) { 768 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " 769 "skip decryption and use old data"); 770 /* Clear TLS reassembly state. */ 771 eap_peer_tls_reset_input(&data->ssl); 772 in_decrypted = data->pending_phase2_req; 773 data->pending_phase2_req = NULL; 774 skip_change = 1; 775 goto continue_req; 776 } 777 778 if (wpabuf_len(in_data) == 0 && sm->workaround && 779 data->phase2_success) { 780 /* 781 * Cisco ACS seems to be using TLS ACK to terminate 782 * EAP-PEAPv0/GTC. Try to reply with TLS ACK. 783 */ 784 wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " 785 "expected data - acknowledge with TLS ACK since " 786 "Phase 2 has been completed"); 787 ret->decision = DECISION_COND_SUCC; 788 ret->methodState = METHOD_DONE; 789 return 1; 790 } else if (wpabuf_len(in_data) == 0) { 791 /* Received TLS ACK - requesting more fragments */ 792 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 793 data->peap_version, 794 req->identifier, NULL, out_data); 795 } 796 797 res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 798 if (res) 799 return res; 800 801continue_req: 802 wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", 803 in_decrypted); 804 805 hdr = wpabuf_mhead(in_decrypted); 806 if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && 807 be_to_host16(hdr->length) == 5 && 808 eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { 809 /* At least FreeRADIUS seems to send full EAP header with 810 * EAP Request Identity */ 811 skip_change = 1; 812 } 813 if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && 814 eap_get_type(in_decrypted) == EAP_TYPE_TLV) { 815 skip_change = 1; 816 } 817 818 if (data->peap_version == 0 && !skip_change) { 819 struct eap_hdr *nhdr; 820 struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + 821 wpabuf_len(in_decrypted)); 822 if (nmsg == NULL) { 823 wpabuf_free(in_decrypted); 824 return 0; 825 } 826 nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); 827 wpabuf_put_buf(nmsg, in_decrypted); 828 nhdr->code = req->code; 829 nhdr->identifier = req->identifier; 830 nhdr->length = host_to_be16(sizeof(struct eap_hdr) + 831 wpabuf_len(in_decrypted)); 832 833 wpabuf_free(in_decrypted); 834 in_decrypted = nmsg; 835 } 836 837 if (data->peap_version >= 2) { 838 struct eap_tlv_hdr *tlv; 839 struct wpabuf *nmsg; 840 841 if (wpabuf_len(in_decrypted) < sizeof(*tlv) + sizeof(*hdr)) { 842 wpa_printf(MSG_INFO, "EAP-PEAPv2: Too short Phase 2 " 843 "EAP TLV"); 844 wpabuf_free(in_decrypted); 845 return 0; 846 } 847 tlv = wpabuf_mhead(in_decrypted); 848 if ((be_to_host16(tlv->tlv_type) & 0x3fff) != 849 EAP_TLV_EAP_PAYLOAD_TLV) { 850 wpa_printf(MSG_INFO, "EAP-PEAPv2: Not an EAP TLV"); 851 wpabuf_free(in_decrypted); 852 return 0; 853 } 854 if (sizeof(*tlv) + be_to_host16(tlv->length) > 855 wpabuf_len(in_decrypted)) { 856 wpa_printf(MSG_INFO, "EAP-PEAPv2: Invalid EAP TLV " 857 "length"); 858 wpabuf_free(in_decrypted); 859 return 0; 860 } 861 hdr = (struct eap_hdr *) (tlv + 1); 862 if (be_to_host16(hdr->length) > be_to_host16(tlv->length)) { 863 wpa_printf(MSG_INFO, "EAP-PEAPv2: No room for full " 864 "EAP packet in EAP TLV"); 865 wpabuf_free(in_decrypted); 866 return 0; 867 } 868 869 nmsg = wpabuf_alloc(be_to_host16(hdr->length)); 870 if (nmsg == NULL) { 871 wpabuf_free(in_decrypted); 872 return 0; 873 } 874 875 wpabuf_put_data(nmsg, hdr, be_to_host16(hdr->length)); 876 wpabuf_free(in_decrypted); 877 in_decrypted = nmsg; 878 } 879 880 hdr = wpabuf_mhead(in_decrypted); 881 if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { 882 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " 883 "EAP frame (len=%lu)", 884 (unsigned long) wpabuf_len(in_decrypted)); 885 wpabuf_free(in_decrypted); 886 return 0; 887 } 888 len = be_to_host16(hdr->length); 889 if (len > wpabuf_len(in_decrypted)) { 890 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " 891 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 892 (unsigned long) wpabuf_len(in_decrypted), 893 (unsigned long) len); 894 wpabuf_free(in_decrypted); 895 return 0; 896 } 897 if (len < wpabuf_len(in_decrypted)) { 898 wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " 899 "shorter length than full decrypted data " 900 "(%lu < %lu)", 901 (unsigned long) len, 902 (unsigned long) wpabuf_len(in_decrypted)); 903 } 904 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " 905 "identifier=%d length=%lu", hdr->code, hdr->identifier, 906 (unsigned long) len); 907 switch (hdr->code) { 908 case EAP_CODE_REQUEST: 909 if (eap_peap_phase2_request(sm, data, ret, in_decrypted, 910 &resp)) { 911 wpabuf_free(in_decrypted); 912 wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " 913 "processing failed"); 914 return 0; 915 } 916 break; 917 case EAP_CODE_SUCCESS: 918 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); 919 if (data->peap_version == 1) { 920 /* EAP-Success within TLS tunnel is used to indicate 921 * shutdown of the TLS channel. The authentication has 922 * been completed. */ 923 if (data->phase2_eap_started && 924 !data->phase2_eap_success) { 925 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " 926 "Success used to indicate success, " 927 "but Phase 2 EAP was not yet " 928 "completed successfully"); 929 ret->methodState = METHOD_DONE; 930 ret->decision = DECISION_FAIL; 931 wpabuf_free(in_decrypted); 932 return 0; 933 } 934 wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " 935 "EAP-Success within TLS tunnel - " 936 "authentication completed"); 937 ret->decision = DECISION_UNCOND_SUCC; 938 ret->methodState = METHOD_DONE; 939 data->phase2_success = 1; 940 if (data->peap_outer_success == 2) { 941 wpabuf_free(in_decrypted); 942 wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " 943 "to finish authentication"); 944 return 1; 945 } else if (data->peap_outer_success == 1) { 946 /* Reply with EAP-Success within the TLS 947 * channel to complete the authentication. */ 948 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 949 if (resp) { 950 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 951 rhdr->code = EAP_CODE_SUCCESS; 952 rhdr->identifier = hdr->identifier; 953 rhdr->length = 954 host_to_be16(sizeof(*rhdr)); 955 } 956 } else { 957 /* No EAP-Success expected for Phase 1 (outer, 958 * unencrypted auth), so force EAP state 959 * machine to SUCCESS state. */ 960 sm->peap_done = TRUE; 961 } 962 } else { 963 /* FIX: ? */ 964 } 965 break; 966 case EAP_CODE_FAILURE: 967 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); 968 ret->decision = DECISION_FAIL; 969 ret->methodState = METHOD_MAY_CONT; 970 ret->allowNotifications = FALSE; 971 /* Reply with EAP-Failure within the TLS channel to complete 972 * failure reporting. */ 973 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 974 if (resp) { 975 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 976 rhdr->code = EAP_CODE_FAILURE; 977 rhdr->identifier = hdr->identifier; 978 rhdr->length = host_to_be16(sizeof(*rhdr)); 979 } 980 break; 981 default: 982 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " 983 "Phase 2 EAP header", hdr->code); 984 break; 985 } 986 987 wpabuf_free(in_decrypted); 988 989 if (resp) { 990 int skip_change2 = 0; 991 struct wpabuf *rmsg, buf; 992 993 wpa_hexdump_buf_key(MSG_DEBUG, 994 "EAP-PEAP: Encrypting Phase 2 data", resp); 995 /* PEAP version changes */ 996 if (data->peap_version >= 2) { 997 resp = eap_peapv2_tlv_eap_payload(resp); 998 if (resp == NULL) 999 return -1; 1000 } 1001 if (wpabuf_len(resp) >= 5 && 1002 wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && 1003 eap_get_type(resp) == EAP_TYPE_TLV) 1004 skip_change2 = 1; 1005 rmsg = resp; 1006 if (data->peap_version == 0 && !skip_change2) { 1007 wpabuf_set(&buf, wpabuf_head_u8(resp) + 1008 sizeof(struct eap_hdr), 1009 wpabuf_len(resp) - sizeof(struct eap_hdr)); 1010 rmsg = &buf; 1011 } 1012 1013 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 1014 data->peap_version, req->identifier, 1015 rmsg, out_data)) { 1016 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " 1017 "a Phase 2 frame"); 1018 } 1019 wpabuf_free(resp); 1020 } 1021 1022 return 0; 1023} 1024 1025 1026static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, 1027 struct eap_method_ret *ret, 1028 const struct wpabuf *reqData) 1029{ 1030 const struct eap_hdr *req; 1031 size_t left; 1032 int res; 1033 u8 flags, id; 1034 struct wpabuf *resp; 1035 const u8 *pos; 1036 struct eap_peap_data *data = priv; 1037 1038 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, 1039 reqData, &left, &flags); 1040 if (pos == NULL) 1041 return NULL; 1042 req = wpabuf_head(reqData); 1043 id = req->identifier; 1044 1045 if (flags & EAP_TLS_FLAGS_START) { 1046 wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " 1047 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1048 data->peap_version); 1049 if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) 1050 data->peap_version = flags & EAP_TLS_VERSION_MASK; 1051 if (data->force_peap_version >= 0 && 1052 data->force_peap_version != data->peap_version) { 1053 wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " 1054 "forced PEAP version %d", 1055 data->force_peap_version); 1056 ret->methodState = METHOD_DONE; 1057 ret->decision = DECISION_FAIL; 1058 ret->allowNotifications = FALSE; 1059 return NULL; 1060 } 1061 wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", 1062 data->peap_version); 1063 left = 0; /* make sure that this frame is empty, even though it 1064 * should always be, anyway */ 1065 } 1066 1067 resp = NULL; 1068 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1069 !data->resuming) { 1070 struct wpabuf msg; 1071 wpabuf_set(&msg, pos, left); 1072 res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); 1073 } else { 1074 res = eap_peer_tls_process_helper(sm, &data->ssl, 1075 EAP_TYPE_PEAP, 1076 data->peap_version, id, pos, 1077 left, &resp); 1078 1079 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1080 char *label; 1081 wpa_printf(MSG_DEBUG, 1082 "EAP-PEAP: TLS done, proceed to Phase 2"); 1083 os_free(data->key_data); 1084 /* draft-josefsson-ppext-eap-tls-eap-05.txt 1085 * specifies that PEAPv1 would use "client PEAP 1086 * encryption" as the label. However, most existing 1087 * PEAPv1 implementations seem to be using the old 1088 * label, "client EAP encryption", instead. Use the old 1089 * label by default, but allow it to be configured with 1090 * phase1 parameter peaplabel=1. */ 1091 if (data->peap_version > 1 || data->force_new_label) 1092 label = "client PEAP encryption"; 1093 else 1094 label = "client EAP encryption"; 1095 wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " 1096 "key derivation", label); 1097 data->key_data = 1098 eap_peer_tls_derive_key(sm, &data->ssl, label, 1099 EAP_TLS_KEY_LEN); 1100 if (data->key_data) { 1101 wpa_hexdump_key(MSG_DEBUG, 1102 "EAP-PEAP: Derived key", 1103 data->key_data, 1104 EAP_TLS_KEY_LEN); 1105 } else { 1106 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " 1107 "derive key"); 1108 } 1109 1110 if (sm->workaround && data->resuming) { 1111 /* 1112 * At least few RADIUS servers (Aegis v1.1.6; 1113 * but not v1.1.4; and Cisco ACS) seem to be 1114 * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco 1115 * ACS) session resumption with outer 1116 * EAP-Success. This does not seem to follow 1117 * draft-josefsson-pppext-eap-tls-eap-05.txt 1118 * section 4.2, so only allow this if EAP 1119 * workarounds are enabled. 1120 */ 1121 wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " 1122 "allow outer EAP-Success to " 1123 "terminate PEAP resumption"); 1124 ret->decision = DECISION_COND_SUCC; 1125 data->phase2_success = 1; 1126 } 1127 1128 data->resuming = 0; 1129 } 1130 1131 if (res == 2) { 1132 struct wpabuf msg; 1133 /* 1134 * Application data included in the handshake message. 1135 */ 1136 wpabuf_free(data->pending_phase2_req); 1137 data->pending_phase2_req = resp; 1138 resp = NULL; 1139 wpabuf_set(&msg, pos, left); 1140 res = eap_peap_decrypt(sm, data, ret, req, &msg, 1141 &resp); 1142 } 1143 } 1144 1145 if (ret->methodState == METHOD_DONE) { 1146 ret->allowNotifications = FALSE; 1147 } 1148 1149 if (res == 1) { 1150 wpabuf_free(resp); 1151 return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, 1152 data->peap_version); 1153 } 1154 1155 return resp; 1156} 1157 1158 1159static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) 1160{ 1161 struct eap_peap_data *data = priv; 1162 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1163 data->phase2_success; 1164} 1165 1166 1167static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) 1168{ 1169 struct eap_peap_data *data = priv; 1170 wpabuf_free(data->pending_phase2_req); 1171 data->pending_phase2_req = NULL; 1172 data->crypto_binding_used = 0; 1173} 1174 1175 1176static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) 1177{ 1178 struct eap_peap_data *data = priv; 1179 os_free(data->key_data); 1180 data->key_data = NULL; 1181 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1182 os_free(data); 1183 return NULL; 1184 } 1185 if (data->phase2_priv && data->phase2_method && 1186 data->phase2_method->init_for_reauth) 1187 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1188 data->phase2_success = 0; 1189 data->phase2_eap_success = 0; 1190 data->phase2_eap_started = 0; 1191 data->resuming = 1; 1192 data->reauth = 1; 1193 sm->peap_done = FALSE; 1194 return priv; 1195} 1196 1197 1198static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, 1199 size_t buflen, int verbose) 1200{ 1201 struct eap_peap_data *data = priv; 1202 int len, ret; 1203 1204 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1205 if (data->phase2_method) { 1206 ret = os_snprintf(buf + len, buflen - len, 1207 "EAP-PEAPv%d Phase2 method=%s\n", 1208 data->peap_version, 1209 data->phase2_method->name); 1210 if (ret < 0 || (size_t) ret >= buflen - len) 1211 return len; 1212 len += ret; 1213 } 1214 return len; 1215} 1216 1217 1218static Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) 1219{ 1220 struct eap_peap_data *data = priv; 1221 return data->key_data != NULL && data->phase2_success; 1222} 1223 1224 1225static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1226{ 1227 struct eap_peap_data *data = priv; 1228 u8 *key; 1229 1230 if (data->key_data == NULL || !data->phase2_success) 1231 return NULL; 1232 1233 key = os_malloc(EAP_TLS_KEY_LEN); 1234 if (key == NULL) 1235 return NULL; 1236 1237 *len = EAP_TLS_KEY_LEN; 1238 1239 if (data->crypto_binding_used) { 1240 u8 csk[128]; 1241 /* 1242 * Note: It looks like Microsoft implementation requires null 1243 * termination for this label while the one used for deriving 1244 * IPMK|CMK did not use null termination. 1245 */ 1246 if (peap_prfplus(data->peap_version, data->ipmk, 40, 1247 "Session Key Generating Function", 1248 (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { 1249 os_free(key); 1250 return NULL; 1251 } 1252 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); 1253 os_memcpy(key, csk, EAP_TLS_KEY_LEN); 1254 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", 1255 key, EAP_TLS_KEY_LEN); 1256 } else 1257 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1258 1259 return key; 1260} 1261 1262 1263int eap_peer_peap_register(void) 1264{ 1265 struct eap_method *eap; 1266 int ret; 1267 1268 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1269 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); 1270 if (eap == NULL) 1271 return -1; 1272 1273 eap->init = eap_peap_init; 1274 eap->deinit = eap_peap_deinit; 1275 eap->process = eap_peap_process; 1276 eap->isKeyAvailable = eap_peap_isKeyAvailable; 1277 eap->getKey = eap_peap_getKey; 1278 eap->get_status = eap_peap_get_status; 1279 eap->has_reauth_data = eap_peap_has_reauth_data; 1280 eap->deinit_for_reauth = eap_peap_deinit_for_reauth; 1281 eap->init_for_reauth = eap_peap_init_for_reauth; 1282 1283 ret = eap_peer_method_register(eap); 1284 if (ret) 1285 eap_peer_method_free(eap); 1286 return ret; 1287} 1288