1 /* 2 * hostapd / EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/ms_funcs.h" 19 #include "crypto/sha1.h" 20 #include "crypto/tls.h" 21 #include "eap_server/eap_i.h" 22 #include "eap_server/eap_tls_common.h" 23 #include "eap_common/chap.h" 24 #include "eap_common/eap_ttls.h" 25 26 27 #define EAP_TTLS_VERSION 0 28 29 30 static void eap_ttls_reset(struct eap_sm *sm, void *priv); 31 32 33 struct eap_ttls_data { 34 struct eap_ssl_data ssl; 35 enum { 36 START, PHASE1, PHASE2_START, PHASE2_METHOD, 37 PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE 38 } state; 39 40 int ttls_version; 41 const struct eap_method *phase2_method; 42 void *phase2_priv; 43 int mschapv2_resp_ok; 44 u8 mschapv2_auth_response[20]; 45 u8 mschapv2_ident; 46 struct wpabuf *pending_phase2_eap_resp; 47 int tnc_started; 48 }; 49 50 51 static const char * eap_ttls_state_txt(int state) 52 { 53 switch (state) { 54 case START: 55 return "START"; 56 case PHASE1: 57 return "PHASE1"; 58 case PHASE2_START: 59 return "PHASE2_START"; 60 case PHASE2_METHOD: 61 return "PHASE2_METHOD"; 62 case PHASE2_MSCHAPV2_RESP: 63 return "PHASE2_MSCHAPV2_RESP"; 64 case SUCCESS: 65 return "SUCCESS"; 66 case FAILURE: 67 return "FAILURE"; 68 default: 69 return "Unknown?!"; 70 } 71 } 72 73 74 static void eap_ttls_state(struct eap_ttls_data *data, int state) 75 { 76 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s", 77 eap_ttls_state_txt(data->state), 78 eap_ttls_state_txt(state)); 79 data->state = state; 80 } 81 82 83 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 84 int mandatory, size_t len) 85 { 86 struct ttls_avp_vendor *avp; 87 u8 flags; 88 size_t hdrlen; 89 90 avp = (struct ttls_avp_vendor *) avphdr; 91 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 92 if (vendor_id) { 93 flags |= AVP_FLAGS_VENDOR; 94 hdrlen = sizeof(*avp); 95 avp->vendor_id = host_to_be32(vendor_id); 96 } else { 97 hdrlen = sizeof(struct ttls_avp); 98 } 99 100 avp->avp_code = host_to_be32(avp_code); 101 avp->avp_length = host_to_be32(((u32) flags << 24) | 102 ((u32) (hdrlen + len))); 103 104 return avphdr + hdrlen; 105 } 106 107 108 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp, 109 u32 avp_code, int mandatory) 110 { 111 struct wpabuf *avp; 112 u8 *pos; 113 114 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4); 115 if (avp == NULL) { 116 wpabuf_free(resp); 117 return NULL; 118 } 119 120 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory, 121 wpabuf_len(resp)); 122 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp)); 123 pos += wpabuf_len(resp); 124 AVP_PAD((const u8 *) wpabuf_head(avp), pos); 125 wpabuf_free(resp); 126 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp)); 127 return avp; 128 } 129 130 131 struct eap_ttls_avp { 132 /* Note: eap is allocated memory; caller is responsible for freeing 133 * it. All the other pointers are pointing to the packet data, i.e., 134 * they must not be freed separately. */ 135 u8 *eap; 136 size_t eap_len; 137 u8 *user_name; 138 size_t user_name_len; 139 u8 *user_password; 140 size_t user_password_len; 141 u8 *chap_challenge; 142 size_t chap_challenge_len; 143 u8 *chap_password; 144 size_t chap_password_len; 145 u8 *mschap_challenge; 146 size_t mschap_challenge_len; 147 u8 *mschap_response; 148 size_t mschap_response_len; 149 u8 *mschap2_response; 150 size_t mschap2_response_len; 151 }; 152 153 154 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse) 155 { 156 struct ttls_avp *avp; 157 u8 *pos; 158 int left; 159 160 pos = wpabuf_mhead(buf); 161 left = wpabuf_len(buf); 162 os_memset(parse, 0, sizeof(*parse)); 163 164 while (left > 0) { 165 u32 avp_code, avp_length, vendor_id = 0; 166 u8 avp_flags, *dpos; 167 size_t pad, dlen; 168 avp = (struct ttls_avp *) pos; 169 avp_code = be_to_host32(avp->avp_code); 170 avp_length = be_to_host32(avp->avp_length); 171 avp_flags = (avp_length >> 24) & 0xff; 172 avp_length &= 0xffffff; 173 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 174 "length=%d", (int) avp_code, avp_flags, 175 (int) avp_length); 176 if ((int) avp_length > left) { 177 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 178 "(len=%d, left=%d) - dropped", 179 (int) avp_length, left); 180 goto fail; 181 } 182 if (avp_length < sizeof(*avp)) { 183 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length " 184 "%d", avp_length); 185 goto fail; 186 } 187 dpos = (u8 *) (avp + 1); 188 dlen = avp_length - sizeof(*avp); 189 if (avp_flags & AVP_FLAGS_VENDOR) { 190 if (dlen < 4) { 191 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP " 192 "underflow"); 193 goto fail; 194 } 195 vendor_id = be_to_host32(* (be32 *) dpos); 196 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 197 (int) vendor_id); 198 dpos += 4; 199 dlen -= 4; 200 } 201 202 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 203 204 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 205 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 206 if (parse->eap == NULL) { 207 parse->eap = os_malloc(dlen); 208 if (parse->eap == NULL) { 209 wpa_printf(MSG_WARNING, "EAP-TTLS: " 210 "failed to allocate memory " 211 "for Phase 2 EAP data"); 212 goto fail; 213 } 214 os_memcpy(parse->eap, dpos, dlen); 215 parse->eap_len = dlen; 216 } else { 217 u8 *neweap = os_realloc(parse->eap, 218 parse->eap_len + dlen); 219 if (neweap == NULL) { 220 wpa_printf(MSG_WARNING, "EAP-TTLS: " 221 "failed to allocate memory " 222 "for Phase 2 EAP data"); 223 goto fail; 224 } 225 os_memcpy(neweap + parse->eap_len, dpos, dlen); 226 parse->eap = neweap; 227 parse->eap_len += dlen; 228 } 229 } else if (vendor_id == 0 && 230 avp_code == RADIUS_ATTR_USER_NAME) { 231 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name", 232 dpos, dlen); 233 parse->user_name = dpos; 234 parse->user_name_len = dlen; 235 } else if (vendor_id == 0 && 236 avp_code == RADIUS_ATTR_USER_PASSWORD) { 237 u8 *password = dpos; 238 size_t password_len = dlen; 239 while (password_len > 0 && 240 password[password_len - 1] == '\0') { 241 password_len--; 242 } 243 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: " 244 "User-Password (PAP)", 245 password, password_len); 246 parse->user_password = password; 247 parse->user_password_len = password_len; 248 } else if (vendor_id == 0 && 249 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) { 250 wpa_hexdump(MSG_DEBUG, 251 "EAP-TTLS: CHAP-Challenge (CHAP)", 252 dpos, dlen); 253 parse->chap_challenge = dpos; 254 parse->chap_challenge_len = dlen; 255 } else if (vendor_id == 0 && 256 avp_code == RADIUS_ATTR_CHAP_PASSWORD) { 257 wpa_hexdump(MSG_DEBUG, 258 "EAP-TTLS: CHAP-Password (CHAP)", 259 dpos, dlen); 260 parse->chap_password = dpos; 261 parse->chap_password_len = dlen; 262 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 263 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) { 264 wpa_hexdump(MSG_DEBUG, 265 "EAP-TTLS: MS-CHAP-Challenge", 266 dpos, dlen); 267 parse->mschap_challenge = dpos; 268 parse->mschap_challenge_len = dlen; 269 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 270 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) { 271 wpa_hexdump(MSG_DEBUG, 272 "EAP-TTLS: MS-CHAP-Response (MSCHAP)", 273 dpos, dlen); 274 parse->mschap_response = dpos; 275 parse->mschap_response_len = dlen; 276 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 277 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) { 278 wpa_hexdump(MSG_DEBUG, 279 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)", 280 dpos, dlen); 281 parse->mschap2_response = dpos; 282 parse->mschap2_response_len = dlen; 283 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 284 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported " 285 "mandatory AVP code %d vendor_id %d - " 286 "dropped", (int) avp_code, (int) vendor_id); 287 goto fail; 288 } else { 289 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported " 290 "AVP code %d vendor_id %d", 291 (int) avp_code, (int) vendor_id); 292 } 293 294 pad = (4 - (avp_length & 3)) & 3; 295 pos += avp_length + pad; 296 left -= avp_length + pad; 297 } 298 299 return 0; 300 301 fail: 302 os_free(parse->eap); 303 parse->eap = NULL; 304 return -1; 305 } 306 307 308 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 309 struct eap_ttls_data *data, size_t len) 310 { 311 return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge", 312 len); 313 } 314 315 316 static void * eap_ttls_init(struct eap_sm *sm) 317 { 318 struct eap_ttls_data *data; 319 320 data = os_zalloc(sizeof(*data)); 321 if (data == NULL) 322 return NULL; 323 data->ttls_version = EAP_TTLS_VERSION; 324 data->state = START; 325 326 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 327 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 328 eap_ttls_reset(sm, data); 329 return NULL; 330 } 331 332 return data; 333 } 334 335 336 static void eap_ttls_reset(struct eap_sm *sm, void *priv) 337 { 338 struct eap_ttls_data *data = priv; 339 if (data == NULL) 340 return; 341 if (data->phase2_priv && data->phase2_method) 342 data->phase2_method->reset(sm, data->phase2_priv); 343 eap_server_tls_ssl_deinit(sm, &data->ssl); 344 wpabuf_free(data->pending_phase2_eap_resp); 345 os_free(data); 346 } 347 348 349 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm, 350 struct eap_ttls_data *data, u8 id) 351 { 352 struct wpabuf *req; 353 354 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1, 355 EAP_CODE_REQUEST, id); 356 if (req == NULL) { 357 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for" 358 " request"); 359 eap_ttls_state(data, FAILURE); 360 return NULL; 361 } 362 363 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version); 364 365 eap_ttls_state(data, PHASE1); 366 367 return req; 368 } 369 370 371 static struct wpabuf * eap_ttls_build_phase2_eap_req( 372 struct eap_sm *sm, struct eap_ttls_data *data, u8 id) 373 { 374 struct wpabuf *buf, *encr_req; 375 376 377 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id); 378 if (buf == NULL) 379 return NULL; 380 381 wpa_hexdump_buf_key(MSG_DEBUG, 382 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf); 383 384 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1); 385 if (buf == NULL) { 386 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate " 387 "packet"); 388 return NULL; 389 } 390 391 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated " 392 "Phase 2 data", buf); 393 394 encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf); 395 wpabuf_free(buf); 396 397 return encr_req; 398 } 399 400 401 static struct wpabuf * eap_ttls_build_phase2_mschapv2( 402 struct eap_sm *sm, struct eap_ttls_data *data) 403 { 404 struct wpabuf *encr_req, msgbuf; 405 u8 *req, *pos, *end; 406 int ret; 407 408 pos = req = os_malloc(100); 409 if (req == NULL) 410 return NULL; 411 end = req + 100; 412 413 if (data->mschapv2_resp_ok) { 414 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS, 415 RADIUS_VENDOR_ID_MICROSOFT, 1, 43); 416 *pos++ = data->mschapv2_ident; 417 ret = os_snprintf((char *) pos, end - pos, "S="); 418 if (ret >= 0 && ret < end - pos) 419 pos += ret; 420 pos += wpa_snprintf_hex_uppercase( 421 (char *) pos, end - pos, data->mschapv2_auth_response, 422 sizeof(data->mschapv2_auth_response)); 423 } else { 424 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR, 425 RADIUS_VENDOR_ID_MICROSOFT, 1, 6); 426 os_memcpy(pos, "Failed", 6); 427 pos += 6; 428 AVP_PAD(req, pos); 429 } 430 431 wpabuf_set(&msgbuf, req, pos - req); 432 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 " 433 "data", &msgbuf); 434 435 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf); 436 os_free(req); 437 438 return encr_req; 439 } 440 441 442 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id) 443 { 444 struct eap_ttls_data *data = priv; 445 446 if (data->ssl.state == FRAG_ACK) { 447 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS, 448 data->ttls_version); 449 } 450 451 if (data->ssl.state == WAIT_FRAG_ACK) { 452 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 453 data->ttls_version, id); 454 } 455 456 switch (data->state) { 457 case START: 458 return eap_ttls_build_start(sm, data, id); 459 case PHASE1: 460 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 461 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, " 462 "starting Phase2"); 463 eap_ttls_state(data, PHASE2_START); 464 } 465 break; 466 case PHASE2_METHOD: 467 wpabuf_free(data->ssl.tls_out); 468 data->ssl.tls_out_pos = 0; 469 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data, 470 id); 471 break; 472 case PHASE2_MSCHAPV2_RESP: 473 wpabuf_free(data->ssl.tls_out); 474 data->ssl.tls_out_pos = 0; 475 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data); 476 break; 477 default: 478 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 479 __func__, data->state); 480 return NULL; 481 } 482 483 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 484 data->ttls_version, id); 485 } 486 487 488 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv, 489 struct wpabuf *respData) 490 { 491 const u8 *pos; 492 size_t len; 493 494 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len); 495 if (pos == NULL || len < 1) { 496 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame"); 497 return TRUE; 498 } 499 500 return FALSE; 501 } 502 503 504 static void eap_ttls_process_phase2_pap(struct eap_sm *sm, 505 struct eap_ttls_data *data, 506 const u8 *user_password, 507 size_t user_password_len) 508 { 509 if (!sm->user || !sm->user->password || sm->user->password_hash || 510 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) { 511 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user " 512 "password configured"); 513 eap_ttls_state(data, FAILURE); 514 return; 515 } 516 517 if (sm->user->password_len != user_password_len || 518 os_memcmp(sm->user->password, user_password, user_password_len) != 519 0) { 520 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password"); 521 eap_ttls_state(data, FAILURE); 522 return; 523 } 524 525 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password"); 526 eap_ttls_state(data, SUCCESS); 527 } 528 529 530 static void eap_ttls_process_phase2_chap(struct eap_sm *sm, 531 struct eap_ttls_data *data, 532 const u8 *challenge, 533 size_t challenge_len, 534 const u8 *password, 535 size_t password_len) 536 { 537 u8 *chal, hash[CHAP_MD5_LEN]; 538 539 if (challenge == NULL || password == NULL || 540 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN || 541 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) { 542 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes " 543 "(challenge len %lu password len %lu)", 544 (unsigned long) challenge_len, 545 (unsigned long) password_len); 546 eap_ttls_state(data, FAILURE); 547 return; 548 } 549 550 if (!sm->user || !sm->user->password || sm->user->password_hash || 551 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) { 552 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user " 553 "password configured"); 554 eap_ttls_state(data, FAILURE); 555 return; 556 } 557 558 chal = eap_ttls_implicit_challenge(sm, data, 559 EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 560 if (chal == NULL) { 561 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate " 562 "challenge from TLS data"); 563 eap_ttls_state(data, FAILURE); 564 return; 565 } 566 567 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 || 568 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) { 569 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch"); 570 os_free(chal); 571 eap_ttls_state(data, FAILURE); 572 return; 573 } 574 os_free(chal); 575 576 /* MD5(Ident + Password + Challenge) */ 577 chap_md5(password[0], sm->user->password, sm->user->password_len, 578 challenge, challenge_len, hash); 579 580 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) { 581 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password"); 582 eap_ttls_state(data, SUCCESS); 583 } else { 584 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password"); 585 eap_ttls_state(data, FAILURE); 586 } 587 } 588 589 590 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm, 591 struct eap_ttls_data *data, 592 u8 *challenge, size_t challenge_len, 593 u8 *response, size_t response_len) 594 { 595 u8 *chal, nt_response[24]; 596 597 if (challenge == NULL || response == NULL || 598 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN || 599 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) { 600 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP " 601 "attributes (challenge len %lu response len %lu)", 602 (unsigned long) challenge_len, 603 (unsigned long) response_len); 604 eap_ttls_state(data, FAILURE); 605 return; 606 } 607 608 if (!sm->user || !sm->user->password || 609 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) { 610 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password " 611 "configured"); 612 eap_ttls_state(data, FAILURE); 613 return; 614 } 615 616 chal = eap_ttls_implicit_challenge(sm, data, 617 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 618 if (chal == NULL) { 619 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate " 620 "challenge from TLS data"); 621 eap_ttls_state(data, FAILURE); 622 return; 623 } 624 625 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 || 626 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) { 627 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch"); 628 os_free(chal); 629 eap_ttls_state(data, FAILURE); 630 return; 631 } 632 os_free(chal); 633 634 if (sm->user->password_hash) 635 challenge_response(challenge, sm->user->password, nt_response); 636 else 637 nt_challenge_response(challenge, sm->user->password, 638 sm->user->password_len, nt_response); 639 640 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) { 641 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response"); 642 eap_ttls_state(data, SUCCESS); 643 } else { 644 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response"); 645 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received", 646 response + 2 + 24, 24); 647 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected", 648 nt_response, 24); 649 eap_ttls_state(data, FAILURE); 650 } 651 } 652 653 654 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 655 struct eap_ttls_data *data, 656 u8 *challenge, 657 size_t challenge_len, 658 u8 *response, size_t response_len) 659 { 660 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge, 661 *auth_challenge; 662 size_t username_len, i; 663 664 if (challenge == NULL || response == NULL || 665 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN || 666 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) { 667 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 " 668 "attributes (challenge len %lu response len %lu)", 669 (unsigned long) challenge_len, 670 (unsigned long) response_len); 671 eap_ttls_state(data, FAILURE); 672 return; 673 } 674 675 if (!sm->user || !sm->user->password || 676 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) { 677 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password " 678 "configured"); 679 eap_ttls_state(data, FAILURE); 680 return; 681 } 682 683 /* MSCHAPv2 does not include optional domain name in the 684 * challenge-response calculation, so remove domain prefix 685 * (if present). */ 686 username = sm->identity; 687 username_len = sm->identity_len; 688 for (i = 0; i < username_len; i++) { 689 if (username[i] == '\\') { 690 username_len -= i + 1; 691 username += i + 1; 692 break; 693 } 694 } 695 696 chal = eap_ttls_implicit_challenge( 697 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 698 if (chal == NULL) { 699 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate " 700 "challenge from TLS data"); 701 eap_ttls_state(data, FAILURE); 702 return; 703 } 704 705 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 || 706 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) { 707 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch"); 708 os_free(chal); 709 eap_ttls_state(data, FAILURE); 710 return; 711 } 712 os_free(chal); 713 714 auth_challenge = challenge; 715 peer_challenge = response + 2; 716 717 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User", 718 username, username_len); 719 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge", 720 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 721 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge", 722 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 723 724 if (sm->user->password_hash) { 725 generate_nt_response_pwhash(auth_challenge, peer_challenge, 726 username, username_len, 727 sm->user->password, 728 nt_response); 729 } else { 730 generate_nt_response(auth_challenge, peer_challenge, 731 username, username_len, 732 sm->user->password, 733 sm->user->password_len, 734 nt_response); 735 } 736 737 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8; 738 if (os_memcmp(nt_response, rx_resp, 24) == 0) { 739 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct " 740 "NT-Response"); 741 data->mschapv2_resp_ok = 1; 742 743 if (sm->user->password_hash) { 744 generate_authenticator_response_pwhash( 745 sm->user->password, 746 peer_challenge, auth_challenge, 747 username, username_len, nt_response, 748 data->mschapv2_auth_response); 749 } else { 750 generate_authenticator_response( 751 sm->user->password, sm->user->password_len, 752 peer_challenge, auth_challenge, 753 username, username_len, nt_response, 754 data->mschapv2_auth_response); 755 } 756 } else { 757 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid " 758 "NT-Response"); 759 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received", 760 rx_resp, 24); 761 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected", 762 nt_response, 24); 763 data->mschapv2_resp_ok = 0; 764 } 765 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP); 766 data->mschapv2_ident = response[0]; 767 } 768 769 770 static int eap_ttls_phase2_eap_init(struct eap_sm *sm, 771 struct eap_ttls_data *data, 772 EapType eap_type) 773 { 774 if (data->phase2_priv && data->phase2_method) { 775 data->phase2_method->reset(sm, data->phase2_priv); 776 data->phase2_method = NULL; 777 data->phase2_priv = NULL; 778 } 779 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 780 eap_type); 781 if (!data->phase2_method) 782 return -1; 783 784 sm->init_phase2 = 1; 785 data->phase2_priv = data->phase2_method->init(sm); 786 sm->init_phase2 = 0; 787 return data->phase2_priv == NULL ? -1 : 0; 788 } 789 790 791 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm, 792 struct eap_ttls_data *data, 793 u8 *in_data, size_t in_len) 794 { 795 u8 next_type = EAP_TYPE_NONE; 796 struct eap_hdr *hdr; 797 u8 *pos; 798 size_t left; 799 struct wpabuf buf; 800 const struct eap_method *m = data->phase2_method; 801 void *priv = data->phase2_priv; 802 803 if (priv == NULL) { 804 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not " 805 "initialized?!", __func__); 806 return; 807 } 808 809 hdr = (struct eap_hdr *) in_data; 810 pos = (u8 *) (hdr + 1); 811 812 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 813 left = in_len - sizeof(*hdr); 814 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; " 815 "allowed types", pos + 1, left - 1); 816 eap_sm_process_nak(sm, pos + 1, left - 1); 817 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 818 sm->user->methods[sm->user_eap_method_index].method != 819 EAP_TYPE_NONE) { 820 next_type = sm->user->methods[ 821 sm->user_eap_method_index++].method; 822 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", 823 next_type); 824 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 825 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to " 826 "initialize EAP type %d", 827 next_type); 828 eap_ttls_state(data, FAILURE); 829 return; 830 } 831 } else { 832 eap_ttls_state(data, FAILURE); 833 } 834 return; 835 } 836 837 wpabuf_set(&buf, in_data, in_len); 838 839 if (m->check(sm, priv, &buf)) { 840 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to " 841 "ignore the packet"); 842 return; 843 } 844 845 m->process(sm, priv, &buf); 846 847 if (sm->method_pending == METHOD_PENDING_WAIT) { 848 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in " 849 "pending wait state - save decrypted response"); 850 wpabuf_free(data->pending_phase2_eap_resp); 851 data->pending_phase2_eap_resp = wpabuf_dup(&buf); 852 } 853 854 if (!m->isDone(sm, priv)) 855 return; 856 857 if (!m->isSuccess(sm, priv)) { 858 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed"); 859 eap_ttls_state(data, FAILURE); 860 return; 861 } 862 863 switch (data->state) { 864 case PHASE2_START: 865 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 866 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 " 867 "Identity not found in the user " 868 "database", 869 sm->identity, sm->identity_len); 870 eap_ttls_state(data, FAILURE); 871 break; 872 } 873 874 eap_ttls_state(data, PHASE2_METHOD); 875 next_type = sm->user->methods[0].method; 876 sm->user_eap_method_index = 1; 877 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type); 878 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 879 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize " 880 "EAP type %d", next_type); 881 eap_ttls_state(data, FAILURE); 882 } 883 break; 884 case PHASE2_METHOD: 885 eap_ttls_state(data, SUCCESS); 886 break; 887 case FAILURE: 888 break; 889 default: 890 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 891 __func__, data->state); 892 break; 893 } 894 } 895 896 897 static void eap_ttls_process_phase2_eap(struct eap_sm *sm, 898 struct eap_ttls_data *data, 899 const u8 *eap, size_t eap_len) 900 { 901 struct eap_hdr *hdr; 902 size_t len; 903 904 if (data->state == PHASE2_START) { 905 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2"); 906 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0) 907 { 908 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to " 909 "initialize EAP-Identity"); 910 return; 911 } 912 } 913 914 if (eap_len < sizeof(*hdr)) { 915 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP " 916 "packet (len=%lu)", (unsigned long) eap_len); 917 return; 918 } 919 920 hdr = (struct eap_hdr *) eap; 921 len = be_to_host16(hdr->length); 922 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d " 923 "identifier=%d length=%lu", hdr->code, hdr->identifier, 924 (unsigned long) len); 925 if (len > eap_len) { 926 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2" 927 " EAP frame (hdr len=%lu, data len in AVP=%lu)", 928 (unsigned long) len, (unsigned long) eap_len); 929 return; 930 } 931 932 switch (hdr->code) { 933 case EAP_CODE_RESPONSE: 934 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr, 935 len); 936 break; 937 default: 938 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in " 939 "Phase 2 EAP header", hdr->code); 940 break; 941 } 942 } 943 944 945 static void eap_ttls_process_phase2(struct eap_sm *sm, 946 struct eap_ttls_data *data, 947 struct wpabuf *in_buf) 948 { 949 struct wpabuf *in_decrypted; 950 struct eap_ttls_avp parse; 951 952 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 953 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 954 955 if (data->pending_phase2_eap_resp) { 956 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response " 957 "- skip decryption and use old data"); 958 eap_ttls_process_phase2_eap( 959 sm, data, wpabuf_head(data->pending_phase2_eap_resp), 960 wpabuf_len(data->pending_phase2_eap_resp)); 961 wpabuf_free(data->pending_phase2_eap_resp); 962 data->pending_phase2_eap_resp = NULL; 963 return; 964 } 965 966 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 967 in_buf); 968 if (in_decrypted == NULL) { 969 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 " 970 "data"); 971 eap_ttls_state(data, FAILURE); 972 return; 973 } 974 975 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP", 976 in_decrypted); 977 978 if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) { 979 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs"); 980 wpabuf_free(in_decrypted); 981 eap_ttls_state(data, FAILURE); 982 return; 983 } 984 985 if (parse.user_name) { 986 os_free(sm->identity); 987 sm->identity = os_malloc(parse.user_name_len); 988 if (sm->identity) { 989 os_memcpy(sm->identity, parse.user_name, 990 parse.user_name_len); 991 sm->identity_len = parse.user_name_len; 992 } 993 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1) 994 != 0) { 995 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not " 996 "found in the user database"); 997 eap_ttls_state(data, FAILURE); 998 goto done; 999 } 1000 } 1001 1002 #ifdef EAP_SERVER_TNC 1003 if (data->tnc_started && parse.eap == NULL) { 1004 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP " 1005 "response from peer"); 1006 eap_ttls_state(data, FAILURE); 1007 goto done; 1008 } 1009 #endif /* EAP_SERVER_TNC */ 1010 1011 if (parse.eap) { 1012 eap_ttls_process_phase2_eap(sm, data, parse.eap, 1013 parse.eap_len); 1014 } else if (parse.user_password) { 1015 eap_ttls_process_phase2_pap(sm, data, parse.user_password, 1016 parse.user_password_len); 1017 } else if (parse.chap_password) { 1018 eap_ttls_process_phase2_chap(sm, data, 1019 parse.chap_challenge, 1020 parse.chap_challenge_len, 1021 parse.chap_password, 1022 parse.chap_password_len); 1023 } else if (parse.mschap_response) { 1024 eap_ttls_process_phase2_mschap(sm, data, 1025 parse.mschap_challenge, 1026 parse.mschap_challenge_len, 1027 parse.mschap_response, 1028 parse.mschap_response_len); 1029 } else if (parse.mschap2_response) { 1030 eap_ttls_process_phase2_mschapv2(sm, data, 1031 parse.mschap_challenge, 1032 parse.mschap_challenge_len, 1033 parse.mschap2_response, 1034 parse.mschap2_response_len); 1035 } 1036 1037 done: 1038 wpabuf_free(in_decrypted); 1039 os_free(parse.eap); 1040 } 1041 1042 1043 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data) 1044 { 1045 #ifdef EAP_SERVER_TNC 1046 if (!sm->tnc || data->state != SUCCESS || data->tnc_started) 1047 return; 1048 1049 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC"); 1050 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) { 1051 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC"); 1052 eap_ttls_state(data, FAILURE); 1053 return; 1054 } 1055 1056 data->tnc_started = 1; 1057 eap_ttls_state(data, PHASE2_METHOD); 1058 #endif /* EAP_SERVER_TNC */ 1059 } 1060 1061 1062 static int eap_ttls_process_version(struct eap_sm *sm, void *priv, 1063 int peer_version) 1064 { 1065 struct eap_ttls_data *data = priv; 1066 if (peer_version < data->ttls_version) { 1067 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; " 1068 "use version %d", 1069 peer_version, data->ttls_version, peer_version); 1070 data->ttls_version = peer_version; 1071 } 1072 1073 return 0; 1074 } 1075 1076 1077 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv, 1078 const struct wpabuf *respData) 1079 { 1080 struct eap_ttls_data *data = priv; 1081 1082 switch (data->state) { 1083 case PHASE1: 1084 if (eap_server_tls_phase1(sm, &data->ssl) < 0) 1085 eap_ttls_state(data, FAILURE); 1086 break; 1087 case PHASE2_START: 1088 case PHASE2_METHOD: 1089 eap_ttls_process_phase2(sm, data, data->ssl.tls_in); 1090 eap_ttls_start_tnc(sm, data); 1091 break; 1092 case PHASE2_MSCHAPV2_RESP: 1093 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) == 1094 0) { 1095 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1096 "acknowledged response"); 1097 eap_ttls_state(data, SUCCESS); 1098 } else if (!data->mschapv2_resp_ok) { 1099 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1100 "acknowledged error"); 1101 eap_ttls_state(data, FAILURE); 1102 } else { 1103 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected " 1104 "frame from peer (payload len %lu, " 1105 "expected empty frame)", 1106 (unsigned long) 1107 wpabuf_len(data->ssl.tls_in)); 1108 eap_ttls_state(data, FAILURE); 1109 } 1110 eap_ttls_start_tnc(sm, data); 1111 break; 1112 default: 1113 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s", 1114 data->state, __func__); 1115 break; 1116 } 1117 } 1118 1119 1120 static void eap_ttls_process(struct eap_sm *sm, void *priv, 1121 struct wpabuf *respData) 1122 { 1123 struct eap_ttls_data *data = priv; 1124 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1125 EAP_TYPE_TTLS, eap_ttls_process_version, 1126 eap_ttls_process_msg) < 0) 1127 eap_ttls_state(data, FAILURE); 1128 } 1129 1130 1131 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv) 1132 { 1133 struct eap_ttls_data *data = priv; 1134 return data->state == SUCCESS || data->state == FAILURE; 1135 } 1136 1137 1138 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1139 { 1140 struct eap_ttls_data *data = priv; 1141 u8 *eapKeyData; 1142 1143 if (data->state != SUCCESS) 1144 return NULL; 1145 1146 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, 1147 "ttls keying material", 1148 EAP_TLS_KEY_LEN); 1149 if (eapKeyData) { 1150 *len = EAP_TLS_KEY_LEN; 1151 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 1152 eapKeyData, EAP_TLS_KEY_LEN); 1153 } else { 1154 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 1155 } 1156 1157 return eapKeyData; 1158 } 1159 1160 1161 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv) 1162 { 1163 struct eap_ttls_data *data = priv; 1164 return data->state == SUCCESS; 1165 } 1166 1167 1168 int eap_server_ttls_register(void) 1169 { 1170 struct eap_method *eap; 1171 int ret; 1172 1173 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1174 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1175 if (eap == NULL) 1176 return -1; 1177 1178 eap->init = eap_ttls_init; 1179 eap->reset = eap_ttls_reset; 1180 eap->buildReq = eap_ttls_buildReq; 1181 eap->check = eap_ttls_check; 1182 eap->process = eap_ttls_process; 1183 eap->isDone = eap_ttls_isDone; 1184 eap->getKey = eap_ttls_getKey; 1185 eap->isSuccess = eap_ttls_isSuccess; 1186 1187 ret = eap_server_method_register(eap); 1188 if (ret) 1189 eap_server_method_free(eap); 1190 return ret; 1191 } 1192