1 /* 2 * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/sha1.h" 19 #include "crypto/tls.h" 20 #include "eap_common/eap_tlv_common.h" 21 #include "eap_common/eap_peap_common.h" 22 #include "eap_i.h" 23 #include "eap_tls_common.h" 24 #include "eap_config.h" 25 #include "tncc.h" 26 27 28 /* Maximum supported PEAP version 29 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 30 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt 31 * 2 = draft-josefsson-ppext-eap-tls-eap-10.txt 32 */ 33 #define EAP_PEAP_VERSION 1 34 35 36 static void eap_peap_deinit(struct eap_sm *sm, void *priv); 37 38 39 struct eap_peap_data { 40 struct eap_ssl_data ssl; 41 42 int peap_version, force_peap_version, force_new_label; 43 44 const struct eap_method *phase2_method; 45 void *phase2_priv; 46 int phase2_success; 47 int phase2_eap_success; 48 int phase2_eap_started; 49 50 struct eap_method_type phase2_type; 51 struct eap_method_type *phase2_types; 52 size_t num_phase2_types; 53 54 int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner 55 * EAP-Success 56 * 1 = reply with tunneled EAP-Success to inner 57 * EAP-Success and expect AS to send outer 58 * (unencrypted) EAP-Success after this 59 * 2 = reply with PEAP/TLS ACK to inner 60 * EAP-Success and expect AS to send outer 61 * (unencrypted) EAP-Success after this */ 62 int resuming; /* starting a resumed session */ 63 int reauth; /* reauthentication */ 64 u8 *key_data; 65 66 struct wpabuf *pending_phase2_req; 67 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; 68 int crypto_binding_used; 69 u8 binding_nonce[32]; 70 u8 ipmk[40]; 71 u8 cmk[20]; 72 int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) 73 * is enabled. */ 74 }; 75 76 77 static int eap_peap_parse_phase1(struct eap_peap_data *data, 78 const char *phase1) 79 { 80 const char *pos; 81 82 pos = os_strstr(phase1, "peapver="); 83 if (pos) { 84 data->force_peap_version = atoi(pos + 8); 85 data->peap_version = data->force_peap_version; 86 wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", 87 data->force_peap_version); 88 } 89 90 if (os_strstr(phase1, "peaplabel=1")) { 91 data->force_new_label = 1; 92 wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " 93 "derivation"); 94 } 95 96 if (os_strstr(phase1, "peap_outer_success=0")) { 97 data->peap_outer_success = 0; 98 wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " 99 "tunneled EAP-Success"); 100 } else if (os_strstr(phase1, "peap_outer_success=1")) { 101 data->peap_outer_success = 1; 102 wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " 103 "after receiving tunneled EAP-Success"); 104 } else if (os_strstr(phase1, "peap_outer_success=2")) { 105 data->peap_outer_success = 2; 106 wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " 107 "receiving tunneled EAP-Success"); 108 } 109 110 if (os_strstr(phase1, "crypto_binding=0")) { 111 data->crypto_binding = NO_BINDING; 112 wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); 113 } else if (os_strstr(phase1, "crypto_binding=1")) { 114 data->crypto_binding = OPTIONAL_BINDING; 115 wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); 116 } else if (os_strstr(phase1, "crypto_binding=2")) { 117 data->crypto_binding = REQUIRE_BINDING; 118 wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); 119 } 120 121 #ifdef EAP_TNC 122 if (os_strstr(phase1, "tnc=soh2")) { 123 data->soh = 2; 124 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 125 } else if (os_strstr(phase1, "tnc=soh1")) { 126 data->soh = 1; 127 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); 128 } else if (os_strstr(phase1, "tnc=soh")) { 129 data->soh = 2; 130 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 131 } 132 #endif /* EAP_TNC */ 133 134 return 0; 135 } 136 137 138 static void * eap_peap_init(struct eap_sm *sm) 139 { 140 struct eap_peap_data *data; 141 struct eap_peer_config *config = eap_get_config(sm); 142 143 data = os_zalloc(sizeof(*data)); 144 if (data == NULL) 145 return NULL; 146 sm->peap_done = FALSE; 147 data->peap_version = EAP_PEAP_VERSION; 148 data->force_peap_version = -1; 149 data->peap_outer_success = 2; 150 data->crypto_binding = OPTIONAL_BINDING; 151 152 if (config && config->phase1 && 153 eap_peap_parse_phase1(data, config->phase1) < 0) { 154 eap_peap_deinit(sm, data); 155 return NULL; 156 } 157 158 if (eap_peer_select_phase2_methods(config, "auth=", 159 &data->phase2_types, 160 &data->num_phase2_types) < 0) { 161 eap_peap_deinit(sm, data); 162 return NULL; 163 } 164 165 data->phase2_type.vendor = EAP_VENDOR_IETF; 166 data->phase2_type.method = EAP_TYPE_NONE; 167 168 if (eap_peer_tls_ssl_init(sm, &data->ssl, config)) { 169 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); 170 eap_peap_deinit(sm, data); 171 return NULL; 172 } 173 174 return data; 175 } 176 177 178 static void eap_peap_deinit(struct eap_sm *sm, void *priv) 179 { 180 struct eap_peap_data *data = priv; 181 if (data == NULL) 182 return; 183 if (data->phase2_priv && data->phase2_method) 184 data->phase2_method->deinit(sm, data->phase2_priv); 185 os_free(data->phase2_types); 186 eap_peer_tls_ssl_deinit(sm, &data->ssl); 187 os_free(data->key_data); 188 wpabuf_free(data->pending_phase2_req); 189 os_free(data); 190 } 191 192 193 /** 194 * eap_tlv_build_nak - Build EAP-TLV NAK message 195 * @id: EAP identifier for the header 196 * @nak_type: TLV type (EAP_TLV_*) 197 * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure 198 * 199 * This function builds an EAP-TLV NAK message. The caller is responsible for 200 * freeing the returned buffer. 201 */ 202 static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) 203 { 204 struct wpabuf *msg; 205 206 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, 207 EAP_CODE_RESPONSE, id); 208 if (msg == NULL) 209 return NULL; 210 211 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 212 wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); 213 wpabuf_put_be16(msg, 6); /* Length */ 214 wpabuf_put_be32(msg, 0); /* Vendor-Id */ 215 wpabuf_put_be16(msg, nak_type); /* NAK-Type */ 216 217 return msg; 218 } 219 220 221 static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, 222 u8 *isk, size_t isk_len) 223 { 224 u8 *key; 225 size_t key_len; 226 227 os_memset(isk, 0, isk_len); 228 if (data->phase2_method == NULL || data->phase2_priv == NULL || 229 data->phase2_method->isKeyAvailable == NULL || 230 data->phase2_method->getKey == NULL) 231 return 0; 232 233 if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || 234 (key = data->phase2_method->getKey(sm, data->phase2_priv, 235 &key_len)) == NULL) { 236 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " 237 "from Phase 2"); 238 return -1; 239 } 240 241 if (key_len > isk_len) 242 key_len = isk_len; 243 os_memcpy(isk, key, key_len); 244 os_free(key); 245 246 return 0; 247 } 248 249 250 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) 251 { 252 u8 *tk; 253 u8 isk[32], imck[60]; 254 255 /* 256 * Tunnel key (TK) is the first 60 octets of the key generated by 257 * phase 1 of PEAP (based on TLS). 258 */ 259 tk = data->key_data; 260 if (tk == NULL) 261 return -1; 262 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); 263 264 if (data->reauth && 265 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 266 /* Fast-connect: IPMK|CMK = TK */ 267 os_memcpy(data->ipmk, tk, 40); 268 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 269 data->ipmk, 40); 270 os_memcpy(data->cmk, tk + 40, 20); 271 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", 272 data->cmk, 20); 273 return 0; 274 } 275 276 if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) 277 return -1; 278 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); 279 280 /* 281 * IPMK Seed = "Inner Methods Compound Keys" | ISK 282 * TempKey = First 40 octets of TK 283 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) 284 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space 285 * in the end of the label just before ISK; is that just a typo?) 286 */ 287 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); 288 if (peap_prfplus(data->peap_version, tk, 40, 289 "Inner Methods Compound Keys", 290 isk, sizeof(isk), imck, sizeof(imck)) < 0) 291 return -1; 292 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", 293 imck, sizeof(imck)); 294 295 os_memcpy(data->ipmk, imck, 40); 296 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); 297 os_memcpy(data->cmk, imck + 40, 20); 298 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); 299 300 return 0; 301 } 302 303 304 static int eap_tlv_add_cryptobinding(struct eap_sm *sm, 305 struct eap_peap_data *data, 306 struct wpabuf *buf) 307 { 308 u8 *mac; 309 u8 eap_type = EAP_TYPE_PEAP; 310 const u8 *addr[2]; 311 size_t len[2]; 312 u16 tlv_type; 313 314 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 315 addr[0] = wpabuf_put(buf, 0); 316 len[0] = 60; 317 addr[1] = &eap_type; 318 len[1] = 1; 319 320 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; 321 if (data->peap_version >= 2) 322 tlv_type |= EAP_TLV_TYPE_MANDATORY; 323 wpabuf_put_be16(buf, tlv_type); 324 wpabuf_put_be16(buf, 56); 325 326 wpabuf_put_u8(buf, 0); /* Reserved */ 327 wpabuf_put_u8(buf, data->peap_version); /* Version */ 328 wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ 329 wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ 330 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ 331 mac = wpabuf_put(buf, 20); /* Compound_MAC */ 332 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); 333 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", 334 addr[0], len[0]); 335 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", 336 addr[1], len[1]); 337 hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac); 338 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); 339 data->crypto_binding_used = 1; 340 341 return 0; 342 } 343 344 345 /** 346 * eap_tlv_build_result - Build EAP-TLV Result message 347 * @id: EAP identifier for the header 348 * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) 349 * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure 350 * 351 * This function builds an EAP-TLV Result message. The caller is responsible 352 * for freeing the returned buffer. 353 */ 354 static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, 355 struct eap_peap_data *data, 356 int crypto_tlv_used, 357 int id, u16 status) 358 { 359 struct wpabuf *msg; 360 size_t len; 361 362 if (data->crypto_binding == NO_BINDING) 363 crypto_tlv_used = 0; 364 365 len = 6; 366 if (crypto_tlv_used) 367 len += 60; /* Cryptobinding TLV */ 368 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, 369 EAP_CODE_RESPONSE, id); 370 if (msg == NULL) 371 return NULL; 372 373 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 374 wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); 375 wpabuf_put_be16(msg, 2); /* Length */ 376 wpabuf_put_be16(msg, status); /* Status */ 377 378 if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { 379 wpabuf_free(msg); 380 return NULL; 381 } 382 383 return msg; 384 } 385 386 387 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, 388 struct eap_peap_data *data, 389 const u8 *crypto_tlv, 390 size_t crypto_tlv_len) 391 { 392 u8 buf[61], mac[SHA1_MAC_LEN]; 393 const u8 *pos; 394 395 if (eap_peap_derive_cmk(sm, data) < 0) { 396 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); 397 return -1; 398 } 399 400 if (crypto_tlv_len != 4 + 56) { 401 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " 402 "length %d", (int) crypto_tlv_len); 403 return -1; 404 } 405 406 pos = crypto_tlv; 407 pos += 4; /* TLV header */ 408 if (pos[1] != data->peap_version) { 409 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " 410 "mismatch (was %d; expected %d)", 411 pos[1], data->peap_version); 412 return -1; 413 } 414 415 if (pos[3] != 0) { 416 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " 417 "SubType %d", pos[3]); 418 return -1; 419 } 420 pos += 4; 421 os_memcpy(data->binding_nonce, pos, 32); 422 pos += 32; /* Nonce */ 423 424 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 425 os_memcpy(buf, crypto_tlv, 60); 426 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ 427 buf[60] = EAP_TYPE_PEAP; 428 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", 429 buf, sizeof(buf)); 430 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); 431 432 if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) { 433 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " 434 "cryptobinding TLV"); 435 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", 436 pos, SHA1_MAC_LEN); 437 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", 438 mac, SHA1_MAC_LEN); 439 return -1; 440 } 441 442 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); 443 444 return 0; 445 } 446 447 448 /** 449 * eap_tlv_process - Process a received EAP-TLV message and generate a response 450 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 451 * @ret: Return values from EAP request validation and processing 452 * @req: EAP-TLV request to be processed. The caller must have validated that 453 * the buffer is large enough to contain full request (hdr->length bytes) and 454 * that the EAP type is EAP_TYPE_TLV. 455 * @resp: Buffer to return a pointer to the allocated response message. This 456 * field should be initialized to %NULL before the call. The value will be 457 * updated if a response message is generated. The caller is responsible for 458 * freeing the allocated message. 459 * @force_failure: Force negotiation to fail 460 * Returns: 0 on success, -1 on failure 461 */ 462 static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, 463 struct eap_method_ret *ret, 464 const struct wpabuf *req, struct wpabuf **resp, 465 int force_failure) 466 { 467 size_t left, tlv_len; 468 const u8 *pos; 469 const u8 *result_tlv = NULL, *crypto_tlv = NULL; 470 size_t result_tlv_len = 0, crypto_tlv_len = 0; 471 int tlv_type, mandatory; 472 473 /* Parse TLVs */ 474 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); 475 if (pos == NULL) 476 return -1; 477 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); 478 while (left >= 4) { 479 mandatory = !!(pos[0] & 0x80); 480 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 481 pos += 2; 482 tlv_len = WPA_GET_BE16(pos); 483 pos += 2; 484 left -= 4; 485 if (tlv_len > left) { 486 wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " 487 "(tlv_len=%lu left=%lu)", 488 (unsigned long) tlv_len, 489 (unsigned long) left); 490 return -1; 491 } 492 switch (tlv_type) { 493 case EAP_TLV_RESULT_TLV: 494 result_tlv = pos; 495 result_tlv_len = tlv_len; 496 break; 497 case EAP_TLV_CRYPTO_BINDING_TLV: 498 crypto_tlv = pos; 499 crypto_tlv_len = tlv_len; 500 break; 501 default: 502 wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " 503 "%d%s", tlv_type, 504 mandatory ? " (mandatory)" : ""); 505 if (mandatory) { 506 /* NAK TLV and ignore all TLVs in this packet. 507 */ 508 *resp = eap_tlv_build_nak(eap_get_id(req), 509 tlv_type); 510 return *resp == NULL ? -1 : 0; 511 } 512 /* Ignore this TLV, but process other TLVs */ 513 break; 514 } 515 516 pos += tlv_len; 517 left -= tlv_len; 518 } 519 if (left) { 520 wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " 521 "Request (left=%lu)", (unsigned long) left); 522 return -1; 523 } 524 525 /* Process supported TLVs */ 526 if (crypto_tlv && data->crypto_binding != NO_BINDING) { 527 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", 528 crypto_tlv, crypto_tlv_len); 529 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, 530 crypto_tlv_len + 4) < 0) { 531 if (result_tlv == NULL) 532 return -1; 533 force_failure = 1; 534 crypto_tlv = NULL; /* do not include Cryptobinding TLV 535 * in response, if the received 536 * cryptobinding was invalid. */ 537 } 538 } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { 539 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); 540 return -1; 541 } 542 543 if (result_tlv) { 544 int status, resp_status; 545 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", 546 result_tlv, result_tlv_len); 547 if (result_tlv_len < 2) { 548 wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " 549 "(len=%lu)", 550 (unsigned long) result_tlv_len); 551 return -1; 552 } 553 status = WPA_GET_BE16(result_tlv); 554 if (status == EAP_TLV_RESULT_SUCCESS) { 555 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " 556 "- EAP-TLV/Phase2 Completed"); 557 if (force_failure) { 558 wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" 559 " - force failed Phase 2"); 560 resp_status = EAP_TLV_RESULT_FAILURE; 561 ret->decision = DECISION_FAIL; 562 } else { 563 resp_status = EAP_TLV_RESULT_SUCCESS; 564 ret->decision = DECISION_UNCOND_SUCC; 565 } 566 } else if (status == EAP_TLV_RESULT_FAILURE) { 567 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); 568 resp_status = EAP_TLV_RESULT_FAILURE; 569 ret->decision = DECISION_FAIL; 570 } else { 571 wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " 572 "Status %d", status); 573 resp_status = EAP_TLV_RESULT_FAILURE; 574 ret->decision = DECISION_FAIL; 575 } 576 ret->methodState = METHOD_DONE; 577 578 *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, 579 eap_get_id(req), resp_status); 580 } 581 582 return 0; 583 } 584 585 586 static struct wpabuf * eap_peapv2_tlv_eap_payload(struct wpabuf *buf) 587 { 588 struct wpabuf *e; 589 struct eap_tlv_hdr *tlv; 590 591 if (buf == NULL) 592 return NULL; 593 594 /* Encapsulate EAP packet in EAP-Payload TLV */ 595 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Add EAP-Payload TLV"); 596 e = wpabuf_alloc(sizeof(*tlv) + wpabuf_len(buf)); 597 if (e == NULL) { 598 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Failed to allocate memory " 599 "for TLV encapsulation"); 600 wpabuf_free(buf); 601 return NULL; 602 } 603 tlv = wpabuf_put(e, sizeof(*tlv)); 604 tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 605 EAP_TLV_EAP_PAYLOAD_TLV); 606 tlv->length = host_to_be16(wpabuf_len(buf)); 607 wpabuf_put_buf(e, buf); 608 wpabuf_free(buf); 609 return e; 610 } 611 612 613 static int eap_peap_phase2_request(struct eap_sm *sm, 614 struct eap_peap_data *data, 615 struct eap_method_ret *ret, 616 struct wpabuf *req, 617 struct wpabuf **resp) 618 { 619 struct eap_hdr *hdr = wpabuf_mhead(req); 620 size_t len = be_to_host16(hdr->length); 621 u8 *pos; 622 struct eap_method_ret iret; 623 struct eap_peer_config *config = eap_get_config(sm); 624 625 if (len <= sizeof(struct eap_hdr)) { 626 wpa_printf(MSG_INFO, "EAP-PEAP: too short " 627 "Phase 2 request (len=%lu)", (unsigned long) len); 628 return -1; 629 } 630 pos = (u8 *) (hdr + 1); 631 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); 632 switch (*pos) { 633 case EAP_TYPE_IDENTITY: 634 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 635 break; 636 case EAP_TYPE_TLV: 637 os_memset(&iret, 0, sizeof(iret)); 638 if (eap_tlv_process(sm, data, &iret, req, resp, 639 data->phase2_eap_started && 640 !data->phase2_eap_success)) { 641 ret->methodState = METHOD_DONE; 642 ret->decision = DECISION_FAIL; 643 return -1; 644 } 645 if (iret.methodState == METHOD_DONE || 646 iret.methodState == METHOD_MAY_CONT) { 647 ret->methodState = iret.methodState; 648 ret->decision = iret.decision; 649 data->phase2_success = 1; 650 } 651 break; 652 case EAP_TYPE_EXPANDED: 653 #ifdef EAP_TNC 654 if (data->soh) { 655 const u8 *epos; 656 size_t eleft; 657 658 epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, 659 req, &eleft); 660 if (epos) { 661 struct wpabuf *buf; 662 wpa_printf(MSG_DEBUG, 663 "EAP-PEAP: SoH EAP Extensions"); 664 buf = tncc_process_soh_request(data->soh, 665 epos, eleft); 666 if (buf) { 667 *resp = eap_msg_alloc( 668 EAP_VENDOR_MICROSOFT, 0x21, 669 wpabuf_len(buf), 670 EAP_CODE_RESPONSE, 671 hdr->identifier); 672 if (*resp == NULL) { 673 ret->methodState = METHOD_DONE; 674 ret->decision = DECISION_FAIL; 675 return -1; 676 } 677 wpabuf_put_buf(*resp, buf); 678 wpabuf_free(buf); 679 break; 680 } 681 } 682 } 683 #endif /* EAP_TNC */ 684 /* fall through */ 685 default: 686 if (data->phase2_type.vendor == EAP_VENDOR_IETF && 687 data->phase2_type.method == EAP_TYPE_NONE) { 688 size_t i; 689 for (i = 0; i < data->num_phase2_types; i++) { 690 if (data->phase2_types[i].vendor != 691 EAP_VENDOR_IETF || 692 data->phase2_types[i].method != *pos) 693 continue; 694 695 data->phase2_type.vendor = 696 data->phase2_types[i].vendor; 697 data->phase2_type.method = 698 data->phase2_types[i].method; 699 wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " 700 "Phase 2 EAP vendor %d method %d", 701 data->phase2_type.vendor, 702 data->phase2_type.method); 703 break; 704 } 705 } 706 if (*pos != data->phase2_type.method || 707 *pos == EAP_TYPE_NONE) { 708 if (eap_peer_tls_phase2_nak(data->phase2_types, 709 data->num_phase2_types, 710 hdr, resp)) 711 return -1; 712 return 0; 713 } 714 715 if (data->phase2_priv == NULL) { 716 data->phase2_method = eap_peer_get_eap_method( 717 data->phase2_type.vendor, 718 data->phase2_type.method); 719 if (data->phase2_method) { 720 sm->init_phase2 = 1; 721 data->phase2_priv = 722 data->phase2_method->init(sm); 723 sm->init_phase2 = 0; 724 } 725 } 726 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 727 wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " 728 "Phase 2 EAP method %d", *pos); 729 ret->methodState = METHOD_DONE; 730 ret->decision = DECISION_FAIL; 731 return -1; 732 } 733 data->phase2_eap_started = 1; 734 os_memset(&iret, 0, sizeof(iret)); 735 *resp = data->phase2_method->process(sm, data->phase2_priv, 736 &iret, req); 737 if ((iret.methodState == METHOD_DONE || 738 iret.methodState == METHOD_MAY_CONT) && 739 (iret.decision == DECISION_UNCOND_SUCC || 740 iret.decision == DECISION_COND_SUCC)) { 741 data->phase2_eap_success = 1; 742 data->phase2_success = 1; 743 } 744 break; 745 } 746 747 if (*resp == NULL && 748 (config->pending_req_identity || config->pending_req_password || 749 config->pending_req_otp || config->pending_req_new_password)) { 750 wpabuf_free(data->pending_phase2_req); 751 data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); 752 } 753 754 return 0; 755 } 756 757 758 static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, 759 struct eap_method_ret *ret, 760 const struct eap_hdr *req, 761 const struct wpabuf *in_data, 762 struct wpabuf **out_data) 763 { 764 struct wpabuf *in_decrypted = NULL; 765 int res, skip_change = 0; 766 struct eap_hdr *hdr, *rhdr; 767 struct wpabuf *resp = NULL; 768 size_t len; 769 770 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" 771 " Phase 2", (unsigned long) wpabuf_len(in_data)); 772 773 if (data->pending_phase2_req) { 774 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " 775 "skip decryption and use old data"); 776 /* Clear TLS reassembly state. */ 777 eap_peer_tls_reset_input(&data->ssl); 778 in_decrypted = data->pending_phase2_req; 779 data->pending_phase2_req = NULL; 780 skip_change = 1; 781 goto continue_req; 782 } 783 784 if (wpabuf_len(in_data) == 0 && sm->workaround && 785 data->phase2_success) { 786 /* 787 * Cisco ACS seems to be using TLS ACK to terminate 788 * EAP-PEAPv0/GTC. Try to reply with TLS ACK. 789 */ 790 wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " 791 "expected data - acknowledge with TLS ACK since " 792 "Phase 2 has been completed"); 793 ret->decision = DECISION_COND_SUCC; 794 ret->methodState = METHOD_DONE; 795 return 1; 796 } else if (wpabuf_len(in_data) == 0) { 797 /* Received TLS ACK - requesting more fragments */ 798 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 799 data->peap_version, 800 req->identifier, NULL, out_data); 801 } 802 803 res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 804 if (res) 805 return res; 806 807 continue_req: 808 wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", 809 in_decrypted); 810 811 hdr = wpabuf_mhead(in_decrypted); 812 if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && 813 be_to_host16(hdr->length) == 5 && 814 eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { 815 /* At least FreeRADIUS seems to send full EAP header with 816 * EAP Request Identity */ 817 skip_change = 1; 818 } 819 if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && 820 eap_get_type(in_decrypted) == EAP_TYPE_TLV) { 821 skip_change = 1; 822 } 823 824 if (data->peap_version == 0 && !skip_change) { 825 struct eap_hdr *nhdr; 826 struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + 827 wpabuf_len(in_decrypted)); 828 if (nmsg == NULL) { 829 wpabuf_free(in_decrypted); 830 return 0; 831 } 832 nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); 833 wpabuf_put_buf(nmsg, in_decrypted); 834 nhdr->code = req->code; 835 nhdr->identifier = req->identifier; 836 nhdr->length = host_to_be16(sizeof(struct eap_hdr) + 837 wpabuf_len(in_decrypted)); 838 839 wpabuf_free(in_decrypted); 840 in_decrypted = nmsg; 841 } 842 843 if (data->peap_version >= 2) { 844 struct eap_tlv_hdr *tlv; 845 struct wpabuf *nmsg; 846 847 if (wpabuf_len(in_decrypted) < sizeof(*tlv) + sizeof(*hdr)) { 848 wpa_printf(MSG_INFO, "EAP-PEAPv2: Too short Phase 2 " 849 "EAP TLV"); 850 wpabuf_free(in_decrypted); 851 return 0; 852 } 853 tlv = wpabuf_mhead(in_decrypted); 854 if ((be_to_host16(tlv->tlv_type) & 0x3fff) != 855 EAP_TLV_EAP_PAYLOAD_TLV) { 856 wpa_printf(MSG_INFO, "EAP-PEAPv2: Not an EAP TLV"); 857 wpabuf_free(in_decrypted); 858 return 0; 859 } 860 if (sizeof(*tlv) + be_to_host16(tlv->length) > 861 wpabuf_len(in_decrypted)) { 862 wpa_printf(MSG_INFO, "EAP-PEAPv2: Invalid EAP TLV " 863 "length"); 864 wpabuf_free(in_decrypted); 865 return 0; 866 } 867 hdr = (struct eap_hdr *) (tlv + 1); 868 if (be_to_host16(hdr->length) > be_to_host16(tlv->length)) { 869 wpa_printf(MSG_INFO, "EAP-PEAPv2: No room for full " 870 "EAP packet in EAP TLV"); 871 wpabuf_free(in_decrypted); 872 return 0; 873 } 874 875 nmsg = wpabuf_alloc(be_to_host16(hdr->length)); 876 if (nmsg == NULL) { 877 wpabuf_free(in_decrypted); 878 return 0; 879 } 880 881 wpabuf_put_data(nmsg, hdr, be_to_host16(hdr->length)); 882 wpabuf_free(in_decrypted); 883 in_decrypted = nmsg; 884 } 885 886 hdr = wpabuf_mhead(in_decrypted); 887 if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { 888 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " 889 "EAP frame (len=%lu)", 890 (unsigned long) wpabuf_len(in_decrypted)); 891 wpabuf_free(in_decrypted); 892 return 0; 893 } 894 len = be_to_host16(hdr->length); 895 if (len > wpabuf_len(in_decrypted)) { 896 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " 897 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 898 (unsigned long) wpabuf_len(in_decrypted), 899 (unsigned long) len); 900 wpabuf_free(in_decrypted); 901 return 0; 902 } 903 if (len < wpabuf_len(in_decrypted)) { 904 wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " 905 "shorter length than full decrypted data " 906 "(%lu < %lu)", 907 (unsigned long) len, 908 (unsigned long) wpabuf_len(in_decrypted)); 909 } 910 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " 911 "identifier=%d length=%lu", hdr->code, hdr->identifier, 912 (unsigned long) len); 913 switch (hdr->code) { 914 case EAP_CODE_REQUEST: 915 if (eap_peap_phase2_request(sm, data, ret, in_decrypted, 916 &resp)) { 917 wpabuf_free(in_decrypted); 918 wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " 919 "processing failed"); 920 return 0; 921 } 922 break; 923 case EAP_CODE_SUCCESS: 924 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); 925 if (data->peap_version == 1) { 926 /* EAP-Success within TLS tunnel is used to indicate 927 * shutdown of the TLS channel. The authentication has 928 * been completed. */ 929 if (data->phase2_eap_started && 930 !data->phase2_eap_success) { 931 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " 932 "Success used to indicate success, " 933 "but Phase 2 EAP was not yet " 934 "completed successfully"); 935 ret->methodState = METHOD_DONE; 936 ret->decision = DECISION_FAIL; 937 wpabuf_free(in_decrypted); 938 return 0; 939 } 940 wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " 941 "EAP-Success within TLS tunnel - " 942 "authentication completed"); 943 ret->decision = DECISION_UNCOND_SUCC; 944 ret->methodState = METHOD_DONE; 945 data->phase2_success = 1; 946 if (data->peap_outer_success == 2) { 947 wpabuf_free(in_decrypted); 948 wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " 949 "to finish authentication"); 950 return 1; 951 } else if (data->peap_outer_success == 1) { 952 /* Reply with EAP-Success within the TLS 953 * channel to complete the authentication. */ 954 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 955 if (resp) { 956 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 957 rhdr->code = EAP_CODE_SUCCESS; 958 rhdr->identifier = hdr->identifier; 959 rhdr->length = 960 host_to_be16(sizeof(*rhdr)); 961 } 962 } else { 963 /* No EAP-Success expected for Phase 1 (outer, 964 * unencrypted auth), so force EAP state 965 * machine to SUCCESS state. */ 966 sm->peap_done = TRUE; 967 } 968 } else { 969 /* FIX: ? */ 970 } 971 break; 972 case EAP_CODE_FAILURE: 973 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); 974 ret->decision = DECISION_FAIL; 975 ret->methodState = METHOD_MAY_CONT; 976 ret->allowNotifications = FALSE; 977 /* Reply with EAP-Failure within the TLS channel to complete 978 * failure reporting. */ 979 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 980 if (resp) { 981 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 982 rhdr->code = EAP_CODE_FAILURE; 983 rhdr->identifier = hdr->identifier; 984 rhdr->length = host_to_be16(sizeof(*rhdr)); 985 } 986 break; 987 default: 988 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " 989 "Phase 2 EAP header", hdr->code); 990 break; 991 } 992 993 wpabuf_free(in_decrypted); 994 995 if (resp) { 996 int skip_change2 = 0; 997 struct wpabuf *rmsg, buf; 998 999 wpa_hexdump_buf_key(MSG_DEBUG, 1000 "EAP-PEAP: Encrypting Phase 2 data", resp); 1001 /* PEAP version changes */ 1002 if (data->peap_version >= 2) { 1003 resp = eap_peapv2_tlv_eap_payload(resp); 1004 if (resp == NULL) 1005 return -1; 1006 } 1007 if (wpabuf_len(resp) >= 5 && 1008 wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && 1009 eap_get_type(resp) == EAP_TYPE_TLV) 1010 skip_change2 = 1; 1011 rmsg = resp; 1012 if (data->peap_version == 0 && !skip_change2) { 1013 wpabuf_set(&buf, wpabuf_head_u8(resp) + 1014 sizeof(struct eap_hdr), 1015 wpabuf_len(resp) - sizeof(struct eap_hdr)); 1016 rmsg = &buf; 1017 } 1018 1019 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 1020 data->peap_version, req->identifier, 1021 rmsg, out_data)) { 1022 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " 1023 "a Phase 2 frame"); 1024 } 1025 wpabuf_free(resp); 1026 } 1027 1028 return 0; 1029 } 1030 1031 1032 static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, 1033 struct eap_method_ret *ret, 1034 const struct wpabuf *reqData) 1035 { 1036 const struct eap_hdr *req; 1037 size_t left; 1038 int res; 1039 u8 flags, id; 1040 struct wpabuf *resp; 1041 const u8 *pos; 1042 struct eap_peap_data *data = priv; 1043 1044 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, 1045 reqData, &left, &flags); 1046 if (pos == NULL) 1047 return NULL; 1048 req = wpabuf_head(reqData); 1049 id = req->identifier; 1050 1051 if (flags & EAP_TLS_FLAGS_START) { 1052 wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " 1053 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1054 data->peap_version); 1055 if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) 1056 data->peap_version = flags & EAP_TLS_VERSION_MASK; 1057 if (data->force_peap_version >= 0 && 1058 data->force_peap_version != data->peap_version) { 1059 wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " 1060 "forced PEAP version %d", 1061 data->force_peap_version); 1062 ret->methodState = METHOD_DONE; 1063 ret->decision = DECISION_FAIL; 1064 ret->allowNotifications = FALSE; 1065 return NULL; 1066 } 1067 wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", 1068 data->peap_version); 1069 left = 0; /* make sure that this frame is empty, even though it 1070 * should always be, anyway */ 1071 } 1072 1073 resp = NULL; 1074 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1075 !data->resuming) { 1076 struct wpabuf msg; 1077 wpabuf_set(&msg, pos, left); 1078 res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); 1079 } else { 1080 res = eap_peer_tls_process_helper(sm, &data->ssl, 1081 EAP_TYPE_PEAP, 1082 data->peap_version, id, pos, 1083 left, &resp); 1084 1085 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1086 char *label; 1087 wpa_printf(MSG_DEBUG, 1088 "EAP-PEAP: TLS done, proceed to Phase 2"); 1089 os_free(data->key_data); 1090 /* draft-josefsson-ppext-eap-tls-eap-05.txt 1091 * specifies that PEAPv1 would use "client PEAP 1092 * encryption" as the label. However, most existing 1093 * PEAPv1 implementations seem to be using the old 1094 * label, "client EAP encryption", instead. Use the old 1095 * label by default, but allow it to be configured with 1096 * phase1 parameter peaplabel=1. */ 1097 if (data->peap_version > 1 || data->force_new_label) 1098 label = "client PEAP encryption"; 1099 else 1100 label = "client EAP encryption"; 1101 wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " 1102 "key derivation", label); 1103 data->key_data = 1104 eap_peer_tls_derive_key(sm, &data->ssl, label, 1105 EAP_TLS_KEY_LEN); 1106 if (data->key_data) { 1107 wpa_hexdump_key(MSG_DEBUG, 1108 "EAP-PEAP: Derived key", 1109 data->key_data, 1110 EAP_TLS_KEY_LEN); 1111 } else { 1112 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " 1113 "derive key"); 1114 } 1115 1116 if (sm->workaround && data->resuming) { 1117 /* 1118 * At least few RADIUS servers (Aegis v1.1.6; 1119 * but not v1.1.4; and Cisco ACS) seem to be 1120 * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco 1121 * ACS) session resumption with outer 1122 * EAP-Success. This does not seem to follow 1123 * draft-josefsson-pppext-eap-tls-eap-05.txt 1124 * section 4.2, so only allow this if EAP 1125 * workarounds are enabled. 1126 */ 1127 wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " 1128 "allow outer EAP-Success to " 1129 "terminate PEAP resumption"); 1130 ret->decision = DECISION_COND_SUCC; 1131 data->phase2_success = 1; 1132 } 1133 1134 data->resuming = 0; 1135 } 1136 1137 if (res == 2) { 1138 struct wpabuf msg; 1139 /* 1140 * Application data included in the handshake message. 1141 */ 1142 wpabuf_free(data->pending_phase2_req); 1143 data->pending_phase2_req = resp; 1144 resp = NULL; 1145 wpabuf_set(&msg, pos, left); 1146 res = eap_peap_decrypt(sm, data, ret, req, &msg, 1147 &resp); 1148 } 1149 } 1150 1151 if (ret->methodState == METHOD_DONE) { 1152 ret->allowNotifications = FALSE; 1153 } 1154 1155 if (res == 1) { 1156 wpabuf_free(resp); 1157 return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, 1158 data->peap_version); 1159 } 1160 1161 return resp; 1162 } 1163 1164 1165 static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) 1166 { 1167 struct eap_peap_data *data = priv; 1168 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1169 data->phase2_success; 1170 } 1171 1172 1173 static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) 1174 { 1175 struct eap_peap_data *data = priv; 1176 wpabuf_free(data->pending_phase2_req); 1177 data->pending_phase2_req = NULL; 1178 data->crypto_binding_used = 0; 1179 } 1180 1181 1182 static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) 1183 { 1184 struct eap_peap_data *data = priv; 1185 os_free(data->key_data); 1186 data->key_data = NULL; 1187 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1188 os_free(data); 1189 return NULL; 1190 } 1191 if (data->phase2_priv && data->phase2_method && 1192 data->phase2_method->init_for_reauth) 1193 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1194 data->phase2_success = 0; 1195 data->phase2_eap_success = 0; 1196 data->phase2_eap_started = 0; 1197 data->resuming = 1; 1198 data->reauth = 1; 1199 sm->peap_done = FALSE; 1200 return priv; 1201 } 1202 1203 1204 static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, 1205 size_t buflen, int verbose) 1206 { 1207 struct eap_peap_data *data = priv; 1208 int len, ret; 1209 1210 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1211 if (data->phase2_method) { 1212 ret = os_snprintf(buf + len, buflen - len, 1213 "EAP-PEAPv%d Phase2 method=%s\n", 1214 data->peap_version, 1215 data->phase2_method->name); 1216 if (ret < 0 || (size_t) ret >= buflen - len) 1217 return len; 1218 len += ret; 1219 } 1220 return len; 1221 } 1222 1223 1224 static Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) 1225 { 1226 struct eap_peap_data *data = priv; 1227 return data->key_data != NULL && data->phase2_success; 1228 } 1229 1230 1231 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1232 { 1233 struct eap_peap_data *data = priv; 1234 u8 *key; 1235 1236 if (data->key_data == NULL || !data->phase2_success) 1237 return NULL; 1238 1239 key = os_malloc(EAP_TLS_KEY_LEN); 1240 if (key == NULL) 1241 return NULL; 1242 1243 *len = EAP_TLS_KEY_LEN; 1244 1245 if (data->crypto_binding_used) { 1246 u8 csk[128]; 1247 /* 1248 * Note: It looks like Microsoft implementation requires null 1249 * termination for this label while the one used for deriving 1250 * IPMK|CMK did not use null termination. 1251 */ 1252 if (peap_prfplus(data->peap_version, data->ipmk, 40, 1253 "Session Key Generating Function", 1254 (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { 1255 os_free(key); 1256 return NULL; 1257 } 1258 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); 1259 os_memcpy(key, csk, EAP_TLS_KEY_LEN); 1260 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", 1261 key, EAP_TLS_KEY_LEN); 1262 } else 1263 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1264 1265 return key; 1266 } 1267 1268 1269 int eap_peer_peap_register(void) 1270 { 1271 struct eap_method *eap; 1272 int ret; 1273 1274 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1275 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); 1276 if (eap == NULL) 1277 return -1; 1278 1279 eap->init = eap_peap_init; 1280 eap->deinit = eap_peap_deinit; 1281 eap->process = eap_peap_process; 1282 eap->isKeyAvailable = eap_peap_isKeyAvailable; 1283 eap->getKey = eap_peap_getKey; 1284 eap->get_status = eap_peap_get_status; 1285 eap->has_reauth_data = eap_peap_has_reauth_data; 1286 eap->deinit_for_reauth = eap_peap_deinit_for_reauth; 1287 eap->init_for_reauth = eap_peap_init_for_reauth; 1288 1289 ret = eap_peer_method_register(eap); 1290 if (ret) 1291 eap_peer_method_free(eap); 1292 return ret; 1293 } 1294