1/* 2 * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/sha1.h" 13#include "crypto/tls.h" 14#include "eap_common/eap_tlv_common.h" 15#include "eap_common/eap_peap_common.h" 16#include "eap_i.h" 17#include "eap_tls_common.h" 18#include "eap_config.h" 19#include "tncc.h" 20 21 22/* Maximum supported PEAP version 23 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 24 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt 25 */ 26#define EAP_PEAP_VERSION 1 27 28 29static void eap_peap_deinit(struct eap_sm *sm, void *priv); 30 31 32struct eap_peap_data { 33 struct eap_ssl_data ssl; 34 35 int peap_version, force_peap_version, force_new_label; 36 37 const struct eap_method *phase2_method; 38 void *phase2_priv; 39 int phase2_success; 40 int phase2_eap_success; 41 int phase2_eap_started; 42 43 struct eap_method_type phase2_type; 44 struct eap_method_type *phase2_types; 45 size_t num_phase2_types; 46 47 int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner 48 * EAP-Success 49 * 1 = reply with tunneled EAP-Success to inner 50 * EAP-Success and expect AS to send outer 51 * (unencrypted) EAP-Success after this 52 * 2 = reply with PEAP/TLS ACK to inner 53 * EAP-Success and expect AS to send outer 54 * (unencrypted) EAP-Success after this */ 55 int resuming; /* starting a resumed session */ 56 int reauth; /* reauthentication */ 57 u8 *key_data; 58 u8 *session_id; 59 size_t id_len; 60 61 struct wpabuf *pending_phase2_req; 62 struct wpabuf *pending_resp; 63 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; 64 int crypto_binding_used; 65 u8 binding_nonce[32]; 66 u8 ipmk[40]; 67 u8 cmk[20]; 68 int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) 69 * is enabled. */ 70}; 71 72 73static void eap_peap_parse_phase1(struct eap_peap_data *data, 74 const char *phase1) 75{ 76 const char *pos; 77 78 pos = os_strstr(phase1, "peapver="); 79 if (pos) { 80 data->force_peap_version = atoi(pos + 8); 81 data->peap_version = data->force_peap_version; 82 wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", 83 data->force_peap_version); 84 } 85 86 if (os_strstr(phase1, "peaplabel=1")) { 87 data->force_new_label = 1; 88 wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " 89 "derivation"); 90 } 91 92 if (os_strstr(phase1, "peap_outer_success=0")) { 93 data->peap_outer_success = 0; 94 wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " 95 "tunneled EAP-Success"); 96 } else if (os_strstr(phase1, "peap_outer_success=1")) { 97 data->peap_outer_success = 1; 98 wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " 99 "after receiving tunneled EAP-Success"); 100 } else if (os_strstr(phase1, "peap_outer_success=2")) { 101 data->peap_outer_success = 2; 102 wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " 103 "receiving tunneled EAP-Success"); 104 } 105 106 if (os_strstr(phase1, "crypto_binding=0")) { 107 data->crypto_binding = NO_BINDING; 108 wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); 109 } else if (os_strstr(phase1, "crypto_binding=1")) { 110 data->crypto_binding = OPTIONAL_BINDING; 111 wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); 112 } else if (os_strstr(phase1, "crypto_binding=2")) { 113 data->crypto_binding = REQUIRE_BINDING; 114 wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); 115 } 116 117#ifdef EAP_TNC 118 if (os_strstr(phase1, "tnc=soh2")) { 119 data->soh = 2; 120 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 121 } else if (os_strstr(phase1, "tnc=soh1")) { 122 data->soh = 1; 123 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); 124 } else if (os_strstr(phase1, "tnc=soh")) { 125 data->soh = 2; 126 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 127 } 128#endif /* EAP_TNC */ 129} 130 131 132static void * eap_peap_init(struct eap_sm *sm) 133{ 134 struct eap_peap_data *data; 135 struct eap_peer_config *config = eap_get_config(sm); 136 137 data = os_zalloc(sizeof(*data)); 138 if (data == NULL) 139 return NULL; 140 sm->peap_done = FALSE; 141 data->peap_version = EAP_PEAP_VERSION; 142 data->force_peap_version = -1; 143 data->peap_outer_success = 2; 144 data->crypto_binding = OPTIONAL_BINDING; 145 146 if (config && config->phase1) 147 eap_peap_parse_phase1(data, config->phase1); 148 149 if (eap_peer_select_phase2_methods(config, "auth=", 150 &data->phase2_types, 151 &data->num_phase2_types) < 0) { 152 eap_peap_deinit(sm, data); 153 return NULL; 154 } 155 156 data->phase2_type.vendor = EAP_VENDOR_IETF; 157 data->phase2_type.method = EAP_TYPE_NONE; 158 159 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { 160 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); 161 eap_peap_deinit(sm, data); 162 return NULL; 163 } 164 165 return data; 166} 167 168 169static void eap_peap_free_key(struct eap_peap_data *data) 170{ 171 if (data->key_data) { 172 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN); 173 data->key_data = NULL; 174 } 175} 176 177 178static void eap_peap_deinit(struct eap_sm *sm, void *priv) 179{ 180 struct eap_peap_data *data = priv; 181 if (data == NULL) 182 return; 183 if (data->phase2_priv && data->phase2_method) 184 data->phase2_method->deinit(sm, data->phase2_priv); 185 os_free(data->phase2_types); 186 eap_peer_tls_ssl_deinit(sm, &data->ssl); 187 eap_peap_free_key(data); 188 os_free(data->session_id); 189 wpabuf_free(data->pending_phase2_req); 190 wpabuf_free(data->pending_resp); 191 os_free(data); 192} 193 194 195/** 196 * eap_tlv_build_nak - Build EAP-TLV NAK message 197 * @id: EAP identifier for the header 198 * @nak_type: TLV type (EAP_TLV_*) 199 * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure 200 * 201 * This function builds an EAP-TLV NAK message. The caller is responsible for 202 * freeing the returned buffer. 203 */ 204static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) 205{ 206 struct wpabuf *msg; 207 208 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, 209 EAP_CODE_RESPONSE, id); 210 if (msg == NULL) 211 return NULL; 212 213 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 214 wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); 215 wpabuf_put_be16(msg, 6); /* Length */ 216 wpabuf_put_be32(msg, 0); /* Vendor-Id */ 217 wpabuf_put_be16(msg, nak_type); /* NAK-Type */ 218 219 return msg; 220} 221 222 223static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, 224 u8 *isk, size_t isk_len) 225{ 226 u8 *key; 227 size_t key_len; 228 229 os_memset(isk, 0, isk_len); 230 if (data->phase2_method == NULL || data->phase2_priv == NULL || 231 data->phase2_method->isKeyAvailable == NULL || 232 data->phase2_method->getKey == NULL) 233 return 0; 234 235 if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || 236 (key = data->phase2_method->getKey(sm, data->phase2_priv, 237 &key_len)) == NULL) { 238 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " 239 "from Phase 2"); 240 return -1; 241 } 242 243 if (key_len > isk_len) 244 key_len = isk_len; 245 os_memcpy(isk, key, key_len); 246 os_free(key); 247 248 return 0; 249} 250 251 252static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) 253{ 254 u8 *tk; 255 u8 isk[32], imck[60]; 256 int resumed; 257 258 /* 259 * Tunnel key (TK) is the first 60 octets of the key generated by 260 * phase 1 of PEAP (based on TLS). 261 */ 262 tk = data->key_data; 263 if (tk == NULL) 264 return -1; 265 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); 266 267 resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn); 268 wpa_printf(MSG_DEBUG, 269 "EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d", 270 data->reauth, resumed, data->phase2_eap_started, 271 data->phase2_success); 272 if (data->reauth && !data->phase2_eap_started && resumed) { 273 /* Fast-connect: IPMK|CMK = TK */ 274 os_memcpy(data->ipmk, tk, 40); 275 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 276 data->ipmk, 40); 277 os_memcpy(data->cmk, tk + 40, 20); 278 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", 279 data->cmk, 20); 280 return 0; 281 } 282 283 if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) 284 return -1; 285 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); 286 287 /* 288 * IPMK Seed = "Inner Methods Compound Keys" | ISK 289 * TempKey = First 40 octets of TK 290 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) 291 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space 292 * in the end of the label just before ISK; is that just a typo?) 293 */ 294 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); 295 if (peap_prfplus(data->peap_version, tk, 40, 296 "Inner Methods Compound Keys", 297 isk, sizeof(isk), imck, sizeof(imck)) < 0) 298 return -1; 299 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", 300 imck, sizeof(imck)); 301 302 os_memcpy(data->ipmk, imck, 40); 303 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); 304 os_memcpy(data->cmk, imck + 40, 20); 305 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); 306 307 return 0; 308} 309 310 311static int eap_tlv_add_cryptobinding(struct eap_sm *sm, 312 struct eap_peap_data *data, 313 struct wpabuf *buf) 314{ 315 u8 *mac; 316 u8 eap_type = EAP_TYPE_PEAP; 317 const u8 *addr[2]; 318 size_t len[2]; 319 u16 tlv_type; 320 321 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 322 addr[0] = wpabuf_put(buf, 0); 323 len[0] = 60; 324 addr[1] = &eap_type; 325 len[1] = 1; 326 327 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; 328 wpabuf_put_be16(buf, tlv_type); 329 wpabuf_put_be16(buf, 56); 330 331 wpabuf_put_u8(buf, 0); /* Reserved */ 332 wpabuf_put_u8(buf, data->peap_version); /* Version */ 333 wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ 334 wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ 335 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ 336 mac = wpabuf_put(buf, 20); /* Compound_MAC */ 337 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); 338 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", 339 addr[0], len[0]); 340 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", 341 addr[1], len[1]); 342 if (hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac) < 0) 343 return -1; 344 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); 345 data->crypto_binding_used = 1; 346 347 return 0; 348} 349 350 351/** 352 * eap_tlv_build_result - Build EAP-TLV Result message 353 * @id: EAP identifier for the header 354 * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) 355 * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure 356 * 357 * This function builds an EAP-TLV Result message. The caller is responsible 358 * for freeing the returned buffer. 359 */ 360static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, 361 struct eap_peap_data *data, 362 int crypto_tlv_used, 363 int id, u16 status) 364{ 365 struct wpabuf *msg; 366 size_t len; 367 368 if (data->crypto_binding == NO_BINDING) 369 crypto_tlv_used = 0; 370 371 len = 6; 372 if (crypto_tlv_used) 373 len += 60; /* Cryptobinding TLV */ 374 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, 375 EAP_CODE_RESPONSE, id); 376 if (msg == NULL) 377 return NULL; 378 379 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 380 wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); 381 wpabuf_put_be16(msg, 2); /* Length */ 382 wpabuf_put_be16(msg, status); /* Status */ 383 384 if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { 385 wpabuf_free(msg); 386 return NULL; 387 } 388 389 return msg; 390} 391 392 393static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, 394 struct eap_peap_data *data, 395 const u8 *crypto_tlv, 396 size_t crypto_tlv_len) 397{ 398 u8 buf[61], mac[SHA1_MAC_LEN]; 399 const u8 *pos; 400 401 if (eap_peap_derive_cmk(sm, data) < 0) { 402 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); 403 return -1; 404 } 405 406 if (crypto_tlv_len != 4 + 56) { 407 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " 408 "length %d", (int) crypto_tlv_len); 409 return -1; 410 } 411 412 pos = crypto_tlv; 413 pos += 4; /* TLV header */ 414 if (pos[1] != data->peap_version) { 415 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " 416 "mismatch (was %d; expected %d)", 417 pos[1], data->peap_version); 418 return -1; 419 } 420 421 if (pos[3] != 0) { 422 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " 423 "SubType %d", pos[3]); 424 return -1; 425 } 426 pos += 4; 427 os_memcpy(data->binding_nonce, pos, 32); 428 pos += 32; /* Nonce */ 429 430 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 431 os_memcpy(buf, crypto_tlv, 60); 432 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ 433 buf[60] = EAP_TYPE_PEAP; 434 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", 435 buf, sizeof(buf)); 436 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); 437 438 if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) { 439 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " 440 "cryptobinding TLV"); 441 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", 442 pos, SHA1_MAC_LEN); 443 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", 444 mac, SHA1_MAC_LEN); 445 return -1; 446 } 447 448 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); 449 450 return 0; 451} 452 453 454/** 455 * eap_tlv_process - Process a received EAP-TLV message and generate a response 456 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 457 * @ret: Return values from EAP request validation and processing 458 * @req: EAP-TLV request to be processed. The caller must have validated that 459 * the buffer is large enough to contain full request (hdr->length bytes) and 460 * that the EAP type is EAP_TYPE_TLV. 461 * @resp: Buffer to return a pointer to the allocated response message. This 462 * field should be initialized to %NULL before the call. The value will be 463 * updated if a response message is generated. The caller is responsible for 464 * freeing the allocated message. 465 * @force_failure: Force negotiation to fail 466 * Returns: 0 on success, -1 on failure 467 */ 468static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, 469 struct eap_method_ret *ret, 470 const struct wpabuf *req, struct wpabuf **resp, 471 int force_failure) 472{ 473 size_t left, tlv_len; 474 const u8 *pos; 475 const u8 *result_tlv = NULL, *crypto_tlv = NULL; 476 size_t result_tlv_len = 0, crypto_tlv_len = 0; 477 int tlv_type, mandatory; 478 479 /* Parse TLVs */ 480 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); 481 if (pos == NULL) 482 return -1; 483 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); 484 while (left >= 4) { 485 mandatory = !!(pos[0] & 0x80); 486 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 487 pos += 2; 488 tlv_len = WPA_GET_BE16(pos); 489 pos += 2; 490 left -= 4; 491 if (tlv_len > left) { 492 wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " 493 "(tlv_len=%lu left=%lu)", 494 (unsigned long) tlv_len, 495 (unsigned long) left); 496 return -1; 497 } 498 switch (tlv_type) { 499 case EAP_TLV_RESULT_TLV: 500 result_tlv = pos; 501 result_tlv_len = tlv_len; 502 break; 503 case EAP_TLV_CRYPTO_BINDING_TLV: 504 crypto_tlv = pos; 505 crypto_tlv_len = tlv_len; 506 break; 507 default: 508 wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " 509 "%d%s", tlv_type, 510 mandatory ? " (mandatory)" : ""); 511 if (mandatory) { 512 /* NAK TLV and ignore all TLVs in this packet. 513 */ 514 *resp = eap_tlv_build_nak(eap_get_id(req), 515 tlv_type); 516 return *resp == NULL ? -1 : 0; 517 } 518 /* Ignore this TLV, but process other TLVs */ 519 break; 520 } 521 522 pos += tlv_len; 523 left -= tlv_len; 524 } 525 if (left) { 526 wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " 527 "Request (left=%lu)", (unsigned long) left); 528 return -1; 529 } 530 531 /* Process supported TLVs */ 532 if (crypto_tlv && data->crypto_binding != NO_BINDING) { 533 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", 534 crypto_tlv, crypto_tlv_len); 535 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, 536 crypto_tlv_len + 4) < 0) { 537 if (result_tlv == NULL) 538 return -1; 539 force_failure = 1; 540 crypto_tlv = NULL; /* do not include Cryptobinding TLV 541 * in response, if the received 542 * cryptobinding was invalid. */ 543 } 544 } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { 545 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); 546 return -1; 547 } 548 549 if (result_tlv) { 550 int status, resp_status; 551 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", 552 result_tlv, result_tlv_len); 553 if (result_tlv_len < 2) { 554 wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " 555 "(len=%lu)", 556 (unsigned long) result_tlv_len); 557 return -1; 558 } 559 status = WPA_GET_BE16(result_tlv); 560 if (status == EAP_TLV_RESULT_SUCCESS) { 561 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " 562 "- EAP-TLV/Phase2 Completed"); 563 if (force_failure) { 564 wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" 565 " - force failed Phase 2"); 566 resp_status = EAP_TLV_RESULT_FAILURE; 567 ret->decision = DECISION_FAIL; 568 } else { 569 resp_status = EAP_TLV_RESULT_SUCCESS; 570 ret->decision = DECISION_UNCOND_SUCC; 571 } 572 } else if (status == EAP_TLV_RESULT_FAILURE) { 573 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); 574 resp_status = EAP_TLV_RESULT_FAILURE; 575 ret->decision = DECISION_FAIL; 576 } else { 577 wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " 578 "Status %d", status); 579 resp_status = EAP_TLV_RESULT_FAILURE; 580 ret->decision = DECISION_FAIL; 581 } 582 ret->methodState = METHOD_DONE; 583 584 *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, 585 eap_get_id(req), resp_status); 586 } 587 588 return 0; 589} 590 591 592static int eap_peap_phase2_request(struct eap_sm *sm, 593 struct eap_peap_data *data, 594 struct eap_method_ret *ret, 595 struct wpabuf *req, 596 struct wpabuf **resp) 597{ 598 struct eap_hdr *hdr = wpabuf_mhead(req); 599 size_t len = be_to_host16(hdr->length); 600 u8 *pos; 601 struct eap_method_ret iret; 602 struct eap_peer_config *config = eap_get_config(sm); 603 604 if (len <= sizeof(struct eap_hdr)) { 605 wpa_printf(MSG_INFO, "EAP-PEAP: too short " 606 "Phase 2 request (len=%lu)", (unsigned long) len); 607 return -1; 608 } 609 pos = (u8 *) (hdr + 1); 610 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); 611 switch (*pos) { 612 case EAP_TYPE_IDENTITY: 613 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 614 break; 615 case EAP_TYPE_TLV: 616 os_memset(&iret, 0, sizeof(iret)); 617 if (eap_tlv_process(sm, data, &iret, req, resp, 618 data->phase2_eap_started && 619 !data->phase2_eap_success)) { 620 ret->methodState = METHOD_DONE; 621 ret->decision = DECISION_FAIL; 622 return -1; 623 } 624 if (iret.methodState == METHOD_DONE || 625 iret.methodState == METHOD_MAY_CONT) { 626 ret->methodState = iret.methodState; 627 ret->decision = iret.decision; 628 data->phase2_success = 1; 629 } 630 break; 631 case EAP_TYPE_EXPANDED: 632#ifdef EAP_TNC 633 if (data->soh) { 634 const u8 *epos; 635 size_t eleft; 636 637 epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, 638 req, &eleft); 639 if (epos) { 640 struct wpabuf *buf; 641 wpa_printf(MSG_DEBUG, 642 "EAP-PEAP: SoH EAP Extensions"); 643 buf = tncc_process_soh_request(data->soh, 644 epos, eleft); 645 if (buf) { 646 *resp = eap_msg_alloc( 647 EAP_VENDOR_MICROSOFT, 0x21, 648 wpabuf_len(buf), 649 EAP_CODE_RESPONSE, 650 hdr->identifier); 651 if (*resp == NULL) { 652 ret->methodState = METHOD_DONE; 653 ret->decision = DECISION_FAIL; 654 wpabuf_free(buf); 655 return -1; 656 } 657 wpabuf_put_buf(*resp, buf); 658 wpabuf_free(buf); 659 break; 660 } 661 } 662 } 663#endif /* EAP_TNC */ 664 /* fall through */ 665 default: 666 if (data->phase2_type.vendor == EAP_VENDOR_IETF && 667 data->phase2_type.method == EAP_TYPE_NONE) { 668 size_t i; 669 for (i = 0; i < data->num_phase2_types; i++) { 670 if (data->phase2_types[i].vendor != 671 EAP_VENDOR_IETF || 672 data->phase2_types[i].method != *pos) 673 continue; 674 675 data->phase2_type.vendor = 676 data->phase2_types[i].vendor; 677 data->phase2_type.method = 678 data->phase2_types[i].method; 679 wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " 680 "Phase 2 EAP vendor %d method %d", 681 data->phase2_type.vendor, 682 data->phase2_type.method); 683 break; 684 } 685 } 686 if (*pos != data->phase2_type.method || 687 *pos == EAP_TYPE_NONE) { 688 if (eap_peer_tls_phase2_nak(data->phase2_types, 689 data->num_phase2_types, 690 hdr, resp)) 691 return -1; 692 return 0; 693 } 694 695 if (data->phase2_priv == NULL) { 696 data->phase2_method = eap_peer_get_eap_method( 697 data->phase2_type.vendor, 698 data->phase2_type.method); 699 if (data->phase2_method) { 700 sm->init_phase2 = 1; 701 data->phase2_priv = 702 data->phase2_method->init(sm); 703 sm->init_phase2 = 0; 704 } 705 } 706 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 707 wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " 708 "Phase 2 EAP method %d", *pos); 709 ret->methodState = METHOD_DONE; 710 ret->decision = DECISION_FAIL; 711 return -1; 712 } 713 data->phase2_eap_started = 1; 714 os_memset(&iret, 0, sizeof(iret)); 715 *resp = data->phase2_method->process(sm, data->phase2_priv, 716 &iret, req); 717 if ((iret.methodState == METHOD_DONE || 718 iret.methodState == METHOD_MAY_CONT) && 719 (iret.decision == DECISION_UNCOND_SUCC || 720 iret.decision == DECISION_COND_SUCC)) { 721 data->phase2_eap_success = 1; 722 data->phase2_success = 1; 723 } 724 break; 725 } 726 727 if (*resp == NULL && 728 (config->pending_req_identity || config->pending_req_password || 729 config->pending_req_otp || config->pending_req_new_password)) { 730 wpabuf_free(data->pending_phase2_req); 731 data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); 732 } 733 734 return 0; 735} 736 737 738static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, 739 struct eap_method_ret *ret, 740 const struct eap_hdr *req, 741 const struct wpabuf *in_data, 742 struct wpabuf **out_data) 743{ 744 struct wpabuf *in_decrypted = NULL; 745 int res, skip_change = 0; 746 struct eap_hdr *hdr, *rhdr; 747 struct wpabuf *resp = NULL; 748 size_t len; 749 750 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" 751 " Phase 2", (unsigned long) wpabuf_len(in_data)); 752 753 if (data->pending_phase2_req) { 754 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " 755 "skip decryption and use old data"); 756 /* Clear TLS reassembly state. */ 757 eap_peer_tls_reset_input(&data->ssl); 758 in_decrypted = data->pending_phase2_req; 759 data->pending_phase2_req = NULL; 760 skip_change = 1; 761 goto continue_req; 762 } 763 764 if (wpabuf_len(in_data) == 0 && sm->workaround && 765 data->phase2_success) { 766 /* 767 * Cisco ACS seems to be using TLS ACK to terminate 768 * EAP-PEAPv0/GTC. Try to reply with TLS ACK. 769 */ 770 wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " 771 "expected data - acknowledge with TLS ACK since " 772 "Phase 2 has been completed"); 773 ret->decision = DECISION_COND_SUCC; 774 ret->methodState = METHOD_DONE; 775 return 1; 776 } else if (wpabuf_len(in_data) == 0) { 777 /* Received TLS ACK - requesting more fragments */ 778 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 779 data->peap_version, 780 req->identifier, NULL, out_data); 781 } 782 783 res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 784 if (res) 785 return res; 786 787continue_req: 788 wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", 789 in_decrypted); 790 791 hdr = wpabuf_mhead(in_decrypted); 792 if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && 793 be_to_host16(hdr->length) == 5 && 794 eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { 795 /* At least FreeRADIUS seems to send full EAP header with 796 * EAP Request Identity */ 797 skip_change = 1; 798 } 799 if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && 800 eap_get_type(in_decrypted) == EAP_TYPE_TLV) { 801 skip_change = 1; 802 } 803 804 if (data->peap_version == 0 && !skip_change) { 805 struct eap_hdr *nhdr; 806 struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + 807 wpabuf_len(in_decrypted)); 808 if (nmsg == NULL) { 809 wpabuf_free(in_decrypted); 810 return 0; 811 } 812 nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); 813 wpabuf_put_buf(nmsg, in_decrypted); 814 nhdr->code = req->code; 815 nhdr->identifier = req->identifier; 816 nhdr->length = host_to_be16(sizeof(struct eap_hdr) + 817 wpabuf_len(in_decrypted)); 818 819 wpabuf_free(in_decrypted); 820 in_decrypted = nmsg; 821 } 822 823 hdr = wpabuf_mhead(in_decrypted); 824 if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { 825 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " 826 "EAP frame (len=%lu)", 827 (unsigned long) wpabuf_len(in_decrypted)); 828 wpabuf_free(in_decrypted); 829 return 0; 830 } 831 len = be_to_host16(hdr->length); 832 if (len > wpabuf_len(in_decrypted)) { 833 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " 834 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 835 (unsigned long) wpabuf_len(in_decrypted), 836 (unsigned long) len); 837 wpabuf_free(in_decrypted); 838 return 0; 839 } 840 if (len < wpabuf_len(in_decrypted)) { 841 wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " 842 "shorter length than full decrypted data " 843 "(%lu < %lu)", 844 (unsigned long) len, 845 (unsigned long) wpabuf_len(in_decrypted)); 846 } 847 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " 848 "identifier=%d length=%lu", hdr->code, hdr->identifier, 849 (unsigned long) len); 850 switch (hdr->code) { 851 case EAP_CODE_REQUEST: 852 if (eap_peap_phase2_request(sm, data, ret, in_decrypted, 853 &resp)) { 854 wpabuf_free(in_decrypted); 855 wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " 856 "processing failed"); 857 return 0; 858 } 859 break; 860 case EAP_CODE_SUCCESS: 861 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); 862 if (data->peap_version == 1) { 863 /* EAP-Success within TLS tunnel is used to indicate 864 * shutdown of the TLS channel. The authentication has 865 * been completed. */ 866 if (data->phase2_eap_started && 867 !data->phase2_eap_success) { 868 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " 869 "Success used to indicate success, " 870 "but Phase 2 EAP was not yet " 871 "completed successfully"); 872 ret->methodState = METHOD_DONE; 873 ret->decision = DECISION_FAIL; 874 wpabuf_free(in_decrypted); 875 return 0; 876 } 877 wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " 878 "EAP-Success within TLS tunnel - " 879 "authentication completed"); 880 ret->decision = DECISION_UNCOND_SUCC; 881 ret->methodState = METHOD_DONE; 882 data->phase2_success = 1; 883 if (data->peap_outer_success == 2) { 884 wpabuf_free(in_decrypted); 885 wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " 886 "to finish authentication"); 887 return 1; 888 } else if (data->peap_outer_success == 1) { 889 /* Reply with EAP-Success within the TLS 890 * channel to complete the authentication. */ 891 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 892 if (resp) { 893 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 894 rhdr->code = EAP_CODE_SUCCESS; 895 rhdr->identifier = hdr->identifier; 896 rhdr->length = 897 host_to_be16(sizeof(*rhdr)); 898 } 899 } else { 900 /* No EAP-Success expected for Phase 1 (outer, 901 * unencrypted auth), so force EAP state 902 * machine to SUCCESS state. */ 903 sm->peap_done = TRUE; 904 } 905 } else { 906 /* FIX: ? */ 907 } 908 break; 909 case EAP_CODE_FAILURE: 910 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); 911 ret->decision = DECISION_FAIL; 912 ret->methodState = METHOD_MAY_CONT; 913 ret->allowNotifications = FALSE; 914 /* Reply with EAP-Failure within the TLS channel to complete 915 * failure reporting. */ 916 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 917 if (resp) { 918 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 919 rhdr->code = EAP_CODE_FAILURE; 920 rhdr->identifier = hdr->identifier; 921 rhdr->length = host_to_be16(sizeof(*rhdr)); 922 } 923 break; 924 default: 925 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " 926 "Phase 2 EAP header", hdr->code); 927 break; 928 } 929 930 wpabuf_free(in_decrypted); 931 932 if (resp) { 933 int skip_change2 = 0; 934 struct wpabuf *rmsg, buf; 935 936 wpa_hexdump_buf_key(MSG_DEBUG, 937 "EAP-PEAP: Encrypting Phase 2 data", resp); 938 /* PEAP version changes */ 939 if (wpabuf_len(resp) >= 5 && 940 wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && 941 eap_get_type(resp) == EAP_TYPE_TLV) 942 skip_change2 = 1; 943 rmsg = resp; 944 if (data->peap_version == 0 && !skip_change2) { 945 wpabuf_set(&buf, wpabuf_head_u8(resp) + 946 sizeof(struct eap_hdr), 947 wpabuf_len(resp) - sizeof(struct eap_hdr)); 948 rmsg = &buf; 949 } 950 951 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 952 data->peap_version, req->identifier, 953 rmsg, out_data)) { 954 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " 955 "a Phase 2 frame"); 956 } 957 wpabuf_free(resp); 958 } 959 960 return 0; 961} 962 963 964static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, 965 struct eap_method_ret *ret, 966 const struct wpabuf *reqData) 967{ 968 const struct eap_hdr *req; 969 size_t left; 970 int res; 971 u8 flags, id; 972 struct wpabuf *resp; 973 const u8 *pos; 974 struct eap_peap_data *data = priv; 975 struct wpabuf msg; 976 977 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, 978 reqData, &left, &flags); 979 if (pos == NULL) 980 return NULL; 981 req = wpabuf_head(reqData); 982 id = req->identifier; 983 984 if (flags & EAP_TLS_FLAGS_START) { 985 wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " 986 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 987 data->peap_version); 988 if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) 989 data->peap_version = flags & EAP_TLS_VERSION_MASK; 990 if (data->force_peap_version >= 0 && 991 data->force_peap_version != data->peap_version) { 992 wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " 993 "forced PEAP version %d", 994 data->force_peap_version); 995 ret->methodState = METHOD_DONE; 996 ret->decision = DECISION_FAIL; 997 ret->allowNotifications = FALSE; 998 return NULL; 999 } 1000 wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", 1001 data->peap_version); 1002 left = 0; /* make sure that this frame is empty, even though it 1003 * should always be, anyway */ 1004 } 1005 1006 wpabuf_set(&msg, pos, left); 1007 1008 resp = NULL; 1009 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1010 !data->resuming) { 1011 res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); 1012 } else { 1013 if (sm->waiting_ext_cert_check && data->pending_resp) { 1014 struct eap_peer_config *config = eap_get_config(sm); 1015 1016 if (config->pending_ext_cert_check == 1017 EXT_CERT_CHECK_GOOD) { 1018 wpa_printf(MSG_DEBUG, 1019 "EAP-PEAP: External certificate check succeeded - continue handshake"); 1020 resp = data->pending_resp; 1021 data->pending_resp = NULL; 1022 sm->waiting_ext_cert_check = 0; 1023 return resp; 1024 } 1025 1026 if (config->pending_ext_cert_check == 1027 EXT_CERT_CHECK_BAD) { 1028 wpa_printf(MSG_DEBUG, 1029 "EAP-PEAP: External certificate check failed - force authentication failure"); 1030 ret->methodState = METHOD_DONE; 1031 ret->decision = DECISION_FAIL; 1032 sm->waiting_ext_cert_check = 0; 1033 return NULL; 1034 } 1035 1036 wpa_printf(MSG_DEBUG, 1037 "EAP-PEAP: Continuing to wait external server certificate validation"); 1038 return NULL; 1039 } 1040 1041 res = eap_peer_tls_process_helper(sm, &data->ssl, 1042 EAP_TYPE_PEAP, 1043 data->peap_version, id, &msg, 1044 &resp); 1045 1046 if (res < 0) { 1047 wpa_printf(MSG_DEBUG, 1048 "EAP-PEAP: TLS processing failed"); 1049 ret->methodState = METHOD_DONE; 1050 ret->decision = DECISION_FAIL; 1051 return resp; 1052 } 1053 1054 1055 if (sm->waiting_ext_cert_check) { 1056 wpa_printf(MSG_DEBUG, 1057 "EAP-PEAP: Waiting external server certificate validation"); 1058 wpabuf_free(data->pending_resp); 1059 data->pending_resp = resp; 1060 return NULL; 1061 } 1062 1063 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1064 char *label; 1065 wpa_printf(MSG_DEBUG, 1066 "EAP-PEAP: TLS done, proceed to Phase 2"); 1067 eap_peap_free_key(data); 1068 /* draft-josefsson-ppext-eap-tls-eap-05.txt 1069 * specifies that PEAPv1 would use "client PEAP 1070 * encryption" as the label. However, most existing 1071 * PEAPv1 implementations seem to be using the old 1072 * label, "client EAP encryption", instead. Use the old 1073 * label by default, but allow it to be configured with 1074 * phase1 parameter peaplabel=1. */ 1075 if (data->force_new_label) 1076 label = "client PEAP encryption"; 1077 else 1078 label = "client EAP encryption"; 1079 wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " 1080 "key derivation", label); 1081 data->key_data = 1082 eap_peer_tls_derive_key(sm, &data->ssl, label, 1083 EAP_TLS_KEY_LEN); 1084 if (data->key_data) { 1085 wpa_hexdump_key(MSG_DEBUG, 1086 "EAP-PEAP: Derived key", 1087 data->key_data, 1088 EAP_TLS_KEY_LEN); 1089 } else { 1090 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " 1091 "derive key"); 1092 } 1093 1094 os_free(data->session_id); 1095 data->session_id = 1096 eap_peer_tls_derive_session_id(sm, &data->ssl, 1097 EAP_TYPE_PEAP, 1098 &data->id_len); 1099 if (data->session_id) { 1100 wpa_hexdump(MSG_DEBUG, 1101 "EAP-PEAP: Derived Session-Id", 1102 data->session_id, data->id_len); 1103 } else { 1104 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to " 1105 "derive Session-Id"); 1106 } 1107 1108 if (sm->workaround && data->resuming) { 1109 /* 1110 * At least few RADIUS servers (Aegis v1.1.6; 1111 * but not v1.1.4; and Cisco ACS) seem to be 1112 * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco 1113 * ACS) session resumption with outer 1114 * EAP-Success. This does not seem to follow 1115 * draft-josefsson-pppext-eap-tls-eap-05.txt 1116 * section 4.2, so only allow this if EAP 1117 * workarounds are enabled. 1118 */ 1119 wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " 1120 "allow outer EAP-Success to " 1121 "terminate PEAP resumption"); 1122 ret->decision = DECISION_COND_SUCC; 1123 data->phase2_success = 1; 1124 } 1125 1126 data->resuming = 0; 1127 } 1128 1129 if (res == 2) { 1130 /* 1131 * Application data included in the handshake message. 1132 */ 1133 wpabuf_free(data->pending_phase2_req); 1134 data->pending_phase2_req = resp; 1135 resp = NULL; 1136 res = eap_peap_decrypt(sm, data, ret, req, &msg, 1137 &resp); 1138 } 1139 } 1140 1141 if (ret->methodState == METHOD_DONE) { 1142 ret->allowNotifications = FALSE; 1143 } 1144 1145 if (res == 1) { 1146 wpabuf_free(resp); 1147 return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, 1148 data->peap_version); 1149 } 1150 1151 return resp; 1152} 1153 1154 1155static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) 1156{ 1157 struct eap_peap_data *data = priv; 1158 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1159 data->phase2_success; 1160} 1161 1162 1163static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) 1164{ 1165 struct eap_peap_data *data = priv; 1166 wpabuf_free(data->pending_phase2_req); 1167 data->pending_phase2_req = NULL; 1168 wpabuf_free(data->pending_resp); 1169 data->pending_resp = NULL; 1170 data->crypto_binding_used = 0; 1171} 1172 1173 1174static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) 1175{ 1176 struct eap_peap_data *data = priv; 1177 eap_peap_free_key(data); 1178 os_free(data->session_id); 1179 data->session_id = NULL; 1180 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1181 os_free(data); 1182 return NULL; 1183 } 1184 if (data->phase2_priv && data->phase2_method && 1185 data->phase2_method->init_for_reauth) 1186 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1187 data->phase2_success = 0; 1188 data->phase2_eap_success = 0; 1189 data->phase2_eap_started = 0; 1190 data->resuming = 1; 1191 data->reauth = 1; 1192 sm->peap_done = FALSE; 1193 return priv; 1194} 1195 1196 1197static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, 1198 size_t buflen, int verbose) 1199{ 1200 struct eap_peap_data *data = priv; 1201 int len, ret; 1202 1203 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1204 if (data->phase2_method) { 1205 ret = os_snprintf(buf + len, buflen - len, 1206 "EAP-PEAPv%d Phase2 method=%s\n", 1207 data->peap_version, 1208 data->phase2_method->name); 1209 if (os_snprintf_error(buflen - len, ret)) 1210 return len; 1211 len += ret; 1212 } 1213 return len; 1214} 1215 1216 1217static Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) 1218{ 1219 struct eap_peap_data *data = priv; 1220 return data->key_data != NULL && data->phase2_success; 1221} 1222 1223 1224static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1225{ 1226 struct eap_peap_data *data = priv; 1227 u8 *key; 1228 1229 if (data->key_data == NULL || !data->phase2_success) 1230 return NULL; 1231 1232 key = os_malloc(EAP_TLS_KEY_LEN); 1233 if (key == NULL) 1234 return NULL; 1235 1236 *len = EAP_TLS_KEY_LEN; 1237 1238 if (data->crypto_binding_used) { 1239 u8 csk[128]; 1240 /* 1241 * Note: It looks like Microsoft implementation requires null 1242 * termination for this label while the one used for deriving 1243 * IPMK|CMK did not use null termination. 1244 */ 1245 if (peap_prfplus(data->peap_version, data->ipmk, 40, 1246 "Session Key Generating Function", 1247 (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { 1248 os_free(key); 1249 return NULL; 1250 } 1251 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); 1252 os_memcpy(key, csk, EAP_TLS_KEY_LEN); 1253 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", 1254 key, EAP_TLS_KEY_LEN); 1255 } else 1256 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1257 1258 return key; 1259} 1260 1261 1262static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1263{ 1264 struct eap_peap_data *data = priv; 1265 u8 *id; 1266 1267 if (data->session_id == NULL || !data->phase2_success) 1268 return NULL; 1269 1270 id = os_malloc(data->id_len); 1271 if (id == NULL) 1272 return NULL; 1273 1274 *len = data->id_len; 1275 os_memcpy(id, data->session_id, data->id_len); 1276 1277 return id; 1278} 1279 1280 1281int eap_peer_peap_register(void) 1282{ 1283 struct eap_method *eap; 1284 1285 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1286 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); 1287 if (eap == NULL) 1288 return -1; 1289 1290 eap->init = eap_peap_init; 1291 eap->deinit = eap_peap_deinit; 1292 eap->process = eap_peap_process; 1293 eap->isKeyAvailable = eap_peap_isKeyAvailable; 1294 eap->getKey = eap_peap_getKey; 1295 eap->get_status = eap_peap_get_status; 1296 eap->has_reauth_data = eap_peap_has_reauth_data; 1297 eap->deinit_for_reauth = eap_peap_deinit_for_reauth; 1298 eap->init_for_reauth = eap_peap_init_for_reauth; 1299 eap->getSessionId = eap_peap_get_session_id; 1300 1301 return eap_peer_method_register(eap); 1302} 1303