2 * hostapd / EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "crypto/random.h"
16 #include "eap_tls_common.h"
17 #include "eap_common/eap_tlv_common.h"
18 #include "eap_common/eap_peap_common.h"
22 /* Maximum supported PEAP version
23 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
24 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
26 #define EAP_PEAP_VERSION 1
29 static void eap_peap_reset(struct eap_sm *sm, void *priv);
32 struct eap_peap_data {
33 struct eap_ssl_data ssl;
35 START, PHASE1, PHASE1_ID2, PHASE2_START, PHASE2_ID,
36 PHASE2_METHOD, PHASE2_SOH,
37 PHASE2_TLV, SUCCESS_REQ, FAILURE_REQ, SUCCESS, FAILURE
42 const struct eap_method *phase2_method;
45 struct wpabuf *pending_phase2_resp;
46 enum { TLV_REQ_NONE, TLV_REQ_SUCCESS, TLV_REQ_FAILURE } tlv_request;
47 int crypto_binding_sent;
48 int crypto_binding_used;
49 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
54 size_t phase2_key_len;
55 struct wpabuf *soh_response;
59 static const char * eap_peap_state_txt(int state)
69 return "PHASE2_START";
73 return "PHASE2_METHOD";
92 static void eap_peap_state(struct eap_peap_data *data, int state)
94 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s -> %s",
95 eap_peap_state_txt(data->state),
96 eap_peap_state_txt(state));
98 if (state == FAILURE || state == FAILURE_REQ)
99 tls_connection_remove_session(data->ssl.conn);
103 static void eap_peap_valid_session(struct eap_sm *sm,
104 struct eap_peap_data *data)
108 if (!sm->tls_session_lifetime ||
109 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
112 buf = wpabuf_alloc(1 + 1 + sm->identity_len);
115 wpabuf_put_u8(buf, EAP_TYPE_PEAP);
119 if (sm->identity_len <= 255)
120 id_len = sm->identity_len;
123 wpabuf_put_u8(buf, id_len);
124 wpabuf_put_data(buf, sm->identity, id_len);
126 wpabuf_put_u8(buf, 0);
128 tls_connection_set_success_data(data->ssl.conn, buf);
132 static void eap_peap_req_success(struct eap_sm *sm,
133 struct eap_peap_data *data)
135 if (data->state == FAILURE || data->state == FAILURE_REQ) {
136 eap_peap_state(data, FAILURE);
140 if (data->peap_version == 0) {
141 data->tlv_request = TLV_REQ_SUCCESS;
142 eap_peap_state(data, PHASE2_TLV);
144 eap_peap_state(data, SUCCESS_REQ);
149 static void eap_peap_req_failure(struct eap_sm *sm,
150 struct eap_peap_data *data)
152 if (data->state == FAILURE || data->state == FAILURE_REQ ||
153 data->state == SUCCESS_REQ || data->tlv_request != TLV_REQ_NONE) {
154 eap_peap_state(data, FAILURE);
158 if (data->peap_version == 0) {
159 data->tlv_request = TLV_REQ_FAILURE;
160 eap_peap_state(data, PHASE2_TLV);
162 eap_peap_state(data, FAILURE_REQ);
167 static void * eap_peap_init(struct eap_sm *sm)
169 struct eap_peap_data *data;
171 data = os_zalloc(sizeof(*data));
174 data->peap_version = EAP_PEAP_VERSION;
175 data->force_version = -1;
176 if (sm->user && sm->user->force_version >= 0) {
177 data->force_version = sm->user->force_version;
178 wpa_printf(MSG_DEBUG, "EAP-PEAP: forcing version %d",
179 data->force_version);
180 data->peap_version = data->force_version;
183 data->crypto_binding = OPTIONAL_BINDING;
185 if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
186 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
187 eap_peap_reset(sm, data);
195 static void eap_peap_reset(struct eap_sm *sm, void *priv)
197 struct eap_peap_data *data = priv;
200 if (data->phase2_priv && data->phase2_method)
201 data->phase2_method->reset(sm, data->phase2_priv);
202 eap_server_tls_ssl_deinit(sm, &data->ssl);
203 wpabuf_free(data->pending_phase2_resp);
204 os_free(data->phase2_key);
205 wpabuf_free(data->soh_response);
206 bin_clear_free(data, sizeof(*data));
210 static struct wpabuf * eap_peap_build_start(struct eap_sm *sm,
211 struct eap_peap_data *data, u8 id)
215 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP, 1,
216 EAP_CODE_REQUEST, id);
218 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to allocate memory for"
220 eap_peap_state(data, FAILURE);
224 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->peap_version);
226 eap_peap_state(data, PHASE1);
232 static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
233 struct eap_peap_data *data,
236 struct wpabuf *buf, *encr_req, msgbuf;
240 if (data->phase2_method == NULL || data->phase2_priv == NULL) {
241 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 method not ready");
244 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
248 req = wpabuf_head(buf);
249 req_len = wpabuf_len(buf);
250 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
253 if (data->peap_version == 0 &&
254 data->phase2_method->method != EAP_TYPE_TLV) {
255 req += sizeof(struct eap_hdr);
256 req_len -= sizeof(struct eap_hdr);
259 wpabuf_set(&msgbuf, req, req_len);
260 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
267 #ifdef EAP_SERVER_TNC
268 static struct wpabuf * eap_peap_build_phase2_soh(struct eap_sm *sm,
269 struct eap_peap_data *data,
272 struct wpabuf *buf1, *buf, *encr_req, msgbuf;
276 buf1 = tncs_build_soh_request();
280 buf = eap_msg_alloc(EAP_VENDOR_MICROSOFT, 0x21, wpabuf_len(buf1),
281 EAP_CODE_REQUEST, id);
286 wpabuf_put_buf(buf, buf1);
289 req = wpabuf_head(buf);
290 req_len = wpabuf_len(buf);
292 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 SOH data",
295 req += sizeof(struct eap_hdr);
296 req_len -= sizeof(struct eap_hdr);
297 wpabuf_set(&msgbuf, req, req_len);
299 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
304 #endif /* EAP_SERVER_TNC */
307 static void eap_peap_get_isk(struct eap_peap_data *data,
308 u8 *isk, size_t isk_len)
312 os_memset(isk, 0, isk_len);
313 if (data->phase2_key == NULL)
316 key_len = data->phase2_key_len;
317 if (key_len > isk_len)
319 os_memcpy(isk, data->phase2_key, key_len);
323 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
326 u8 isk[32], imck[60];
329 * Tunnel key (TK) is the first 60 octets of the key generated by
330 * phase 1 of PEAP (based on TLS).
332 tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption",
336 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
338 eap_peap_get_isk(data, isk, sizeof(isk));
339 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
342 * IPMK Seed = "Inner Methods Compound Keys" | ISK
343 * TempKey = First 40 octets of TK
344 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
345 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
346 * in the end of the label just before ISK; is that just a typo?)
348 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
349 if (peap_prfplus(data->peap_version, tk, 40,
350 "Inner Methods Compound Keys",
351 isk, sizeof(isk), imck, sizeof(imck)) < 0) {
355 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
360 /* TODO: fast-connect: IPMK|CMK = TK */
361 os_memcpy(data->ipmk, imck, 40);
362 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
363 os_memcpy(data->cmk, imck + 40, 20);
364 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
370 static struct wpabuf * eap_peap_build_phase2_tlv(struct eap_sm *sm,
371 struct eap_peap_data *data,
374 struct wpabuf *buf, *encr_req;
377 mlen = 6; /* Result TLV */
378 if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
379 data->crypto_binding != NO_BINDING) {
380 mlen += 60; /* Cryptobinding TLV */
381 #ifdef EAP_SERVER_TNC
382 if (data->soh_response)
383 mlen += wpabuf_len(data->soh_response);
384 #endif /* EAP_SERVER_TNC */
387 buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, mlen,
388 EAP_CODE_REQUEST, id);
392 wpabuf_put_u8(buf, 0x80); /* Mandatory */
393 wpabuf_put_u8(buf, EAP_TLV_RESULT_TLV);
395 wpabuf_put_be16(buf, 2);
397 wpabuf_put_be16(buf, data->tlv_request == TLV_REQ_SUCCESS ?
398 EAP_TLV_RESULT_SUCCESS : EAP_TLV_RESULT_FAILURE);
400 if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
401 data->crypto_binding != NO_BINDING) {
403 u8 eap_type = EAP_TYPE_PEAP;
408 #ifdef EAP_SERVER_TNC
409 if (data->soh_response) {
410 wpa_printf(MSG_DEBUG, "EAP-PEAP: Adding MS-SOH "
412 wpabuf_put_buf(buf, data->soh_response);
413 wpabuf_free(data->soh_response);
414 data->soh_response = NULL;
416 #endif /* EAP_SERVER_TNC */
418 if (eap_peap_derive_cmk(sm, data) < 0 ||
419 random_get_bytes(data->binding_nonce, 32)) {
424 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
425 addr[0] = wpabuf_put(buf, 0);
430 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
431 wpabuf_put_be16(buf, tlv_type);
432 wpabuf_put_be16(buf, 56);
434 wpabuf_put_u8(buf, 0); /* Reserved */
435 wpabuf_put_u8(buf, data->peap_version); /* Version */
436 wpabuf_put_u8(buf, data->recv_version); /* RecvVersion */
437 wpabuf_put_u8(buf, 0); /* SubType: 0 = Request, 1 = Response */
438 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
439 mac = wpabuf_put(buf, 20); /* Compound_MAC */
440 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK",
442 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
444 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
446 hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac);
447 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC",
449 data->crypto_binding_sent = 1;
452 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
455 encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
462 static struct wpabuf * eap_peap_build_phase2_term(struct eap_sm *sm,
463 struct eap_peap_data *data,
466 struct wpabuf *encr_req, msgbuf;
470 req_len = sizeof(*hdr);
471 hdr = os_zalloc(req_len);
475 hdr->code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
476 hdr->identifier = id;
477 hdr->length = host_to_be16(req_len);
479 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
480 (u8 *) hdr, req_len);
482 wpabuf_set(&msgbuf, hdr, req_len);
483 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
490 static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
492 struct eap_peap_data *data = priv;
494 if (data->ssl.state == FRAG_ACK) {
495 return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
499 if (data->ssl.state == WAIT_FRAG_ACK) {
500 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
501 data->peap_version, id);
504 switch (data->state) {
506 return eap_peap_build_start(sm, data, id);
509 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
510 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
512 eap_peap_state(data, PHASE2_START);
517 wpabuf_free(data->ssl.tls_out);
518 data->ssl.tls_out_pos = 0;
519 data->ssl.tls_out = eap_peap_build_phase2_req(sm, data, id);
521 #ifdef EAP_SERVER_TNC
523 wpabuf_free(data->ssl.tls_out);
524 data->ssl.tls_out_pos = 0;
525 data->ssl.tls_out = eap_peap_build_phase2_soh(sm, data, id);
527 #endif /* EAP_SERVER_TNC */
529 wpabuf_free(data->ssl.tls_out);
530 data->ssl.tls_out_pos = 0;
531 data->ssl.tls_out = eap_peap_build_phase2_tlv(sm, data, id);
534 wpabuf_free(data->ssl.tls_out);
535 data->ssl.tls_out_pos = 0;
536 data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
540 wpabuf_free(data->ssl.tls_out);
541 data->ssl.tls_out_pos = 0;
542 data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
546 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
547 __func__, data->state);
551 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
552 data->peap_version, id);
556 static Boolean eap_peap_check(struct eap_sm *sm, void *priv,
557 struct wpabuf *respData)
562 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData, &len);
563 if (pos == NULL || len < 1) {
564 wpa_printf(MSG_INFO, "EAP-PEAP: Invalid frame");
572 static int eap_peap_phase2_init(struct eap_sm *sm, struct eap_peap_data *data,
573 int vendor, EapType eap_type)
575 if (data->phase2_priv && data->phase2_method) {
576 data->phase2_method->reset(sm, data->phase2_priv);
577 data->phase2_method = NULL;
578 data->phase2_priv = NULL;
580 data->phase2_method = eap_server_get_eap_method(vendor, eap_type);
581 if (!data->phase2_method)
585 data->phase2_priv = data->phase2_method->init(sm);
591 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
592 struct eap_peap_data *data,
593 const u8 *crypto_tlv,
594 size_t crypto_tlv_len)
596 u8 buf[61], mac[SHA1_MAC_LEN];
599 if (crypto_tlv_len != 4 + 56) {
600 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
601 "length %d", (int) crypto_tlv_len);
606 pos += 4; /* TLV header */
607 if (pos[1] != data->peap_version) {
608 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
609 "mismatch (was %d; expected %d)",
610 pos[1], data->peap_version);
615 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
616 "SubType %d", pos[3]);
620 pos += 32; /* Nonce */
622 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
623 os_memcpy(buf, crypto_tlv, 60);
624 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
625 buf[60] = EAP_TYPE_PEAP;
626 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
628 if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) {
629 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
630 "cryptobinding TLV");
631 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK", data->cmk, 20);
632 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding seed data",
637 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
643 static void eap_peap_process_phase2_tlv(struct eap_sm *sm,
644 struct eap_peap_data *data,
645 struct wpabuf *in_data)
649 const u8 *result_tlv = NULL, *crypto_tlv = NULL;
650 size_t result_tlv_len = 0, crypto_tlv_len = 0;
651 int tlv_type, mandatory, tlv_len;
653 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, in_data, &left);
655 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid EAP-TLV header");
660 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs", pos, left);
662 mandatory = !!(pos[0] & 0x80);
663 tlv_type = pos[0] & 0x3f;
664 tlv_type = (tlv_type << 8) | pos[1];
665 tlv_len = ((int) pos[2] << 8) | pos[3];
668 if ((size_t) tlv_len > left) {
669 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
670 "(tlv_len=%d left=%lu)", tlv_len,
671 (unsigned long) left);
672 eap_peap_state(data, FAILURE);
676 case EAP_TLV_RESULT_TLV:
678 result_tlv_len = tlv_len;
680 case EAP_TLV_CRYPTO_BINDING_TLV:
682 crypto_tlv_len = tlv_len;
685 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
687 mandatory ? " (mandatory)" : "");
689 eap_peap_state(data, FAILURE);
692 /* Ignore this TLV, but process other TLVs */
700 wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
701 "Request (left=%lu)", (unsigned long) left);
702 eap_peap_state(data, FAILURE);
706 /* Process supported TLVs */
707 if (crypto_tlv && data->crypto_binding_sent) {
708 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
709 crypto_tlv, crypto_tlv_len);
710 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
711 crypto_tlv_len + 4) < 0) {
712 eap_peap_state(data, FAILURE);
715 data->crypto_binding_used = 1;
716 } else if (!crypto_tlv && data->crypto_binding_sent &&
717 data->crypto_binding == REQUIRE_BINDING) {
718 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
719 eap_peap_state(data, FAILURE);
725 const char *requested;
727 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Result TLV",
728 result_tlv, result_tlv_len);
729 if (result_tlv_len < 2) {
730 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Result TLV "
732 (unsigned long) result_tlv_len);
733 eap_peap_state(data, FAILURE);
736 requested = data->tlv_request == TLV_REQ_SUCCESS ? "Success" :
738 status = WPA_GET_BE16(result_tlv);
739 if (status == EAP_TLV_RESULT_SUCCESS) {
740 wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Success "
741 "- requested %s", requested);
742 if (data->tlv_request == TLV_REQ_SUCCESS) {
743 eap_peap_state(data, SUCCESS);
744 eap_peap_valid_session(sm, data);
746 eap_peap_state(data, FAILURE);
749 } else if (status == EAP_TLV_RESULT_FAILURE) {
750 wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Failure "
751 "- requested %s", requested);
752 eap_peap_state(data, FAILURE);
754 wpa_printf(MSG_INFO, "EAP-PEAP: Unknown TLV Result "
755 "Status %d", status);
756 eap_peap_state(data, FAILURE);
762 #ifdef EAP_SERVER_TNC
763 static void eap_peap_process_phase2_soh(struct eap_sm *sm,
764 struct eap_peap_data *data,
765 struct wpabuf *in_data)
767 const u8 *pos, *vpos;
769 const u8 *soh_tlv = NULL;
770 size_t soh_tlv_len = 0;
771 int tlv_type, mandatory, tlv_len, vtlv_len;
775 pos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, in_data, &left);
777 wpa_printf(MSG_DEBUG, "EAP-PEAP: Not a valid SoH EAP "
778 "Extensions Method header - skip TNC");
783 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs (SoH)", pos, left);
785 mandatory = !!(pos[0] & 0x80);
786 tlv_type = pos[0] & 0x3f;
787 tlv_type = (tlv_type << 8) | pos[1];
788 tlv_len = ((int) pos[2] << 8) | pos[3];
791 if ((size_t) tlv_len > left) {
792 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
793 "(tlv_len=%d left=%lu)", tlv_len,
794 (unsigned long) left);
795 eap_peap_state(data, FAILURE);
799 case EAP_TLV_VENDOR_SPECIFIC_TLV:
801 wpa_printf(MSG_DEBUG, "EAP-PEAP: Too short "
802 "vendor specific TLV (len=%d)",
804 eap_peap_state(data, FAILURE);
808 vendor_id = WPA_GET_BE32(pos);
809 if (vendor_id != EAP_VENDOR_MICROSOFT) {
811 eap_peap_state(data, FAILURE);
818 mandatory = !!(vpos[0] & 0x80);
819 tlv_type = vpos[0] & 0x3f;
820 tlv_type = (tlv_type << 8) | vpos[1];
821 vtlv_len = ((int) vpos[2] << 8) | vpos[3];
823 if (vpos + vtlv_len > pos + left) {
824 wpa_printf(MSG_DEBUG, "EAP-PEAP: Vendor TLV "
826 eap_peap_state(data, FAILURE);
832 soh_tlv_len = vtlv_len;
836 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported MS-TLV "
837 "Type %d%s", tlv_type,
838 mandatory ? " (mandatory)" : "");
840 eap_peap_state(data, FAILURE);
843 /* Ignore this TLV, but process other TLVs */
846 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
848 mandatory ? " (mandatory)" : "");
850 eap_peap_state(data, FAILURE);
853 /* Ignore this TLV, but process other TLVs */
861 wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
862 "Request (left=%lu)", (unsigned long) left);
863 eap_peap_state(data, FAILURE);
867 /* Process supported TLVs */
870 wpabuf_free(data->soh_response);
871 data->soh_response = tncs_process_soh(soh_tlv, soh_tlv_len,
874 eap_peap_state(data, FAILURE);
878 wpa_printf(MSG_DEBUG, "EAP-PEAP: No SoH TLV received");
879 eap_peap_state(data, FAILURE);
884 eap_peap_state(data, PHASE2_METHOD);
885 next_type = sm->user->methods[0].method;
886 sm->user_eap_method_index = 1;
887 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP vendor %d type %d",
888 sm->user->methods[0].vendor, next_type);
889 eap_peap_phase2_init(sm, data, sm->user->methods[0].vendor, next_type);
891 #endif /* EAP_SERVER_TNC */
894 static void eap_peap_process_phase2_response(struct eap_sm *sm,
895 struct eap_peap_data *data,
896 struct wpabuf *in_data)
898 int next_vendor = EAP_VENDOR_IETF;
899 u32 next_type = EAP_TYPE_NONE;
900 const struct eap_hdr *hdr;
904 if (data->state == PHASE2_TLV) {
905 eap_peap_process_phase2_tlv(sm, data, in_data);
909 #ifdef EAP_SERVER_TNC
910 if (data->state == PHASE2_SOH) {
911 eap_peap_process_phase2_soh(sm, data, in_data);
914 #endif /* EAP_SERVER_TNC */
916 if (data->phase2_priv == NULL) {
917 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - Phase2 not "
918 "initialized?!", __func__);
922 hdr = wpabuf_head(in_data);
923 pos = (const u8 *) (hdr + 1);
925 if (wpabuf_len(in_data) > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
926 left = wpabuf_len(in_data) - sizeof(*hdr);
927 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Phase2 type Nak'ed; "
928 "allowed types", pos + 1, left - 1);
929 eap_sm_process_nak(sm, pos + 1, left - 1);
930 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
931 (sm->user->methods[sm->user_eap_method_index].vendor !=
933 sm->user->methods[sm->user_eap_method_index].method !=
935 next_vendor = sm->user->methods[
936 sm->user_eap_method_index].vendor;
937 next_type = sm->user->methods[
938 sm->user_eap_method_index++].method;
939 wpa_printf(MSG_DEBUG,
940 "EAP-PEAP: try EAP vendor %d type 0x%x",
941 next_vendor, next_type);
943 eap_peap_req_failure(sm, data);
944 next_vendor = EAP_VENDOR_IETF;
945 next_type = EAP_TYPE_NONE;
947 eap_peap_phase2_init(sm, data, next_vendor, next_type);
951 if (data->phase2_method->check(sm, data->phase2_priv, in_data)) {
952 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 check() asked to "
953 "ignore the packet");
957 data->phase2_method->process(sm, data->phase2_priv, in_data);
959 if (sm->method_pending == METHOD_PENDING_WAIT) {
960 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method is in "
961 "pending wait state - save decrypted response");
962 wpabuf_free(data->pending_phase2_resp);
963 data->pending_phase2_resp = wpabuf_dup(in_data);
966 if (!data->phase2_method->isDone(sm, data->phase2_priv))
969 if (!data->phase2_method->isSuccess(sm, data->phase2_priv)) {
970 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method failed");
971 eap_peap_req_failure(sm, data);
972 next_vendor = EAP_VENDOR_IETF;
973 next_type = EAP_TYPE_NONE;
974 eap_peap_phase2_init(sm, data, next_vendor, next_type);
978 os_free(data->phase2_key);
979 if (data->phase2_method->getKey) {
980 data->phase2_key = data->phase2_method->getKey(
981 sm, data->phase2_priv, &data->phase2_key_len);
982 if (data->phase2_key == NULL) {
983 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 getKey "
985 eap_peap_req_failure(sm, data);
986 eap_peap_phase2_init(sm, data, EAP_VENDOR_IETF,
992 switch (data->state) {
996 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
997 wpa_hexdump_ascii(MSG_DEBUG, "EAP_PEAP: Phase2 "
998 "Identity not found in the user "
1000 sm->identity, sm->identity_len);
1001 eap_peap_req_failure(sm, data);
1002 next_vendor = EAP_VENDOR_IETF;
1003 next_type = EAP_TYPE_NONE;
1007 #ifdef EAP_SERVER_TNC
1008 if (data->state != PHASE2_SOH && sm->tnc &&
1009 data->peap_version == 0) {
1010 eap_peap_state(data, PHASE2_SOH);
1011 wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
1013 next_vendor = EAP_VENDOR_IETF;
1014 next_type = EAP_TYPE_NONE;
1017 #endif /* EAP_SERVER_TNC */
1019 eap_peap_state(data, PHASE2_METHOD);
1020 next_vendor = sm->user->methods[0].vendor;
1021 next_type = sm->user->methods[0].method;
1022 sm->user_eap_method_index = 1;
1023 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP vendor %d type 0x%x",
1024 next_vendor, next_type);
1027 eap_peap_req_success(sm, data);
1028 next_vendor = EAP_VENDOR_IETF;
1029 next_type = EAP_TYPE_NONE;
1034 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
1035 __func__, data->state);
1039 eap_peap_phase2_init(sm, data, next_vendor, next_type);
1043 static void eap_peap_process_phase2(struct eap_sm *sm,
1044 struct eap_peap_data *data,
1045 const struct wpabuf *respData,
1046 struct wpabuf *in_buf)
1048 struct wpabuf *in_decrypted;
1049 const struct eap_hdr *hdr;
1052 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
1053 " Phase 2", (unsigned long) wpabuf_len(in_buf));
1055 if (data->pending_phase2_resp) {
1056 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
1057 "skip decryption and use old data");
1058 eap_peap_process_phase2_response(sm, data,
1059 data->pending_phase2_resp);
1060 wpabuf_free(data->pending_phase2_resp);
1061 data->pending_phase2_resp = NULL;
1065 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1067 if (in_decrypted == NULL) {
1068 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
1070 eap_peap_state(data, FAILURE);
1074 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
1077 if (data->peap_version == 0 && data->state != PHASE2_TLV) {
1078 const struct eap_hdr *resp;
1079 struct eap_hdr *nhdr;
1080 struct wpabuf *nbuf =
1081 wpabuf_alloc(sizeof(struct eap_hdr) +
1082 wpabuf_len(in_decrypted));
1084 wpabuf_free(in_decrypted);
1088 resp = wpabuf_head(respData);
1089 nhdr = wpabuf_put(nbuf, sizeof(*nhdr));
1090 nhdr->code = resp->code;
1091 nhdr->identifier = resp->identifier;
1092 nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
1093 wpabuf_len(in_decrypted));
1094 wpabuf_put_buf(nbuf, in_decrypted);
1095 wpabuf_free(in_decrypted);
1097 in_decrypted = nbuf;
1100 hdr = wpabuf_head(in_decrypted);
1101 if (wpabuf_len(in_decrypted) < (int) sizeof(*hdr)) {
1102 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
1103 "EAP frame (len=%lu)",
1104 (unsigned long) wpabuf_len(in_decrypted));
1105 wpabuf_free(in_decrypted);
1106 eap_peap_req_failure(sm, data);
1109 len = be_to_host16(hdr->length);
1110 if (len > wpabuf_len(in_decrypted)) {
1111 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
1112 "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1113 (unsigned long) wpabuf_len(in_decrypted),
1114 (unsigned long) len);
1115 wpabuf_free(in_decrypted);
1116 eap_peap_req_failure(sm, data);
1119 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
1120 "identifier=%d length=%lu", hdr->code, hdr->identifier,
1121 (unsigned long) len);
1122 switch (hdr->code) {
1123 case EAP_CODE_RESPONSE:
1124 eap_peap_process_phase2_response(sm, data, in_decrypted);
1126 case EAP_CODE_SUCCESS:
1127 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
1128 if (data->state == SUCCESS_REQ) {
1129 eap_peap_state(data, SUCCESS);
1130 eap_peap_valid_session(sm, data);
1133 case EAP_CODE_FAILURE:
1134 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
1135 eap_peap_state(data, FAILURE);
1138 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
1139 "Phase 2 EAP header", hdr->code);
1143 wpabuf_free(in_decrypted);
1147 static int eap_peap_process_version(struct eap_sm *sm, void *priv,
1150 struct eap_peap_data *data = priv;
1152 data->recv_version = peer_version;
1153 if (data->force_version >= 0 && peer_version != data->force_version) {
1154 wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
1155 " version (forced=%d peer=%d) - reject",
1156 data->force_version, peer_version);
1159 if (peer_version < data->peap_version) {
1160 wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
1162 peer_version, data->peap_version, peer_version);
1163 data->peap_version = peer_version;
1170 static void eap_peap_process_msg(struct eap_sm *sm, void *priv,
1171 const struct wpabuf *respData)
1173 struct eap_peap_data *data = priv;
1175 switch (data->state) {
1177 if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
1178 eap_peap_state(data, FAILURE);
1183 eap_peap_state(data, PHASE2_ID);
1184 eap_peap_phase2_init(sm, data, EAP_VENDOR_IETF,
1192 eap_peap_process_phase2(sm, data, respData, data->ssl.tls_in);
1195 eap_peap_state(data, SUCCESS);
1196 eap_peap_valid_session(sm, data);
1199 eap_peap_state(data, FAILURE);
1202 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
1203 data->state, __func__);
1209 static void eap_peap_process(struct eap_sm *sm, void *priv,
1210 struct wpabuf *respData)
1212 struct eap_peap_data *data = priv;
1213 const struct wpabuf *buf;
1217 if (eap_server_tls_process(sm, &data->ssl, respData, data,
1218 EAP_TYPE_PEAP, eap_peap_process_version,
1219 eap_peap_process_msg) < 0) {
1220 eap_peap_state(data, FAILURE);
1224 if (data->state == SUCCESS ||
1225 !tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
1226 !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
1229 buf = tls_connection_get_success_data(data->ssl.conn);
1230 if (!buf || wpabuf_len(buf) < 2) {
1231 wpa_printf(MSG_DEBUG,
1232 "EAP-PEAP: No success data in resumed session - reject attempt");
1233 eap_peap_state(data, FAILURE);
1237 pos = wpabuf_head(buf);
1238 if (*pos != EAP_TYPE_PEAP) {
1239 wpa_printf(MSG_DEBUG,
1240 "EAP-PEAP: Resumed session for another EAP type (%u) - reject attempt",
1242 eap_peap_state(data, FAILURE);
1248 wpa_hexdump_ascii(MSG_DEBUG, "EAP-PEAP: Identity from cached session",
1250 os_free(sm->identity);
1251 sm->identity = os_malloc(id_len ? id_len : 1);
1252 if (!sm->identity) {
1253 sm->identity_len = 0;
1254 eap_peap_state(data, FAILURE);
1258 os_memcpy(sm->identity, pos, id_len);
1259 sm->identity_len = id_len;
1261 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1262 wpa_hexdump_ascii(MSG_DEBUG, "EAP-PEAP: Phase2 Identity not found in the user database",
1263 sm->identity, sm->identity_len);
1264 eap_peap_state(data, FAILURE);
1268 wpa_printf(MSG_DEBUG,
1269 "EAP-PEAP: Resuming previous session - skip Phase2");
1270 eap_peap_state(data, SUCCESS_REQ);
1271 tls_connection_set_success_data_resumed(data->ssl.conn);
1275 static Boolean eap_peap_isDone(struct eap_sm *sm, void *priv)
1277 struct eap_peap_data *data = priv;
1278 return data->state == SUCCESS || data->state == FAILURE;
1282 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
1284 struct eap_peap_data *data = priv;
1287 if (data->state != SUCCESS)
1290 if (data->crypto_binding_used) {
1293 * Note: It looks like Microsoft implementation requires null
1294 * termination for this label while the one used for deriving
1295 * IPMK|CMK did not use null termination.
1297 if (peap_prfplus(data->peap_version, data->ipmk, 40,
1298 "Session Key Generating Function",
1299 (u8 *) "\00", 1, csk, sizeof(csk)) < 0)
1301 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
1302 eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
1304 os_memcpy(eapKeyData, csk, EAP_TLS_KEY_LEN);
1305 *len = EAP_TLS_KEY_LEN;
1306 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1307 eapKeyData, EAP_TLS_KEY_LEN);
1309 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive "
1316 /* TODO: PEAPv1 - different label in some cases */
1317 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1318 "client EAP encryption",
1321 *len = EAP_TLS_KEY_LEN;
1322 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1323 eapKeyData, EAP_TLS_KEY_LEN);
1325 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive key");
1332 static Boolean eap_peap_isSuccess(struct eap_sm *sm, void *priv)
1334 struct eap_peap_data *data = priv;
1335 return data->state == SUCCESS;
1339 static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1341 struct eap_peap_data *data = priv;
1343 if (data->state != SUCCESS)
1346 return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_PEAP,
1351 int eap_server_peap_register(void)
1353 struct eap_method *eap;
1356 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1357 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
1361 eap->init = eap_peap_init;
1362 eap->reset = eap_peap_reset;
1363 eap->buildReq = eap_peap_buildReq;
1364 eap->check = eap_peap_check;
1365 eap->process = eap_peap_process;
1366 eap->isDone = eap_peap_isDone;
1367 eap->getKey = eap_peap_getKey;
1368 eap->isSuccess = eap_peap_isSuccess;
1369 eap->getSessionId = eap_peap_get_session_id;
1371 ret = eap_server_method_register(eap);
1373 eap_server_method_free(eap);