1 /* 2 * hostapd / EAP-TTLS (RFC 5281) 3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/ms_funcs.h" 13 #include "crypto/sha1.h" 14 #include "crypto/tls.h" 15 #include "eap_server/eap_i.h" 16 #include "eap_server/eap_tls_common.h" 17 #include "eap_common/chap.h" 18 #include "eap_common/eap_ttls.h" 19 20 21 #define EAP_TTLS_VERSION 0 22 23 24 static void eap_ttls_reset(struct eap_sm *sm, void *priv); 25 26 27 struct eap_ttls_data { 28 struct eap_ssl_data ssl; 29 enum { 30 START, PHASE1, PHASE2_START, PHASE2_METHOD, 31 PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE 32 } state; 33 34 int ttls_version; 35 const struct eap_method *phase2_method; 36 void *phase2_priv; 37 int mschapv2_resp_ok; 38 u8 mschapv2_auth_response[20]; 39 u8 mschapv2_ident; 40 struct wpabuf *pending_phase2_eap_resp; 41 int tnc_started; 42 }; 43 44 45 static const char * eap_ttls_state_txt(int state) 46 { 47 switch (state) { 48 case START: 49 return "START"; 50 case PHASE1: 51 return "PHASE1"; 52 case PHASE2_START: 53 return "PHASE2_START"; 54 case PHASE2_METHOD: 55 return "PHASE2_METHOD"; 56 case PHASE2_MSCHAPV2_RESP: 57 return "PHASE2_MSCHAPV2_RESP"; 58 case SUCCESS: 59 return "SUCCESS"; 60 case FAILURE: 61 return "FAILURE"; 62 default: 63 return "Unknown?!"; 64 } 65 } 66 67 68 static void eap_ttls_state(struct eap_ttls_data *data, int state) 69 { 70 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s", 71 eap_ttls_state_txt(data->state), 72 eap_ttls_state_txt(state)); 73 data->state = state; 74 } 75 76 77 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, 78 int mandatory, size_t len) 79 { 80 struct ttls_avp_vendor *avp; 81 u8 flags; 82 size_t hdrlen; 83 84 avp = (struct ttls_avp_vendor *) avphdr; 85 flags = mandatory ? AVP_FLAGS_MANDATORY : 0; 86 if (vendor_id) { 87 flags |= AVP_FLAGS_VENDOR; 88 hdrlen = sizeof(*avp); 89 avp->vendor_id = host_to_be32(vendor_id); 90 } else { 91 hdrlen = sizeof(struct ttls_avp); 92 } 93 94 avp->avp_code = host_to_be32(avp_code); 95 avp->avp_length = host_to_be32(((u32) flags << 24) | 96 ((u32) (hdrlen + len))); 97 98 return avphdr + hdrlen; 99 } 100 101 102 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp, 103 u32 avp_code, int mandatory) 104 { 105 struct wpabuf *avp; 106 u8 *pos; 107 108 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4); 109 if (avp == NULL) { 110 wpabuf_free(resp); 111 return NULL; 112 } 113 114 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory, 115 wpabuf_len(resp)); 116 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp)); 117 pos += wpabuf_len(resp); 118 AVP_PAD((const u8 *) wpabuf_head(avp), pos); 119 wpabuf_free(resp); 120 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp)); 121 return avp; 122 } 123 124 125 struct eap_ttls_avp { 126 /* Note: eap is allocated memory; caller is responsible for freeing 127 * it. All the other pointers are pointing to the packet data, i.e., 128 * they must not be freed separately. */ 129 u8 *eap; 130 size_t eap_len; 131 u8 *user_name; 132 size_t user_name_len; 133 u8 *user_password; 134 size_t user_password_len; 135 u8 *chap_challenge; 136 size_t chap_challenge_len; 137 u8 *chap_password; 138 size_t chap_password_len; 139 u8 *mschap_challenge; 140 size_t mschap_challenge_len; 141 u8 *mschap_response; 142 size_t mschap_response_len; 143 u8 *mschap2_response; 144 size_t mschap2_response_len; 145 }; 146 147 148 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse) 149 { 150 struct ttls_avp *avp; 151 u8 *pos; 152 int left; 153 154 pos = wpabuf_mhead(buf); 155 left = wpabuf_len(buf); 156 os_memset(parse, 0, sizeof(*parse)); 157 158 while (left > 0) { 159 u32 avp_code, avp_length, vendor_id = 0; 160 u8 avp_flags, *dpos; 161 size_t pad, dlen; 162 avp = (struct ttls_avp *) pos; 163 avp_code = be_to_host32(avp->avp_code); 164 avp_length = be_to_host32(avp->avp_length); 165 avp_flags = (avp_length >> 24) & 0xff; 166 avp_length &= 0xffffff; 167 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x " 168 "length=%d", (int) avp_code, avp_flags, 169 (int) avp_length); 170 if ((int) avp_length > left) { 171 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow " 172 "(len=%d, left=%d) - dropped", 173 (int) avp_length, left); 174 goto fail; 175 } 176 if (avp_length < sizeof(*avp)) { 177 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length " 178 "%d", avp_length); 179 goto fail; 180 } 181 dpos = (u8 *) (avp + 1); 182 dlen = avp_length - sizeof(*avp); 183 if (avp_flags & AVP_FLAGS_VENDOR) { 184 if (dlen < 4) { 185 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP " 186 "underflow"); 187 goto fail; 188 } 189 vendor_id = be_to_host32(* (be32 *) dpos); 190 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d", 191 (int) vendor_id); 192 dpos += 4; 193 dlen -= 4; 194 } 195 196 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen); 197 198 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) { 199 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message"); 200 if (parse->eap == NULL) { 201 parse->eap = os_malloc(dlen); 202 if (parse->eap == NULL) { 203 wpa_printf(MSG_WARNING, "EAP-TTLS: " 204 "failed to allocate memory " 205 "for Phase 2 EAP data"); 206 goto fail; 207 } 208 os_memcpy(parse->eap, dpos, dlen); 209 parse->eap_len = dlen; 210 } else { 211 u8 *neweap = os_realloc(parse->eap, 212 parse->eap_len + dlen); 213 if (neweap == NULL) { 214 wpa_printf(MSG_WARNING, "EAP-TTLS: " 215 "failed to allocate memory " 216 "for Phase 2 EAP data"); 217 goto fail; 218 } 219 os_memcpy(neweap + parse->eap_len, dpos, dlen); 220 parse->eap = neweap; 221 parse->eap_len += dlen; 222 } 223 } else if (vendor_id == 0 && 224 avp_code == RADIUS_ATTR_USER_NAME) { 225 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name", 226 dpos, dlen); 227 parse->user_name = dpos; 228 parse->user_name_len = dlen; 229 } else if (vendor_id == 0 && 230 avp_code == RADIUS_ATTR_USER_PASSWORD) { 231 u8 *password = dpos; 232 size_t password_len = dlen; 233 while (password_len > 0 && 234 password[password_len - 1] == '\0') { 235 password_len--; 236 } 237 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: " 238 "User-Password (PAP)", 239 password, password_len); 240 parse->user_password = password; 241 parse->user_password_len = password_len; 242 } else if (vendor_id == 0 && 243 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) { 244 wpa_hexdump(MSG_DEBUG, 245 "EAP-TTLS: CHAP-Challenge (CHAP)", 246 dpos, dlen); 247 parse->chap_challenge = dpos; 248 parse->chap_challenge_len = dlen; 249 } else if (vendor_id == 0 && 250 avp_code == RADIUS_ATTR_CHAP_PASSWORD) { 251 wpa_hexdump(MSG_DEBUG, 252 "EAP-TTLS: CHAP-Password (CHAP)", 253 dpos, dlen); 254 parse->chap_password = dpos; 255 parse->chap_password_len = dlen; 256 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 257 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) { 258 wpa_hexdump(MSG_DEBUG, 259 "EAP-TTLS: MS-CHAP-Challenge", 260 dpos, dlen); 261 parse->mschap_challenge = dpos; 262 parse->mschap_challenge_len = dlen; 263 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 264 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) { 265 wpa_hexdump(MSG_DEBUG, 266 "EAP-TTLS: MS-CHAP-Response (MSCHAP)", 267 dpos, dlen); 268 parse->mschap_response = dpos; 269 parse->mschap_response_len = dlen; 270 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT && 271 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) { 272 wpa_hexdump(MSG_DEBUG, 273 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)", 274 dpos, dlen); 275 parse->mschap2_response = dpos; 276 parse->mschap2_response_len = dlen; 277 } else if (avp_flags & AVP_FLAGS_MANDATORY) { 278 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported " 279 "mandatory AVP code %d vendor_id %d - " 280 "dropped", (int) avp_code, (int) vendor_id); 281 goto fail; 282 } else { 283 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported " 284 "AVP code %d vendor_id %d", 285 (int) avp_code, (int) vendor_id); 286 } 287 288 pad = (4 - (avp_length & 3)) & 3; 289 pos += avp_length + pad; 290 left -= avp_length + pad; 291 } 292 293 return 0; 294 295 fail: 296 os_free(parse->eap); 297 parse->eap = NULL; 298 return -1; 299 } 300 301 302 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, 303 struct eap_ttls_data *data, size_t len) 304 { 305 return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge", 306 len); 307 } 308 309 310 static void * eap_ttls_init(struct eap_sm *sm) 311 { 312 struct eap_ttls_data *data; 313 314 data = os_zalloc(sizeof(*data)); 315 if (data == NULL) 316 return NULL; 317 data->ttls_version = EAP_TTLS_VERSION; 318 data->state = START; 319 320 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { 321 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); 322 eap_ttls_reset(sm, data); 323 return NULL; 324 } 325 326 return data; 327 } 328 329 330 static void eap_ttls_reset(struct eap_sm *sm, void *priv) 331 { 332 struct eap_ttls_data *data = priv; 333 if (data == NULL) 334 return; 335 if (data->phase2_priv && data->phase2_method) 336 data->phase2_method->reset(sm, data->phase2_priv); 337 eap_server_tls_ssl_deinit(sm, &data->ssl); 338 wpabuf_free(data->pending_phase2_eap_resp); 339 os_free(data); 340 } 341 342 343 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm, 344 struct eap_ttls_data *data, u8 id) 345 { 346 struct wpabuf *req; 347 348 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1, 349 EAP_CODE_REQUEST, id); 350 if (req == NULL) { 351 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for" 352 " request"); 353 eap_ttls_state(data, FAILURE); 354 return NULL; 355 } 356 357 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version); 358 359 eap_ttls_state(data, PHASE1); 360 361 return req; 362 } 363 364 365 static struct wpabuf * eap_ttls_build_phase2_eap_req( 366 struct eap_sm *sm, struct eap_ttls_data *data, u8 id) 367 { 368 struct wpabuf *buf, *encr_req; 369 370 371 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id); 372 if (buf == NULL) 373 return NULL; 374 375 wpa_hexdump_buf_key(MSG_DEBUG, 376 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf); 377 378 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1); 379 if (buf == NULL) { 380 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate " 381 "packet"); 382 return NULL; 383 } 384 385 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated " 386 "Phase 2 data", buf); 387 388 encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf); 389 wpabuf_free(buf); 390 391 return encr_req; 392 } 393 394 395 static struct wpabuf * eap_ttls_build_phase2_mschapv2( 396 struct eap_sm *sm, struct eap_ttls_data *data) 397 { 398 struct wpabuf *encr_req, msgbuf; 399 u8 *req, *pos, *end; 400 int ret; 401 402 pos = req = os_malloc(100); 403 if (req == NULL) 404 return NULL; 405 end = req + 100; 406 407 if (data->mschapv2_resp_ok) { 408 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS, 409 RADIUS_VENDOR_ID_MICROSOFT, 1, 43); 410 *pos++ = data->mschapv2_ident; 411 ret = os_snprintf((char *) pos, end - pos, "S="); 412 if (ret >= 0 && ret < end - pos) 413 pos += ret; 414 pos += wpa_snprintf_hex_uppercase( 415 (char *) pos, end - pos, data->mschapv2_auth_response, 416 sizeof(data->mschapv2_auth_response)); 417 } else { 418 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR, 419 RADIUS_VENDOR_ID_MICROSOFT, 1, 6); 420 os_memcpy(pos, "Failed", 6); 421 pos += 6; 422 AVP_PAD(req, pos); 423 } 424 425 wpabuf_set(&msgbuf, req, pos - req); 426 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 " 427 "data", &msgbuf); 428 429 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf); 430 os_free(req); 431 432 return encr_req; 433 } 434 435 436 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id) 437 { 438 struct eap_ttls_data *data = priv; 439 440 if (data->ssl.state == FRAG_ACK) { 441 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS, 442 data->ttls_version); 443 } 444 445 if (data->ssl.state == WAIT_FRAG_ACK) { 446 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 447 data->ttls_version, id); 448 } 449 450 switch (data->state) { 451 case START: 452 return eap_ttls_build_start(sm, data, id); 453 case PHASE1: 454 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 455 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, " 456 "starting Phase2"); 457 eap_ttls_state(data, PHASE2_START); 458 } 459 break; 460 case PHASE2_METHOD: 461 wpabuf_free(data->ssl.tls_out); 462 data->ssl.tls_out_pos = 0; 463 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data, 464 id); 465 break; 466 case PHASE2_MSCHAPV2_RESP: 467 wpabuf_free(data->ssl.tls_out); 468 data->ssl.tls_out_pos = 0; 469 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data); 470 break; 471 default: 472 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 473 __func__, data->state); 474 return NULL; 475 } 476 477 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS, 478 data->ttls_version, id); 479 } 480 481 482 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv, 483 struct wpabuf *respData) 484 { 485 const u8 *pos; 486 size_t len; 487 488 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len); 489 if (pos == NULL || len < 1) { 490 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame"); 491 return TRUE; 492 } 493 494 return FALSE; 495 } 496 497 498 static void eap_ttls_process_phase2_pap(struct eap_sm *sm, 499 struct eap_ttls_data *data, 500 const u8 *user_password, 501 size_t user_password_len) 502 { 503 if (!sm->user || !sm->user->password || sm->user->password_hash || 504 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) { 505 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user " 506 "password configured"); 507 eap_ttls_state(data, FAILURE); 508 return; 509 } 510 511 if (sm->user->password_len != user_password_len || 512 os_memcmp(sm->user->password, user_password, user_password_len) != 513 0) { 514 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password"); 515 eap_ttls_state(data, FAILURE); 516 return; 517 } 518 519 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password"); 520 eap_ttls_state(data, SUCCESS); 521 } 522 523 524 static void eap_ttls_process_phase2_chap(struct eap_sm *sm, 525 struct eap_ttls_data *data, 526 const u8 *challenge, 527 size_t challenge_len, 528 const u8 *password, 529 size_t password_len) 530 { 531 u8 *chal, hash[CHAP_MD5_LEN]; 532 533 if (challenge == NULL || password == NULL || 534 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN || 535 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) { 536 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes " 537 "(challenge len %lu password len %lu)", 538 (unsigned long) challenge_len, 539 (unsigned long) password_len); 540 eap_ttls_state(data, FAILURE); 541 return; 542 } 543 544 if (!sm->user || !sm->user->password || sm->user->password_hash || 545 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) { 546 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user " 547 "password configured"); 548 eap_ttls_state(data, FAILURE); 549 return; 550 } 551 552 chal = eap_ttls_implicit_challenge(sm, data, 553 EAP_TTLS_CHAP_CHALLENGE_LEN + 1); 554 if (chal == NULL) { 555 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate " 556 "challenge from TLS data"); 557 eap_ttls_state(data, FAILURE); 558 return; 559 } 560 561 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 || 562 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) { 563 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch"); 564 os_free(chal); 565 eap_ttls_state(data, FAILURE); 566 return; 567 } 568 os_free(chal); 569 570 /* MD5(Ident + Password + Challenge) */ 571 chap_md5(password[0], sm->user->password, sm->user->password_len, 572 challenge, challenge_len, hash); 573 574 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) { 575 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password"); 576 eap_ttls_state(data, SUCCESS); 577 } else { 578 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password"); 579 eap_ttls_state(data, FAILURE); 580 } 581 } 582 583 584 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm, 585 struct eap_ttls_data *data, 586 u8 *challenge, size_t challenge_len, 587 u8 *response, size_t response_len) 588 { 589 u8 *chal, nt_response[24]; 590 591 if (challenge == NULL || response == NULL || 592 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN || 593 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) { 594 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP " 595 "attributes (challenge len %lu response len %lu)", 596 (unsigned long) challenge_len, 597 (unsigned long) response_len); 598 eap_ttls_state(data, FAILURE); 599 return; 600 } 601 602 if (!sm->user || !sm->user->password || 603 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) { 604 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password " 605 "configured"); 606 eap_ttls_state(data, FAILURE); 607 return; 608 } 609 610 chal = eap_ttls_implicit_challenge(sm, data, 611 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1); 612 if (chal == NULL) { 613 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate " 614 "challenge from TLS data"); 615 eap_ttls_state(data, FAILURE); 616 return; 617 } 618 619 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 || 620 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) { 621 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch"); 622 os_free(chal); 623 eap_ttls_state(data, FAILURE); 624 return; 625 } 626 os_free(chal); 627 628 if (sm->user->password_hash) 629 challenge_response(challenge, sm->user->password, nt_response); 630 else 631 nt_challenge_response(challenge, sm->user->password, 632 sm->user->password_len, nt_response); 633 634 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) { 635 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response"); 636 eap_ttls_state(data, SUCCESS); 637 } else { 638 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response"); 639 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received", 640 response + 2 + 24, 24); 641 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected", 642 nt_response, 24); 643 eap_ttls_state(data, FAILURE); 644 } 645 } 646 647 648 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm, 649 struct eap_ttls_data *data, 650 u8 *challenge, 651 size_t challenge_len, 652 u8 *response, size_t response_len) 653 { 654 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge, 655 *auth_challenge; 656 size_t username_len, i; 657 658 if (challenge == NULL || response == NULL || 659 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN || 660 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) { 661 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 " 662 "attributes (challenge len %lu response len %lu)", 663 (unsigned long) challenge_len, 664 (unsigned long) response_len); 665 eap_ttls_state(data, FAILURE); 666 return; 667 } 668 669 if (!sm->user || !sm->user->password || 670 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) { 671 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password " 672 "configured"); 673 eap_ttls_state(data, FAILURE); 674 return; 675 } 676 677 if (sm->identity == NULL) { 678 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity " 679 "known"); 680 eap_ttls_state(data, FAILURE); 681 return; 682 } 683 684 /* MSCHAPv2 does not include optional domain name in the 685 * challenge-response calculation, so remove domain prefix 686 * (if present). */ 687 username = sm->identity; 688 username_len = sm->identity_len; 689 for (i = 0; i < username_len; i++) { 690 if (username[i] == '\\') { 691 username_len -= i + 1; 692 username += i + 1; 693 break; 694 } 695 } 696 697 chal = eap_ttls_implicit_challenge( 698 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1); 699 if (chal == NULL) { 700 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate " 701 "challenge from TLS data"); 702 eap_ttls_state(data, FAILURE); 703 return; 704 } 705 706 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 || 707 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) { 708 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch"); 709 os_free(chal); 710 eap_ttls_state(data, FAILURE); 711 return; 712 } 713 os_free(chal); 714 715 auth_challenge = challenge; 716 peer_challenge = response + 2; 717 718 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User", 719 username, username_len); 720 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge", 721 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 722 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge", 723 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); 724 725 if (sm->user->password_hash) { 726 generate_nt_response_pwhash(auth_challenge, peer_challenge, 727 username, username_len, 728 sm->user->password, 729 nt_response); 730 } else { 731 generate_nt_response(auth_challenge, peer_challenge, 732 username, username_len, 733 sm->user->password, 734 sm->user->password_len, 735 nt_response); 736 } 737 738 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8; 739 if (os_memcmp(nt_response, rx_resp, 24) == 0) { 740 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct " 741 "NT-Response"); 742 data->mschapv2_resp_ok = 1; 743 744 if (sm->user->password_hash) { 745 generate_authenticator_response_pwhash( 746 sm->user->password, 747 peer_challenge, auth_challenge, 748 username, username_len, nt_response, 749 data->mschapv2_auth_response); 750 } else { 751 generate_authenticator_response( 752 sm->user->password, sm->user->password_len, 753 peer_challenge, auth_challenge, 754 username, username_len, nt_response, 755 data->mschapv2_auth_response); 756 } 757 } else { 758 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid " 759 "NT-Response"); 760 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received", 761 rx_resp, 24); 762 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected", 763 nt_response, 24); 764 data->mschapv2_resp_ok = 0; 765 } 766 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP); 767 data->mschapv2_ident = response[0]; 768 } 769 770 771 static int eap_ttls_phase2_eap_init(struct eap_sm *sm, 772 struct eap_ttls_data *data, 773 EapType eap_type) 774 { 775 if (data->phase2_priv && data->phase2_method) { 776 data->phase2_method->reset(sm, data->phase2_priv); 777 data->phase2_method = NULL; 778 data->phase2_priv = NULL; 779 } 780 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF, 781 eap_type); 782 if (!data->phase2_method) 783 return -1; 784 785 sm->init_phase2 = 1; 786 data->phase2_priv = data->phase2_method->init(sm); 787 sm->init_phase2 = 0; 788 return data->phase2_priv == NULL ? -1 : 0; 789 } 790 791 792 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm, 793 struct eap_ttls_data *data, 794 u8 *in_data, size_t in_len) 795 { 796 u8 next_type = EAP_TYPE_NONE; 797 struct eap_hdr *hdr; 798 u8 *pos; 799 size_t left; 800 struct wpabuf buf; 801 const struct eap_method *m = data->phase2_method; 802 void *priv = data->phase2_priv; 803 804 if (priv == NULL) { 805 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not " 806 "initialized?!", __func__); 807 return; 808 } 809 810 hdr = (struct eap_hdr *) in_data; 811 pos = (u8 *) (hdr + 1); 812 813 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) { 814 left = in_len - sizeof(*hdr); 815 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; " 816 "allowed types", pos + 1, left - 1); 817 eap_sm_process_nak(sm, pos + 1, left - 1); 818 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS && 819 sm->user->methods[sm->user_eap_method_index].method != 820 EAP_TYPE_NONE) { 821 next_type = sm->user->methods[ 822 sm->user_eap_method_index++].method; 823 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", 824 next_type); 825 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 826 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to " 827 "initialize EAP type %d", 828 next_type); 829 eap_ttls_state(data, FAILURE); 830 return; 831 } 832 } else { 833 eap_ttls_state(data, FAILURE); 834 } 835 return; 836 } 837 838 wpabuf_set(&buf, in_data, in_len); 839 840 if (m->check(sm, priv, &buf)) { 841 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to " 842 "ignore the packet"); 843 return; 844 } 845 846 m->process(sm, priv, &buf); 847 848 if (sm->method_pending == METHOD_PENDING_WAIT) { 849 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in " 850 "pending wait state - save decrypted response"); 851 wpabuf_free(data->pending_phase2_eap_resp); 852 data->pending_phase2_eap_resp = wpabuf_dup(&buf); 853 } 854 855 if (!m->isDone(sm, priv)) 856 return; 857 858 if (!m->isSuccess(sm, priv)) { 859 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed"); 860 eap_ttls_state(data, FAILURE); 861 return; 862 } 863 864 switch (data->state) { 865 case PHASE2_START: 866 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { 867 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 " 868 "Identity not found in the user " 869 "database", 870 sm->identity, sm->identity_len); 871 eap_ttls_state(data, FAILURE); 872 break; 873 } 874 875 eap_ttls_state(data, PHASE2_METHOD); 876 next_type = sm->user->methods[0].method; 877 sm->user_eap_method_index = 1; 878 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type); 879 if (eap_ttls_phase2_eap_init(sm, data, next_type)) { 880 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize " 881 "EAP type %d", next_type); 882 eap_ttls_state(data, FAILURE); 883 } 884 break; 885 case PHASE2_METHOD: 886 eap_ttls_state(data, SUCCESS); 887 break; 888 case FAILURE: 889 break; 890 default: 891 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d", 892 __func__, data->state); 893 break; 894 } 895 } 896 897 898 static void eap_ttls_process_phase2_eap(struct eap_sm *sm, 899 struct eap_ttls_data *data, 900 const u8 *eap, size_t eap_len) 901 { 902 struct eap_hdr *hdr; 903 size_t len; 904 905 if (data->state == PHASE2_START) { 906 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2"); 907 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0) 908 { 909 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to " 910 "initialize EAP-Identity"); 911 return; 912 } 913 } 914 915 if (eap_len < sizeof(*hdr)) { 916 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP " 917 "packet (len=%lu)", (unsigned long) eap_len); 918 return; 919 } 920 921 hdr = (struct eap_hdr *) eap; 922 len = be_to_host16(hdr->length); 923 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d " 924 "identifier=%d length=%lu", hdr->code, hdr->identifier, 925 (unsigned long) len); 926 if (len > eap_len) { 927 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2" 928 " EAP frame (hdr len=%lu, data len in AVP=%lu)", 929 (unsigned long) len, (unsigned long) eap_len); 930 return; 931 } 932 933 switch (hdr->code) { 934 case EAP_CODE_RESPONSE: 935 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr, 936 len); 937 break; 938 default: 939 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in " 940 "Phase 2 EAP header", hdr->code); 941 break; 942 } 943 } 944 945 946 static void eap_ttls_process_phase2(struct eap_sm *sm, 947 struct eap_ttls_data *data, 948 struct wpabuf *in_buf) 949 { 950 struct wpabuf *in_decrypted; 951 struct eap_ttls_avp parse; 952 953 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for" 954 " Phase 2", (unsigned long) wpabuf_len(in_buf)); 955 956 if (data->pending_phase2_eap_resp) { 957 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response " 958 "- skip decryption and use old data"); 959 eap_ttls_process_phase2_eap( 960 sm, data, wpabuf_head(data->pending_phase2_eap_resp), 961 wpabuf_len(data->pending_phase2_eap_resp)); 962 wpabuf_free(data->pending_phase2_eap_resp); 963 data->pending_phase2_eap_resp = NULL; 964 return; 965 } 966 967 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn, 968 in_buf); 969 if (in_decrypted == NULL) { 970 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 " 971 "data"); 972 eap_ttls_state(data, FAILURE); 973 return; 974 } 975 976 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP", 977 in_decrypted); 978 979 if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) { 980 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs"); 981 wpabuf_free(in_decrypted); 982 eap_ttls_state(data, FAILURE); 983 return; 984 } 985 986 if (parse.user_name) { 987 os_free(sm->identity); 988 sm->identity = os_malloc(parse.user_name_len); 989 if (sm->identity == NULL) { 990 eap_ttls_state(data, FAILURE); 991 goto done; 992 } 993 os_memcpy(sm->identity, parse.user_name, parse.user_name_len); 994 sm->identity_len = parse.user_name_len; 995 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1) 996 != 0) { 997 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not " 998 "found in the user database"); 999 eap_ttls_state(data, FAILURE); 1000 goto done; 1001 } 1002 } 1003 1004 #ifdef EAP_SERVER_TNC 1005 if (data->tnc_started && parse.eap == NULL) { 1006 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP " 1007 "response from peer"); 1008 eap_ttls_state(data, FAILURE); 1009 goto done; 1010 } 1011 #endif /* EAP_SERVER_TNC */ 1012 1013 if (parse.eap) { 1014 eap_ttls_process_phase2_eap(sm, data, parse.eap, 1015 parse.eap_len); 1016 } else if (parse.user_password) { 1017 eap_ttls_process_phase2_pap(sm, data, parse.user_password, 1018 parse.user_password_len); 1019 } else if (parse.chap_password) { 1020 eap_ttls_process_phase2_chap(sm, data, 1021 parse.chap_challenge, 1022 parse.chap_challenge_len, 1023 parse.chap_password, 1024 parse.chap_password_len); 1025 } else if (parse.mschap_response) { 1026 eap_ttls_process_phase2_mschap(sm, data, 1027 parse.mschap_challenge, 1028 parse.mschap_challenge_len, 1029 parse.mschap_response, 1030 parse.mschap_response_len); 1031 } else if (parse.mschap2_response) { 1032 eap_ttls_process_phase2_mschapv2(sm, data, 1033 parse.mschap_challenge, 1034 parse.mschap_challenge_len, 1035 parse.mschap2_response, 1036 parse.mschap2_response_len); 1037 } 1038 1039 done: 1040 wpabuf_free(in_decrypted); 1041 os_free(parse.eap); 1042 } 1043 1044 1045 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data) 1046 { 1047 #ifdef EAP_SERVER_TNC 1048 if (!sm->tnc || data->state != SUCCESS || data->tnc_started) 1049 return; 1050 1051 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC"); 1052 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) { 1053 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC"); 1054 eap_ttls_state(data, FAILURE); 1055 return; 1056 } 1057 1058 data->tnc_started = 1; 1059 eap_ttls_state(data, PHASE2_METHOD); 1060 #endif /* EAP_SERVER_TNC */ 1061 } 1062 1063 1064 static int eap_ttls_process_version(struct eap_sm *sm, void *priv, 1065 int peer_version) 1066 { 1067 struct eap_ttls_data *data = priv; 1068 if (peer_version < data->ttls_version) { 1069 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; " 1070 "use version %d", 1071 peer_version, data->ttls_version, peer_version); 1072 data->ttls_version = peer_version; 1073 } 1074 1075 return 0; 1076 } 1077 1078 1079 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv, 1080 const struct wpabuf *respData) 1081 { 1082 struct eap_ttls_data *data = priv; 1083 1084 switch (data->state) { 1085 case PHASE1: 1086 if (eap_server_tls_phase1(sm, &data->ssl) < 0) 1087 eap_ttls_state(data, FAILURE); 1088 break; 1089 case PHASE2_START: 1090 case PHASE2_METHOD: 1091 eap_ttls_process_phase2(sm, data, data->ssl.tls_in); 1092 eap_ttls_start_tnc(sm, data); 1093 break; 1094 case PHASE2_MSCHAPV2_RESP: 1095 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) == 1096 0) { 1097 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1098 "acknowledged response"); 1099 eap_ttls_state(data, SUCCESS); 1100 } else if (!data->mschapv2_resp_ok) { 1101 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " 1102 "acknowledged error"); 1103 eap_ttls_state(data, FAILURE); 1104 } else { 1105 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected " 1106 "frame from peer (payload len %lu, " 1107 "expected empty frame)", 1108 (unsigned long) 1109 wpabuf_len(data->ssl.tls_in)); 1110 eap_ttls_state(data, FAILURE); 1111 } 1112 eap_ttls_start_tnc(sm, data); 1113 break; 1114 default: 1115 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s", 1116 data->state, __func__); 1117 break; 1118 } 1119 } 1120 1121 1122 static void eap_ttls_process(struct eap_sm *sm, void *priv, 1123 struct wpabuf *respData) 1124 { 1125 struct eap_ttls_data *data = priv; 1126 if (eap_server_tls_process(sm, &data->ssl, respData, data, 1127 EAP_TYPE_TTLS, eap_ttls_process_version, 1128 eap_ttls_process_msg) < 0) 1129 eap_ttls_state(data, FAILURE); 1130 } 1131 1132 1133 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv) 1134 { 1135 struct eap_ttls_data *data = priv; 1136 return data->state == SUCCESS || data->state == FAILURE; 1137 } 1138 1139 1140 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) 1141 { 1142 struct eap_ttls_data *data = priv; 1143 u8 *eapKeyData; 1144 1145 if (data->state != SUCCESS) 1146 return NULL; 1147 1148 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, 1149 "ttls keying material", 1150 EAP_TLS_KEY_LEN); 1151 if (eapKeyData) { 1152 *len = EAP_TLS_KEY_LEN; 1153 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key", 1154 eapKeyData, EAP_TLS_KEY_LEN); 1155 } else { 1156 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key"); 1157 } 1158 1159 return eapKeyData; 1160 } 1161 1162 1163 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv) 1164 { 1165 struct eap_ttls_data *data = priv; 1166 return data->state == SUCCESS; 1167 } 1168 1169 1170 int eap_server_ttls_register(void) 1171 { 1172 struct eap_method *eap; 1173 int ret; 1174 1175 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 1176 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS"); 1177 if (eap == NULL) 1178 return -1; 1179 1180 eap->init = eap_ttls_init; 1181 eap->reset = eap_ttls_reset; 1182 eap->buildReq = eap_ttls_buildReq; 1183 eap->check = eap_ttls_check; 1184 eap->process = eap_ttls_process; 1185 eap->isDone = eap_ttls_isDone; 1186 eap->getKey = eap_ttls_getKey; 1187 eap->isSuccess = eap_ttls_isSuccess; 1188 1189 ret = eap_server_method_register(eap); 1190 if (ret) 1191 eap_server_method_free(eap); 1192 return ret; 1193 } 1194