1/* 2 * EAP peer method: EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/ms_funcs.h" 13#include "crypto/sha1.h" 14#include "crypto/tls.h" 15#include "eap_common/chap.h" 16#include "eap_common/eap_ttls.h" 17#include "mschapv2.h" 18#include "eap_i.h" 19#include "eap_tls_common.h" 20#include "eap_config.h" 21 22 23#define EAP_TTLS_VERSION 0 24 25 26static void eap_ttls_deinit(struct eap_sm *sm, void *priv); 27 28 29struct eap_ttls_data { 30 struct eap_ssl_data ssl; 31 32 int ttls_version; 33 34 const struct eap_method *phase2_method; 35 void *phase2_priv; 36 int phase2_success; 37 int phase2_start; 38 39 enum phase2_types { 40 EAP_TTLS_PHASE2_EAP, 41 EAP_TTLS_PHASE2_MSCHAPV2, 42 EAP_TTLS_PHASE2_MSCHAP, 43 EAP_TTLS_PHASE2_PAP, 44 EAP_TTLS_PHASE2_CHAP 45 } phase2_type; 46 struct eap_method_type phase2_eap_type; 47 struct eap_method_type *phase2_eap_types; 48 size_t num_phase2_eap_types; 49 50 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN]; 51 int auth_response_valid; 52 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */ 53 u8 ident; 54 int resuming; /* starting a resumed session */ 55 int reauth; /* reauthentication */ 56 u8 *key_data; 57 u8 *session_id; 58 size_t id_len; 59 60 struct wpabuf *pending_phase2_req; 61 62#ifdef EAP_TNC 63 int ready_for_tnc; 64 int tnc_started; 65#endif /* EAP_TNC */ 66}; 67 68 69static void * eap_ttls_init(struct eap_sm *sm) 70{ 71 struct eap_ttls_data *data; 72 struct eap_peer_config *config = eap_get_config(sm); 73 char *selected; 74 75 data = os_zalloc(sizeof(*data)); 76 if (data == NULL) 77 return NULL; 78 data->ttls_version = EAP_TTLS_VERSION; 79 selected = "EAP"; 80 data->phase2_type = EAP_TTLS_PHASE2_EAP; 81 82 if (config && config->phase2) { 83 if (os_strstr(config->phase2, "autheap=")) { 84 selected = "EAP"; 85 data->phase2_type = EAP_TTLS_PHASE2_EAP; 86 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { 87 selected = "MSCHAPV2"; 88 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; 89 } else if (os_strstr(config->phase2, "auth=MSCHAP")) { 90 selected = "MSCHAP"; 91 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; 92 } else if (os_strstr(config->phase2, "auth=PAP")) { 93 selected = "PAP"; 94 data->phase2_type = EAP_TTLS_PHASE2_PAP; 95 } else if (os_strstr(config->phase2, "auth=CHAP")) { 96 selected = "CHAP"; 97 data->phase2_type = EAP_TTLS_PHASE2_CHAP; 98 } 99 } 100 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); 101 102 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) { 103 if (eap_peer_select_phase2_methods(config, "autheap=", 104 &data->phase2_eap_types, 105 &data->num_phase2_eap_types) 106 < 0) { 107 eap_ttls_deinit(sm, data); 108 return NULL; 109 } 110 111 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 112 data->phase2_eap_type.method = EAP_TYPE_NONE; 113 } 114 115 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) { 116 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 117 eap_ttls_deinit(sm, data); 118 return NULL; 119 } 120 121 return data; 122} 123 124 125static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, 126 struct eap_ttls_data *data) 127{ 128 if (data->phase2_priv && data->phase2_method) { 129 data->phase2_method->deinit(sm, data->phase2_priv); 130 data->phase2_method = NULL; 131 data->phase2_priv = NULL; 132 } 133} 134 135 136static void eap_ttls_free_key(struct eap_ttls_data *data) 137{ 138 if (data->key_data) { 139 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN); 140 data->key_data = NULL; 141 } 142} 143 144 145static void eap_ttls_deinit(struct eap_sm *sm, void *priv) 146{ 147 struct eap_ttls_data *data = priv; 148 if (data == NULL) 149 return; 150 eap_ttls_phase2_eap_deinit(sm, data); 151 os_free(data->phase2_eap_types); 152 eap_peer_tls_ssl_deinit(sm, &data->ssl); 153 eap_ttls_free_key(data); 154 os_free(data->session_id); 155 wpabuf_free(data->pending_phase2_req); 156 os_free(data); 157} 158 159 160static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 161 int mandatory, size_t len) 162{ 163 struct ttls_avp_vendor *avp; 164 u8 flags; 165 size_t hdrlen; 166 167 avp = (struct ttls_avp_vendor *) avphdr; 168 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 169 if (vendor_id) { 170 flags |= AVP_FLAGS_VENDOR; 171 hdrlen = sizeof(*avp); 172 avp->vendor_id = host_to_be32(vendor_id); 173 } else { 174 hdrlen = sizeof(struct ttls_avp); 175 } 176 177 avp->avp_code = host_to_be32(avp_code); 178 avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len)); 179 180 return avphdr + hdrlen; 181} 182 183 184static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code, 185 u32 vendor_id, int mandatory, 186 const u8 *data, size_t len) 187{ 188 u8 *pos; 189 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len); 190 os_memcpy(pos, data, len); 191 pos += len; 192 AVP_PAD(start, pos); 193 return pos; 194} 195 196 197static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code, 198 int mandatory) 199{ 200 struct wpabuf *msg; 201 u8 *avp, *pos; 202 203 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4); 204 if (msg == NULL) { 205 wpabuf_free(*resp); 206 *resp = NULL; 207 return -1; 208 } 209 210 avp = wpabuf_mhead(msg); 211 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp)); 212 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp)); 213 pos += wpabuf_len(*resp); 214 AVP_PAD(avp, pos); 215 wpabuf_free(*resp); 216 wpabuf_put(msg, pos - avp); 217 *resp = msg; 218 return 0; 219} 220 221 222static int eap_ttls_v0_derive_key(struct eap_sm *sm, 223 struct eap_ttls_data *data) 224{ 225 eap_ttls_free_key(data); 226 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, 227 "ttls keying material", 228 EAP_TLS_KEY_LEN); 229 if (!data->key_data) { 230 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key"); 231 return -1; 232 } 233 234 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 235 data->key_data, EAP_TLS_KEY_LEN); 236 237 os_free(data->session_id); 238 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl, 239 EAP_TYPE_TTLS, 240 &data->id_len); 241 if (data->session_id) { 242 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id", 243 data->session_id, data->id_len); 244 } else { 245 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id"); 246 } 247 248 return 0; 249} 250 251 252static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 253 struct eap_ttls_data *data, size_t len) 254{ 255 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len); 256} 257 258 259static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data, 260 u8 method) 261{ 262 size_t i; 263 for (i = 0; i < data->num_phase2_eap_types; i++) { 264 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF || 265 data->phase2_eap_types[i].method != method) 266 continue; 267 268 data->phase2_eap_type.vendor = 269 data->phase2_eap_types[i].vendor; 270 data->phase2_eap_type.method = 271 data->phase2_eap_types[i].method; 272 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 273 "Phase 2 EAP vendor %d method %d", 274 data->phase2_eap_type.vendor, 275 data->phase2_eap_type.method); 276 break; 277 } 278} 279 280 281static int eap_ttls_phase2_eap_process(struct eap_sm *sm, 282 struct eap_ttls_data *data, 283 struct eap_method_ret *ret, 284 struct eap_hdr *hdr, size_t len, 285 struct wpabuf **resp) 286{ 287 struct wpabuf msg; 288 struct eap_method_ret iret; 289 290 os_memset(&iret, 0, sizeof(iret)); 291 wpabuf_set(&msg, hdr, len); 292 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret, 293 &msg); 294 if ((iret.methodState == METHOD_DONE || 295 iret.methodState == METHOD_MAY_CONT) && 296 (iret.decision == DECISION_UNCOND_SUCC || 297 iret.decision == DECISION_COND_SUCC || 298 iret.decision == DECISION_FAIL)) { 299 ret->methodState = iret.methodState; 300 ret->decision = iret.decision; 301 } 302 303 return 0; 304} 305 306 307static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm, 308 struct eap_ttls_data *data, 309 struct eap_method_ret *ret, 310 struct eap_hdr *hdr, size_t len, 311 u8 method, struct wpabuf **resp) 312{ 313#ifdef EAP_TNC 314 if (data->tnc_started && data->phase2_method && 315 data->phase2_priv && method == EAP_TYPE_TNC && 316 data->phase2_eap_type.method == EAP_TYPE_TNC) 317 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, 318 resp); 319 320 if (data->ready_for_tnc && !data->tnc_started && 321 method == EAP_TYPE_TNC) { 322 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 323 "EAP method"); 324 data->tnc_started = 1; 325 } 326 327 if (data->tnc_started) { 328 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF || 329 data->phase2_eap_type.method == EAP_TYPE_TNC) { 330 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP " 331 "type %d for TNC", method); 332 return -1; 333 } 334 335 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 336 data->phase2_eap_type.method = method; 337 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 338 "Phase 2 EAP vendor %d method %d (TNC)", 339 data->phase2_eap_type.vendor, 340 data->phase2_eap_type.method); 341 342 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) 343 eap_ttls_phase2_eap_deinit(sm, data); 344 } 345#endif /* EAP_TNC */ 346 347 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF && 348 data->phase2_eap_type.method == EAP_TYPE_NONE) 349 eap_ttls_phase2_select_eap_method(data, method); 350 351 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE) 352 { 353 if (eap_peer_tls_phase2_nak(data->phase2_eap_types, 354 data->num_phase2_eap_types, 355 hdr, resp)) 356 return -1; 357 return 0; 358 } 359 360 if (data->phase2_priv == NULL) { 361 data->phase2_method = eap_peer_get_eap_method( 362 EAP_VENDOR_IETF, method); 363 if (data->phase2_method) { 364 sm->init_phase2 = 1; 365 data->phase2_priv = data->phase2_method->init(sm); 366 sm->init_phase2 = 0; 367 } 368 } 369 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 370 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize " 371 "Phase 2 EAP method %d", method); 372 return -1; 373 } 374 375 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp); 376} 377 378 379static int eap_ttls_phase2_request_eap(struct eap_sm *sm, 380 struct eap_ttls_data *data, 381 struct eap_method_ret *ret, 382 struct eap_hdr *hdr, 383 struct wpabuf **resp) 384{ 385 size_t len = be_to_host16(hdr->length); 386 u8 *pos; 387 struct eap_peer_config *config = eap_get_config(sm); 388 389 if (len <= sizeof(struct eap_hdr)) { 390 wpa_printf(MSG_INFO, "EAP-TTLS: too short " 391 "Phase 2 request (len=%lu)", (unsigned long) len); 392 return -1; 393 } 394 pos = (u8 *) (hdr + 1); 395 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos); 396 switch (*pos) { 397 case EAP_TYPE_IDENTITY: 398 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 399 break; 400 default: 401 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len, 402 *pos, resp) < 0) 403 return -1; 404 break; 405 } 406 407 if (*resp == NULL && 408 (config->pending_req_identity || config->pending_req_password || 409 config->pending_req_otp)) { 410 return 0; 411 } 412 413 if (*resp == NULL) 414 return -1; 415 416 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response", 417 *resp); 418 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1); 419} 420 421 422static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm, 423 struct eap_ttls_data *data, 424 struct eap_method_ret *ret, 425 struct wpabuf **resp) 426{ 427#ifdef EAP_MSCHAPv2 428 struct wpabuf *msg; 429 u8 *buf, *pos, *challenge, *peer_challenge; 430 const u8 *identity, *password; 431 size_t identity_len, password_len; 432 int pwhash; 433 434 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request"); 435 436 identity = eap_get_config_identity(sm, &identity_len); 437 password = eap_get_config_password2(sm, &password_len, &pwhash); 438 if (identity == NULL || password == NULL) 439 return -1; 440 441 msg = wpabuf_alloc(identity_len + 1000); 442 if (msg == NULL) { 443 wpa_printf(MSG_ERROR, 444 "EAP-TTLS/MSCHAPV2: Failed to allocate memory"); 445 return -1; 446 } 447 pos = buf = wpabuf_mhead(msg); 448 449 /* User-Name */ 450 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 451 identity, identity_len); 452 453 /* MS-CHAP-Challenge */ 454 challenge = eap_ttls_implicit_challenge( 455 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 456 if (challenge == NULL) { 457 wpabuf_free(msg); 458 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 459 "implicit challenge"); 460 return -1; 461 } 462 463 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 464 RADIUS_VENDOR_ID_MICROSOFT, 1, 465 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 466 467 /* MS-CHAP2-Response */ 468 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE, 469 RADIUS_VENDOR_ID_MICROSOFT, 1, 470 EAP_TTLS_MSCHAPV2_RESPONSE_LEN); 471 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; 472 *pos++ = data->ident; 473 *pos++ = 0; /* Flags */ 474 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) { 475 os_free(challenge); 476 wpabuf_free(msg); 477 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get " 478 "random data for peer challenge"); 479 return -1; 480 } 481 peer_challenge = pos; 482 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 483 os_memset(pos, 0, 8); /* Reserved, must be zero */ 484 pos += 8; 485 if (mschapv2_derive_response(identity, identity_len, password, 486 password_len, pwhash, challenge, 487 peer_challenge, pos, data->auth_response, 488 data->master_key)) { 489 os_free(challenge); 490 wpabuf_free(msg); 491 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 492 "response"); 493 return -1; 494 } 495 data->auth_response_valid = 1; 496 497 pos += 24; 498 os_free(challenge); 499 AVP_PAD(buf, pos); 500 501 wpabuf_put(msg, pos - buf); 502 *resp = msg; 503 504 return 0; 505#else /* EAP_MSCHAPv2 */ 506 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 507 return -1; 508#endif /* EAP_MSCHAPv2 */ 509} 510 511 512static int eap_ttls_phase2_request_mschap(struct eap_sm *sm, 513 struct eap_ttls_data *data, 514 struct eap_method_ret *ret, 515 struct wpabuf **resp) 516{ 517 struct wpabuf *msg; 518 u8 *buf, *pos, *challenge; 519 const u8 *identity, *password; 520 size_t identity_len, password_len; 521 int pwhash; 522 523 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request"); 524 525 identity = eap_get_config_identity(sm, &identity_len); 526 password = eap_get_config_password2(sm, &password_len, &pwhash); 527 if (identity == NULL || password == NULL) 528 return -1; 529 530 msg = wpabuf_alloc(identity_len + 1000); 531 if (msg == NULL) { 532 wpa_printf(MSG_ERROR, 533 "EAP-TTLS/MSCHAP: Failed to allocate memory"); 534 return -1; 535 } 536 pos = buf = wpabuf_mhead(msg); 537 538 /* User-Name */ 539 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 540 identity, identity_len); 541 542 /* MS-CHAP-Challenge */ 543 challenge = eap_ttls_implicit_challenge( 544 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 545 if (challenge == NULL) { 546 wpabuf_free(msg); 547 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive " 548 "implicit challenge"); 549 return -1; 550 } 551 552 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 553 RADIUS_VENDOR_ID_MICROSOFT, 1, 554 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 555 556 /* MS-CHAP-Response */ 557 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE, 558 RADIUS_VENDOR_ID_MICROSOFT, 1, 559 EAP_TTLS_MSCHAP_RESPONSE_LEN); 560 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN]; 561 *pos++ = data->ident; 562 *pos++ = 1; /* Flags: Use NT style passwords */ 563 os_memset(pos, 0, 24); /* LM-Response */ 564 pos += 24; 565 if (pwhash) { 566 challenge_response(challenge, password, pos); /* NT-Response */ 567 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash", 568 password, 16); 569 } else { 570 nt_challenge_response(challenge, password, password_len, 571 pos); /* NT-Response */ 572 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", 573 password, password_len); 574 } 575 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge", 576 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 577 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24); 578 pos += 24; 579 os_free(challenge); 580 AVP_PAD(buf, pos); 581 582 wpabuf_put(msg, pos - buf); 583 *resp = msg; 584 585 /* EAP-TTLS/MSCHAP does not provide tunneled success 586 * notification, so assume that Phase2 succeeds. */ 587 ret->methodState = METHOD_DONE; 588 ret->decision = DECISION_COND_SUCC; 589 590 return 0; 591} 592 593 594static int eap_ttls_phase2_request_pap(struct eap_sm *sm, 595 struct eap_ttls_data *data, 596 struct eap_method_ret *ret, 597 struct wpabuf **resp) 598{ 599 struct wpabuf *msg; 600 u8 *buf, *pos; 601 size_t pad; 602 const u8 *identity, *password; 603 size_t identity_len, password_len; 604 605 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request"); 606 607 identity = eap_get_config_identity(sm, &identity_len); 608 password = eap_get_config_password(sm, &password_len); 609 if (identity == NULL || password == NULL) 610 return -1; 611 612 msg = wpabuf_alloc(identity_len + password_len + 100); 613 if (msg == NULL) { 614 wpa_printf(MSG_ERROR, 615 "EAP-TTLS/PAP: Failed to allocate memory"); 616 return -1; 617 } 618 pos = buf = wpabuf_mhead(msg); 619 620 /* User-Name */ 621 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 622 identity, identity_len); 623 624 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts 625 * the data, so no separate encryption is used in the AVP itself. 626 * However, the password is padded to obfuscate its length. */ 627 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15; 628 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, 629 password_len + pad); 630 os_memcpy(pos, password, password_len); 631 pos += password_len; 632 os_memset(pos, 0, pad); 633 pos += pad; 634 AVP_PAD(buf, pos); 635 636 wpabuf_put(msg, pos - buf); 637 *resp = msg; 638 639 /* EAP-TTLS/PAP does not provide tunneled success notification, 640 * so assume that Phase2 succeeds. */ 641 ret->methodState = METHOD_DONE; 642 ret->decision = DECISION_COND_SUCC; 643 644 return 0; 645} 646 647 648static int eap_ttls_phase2_request_chap(struct eap_sm *sm, 649 struct eap_ttls_data *data, 650 struct eap_method_ret *ret, 651 struct wpabuf **resp) 652{ 653 struct wpabuf *msg; 654 u8 *buf, *pos, *challenge; 655 const u8 *identity, *password; 656 size_t identity_len, password_len; 657 658 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request"); 659 660 identity = eap_get_config_identity(sm, &identity_len); 661 password = eap_get_config_password(sm, &password_len); 662 if (identity == NULL || password == NULL) 663 return -1; 664 665 msg = wpabuf_alloc(identity_len + 1000); 666 if (msg == NULL) { 667 wpa_printf(MSG_ERROR, 668 "EAP-TTLS/CHAP: Failed to allocate memory"); 669 return -1; 670 } 671 pos = buf = wpabuf_mhead(msg); 672 673 /* User-Name */ 674 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 675 identity, identity_len); 676 677 /* CHAP-Challenge */ 678 challenge = eap_ttls_implicit_challenge( 679 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 680 if (challenge == NULL) { 681 wpabuf_free(msg); 682 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive " 683 "implicit challenge"); 684 return -1; 685 } 686 687 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1, 688 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 689 690 /* CHAP-Password */ 691 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1, 692 1 + EAP_TTLS_CHAP_PASSWORD_LEN); 693 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN]; 694 *pos++ = data->ident; 695 696 /* MD5(Ident + Password + Challenge) */ 697 chap_md5(data->ident, password, password_len, challenge, 698 EAP_TTLS_CHAP_CHALLENGE_LEN, pos); 699 700 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username", 701 identity, identity_len); 702 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password", 703 password, password_len); 704 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge", 705 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 706 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password", 707 pos, EAP_TTLS_CHAP_PASSWORD_LEN); 708 pos += EAP_TTLS_CHAP_PASSWORD_LEN; 709 os_free(challenge); 710 AVP_PAD(buf, pos); 711 712 wpabuf_put(msg, pos - buf); 713 *resp = msg; 714 715 /* EAP-TTLS/CHAP does not provide tunneled success 716 * notification, so assume that Phase2 succeeds. */ 717 ret->methodState = METHOD_DONE; 718 ret->decision = DECISION_COND_SUCC; 719 720 return 0; 721} 722 723 724static int eap_ttls_phase2_request(struct eap_sm *sm, 725 struct eap_ttls_data *data, 726 struct eap_method_ret *ret, 727 struct eap_hdr *hdr, 728 struct wpabuf **resp) 729{ 730 int res = 0; 731 size_t len; 732 enum phase2_types phase2_type = data->phase2_type; 733 734#ifdef EAP_TNC 735 if (data->tnc_started) { 736 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC"); 737 phase2_type = EAP_TTLS_PHASE2_EAP; 738 } 739#endif /* EAP_TNC */ 740 741 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 || 742 phase2_type == EAP_TTLS_PHASE2_MSCHAP || 743 phase2_type == EAP_TTLS_PHASE2_PAP || 744 phase2_type == EAP_TTLS_PHASE2_CHAP) { 745 if (eap_get_config_identity(sm, &len) == NULL) { 746 wpa_printf(MSG_INFO, 747 "EAP-TTLS: Identity not configured"); 748 eap_sm_request_identity(sm); 749 if (eap_get_config_password(sm, &len) == NULL) 750 eap_sm_request_password(sm); 751 return 0; 752 } 753 754 if (eap_get_config_password(sm, &len) == NULL) { 755 wpa_printf(MSG_INFO, 756 "EAP-TTLS: Password not configured"); 757 eap_sm_request_password(sm); 758 return 0; 759 } 760 } 761 762 switch (phase2_type) { 763 case EAP_TTLS_PHASE2_EAP: 764 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp); 765 break; 766 case EAP_TTLS_PHASE2_MSCHAPV2: 767 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp); 768 break; 769 case EAP_TTLS_PHASE2_MSCHAP: 770 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp); 771 break; 772 case EAP_TTLS_PHASE2_PAP: 773 res = eap_ttls_phase2_request_pap(sm, data, ret, resp); 774 break; 775 case EAP_TTLS_PHASE2_CHAP: 776 res = eap_ttls_phase2_request_chap(sm, data, ret, resp); 777 break; 778 default: 779 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown"); 780 res = -1; 781 break; 782 } 783 784 if (res < 0) { 785 ret->methodState = METHOD_DONE; 786 ret->decision = DECISION_FAIL; 787 } 788 789 return res; 790} 791 792 793struct ttls_parse_avp { 794 u8 *mschapv2; 795 u8 *eapdata; 796 size_t eap_len; 797 int mschapv2_error; 798}; 799 800 801static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen, 802 struct ttls_parse_avp *parse) 803{ 804 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 805 if (parse->eapdata == NULL) { 806 parse->eapdata = os_malloc(dlen); 807 if (parse->eapdata == NULL) { 808 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 809 "memory for Phase 2 EAP data"); 810 return -1; 811 } 812 os_memcpy(parse->eapdata, dpos, dlen); 813 parse->eap_len = dlen; 814 } else { 815 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen); 816 if (neweap == NULL) { 817 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 818 "memory for Phase 2 EAP data"); 819 return -1; 820 } 821 os_memcpy(neweap + parse->eap_len, dpos, dlen); 822 parse->eapdata = neweap; 823 parse->eap_len += dlen; 824 } 825 826 return 0; 827} 828 829 830static int eap_ttls_parse_avp(u8 *pos, size_t left, 831 struct ttls_parse_avp *parse) 832{ 833 struct ttls_avp *avp; 834 u32 avp_code, avp_length, vendor_id = 0; 835 u8 avp_flags, *dpos; 836 size_t dlen; 837 838 avp = (struct ttls_avp *) pos; 839 avp_code = be_to_host32(avp->avp_code); 840 avp_length = be_to_host32(avp->avp_length); 841 avp_flags = (avp_length >> 24) & 0xff; 842 avp_length &= 0xffffff; 843 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 844 "length=%d", (int) avp_code, avp_flags, 845 (int) avp_length); 846 847 if (avp_length > left) { 848 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 849 "(len=%d, left=%lu) - dropped", 850 (int) avp_length, (unsigned long) left); 851 return -1; 852 } 853 854 if (avp_length < sizeof(*avp)) { 855 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d", 856 avp_length); 857 return -1; 858 } 859 860 dpos = (u8 *) (avp + 1); 861 dlen = avp_length - sizeof(*avp); 862 if (avp_flags & AVP_FLAGS_VENDOR) { 863 if (dlen < 4) { 864 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP " 865 "underflow"); 866 return -1; 867 } 868 vendor_id = WPA_GET_BE32(dpos); 869 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 870 (int) vendor_id); 871 dpos += 4; 872 dlen -= 4; 873 } 874 875 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 876 877 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 878 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0) 879 return -1; 880 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) { 881 /* This is an optional message that can be displayed to 882 * the user. */ 883 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message", 884 dpos, dlen); 885 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 886 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) { 887 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success", 888 dpos, dlen); 889 if (dlen != 43) { 890 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected " 891 "MS-CHAP2-Success length " 892 "(len=%lu, expected 43)", 893 (unsigned long) dlen); 894 return -1; 895 } 896 parse->mschapv2 = dpos; 897 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 898 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) { 899 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error", 900 dpos, dlen); 901 parse->mschapv2_error = 1; 902 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 903 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP " 904 "code %d vendor_id %d - dropped", 905 (int) avp_code, (int) vendor_id); 906 return -1; 907 } else { 908 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP " 909 "code %d vendor_id %d", 910 (int) avp_code, (int) vendor_id); 911 } 912 913 return avp_length; 914} 915 916 917static int eap_ttls_parse_avps(struct wpabuf *in_decrypted, 918 struct ttls_parse_avp *parse) 919{ 920 u8 *pos; 921 size_t left, pad; 922 int avp_length; 923 924 pos = wpabuf_mhead(in_decrypted); 925 left = wpabuf_len(in_decrypted); 926 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left); 927 if (left < sizeof(struct ttls_avp)) { 928 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame" 929 " len=%lu expected %lu or more - dropped", 930 (unsigned long) left, 931 (unsigned long) sizeof(struct ttls_avp)); 932 return -1; 933 } 934 935 /* Parse AVPs */ 936 os_memset(parse, 0, sizeof(*parse)); 937 938 while (left > 0) { 939 avp_length = eap_ttls_parse_avp(pos, left, parse); 940 if (avp_length < 0) 941 return -1; 942 943 pad = (4 - (avp_length & 3)) & 3; 944 pos += avp_length + pad; 945 if (left < avp_length + pad) 946 left = 0; 947 else 948 left -= avp_length + pad; 949 } 950 951 return 0; 952} 953 954 955static u8 * eap_ttls_fake_identity_request(void) 956{ 957 struct eap_hdr *hdr; 958 u8 *buf; 959 960 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of " 961 "Phase 2 - use fake EAP-Request Identity"); 962 buf = os_malloc(sizeof(*hdr) + 1); 963 if (buf == NULL) { 964 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate " 965 "memory for fake EAP-Identity Request"); 966 return NULL; 967 } 968 969 hdr = (struct eap_hdr *) buf; 970 hdr->code = EAP_CODE_REQUEST; 971 hdr->identifier = 0; 972 hdr->length = host_to_be16(sizeof(*hdr) + 1); 973 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY; 974 975 return buf; 976} 977 978 979static int eap_ttls_encrypt_response(struct eap_sm *sm, 980 struct eap_ttls_data *data, 981 struct wpabuf *resp, u8 identifier, 982 struct wpabuf **out_data) 983{ 984 if (resp == NULL) 985 return 0; 986 987 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data", 988 resp); 989 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 990 data->ttls_version, identifier, 991 resp, out_data)) { 992 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 " 993 "frame"); 994 return -1; 995 } 996 wpabuf_free(resp); 997 998 return 0; 999} 1000 1001 1002static int eap_ttls_process_phase2_eap(struct eap_sm *sm, 1003 struct eap_ttls_data *data, 1004 struct eap_method_ret *ret, 1005 struct ttls_parse_avp *parse, 1006 struct wpabuf **resp) 1007{ 1008 struct eap_hdr *hdr; 1009 size_t len; 1010 1011 if (parse->eapdata == NULL) { 1012 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the " 1013 "packet - dropped"); 1014 return -1; 1015 } 1016 1017 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP", 1018 parse->eapdata, parse->eap_len); 1019 hdr = (struct eap_hdr *) parse->eapdata; 1020 1021 if (parse->eap_len < sizeof(*hdr)) { 1022 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP " 1023 "frame (len=%lu, expected %lu or more) - dropped", 1024 (unsigned long) parse->eap_len, 1025 (unsigned long) sizeof(*hdr)); 1026 return -1; 1027 } 1028 len = be_to_host16(hdr->length); 1029 if (len > parse->eap_len) { 1030 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 " 1031 "EAP frame (EAP hdr len=%lu, EAP data len in " 1032 "AVP=%lu)", 1033 (unsigned long) len, 1034 (unsigned long) parse->eap_len); 1035 return -1; 1036 } 1037 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d " 1038 "identifier=%d length=%lu", 1039 hdr->code, hdr->identifier, (unsigned long) len); 1040 switch (hdr->code) { 1041 case EAP_CODE_REQUEST: 1042 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) { 1043 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1044 "processing failed"); 1045 return -1; 1046 } 1047 break; 1048 default: 1049 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in " 1050 "Phase 2 EAP header", hdr->code); 1051 return -1; 1052 } 1053 1054 return 0; 1055} 1056 1057 1058static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 1059 struct eap_ttls_data *data, 1060 struct eap_method_ret *ret, 1061 struct ttls_parse_avp *parse) 1062{ 1063#ifdef EAP_MSCHAPv2 1064 if (parse->mschapv2_error) { 1065 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received " 1066 "MS-CHAP-Error - failed"); 1067 ret->methodState = METHOD_DONE; 1068 ret->decision = DECISION_FAIL; 1069 /* Reply with empty data to ACK error */ 1070 return 1; 1071 } 1072 1073 if (parse->mschapv2 == NULL) { 1074#ifdef EAP_TNC 1075 if (data->phase2_success && parse->eapdata) { 1076 /* 1077 * Allow EAP-TNC to be started after successfully 1078 * completed MSCHAPV2. 1079 */ 1080 return 1; 1081 } 1082#endif /* EAP_TNC */ 1083 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP " 1084 "received for Phase2 MSCHAPV2"); 1085 return -1; 1086 } 1087 if (parse->mschapv2[0] != data->ident) { 1088 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 " 1089 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)", 1090 parse->mschapv2[0], data->ident); 1091 return -1; 1092 } 1093 if (!data->auth_response_valid || 1094 mschapv2_verify_auth_response(data->auth_response, 1095 parse->mschapv2 + 1, 42)) { 1096 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator " 1097 "response in Phase 2 MSCHAPV2 success request"); 1098 return -1; 1099 } 1100 1101 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 " 1102 "authentication succeeded"); 1103 ret->methodState = METHOD_DONE; 1104 ret->decision = DECISION_UNCOND_SUCC; 1105 data->phase2_success = 1; 1106 1107 /* 1108 * Reply with empty data; authentication server will reply 1109 * with EAP-Success after this. 1110 */ 1111 return 1; 1112#else /* EAP_MSCHAPv2 */ 1113 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build"); 1114 return -1; 1115#endif /* EAP_MSCHAPv2 */ 1116} 1117 1118 1119#ifdef EAP_TNC 1120static int eap_ttls_process_tnc_start(struct eap_sm *sm, 1121 struct eap_ttls_data *data, 1122 struct eap_method_ret *ret, 1123 struct ttls_parse_avp *parse, 1124 struct wpabuf **resp) 1125{ 1126 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */ 1127 if (parse->eapdata == NULL) { 1128 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1129 "unexpected tunneled data (no EAP)"); 1130 return -1; 1131 } 1132 1133 if (!data->ready_for_tnc) { 1134 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1135 "EAP after non-EAP, but not ready for TNC"); 1136 return -1; 1137 } 1138 1139 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 1140 "non-EAP method"); 1141 data->tnc_started = 1; 1142 1143 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0) 1144 return -1; 1145 1146 return 0; 1147} 1148#endif /* EAP_TNC */ 1149 1150 1151static int eap_ttls_process_decrypted(struct eap_sm *sm, 1152 struct eap_ttls_data *data, 1153 struct eap_method_ret *ret, 1154 u8 identifier, 1155 struct ttls_parse_avp *parse, 1156 struct wpabuf *in_decrypted, 1157 struct wpabuf **out_data) 1158{ 1159 struct wpabuf *resp = NULL; 1160 struct eap_peer_config *config = eap_get_config(sm); 1161 int res; 1162 enum phase2_types phase2_type = data->phase2_type; 1163 1164#ifdef EAP_TNC 1165 if (data->tnc_started) 1166 phase2_type = EAP_TTLS_PHASE2_EAP; 1167#endif /* EAP_TNC */ 1168 1169 switch (phase2_type) { 1170 case EAP_TTLS_PHASE2_EAP: 1171 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) < 1172 0) 1173 return -1; 1174 break; 1175 case EAP_TTLS_PHASE2_MSCHAPV2: 1176 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse); 1177#ifdef EAP_TNC 1178 if (res == 1 && parse->eapdata && data->phase2_success) { 1179 /* 1180 * TNC may be required as the next 1181 * authentication method within the tunnel. 1182 */ 1183 ret->methodState = METHOD_MAY_CONT; 1184 data->ready_for_tnc = 1; 1185 if (eap_ttls_process_tnc_start(sm, data, ret, parse, 1186 &resp) == 0) 1187 break; 1188 } 1189#endif /* EAP_TNC */ 1190 return res; 1191 case EAP_TTLS_PHASE2_MSCHAP: 1192 case EAP_TTLS_PHASE2_PAP: 1193 case EAP_TTLS_PHASE2_CHAP: 1194#ifdef EAP_TNC 1195 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) < 1196 0) 1197 return -1; 1198 break; 1199#else /* EAP_TNC */ 1200 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled 1201 * requests to the supplicant */ 1202 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected " 1203 "tunneled data"); 1204 return -1; 1205#endif /* EAP_TNC */ 1206 } 1207 1208 if (resp) { 1209 if (eap_ttls_encrypt_response(sm, data, resp, identifier, 1210 out_data) < 0) 1211 return -1; 1212 } else if (config->pending_req_identity || 1213 config->pending_req_password || 1214 config->pending_req_otp || 1215 config->pending_req_new_password) { 1216 wpabuf_free(data->pending_phase2_req); 1217 data->pending_phase2_req = wpabuf_dup(in_decrypted); 1218 } 1219 1220 return 0; 1221} 1222 1223 1224static int eap_ttls_implicit_identity_request(struct eap_sm *sm, 1225 struct eap_ttls_data *data, 1226 struct eap_method_ret *ret, 1227 u8 identifier, 1228 struct wpabuf **out_data) 1229{ 1230 int retval = 0; 1231 struct eap_hdr *hdr; 1232 struct wpabuf *resp; 1233 1234 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request(); 1235 if (hdr == NULL) { 1236 ret->methodState = METHOD_DONE; 1237 ret->decision = DECISION_FAIL; 1238 return -1; 1239 } 1240 1241 resp = NULL; 1242 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) { 1243 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1244 "processing failed"); 1245 retval = -1; 1246 } else { 1247 struct eap_peer_config *config = eap_get_config(sm); 1248 if (resp == NULL && 1249 (config->pending_req_identity || 1250 config->pending_req_password || 1251 config->pending_req_otp || 1252 config->pending_req_new_password)) { 1253 /* 1254 * Use empty buffer to force implicit request 1255 * processing when EAP request is re-processed after 1256 * user input. 1257 */ 1258 wpabuf_free(data->pending_phase2_req); 1259 data->pending_phase2_req = wpabuf_alloc(0); 1260 } 1261 1262 retval = eap_ttls_encrypt_response(sm, data, resp, identifier, 1263 out_data); 1264 } 1265 1266 os_free(hdr); 1267 1268 if (retval < 0) { 1269 ret->methodState = METHOD_DONE; 1270 ret->decision = DECISION_FAIL; 1271 } 1272 1273 return retval; 1274} 1275 1276 1277static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data, 1278 struct eap_method_ret *ret, u8 identifier, 1279 struct wpabuf **out_data) 1280{ 1281 data->phase2_start = 0; 1282 1283 /* 1284 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only 1285 * if TLS part was indeed resuming a previous session. Most 1286 * Authentication Servers terminate EAP-TTLS before reaching this 1287 * point, but some do not. Make wpa_supplicant stop phase 2 here, if 1288 * needed. 1289 */ 1290 if (data->reauth && 1291 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 1292 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - " 1293 "skip phase 2"); 1294 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS, 1295 data->ttls_version); 1296 ret->methodState = METHOD_DONE; 1297 ret->decision = DECISION_UNCOND_SUCC; 1298 data->phase2_success = 1; 1299 return 0; 1300 } 1301 1302 return eap_ttls_implicit_identity_request(sm, data, ret, identifier, 1303 out_data); 1304} 1305 1306 1307static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, 1308 struct eap_method_ret *ret, u8 identifier, 1309 const struct wpabuf *in_data, 1310 struct wpabuf **out_data) 1311{ 1312 struct wpabuf *in_decrypted = NULL; 1313 int retval = 0; 1314 struct ttls_parse_avp parse; 1315 1316 os_memset(&parse, 0, sizeof(parse)); 1317 1318 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1319 " Phase 2", 1320 in_data ? (unsigned long) wpabuf_len(in_data) : 0); 1321 1322 if (data->pending_phase2_req) { 1323 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " 1324 "skip decryption and use old data"); 1325 /* Clear TLS reassembly state. */ 1326 eap_peer_tls_reset_input(&data->ssl); 1327 1328 in_decrypted = data->pending_phase2_req; 1329 data->pending_phase2_req = NULL; 1330 if (wpabuf_len(in_decrypted) == 0) { 1331 wpabuf_free(in_decrypted); 1332 return eap_ttls_implicit_identity_request( 1333 sm, data, ret, identifier, out_data); 1334 } 1335 goto continue_req; 1336 } 1337 1338 if ((in_data == NULL || wpabuf_len(in_data) == 0) && 1339 data->phase2_start) { 1340 return eap_ttls_phase2_start(sm, data, ret, identifier, 1341 out_data); 1342 } 1343 1344 if (in_data == NULL || wpabuf_len(in_data) == 0) { 1345 /* Received TLS ACK - requesting more fragments */ 1346 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 1347 data->ttls_version, 1348 identifier, NULL, out_data); 1349 } 1350 1351 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 1352 if (retval) 1353 goto done; 1354 1355continue_req: 1356 data->phase2_start = 0; 1357 1358 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) { 1359 retval = -1; 1360 goto done; 1361 } 1362 1363 retval = eap_ttls_process_decrypted(sm, data, ret, identifier, 1364 &parse, in_decrypted, out_data); 1365 1366done: 1367 wpabuf_free(in_decrypted); 1368 os_free(parse.eapdata); 1369 1370 if (retval < 0) { 1371 ret->methodState = METHOD_DONE; 1372 ret->decision = DECISION_FAIL; 1373 } 1374 1375 return retval; 1376} 1377 1378 1379static int eap_ttls_process_handshake(struct eap_sm *sm, 1380 struct eap_ttls_data *data, 1381 struct eap_method_ret *ret, 1382 u8 identifier, 1383 const u8 *in_data, size_t in_len, 1384 struct wpabuf **out_data) 1385{ 1386 int res; 1387 1388 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 1389 data->ttls_version, identifier, 1390 in_data, in_len, out_data); 1391 1392 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1393 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to " 1394 "Phase 2"); 1395 if (data->resuming) { 1396 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may " 1397 "skip Phase 2"); 1398 ret->decision = DECISION_COND_SUCC; 1399 ret->methodState = METHOD_MAY_CONT; 1400 } 1401 data->phase2_start = 1; 1402 eap_ttls_v0_derive_key(sm, data); 1403 1404 if (*out_data == NULL || wpabuf_len(*out_data) == 0) { 1405 if (eap_ttls_decrypt(sm, data, ret, identifier, 1406 NULL, out_data)) { 1407 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1408 "failed to process early " 1409 "start for Phase 2"); 1410 } 1411 res = 0; 1412 } 1413 data->resuming = 0; 1414 } 1415 1416 if (res == 2) { 1417 struct wpabuf msg; 1418 /* 1419 * Application data included in the handshake message. 1420 */ 1421 wpabuf_free(data->pending_phase2_req); 1422 data->pending_phase2_req = *out_data; 1423 *out_data = NULL; 1424 wpabuf_set(&msg, in_data, in_len); 1425 res = eap_ttls_decrypt(sm, data, ret, identifier, &msg, 1426 out_data); 1427 } 1428 1429 return res; 1430} 1431 1432 1433static void eap_ttls_check_auth_status(struct eap_sm *sm, 1434 struct eap_ttls_data *data, 1435 struct eap_method_ret *ret) 1436{ 1437 if (ret->methodState == METHOD_DONE) { 1438 ret->allowNotifications = FALSE; 1439 if (ret->decision == DECISION_UNCOND_SUCC || 1440 ret->decision == DECISION_COND_SUCC) { 1441 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1442 "completed successfully"); 1443 data->phase2_success = 1; 1444#ifdef EAP_TNC 1445 if (!data->ready_for_tnc && !data->tnc_started) { 1446 /* 1447 * TNC may be required as the next 1448 * authentication method within the tunnel. 1449 */ 1450 ret->methodState = METHOD_MAY_CONT; 1451 data->ready_for_tnc = 1; 1452 } 1453#endif /* EAP_TNC */ 1454 } 1455 } else if (ret->methodState == METHOD_MAY_CONT && 1456 (ret->decision == DECISION_UNCOND_SUCC || 1457 ret->decision == DECISION_COND_SUCC)) { 1458 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1459 "completed successfully (MAY_CONT)"); 1460 data->phase2_success = 1; 1461 } 1462} 1463 1464 1465static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv, 1466 struct eap_method_ret *ret, 1467 const struct wpabuf *reqData) 1468{ 1469 size_t left; 1470 int res; 1471 u8 flags, id; 1472 struct wpabuf *resp; 1473 const u8 *pos; 1474 struct eap_ttls_data *data = priv; 1475 1476 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret, 1477 reqData, &left, &flags); 1478 if (pos == NULL) 1479 return NULL; 1480 id = eap_get_id(reqData); 1481 1482 if (flags & EAP_TLS_FLAGS_START) { 1483 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own " 1484 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1485 data->ttls_version); 1486 1487 /* RFC 5281, Ch. 9.2: 1488 * "This packet MAY contain additional information in the form 1489 * of AVPs, which may provide useful hints to the client" 1490 * For now, ignore any potential extra data. 1491 */ 1492 left = 0; 1493 } 1494 1495 resp = NULL; 1496 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1497 !data->resuming) { 1498 struct wpabuf msg; 1499 wpabuf_set(&msg, pos, left); 1500 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp); 1501 } else { 1502 res = eap_ttls_process_handshake(sm, data, ret, id, 1503 pos, left, &resp); 1504 } 1505 1506 eap_ttls_check_auth_status(sm, data, ret); 1507 1508 /* FIX: what about res == -1? Could just move all error processing into 1509 * the other functions and get rid of this res==1 case here. */ 1510 if (res == 1) { 1511 wpabuf_free(resp); 1512 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS, 1513 data->ttls_version); 1514 } 1515 return resp; 1516} 1517 1518 1519static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv) 1520{ 1521 struct eap_ttls_data *data = priv; 1522 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1523 data->phase2_success; 1524} 1525 1526 1527static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) 1528{ 1529 struct eap_ttls_data *data = priv; 1530 wpabuf_free(data->pending_phase2_req); 1531 data->pending_phase2_req = NULL; 1532#ifdef EAP_TNC 1533 data->ready_for_tnc = 0; 1534 data->tnc_started = 0; 1535#endif /* EAP_TNC */ 1536} 1537 1538 1539static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv) 1540{ 1541 struct eap_ttls_data *data = priv; 1542 eap_ttls_free_key(data); 1543 os_free(data->session_id); 1544 data->session_id = NULL; 1545 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1546 os_free(data); 1547 return NULL; 1548 } 1549 if (data->phase2_priv && data->phase2_method && 1550 data->phase2_method->init_for_reauth) 1551 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1552 data->phase2_start = 0; 1553 data->phase2_success = 0; 1554 data->resuming = 1; 1555 data->reauth = 1; 1556 return priv; 1557} 1558 1559 1560static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf, 1561 size_t buflen, int verbose) 1562{ 1563 struct eap_ttls_data *data = priv; 1564 int len, ret; 1565 1566 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1567 ret = os_snprintf(buf + len, buflen - len, 1568 "EAP-TTLSv%d Phase2 method=", 1569 data->ttls_version); 1570 if (ret < 0 || (size_t) ret >= buflen - len) 1571 return len; 1572 len += ret; 1573 switch (data->phase2_type) { 1574 case EAP_TTLS_PHASE2_EAP: 1575 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n", 1576 data->phase2_method ? 1577 data->phase2_method->name : "?"); 1578 break; 1579 case EAP_TTLS_PHASE2_MSCHAPV2: 1580 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n"); 1581 break; 1582 case EAP_TTLS_PHASE2_MSCHAP: 1583 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n"); 1584 break; 1585 case EAP_TTLS_PHASE2_PAP: 1586 ret = os_snprintf(buf + len, buflen - len, "PAP\n"); 1587 break; 1588 case EAP_TTLS_PHASE2_CHAP: 1589 ret = os_snprintf(buf + len, buflen - len, "CHAP\n"); 1590 break; 1591 default: 1592 ret = 0; 1593 break; 1594 } 1595 if (ret < 0 || (size_t) ret >= buflen - len) 1596 return len; 1597 len += ret; 1598 1599 return len; 1600} 1601 1602 1603static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv) 1604{ 1605 struct eap_ttls_data *data = priv; 1606 return data->key_data != NULL && data->phase2_success; 1607} 1608 1609 1610static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1611{ 1612 struct eap_ttls_data *data = priv; 1613 u8 *key; 1614 1615 if (data->key_data == NULL || !data->phase2_success) 1616 return NULL; 1617 1618 key = os_malloc(EAP_TLS_KEY_LEN); 1619 if (key == NULL) 1620 return NULL; 1621 1622 *len = EAP_TLS_KEY_LEN; 1623 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1624 1625 return key; 1626} 1627 1628 1629static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1630{ 1631 struct eap_ttls_data *data = priv; 1632 u8 *id; 1633 1634 if (data->session_id == NULL || !data->phase2_success) 1635 return NULL; 1636 1637 id = os_malloc(data->id_len); 1638 if (id == NULL) 1639 return NULL; 1640 1641 *len = data->id_len; 1642 os_memcpy(id, data->session_id, data->id_len); 1643 1644 return id; 1645} 1646 1647 1648int eap_peer_ttls_register(void) 1649{ 1650 struct eap_method *eap; 1651 int ret; 1652 1653 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1654 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1655 if (eap == NULL) 1656 return -1; 1657 1658 eap->init = eap_ttls_init; 1659 eap->deinit = eap_ttls_deinit; 1660 eap->process = eap_ttls_process; 1661 eap->isKeyAvailable = eap_ttls_isKeyAvailable; 1662 eap->getKey = eap_ttls_getKey; 1663 eap->getSessionId = eap_ttls_get_session_id; 1664 eap->get_status = eap_ttls_get_status; 1665 eap->has_reauth_data = eap_ttls_has_reauth_data; 1666 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth; 1667 eap->init_for_reauth = eap_ttls_init_for_reauth; 1668 1669 ret = eap_peer_method_register(eap); 1670 if (ret) 1671 eap_peer_method_free(eap); 1672 return ret; 1673} 1674