2 * hostapd / EAP-TTLS (RFC 5281)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/ms_funcs.h"
19 #include "crypto/sha1.h"
20 #include "crypto/tls.h"
21 #include "eap_server/eap_i.h"
22 #include "eap_server/eap_tls_common.h"
23 #include "eap_common/chap.h"
24 #include "eap_common/eap_ttls.h"
27 /* Maximum supported TTLS version
29 * 1 = draft-funk-eap-ttls-v1-00.txt
31 #ifndef EAP_TTLS_VERSION
32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
33 #endif /* EAP_TTLS_VERSION */
36 #define MSCHAPV2_KEY_LEN 16
39 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
42 struct eap_ttls_data {
43 struct eap_ssl_data ssl;
45 START, PHASE1, PHASE2_START, PHASE2_METHOD,
46 PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE
51 const struct eap_method *phase2_method;
54 u8 mschapv2_auth_response[20];
56 int tls_ia_configured;
57 struct wpabuf *pending_phase2_eap_resp;
62 static const char * eap_ttls_state_txt(int state)
70 return "PHASE2_START";
72 return "PHASE2_METHOD";
73 case PHASE2_MSCHAPV2_RESP:
74 return "PHASE2_MSCHAPV2_RESP";
76 return "PHASE_FINISHED";
87 static void eap_ttls_state(struct eap_ttls_data *data, int state)
89 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
90 eap_ttls_state_txt(data->state),
91 eap_ttls_state_txt(state));
96 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
97 int mandatory, size_t len)
99 struct ttls_avp_vendor *avp;
103 avp = (struct ttls_avp_vendor *) avphdr;
104 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
106 flags |= AVP_FLAGS_VENDOR;
107 hdrlen = sizeof(*avp);
108 avp->vendor_id = host_to_be32(vendor_id);
110 hdrlen = sizeof(struct ttls_avp);
113 avp->avp_code = host_to_be32(avp_code);
114 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
116 return avphdr + hdrlen;
120 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
121 u32 avp_code, int mandatory)
126 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
132 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
134 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
135 pos += wpabuf_len(resp);
136 AVP_PAD((const u8 *) wpabuf_head(avp), pos);
138 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
143 struct eap_ttls_avp {
144 /* Note: eap is allocated memory; caller is responsible for freeing
145 * it. All the other pointers are pointing to the packet data, i.e.,
146 * they must not be freed separately. */
150 size_t user_name_len;
152 size_t user_password_len;
154 size_t chap_challenge_len;
156 size_t chap_password_len;
157 u8 *mschap_challenge;
158 size_t mschap_challenge_len;
160 size_t mschap_response_len;
161 u8 *mschap2_response;
162 size_t mschap2_response_len;
166 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
168 struct ttls_avp *avp;
172 pos = wpabuf_mhead(buf);
173 left = wpabuf_len(buf);
174 os_memset(parse, 0, sizeof(*parse));
177 u32 avp_code, avp_length, vendor_id = 0;
180 avp = (struct ttls_avp *) pos;
181 avp_code = be_to_host32(avp->avp_code);
182 avp_length = be_to_host32(avp->avp_length);
183 avp_flags = (avp_length >> 24) & 0xff;
184 avp_length &= 0xffffff;
185 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
186 "length=%d", (int) avp_code, avp_flags,
188 if ((int) avp_length > left) {
189 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
190 "(len=%d, left=%d) - dropped",
191 (int) avp_length, left);
194 if (avp_length < sizeof(*avp)) {
195 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
199 dpos = (u8 *) (avp + 1);
200 dlen = avp_length - sizeof(*avp);
201 if (avp_flags & AVP_FLAGS_VENDOR) {
203 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
207 vendor_id = be_to_host32(* (be32 *) dpos);
208 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
214 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
216 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
217 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
218 if (parse->eap == NULL) {
219 parse->eap = os_malloc(dlen);
220 if (parse->eap == NULL) {
221 wpa_printf(MSG_WARNING, "EAP-TTLS: "
222 "failed to allocate memory "
223 "for Phase 2 EAP data");
226 os_memcpy(parse->eap, dpos, dlen);
227 parse->eap_len = dlen;
229 u8 *neweap = os_realloc(parse->eap,
230 parse->eap_len + dlen);
231 if (neweap == NULL) {
232 wpa_printf(MSG_WARNING, "EAP-TTLS: "
233 "failed to allocate memory "
234 "for Phase 2 EAP data");
237 os_memcpy(neweap + parse->eap_len, dpos, dlen);
239 parse->eap_len += dlen;
241 } else if (vendor_id == 0 &&
242 avp_code == RADIUS_ATTR_USER_NAME) {
243 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
245 parse->user_name = dpos;
246 parse->user_name_len = dlen;
247 } else if (vendor_id == 0 &&
248 avp_code == RADIUS_ATTR_USER_PASSWORD) {
250 size_t password_len = dlen;
251 while (password_len > 0 &&
252 password[password_len - 1] == '\0') {
255 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
256 "User-Password (PAP)",
257 password, password_len);
258 parse->user_password = password;
259 parse->user_password_len = password_len;
260 } else if (vendor_id == 0 &&
261 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
262 wpa_hexdump(MSG_DEBUG,
263 "EAP-TTLS: CHAP-Challenge (CHAP)",
265 parse->chap_challenge = dpos;
266 parse->chap_challenge_len = dlen;
267 } else if (vendor_id == 0 &&
268 avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
269 wpa_hexdump(MSG_DEBUG,
270 "EAP-TTLS: CHAP-Password (CHAP)",
272 parse->chap_password = dpos;
273 parse->chap_password_len = dlen;
274 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
275 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
276 wpa_hexdump(MSG_DEBUG,
277 "EAP-TTLS: MS-CHAP-Challenge",
279 parse->mschap_challenge = dpos;
280 parse->mschap_challenge_len = dlen;
281 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
282 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
283 wpa_hexdump(MSG_DEBUG,
284 "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
286 parse->mschap_response = dpos;
287 parse->mschap_response_len = dlen;
288 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
289 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
290 wpa_hexdump(MSG_DEBUG,
291 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
293 parse->mschap2_response = dpos;
294 parse->mschap2_response_len = dlen;
295 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
296 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
297 "mandatory AVP code %d vendor_id %d - "
298 "dropped", (int) avp_code, (int) vendor_id);
301 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
302 "AVP code %d vendor_id %d",
303 (int) avp_code, (int) vendor_id);
306 pad = (4 - (avp_length & 3)) & 3;
307 pos += avp_length + pad;
308 left -= avp_length + pad;
320 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
321 struct eap_ttls_data *data, size_t len)
323 struct tls_keys keys;
326 if (data->ttls_version == 0) {
327 return eap_server_tls_derive_key(sm, &data->ssl,
328 "ttls challenge", len);
331 os_memset(&keys, 0, sizeof(keys));
332 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
333 keys.client_random == NULL || keys.server_random == NULL ||
334 keys.inner_secret == NULL) {
335 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
336 "client random, or server random to derive "
337 "implicit challenge");
341 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
342 challenge = os_malloc(len);
343 if (rnd == NULL || challenge == NULL) {
344 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
345 "challenge derivation");
350 os_memcpy(rnd, keys.server_random, keys.server_random_len);
351 os_memcpy(rnd + keys.server_random_len, keys.client_random,
352 keys.client_random_len);
354 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
355 "inner application challenge", rnd,
356 keys.client_random_len + keys.server_random_len,
358 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
367 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
374 static void * eap_ttls_init(struct eap_sm *sm)
376 struct eap_ttls_data *data;
378 data = os_zalloc(sizeof(*data));
381 data->ttls_version = EAP_TTLS_VERSION;
382 data->force_version = -1;
383 if (sm->user && sm->user->force_version >= 0) {
384 data->force_version = sm->user->force_version;
385 wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d",
386 data->force_version);
387 data->ttls_version = data->force_version;
391 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
392 data->ttls_version > 0) {
393 if (data->force_version > 0) {
394 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
395 "TLS library does not support TLS/IA.",
396 data->force_version);
397 eap_ttls_reset(sm, data);
400 data->ttls_version = 0;
403 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
404 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
405 eap_ttls_reset(sm, data);
413 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
415 struct eap_ttls_data *data = priv;
418 if (data->phase2_priv && data->phase2_method)
419 data->phase2_method->reset(sm, data->phase2_priv);
420 eap_server_tls_ssl_deinit(sm, &data->ssl);
421 wpabuf_free(data->pending_phase2_eap_resp);
426 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
427 struct eap_ttls_data *data, u8 id)
431 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
432 EAP_CODE_REQUEST, id);
434 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
436 eap_ttls_state(data, FAILURE);
440 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
442 eap_ttls_state(data, PHASE1);
448 static struct wpabuf * eap_ttls_build_phase2_eap_req(
449 struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
451 struct wpabuf *buf, *encr_req;
454 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
458 wpa_hexdump_buf_key(MSG_DEBUG,
459 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
461 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
463 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
468 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
469 "Phase 2 data", buf);
471 encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
478 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
479 struct eap_sm *sm, struct eap_ttls_data *data)
481 struct wpabuf *encr_req, msgbuf;
485 pos = req = os_malloc(100);
490 if (data->mschapv2_resp_ok) {
491 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
492 RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
493 *pos++ = data->mschapv2_ident;
494 ret = os_snprintf((char *) pos, end - pos, "S=");
495 if (ret >= 0 && ret < end - pos)
497 pos += wpa_snprintf_hex_uppercase(
498 (char *) pos, end - pos, data->mschapv2_auth_response,
499 sizeof(data->mschapv2_auth_response));
501 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
502 RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
503 os_memcpy(pos, "Failed", 6);
508 wpabuf_set(&msgbuf, req, pos - req);
509 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
512 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
519 static struct wpabuf * eap_ttls_build_phase_finished(
520 struct eap_sm *sm, struct eap_ttls_data *data, int final)
522 return tls_connection_ia_send_phase_finished(sm->ssl_ctx,
523 data->ssl.conn, final);
527 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
529 struct eap_ttls_data *data = priv;
531 if (data->ssl.state == FRAG_ACK) {
532 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
536 if (data->ssl.state == WAIT_FRAG_ACK) {
537 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
538 data->ttls_version, id);
541 switch (data->state) {
543 return eap_ttls_build_start(sm, data, id);
545 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
546 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
548 eap_ttls_state(data, PHASE2_START);
552 wpabuf_free(data->ssl.tls_out);
553 data->ssl.tls_out_pos = 0;
554 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
557 case PHASE2_MSCHAPV2_RESP:
558 wpabuf_free(data->ssl.tls_out);
559 data->ssl.tls_out_pos = 0;
560 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
563 wpabuf_free(data->ssl.tls_out);
564 data->ssl.tls_out_pos = 0;
565 data->ssl.tls_out = eap_ttls_build_phase_finished(sm, data, 1);
568 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
569 __func__, data->state);
573 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
574 data->ttls_version, id);
578 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
579 struct wpabuf *respData)
584 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
585 if (pos == NULL || len < 1) {
586 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
594 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
595 struct eap_ttls_data *data,
596 const u8 *key, size_t key_len)
603 buf_len = 2 + key_len;
604 buf = os_malloc(buf_len);
607 WPA_PUT_BE16(buf, key_len);
608 os_memcpy(buf + 2, key, key_len);
614 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
615 "secret permutation", buf, buf_len);
616 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
625 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
626 struct eap_ttls_data *data,
627 const u8 *user_password,
628 size_t user_password_len)
630 if (!sm->user || !sm->user->password || sm->user->password_hash ||
631 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
632 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
633 "password configured");
634 eap_ttls_state(data, FAILURE);
638 if (sm->user->password_len != user_password_len ||
639 os_memcmp(sm->user->password, user_password, user_password_len) !=
641 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
642 eap_ttls_state(data, FAILURE);
646 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
647 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
652 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
653 struct eap_ttls_data *data,
655 size_t challenge_len,
659 u8 *chal, hash[CHAP_MD5_LEN];
661 if (challenge == NULL || password == NULL ||
662 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
663 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
664 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
665 "(challenge len %lu password len %lu)",
666 (unsigned long) challenge_len,
667 (unsigned long) password_len);
668 eap_ttls_state(data, FAILURE);
672 if (!sm->user || !sm->user->password || sm->user->password_hash ||
673 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
674 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
675 "password configured");
676 eap_ttls_state(data, FAILURE);
680 chal = eap_ttls_implicit_challenge(sm, data,
681 EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
683 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
684 "challenge from TLS data");
685 eap_ttls_state(data, FAILURE);
689 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 ||
690 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
691 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
693 eap_ttls_state(data, FAILURE);
698 /* MD5(Ident + Password + Challenge) */
699 chap_md5(password[0], sm->user->password, sm->user->password_len,
700 challenge, challenge_len, hash);
702 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
703 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
704 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
707 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
708 eap_ttls_state(data, FAILURE);
713 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
714 struct eap_ttls_data *data,
715 u8 *challenge, size_t challenge_len,
716 u8 *response, size_t response_len)
718 u8 *chal, nt_response[24];
720 if (challenge == NULL || response == NULL ||
721 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
722 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
723 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
724 "attributes (challenge len %lu response len %lu)",
725 (unsigned long) challenge_len,
726 (unsigned long) response_len);
727 eap_ttls_state(data, FAILURE);
731 if (!sm->user || !sm->user->password ||
732 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
733 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
735 eap_ttls_state(data, FAILURE);
739 chal = eap_ttls_implicit_challenge(sm, data,
740 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
742 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
743 "challenge from TLS data");
744 eap_ttls_state(data, FAILURE);
748 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 ||
749 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
750 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
752 eap_ttls_state(data, FAILURE);
757 if (sm->user->password_hash)
758 challenge_response(challenge, sm->user->password, nt_response);
760 nt_challenge_response(challenge, sm->user->password,
761 sm->user->password_len, nt_response);
763 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) {
764 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
765 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
768 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
769 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
770 response + 2 + 24, 24);
771 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
773 eap_ttls_state(data, FAILURE);
778 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
779 struct eap_ttls_data *data,
781 size_t challenge_len,
782 u8 *response, size_t response_len)
784 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
786 size_t username_len, i;
788 if (challenge == NULL || response == NULL ||
789 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
790 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
791 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
792 "attributes (challenge len %lu response len %lu)",
793 (unsigned long) challenge_len,
794 (unsigned long) response_len);
795 eap_ttls_state(data, FAILURE);
799 if (!sm->user || !sm->user->password ||
800 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
801 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
803 eap_ttls_state(data, FAILURE);
807 /* MSCHAPv2 does not include optional domain name in the
808 * challenge-response calculation, so remove domain prefix
810 username = sm->identity;
811 username_len = sm->identity_len;
812 for (i = 0; i < username_len; i++) {
813 if (username[i] == '\\') {
814 username_len -= i + 1;
820 chal = eap_ttls_implicit_challenge(
821 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
823 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
824 "challenge from TLS data");
825 eap_ttls_state(data, FAILURE);
829 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 ||
830 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
831 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
833 eap_ttls_state(data, FAILURE);
838 auth_challenge = challenge;
839 peer_challenge = response + 2;
841 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
842 username, username_len);
843 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
844 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
845 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
846 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
848 if (sm->user->password_hash) {
849 generate_nt_response_pwhash(auth_challenge, peer_challenge,
850 username, username_len,
854 generate_nt_response(auth_challenge, peer_challenge,
855 username, username_len,
857 sm->user->password_len,
861 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
862 if (os_memcmp(nt_response, rx_resp, 24) == 0) {
863 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
865 data->mschapv2_resp_ok = 1;
866 if (data->ttls_version > 0) {
868 u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16];
869 u8 session_key[2 * MSCHAPV2_KEY_LEN];
871 if (sm->user->password_hash)
872 pw_hash = sm->user->password;
874 nt_password_hash(sm->user->password,
875 sm->user->password_len,
877 pw_hash = pw_hash_buf;
879 hash_nt_password_hash(pw_hash, pw_hash_hash);
880 get_master_key(pw_hash_hash, nt_response, master_key);
881 get_asymetric_start_key(master_key, session_key,
882 MSCHAPV2_KEY_LEN, 0, 0);
883 get_asymetric_start_key(master_key,
884 session_key + MSCHAPV2_KEY_LEN,
885 MSCHAPV2_KEY_LEN, 1, 0);
886 eap_ttls_ia_permute_inner_secret(sm, data,
888 sizeof(session_key));
891 if (sm->user->password_hash) {
892 generate_authenticator_response_pwhash(
894 peer_challenge, auth_challenge,
895 username, username_len, nt_response,
896 data->mschapv2_auth_response);
898 generate_authenticator_response(
899 sm->user->password, sm->user->password_len,
900 peer_challenge, auth_challenge,
901 username, username_len, nt_response,
902 data->mschapv2_auth_response);
905 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
907 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
909 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
911 data->mschapv2_resp_ok = 0;
913 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
914 data->mschapv2_ident = response[0];
918 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
919 struct eap_ttls_data *data,
922 if (data->phase2_priv && data->phase2_method) {
923 data->phase2_method->reset(sm, data->phase2_priv);
924 data->phase2_method = NULL;
925 data->phase2_priv = NULL;
927 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
929 if (!data->phase2_method)
933 data->phase2_priv = data->phase2_method->init(sm);
935 return data->phase2_priv == NULL ? -1 : 0;
939 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
940 struct eap_ttls_data *data,
941 u8 *in_data, size_t in_len)
943 u8 next_type = EAP_TYPE_NONE;
948 const struct eap_method *m = data->phase2_method;
949 void *priv = data->phase2_priv;
952 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
953 "initialized?!", __func__);
957 hdr = (struct eap_hdr *) in_data;
958 pos = (u8 *) (hdr + 1);
960 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
961 left = in_len - sizeof(*hdr);
962 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
963 "allowed types", pos + 1, left - 1);
964 eap_sm_process_nak(sm, pos + 1, left - 1);
965 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
966 sm->user->methods[sm->user_eap_method_index].method !=
968 next_type = sm->user->methods[
969 sm->user_eap_method_index++].method;
970 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
972 if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
973 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
974 "initialize EAP type %d",
976 eap_ttls_state(data, FAILURE);
980 eap_ttls_state(data, FAILURE);
985 wpabuf_set(&buf, in_data, in_len);
987 if (m->check(sm, priv, &buf)) {
988 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
989 "ignore the packet");
993 m->process(sm, priv, &buf);
995 if (sm->method_pending == METHOD_PENDING_WAIT) {
996 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
997 "pending wait state - save decrypted response");
998 wpabuf_free(data->pending_phase2_eap_resp);
999 data->pending_phase2_eap_resp = wpabuf_dup(&buf);
1002 if (!m->isDone(sm, priv))
1005 if (!m->isSuccess(sm, priv)) {
1006 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
1007 eap_ttls_state(data, FAILURE);
1011 switch (data->state) {
1013 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1014 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
1015 "Identity not found in the user "
1017 sm->identity, sm->identity_len);
1018 eap_ttls_state(data, FAILURE);
1022 eap_ttls_state(data, PHASE2_METHOD);
1023 next_type = sm->user->methods[0].method;
1024 sm->user_eap_method_index = 1;
1025 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
1026 if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
1027 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
1028 "EAP type %d", next_type);
1029 eap_ttls_state(data, FAILURE);
1033 if (data->ttls_version > 0) {
1037 key = m->getKey(sm, priv, &key_len);
1038 eap_ttls_ia_permute_inner_secret(sm, data,
1041 eap_ttls_state(data, PHASE_FINISHED);
1043 eap_ttls_state(data, SUCCESS);
1048 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
1049 __func__, data->state);
1055 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
1056 struct eap_ttls_data *data,
1057 const u8 *eap, size_t eap_len)
1059 struct eap_hdr *hdr;
1062 if (data->state == PHASE2_START) {
1063 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
1064 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
1066 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
1067 "initialize EAP-Identity");
1072 if (eap_len < sizeof(*hdr)) {
1073 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
1074 "packet (len=%lu)", (unsigned long) eap_len);
1078 hdr = (struct eap_hdr *) eap;
1079 len = be_to_host16(hdr->length);
1080 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
1081 "identifier=%d length=%lu", hdr->code, hdr->identifier,
1082 (unsigned long) len);
1083 if (len > eap_len) {
1084 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
1085 " EAP frame (hdr len=%lu, data len in AVP=%lu)",
1086 (unsigned long) len, (unsigned long) eap_len);
1090 switch (hdr->code) {
1091 case EAP_CODE_RESPONSE:
1092 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
1096 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
1097 "Phase 2 EAP header", hdr->code);
1103 static void eap_ttls_process_phase2(struct eap_sm *sm,
1104 struct eap_ttls_data *data,
1105 struct wpabuf *in_buf)
1107 struct wpabuf *in_decrypted;
1108 struct eap_ttls_avp parse;
1110 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1111 " Phase 2", (unsigned long) wpabuf_len(in_buf));
1113 if (data->pending_phase2_eap_resp) {
1114 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1115 "- skip decryption and use old data");
1116 eap_ttls_process_phase2_eap(
1117 sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1118 wpabuf_len(data->pending_phase2_eap_resp));
1119 wpabuf_free(data->pending_phase2_eap_resp);
1120 data->pending_phase2_eap_resp = NULL;
1124 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1126 if (in_decrypted == NULL) {
1127 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1129 eap_ttls_state(data, FAILURE);
1133 if (data->state == PHASE_FINISHED) {
1134 if (wpabuf_len(in_decrypted) == 0 &&
1135 tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1137 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished "
1139 eap_ttls_state(data, SUCCESS);
1141 wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid "
1142 "FinalPhaseFinished");
1143 eap_ttls_state(data, FAILURE);
1146 wpabuf_free(in_decrypted);
1150 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1153 if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
1154 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1155 wpabuf_free(in_decrypted);
1156 eap_ttls_state(data, FAILURE);
1160 if (parse.user_name) {
1161 os_free(sm->identity);
1162 sm->identity = os_malloc(parse.user_name_len);
1164 os_memcpy(sm->identity, parse.user_name,
1165 parse.user_name_len);
1166 sm->identity_len = parse.user_name_len;
1168 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1170 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1171 "found in the user database");
1172 eap_ttls_state(data, FAILURE);
1177 #ifdef EAP_SERVER_TNC
1178 if (data->tnc_started && parse.eap == NULL) {
1179 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1180 "response from peer");
1181 eap_ttls_state(data, FAILURE);
1184 #endif /* EAP_SERVER_TNC */
1187 eap_ttls_process_phase2_eap(sm, data, parse.eap,
1189 } else if (parse.user_password) {
1190 eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1191 parse.user_password_len);
1192 } else if (parse.chap_password) {
1193 eap_ttls_process_phase2_chap(sm, data,
1194 parse.chap_challenge,
1195 parse.chap_challenge_len,
1196 parse.chap_password,
1197 parse.chap_password_len);
1198 } else if (parse.mschap_response) {
1199 eap_ttls_process_phase2_mschap(sm, data,
1200 parse.mschap_challenge,
1201 parse.mschap_challenge_len,
1202 parse.mschap_response,
1203 parse.mschap_response_len);
1204 } else if (parse.mschap2_response) {
1205 eap_ttls_process_phase2_mschapv2(sm, data,
1206 parse.mschap_challenge,
1207 parse.mschap_challenge_len,
1208 parse.mschap2_response,
1209 parse.mschap2_response_len);
1213 wpabuf_free(in_decrypted);
1218 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1220 #ifdef EAP_SERVER_TNC
1221 if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1224 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1225 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1226 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1227 eap_ttls_state(data, FAILURE);
1231 data->tnc_started = 1;
1232 eap_ttls_state(data, PHASE2_METHOD);
1233 #endif /* EAP_SERVER_TNC */
1237 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1240 struct eap_ttls_data *data = priv;
1241 if (peer_version < data->ttls_version) {
1242 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1244 peer_version, data->ttls_version, peer_version);
1245 data->ttls_version = peer_version;
1248 if (data->ttls_version > 0 && !data->tls_ia_configured) {
1249 if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) {
1250 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable "
1254 data->tls_ia_configured = 1;
1261 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1262 const struct wpabuf *respData)
1264 struct eap_ttls_data *data = priv;
1266 switch (data->state) {
1268 if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1269 eap_ttls_state(data, FAILURE);
1273 case PHASE_FINISHED:
1274 eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1275 eap_ttls_start_tnc(sm, data);
1277 case PHASE2_MSCHAPV2_RESP:
1278 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1280 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1281 "acknowledged response");
1282 eap_ttls_state(data, data->ttls_version > 0 ?
1283 PHASE_FINISHED : SUCCESS);
1284 } else if (!data->mschapv2_resp_ok) {
1285 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1286 "acknowledged error");
1287 eap_ttls_state(data, FAILURE);
1289 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1290 "frame from peer (payload len %lu, "
1291 "expected empty frame)",
1293 wpabuf_len(data->ssl.tls_in));
1294 eap_ttls_state(data, FAILURE);
1296 eap_ttls_start_tnc(sm, data);
1299 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1300 data->state, __func__);
1306 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1307 struct wpabuf *respData)
1309 struct eap_ttls_data *data = priv;
1310 if (eap_server_tls_process(sm, &data->ssl, respData, data,
1311 EAP_TYPE_TTLS, eap_ttls_process_version,
1312 eap_ttls_process_msg) < 0)
1313 eap_ttls_state(data, FAILURE);
1317 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1319 struct eap_ttls_data *data = priv;
1320 return data->state == SUCCESS || data->state == FAILURE;
1324 static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm,
1325 struct eap_ttls_data *data)
1327 struct tls_keys keys;
1330 os_memset(&keys, 0, sizeof(keys));
1331 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
1332 keys.client_random == NULL || keys.server_random == NULL ||
1333 keys.inner_secret == NULL) {
1334 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
1335 "client random, or server random to derive keying "
1340 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
1341 key = os_malloc(EAP_TLS_KEY_LEN);
1342 if (rnd == NULL || key == NULL) {
1343 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
1348 os_memcpy(rnd, keys.client_random, keys.client_random_len);
1349 os_memcpy(rnd + keys.client_random_len, keys.server_random,
1350 keys.server_random_len);
1352 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
1353 "ttls v1 keying material", rnd, keys.client_random_len +
1354 keys.server_random_len, key, EAP_TLS_KEY_LEN)) {
1355 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1361 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
1362 rnd, keys.client_random_len + keys.server_random_len);
1363 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
1364 keys.inner_secret, keys.inner_secret_len);
1372 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1374 struct eap_ttls_data *data = priv;
1377 if (data->state != SUCCESS)
1380 if (data->ttls_version == 0) {
1381 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1382 "ttls keying material",
1385 eapKeyData = eap_ttls_v1_derive_key(sm, data);
1389 *len = EAP_TLS_KEY_LEN;
1390 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1391 eapKeyData, EAP_TLS_KEY_LEN);
1393 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1400 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1402 struct eap_ttls_data *data = priv;
1403 return data->state == SUCCESS;
1407 int eap_server_ttls_register(void)
1409 struct eap_method *eap;
1412 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1413 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1417 eap->init = eap_ttls_init;
1418 eap->reset = eap_ttls_reset;
1419 eap->buildReq = eap_ttls_buildReq;
1420 eap->check = eap_ttls_check;
1421 eap->process = eap_ttls_process;
1422 eap->isDone = eap_ttls_isDone;
1423 eap->getKey = eap_ttls_getKey;
1424 eap->isSuccess = eap_ttls_isSuccess;
1426 ret = eap_server_method_register(eap);
1428 eap_server_method_free(eap);