1 /* 2 * hostapd / EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/ms_funcs.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "eap_server/eap_i.h" 22 #include "eap_server/eap_tls_common.h" 23 #include "eap_common/chap.h" 24 #include "eap_common/eap_ttls.h" 25 26 27 #define EAP_TTLS_VERSION 0 28 29 30 static void eap_ttls_reset(struct eap_sm *sm, void *priv); 31 32 33 struct eap_ttls_data { 34 struct eap_ssl_data ssl; 35 enum { 36 START, PHASE1, PHASE2_START, PHASE2_METHOD, 37 PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE 38 } state; 39 40 int ttls_version; 41 const struct eap_method *phase2_method; 42 void *phase2_priv; 43 int mschapv2_resp_ok; 44 u8 mschapv2_auth_response[20]; 45 u8 mschapv2_ident; 46 struct wpabuf *pending_phase2_eap_resp; 47 int tnc_started; 48 }; 49 50 51 static const char * eap_ttls_state_txt(int state) 52 { 53 switch (state) { 54 case START: 55 return "START"; 56 case PHASE1: 57 return "PHASE1"; 58 case PHASE2_START: 59 return "PHASE2_START"; 60 case PHASE2_METHOD: 61 return "PHASE2_METHOD"; 62 case PHASE2_MSCHAPV2_RESP: 63 return "PHASE2_MSCHAPV2_RESP"; 64 case SUCCESS: 65 return "SUCCESS"; 66 case FAILURE: 67 return "FAILURE"; 68 default: 69 return "Unknown?!"; 70 } 71 } 72 73 74 static void eap_ttls_state(struct eap_ttls_data *data, int state) 75 { 76 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s", 77 eap_ttls_state_txt(data->state), 78 eap_ttls_state_txt(state)); 79 data->state = state; 80 } 81 82 83 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 84 int mandatory, size_t len) 85 { 86 struct ttls_avp_vendor *avp; 87 u8 flags; 88 size_t hdrlen; 89 90 avp = (struct ttls_avp_vendor *) avphdr; 91 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 92 if (vendor_id) { 93 flags |= AVP_FLAGS_VENDOR; 94 hdrlen = sizeof(*avp); 95 avp->vendor_id = host_to_be32(vendor_id); 96 } else { 97 hdrlen = sizeof(struct ttls_avp); 98 } 99 100 avp->avp_code = host_to_be32(avp_code); 101 avp->avp_length = host_to_be32(((u32) flags << 24) | 102 ((u32) (hdrlen + len))); 103 104 return avphdr + hdrlen; 105 } 106 107 108 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp, 109 u32 avp_code, int mandatory) 110 { 111 struct wpabuf *avp; 112 u8 *pos; 113 114 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4); 115 if (avp == NULL) { 116 wpabuf_free(resp); 117 return NULL; 118 } 119 120 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory, 121 wpabuf_len(resp)); 122 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp)); 123 pos += wpabuf_len(resp); 124 AVP_PAD((const u8 *) wpabuf_head(avp), pos); 125 wpabuf_free(resp); 126 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp)); 127 return avp; 128 } 129 130 131 struct eap_ttls_avp { 132 /* Note: eap is allocated memory; caller is responsible for freeing 133 * it. All the other pointers are pointing to the packet data, i.e., 134 * they must not be freed separately. */ 135 u8 *eap; 136 size_t eap_len; 137 u8 *user_name; 138 size_t user_name_len; 139 u8 *user_password; 140 size_t user_password_len; 141 u8 *chap_challenge; 142 size_t chap_challenge_len; 143 u8 *chap_password; 144 size_t chap_password_len; 145 u8 *mschap_challenge; 146 size_t mschap_challenge_len; 147 u8 *mschap_response; 148 size_t mschap_response_len; 149 u8 *mschap2_response; 150 size_t mschap2_response_len; 151 }; 152 153 154 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse) 155 { 156 struct ttls_avp *avp; 157 u8 *pos; 158 int left; 159 160 pos = wpabuf_mhead(buf); 161 left = wpabuf_len(buf); 162 os_memset(parse, 0, sizeof(*parse)); 163 164 while (left > 0) { 165 u32 avp_code, avp_length, vendor_id = 0; 166 u8 avp_flags, *dpos; 167 size_t pad, dlen; 168 avp = (struct ttls_avp *) pos; 169 avp_code = be_to_host32(avp->avp_code); 170 avp_length = be_to_host32(avp->avp_length); 171 avp_flags = (avp_length >> 24) & 0xff; 172 avp_length &= 0xffffff; 173 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 174 "length=%d", (int) avp_code, avp_flags, 175 (int) avp_length); 176 if ((int) avp_length > left) { 177 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 178 "(len=%d, left=%d) - dropped", 179 (int) avp_length, left); 180 goto fail; 181 } 182 if (avp_length < sizeof(*avp)) { 183 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length " 184 "%d", avp_length); 185 goto fail; 186 } 187 dpos = (u8 *) (avp + 1); 188 dlen = avp_length - sizeof(*avp); 189 if (avp_flags & AVP_FLAGS_VENDOR) { 190 if (dlen < 4) { 191 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP " 192 "underflow"); 193 goto fail; 194 } 195 vendor_id = be_to_host32(* (be32 *) dpos); 196 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 197 (int) vendor_id); 198 dpos += 4; 199 dlen -= 4; 200 } 201 202 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 203 204 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 205 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 206 if (parse->eap == NULL) { 207 parse->eap = os_malloc(dlen); 208 if (parse->eap == NULL) { 209 wpa_printf(MSG_WARNING, "EAP-TTLS: " 210 "failed to allocate memory " 211 "for Phase 2 EAP data"); 212 goto fail; 213 } 214 os_memcpy(parse->eap, dpos, dlen); 215 parse->eap_len = dlen; 216 } else { 217 u8 *neweap = os_realloc(parse->eap, 218 parse->eap_len + dlen); 219 if (neweap == NULL) { 220 wpa_printf(MSG_WARNING, "EAP-TTLS: " 221 "failed to allocate memory " 222 "for Phase 2 EAP data"); 223 goto fail; 224 } 225 os_memcpy(neweap + parse->eap_len, dpos, dlen); 226 parse->eap = neweap; 227 parse->eap_len += dlen; 228 } 229 } else if (vendor_id == 0 && 230 avp_code == RADIUS_ATTR_USER_NAME) { 231 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name", 232 dpos, dlen); 233 parse->user_name = dpos; 234 parse->user_name_len = dlen; 235 } else if (vendor_id == 0 && 236 avp_code == RADIUS_ATTR_USER_PASSWORD) { 237 u8 *password = dpos; 238 size_t password_len = dlen; 239 while (password_len > 0 && 240 password[password_len - 1] == '\0') { 241 password_len--; 242 } 243 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: " 244 "User-Password (PAP)", 245 password, password_len); 246 parse->user_password = password; 247 parse->user_password_len = password_len; 248 } else if (vendor_id == 0 && 249 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) { 250 wpa_hexdump(MSG_DEBUG, 251 "EAP-TTLS: CHAP-Challenge (CHAP)", 252 dpos, dlen); 253 parse->chap_challenge = dpos; 254 parse->chap_challenge_len = dlen; 255 } else if (vendor_id == 0 && 256 avp_code == RADIUS_ATTR_CHAP_PASSWORD) { 257 wpa_hexdump(MSG_DEBUG, 258 "EAP-TTLS: CHAP-Password (CHAP)", 259 dpos, dlen); 260 parse->chap_password = dpos; 261 parse->chap_password_len = dlen; 262 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 263 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) { 264 wpa_hexdump(MSG_DEBUG, 265 "EAP-TTLS: MS-CHAP-Challenge", 266 dpos, dlen); 267 parse->mschap_challenge = dpos; 268 parse->mschap_challenge_len = dlen; 269 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 270 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) { 271 wpa_hexdump(MSG_DEBUG, 272 "EAP-TTLS: MS-CHAP-Response (MSCHAP)", 273 dpos, dlen); 274 parse->mschap_response = dpos; 275 parse->mschap_response_len = dlen; 276 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 277 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) { 278 wpa_hexdump(MSG_DEBUG, 279 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)", 280 dpos, dlen); 281 parse->mschap2_response = dpos; 282 parse->mschap2_response_len = dlen; 283 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 284 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported " 285 "mandatory AVP code %d vendor_id %d - " 286 "dropped", (int) avp_code, (int) vendor_id); 287 goto fail; 288 } else { 289 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported " 290 "AVP code %d vendor_id %d", 291 (int) avp_code, (int) vendor_id); 292 } 293 294 pad = (4 - (avp_length & 3)) & 3; 295 pos += avp_length + pad; 296 left -= avp_length + pad; 297 } 298 299 return 0; 300 301 fail: 302 os_free(parse->eap); 303 parse->eap = NULL; 304 return -1; 305 } 306 307 308 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 309 struct eap_ttls_data *data, size_t len) 310 { 311 return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge", 312 len); 313 } 314 315 316 static void * eap_ttls_init(struct eap_sm *sm) 317 { 318 struct eap_ttls_data *data; 319 320 data = os_zalloc(sizeof(*data)); 321 if (data == NULL) 322 return NULL; 323 data->ttls_version = EAP_TTLS_VERSION; 324 data->state = START; 325 326 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 327 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 328 eap_ttls_reset(sm, data); 329 return NULL; 330 } 331 332 return data; 333 } 334 335 336 static void eap_ttls_reset(struct eap_sm *sm, void *priv) 337 { 338 struct eap_ttls_data *data = priv; 339 if (data == NULL) 340 return; 341 if (data->phase2_priv && data->phase2_method) 342 data->phase2_method->reset(sm, data->phase2_priv); 343 eap_server_tls_ssl_deinit(sm, &data->ssl); 344 wpabuf_free(data->pending_phase2_eap_resp); 345 os_free(data); 346 } 347 348 349 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm, 350 struct eap_ttls_data *data, u8 id) 351 { 352 struct wpabuf *req; 353 354 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1, 355 EAP_CODE_REQUEST, id); 356 if (req == NULL) { 357 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for" 358 " request"); 359 eap_ttls_state(data, FAILURE); 360 return NULL; 361 } 362 363 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version); 364 365 eap_ttls_state(data, PHASE1); 366 367 return req; 368 } 369 370 371 static struct wpabuf * eap_ttls_build_phase2_eap_req( 372 struct eap_sm *sm, struct eap_ttls_data *data, u8 id) 373 { 374 struct wpabuf *buf, *encr_req; 375 376 377 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id); 378 if (buf == NULL) 379 return NULL; 380 381 wpa_hexdump_buf_key(MSG_DEBUG, 382 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf); 383 384 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1); 385 if (buf == NULL) { 386 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate " 387 "packet"); 388 return NULL; 389 } 390 391 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated " 392 "Phase 2 data", buf); 393 394 encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf); 395 wpabuf_free(buf); 396 397 return encr_req; 398 } 399 400 401 static struct wpabuf * eap_ttls_build_phase2_mschapv2( 402 struct eap_sm *sm, struct eap_ttls_data *data) 403 { 404 struct wpabuf *encr_req, msgbuf; 405 u8 *req, *pos, *end; 406 int ret; 407 408 pos = req = os_malloc(100); 409 if (req == NULL) 410 return NULL; 411 end = req + 100; 412 413 if (data->mschapv2_resp_ok) { 414 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS, 415 RADIUS_VENDOR_ID_MICROSOFT, 1, 43); 416 *pos++ = data->mschapv2_ident; 417 ret = os_snprintf((char *) pos, end - pos, "S="); 418 if (ret >= 0 && ret < end - pos) 419 pos += ret; 420 pos += wpa_snprintf_hex_uppercase( 421 (char *) pos, end - pos, data->mschapv2_auth_response, 422 sizeof(data->mschapv2_auth_response)); 423 } else { 424 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR, 425 RADIUS_VENDOR_ID_MICROSOFT, 1, 6); 426 os_memcpy(pos, "Failed", 6); 427 pos += 6; 428 AVP_PAD(req, pos); 429 } 430 431 wpabuf_set(&msgbuf, req, pos - req); 432 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 " 433 "data", &msgbuf); 434 435 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf); 436 os_free(req); 437 438 return encr_req; 439 } 440 441 442 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id) 443 { 444 struct eap_ttls_data *data = priv; 445 446 if (data->ssl.state == FRAG_ACK) { 447 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS, 448 data->ttls_version); 449 } 450 451 if (data->ssl.state == WAIT_FRAG_ACK) { 452 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 453 data->ttls_version, id); 454 } 455 456 switch (data->state) { 457 case START: 458 return eap_ttls_build_start(sm, data, id); 459 case PHASE1: 460 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 461 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, " 462 "starting Phase2"); 463 eap_ttls_state(data, PHASE2_START); 464 } 465 break; 466 case PHASE2_METHOD: 467 wpabuf_free(data->ssl.tls_out); 468 data->ssl.tls_out_pos = 0; 469 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data, 470 id); 471 break; 472 case PHASE2_MSCHAPV2_RESP: 473 wpabuf_free(data->ssl.tls_out); 474 data->ssl.tls_out_pos = 0; 475 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data); 476 break; 477 default: 478 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 479 __func__, data->state); 480 return NULL; 481 } 482 483 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 484 data->ttls_version, id); 485 } 486 487 488 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv, 489 struct wpabuf *respData) 490 { 491 const u8 *pos; 492 size_t len; 493 494 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len); 495 if (pos == NULL || len < 1) { 496 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame"); 497 return TRUE; 498 } 499 500 return FALSE; 501 } 502 503 504 static void eap_ttls_process_phase2_pap(struct eap_sm *sm, 505 struct eap_ttls_data *data, 506 const u8 *user_password, 507 size_t user_password_len) 508 { 509 if (!sm->user || !sm->user->password || sm->user->password_hash || 510 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) { 511 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user " 512 "password configured"); 513 eap_ttls_state(data, FAILURE); 514 return; 515 } 516 517 if (sm->user->password_len != user_password_len || 518 os_memcmp(sm->user->password, user_password, user_password_len) != 519 0) { 520 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password"); 521 eap_ttls_state(data, FAILURE); 522 return; 523 } 524 525 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password"); 526 eap_ttls_state(data, SUCCESS); 527 } 528 529 530 static void eap_ttls_process_phase2_chap(struct eap_sm *sm, 531 struct eap_ttls_data *data, 532 const u8 *challenge, 533 size_t challenge_len, 534 const u8 *password, 535 size_t password_len) 536 { 537 u8 *chal, hash[CHAP_MD5_LEN]; 538 539 if (challenge == NULL || password == NULL || 540 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN || 541 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) { 542 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes " 543 "(challenge len %lu password len %lu)", 544 (unsigned long) challenge_len, 545 (unsigned long) password_len); 546 eap_ttls_state(data, FAILURE); 547 return; 548 } 549 550 if (!sm->user || !sm->user->password || sm->user->password_hash || 551 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) { 552 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user " 553 "password configured"); 554 eap_ttls_state(data, FAILURE); 555 return; 556 } 557 558 chal = eap_ttls_implicit_challenge(sm, data, 559 EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 560 if (chal == NULL) { 561 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate " 562 "challenge from TLS data"); 563 eap_ttls_state(data, FAILURE); 564 return; 565 } 566 567 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 || 568 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) { 569 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch"); 570 os_free(chal); 571 eap_ttls_state(data, FAILURE); 572 return; 573 } 574 os_free(chal); 575 576 /* MD5(Ident + Password + Challenge) */ 577 chap_md5(password[0], sm->user->password, sm->user->password_len, 578 challenge, challenge_len, hash); 579 580 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) { 581 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password"); 582 eap_ttls_state(data, SUCCESS); 583 } else { 584 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password"); 585 eap_ttls_state(data, FAILURE); 586 } 587 } 588 589 590 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm, 591 struct eap_ttls_data *data, 592 u8 *challenge, size_t challenge_len, 593 u8 *response, size_t response_len) 594 { 595 u8 *chal, nt_response[24]; 596 597 if (challenge == NULL || response == NULL || 598 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN || 599 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) { 600 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP " 601 "attributes (challenge len %lu response len %lu)", 602 (unsigned long) challenge_len, 603 (unsigned long) response_len); 604 eap_ttls_state(data, FAILURE); 605 return; 606 } 607 608 if (!sm->user || !sm->user->password || 609 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) { 610 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password " 611 "configured"); 612 eap_ttls_state(data, FAILURE); 613 return; 614 } 615 616 chal = eap_ttls_implicit_challenge(sm, data, 617 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 618 if (chal == NULL) { 619 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate " 620 "challenge from TLS data"); 621 eap_ttls_state(data, FAILURE); 622 return; 623 } 624 625 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 || 626 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) { 627 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch"); 628 os_free(chal); 629 eap_ttls_state(data, FAILURE); 630 return; 631 } 632 os_free(chal); 633 634 if (sm->user->password_hash) 635 challenge_response(challenge, sm->user->password, nt_response); 636 else 637 nt_challenge_response(challenge, sm->user->password, 638 sm->user->password_len, nt_response); 639 640 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) { 641 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response"); 642 eap_ttls_state(data, SUCCESS); 643 } else { 644 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response"); 645 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received", 646 response + 2 + 24, 24); 647 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected", 648 nt_response, 24); 649 eap_ttls_state(data, FAILURE); 650 } 651 } 652 653 654 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 655 struct eap_ttls_data *data, 656 u8 *challenge, 657 size_t challenge_len, 658 u8 *response, size_t response_len) 659 { 660 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge, 661 *auth_challenge; 662 size_t username_len, i; 663 664 if (challenge == NULL || response == NULL || 665 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN || 666 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) { 667 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 " 668 "attributes (challenge len %lu response len %lu)", 669 (unsigned long) challenge_len, 670 (unsigned long) response_len); 671 eap_ttls_state(data, FAILURE); 672 return; 673 } 674 675 if (!sm->user || !sm->user->password || 676 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) { 677 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password " 678 "configured"); 679 eap_ttls_state(data, FAILURE); 680 return; 681 } 682 683 if (sm->identity == NULL) { 684 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity " 685 "known"); 686 eap_ttls_state(data, FAILURE); 687 return; 688 } 689 690 /* MSCHAPv2 does not include optional domain name in the 691 * challenge-response calculation, so remove domain prefix 692 * (if present). */ 693 username = sm->identity; 694 username_len = sm->identity_len; 695 for (i = 0; i < username_len; i++) { 696 if (username[i] == '\\') { 697 username_len -= i + 1; 698 username += i + 1; 699 break; 700 } 701 } 702 703 chal = eap_ttls_implicit_challenge( 704 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 705 if (chal == NULL) { 706 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate " 707 "challenge from TLS data"); 708 eap_ttls_state(data, FAILURE); 709 return; 710 } 711 712 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 || 713 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) { 714 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch"); 715 os_free(chal); 716 eap_ttls_state(data, FAILURE); 717 return; 718 } 719 os_free(chal); 720 721 auth_challenge = challenge; 722 peer_challenge = response + 2; 723 724 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User", 725 username, username_len); 726 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge", 727 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 728 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge", 729 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 730 731 if (sm->user->password_hash) { 732 generate_nt_response_pwhash(auth_challenge, peer_challenge, 733 username, username_len, 734 sm->user->password, 735 nt_response); 736 } else { 737 generate_nt_response(auth_challenge, peer_challenge, 738 username, username_len, 739 sm->user->password, 740 sm->user->password_len, 741 nt_response); 742 } 743 744 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8; 745 if (os_memcmp(nt_response, rx_resp, 24) == 0) { 746 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct " 747 "NT-Response"); 748 data->mschapv2_resp_ok = 1; 749 750 if (sm->user->password_hash) { 751 generate_authenticator_response_pwhash( 752 sm->user->password, 753 peer_challenge, auth_challenge, 754 username, username_len, nt_response, 755 data->mschapv2_auth_response); 756 } else { 757 generate_authenticator_response( 758 sm->user->password, sm->user->password_len, 759 peer_challenge, auth_challenge, 760 username, username_len, nt_response, 761 data->mschapv2_auth_response); 762 } 763 } else { 764 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid " 765 "NT-Response"); 766 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received", 767 rx_resp, 24); 768 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected", 769 nt_response, 24); 770 data->mschapv2_resp_ok = 0; 771 } 772 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP); 773 data->mschapv2_ident = response[0]; 774 } 775 776 777 static int eap_ttls_phase2_eap_init(struct eap_sm *sm, 778 struct eap_ttls_data *data, 779 EapType eap_type) 780 { 781 if (data->phase2_priv && data->phase2_method) { 782 data->phase2_method->reset(sm, data->phase2_priv); 783 data->phase2_method = NULL; 784 data->phase2_priv = NULL; 785 } 786 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 787 eap_type); 788 if (!data->phase2_method) 789 return -1; 790 791 sm->init_phase2 = 1; 792 data->phase2_priv = data->phase2_method->init(sm); 793 sm->init_phase2 = 0; 794 return data->phase2_priv == NULL ? -1 : 0; 795 } 796 797 798 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm, 799 struct eap_ttls_data *data, 800 u8 *in_data, size_t in_len) 801 { 802 u8 next_type = EAP_TYPE_NONE; 803 struct eap_hdr *hdr; 804 u8 *pos; 805 size_t left; 806 struct wpabuf buf; 807 const struct eap_method *m = data->phase2_method; 808 void *priv = data->phase2_priv; 809 810 if (priv == NULL) { 811 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not " 812 "initialized?!", __func__); 813 return; 814 } 815 816 hdr = (struct eap_hdr *) in_data; 817 pos = (u8 *) (hdr + 1); 818 819 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 820 left = in_len - sizeof(*hdr); 821 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; " 822 "allowed types", pos + 1, left - 1); 823 eap_sm_process_nak(sm, pos + 1, left - 1); 824 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 825 sm->user->methods[sm->user_eap_method_index].method != 826 EAP_TYPE_NONE) { 827 next_type = sm->user->methods[ 828 sm->user_eap_method_index++].method; 829 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", 830 next_type); 831 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 832 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to " 833 "initialize EAP type %d", 834 next_type); 835 eap_ttls_state(data, FAILURE); 836 return; 837 } 838 } else { 839 eap_ttls_state(data, FAILURE); 840 } 841 return; 842 } 843 844 wpabuf_set(&buf, in_data, in_len); 845 846 if (m->check(sm, priv, &buf)) { 847 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to " 848 "ignore the packet"); 849 return; 850 } 851 852 m->process(sm, priv, &buf); 853 854 if (sm->method_pending == METHOD_PENDING_WAIT) { 855 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in " 856 "pending wait state - save decrypted response"); 857 wpabuf_free(data->pending_phase2_eap_resp); 858 data->pending_phase2_eap_resp = wpabuf_dup(&buf); 859 } 860 861 if (!m->isDone(sm, priv)) 862 return; 863 864 if (!m->isSuccess(sm, priv)) { 865 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed"); 866 eap_ttls_state(data, FAILURE); 867 return; 868 } 869 870 switch (data->state) { 871 case PHASE2_START: 872 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 873 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 " 874 "Identity not found in the user " 875 "database", 876 sm->identity, sm->identity_len); 877 eap_ttls_state(data, FAILURE); 878 break; 879 } 880 881 eap_ttls_state(data, PHASE2_METHOD); 882 next_type = sm->user->methods[0].method; 883 sm->user_eap_method_index = 1; 884 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type); 885 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 886 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize " 887 "EAP type %d", next_type); 888 eap_ttls_state(data, FAILURE); 889 } 890 break; 891 case PHASE2_METHOD: 892 eap_ttls_state(data, SUCCESS); 893 break; 894 case FAILURE: 895 break; 896 default: 897 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 898 __func__, data->state); 899 break; 900 } 901 } 902 903 904 static void eap_ttls_process_phase2_eap(struct eap_sm *sm, 905 struct eap_ttls_data *data, 906 const u8 *eap, size_t eap_len) 907 { 908 struct eap_hdr *hdr; 909 size_t len; 910 911 if (data->state == PHASE2_START) { 912 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2"); 913 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0) 914 { 915 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to " 916 "initialize EAP-Identity"); 917 return; 918 } 919 } 920 921 if (eap_len < sizeof(*hdr)) { 922 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP " 923 "packet (len=%lu)", (unsigned long) eap_len); 924 return; 925 } 926 927 hdr = (struct eap_hdr *) eap; 928 len = be_to_host16(hdr->length); 929 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d " 930 "identifier=%d length=%lu", hdr->code, hdr->identifier, 931 (unsigned long) len); 932 if (len > eap_len) { 933 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2" 934 " EAP frame (hdr len=%lu, data len in AVP=%lu)", 935 (unsigned long) len, (unsigned long) eap_len); 936 return; 937 } 938 939 switch (hdr->code) { 940 case EAP_CODE_RESPONSE: 941 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr, 942 len); 943 break; 944 default: 945 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in " 946 "Phase 2 EAP header", hdr->code); 947 break; 948 } 949 } 950 951 952 static void eap_ttls_process_phase2(struct eap_sm *sm, 953 struct eap_ttls_data *data, 954 struct wpabuf *in_buf) 955 { 956 struct wpabuf *in_decrypted; 957 struct eap_ttls_avp parse; 958 959 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 960 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 961 962 if (data->pending_phase2_eap_resp) { 963 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response " 964 "- skip decryption and use old data"); 965 eap_ttls_process_phase2_eap( 966 sm, data, wpabuf_head(data->pending_phase2_eap_resp), 967 wpabuf_len(data->pending_phase2_eap_resp)); 968 wpabuf_free(data->pending_phase2_eap_resp); 969 data->pending_phase2_eap_resp = NULL; 970 return; 971 } 972 973 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 974 in_buf); 975 if (in_decrypted == NULL) { 976 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 " 977 "data"); 978 eap_ttls_state(data, FAILURE); 979 return; 980 } 981 982 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP", 983 in_decrypted); 984 985 if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) { 986 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs"); 987 wpabuf_free(in_decrypted); 988 eap_ttls_state(data, FAILURE); 989 return; 990 } 991 992 if (parse.user_name) { 993 os_free(sm->identity); 994 sm->identity = os_malloc(parse.user_name_len); 995 if (sm->identity == NULL) { 996 eap_ttls_state(data, FAILURE); 997 goto done; 998 } 999 os_memcpy(sm->identity, parse.user_name, parse.user_name_len); 1000 sm->identity_len = parse.user_name_len; 1001 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1) 1002 != 0) { 1003 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not " 1004 "found in the user database"); 1005 eap_ttls_state(data, FAILURE); 1006 goto done; 1007 } 1008 } 1009 1010 #ifdef EAP_SERVER_TNC 1011 if (data->tnc_started && parse.eap == NULL) { 1012 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP " 1013 "response from peer"); 1014 eap_ttls_state(data, FAILURE); 1015 goto done; 1016 } 1017 #endif /* EAP_SERVER_TNC */ 1018 1019 if (parse.eap) { 1020 eap_ttls_process_phase2_eap(sm, data, parse.eap, 1021 parse.eap_len); 1022 } else if (parse.user_password) { 1023 eap_ttls_process_phase2_pap(sm, data, parse.user_password, 1024 parse.user_password_len); 1025 } else if (parse.chap_password) { 1026 eap_ttls_process_phase2_chap(sm, data, 1027 parse.chap_challenge, 1028 parse.chap_challenge_len, 1029 parse.chap_password, 1030 parse.chap_password_len); 1031 } else if (parse.mschap_response) { 1032 eap_ttls_process_phase2_mschap(sm, data, 1033 parse.mschap_challenge, 1034 parse.mschap_challenge_len, 1035 parse.mschap_response, 1036 parse.mschap_response_len); 1037 } else if (parse.mschap2_response) { 1038 eap_ttls_process_phase2_mschapv2(sm, data, 1039 parse.mschap_challenge, 1040 parse.mschap_challenge_len, 1041 parse.mschap2_response, 1042 parse.mschap2_response_len); 1043 } 1044 1045 done: 1046 wpabuf_free(in_decrypted); 1047 os_free(parse.eap); 1048 } 1049 1050 1051 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data) 1052 { 1053 #ifdef EAP_SERVER_TNC 1054 if (!sm->tnc || data->state != SUCCESS || data->tnc_started) 1055 return; 1056 1057 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC"); 1058 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) { 1059 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC"); 1060 eap_ttls_state(data, FAILURE); 1061 return; 1062 } 1063 1064 data->tnc_started = 1; 1065 eap_ttls_state(data, PHASE2_METHOD); 1066 #endif /* EAP_SERVER_TNC */ 1067 } 1068 1069 1070 static int eap_ttls_process_version(struct eap_sm *sm, void *priv, 1071 int peer_version) 1072 { 1073 struct eap_ttls_data *data = priv; 1074 if (peer_version < data->ttls_version) { 1075 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; " 1076 "use version %d", 1077 peer_version, data->ttls_version, peer_version); 1078 data->ttls_version = peer_version; 1079 } 1080 1081 return 0; 1082 } 1083 1084 1085 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv, 1086 const struct wpabuf *respData) 1087 { 1088 struct eap_ttls_data *data = priv; 1089 1090 switch (data->state) { 1091 case PHASE1: 1092 if (eap_server_tls_phase1(sm, &data->ssl) < 0) 1093 eap_ttls_state(data, FAILURE); 1094 break; 1095 case PHASE2_START: 1096 case PHASE2_METHOD: 1097 eap_ttls_process_phase2(sm, data, data->ssl.tls_in); 1098 eap_ttls_start_tnc(sm, data); 1099 break; 1100 case PHASE2_MSCHAPV2_RESP: 1101 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) == 1102 0) { 1103 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1104 "acknowledged response"); 1105 eap_ttls_state(data, SUCCESS); 1106 } else if (!data->mschapv2_resp_ok) { 1107 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1108 "acknowledged error"); 1109 eap_ttls_state(data, FAILURE); 1110 } else { 1111 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected " 1112 "frame from peer (payload len %lu, " 1113 "expected empty frame)", 1114 (unsigned long) 1115 wpabuf_len(data->ssl.tls_in)); 1116 eap_ttls_state(data, FAILURE); 1117 } 1118 eap_ttls_start_tnc(sm, data); 1119 break; 1120 default: 1121 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s", 1122 data->state, __func__); 1123 break; 1124 } 1125 } 1126 1127 1128 static void eap_ttls_process(struct eap_sm *sm, void *priv, 1129 struct wpabuf *respData) 1130 { 1131 struct eap_ttls_data *data = priv; 1132 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1133 EAP_TYPE_TTLS, eap_ttls_process_version, 1134 eap_ttls_process_msg) < 0) 1135 eap_ttls_state(data, FAILURE); 1136 } 1137 1138 1139 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv) 1140 { 1141 struct eap_ttls_data *data = priv; 1142 return data->state == SUCCESS || data->state == FAILURE; 1143 } 1144 1145 1146 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1147 { 1148 struct eap_ttls_data *data = priv; 1149 u8 *eapKeyData; 1150 1151 if (data->state != SUCCESS) 1152 return NULL; 1153 1154 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, 1155 "ttls keying material", 1156 EAP_TLS_KEY_LEN); 1157 if (eapKeyData) { 1158 *len = EAP_TLS_KEY_LEN; 1159 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 1160 eapKeyData, EAP_TLS_KEY_LEN); 1161 } else { 1162 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 1163 } 1164 1165 return eapKeyData; 1166 } 1167 1168 1169 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv) 1170 { 1171 struct eap_ttls_data *data = priv; 1172 return data->state == SUCCESS; 1173 } 1174 1175 1176 int eap_server_ttls_register(void) 1177 { 1178 struct eap_method *eap; 1179 int ret; 1180 1181 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1182 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1183 if (eap == NULL) 1184 return -1; 1185 1186 eap->init = eap_ttls_init; 1187 eap->reset = eap_ttls_reset; 1188 eap->buildReq = eap_ttls_buildReq; 1189 eap->check = eap_ttls_check; 1190 eap->process = eap_ttls_process; 1191 eap->isDone = eap_ttls_isDone; 1192 eap->getKey = eap_ttls_getKey; 1193 eap->isSuccess = eap_ttls_isSuccess; 1194 1195 ret = eap_server_method_register(eap); 1196 if (ret) 1197 eap_server_method_free(eap); 1198 return ret; 1199 } 1200