1/* 2 * EAP peer method: EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/ms_funcs.h" 13#include "crypto/sha1.h" 14#include "crypto/tls.h" 15#include "eap_common/chap.h" 16#include "eap_common/eap_ttls.h" 17#include "mschapv2.h" 18#include "eap_i.h" 19#include "eap_tls_common.h" 20#include "eap_config.h" 21 22 23#define EAP_TTLS_VERSION 0 24 25 26static void eap_ttls_deinit(struct eap_sm *sm, void *priv); 27 28 29struct eap_ttls_data { 30 struct eap_ssl_data ssl; 31 32 int ttls_version; 33 34 const struct eap_method *phase2_method; 35 void *phase2_priv; 36 int phase2_success; 37 int phase2_start; 38 39 enum phase2_types { 40 EAP_TTLS_PHASE2_EAP, 41 EAP_TTLS_PHASE2_MSCHAPV2, 42 EAP_TTLS_PHASE2_MSCHAP, 43 EAP_TTLS_PHASE2_PAP, 44 EAP_TTLS_PHASE2_CHAP 45 } phase2_type; 46 struct eap_method_type phase2_eap_type; 47 struct eap_method_type *phase2_eap_types; 48 size_t num_phase2_eap_types; 49 50 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN]; 51 int auth_response_valid; 52 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */ 53 u8 ident; 54 int resuming; /* starting a resumed session */ 55 int reauth; /* reauthentication */ 56 u8 *key_data; 57 u8 *session_id; 58 size_t id_len; 59 60 struct wpabuf *pending_phase2_req; 61 62#ifdef EAP_TNC 63 int ready_for_tnc; 64 int tnc_started; 65#endif /* EAP_TNC */ 66}; 67 68 69static void * eap_ttls_init(struct eap_sm *sm) 70{ 71 struct eap_ttls_data *data; 72 struct eap_peer_config *config = eap_get_config(sm); 73 char *selected; 74 75 data = os_zalloc(sizeof(*data)); 76 if (data == NULL) 77 return NULL; 78 data->ttls_version = EAP_TTLS_VERSION; 79 selected = "EAP"; 80 data->phase2_type = EAP_TTLS_PHASE2_EAP; 81 82 if (config && config->phase2) { 83 if (os_strstr(config->phase2, "autheap=")) { 84 selected = "EAP"; 85 data->phase2_type = EAP_TTLS_PHASE2_EAP; 86 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { 87 selected = "MSCHAPV2"; 88 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; 89 } else if (os_strstr(config->phase2, "auth=MSCHAP")) { 90 selected = "MSCHAP"; 91 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; 92 } else if (os_strstr(config->phase2, "auth=PAP")) { 93 selected = "PAP"; 94 data->phase2_type = EAP_TTLS_PHASE2_PAP; 95 } else if (os_strstr(config->phase2, "auth=CHAP")) { 96 selected = "CHAP"; 97 data->phase2_type = EAP_TTLS_PHASE2_CHAP; 98 } 99 } 100 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); 101 102 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) { 103 if (eap_peer_select_phase2_methods(config, "autheap=", 104 &data->phase2_eap_types, 105 &data->num_phase2_eap_types) 106 < 0) { 107 eap_ttls_deinit(sm, data); 108 return NULL; 109 } 110 111 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 112 data->phase2_eap_type.method = EAP_TYPE_NONE; 113 } 114 115 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) { 116 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 117 eap_ttls_deinit(sm, data); 118 return NULL; 119 } 120 121 return data; 122} 123 124 125static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, 126 struct eap_ttls_data *data) 127{ 128 if (data->phase2_priv && data->phase2_method) { 129 data->phase2_method->deinit(sm, data->phase2_priv); 130 data->phase2_method = NULL; 131 data->phase2_priv = NULL; 132 } 133} 134 135 136static void eap_ttls_deinit(struct eap_sm *sm, void *priv) 137{ 138 struct eap_ttls_data *data = priv; 139 if (data == NULL) 140 return; 141 eap_ttls_phase2_eap_deinit(sm, data); 142 os_free(data->phase2_eap_types); 143 eap_peer_tls_ssl_deinit(sm, &data->ssl); 144 os_free(data->key_data); 145 os_free(data->session_id); 146 wpabuf_free(data->pending_phase2_req); 147 os_free(data); 148} 149 150 151static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 152 int mandatory, size_t len) 153{ 154 struct ttls_avp_vendor *avp; 155 u8 flags; 156 size_t hdrlen; 157 158 avp = (struct ttls_avp_vendor *) avphdr; 159 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 160 if (vendor_id) { 161 flags |= AVP_FLAGS_VENDOR; 162 hdrlen = sizeof(*avp); 163 avp->vendor_id = host_to_be32(vendor_id); 164 } else { 165 hdrlen = sizeof(struct ttls_avp); 166 } 167 168 avp->avp_code = host_to_be32(avp_code); 169 avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len)); 170 171 return avphdr + hdrlen; 172} 173 174 175static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code, 176 u32 vendor_id, int mandatory, 177 const u8 *data, size_t len) 178{ 179 u8 *pos; 180 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len); 181 os_memcpy(pos, data, len); 182 pos += len; 183 AVP_PAD(start, pos); 184 return pos; 185} 186 187 188static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code, 189 int mandatory) 190{ 191 struct wpabuf *msg; 192 u8 *avp, *pos; 193 194 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4); 195 if (msg == NULL) { 196 wpabuf_free(*resp); 197 *resp = NULL; 198 return -1; 199 } 200 201 avp = wpabuf_mhead(msg); 202 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp)); 203 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp)); 204 pos += wpabuf_len(*resp); 205 AVP_PAD(avp, pos); 206 wpabuf_free(*resp); 207 wpabuf_put(msg, pos - avp); 208 *resp = msg; 209 return 0; 210} 211 212 213static int eap_ttls_v0_derive_key(struct eap_sm *sm, 214 struct eap_ttls_data *data) 215{ 216 os_free(data->key_data); 217 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, 218 "ttls keying material", 219 EAP_TLS_KEY_LEN); 220 if (!data->key_data) { 221 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key"); 222 return -1; 223 } 224 225 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 226 data->key_data, EAP_TLS_KEY_LEN); 227 228 os_free(data->session_id); 229 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl, 230 EAP_TYPE_TTLS, 231 &data->id_len); 232 if (data->session_id) { 233 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id", 234 data->session_id, data->id_len); 235 } else { 236 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id"); 237 } 238 239 return 0; 240} 241 242 243static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 244 struct eap_ttls_data *data, size_t len) 245{ 246 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len); 247} 248 249 250static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data, 251 u8 method) 252{ 253 size_t i; 254 for (i = 0; i < data->num_phase2_eap_types; i++) { 255 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF || 256 data->phase2_eap_types[i].method != method) 257 continue; 258 259 data->phase2_eap_type.vendor = 260 data->phase2_eap_types[i].vendor; 261 data->phase2_eap_type.method = 262 data->phase2_eap_types[i].method; 263 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 264 "Phase 2 EAP vendor %d method %d", 265 data->phase2_eap_type.vendor, 266 data->phase2_eap_type.method); 267 break; 268 } 269} 270 271 272static int eap_ttls_phase2_eap_process(struct eap_sm *sm, 273 struct eap_ttls_data *data, 274 struct eap_method_ret *ret, 275 struct eap_hdr *hdr, size_t len, 276 struct wpabuf **resp) 277{ 278 struct wpabuf msg; 279 struct eap_method_ret iret; 280 281 os_memset(&iret, 0, sizeof(iret)); 282 wpabuf_set(&msg, hdr, len); 283 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret, 284 &msg); 285 if ((iret.methodState == METHOD_DONE || 286 iret.methodState == METHOD_MAY_CONT) && 287 (iret.decision == DECISION_UNCOND_SUCC || 288 iret.decision == DECISION_COND_SUCC || 289 iret.decision == DECISION_FAIL)) { 290 ret->methodState = iret.methodState; 291 ret->decision = iret.decision; 292 } 293 294 return 0; 295} 296 297 298static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm, 299 struct eap_ttls_data *data, 300 struct eap_method_ret *ret, 301 struct eap_hdr *hdr, size_t len, 302 u8 method, struct wpabuf **resp) 303{ 304#ifdef EAP_TNC 305 if (data->tnc_started && data->phase2_method && 306 data->phase2_priv && method == EAP_TYPE_TNC && 307 data->phase2_eap_type.method == EAP_TYPE_TNC) 308 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, 309 resp); 310 311 if (data->ready_for_tnc && !data->tnc_started && 312 method == EAP_TYPE_TNC) { 313 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 314 "EAP method"); 315 data->tnc_started = 1; 316 } 317 318 if (data->tnc_started) { 319 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF || 320 data->phase2_eap_type.method == EAP_TYPE_TNC) { 321 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP " 322 "type %d for TNC", method); 323 return -1; 324 } 325 326 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 327 data->phase2_eap_type.method = method; 328 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 329 "Phase 2 EAP vendor %d method %d (TNC)", 330 data->phase2_eap_type.vendor, 331 data->phase2_eap_type.method); 332 333 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) 334 eap_ttls_phase2_eap_deinit(sm, data); 335 } 336#endif /* EAP_TNC */ 337 338 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF && 339 data->phase2_eap_type.method == EAP_TYPE_NONE) 340 eap_ttls_phase2_select_eap_method(data, method); 341 342 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE) 343 { 344 if (eap_peer_tls_phase2_nak(data->phase2_eap_types, 345 data->num_phase2_eap_types, 346 hdr, resp)) 347 return -1; 348 return 0; 349 } 350 351 if (data->phase2_priv == NULL) { 352 data->phase2_method = eap_peer_get_eap_method( 353 EAP_VENDOR_IETF, method); 354 if (data->phase2_method) { 355 sm->init_phase2 = 1; 356 data->phase2_priv = data->phase2_method->init(sm); 357 sm->init_phase2 = 0; 358 } 359 } 360 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 361 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize " 362 "Phase 2 EAP method %d", method); 363 return -1; 364 } 365 366 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp); 367} 368 369 370static int eap_ttls_phase2_request_eap(struct eap_sm *sm, 371 struct eap_ttls_data *data, 372 struct eap_method_ret *ret, 373 struct eap_hdr *hdr, 374 struct wpabuf **resp) 375{ 376 size_t len = be_to_host16(hdr->length); 377 u8 *pos; 378 struct eap_peer_config *config = eap_get_config(sm); 379 380 if (len <= sizeof(struct eap_hdr)) { 381 wpa_printf(MSG_INFO, "EAP-TTLS: too short " 382 "Phase 2 request (len=%lu)", (unsigned long) len); 383 return -1; 384 } 385 pos = (u8 *) (hdr + 1); 386 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos); 387 switch (*pos) { 388 case EAP_TYPE_IDENTITY: 389 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 390 break; 391 default: 392 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len, 393 *pos, resp) < 0) 394 return -1; 395 break; 396 } 397 398 if (*resp == NULL && 399 (config->pending_req_identity || config->pending_req_password || 400 config->pending_req_otp)) { 401 return 0; 402 } 403 404 if (*resp == NULL) 405 return -1; 406 407 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response", 408 *resp); 409 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1); 410} 411 412 413static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm, 414 struct eap_ttls_data *data, 415 struct eap_method_ret *ret, 416 struct wpabuf **resp) 417{ 418#ifdef EAP_MSCHAPv2 419 struct wpabuf *msg; 420 u8 *buf, *pos, *challenge, *peer_challenge; 421 const u8 *identity, *password; 422 size_t identity_len, password_len; 423 int pwhash; 424 425 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request"); 426 427 identity = eap_get_config_identity(sm, &identity_len); 428 password = eap_get_config_password2(sm, &password_len, &pwhash); 429 if (identity == NULL || password == NULL) 430 return -1; 431 432 msg = wpabuf_alloc(identity_len + 1000); 433 if (msg == NULL) { 434 wpa_printf(MSG_ERROR, 435 "EAP-TTLS/MSCHAPV2: Failed to allocate memory"); 436 return -1; 437 } 438 pos = buf = wpabuf_mhead(msg); 439 440 /* User-Name */ 441 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 442 identity, identity_len); 443 444 /* MS-CHAP-Challenge */ 445 challenge = eap_ttls_implicit_challenge( 446 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 447 if (challenge == NULL) { 448 wpabuf_free(msg); 449 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 450 "implicit challenge"); 451 return -1; 452 } 453 454 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 455 RADIUS_VENDOR_ID_MICROSOFT, 1, 456 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 457 458 /* MS-CHAP2-Response */ 459 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE, 460 RADIUS_VENDOR_ID_MICROSOFT, 1, 461 EAP_TTLS_MSCHAPV2_RESPONSE_LEN); 462 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; 463 *pos++ = data->ident; 464 *pos++ = 0; /* Flags */ 465 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) { 466 os_free(challenge); 467 wpabuf_free(msg); 468 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get " 469 "random data for peer challenge"); 470 return -1; 471 } 472 peer_challenge = pos; 473 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 474 os_memset(pos, 0, 8); /* Reserved, must be zero */ 475 pos += 8; 476 if (mschapv2_derive_response(identity, identity_len, password, 477 password_len, pwhash, challenge, 478 peer_challenge, pos, data->auth_response, 479 data->master_key)) { 480 os_free(challenge); 481 wpabuf_free(msg); 482 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 483 "response"); 484 return -1; 485 } 486 data->auth_response_valid = 1; 487 488 pos += 24; 489 os_free(challenge); 490 AVP_PAD(buf, pos); 491 492 wpabuf_put(msg, pos - buf); 493 *resp = msg; 494 495 if (sm->workaround) { 496 /* At least FreeRADIUS seems to be terminating 497 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success 498 * packet. */ 499 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - " 500 "allow success without tunneled response"); 501 ret->methodState = METHOD_MAY_CONT; 502 ret->decision = DECISION_COND_SUCC; 503 } 504 505 return 0; 506#else /* EAP_MSCHAPv2 */ 507 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 508 return -1; 509#endif /* EAP_MSCHAPv2 */ 510} 511 512 513static int eap_ttls_phase2_request_mschap(struct eap_sm *sm, 514 struct eap_ttls_data *data, 515 struct eap_method_ret *ret, 516 struct wpabuf **resp) 517{ 518 struct wpabuf *msg; 519 u8 *buf, *pos, *challenge; 520 const u8 *identity, *password; 521 size_t identity_len, password_len; 522 int pwhash; 523 524 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request"); 525 526 identity = eap_get_config_identity(sm, &identity_len); 527 password = eap_get_config_password2(sm, &password_len, &pwhash); 528 if (identity == NULL || password == NULL) 529 return -1; 530 531 msg = wpabuf_alloc(identity_len + 1000); 532 if (msg == NULL) { 533 wpa_printf(MSG_ERROR, 534 "EAP-TTLS/MSCHAP: Failed to allocate memory"); 535 return -1; 536 } 537 pos = buf = wpabuf_mhead(msg); 538 539 /* User-Name */ 540 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 541 identity, identity_len); 542 543 /* MS-CHAP-Challenge */ 544 challenge = eap_ttls_implicit_challenge( 545 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 546 if (challenge == NULL) { 547 wpabuf_free(msg); 548 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive " 549 "implicit challenge"); 550 return -1; 551 } 552 553 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 554 RADIUS_VENDOR_ID_MICROSOFT, 1, 555 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 556 557 /* MS-CHAP-Response */ 558 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE, 559 RADIUS_VENDOR_ID_MICROSOFT, 1, 560 EAP_TTLS_MSCHAP_RESPONSE_LEN); 561 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN]; 562 *pos++ = data->ident; 563 *pos++ = 1; /* Flags: Use NT style passwords */ 564 os_memset(pos, 0, 24); /* LM-Response */ 565 pos += 24; 566 if (pwhash) { 567 challenge_response(challenge, password, pos); /* NT-Response */ 568 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash", 569 password, 16); 570 } else { 571 nt_challenge_response(challenge, password, password_len, 572 pos); /* NT-Response */ 573 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", 574 password, password_len); 575 } 576 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge", 577 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 578 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24); 579 pos += 24; 580 os_free(challenge); 581 AVP_PAD(buf, pos); 582 583 wpabuf_put(msg, pos - buf); 584 *resp = msg; 585 586 /* EAP-TTLS/MSCHAP does not provide tunneled success 587 * notification, so assume that Phase2 succeeds. */ 588 ret->methodState = METHOD_DONE; 589 ret->decision = DECISION_COND_SUCC; 590 591 return 0; 592} 593 594 595static int eap_ttls_phase2_request_pap(struct eap_sm *sm, 596 struct eap_ttls_data *data, 597 struct eap_method_ret *ret, 598 struct wpabuf **resp) 599{ 600 struct wpabuf *msg; 601 u8 *buf, *pos; 602 size_t pad; 603 const u8 *identity, *password; 604 size_t identity_len, password_len; 605 606 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request"); 607 608 identity = eap_get_config_identity(sm, &identity_len); 609 password = eap_get_config_password(sm, &password_len); 610 if (identity == NULL || password == NULL) 611 return -1; 612 613 msg = wpabuf_alloc(identity_len + password_len + 100); 614 if (msg == NULL) { 615 wpa_printf(MSG_ERROR, 616 "EAP-TTLS/PAP: Failed to allocate memory"); 617 return -1; 618 } 619 pos = buf = wpabuf_mhead(msg); 620 621 /* User-Name */ 622 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 623 identity, identity_len); 624 625 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts 626 * the data, so no separate encryption is used in the AVP itself. 627 * However, the password is padded to obfuscate its length. */ 628 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15; 629 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, 630 password_len + pad); 631 os_memcpy(pos, password, password_len); 632 pos += password_len; 633 os_memset(pos, 0, pad); 634 pos += pad; 635 AVP_PAD(buf, pos); 636 637 wpabuf_put(msg, pos - buf); 638 *resp = msg; 639 640 /* EAP-TTLS/PAP does not provide tunneled success notification, 641 * so assume that Phase2 succeeds. */ 642 ret->methodState = METHOD_DONE; 643 ret->decision = DECISION_COND_SUCC; 644 645 return 0; 646} 647 648 649static int eap_ttls_phase2_request_chap(struct eap_sm *sm, 650 struct eap_ttls_data *data, 651 struct eap_method_ret *ret, 652 struct wpabuf **resp) 653{ 654 struct wpabuf *msg; 655 u8 *buf, *pos, *challenge; 656 const u8 *identity, *password; 657 size_t identity_len, password_len; 658 659 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request"); 660 661 identity = eap_get_config_identity(sm, &identity_len); 662 password = eap_get_config_password(sm, &password_len); 663 if (identity == NULL || password == NULL) 664 return -1; 665 666 msg = wpabuf_alloc(identity_len + 1000); 667 if (msg == NULL) { 668 wpa_printf(MSG_ERROR, 669 "EAP-TTLS/CHAP: Failed to allocate memory"); 670 return -1; 671 } 672 pos = buf = wpabuf_mhead(msg); 673 674 /* User-Name */ 675 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 676 identity, identity_len); 677 678 /* CHAP-Challenge */ 679 challenge = eap_ttls_implicit_challenge( 680 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 681 if (challenge == NULL) { 682 wpabuf_free(msg); 683 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive " 684 "implicit challenge"); 685 return -1; 686 } 687 688 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1, 689 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 690 691 /* CHAP-Password */ 692 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1, 693 1 + EAP_TTLS_CHAP_PASSWORD_LEN); 694 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN]; 695 *pos++ = data->ident; 696 697 /* MD5(Ident + Password + Challenge) */ 698 chap_md5(data->ident, password, password_len, challenge, 699 EAP_TTLS_CHAP_CHALLENGE_LEN, pos); 700 701 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username", 702 identity, identity_len); 703 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password", 704 password, password_len); 705 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge", 706 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 707 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password", 708 pos, EAP_TTLS_CHAP_PASSWORD_LEN); 709 pos += EAP_TTLS_CHAP_PASSWORD_LEN; 710 os_free(challenge); 711 AVP_PAD(buf, pos); 712 713 wpabuf_put(msg, pos - buf); 714 *resp = msg; 715 716 /* EAP-TTLS/CHAP does not provide tunneled success 717 * notification, so assume that Phase2 succeeds. */ 718 ret->methodState = METHOD_DONE; 719 ret->decision = DECISION_COND_SUCC; 720 721 return 0; 722} 723 724 725static int eap_ttls_phase2_request(struct eap_sm *sm, 726 struct eap_ttls_data *data, 727 struct eap_method_ret *ret, 728 struct eap_hdr *hdr, 729 struct wpabuf **resp) 730{ 731 int res = 0; 732 size_t len; 733 enum phase2_types phase2_type = data->phase2_type; 734 735#ifdef EAP_TNC 736 if (data->tnc_started) { 737 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC"); 738 phase2_type = EAP_TTLS_PHASE2_EAP; 739 } 740#endif /* EAP_TNC */ 741 742 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 || 743 phase2_type == EAP_TTLS_PHASE2_MSCHAP || 744 phase2_type == EAP_TTLS_PHASE2_PAP || 745 phase2_type == EAP_TTLS_PHASE2_CHAP) { 746 if (eap_get_config_identity(sm, &len) == NULL) { 747 wpa_printf(MSG_INFO, 748 "EAP-TTLS: Identity not configured"); 749 eap_sm_request_identity(sm); 750 if (eap_get_config_password(sm, &len) == NULL) 751 eap_sm_request_password(sm); 752 return 0; 753 } 754 755 if (eap_get_config_password(sm, &len) == NULL) { 756 wpa_printf(MSG_INFO, 757 "EAP-TTLS: Password not configured"); 758 eap_sm_request_password(sm); 759 return 0; 760 } 761 } 762 763 switch (phase2_type) { 764 case EAP_TTLS_PHASE2_EAP: 765 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp); 766 break; 767 case EAP_TTLS_PHASE2_MSCHAPV2: 768 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp); 769 break; 770 case EAP_TTLS_PHASE2_MSCHAP: 771 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp); 772 break; 773 case EAP_TTLS_PHASE2_PAP: 774 res = eap_ttls_phase2_request_pap(sm, data, ret, resp); 775 break; 776 case EAP_TTLS_PHASE2_CHAP: 777 res = eap_ttls_phase2_request_chap(sm, data, ret, resp); 778 break; 779 default: 780 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown"); 781 res = -1; 782 break; 783 } 784 785 if (res < 0) { 786 ret->methodState = METHOD_DONE; 787 ret->decision = DECISION_FAIL; 788 } 789 790 return res; 791} 792 793 794struct ttls_parse_avp { 795 u8 *mschapv2; 796 u8 *eapdata; 797 size_t eap_len; 798 int mschapv2_error; 799}; 800 801 802static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen, 803 struct ttls_parse_avp *parse) 804{ 805 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 806 if (parse->eapdata == NULL) { 807 parse->eapdata = os_malloc(dlen); 808 if (parse->eapdata == NULL) { 809 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 810 "memory for Phase 2 EAP data"); 811 return -1; 812 } 813 os_memcpy(parse->eapdata, dpos, dlen); 814 parse->eap_len = dlen; 815 } else { 816 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen); 817 if (neweap == NULL) { 818 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 819 "memory for Phase 2 EAP data"); 820 return -1; 821 } 822 os_memcpy(neweap + parse->eap_len, dpos, dlen); 823 parse->eapdata = neweap; 824 parse->eap_len += dlen; 825 } 826 827 return 0; 828} 829 830 831static int eap_ttls_parse_avp(u8 *pos, size_t left, 832 struct ttls_parse_avp *parse) 833{ 834 struct ttls_avp *avp; 835 u32 avp_code, avp_length, vendor_id = 0; 836 u8 avp_flags, *dpos; 837 size_t dlen; 838 839 avp = (struct ttls_avp *) pos; 840 avp_code = be_to_host32(avp->avp_code); 841 avp_length = be_to_host32(avp->avp_length); 842 avp_flags = (avp_length >> 24) & 0xff; 843 avp_length &= 0xffffff; 844 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 845 "length=%d", (int) avp_code, avp_flags, 846 (int) avp_length); 847 848 if (avp_length > left) { 849 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 850 "(len=%d, left=%lu) - dropped", 851 (int) avp_length, (unsigned long) left); 852 return -1; 853 } 854 855 if (avp_length < sizeof(*avp)) { 856 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d", 857 avp_length); 858 return -1; 859 } 860 861 dpos = (u8 *) (avp + 1); 862 dlen = avp_length - sizeof(*avp); 863 if (avp_flags & AVP_FLAGS_VENDOR) { 864 if (dlen < 4) { 865 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP " 866 "underflow"); 867 return -1; 868 } 869 vendor_id = WPA_GET_BE32(dpos); 870 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 871 (int) vendor_id); 872 dpos += 4; 873 dlen -= 4; 874 } 875 876 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 877 878 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 879 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0) 880 return -1; 881 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) { 882 /* This is an optional message that can be displayed to 883 * the user. */ 884 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message", 885 dpos, dlen); 886 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 887 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) { 888 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success", 889 dpos, dlen); 890 if (dlen != 43) { 891 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected " 892 "MS-CHAP2-Success length " 893 "(len=%lu, expected 43)", 894 (unsigned long) dlen); 895 return -1; 896 } 897 parse->mschapv2 = dpos; 898 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 899 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) { 900 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error", 901 dpos, dlen); 902 parse->mschapv2_error = 1; 903 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 904 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP " 905 "code %d vendor_id %d - dropped", 906 (int) avp_code, (int) vendor_id); 907 return -1; 908 } else { 909 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP " 910 "code %d vendor_id %d", 911 (int) avp_code, (int) vendor_id); 912 } 913 914 return avp_length; 915} 916 917 918static int eap_ttls_parse_avps(struct wpabuf *in_decrypted, 919 struct ttls_parse_avp *parse) 920{ 921 u8 *pos; 922 size_t left, pad; 923 int avp_length; 924 925 pos = wpabuf_mhead(in_decrypted); 926 left = wpabuf_len(in_decrypted); 927 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left); 928 if (left < sizeof(struct ttls_avp)) { 929 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame" 930 " len=%lu expected %lu or more - dropped", 931 (unsigned long) left, 932 (unsigned long) sizeof(struct ttls_avp)); 933 return -1; 934 } 935 936 /* Parse AVPs */ 937 os_memset(parse, 0, sizeof(*parse)); 938 939 while (left > 0) { 940 avp_length = eap_ttls_parse_avp(pos, left, parse); 941 if (avp_length < 0) 942 return -1; 943 944 pad = (4 - (avp_length & 3)) & 3; 945 pos += avp_length + pad; 946 if (left < avp_length + pad) 947 left = 0; 948 else 949 left -= avp_length + pad; 950 } 951 952 return 0; 953} 954 955 956static u8 * eap_ttls_fake_identity_request(void) 957{ 958 struct eap_hdr *hdr; 959 u8 *buf; 960 961 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of " 962 "Phase 2 - use fake EAP-Request Identity"); 963 buf = os_malloc(sizeof(*hdr) + 1); 964 if (buf == NULL) { 965 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate " 966 "memory for fake EAP-Identity Request"); 967 return NULL; 968 } 969 970 hdr = (struct eap_hdr *) buf; 971 hdr->code = EAP_CODE_REQUEST; 972 hdr->identifier = 0; 973 hdr->length = host_to_be16(sizeof(*hdr) + 1); 974 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY; 975 976 return buf; 977} 978 979 980static int eap_ttls_encrypt_response(struct eap_sm *sm, 981 struct eap_ttls_data *data, 982 struct wpabuf *resp, u8 identifier, 983 struct wpabuf **out_data) 984{ 985 if (resp == NULL) 986 return 0; 987 988 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data", 989 resp); 990 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 991 data->ttls_version, identifier, 992 resp, out_data)) { 993 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 " 994 "frame"); 995 return -1; 996 } 997 wpabuf_free(resp); 998 999 return 0; 1000} 1001 1002 1003static int eap_ttls_process_phase2_eap(struct eap_sm *sm, 1004 struct eap_ttls_data *data, 1005 struct eap_method_ret *ret, 1006 struct ttls_parse_avp *parse, 1007 struct wpabuf **resp) 1008{ 1009 struct eap_hdr *hdr; 1010 size_t len; 1011 1012 if (parse->eapdata == NULL) { 1013 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the " 1014 "packet - dropped"); 1015 return -1; 1016 } 1017 1018 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP", 1019 parse->eapdata, parse->eap_len); 1020 hdr = (struct eap_hdr *) parse->eapdata; 1021 1022 if (parse->eap_len < sizeof(*hdr)) { 1023 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP " 1024 "frame (len=%lu, expected %lu or more) - dropped", 1025 (unsigned long) parse->eap_len, 1026 (unsigned long) sizeof(*hdr)); 1027 return -1; 1028 } 1029 len = be_to_host16(hdr->length); 1030 if (len > parse->eap_len) { 1031 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 " 1032 "EAP frame (EAP hdr len=%lu, EAP data len in " 1033 "AVP=%lu)", 1034 (unsigned long) len, 1035 (unsigned long) parse->eap_len); 1036 return -1; 1037 } 1038 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d " 1039 "identifier=%d length=%lu", 1040 hdr->code, hdr->identifier, (unsigned long) len); 1041 switch (hdr->code) { 1042 case EAP_CODE_REQUEST: 1043 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) { 1044 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1045 "processing failed"); 1046 return -1; 1047 } 1048 break; 1049 default: 1050 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in " 1051 "Phase 2 EAP header", hdr->code); 1052 return -1; 1053 } 1054 1055 return 0; 1056} 1057 1058 1059static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 1060 struct eap_ttls_data *data, 1061 struct eap_method_ret *ret, 1062 struct ttls_parse_avp *parse) 1063{ 1064#ifdef EAP_MSCHAPv2 1065 if (parse->mschapv2_error) { 1066 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received " 1067 "MS-CHAP-Error - failed"); 1068 ret->methodState = METHOD_DONE; 1069 ret->decision = DECISION_FAIL; 1070 /* Reply with empty data to ACK error */ 1071 return 1; 1072 } 1073 1074 if (parse->mschapv2 == NULL) { 1075#ifdef EAP_TNC 1076 if (data->phase2_success && parse->eapdata) { 1077 /* 1078 * Allow EAP-TNC to be started after successfully 1079 * completed MSCHAPV2. 1080 */ 1081 return 1; 1082 } 1083#endif /* EAP_TNC */ 1084 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP " 1085 "received for Phase2 MSCHAPV2"); 1086 return -1; 1087 } 1088 if (parse->mschapv2[0] != data->ident) { 1089 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 " 1090 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)", 1091 parse->mschapv2[0], data->ident); 1092 return -1; 1093 } 1094 if (!data->auth_response_valid || 1095 mschapv2_verify_auth_response(data->auth_response, 1096 parse->mschapv2 + 1, 42)) { 1097 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator " 1098 "response in Phase 2 MSCHAPV2 success request"); 1099 return -1; 1100 } 1101 1102 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 " 1103 "authentication succeeded"); 1104 ret->methodState = METHOD_DONE; 1105 ret->decision = DECISION_UNCOND_SUCC; 1106 data->phase2_success = 1; 1107 1108 /* 1109 * Reply with empty data; authentication server will reply 1110 * with EAP-Success after this. 1111 */ 1112 return 1; 1113#else /* EAP_MSCHAPv2 */ 1114 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 1115 return -1; 1116#endif /* EAP_MSCHAPv2 */ 1117} 1118 1119 1120#ifdef EAP_TNC 1121static int eap_ttls_process_tnc_start(struct eap_sm *sm, 1122 struct eap_ttls_data *data, 1123 struct eap_method_ret *ret, 1124 struct ttls_parse_avp *parse, 1125 struct wpabuf **resp) 1126{ 1127 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */ 1128 if (parse->eapdata == NULL) { 1129 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1130 "unexpected tunneled data (no EAP)"); 1131 return -1; 1132 } 1133 1134 if (!data->ready_for_tnc) { 1135 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1136 "EAP after non-EAP, but not ready for TNC"); 1137 return -1; 1138 } 1139 1140 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 1141 "non-EAP method"); 1142 data->tnc_started = 1; 1143 1144 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0) 1145 return -1; 1146 1147 return 0; 1148} 1149#endif /* EAP_TNC */ 1150 1151 1152static int eap_ttls_process_decrypted(struct eap_sm *sm, 1153 struct eap_ttls_data *data, 1154 struct eap_method_ret *ret, 1155 u8 identifier, 1156 struct ttls_parse_avp *parse, 1157 struct wpabuf *in_decrypted, 1158 struct wpabuf **out_data) 1159{ 1160 struct wpabuf *resp = NULL; 1161 struct eap_peer_config *config = eap_get_config(sm); 1162 int res; 1163 enum phase2_types phase2_type = data->phase2_type; 1164 1165#ifdef EAP_TNC 1166 if (data->tnc_started) 1167 phase2_type = EAP_TTLS_PHASE2_EAP; 1168#endif /* EAP_TNC */ 1169 1170 switch (phase2_type) { 1171 case EAP_TTLS_PHASE2_EAP: 1172 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) < 1173 0) 1174 return -1; 1175 break; 1176 case EAP_TTLS_PHASE2_MSCHAPV2: 1177 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse); 1178#ifdef EAP_TNC 1179 if (res == 1 && parse->eapdata && data->phase2_success) { 1180 /* 1181 * TNC may be required as the next 1182 * authentication method within the tunnel. 1183 */ 1184 ret->methodState = METHOD_MAY_CONT; 1185 data->ready_for_tnc = 1; 1186 if (eap_ttls_process_tnc_start(sm, data, ret, parse, 1187 &resp) == 0) 1188 break; 1189 } 1190#endif /* EAP_TNC */ 1191 return res; 1192 case EAP_TTLS_PHASE2_MSCHAP: 1193 case EAP_TTLS_PHASE2_PAP: 1194 case EAP_TTLS_PHASE2_CHAP: 1195#ifdef EAP_TNC 1196 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) < 1197 0) 1198 return -1; 1199 break; 1200#else /* EAP_TNC */ 1201 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled 1202 * requests to the supplicant */ 1203 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected " 1204 "tunneled data"); 1205 return -1; 1206#endif /* EAP_TNC */ 1207 } 1208 1209 if (resp) { 1210 if (eap_ttls_encrypt_response(sm, data, resp, identifier, 1211 out_data) < 0) 1212 return -1; 1213 } else if (config->pending_req_identity || 1214 config->pending_req_password || 1215 config->pending_req_otp || 1216 config->pending_req_new_password) { 1217 wpabuf_free(data->pending_phase2_req); 1218 data->pending_phase2_req = wpabuf_dup(in_decrypted); 1219 } 1220 1221 return 0; 1222} 1223 1224 1225static int eap_ttls_implicit_identity_request(struct eap_sm *sm, 1226 struct eap_ttls_data *data, 1227 struct eap_method_ret *ret, 1228 u8 identifier, 1229 struct wpabuf **out_data) 1230{ 1231 int retval = 0; 1232 struct eap_hdr *hdr; 1233 struct wpabuf *resp; 1234 1235 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request(); 1236 if (hdr == NULL) { 1237 ret->methodState = METHOD_DONE; 1238 ret->decision = DECISION_FAIL; 1239 return -1; 1240 } 1241 1242 resp = NULL; 1243 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) { 1244 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1245 "processing failed"); 1246 retval = -1; 1247 } else { 1248 struct eap_peer_config *config = eap_get_config(sm); 1249 if (resp == NULL && 1250 (config->pending_req_identity || 1251 config->pending_req_password || 1252 config->pending_req_otp || 1253 config->pending_req_new_password)) { 1254 /* 1255 * Use empty buffer to force implicit request 1256 * processing when EAP request is re-processed after 1257 * user input. 1258 */ 1259 wpabuf_free(data->pending_phase2_req); 1260 data->pending_phase2_req = wpabuf_alloc(0); 1261 } 1262 1263 retval = eap_ttls_encrypt_response(sm, data, resp, identifier, 1264 out_data); 1265 } 1266 1267 os_free(hdr); 1268 1269 if (retval < 0) { 1270 ret->methodState = METHOD_DONE; 1271 ret->decision = DECISION_FAIL; 1272 } 1273 1274 return retval; 1275} 1276 1277 1278static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data, 1279 struct eap_method_ret *ret, u8 identifier, 1280 struct wpabuf **out_data) 1281{ 1282 data->phase2_start = 0; 1283 1284 /* 1285 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only 1286 * if TLS part was indeed resuming a previous session. Most 1287 * Authentication Servers terminate EAP-TTLS before reaching this 1288 * point, but some do not. Make wpa_supplicant stop phase 2 here, if 1289 * needed. 1290 */ 1291 if (data->reauth && 1292 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 1293 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - " 1294 "skip phase 2"); 1295 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS, 1296 data->ttls_version); 1297 ret->methodState = METHOD_DONE; 1298 ret->decision = DECISION_UNCOND_SUCC; 1299 data->phase2_success = 1; 1300 return 0; 1301 } 1302 1303 return eap_ttls_implicit_identity_request(sm, data, ret, identifier, 1304 out_data); 1305} 1306 1307 1308static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, 1309 struct eap_method_ret *ret, u8 identifier, 1310 const struct wpabuf *in_data, 1311 struct wpabuf **out_data) 1312{ 1313 struct wpabuf *in_decrypted = NULL; 1314 int retval = 0; 1315 struct ttls_parse_avp parse; 1316 1317 os_memset(&parse, 0, sizeof(parse)); 1318 1319 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1320 " Phase 2", 1321 in_data ? (unsigned long) wpabuf_len(in_data) : 0); 1322 1323 if (data->pending_phase2_req) { 1324 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " 1325 "skip decryption and use old data"); 1326 /* Clear TLS reassembly state. */ 1327 eap_peer_tls_reset_input(&data->ssl); 1328 1329 in_decrypted = data->pending_phase2_req; 1330 data->pending_phase2_req = NULL; 1331 if (wpabuf_len(in_decrypted) == 0) { 1332 wpabuf_free(in_decrypted); 1333 return eap_ttls_implicit_identity_request( 1334 sm, data, ret, identifier, out_data); 1335 } 1336 goto continue_req; 1337 } 1338 1339 if ((in_data == NULL || wpabuf_len(in_data) == 0) && 1340 data->phase2_start) { 1341 return eap_ttls_phase2_start(sm, data, ret, identifier, 1342 out_data); 1343 } 1344 1345 if (in_data == NULL || wpabuf_len(in_data) == 0) { 1346 /* Received TLS ACK - requesting more fragments */ 1347 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 1348 data->ttls_version, 1349 identifier, NULL, out_data); 1350 } 1351 1352 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 1353 if (retval) 1354 goto done; 1355 1356continue_req: 1357 data->phase2_start = 0; 1358 1359 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) { 1360 retval = -1; 1361 goto done; 1362 } 1363 1364 retval = eap_ttls_process_decrypted(sm, data, ret, identifier, 1365 &parse, in_decrypted, out_data); 1366 1367done: 1368 wpabuf_free(in_decrypted); 1369 os_free(parse.eapdata); 1370 1371 if (retval < 0) { 1372 ret->methodState = METHOD_DONE; 1373 ret->decision = DECISION_FAIL; 1374 } 1375 1376 return retval; 1377} 1378 1379 1380static int eap_ttls_process_handshake(struct eap_sm *sm, 1381 struct eap_ttls_data *data, 1382 struct eap_method_ret *ret, 1383 u8 identifier, 1384 const u8 *in_data, size_t in_len, 1385 struct wpabuf **out_data) 1386{ 1387 int res; 1388 1389 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 1390 data->ttls_version, identifier, 1391 in_data, in_len, out_data); 1392 1393 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1394 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to " 1395 "Phase 2"); 1396 if (data->resuming) { 1397 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may " 1398 "skip Phase 2"); 1399 ret->decision = DECISION_COND_SUCC; 1400 ret->methodState = METHOD_MAY_CONT; 1401 } 1402 data->phase2_start = 1; 1403 eap_ttls_v0_derive_key(sm, data); 1404 1405 if (*out_data == NULL || wpabuf_len(*out_data) == 0) { 1406 if (eap_ttls_decrypt(sm, data, ret, identifier, 1407 NULL, out_data)) { 1408 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1409 "failed to process early " 1410 "start for Phase 2"); 1411 } 1412 res = 0; 1413 } 1414 data->resuming = 0; 1415 } 1416 1417 if (res == 2) { 1418 struct wpabuf msg; 1419 /* 1420 * Application data included in the handshake message. 1421 */ 1422 wpabuf_free(data->pending_phase2_req); 1423 data->pending_phase2_req = *out_data; 1424 *out_data = NULL; 1425 wpabuf_set(&msg, in_data, in_len); 1426 res = eap_ttls_decrypt(sm, data, ret, identifier, &msg, 1427 out_data); 1428 } 1429 1430 return res; 1431} 1432 1433 1434static void eap_ttls_check_auth_status(struct eap_sm *sm, 1435 struct eap_ttls_data *data, 1436 struct eap_method_ret *ret) 1437{ 1438 if (ret->methodState == METHOD_DONE) { 1439 ret->allowNotifications = FALSE; 1440 if (ret->decision == DECISION_UNCOND_SUCC || 1441 ret->decision == DECISION_COND_SUCC) { 1442 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1443 "completed successfully"); 1444 data->phase2_success = 1; 1445#ifdef EAP_TNC 1446 if (!data->ready_for_tnc && !data->tnc_started) { 1447 /* 1448 * TNC may be required as the next 1449 * authentication method within the tunnel. 1450 */ 1451 ret->methodState = METHOD_MAY_CONT; 1452 data->ready_for_tnc = 1; 1453 } 1454#endif /* EAP_TNC */ 1455 } 1456 } else if (ret->methodState == METHOD_MAY_CONT && 1457 (ret->decision == DECISION_UNCOND_SUCC || 1458 ret->decision == DECISION_COND_SUCC)) { 1459 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1460 "completed successfully (MAY_CONT)"); 1461 data->phase2_success = 1; 1462 } 1463} 1464 1465 1466static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv, 1467 struct eap_method_ret *ret, 1468 const struct wpabuf *reqData) 1469{ 1470 size_t left; 1471 int res; 1472 u8 flags, id; 1473 struct wpabuf *resp; 1474 const u8 *pos; 1475 struct eap_ttls_data *data = priv; 1476 1477 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret, 1478 reqData, &left, &flags); 1479 if (pos == NULL) 1480 return NULL; 1481 id = eap_get_id(reqData); 1482 1483 if (flags & EAP_TLS_FLAGS_START) { 1484 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own " 1485 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1486 data->ttls_version); 1487 1488 /* RFC 5281, Ch. 9.2: 1489 * "This packet MAY contain additional information in the form 1490 * of AVPs, which may provide useful hints to the client" 1491 * For now, ignore any potential extra data. 1492 */ 1493 left = 0; 1494 } 1495 1496 resp = NULL; 1497 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1498 !data->resuming) { 1499 struct wpabuf msg; 1500 wpabuf_set(&msg, pos, left); 1501 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp); 1502 } else { 1503 res = eap_ttls_process_handshake(sm, data, ret, id, 1504 pos, left, &resp); 1505 } 1506 1507 eap_ttls_check_auth_status(sm, data, ret); 1508 1509 /* FIX: what about res == -1? Could just move all error processing into 1510 * the other functions and get rid of this res==1 case here. */ 1511 if (res == 1) { 1512 wpabuf_free(resp); 1513 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS, 1514 data->ttls_version); 1515 } 1516 return resp; 1517} 1518 1519 1520static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv) 1521{ 1522 struct eap_ttls_data *data = priv; 1523 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1524 data->phase2_success; 1525} 1526 1527 1528static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) 1529{ 1530 struct eap_ttls_data *data = priv; 1531 wpabuf_free(data->pending_phase2_req); 1532 data->pending_phase2_req = NULL; 1533#ifdef EAP_TNC 1534 data->ready_for_tnc = 0; 1535 data->tnc_started = 0; 1536#endif /* EAP_TNC */ 1537} 1538 1539 1540static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv) 1541{ 1542 struct eap_ttls_data *data = priv; 1543 os_free(data->key_data); 1544 data->key_data = NULL; 1545 os_free(data->session_id); 1546 data->session_id = NULL; 1547 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1548 os_free(data); 1549 return NULL; 1550 } 1551 if (data->phase2_priv && data->phase2_method && 1552 data->phase2_method->init_for_reauth) 1553 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1554 data->phase2_start = 0; 1555 data->phase2_success = 0; 1556 data->resuming = 1; 1557 data->reauth = 1; 1558 return priv; 1559} 1560 1561 1562static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf, 1563 size_t buflen, int verbose) 1564{ 1565 struct eap_ttls_data *data = priv; 1566 int len, ret; 1567 1568 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1569 ret = os_snprintf(buf + len, buflen - len, 1570 "EAP-TTLSv%d Phase2 method=", 1571 data->ttls_version); 1572 if (ret < 0 || (size_t) ret >= buflen - len) 1573 return len; 1574 len += ret; 1575 switch (data->phase2_type) { 1576 case EAP_TTLS_PHASE2_EAP: 1577 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n", 1578 data->phase2_method ? 1579 data->phase2_method->name : "?"); 1580 break; 1581 case EAP_TTLS_PHASE2_MSCHAPV2: 1582 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n"); 1583 break; 1584 case EAP_TTLS_PHASE2_MSCHAP: 1585 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n"); 1586 break; 1587 case EAP_TTLS_PHASE2_PAP: 1588 ret = os_snprintf(buf + len, buflen - len, "PAP\n"); 1589 break; 1590 case EAP_TTLS_PHASE2_CHAP: 1591 ret = os_snprintf(buf + len, buflen - len, "CHAP\n"); 1592 break; 1593 default: 1594 ret = 0; 1595 break; 1596 } 1597 if (ret < 0 || (size_t) ret >= buflen - len) 1598 return len; 1599 len += ret; 1600 1601 return len; 1602} 1603 1604 1605static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv) 1606{ 1607 struct eap_ttls_data *data = priv; 1608 return data->key_data != NULL && data->phase2_success; 1609} 1610 1611 1612static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1613{ 1614 struct eap_ttls_data *data = priv; 1615 u8 *key; 1616 1617 if (data->key_data == NULL || !data->phase2_success) 1618 return NULL; 1619 1620 key = os_malloc(EAP_TLS_KEY_LEN); 1621 if (key == NULL) 1622 return NULL; 1623 1624 *len = EAP_TLS_KEY_LEN; 1625 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1626 1627 return key; 1628} 1629 1630 1631static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1632{ 1633 struct eap_ttls_data *data = priv; 1634 u8 *id; 1635 1636 if (data->session_id == NULL || !data->phase2_success) 1637 return NULL; 1638 1639 id = os_malloc(data->id_len); 1640 if (id == NULL) 1641 return NULL; 1642 1643 *len = data->id_len; 1644 os_memcpy(id, data->session_id, data->id_len); 1645 1646 return id; 1647} 1648 1649 1650int eap_peer_ttls_register(void) 1651{ 1652 struct eap_method *eap; 1653 int ret; 1654 1655 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1656 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1657 if (eap == NULL) 1658 return -1; 1659 1660 eap->init = eap_ttls_init; 1661 eap->deinit = eap_ttls_deinit; 1662 eap->process = eap_ttls_process; 1663 eap->isKeyAvailable = eap_ttls_isKeyAvailable; 1664 eap->getKey = eap_ttls_getKey; 1665 eap->getSessionId = eap_ttls_get_session_id; 1666 eap->get_status = eap_ttls_get_status; 1667 eap->has_reauth_data = eap_ttls_has_reauth_data; 1668 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth; 1669 eap->init_for_reauth = eap_ttls_init_for_reauth; 1670 1671 ret = eap_peer_method_register(eap); 1672 if (ret) 1673 eap_peer_method_free(eap); 1674 return ret; 1675} 1676