1 /* 2 * EAP peer method: EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/ms_funcs.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "eap_common/chap.h" 22 #include "eap_common/eap_ttls.h" 23 #include "mschapv2.h" 24 #include "eap_i.h" 25 #include "eap_tls_common.h" 26 #include "eap_config.h" 27 28 29 #define EAP_TTLS_VERSION 0 30 31 32 static void eap_ttls_deinit(struct eap_sm *sm, void *priv); 33 34 35 struct eap_ttls_data { 36 struct eap_ssl_data ssl; 37 38 int ttls_version; 39 40 const struct eap_method *phase2_method; 41 void *phase2_priv; 42 int phase2_success; 43 int phase2_start; 44 45 enum phase2_types { 46 EAP_TTLS_PHASE2_EAP, 47 EAP_TTLS_PHASE2_MSCHAPV2, 48 EAP_TTLS_PHASE2_MSCHAP, 49 EAP_TTLS_PHASE2_PAP, 50 EAP_TTLS_PHASE2_CHAP 51 } phase2_type; 52 struct eap_method_type phase2_eap_type; 53 struct eap_method_type *phase2_eap_types; 54 size_t num_phase2_eap_types; 55 56 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN]; 57 int auth_response_valid; 58 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */ 59 u8 ident; 60 int resuming; /* starting a resumed session */ 61 int reauth; /* reauthentication */ 62 u8 *key_data; 63 64 struct wpabuf *pending_phase2_req; 65 66 #ifdef EAP_TNC 67 int ready_for_tnc; 68 int tnc_started; 69 #endif /* EAP_TNC */ 70 }; 71 72 73 static void * eap_ttls_init(struct eap_sm *sm) 74 { 75 struct eap_ttls_data *data; 76 struct eap_peer_config *config = eap_get_config(sm); 77 char *selected; 78 79 data = os_zalloc(sizeof(*data)); 80 if (data == NULL) 81 return NULL; 82 data->ttls_version = EAP_TTLS_VERSION; 83 selected = "EAP"; 84 data->phase2_type = EAP_TTLS_PHASE2_EAP; 85 86 if (config && config->phase2) { 87 if (os_strstr(config->phase2, "autheap=")) { 88 selected = "EAP"; 89 data->phase2_type = EAP_TTLS_PHASE2_EAP; 90 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) { 91 selected = "MSCHAPV2"; 92 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2; 93 } else if (os_strstr(config->phase2, "auth=MSCHAP")) { 94 selected = "MSCHAP"; 95 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP; 96 } else if (os_strstr(config->phase2, "auth=PAP")) { 97 selected = "PAP"; 98 data->phase2_type = EAP_TTLS_PHASE2_PAP; 99 } else if (os_strstr(config->phase2, "auth=CHAP")) { 100 selected = "CHAP"; 101 data->phase2_type = EAP_TTLS_PHASE2_CHAP; 102 } 103 } 104 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected); 105 106 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) { 107 if (eap_peer_select_phase2_methods(config, "autheap=", 108 &data->phase2_eap_types, 109 &data->num_phase2_eap_types) 110 < 0) { 111 eap_ttls_deinit(sm, data); 112 return NULL; 113 } 114 115 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 116 data->phase2_eap_type.method = EAP_TYPE_NONE; 117 } 118 119 if (eap_peer_tls_ssl_init(sm, &data->ssl, config)) { 120 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 121 eap_ttls_deinit(sm, data); 122 return NULL; 123 } 124 125 return data; 126 } 127 128 129 static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, 130 struct eap_ttls_data *data) 131 { 132 if (data->phase2_priv && data->phase2_method) { 133 data->phase2_method->deinit(sm, data->phase2_priv); 134 data->phase2_method = NULL; 135 data->phase2_priv = NULL; 136 } 137 } 138 139 140 static void eap_ttls_deinit(struct eap_sm *sm, void *priv) 141 { 142 struct eap_ttls_data *data = priv; 143 if (data == NULL) 144 return; 145 eap_ttls_phase2_eap_deinit(sm, data); 146 os_free(data->phase2_eap_types); 147 eap_peer_tls_ssl_deinit(sm, &data->ssl); 148 os_free(data->key_data); 149 wpabuf_free(data->pending_phase2_req); 150 os_free(data); 151 } 152 153 154 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 155 int mandatory, size_t len) 156 { 157 struct ttls_avp_vendor *avp; 158 u8 flags; 159 size_t hdrlen; 160 161 avp = (struct ttls_avp_vendor *) avphdr; 162 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 163 if (vendor_id) { 164 flags |= AVP_FLAGS_VENDOR; 165 hdrlen = sizeof(*avp); 166 avp->vendor_id = host_to_be32(vendor_id); 167 } else { 168 hdrlen = sizeof(struct ttls_avp); 169 } 170 171 avp->avp_code = host_to_be32(avp_code); 172 avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len)); 173 174 return avphdr + hdrlen; 175 } 176 177 178 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code, 179 u32 vendor_id, int mandatory, 180 const u8 *data, size_t len) 181 { 182 u8 *pos; 183 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len); 184 os_memcpy(pos, data, len); 185 pos += len; 186 AVP_PAD(start, pos); 187 return pos; 188 } 189 190 191 static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code, 192 int mandatory) 193 { 194 struct wpabuf *msg; 195 u8 *avp, *pos; 196 197 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4); 198 if (msg == NULL) { 199 wpabuf_free(*resp); 200 *resp = NULL; 201 return -1; 202 } 203 204 avp = wpabuf_mhead(msg); 205 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp)); 206 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp)); 207 pos += wpabuf_len(*resp); 208 AVP_PAD(avp, pos); 209 wpabuf_free(*resp); 210 wpabuf_put(msg, pos - avp); 211 *resp = msg; 212 return 0; 213 } 214 215 216 static int eap_ttls_v0_derive_key(struct eap_sm *sm, 217 struct eap_ttls_data *data) 218 { 219 os_free(data->key_data); 220 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, 221 "ttls keying material", 222 EAP_TLS_KEY_LEN); 223 if (!data->key_data) { 224 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key"); 225 return -1; 226 } 227 228 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 229 data->key_data, EAP_TLS_KEY_LEN); 230 231 return 0; 232 } 233 234 235 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 236 struct eap_ttls_data *data, size_t len) 237 { 238 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len); 239 } 240 241 242 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data, 243 u8 method) 244 { 245 size_t i; 246 for (i = 0; i < data->num_phase2_eap_types; i++) { 247 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF || 248 data->phase2_eap_types[i].method != method) 249 continue; 250 251 data->phase2_eap_type.vendor = 252 data->phase2_eap_types[i].vendor; 253 data->phase2_eap_type.method = 254 data->phase2_eap_types[i].method; 255 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 256 "Phase 2 EAP vendor %d method %d", 257 data->phase2_eap_type.vendor, 258 data->phase2_eap_type.method); 259 break; 260 } 261 } 262 263 264 static int eap_ttls_phase2_eap_process(struct eap_sm *sm, 265 struct eap_ttls_data *data, 266 struct eap_method_ret *ret, 267 struct eap_hdr *hdr, size_t len, 268 struct wpabuf **resp) 269 { 270 struct wpabuf msg; 271 struct eap_method_ret iret; 272 273 os_memset(&iret, 0, sizeof(iret)); 274 wpabuf_set(&msg, hdr, len); 275 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret, 276 &msg); 277 if ((iret.methodState == METHOD_DONE || 278 iret.methodState == METHOD_MAY_CONT) && 279 (iret.decision == DECISION_UNCOND_SUCC || 280 iret.decision == DECISION_COND_SUCC || 281 iret.decision == DECISION_FAIL)) { 282 ret->methodState = iret.methodState; 283 ret->decision = iret.decision; 284 } 285 286 return 0; 287 } 288 289 290 static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm, 291 struct eap_ttls_data *data, 292 struct eap_method_ret *ret, 293 struct eap_hdr *hdr, size_t len, 294 u8 method, struct wpabuf **resp) 295 { 296 #ifdef EAP_TNC 297 if (data->tnc_started && data->phase2_method && 298 data->phase2_priv && method == EAP_TYPE_TNC && 299 data->phase2_eap_type.method == EAP_TYPE_TNC) 300 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, 301 resp); 302 303 if (data->ready_for_tnc && !data->tnc_started && 304 method == EAP_TYPE_TNC) { 305 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 306 "EAP method"); 307 data->tnc_started = 1; 308 } 309 310 if (data->tnc_started) { 311 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF || 312 data->phase2_eap_type.method == EAP_TYPE_TNC) { 313 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP " 314 "type %d for TNC", method); 315 return -1; 316 } 317 318 data->phase2_eap_type.vendor = EAP_VENDOR_IETF; 319 data->phase2_eap_type.method = method; 320 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected " 321 "Phase 2 EAP vendor %d method %d (TNC)", 322 data->phase2_eap_type.vendor, 323 data->phase2_eap_type.method); 324 325 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) 326 eap_ttls_phase2_eap_deinit(sm, data); 327 } 328 #endif /* EAP_TNC */ 329 330 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF && 331 data->phase2_eap_type.method == EAP_TYPE_NONE) 332 eap_ttls_phase2_select_eap_method(data, method); 333 334 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE) 335 { 336 if (eap_peer_tls_phase2_nak(data->phase2_eap_types, 337 data->num_phase2_eap_types, 338 hdr, resp)) 339 return -1; 340 return 0; 341 } 342 343 if (data->phase2_priv == NULL) { 344 data->phase2_method = eap_peer_get_eap_method( 345 EAP_VENDOR_IETF, method); 346 if (data->phase2_method) { 347 sm->init_phase2 = 1; 348 data->phase2_priv = data->phase2_method->init(sm); 349 sm->init_phase2 = 0; 350 } 351 } 352 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 353 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize " 354 "Phase 2 EAP method %d", method); 355 return -1; 356 } 357 358 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp); 359 } 360 361 362 static int eap_ttls_phase2_request_eap(struct eap_sm *sm, 363 struct eap_ttls_data *data, 364 struct eap_method_ret *ret, 365 struct eap_hdr *hdr, 366 struct wpabuf **resp) 367 { 368 size_t len = be_to_host16(hdr->length); 369 u8 *pos; 370 struct eap_peer_config *config = eap_get_config(sm); 371 372 if (len <= sizeof(struct eap_hdr)) { 373 wpa_printf(MSG_INFO, "EAP-TTLS: too short " 374 "Phase 2 request (len=%lu)", (unsigned long) len); 375 return -1; 376 } 377 pos = (u8 *) (hdr + 1); 378 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos); 379 switch (*pos) { 380 case EAP_TYPE_IDENTITY: 381 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 382 break; 383 default: 384 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len, 385 *pos, resp) < 0) 386 return -1; 387 break; 388 } 389 390 if (*resp == NULL && 391 (config->pending_req_identity || config->pending_req_password || 392 config->pending_req_otp)) { 393 return 0; 394 } 395 396 if (*resp == NULL) 397 return -1; 398 399 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response", 400 *resp); 401 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1); 402 } 403 404 405 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm, 406 struct eap_ttls_data *data, 407 struct eap_method_ret *ret, 408 struct wpabuf **resp) 409 { 410 struct wpabuf *msg; 411 u8 *buf, *pos, *challenge, *peer_challenge; 412 const u8 *identity, *password; 413 size_t identity_len, password_len; 414 int pwhash; 415 416 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request"); 417 418 identity = eap_get_config_identity(sm, &identity_len); 419 password = eap_get_config_password2(sm, &password_len, &pwhash); 420 if (identity == NULL || password == NULL) 421 return -1; 422 423 msg = wpabuf_alloc(identity_len + 1000); 424 if (msg == NULL) { 425 wpa_printf(MSG_ERROR, 426 "EAP-TTLS/MSCHAPV2: Failed to allocate memory"); 427 return -1; 428 } 429 pos = buf = wpabuf_mhead(msg); 430 431 /* User-Name */ 432 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 433 identity, identity_len); 434 435 /* MS-CHAP-Challenge */ 436 challenge = eap_ttls_implicit_challenge( 437 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 438 if (challenge == NULL) { 439 wpabuf_free(msg); 440 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 441 "implicit challenge"); 442 return -1; 443 } 444 445 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 446 RADIUS_VENDOR_ID_MICROSOFT, 1, 447 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 448 449 /* MS-CHAP2-Response */ 450 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE, 451 RADIUS_VENDOR_ID_MICROSOFT, 1, 452 EAP_TTLS_MSCHAPV2_RESPONSE_LEN); 453 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; 454 *pos++ = data->ident; 455 *pos++ = 0; /* Flags */ 456 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) { 457 os_free(challenge); 458 wpabuf_free(msg); 459 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get " 460 "random data for peer challenge"); 461 return -1; 462 } 463 peer_challenge = pos; 464 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; 465 os_memset(pos, 0, 8); /* Reserved, must be zero */ 466 pos += 8; 467 if (mschapv2_derive_response(identity, identity_len, password, 468 password_len, pwhash, challenge, 469 peer_challenge, pos, data->auth_response, 470 data->master_key)) { 471 os_free(challenge); 472 wpabuf_free(msg); 473 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " 474 "response"); 475 return -1; 476 } 477 data->auth_response_valid = 1; 478 479 pos += 24; 480 os_free(challenge); 481 AVP_PAD(buf, pos); 482 483 wpabuf_put(msg, pos - buf); 484 *resp = msg; 485 486 if (sm->workaround) { 487 /* At least FreeRADIUS seems to be terminating 488 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success 489 * packet. */ 490 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - " 491 "allow success without tunneled response"); 492 ret->methodState = METHOD_MAY_CONT; 493 ret->decision = DECISION_COND_SUCC; 494 } 495 496 return 0; 497 } 498 499 500 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm, 501 struct eap_ttls_data *data, 502 struct eap_method_ret *ret, 503 struct wpabuf **resp) 504 { 505 struct wpabuf *msg; 506 u8 *buf, *pos, *challenge; 507 const u8 *identity, *password; 508 size_t identity_len, password_len; 509 int pwhash; 510 511 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request"); 512 513 identity = eap_get_config_identity(sm, &identity_len); 514 password = eap_get_config_password2(sm, &password_len, &pwhash); 515 if (identity == NULL || password == NULL) 516 return -1; 517 518 msg = wpabuf_alloc(identity_len + 1000); 519 if (msg == NULL) { 520 wpa_printf(MSG_ERROR, 521 "EAP-TTLS/MSCHAP: Failed to allocate memory"); 522 return -1; 523 } 524 pos = buf = wpabuf_mhead(msg); 525 526 /* User-Name */ 527 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 528 identity, identity_len); 529 530 /* MS-CHAP-Challenge */ 531 challenge = eap_ttls_implicit_challenge( 532 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 533 if (challenge == NULL) { 534 wpabuf_free(msg); 535 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive " 536 "implicit challenge"); 537 return -1; 538 } 539 540 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, 541 RADIUS_VENDOR_ID_MICROSOFT, 1, 542 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 543 544 /* MS-CHAP-Response */ 545 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE, 546 RADIUS_VENDOR_ID_MICROSOFT, 1, 547 EAP_TTLS_MSCHAP_RESPONSE_LEN); 548 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN]; 549 *pos++ = data->ident; 550 *pos++ = 1; /* Flags: Use NT style passwords */ 551 os_memset(pos, 0, 24); /* LM-Response */ 552 pos += 24; 553 if (pwhash) { 554 challenge_response(challenge, password, pos); /* NT-Response */ 555 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash", 556 password, 16); 557 } else { 558 nt_challenge_response(challenge, password, password_len, 559 pos); /* NT-Response */ 560 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", 561 password, password_len); 562 } 563 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge", 564 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN); 565 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24); 566 pos += 24; 567 os_free(challenge); 568 AVP_PAD(buf, pos); 569 570 wpabuf_put(msg, pos - buf); 571 *resp = msg; 572 573 /* EAP-TTLS/MSCHAP does not provide tunneled success 574 * notification, so assume that Phase2 succeeds. */ 575 ret->methodState = METHOD_DONE; 576 ret->decision = DECISION_COND_SUCC; 577 578 return 0; 579 } 580 581 582 static int eap_ttls_phase2_request_pap(struct eap_sm *sm, 583 struct eap_ttls_data *data, 584 struct eap_method_ret *ret, 585 struct wpabuf **resp) 586 { 587 struct wpabuf *msg; 588 u8 *buf, *pos; 589 size_t pad; 590 const u8 *identity, *password; 591 size_t identity_len, password_len; 592 593 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request"); 594 595 identity = eap_get_config_identity(sm, &identity_len); 596 password = eap_get_config_password(sm, &password_len); 597 if (identity == NULL || password == NULL) 598 return -1; 599 600 msg = wpabuf_alloc(identity_len + password_len + 100); 601 if (msg == NULL) { 602 wpa_printf(MSG_ERROR, 603 "EAP-TTLS/PAP: Failed to allocate memory"); 604 return -1; 605 } 606 pos = buf = wpabuf_mhead(msg); 607 608 /* User-Name */ 609 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 610 identity, identity_len); 611 612 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts 613 * the data, so no separate encryption is used in the AVP itself. 614 * However, the password is padded to obfuscate its length. */ 615 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15; 616 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, 617 password_len + pad); 618 os_memcpy(pos, password, password_len); 619 pos += password_len; 620 os_memset(pos, 0, pad); 621 pos += pad; 622 AVP_PAD(buf, pos); 623 624 wpabuf_put(msg, pos - buf); 625 *resp = msg; 626 627 /* EAP-TTLS/PAP does not provide tunneled success notification, 628 * so assume that Phase2 succeeds. */ 629 ret->methodState = METHOD_DONE; 630 ret->decision = DECISION_COND_SUCC; 631 632 return 0; 633 } 634 635 636 static int eap_ttls_phase2_request_chap(struct eap_sm *sm, 637 struct eap_ttls_data *data, 638 struct eap_method_ret *ret, 639 struct wpabuf **resp) 640 { 641 struct wpabuf *msg; 642 u8 *buf, *pos, *challenge; 643 const u8 *identity, *password; 644 size_t identity_len, password_len; 645 646 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request"); 647 648 identity = eap_get_config_identity(sm, &identity_len); 649 password = eap_get_config_password(sm, &password_len); 650 if (identity == NULL || password == NULL) 651 return -1; 652 653 msg = wpabuf_alloc(identity_len + 1000); 654 if (msg == NULL) { 655 wpa_printf(MSG_ERROR, 656 "EAP-TTLS/CHAP: Failed to allocate memory"); 657 return -1; 658 } 659 pos = buf = wpabuf_mhead(msg); 660 661 /* User-Name */ 662 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1, 663 identity, identity_len); 664 665 /* CHAP-Challenge */ 666 challenge = eap_ttls_implicit_challenge( 667 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 668 if (challenge == NULL) { 669 wpabuf_free(msg); 670 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive " 671 "implicit challenge"); 672 return -1; 673 } 674 675 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1, 676 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 677 678 /* CHAP-Password */ 679 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1, 680 1 + EAP_TTLS_CHAP_PASSWORD_LEN); 681 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN]; 682 *pos++ = data->ident; 683 684 /* MD5(Ident + Password + Challenge) */ 685 chap_md5(data->ident, password, password_len, challenge, 686 EAP_TTLS_CHAP_CHALLENGE_LEN, pos); 687 688 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username", 689 identity, identity_len); 690 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password", 691 password, password_len); 692 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge", 693 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN); 694 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password", 695 pos, EAP_TTLS_CHAP_PASSWORD_LEN); 696 pos += EAP_TTLS_CHAP_PASSWORD_LEN; 697 os_free(challenge); 698 AVP_PAD(buf, pos); 699 700 wpabuf_put(msg, pos - buf); 701 *resp = msg; 702 703 /* EAP-TTLS/CHAP does not provide tunneled success 704 * notification, so assume that Phase2 succeeds. */ 705 ret->methodState = METHOD_DONE; 706 ret->decision = DECISION_COND_SUCC; 707 708 return 0; 709 } 710 711 712 static int eap_ttls_phase2_request(struct eap_sm *sm, 713 struct eap_ttls_data *data, 714 struct eap_method_ret *ret, 715 struct eap_hdr *hdr, 716 struct wpabuf **resp) 717 { 718 int res = 0; 719 size_t len; 720 enum phase2_types phase2_type = data->phase2_type; 721 722 #ifdef EAP_TNC 723 if (data->tnc_started) { 724 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC"); 725 phase2_type = EAP_TTLS_PHASE2_EAP; 726 } 727 #endif /* EAP_TNC */ 728 729 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 || 730 phase2_type == EAP_TTLS_PHASE2_MSCHAP || 731 phase2_type == EAP_TTLS_PHASE2_PAP || 732 phase2_type == EAP_TTLS_PHASE2_CHAP) { 733 if (eap_get_config_identity(sm, &len) == NULL) { 734 wpa_printf(MSG_INFO, 735 "EAP-TTLS: Identity not configured"); 736 eap_sm_request_identity(sm); 737 if (eap_get_config_password(sm, &len) == NULL) 738 eap_sm_request_password(sm); 739 return 0; 740 } 741 742 if (eap_get_config_password(sm, &len) == NULL) { 743 wpa_printf(MSG_INFO, 744 "EAP-TTLS: Password not configured"); 745 eap_sm_request_password(sm); 746 return 0; 747 } 748 } 749 750 switch (phase2_type) { 751 case EAP_TTLS_PHASE2_EAP: 752 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp); 753 break; 754 case EAP_TTLS_PHASE2_MSCHAPV2: 755 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp); 756 break; 757 case EAP_TTLS_PHASE2_MSCHAP: 758 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp); 759 break; 760 case EAP_TTLS_PHASE2_PAP: 761 res = eap_ttls_phase2_request_pap(sm, data, ret, resp); 762 break; 763 case EAP_TTLS_PHASE2_CHAP: 764 res = eap_ttls_phase2_request_chap(sm, data, ret, resp); 765 break; 766 default: 767 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown"); 768 res = -1; 769 break; 770 } 771 772 if (res < 0) { 773 ret->methodState = METHOD_DONE; 774 ret->decision = DECISION_FAIL; 775 } 776 777 return res; 778 } 779 780 781 struct ttls_parse_avp { 782 u8 *mschapv2; 783 u8 *eapdata; 784 size_t eap_len; 785 int mschapv2_error; 786 }; 787 788 789 static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen, 790 struct ttls_parse_avp *parse) 791 { 792 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 793 if (parse->eapdata == NULL) { 794 parse->eapdata = os_malloc(dlen); 795 if (parse->eapdata == NULL) { 796 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 797 "memory for Phase 2 EAP data"); 798 return -1; 799 } 800 os_memcpy(parse->eapdata, dpos, dlen); 801 parse->eap_len = dlen; 802 } else { 803 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen); 804 if (neweap == NULL) { 805 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate " 806 "memory for Phase 2 EAP data"); 807 return -1; 808 } 809 os_memcpy(neweap + parse->eap_len, dpos, dlen); 810 parse->eapdata = neweap; 811 parse->eap_len += dlen; 812 } 813 814 return 0; 815 } 816 817 818 static int eap_ttls_parse_avp(u8 *pos, size_t left, 819 struct ttls_parse_avp *parse) 820 { 821 struct ttls_avp *avp; 822 u32 avp_code, avp_length, vendor_id = 0; 823 u8 avp_flags, *dpos; 824 size_t dlen; 825 826 avp = (struct ttls_avp *) pos; 827 avp_code = be_to_host32(avp->avp_code); 828 avp_length = be_to_host32(avp->avp_length); 829 avp_flags = (avp_length >> 24) & 0xff; 830 avp_length &= 0xffffff; 831 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 832 "length=%d", (int) avp_code, avp_flags, 833 (int) avp_length); 834 835 if (avp_length > left) { 836 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 837 "(len=%d, left=%lu) - dropped", 838 (int) avp_length, (unsigned long) left); 839 return -1; 840 } 841 842 if (avp_length < sizeof(*avp)) { 843 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d", 844 avp_length); 845 return -1; 846 } 847 848 dpos = (u8 *) (avp + 1); 849 dlen = avp_length - sizeof(*avp); 850 if (avp_flags & AVP_FLAGS_VENDOR) { 851 if (dlen < 4) { 852 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP " 853 "underflow"); 854 return -1; 855 } 856 vendor_id = WPA_GET_BE32(dpos); 857 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 858 (int) vendor_id); 859 dpos += 4; 860 dlen -= 4; 861 } 862 863 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 864 865 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 866 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0) 867 return -1; 868 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) { 869 /* This is an optional message that can be displayed to 870 * the user. */ 871 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message", 872 dpos, dlen); 873 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 874 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) { 875 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success", 876 dpos, dlen); 877 if (dlen != 43) { 878 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected " 879 "MS-CHAP2-Success length " 880 "(len=%lu, expected 43)", 881 (unsigned long) dlen); 882 return -1; 883 } 884 parse->mschapv2 = dpos; 885 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 886 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) { 887 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error", 888 dpos, dlen); 889 parse->mschapv2_error = 1; 890 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 891 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP " 892 "code %d vendor_id %d - dropped", 893 (int) avp_code, (int) vendor_id); 894 return -1; 895 } else { 896 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP " 897 "code %d vendor_id %d", 898 (int) avp_code, (int) vendor_id); 899 } 900 901 return avp_length; 902 } 903 904 905 static int eap_ttls_parse_avps(struct wpabuf *in_decrypted, 906 struct ttls_parse_avp *parse) 907 { 908 u8 *pos; 909 size_t left, pad; 910 int avp_length; 911 912 pos = wpabuf_mhead(in_decrypted); 913 left = wpabuf_len(in_decrypted); 914 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left); 915 if (left < sizeof(struct ttls_avp)) { 916 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame" 917 " len=%lu expected %lu or more - dropped", 918 (unsigned long) left, 919 (unsigned long) sizeof(struct ttls_avp)); 920 return -1; 921 } 922 923 /* Parse AVPs */ 924 os_memset(parse, 0, sizeof(*parse)); 925 926 while (left > 0) { 927 avp_length = eap_ttls_parse_avp(pos, left, parse); 928 if (avp_length < 0) 929 return -1; 930 931 pad = (4 - (avp_length & 3)) & 3; 932 pos += avp_length + pad; 933 if (left < avp_length + pad) 934 left = 0; 935 else 936 left -= avp_length + pad; 937 } 938 939 return 0; 940 } 941 942 943 static u8 * eap_ttls_fake_identity_request(void) 944 { 945 struct eap_hdr *hdr; 946 u8 *buf; 947 948 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of " 949 "Phase 2 - use fake EAP-Request Identity"); 950 buf = os_malloc(sizeof(*hdr) + 1); 951 if (buf == NULL) { 952 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate " 953 "memory for fake EAP-Identity Request"); 954 return NULL; 955 } 956 957 hdr = (struct eap_hdr *) buf; 958 hdr->code = EAP_CODE_REQUEST; 959 hdr->identifier = 0; 960 hdr->length = host_to_be16(sizeof(*hdr) + 1); 961 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY; 962 963 return buf; 964 } 965 966 967 static int eap_ttls_encrypt_response(struct eap_sm *sm, 968 struct eap_ttls_data *data, 969 struct wpabuf *resp, u8 identifier, 970 struct wpabuf **out_data) 971 { 972 if (resp == NULL) 973 return 0; 974 975 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data", 976 resp); 977 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 978 data->ttls_version, identifier, 979 resp, out_data)) { 980 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 " 981 "frame"); 982 return -1; 983 } 984 wpabuf_free(resp); 985 986 return 0; 987 } 988 989 990 static int eap_ttls_process_phase2_eap(struct eap_sm *sm, 991 struct eap_ttls_data *data, 992 struct eap_method_ret *ret, 993 struct ttls_parse_avp *parse, 994 struct wpabuf **resp) 995 { 996 struct eap_hdr *hdr; 997 size_t len; 998 999 if (parse->eapdata == NULL) { 1000 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the " 1001 "packet - dropped"); 1002 return -1; 1003 } 1004 1005 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP", 1006 parse->eapdata, parse->eap_len); 1007 hdr = (struct eap_hdr *) parse->eapdata; 1008 1009 if (parse->eap_len < sizeof(*hdr)) { 1010 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP " 1011 "frame (len=%lu, expected %lu or more) - dropped", 1012 (unsigned long) parse->eap_len, 1013 (unsigned long) sizeof(*hdr)); 1014 return -1; 1015 } 1016 len = be_to_host16(hdr->length); 1017 if (len > parse->eap_len) { 1018 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 " 1019 "EAP frame (EAP hdr len=%lu, EAP data len in " 1020 "AVP=%lu)", 1021 (unsigned long) len, 1022 (unsigned long) parse->eap_len); 1023 return -1; 1024 } 1025 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d " 1026 "identifier=%d length=%lu", 1027 hdr->code, hdr->identifier, (unsigned long) len); 1028 switch (hdr->code) { 1029 case EAP_CODE_REQUEST: 1030 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) { 1031 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1032 "processing failed"); 1033 return -1; 1034 } 1035 break; 1036 default: 1037 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in " 1038 "Phase 2 EAP header", hdr->code); 1039 return -1; 1040 } 1041 1042 return 0; 1043 } 1044 1045 1046 static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 1047 struct eap_ttls_data *data, 1048 struct eap_method_ret *ret, 1049 struct ttls_parse_avp *parse) 1050 { 1051 if (parse->mschapv2_error) { 1052 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received " 1053 "MS-CHAP-Error - failed"); 1054 ret->methodState = METHOD_DONE; 1055 ret->decision = DECISION_FAIL; 1056 /* Reply with empty data to ACK error */ 1057 return 1; 1058 } 1059 1060 if (parse->mschapv2 == NULL) { 1061 #ifdef EAP_TNC 1062 if (data->phase2_success && parse->eapdata) { 1063 /* 1064 * Allow EAP-TNC to be started after successfully 1065 * completed MSCHAPV2. 1066 */ 1067 return 1; 1068 } 1069 #endif /* EAP_TNC */ 1070 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP " 1071 "received for Phase2 MSCHAPV2"); 1072 return -1; 1073 } 1074 if (parse->mschapv2[0] != data->ident) { 1075 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 " 1076 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)", 1077 parse->mschapv2[0], data->ident); 1078 return -1; 1079 } 1080 if (!data->auth_response_valid || 1081 mschapv2_verify_auth_response(data->auth_response, 1082 parse->mschapv2 + 1, 42)) { 1083 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator " 1084 "response in Phase 2 MSCHAPV2 success request"); 1085 return -1; 1086 } 1087 1088 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 " 1089 "authentication succeeded"); 1090 ret->methodState = METHOD_DONE; 1091 ret->decision = DECISION_UNCOND_SUCC; 1092 data->phase2_success = 1; 1093 1094 /* 1095 * Reply with empty data; authentication server will reply 1096 * with EAP-Success after this. 1097 */ 1098 return 1; 1099 } 1100 1101 1102 #ifdef EAP_TNC 1103 static int eap_ttls_process_tnc_start(struct eap_sm *sm, 1104 struct eap_ttls_data *data, 1105 struct eap_method_ret *ret, 1106 struct ttls_parse_avp *parse, 1107 struct wpabuf **resp) 1108 { 1109 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */ 1110 if (parse->eapdata == NULL) { 1111 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1112 "unexpected tunneled data (no EAP)"); 1113 return -1; 1114 } 1115 1116 if (!data->ready_for_tnc) { 1117 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received " 1118 "EAP after non-EAP, but not ready for TNC"); 1119 return -1; 1120 } 1121 1122 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed " 1123 "non-EAP method"); 1124 data->tnc_started = 1; 1125 1126 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0) 1127 return -1; 1128 1129 return 0; 1130 } 1131 #endif /* EAP_TNC */ 1132 1133 1134 static int eap_ttls_process_decrypted(struct eap_sm *sm, 1135 struct eap_ttls_data *data, 1136 struct eap_method_ret *ret, 1137 u8 identifier, 1138 struct ttls_parse_avp *parse, 1139 struct wpabuf *in_decrypted, 1140 struct wpabuf **out_data) 1141 { 1142 struct wpabuf *resp = NULL; 1143 struct eap_peer_config *config = eap_get_config(sm); 1144 int res; 1145 enum phase2_types phase2_type = data->phase2_type; 1146 1147 #ifdef EAP_TNC 1148 if (data->tnc_started) 1149 phase2_type = EAP_TTLS_PHASE2_EAP; 1150 #endif /* EAP_TNC */ 1151 1152 switch (phase2_type) { 1153 case EAP_TTLS_PHASE2_EAP: 1154 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) < 1155 0) 1156 return -1; 1157 break; 1158 case EAP_TTLS_PHASE2_MSCHAPV2: 1159 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse); 1160 #ifdef EAP_TNC 1161 if (res == 1 && parse->eapdata && data->phase2_success) { 1162 /* 1163 * TNC may be required as the next 1164 * authentication method within the tunnel. 1165 */ 1166 ret->methodState = METHOD_MAY_CONT; 1167 data->ready_for_tnc = 1; 1168 if (eap_ttls_process_tnc_start(sm, data, ret, parse, 1169 &resp) == 0) 1170 break; 1171 } 1172 #endif /* EAP_TNC */ 1173 return res; 1174 case EAP_TTLS_PHASE2_MSCHAP: 1175 case EAP_TTLS_PHASE2_PAP: 1176 case EAP_TTLS_PHASE2_CHAP: 1177 #ifdef EAP_TNC 1178 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) < 1179 0) 1180 return -1; 1181 break; 1182 #else /* EAP_TNC */ 1183 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled 1184 * requests to the supplicant */ 1185 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected " 1186 "tunneled data"); 1187 return -1; 1188 #endif /* EAP_TNC */ 1189 } 1190 1191 if (resp) { 1192 if (eap_ttls_encrypt_response(sm, data, resp, identifier, 1193 out_data) < 0) 1194 return -1; 1195 } else if (config->pending_req_identity || 1196 config->pending_req_password || 1197 config->pending_req_otp || 1198 config->pending_req_new_password) { 1199 wpabuf_free(data->pending_phase2_req); 1200 data->pending_phase2_req = wpabuf_dup(in_decrypted); 1201 } 1202 1203 return 0; 1204 } 1205 1206 1207 static int eap_ttls_implicit_identity_request(struct eap_sm *sm, 1208 struct eap_ttls_data *data, 1209 struct eap_method_ret *ret, 1210 u8 identifier, 1211 struct wpabuf **out_data) 1212 { 1213 int retval = 0; 1214 struct eap_hdr *hdr; 1215 struct wpabuf *resp; 1216 1217 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request(); 1218 if (hdr == NULL) { 1219 ret->methodState = METHOD_DONE; 1220 ret->decision = DECISION_FAIL; 1221 return -1; 1222 } 1223 1224 resp = NULL; 1225 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) { 1226 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request " 1227 "processing failed"); 1228 retval = -1; 1229 } else { 1230 struct eap_peer_config *config = eap_get_config(sm); 1231 if (resp == NULL && 1232 (config->pending_req_identity || 1233 config->pending_req_password || 1234 config->pending_req_otp || 1235 config->pending_req_new_password)) { 1236 /* 1237 * Use empty buffer to force implicit request 1238 * processing when EAP request is re-processed after 1239 * user input. 1240 */ 1241 wpabuf_free(data->pending_phase2_req); 1242 data->pending_phase2_req = wpabuf_alloc(0); 1243 } 1244 1245 retval = eap_ttls_encrypt_response(sm, data, resp, identifier, 1246 out_data); 1247 } 1248 1249 os_free(hdr); 1250 1251 if (retval < 0) { 1252 ret->methodState = METHOD_DONE; 1253 ret->decision = DECISION_FAIL; 1254 } 1255 1256 return retval; 1257 } 1258 1259 1260 static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data, 1261 struct eap_method_ret *ret, u8 identifier, 1262 struct wpabuf **out_data) 1263 { 1264 data->phase2_start = 0; 1265 1266 /* 1267 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only 1268 * if TLS part was indeed resuming a previous session. Most 1269 * Authentication Servers terminate EAP-TTLS before reaching this 1270 * point, but some do not. Make wpa_supplicant stop phase 2 here, if 1271 * needed. 1272 */ 1273 if (data->reauth && 1274 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 1275 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - " 1276 "skip phase 2"); 1277 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS, 1278 data->ttls_version); 1279 ret->methodState = METHOD_DONE; 1280 ret->decision = DECISION_UNCOND_SUCC; 1281 data->phase2_success = 1; 1282 return 0; 1283 } 1284 1285 return eap_ttls_implicit_identity_request(sm, data, ret, identifier, 1286 out_data); 1287 } 1288 1289 1290 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, 1291 struct eap_method_ret *ret, u8 identifier, 1292 const struct wpabuf *in_data, 1293 struct wpabuf **out_data) 1294 { 1295 struct wpabuf *in_decrypted = NULL; 1296 int retval = 0; 1297 struct ttls_parse_avp parse; 1298 1299 os_memset(&parse, 0, sizeof(parse)); 1300 1301 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 1302 " Phase 2", 1303 in_data ? (unsigned long) wpabuf_len(in_data) : 0); 1304 1305 if (data->pending_phase2_req) { 1306 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " 1307 "skip decryption and use old data"); 1308 /* Clear TLS reassembly state. */ 1309 eap_peer_tls_reset_input(&data->ssl); 1310 1311 in_decrypted = data->pending_phase2_req; 1312 data->pending_phase2_req = NULL; 1313 if (wpabuf_len(in_decrypted) == 0) { 1314 wpabuf_free(in_decrypted); 1315 return eap_ttls_implicit_identity_request( 1316 sm, data, ret, identifier, out_data); 1317 } 1318 goto continue_req; 1319 } 1320 1321 if ((in_data == NULL || wpabuf_len(in_data) == 0) && 1322 data->phase2_start) { 1323 return eap_ttls_phase2_start(sm, data, ret, identifier, 1324 out_data); 1325 } 1326 1327 if (in_data == NULL || wpabuf_len(in_data) == 0) { 1328 /* Received TLS ACK - requesting more fragments */ 1329 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS, 1330 data->ttls_version, 1331 identifier, NULL, out_data); 1332 } 1333 1334 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 1335 if (retval) 1336 goto done; 1337 1338 continue_req: 1339 data->phase2_start = 0; 1340 1341 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) { 1342 retval = -1; 1343 goto done; 1344 } 1345 1346 retval = eap_ttls_process_decrypted(sm, data, ret, identifier, 1347 &parse, in_decrypted, out_data); 1348 1349 done: 1350 wpabuf_free(in_decrypted); 1351 os_free(parse.eapdata); 1352 1353 if (retval < 0) { 1354 ret->methodState = METHOD_DONE; 1355 ret->decision = DECISION_FAIL; 1356 } 1357 1358 return retval; 1359 } 1360 1361 1362 static int eap_ttls_process_handshake(struct eap_sm *sm, 1363 struct eap_ttls_data *data, 1364 struct eap_method_ret *ret, 1365 u8 identifier, 1366 const u8 *in_data, size_t in_len, 1367 struct wpabuf **out_data) 1368 { 1369 int res; 1370 1371 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 1372 data->ttls_version, identifier, 1373 in_data, in_len, out_data); 1374 1375 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1376 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to " 1377 "Phase 2"); 1378 if (data->resuming) { 1379 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may " 1380 "skip Phase 2"); 1381 ret->decision = DECISION_COND_SUCC; 1382 ret->methodState = METHOD_MAY_CONT; 1383 } 1384 data->phase2_start = 1; 1385 eap_ttls_v0_derive_key(sm, data); 1386 1387 if (*out_data == NULL || wpabuf_len(*out_data) == 0) { 1388 if (eap_ttls_decrypt(sm, data, ret, identifier, 1389 NULL, out_data)) { 1390 wpa_printf(MSG_WARNING, "EAP-TTLS: " 1391 "failed to process early " 1392 "start for Phase 2"); 1393 } 1394 res = 0; 1395 } 1396 data->resuming = 0; 1397 } 1398 1399 if (res == 2) { 1400 struct wpabuf msg; 1401 /* 1402 * Application data included in the handshake message. 1403 */ 1404 wpabuf_free(data->pending_phase2_req); 1405 data->pending_phase2_req = *out_data; 1406 *out_data = NULL; 1407 wpabuf_set(&msg, in_data, in_len); 1408 res = eap_ttls_decrypt(sm, data, ret, identifier, &msg, 1409 out_data); 1410 } 1411 1412 return res; 1413 } 1414 1415 1416 static void eap_ttls_check_auth_status(struct eap_sm *sm, 1417 struct eap_ttls_data *data, 1418 struct eap_method_ret *ret) 1419 { 1420 if (ret->methodState == METHOD_DONE) { 1421 ret->allowNotifications = FALSE; 1422 if (ret->decision == DECISION_UNCOND_SUCC || 1423 ret->decision == DECISION_COND_SUCC) { 1424 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1425 "completed successfully"); 1426 data->phase2_success = 1; 1427 #ifdef EAP_TNC 1428 if (!data->ready_for_tnc && !data->tnc_started) { 1429 /* 1430 * TNC may be required as the next 1431 * authentication method within the tunnel. 1432 */ 1433 ret->methodState = METHOD_MAY_CONT; 1434 data->ready_for_tnc = 1; 1435 } 1436 #endif /* EAP_TNC */ 1437 } 1438 } else if (ret->methodState == METHOD_MAY_CONT && 1439 (ret->decision == DECISION_UNCOND_SUCC || 1440 ret->decision == DECISION_COND_SUCC)) { 1441 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " 1442 "completed successfully (MAY_CONT)"); 1443 data->phase2_success = 1; 1444 } 1445 } 1446 1447 1448 static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv, 1449 struct eap_method_ret *ret, 1450 const struct wpabuf *reqData) 1451 { 1452 size_t left; 1453 int res; 1454 u8 flags, id; 1455 struct wpabuf *resp; 1456 const u8 *pos; 1457 struct eap_ttls_data *data = priv; 1458 1459 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret, 1460 reqData, &left, &flags); 1461 if (pos == NULL) 1462 return NULL; 1463 id = eap_get_id(reqData); 1464 1465 if (flags & EAP_TLS_FLAGS_START) { 1466 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own " 1467 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1468 data->ttls_version); 1469 1470 /* RFC 5281, Ch. 9.2: 1471 * "This packet MAY contain additional information in the form 1472 * of AVPs, which may provide useful hints to the client" 1473 * For now, ignore any potential extra data. 1474 */ 1475 left = 0; 1476 } 1477 1478 resp = NULL; 1479 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1480 !data->resuming) { 1481 struct wpabuf msg; 1482 wpabuf_set(&msg, pos, left); 1483 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp); 1484 } else { 1485 res = eap_ttls_process_handshake(sm, data, ret, id, 1486 pos, left, &resp); 1487 } 1488 1489 eap_ttls_check_auth_status(sm, data, ret); 1490 1491 /* FIX: what about res == -1? Could just move all error processing into 1492 * the other functions and get rid of this res==1 case here. */ 1493 if (res == 1) { 1494 wpabuf_free(resp); 1495 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS, 1496 data->ttls_version); 1497 } 1498 return resp; 1499 } 1500 1501 1502 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv) 1503 { 1504 struct eap_ttls_data *data = priv; 1505 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1506 data->phase2_success; 1507 } 1508 1509 1510 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) 1511 { 1512 struct eap_ttls_data *data = priv; 1513 wpabuf_free(data->pending_phase2_req); 1514 data->pending_phase2_req = NULL; 1515 #ifdef EAP_TNC 1516 data->ready_for_tnc = 0; 1517 data->tnc_started = 0; 1518 #endif /* EAP_TNC */ 1519 } 1520 1521 1522 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv) 1523 { 1524 struct eap_ttls_data *data = priv; 1525 os_free(data->key_data); 1526 data->key_data = NULL; 1527 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1528 os_free(data); 1529 return NULL; 1530 } 1531 if (data->phase2_priv && data->phase2_method && 1532 data->phase2_method->init_for_reauth) 1533 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1534 data->phase2_start = 0; 1535 data->phase2_success = 0; 1536 data->resuming = 1; 1537 data->reauth = 1; 1538 return priv; 1539 } 1540 1541 1542 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf, 1543 size_t buflen, int verbose) 1544 { 1545 struct eap_ttls_data *data = priv; 1546 int len, ret; 1547 1548 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1549 ret = os_snprintf(buf + len, buflen - len, 1550 "EAP-TTLSv%d Phase2 method=", 1551 data->ttls_version); 1552 if (ret < 0 || (size_t) ret >= buflen - len) 1553 return len; 1554 len += ret; 1555 switch (data->phase2_type) { 1556 case EAP_TTLS_PHASE2_EAP: 1557 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n", 1558 data->phase2_method ? 1559 data->phase2_method->name : "?"); 1560 break; 1561 case EAP_TTLS_PHASE2_MSCHAPV2: 1562 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n"); 1563 break; 1564 case EAP_TTLS_PHASE2_MSCHAP: 1565 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n"); 1566 break; 1567 case EAP_TTLS_PHASE2_PAP: 1568 ret = os_snprintf(buf + len, buflen - len, "PAP\n"); 1569 break; 1570 case EAP_TTLS_PHASE2_CHAP: 1571 ret = os_snprintf(buf + len, buflen - len, "CHAP\n"); 1572 break; 1573 default: 1574 ret = 0; 1575 break; 1576 } 1577 if (ret < 0 || (size_t) ret >= buflen - len) 1578 return len; 1579 len += ret; 1580 1581 return len; 1582 } 1583 1584 1585 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv) 1586 { 1587 struct eap_ttls_data *data = priv; 1588 return data->key_data != NULL && data->phase2_success; 1589 } 1590 1591 1592 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1593 { 1594 struct eap_ttls_data *data = priv; 1595 u8 *key; 1596 1597 if (data->key_data == NULL || !data->phase2_success) 1598 return NULL; 1599 1600 key = os_malloc(EAP_TLS_KEY_LEN); 1601 if (key == NULL) 1602 return NULL; 1603 1604 *len = EAP_TLS_KEY_LEN; 1605 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1606 1607 return key; 1608 } 1609 1610 1611 int eap_peer_ttls_register(void) 1612 { 1613 struct eap_method *eap; 1614 int ret; 1615 1616 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1617 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1618 if (eap == NULL) 1619 return -1; 1620 1621 eap->init = eap_ttls_init; 1622 eap->deinit = eap_ttls_deinit; 1623 eap->process = eap_ttls_process; 1624 eap->isKeyAvailable = eap_ttls_isKeyAvailable; 1625 eap->getKey = eap_ttls_getKey; 1626 eap->get_status = eap_ttls_get_status; 1627 eap->has_reauth_data = eap_ttls_has_reauth_data; 1628 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth; 1629 eap->init_for_reauth = eap_ttls_init_for_reauth; 1630 1631 ret = eap_peer_method_register(eap); 1632 if (ret) 1633 eap_peer_method_free(eap); 1634 return ret; 1635 } 1636