2 * EAP peer method: EAP-TTLS (draft-ietf-pppext-eap-ttls-03.txt)
3 * Copyright (c) 2004-2006, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
19 #include "eap_tls_common.h"
20 #include "config_ssid.h"
28 /* Maximum supported PEAP version
29 * 0 = draft-ietf-pppext-eap-ttls-03.txt / draft-funk-eap-ttls-v0-00.txt
30 * 1 = draft-funk-eap-ttls-v1-00.txt
32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
35 #define MSCHAPV2_KEY_LEN 16
38 static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
41 struct eap_ttls_data {
42 struct eap_ssl_data ssl;
45 int ttls_version, force_ttls_version;
47 const struct eap_method *phase2_method;
54 EAP_TTLS_PHASE2_MSCHAPV2,
55 EAP_TTLS_PHASE2_MSCHAP,
59 struct eap_method_type phase2_eap_type;
60 struct eap_method_type *phase2_eap_types;
61 size_t num_phase2_eap_types;
64 int auth_response_valid;
66 int resuming; /* starting a resumed session */
67 int reauth; /* reauthentication */
70 u8 *pending_phase2_req;
71 size_t pending_phase2_req_len;
75 static void * eap_ttls_init(struct eap_sm *sm)
77 struct eap_ttls_data *data;
78 struct wpa_ssid *config = eap_get_config(sm);
81 data = os_zalloc(sizeof(*data));
84 data->ttls_version = EAP_TTLS_VERSION;
85 data->force_ttls_version = -1;
87 data->phase2_type = EAP_TTLS_PHASE2_EAP;
89 if (config && config->phase1) {
90 char *pos = os_strstr(config->phase1, "ttlsver=");
92 data->force_ttls_version = atoi(pos + 8);
93 data->ttls_version = data->force_ttls_version;
94 wpa_printf(MSG_DEBUG, "EAP-TTLS: Forced TTLS version "
95 "%d", data->force_ttls_version);
99 if (config && config->phase2) {
100 if (os_strstr(config->phase2, "autheap=")) {
102 data->phase2_type = EAP_TTLS_PHASE2_EAP;
103 } else if (os_strstr(config->phase2, "auth=MSCHAPV2")) {
104 selected = "MSCHAPV2";
105 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
106 } else if (os_strstr(config->phase2, "auth=MSCHAP")) {
108 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
109 } else if (os_strstr(config->phase2, "auth=PAP")) {
111 data->phase2_type = EAP_TTLS_PHASE2_PAP;
112 } else if (os_strstr(config->phase2, "auth=CHAP")) {
114 data->phase2_type = EAP_TTLS_PHASE2_CHAP;
117 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
119 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
120 if (config && config->phase2) {
121 char *start, *pos, *buf;
122 struct eap_method_type *methods = NULL, *_methods;
124 size_t num_methods = 0;
125 start = buf = os_strdup(config->phase2);
127 eap_ttls_deinit(sm, data);
130 while (start && *start != '\0') {
132 pos = os_strstr(start, "autheap=");
135 if (start != pos && *(pos - 1) != ' ') {
141 pos = os_strchr(start, ' ');
144 method = eap_get_phase2_type(start, &vendor);
145 if (vendor == EAP_VENDOR_IETF &&
146 method == EAP_TYPE_NONE) {
147 wpa_printf(MSG_ERROR, "EAP-TTLS: "
148 "Unsupported Phase2 EAP "
149 "method '%s'", start);
152 _methods = os_realloc(
153 methods, num_methods *
155 if (_methods == NULL) {
158 eap_ttls_deinit(sm, data);
162 methods[num_methods - 1].vendor =
164 methods[num_methods - 1].method =
171 data->phase2_eap_types = methods;
172 data->num_phase2_eap_types = num_methods;
174 if (data->phase2_eap_types == NULL) {
175 data->phase2_eap_types = eap_get_phase2_types(
176 config, &data->num_phase2_eap_types);
178 if (data->phase2_eap_types == NULL) {
179 wpa_printf(MSG_ERROR, "EAP-TTLS: No Phase2 EAP method "
181 eap_ttls_deinit(sm, data);
184 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase2 EAP types",
185 (u8 *) data->phase2_eap_types,
186 data->num_phase2_eap_types *
187 sizeof(struct eap_method_type));
188 data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
189 data->phase2_eap_type.method = EAP_TYPE_NONE;
192 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
193 data->ttls_version > 0) {
194 if (data->force_ttls_version > 0) {
195 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
196 "TLS library does not support TLS/IA.",
197 data->force_ttls_version);
198 eap_ttls_deinit(sm, data);
201 data->ttls_version = 0;
208 static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
210 struct eap_ttls_data *data = priv;
213 if (data->phase2_priv && data->phase2_method)
214 data->phase2_method->deinit(sm, data->phase2_priv);
215 os_free(data->phase2_eap_types);
216 if (data->ssl_initialized)
217 eap_tls_ssl_deinit(sm, &data->ssl);
218 os_free(data->key_data);
219 os_free(data->pending_phase2_req);
224 static int eap_ttls_encrypt(struct eap_sm *sm, struct eap_ttls_data *data,
225 int id, const u8 *plain, size_t plain_len,
226 u8 **out_data, size_t *out_len)
230 struct eap_hdr *resp;
232 /* TODO: add support for fragmentation, if needed. This will need to
233 * add TLS Message Length field, if the frame is fragmented. */
234 resp = os_malloc(sizeof(struct eap_hdr) + 2 + data->ssl.tls_out_limit);
238 resp->code = EAP_CODE_RESPONSE;
239 resp->identifier = id;
241 pos = (u8 *) (resp + 1);
242 *pos++ = EAP_TYPE_TTLS;
243 *pos++ = data->ttls_version;
245 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
247 pos, data->ssl.tls_out_limit);
249 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 "
255 *out_len = sizeof(struct eap_hdr) + 2 + res;
256 resp->length = host_to_be16(*out_len);
257 *out_data = (u8 *) resp;
262 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
263 int mandatory, size_t len)
265 struct ttls_avp_vendor *avp;
269 avp = (struct ttls_avp_vendor *) avphdr;
270 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
272 flags |= AVP_FLAGS_VENDOR;
273 hdrlen = sizeof(*avp);
274 avp->vendor_id = host_to_be32(vendor_id);
276 hdrlen = sizeof(struct ttls_avp);
279 avp->avp_code = host_to_be32(avp_code);
280 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
282 return avphdr + hdrlen;
286 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
287 u32 vendor_id, int mandatory,
288 u8 *data, size_t len)
291 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
292 os_memcpy(pos, data, len);
299 static int eap_ttls_avp_encapsulate(u8 **resp, size_t *resp_len, u32 avp_code,
304 avp = os_malloc(sizeof(struct ttls_avp) + *resp_len + 4);
312 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, *resp_len);
313 os_memcpy(pos, *resp, *resp_len);
318 *resp_len = pos - avp;
323 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
324 struct eap_ttls_data *data,
325 const u8 *key, size_t key_len)
332 buf_len = 2 + key_len;
333 buf = os_malloc(buf_len);
336 WPA_PUT_BE16(buf, key_len);
337 os_memcpy(buf + 2, key, key_len);
343 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
344 "secret permutation", buf, buf_len);
345 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
354 static int eap_ttls_v0_derive_key(struct eap_sm *sm,
355 struct eap_ttls_data *data)
357 os_free(data->key_data);
358 data->key_data = eap_tls_derive_key(sm, &data->ssl,
359 "ttls keying material",
361 if (!data->key_data) {
362 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
366 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
367 data->key_data, EAP_TLS_KEY_LEN);
373 static int eap_ttls_v1_derive_key(struct eap_sm *sm,
374 struct eap_ttls_data *data)
376 struct tls_keys keys;
379 os_free(data->key_data);
380 data->key_data = NULL;
382 os_memset(&keys, 0, sizeof(keys));
383 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
384 keys.client_random == NULL || keys.server_random == NULL ||
385 keys.inner_secret == NULL) {
386 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
387 "client random, or server random to derive keying "
392 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
393 data->key_data = os_malloc(EAP_TLS_KEY_LEN);
394 if (rnd == NULL || data->key_data == NULL) {
395 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
397 os_free(data->key_data);
398 data->key_data = NULL;
401 os_memcpy(rnd, keys.client_random, keys.client_random_len);
402 os_memcpy(rnd + keys.client_random_len, keys.server_random,
403 keys.server_random_len);
405 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
406 "ttls v1 keying material", rnd, keys.client_random_len +
407 keys.server_random_len, data->key_data, EAP_TLS_KEY_LEN)) {
408 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
410 os_free(data->key_data);
411 data->key_data = NULL;
415 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
416 rnd, keys.client_random_len + keys.server_random_len);
417 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
418 keys.inner_secret, keys.inner_secret_len);
422 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
423 data->key_data, EAP_TLS_KEY_LEN);
429 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
430 struct eap_ttls_data *data, size_t len)
432 struct tls_keys keys;
435 if (data->ttls_version == 0) {
436 return eap_tls_derive_key(sm, &data->ssl, "ttls challenge",
440 os_memset(&keys, 0, sizeof(keys));
441 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
442 keys.client_random == NULL || keys.server_random == NULL ||
443 keys.inner_secret == NULL) {
444 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
445 "client random, or server random to derive "
446 "implicit challenge");
450 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
451 challenge = os_malloc(len);
452 if (rnd == NULL || challenge == NULL) {
453 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
454 "challenge derivation");
459 os_memcpy(rnd, keys.server_random, keys.server_random_len);
460 os_memcpy(rnd + keys.server_random_len, keys.client_random,
461 keys.client_random_len);
463 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
464 "inner application challenge", rnd,
465 keys.client_random_len + keys.server_random_len,
467 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
476 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
483 static int eap_ttls_phase2_nak(struct eap_ttls_data *data, struct eap_hdr *hdr,
484 u8 **resp, size_t *resp_len)
486 struct eap_hdr *resp_hdr;
487 u8 *pos = (u8 *) (hdr + 1);
490 /* TODO: add support for expanded Nak */
491 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 Request: Nak type=%d", *pos);
492 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Allowed Phase2 EAP types",
493 (u8 *) data->phase2_eap_types, data->num_phase2_eap_types *
494 sizeof(struct eap_method_type));
495 *resp_len = sizeof(struct eap_hdr) + 1;
496 *resp = os_malloc(*resp_len + data->num_phase2_eap_types);
500 resp_hdr = (struct eap_hdr *) (*resp);
501 resp_hdr->code = EAP_CODE_RESPONSE;
502 resp_hdr->identifier = hdr->identifier;
503 pos = (u8 *) (resp_hdr + 1);
504 *pos++ = EAP_TYPE_NAK;
505 for (i = 0; i < data->num_phase2_eap_types; i++) {
506 if (data->phase2_eap_types[i].vendor == EAP_VENDOR_IETF &&
507 data->phase2_eap_types[i].method < 256) {
509 *pos++ = data->phase2_eap_types[i].method;
512 resp_hdr->length = host_to_be16(*resp_len);
518 static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
519 struct eap_ttls_data *data,
520 struct eap_method_ret *ret,
522 u8 **resp, size_t *resp_len)
524 size_t len = be_to_host16(hdr->length);
526 struct eap_method_ret iret;
527 struct wpa_ssid *config = eap_get_config(sm);
529 if (len <= sizeof(struct eap_hdr)) {
530 wpa_printf(MSG_INFO, "EAP-TTLS: too short "
531 "Phase 2 request (len=%lu)", (unsigned long) len);
534 pos = (u8 *) (hdr + 1);
535 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
537 case EAP_TYPE_IDENTITY:
538 *resp = eap_sm_buildIdentity(sm, hdr->identifier, resp_len, 1);
541 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
542 data->phase2_eap_type.method == EAP_TYPE_NONE) {
544 for (i = 0; i < data->num_phase2_eap_types; i++) {
545 if (data->phase2_eap_types[i].vendor !=
547 data->phase2_eap_types[i].method != *pos)
550 data->phase2_eap_type.vendor =
551 data->phase2_eap_types[i].vendor;
552 data->phase2_eap_type.method =
553 data->phase2_eap_types[i].method;
554 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
555 "Phase 2 EAP vendor %d method %d",
556 data->phase2_eap_type.vendor,
557 data->phase2_eap_type.method);
561 if (*pos != data->phase2_eap_type.method ||
562 *pos == EAP_TYPE_NONE) {
563 if (eap_ttls_phase2_nak(data, hdr, resp, resp_len))
568 if (data->phase2_priv == NULL) {
569 data->phase2_method = eap_sm_get_eap_methods(
570 EAP_VENDOR_IETF, *pos);
571 if (data->phase2_method) {
573 sm->mschapv2_full_key = 1;
575 data->phase2_method->init(sm);
577 sm->mschapv2_full_key = 0;
580 if (data->phase2_priv == NULL || data->phase2_method == NULL) {
581 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize "
582 "Phase 2 EAP method %d", *pos);
585 os_memset(&iret, 0, sizeof(iret));
586 *resp = data->phase2_method->process(sm, data->phase2_priv,
587 &iret, (u8 *) hdr, len,
589 if ((iret.methodState == METHOD_DONE ||
590 iret.methodState == METHOD_MAY_CONT) &&
591 (iret.decision == DECISION_UNCOND_SUCC ||
592 iret.decision == DECISION_COND_SUCC ||
593 iret.decision == DECISION_FAIL)) {
594 ret->methodState = iret.methodState;
595 ret->decision = iret.decision;
597 if (data->ttls_version > 0) {
598 const struct eap_method *m = data->phase2_method;
599 void *priv = data->phase2_priv;
601 /* TTLSv1 requires TLS/IA FinalPhaseFinished */
602 if (ret->decision == DECISION_UNCOND_SUCC)
603 ret->decision = DECISION_COND_SUCC;
604 ret->methodState = METHOD_CONT;
606 if (ret->decision == DECISION_COND_SUCC &&
607 m->isKeyAvailable && m->getKey &&
608 m->isKeyAvailable(sm, priv)) {
611 key = m->getKey(sm, priv, &key_len);
613 eap_ttls_ia_permute_inner_secret(
614 sm, data, key, key_len);
623 (config->pending_req_identity || config->pending_req_password ||
624 config->pending_req_otp)) {
631 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
633 return eap_ttls_avp_encapsulate(resp, resp_len,
634 RADIUS_ATTR_EAP_MESSAGE, 1);
638 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
639 struct eap_ttls_data *data,
640 struct eap_method_ret *ret,
641 u8 **resp, size_t *resp_len)
643 struct wpa_ssid *config = eap_get_config(sm);
644 u8 *buf, *pos, *challenge, *username, *peer_challenge;
645 size_t username_len, i;
647 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
649 /* MSCHAPv2 does not include optional domain name in the
650 * challenge-response calculation, so remove domain prefix
652 username = config->identity;
653 username_len = config->identity_len;
655 for (i = 0; i < username_len; i++) {
656 if (username[i] == '\\') {
657 username_len -= i + 1;
663 pos = buf = os_malloc(config->identity_len + 1000);
665 wpa_printf(MSG_ERROR,
666 "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
671 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
672 config->identity, config->identity_len);
674 /* MS-CHAP-Challenge */
675 challenge = eap_ttls_implicit_challenge(
676 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
677 if (challenge == NULL) {
679 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
680 "implicit challenge");
683 peer_challenge = challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
685 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
686 RADIUS_VENDOR_ID_MICROSOFT, 1,
687 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
689 /* MS-CHAP2-Response */
690 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
691 RADIUS_VENDOR_ID_MICROSOFT, 1,
692 EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
693 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
694 *pos++ = data->ident;
695 *pos++ = 0; /* Flags */
696 os_memcpy(pos, peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
697 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
698 os_memset(pos, 0, 8); /* Reserved, must be zero */
700 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: implicit auth_challenge",
701 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
702 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: peer_challenge",
703 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
704 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 username",
705 username, username_len);
706 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 password",
707 config->password, config->password_len);
708 generate_nt_response(challenge, peer_challenge,
709 username, username_len,
710 config->password, config->password_len,
712 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 response", pos, 24);
713 generate_authenticator_response(config->password, config->password_len,
714 peer_challenge, challenge,
715 username, username_len,
716 pos, data->auth_response);
717 data->auth_response_valid = 1;
719 if (data->ttls_version > 0) {
720 u8 pw_hash[16], pw_hash_hash[16], master_key[16];
721 u8 session_key[2 * MSCHAPV2_KEY_LEN];
722 nt_password_hash(config->password, config->password_len,
724 hash_nt_password_hash(pw_hash, pw_hash_hash);
725 get_master_key(pw_hash_hash, pos /* nt_response */,
727 get_asymetric_start_key(master_key, session_key,
728 MSCHAPV2_KEY_LEN, 0, 0);
729 get_asymetric_start_key(master_key,
730 session_key + MSCHAPV2_KEY_LEN,
731 MSCHAPV2_KEY_LEN, 1, 0);
732 eap_ttls_ia_permute_inner_secret(sm, data,
734 sizeof(session_key));
742 *resp_len = pos - buf;
744 if (sm->workaround && data->ttls_version == 0) {
745 /* At least FreeRADIUS seems to be terminating
746 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
748 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
749 "allow success without tunneled response");
750 ret->methodState = METHOD_MAY_CONT;
751 ret->decision = DECISION_COND_SUCC;
758 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
759 struct eap_ttls_data *data,
760 struct eap_method_ret *ret,
761 u8 **resp, size_t *resp_len)
763 struct wpa_ssid *config = eap_get_config(sm);
764 u8 *buf, *pos, *challenge;
766 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
768 pos = buf = os_malloc(config->identity_len + 1000);
770 wpa_printf(MSG_ERROR,
771 "EAP-TTLS/MSCHAP: Failed to allocate memory");
776 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
777 config->identity, config->identity_len);
779 /* MS-CHAP-Challenge */
780 challenge = eap_ttls_implicit_challenge(
781 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
782 if (challenge == NULL) {
784 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
785 "implicit challenge");
789 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
790 RADIUS_VENDOR_ID_MICROSOFT, 1,
791 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
793 /* MS-CHAP-Response */
794 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
795 RADIUS_VENDOR_ID_MICROSOFT, 1,
796 EAP_TTLS_MSCHAP_RESPONSE_LEN);
797 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
798 *pos++ = data->ident;
799 *pos++ = 1; /* Flags: Use NT style passwords */
800 os_memset(pos, 0, 24); /* LM-Response */
802 nt_challenge_response(challenge,
803 config->password, config->password_len,
804 pos); /* NT-Response */
805 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
806 config->password, config->password_len);
807 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
808 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
809 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
815 *resp_len = pos - buf;
817 if (data->ttls_version > 0) {
818 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
819 * so do not allow connection to be terminated yet. */
820 ret->methodState = METHOD_CONT;
821 ret->decision = DECISION_COND_SUCC;
823 /* EAP-TTLS/MSCHAP does not provide tunneled success
824 * notification, so assume that Phase2 succeeds. */
825 ret->methodState = METHOD_DONE;
826 ret->decision = DECISION_COND_SUCC;
833 static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
834 struct eap_ttls_data *data,
835 struct eap_method_ret *ret,
836 u8 **resp, size_t *resp_len)
838 struct wpa_ssid *config = eap_get_config(sm);
842 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
844 pos = buf = os_malloc(config->identity_len + config->password_len +
847 wpa_printf(MSG_ERROR,
848 "EAP-TTLS/PAP: Failed to allocate memory");
853 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
854 config->identity, config->identity_len);
856 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
857 * the data, so no separate encryption is used in the AVP itself.
858 * However, the password is padded to obfuscate its length. */
859 pad = (16 - (config->password_len & 15)) & 15;
860 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
861 config->password_len + pad);
862 os_memcpy(pos, config->password, config->password_len);
863 pos += config->password_len;
864 os_memset(pos, 0, pad);
869 *resp_len = pos - buf;
871 if (data->ttls_version > 0) {
872 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
873 * so do not allow connection to be terminated yet. */
874 ret->methodState = METHOD_CONT;
875 ret->decision = DECISION_COND_SUCC;
877 /* EAP-TTLS/PAP does not provide tunneled success notification,
878 * so assume that Phase2 succeeds. */
879 ret->methodState = METHOD_DONE;
880 ret->decision = DECISION_COND_SUCC;
887 static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
888 struct eap_ttls_data *data,
889 struct eap_method_ret *ret,
890 u8 **resp, size_t *resp_len)
892 struct wpa_ssid *config = eap_get_config(sm);
893 u8 *buf, *pos, *challenge;
897 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
899 pos = buf = os_malloc(config->identity_len + 1000);
901 wpa_printf(MSG_ERROR,
902 "EAP-TTLS/CHAP: Failed to allocate memory");
907 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
908 config->identity, config->identity_len);
911 challenge = eap_ttls_implicit_challenge(
912 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
913 if (challenge == NULL) {
915 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
916 "implicit challenge");
920 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
921 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
924 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
925 1 + EAP_TTLS_CHAP_PASSWORD_LEN);
926 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
927 *pos++ = data->ident;
929 /* MD5(Ident + Password + Challenge) */
930 addr[0] = &data->ident;
932 addr[1] = config->password;
933 len[1] = config->password_len;
935 len[2] = EAP_TTLS_CHAP_CHALLENGE_LEN;
936 md5_vector(3, addr, len, pos);
938 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
939 config->identity, config->identity_len);
940 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
941 config->password, config->password_len);
942 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
943 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
944 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
945 pos, EAP_TTLS_CHAP_PASSWORD_LEN);
946 pos += EAP_TTLS_CHAP_PASSWORD_LEN;
951 *resp_len = pos - buf;
953 if (data->ttls_version > 0) {
954 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
955 * so do not allow connection to be terminated yet. */
956 ret->methodState = METHOD_CONT;
957 ret->decision = DECISION_COND_SUCC;
959 /* EAP-TTLS/CHAP does not provide tunneled success
960 * notification, so assume that Phase2 succeeds. */
961 ret->methodState = METHOD_DONE;
962 ret->decision = DECISION_COND_SUCC;
969 static int eap_ttls_phase2_request(struct eap_sm *sm,
970 struct eap_ttls_data *data,
971 struct eap_method_ret *ret,
972 const struct eap_hdr *req,
974 u8 **resp, size_t *resp_len)
979 if (data->phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
980 data->phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
981 data->phase2_type == EAP_TTLS_PHASE2_PAP ||
982 data->phase2_type == EAP_TTLS_PHASE2_CHAP) {
983 if (eap_get_config_identity(sm, &len) == NULL) {
985 "EAP-TTLS: Identity not configured");
986 eap_sm_request_identity(sm);
987 if (eap_get_config_password(sm, &len) == NULL)
988 eap_sm_request_password(sm);
992 if (eap_get_config_password(sm, &len) == NULL) {
994 "EAP-TTLS: Password not configured");
995 eap_sm_request_password(sm);
1000 switch (data->phase2_type) {
1001 case EAP_TTLS_PHASE2_EAP:
1002 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr,
1005 case EAP_TTLS_PHASE2_MSCHAPV2:
1006 res = eap_ttls_phase2_request_mschapv2(sm, data, ret,
1009 case EAP_TTLS_PHASE2_MSCHAP:
1010 res = eap_ttls_phase2_request_mschap(sm, data, ret,
1013 case EAP_TTLS_PHASE2_PAP:
1014 res = eap_ttls_phase2_request_pap(sm, data, ret,
1017 case EAP_TTLS_PHASE2_CHAP:
1018 res = eap_ttls_phase2_request_chap(sm, data, ret,
1022 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
1028 ret->methodState = METHOD_DONE;
1029 ret->decision = DECISION_FAIL;
1036 static u8 * eap_ttls_build_phase_finished(struct eap_sm *sm,
1037 struct eap_ttls_data *data,
1042 struct eap_hdr *req;
1044 const int max_len = 300;
1046 len = sizeof(struct eap_hdr) + 2 + max_len;
1047 req = os_malloc(len);
1051 req->code = EAP_CODE_RESPONSE;
1052 req->identifier = id;
1054 pos = (u8 *) (req + 1);
1055 *pos++ = EAP_TYPE_TTLS;
1056 *pos++ = data->ttls_version;
1058 len = tls_connection_ia_send_phase_finished(sm->ssl_ctx,
1060 final, pos, max_len);
1066 *reqDataLen = sizeof(struct eap_hdr) + 2 + len;
1067 req->length = host_to_be16(*reqDataLen);
1073 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1074 struct eap_method_ret *ret,
1075 const struct eap_hdr *req,
1076 const u8 *in_data, size_t in_len,
1077 u8 **out_data, size_t *out_len)
1079 u8 *in_decrypted = NULL, *pos;
1080 int res, retval = 0;
1081 struct eap_hdr *hdr = NULL;
1082 u8 *resp = NULL, *mschapv2 = NULL, *eapdata = NULL;
1083 size_t resp_len, eap_len = 0, len_decrypted = 0, len, buf_len, left;
1084 struct ttls_avp *avp;
1085 u8 recv_response[20];
1086 int mschapv2_error = 0;
1087 struct wpa_ssid *config = eap_get_config(sm);
1090 int need_more_input;
1092 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1093 " Phase 2", (unsigned long) in_len);
1095 if (data->pending_phase2_req) {
1096 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1097 "skip decryption and use old data");
1098 /* Clear TLS reassembly state. */
1099 os_free(data->ssl.tls_in);
1100 data->ssl.tls_in = NULL;
1101 data->ssl.tls_in_len = 0;
1102 data->ssl.tls_in_left = 0;
1103 data->ssl.tls_in_total = 0;
1105 in_decrypted = data->pending_phase2_req;
1106 data->pending_phase2_req = NULL;
1107 len_decrypted = data->pending_phase2_req_len;
1108 if (data->pending_phase2_req_len == 0) {
1109 os_free(in_decrypted);
1110 in_decrypted = NULL;
1111 goto fake_req_identity;
1116 if (in_len == 0 && data->phase2_start) {
1117 data->phase2_start = 0;
1118 /* EAP-TTLS does not use Phase2 on fast re-auth; this must be
1119 * done only if TLS part was indeed resuming a previous
1120 * session. Most Authentication Servers terminate EAP-TTLS
1121 * before reaching this point, but some do not. Make
1122 * wpa_supplicant stop phase 2 here, if needed. */
1124 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1125 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1127 *out_data = eap_tls_build_ack(&data->ssl, out_len,
1130 ret->methodState = METHOD_DONE;
1131 ret->decision = DECISION_UNCOND_SUCC;
1132 data->phase2_success = 1;
1136 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
1137 "Phase 2 - use fake EAP-Request Identity");
1138 buf_len = sizeof(*hdr) + 1;
1139 in_decrypted = os_malloc(buf_len);
1140 if (in_decrypted == NULL) {
1141 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
1142 "memory for fake EAP-Identity Request");
1146 hdr = (struct eap_hdr *) in_decrypted;
1147 hdr->code = EAP_CODE_REQUEST;
1148 hdr->identifier = 0;
1149 hdr->length = host_to_be16(sizeof(*hdr) + 1);
1150 in_decrypted[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
1154 msg = eap_tls_data_reassemble(sm, &data->ssl, in_data, in_len,
1155 &msg_len, &need_more_input);
1157 return need_more_input ? 1 : -1;
1160 if (data->ssl.tls_in_total > buf_len)
1161 buf_len = data->ssl.tls_in_total;
1162 in_decrypted = os_malloc(buf_len);
1163 if (in_decrypted == NULL) {
1164 os_free(data->ssl.tls_in);
1165 data->ssl.tls_in = NULL;
1166 data->ssl.tls_in_len = 0;
1167 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
1173 res = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1174 msg, msg_len, in_decrypted, buf_len);
1175 os_free(data->ssl.tls_in);
1176 data->ssl.tls_in = NULL;
1177 data->ssl.tls_in_len = 0;
1179 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1184 len_decrypted = res;
1186 if (data->ttls_version > 0 && len_decrypted == 0 &&
1187 tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1189 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished received");
1190 wpa_printf(MSG_INFO, "EAP-TTLS: TLS/IA authentication "
1192 ret->methodState = METHOD_DONE;
1193 ret->decision = DECISION_UNCOND_SUCC;
1194 data->phase2_success = 1;
1195 *out_data = eap_ttls_build_phase_finished(sm, data,
1198 eap_ttls_v1_derive_key(sm, data);
1203 data->phase2_start = 0;
1205 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs",
1206 in_decrypted, len_decrypted);
1207 if (len_decrypted < sizeof(struct ttls_avp)) {
1208 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
1209 " len=%lu expected %lu or more - dropped",
1210 (unsigned long) len_decrypted,
1211 (unsigned long) sizeof(struct ttls_avp));
1218 left = len_decrypted;
1222 u32 avp_code, avp_length, vendor_id = 0;
1223 u8 avp_flags, *dpos;
1225 avp = (struct ttls_avp *) pos;
1226 avp_code = be_to_host32(avp->avp_code);
1227 avp_length = be_to_host32(avp->avp_length);
1228 avp_flags = (avp_length >> 24) & 0xff;
1229 avp_length &= 0xffffff;
1230 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
1231 "length=%d", (int) avp_code, avp_flags,
1233 if (avp_length > left) {
1234 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
1235 "(len=%d, left=%lu) - dropped",
1236 (int) avp_length, (unsigned long) left);
1240 if (avp_length < sizeof(*avp)) {
1241 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
1246 dpos = (u8 *) (avp + 1);
1247 dlen = avp_length - sizeof(*avp);
1248 if (avp_flags & AVP_FLAGS_VENDOR) {
1250 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
1255 vendor_id = be_to_host32(* (u32 *) dpos);
1256 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
1262 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
1264 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
1265 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
1266 if (eapdata == NULL) {
1267 eapdata = os_malloc(dlen);
1268 if (eapdata == NULL) {
1270 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1271 "failed to allocate memory "
1272 "for Phase 2 EAP data");
1275 os_memcpy(eapdata, dpos, dlen);
1278 u8 *neweap = os_realloc(eapdata,
1280 if (neweap == NULL) {
1282 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1283 "failed to allocate memory "
1284 "for Phase 2 EAP data");
1287 os_memcpy(neweap + eap_len, dpos, dlen);
1291 } else if (vendor_id == 0 &&
1292 avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
1293 /* This is an optional message that can be displayed to
1295 wpa_hexdump_ascii(MSG_DEBUG,
1296 "EAP-TTLS: AVP - Reply-Message",
1298 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1299 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
1300 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: "
1301 "MS-CHAP2-Success", dpos, dlen);
1303 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
1304 "MS-CHAP2-Success length "
1305 "(len=%lu, expected 43)",
1306 (unsigned long) dlen);
1311 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1312 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
1313 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: "
1314 "MS-CHAP-Error", dpos, dlen);
1316 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
1317 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
1318 "mandatory AVP code %d vendor_id %d - "
1319 "dropped", (int) avp_code, (int) vendor_id);
1323 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
1324 "AVP code %d vendor_id %d",
1325 (int) avp_code, (int) vendor_id);
1328 pad = (4 - (avp_length & 3)) & 3;
1329 pos += avp_length + pad;
1330 if (left < avp_length + pad)
1333 left -= avp_length + pad;
1336 switch (data->phase2_type) {
1337 case EAP_TTLS_PHASE2_EAP:
1338 if (eapdata == NULL) {
1339 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in "
1340 "the packet - dropped");
1345 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1347 hdr = (struct eap_hdr *) eapdata;
1349 if (eap_len < sizeof(*hdr)) {
1350 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 "
1351 "EAP frame (len=%lu, expected %lu or more) "
1352 "- dropped", (unsigned long) eap_len,
1353 (unsigned long) sizeof(*hdr));
1357 len = be_to_host16(hdr->length);
1358 if (len > eap_len) {
1359 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in "
1360 "Phase 2 EAP frame (EAP hdr len=%lu, EAP "
1361 "data len in AVP=%lu)",
1362 (unsigned long) len,
1363 (unsigned long) eap_len);
1367 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1368 "identifier=%d length=%lu",
1369 hdr->code, hdr->identifier, (unsigned long) len);
1371 switch (hdr->code) {
1372 case EAP_CODE_REQUEST:
1373 if (eap_ttls_phase2_request(sm, data, ret, req, hdr,
1374 &resp, &resp_len)) {
1375 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 "
1376 "Request processing failed");
1382 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1383 "Phase 2 EAP header", hdr->code);
1388 case EAP_TTLS_PHASE2_MSCHAPV2:
1389 if (mschapv2_error) {
1390 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1391 "MS-CHAP-Error - failed");
1392 ret->methodState = METHOD_DONE;
1393 ret->decision = DECISION_FAIL;
1394 *out_data = eap_tls_build_ack(&data->ssl, out_len,
1400 if (mschapv2 == NULL) {
1401 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success"
1402 " AVP received for Phase2 MSCHAPV2");
1406 if (mschapv2[0] != data->ident) {
1407 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch "
1408 "for Phase 2 MSCHAPV2 (received Ident "
1409 "0x%02x, expected 0x%02x)",
1410 mschapv2[0], data->ident);
1414 if (!data->auth_response_valid ||
1415 mschapv2[1] != 'S' || mschapv2[2] != '=' ||
1416 hexstr2bin((char *) (mschapv2 + 3), recv_response, 20) ||
1417 os_memcmp(data->auth_response, recv_response, 20) != 0) {
1418 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid "
1419 "authenticator response in Phase 2 "
1420 "MSCHAPV2 success request");
1425 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1426 "authentication succeeded");
1427 if (data->ttls_version > 0) {
1428 /* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report
1429 * success, so do not allow connection to be terminated
1431 ret->methodState = METHOD_CONT;
1432 ret->decision = DECISION_COND_SUCC;
1434 ret->methodState = METHOD_DONE;
1435 ret->decision = DECISION_UNCOND_SUCC;
1436 data->phase2_success = 1;
1439 /* Reply with empty data; authentication server will reply
1440 * with EAP-Success after this. */
1443 case EAP_TTLS_PHASE2_MSCHAP:
1444 case EAP_TTLS_PHASE2_PAP:
1445 case EAP_TTLS_PHASE2_CHAP:
1446 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1447 * requests to the supplicant */
1448 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1455 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
1458 if (eap_ttls_encrypt(sm, data, req->identifier,
1459 resp, resp_len, out_data, out_len)) {
1460 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt "
1464 } else if (config->pending_req_identity ||
1465 config->pending_req_password ||
1466 config->pending_req_otp ||
1467 config->pending_req_new_password) {
1468 os_free(data->pending_phase2_req);
1469 data->pending_phase2_req = os_malloc(len_decrypted);
1470 if (data->pending_phase2_req) {
1471 os_memcpy(data->pending_phase2_req, in_decrypted,
1473 data->pending_phase2_req_len = len_decrypted;
1478 os_free(in_decrypted);
1482 ret->methodState = METHOD_DONE;
1483 ret->decision = DECISION_FAIL;
1490 static u8 * eap_ttls_process(struct eap_sm *sm, void *priv,
1491 struct eap_method_ret *ret,
1492 const u8 *reqData, size_t reqDataLen,
1493 size_t *respDataLen)
1495 const struct eap_hdr *req;
1498 u8 flags, *resp, id;
1500 struct eap_ttls_data *data = priv;
1501 struct wpa_ssid *config = eap_get_config(sm);
1503 pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1504 reqData, reqDataLen, &left, &flags);
1507 req = (const struct eap_hdr *) reqData;
1508 id = req->identifier;
1510 if (flags & EAP_TLS_FLAGS_START) {
1511 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1512 "ver=%d)", flags & EAP_PEAP_VERSION_MASK,
1513 data->ttls_version);
1514 if ((flags & EAP_PEAP_VERSION_MASK) < data->ttls_version)
1515 data->ttls_version = flags & EAP_PEAP_VERSION_MASK;
1516 if (data->force_ttls_version >= 0 &&
1517 data->force_ttls_version != data->ttls_version) {
1518 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to select "
1519 "forced TTLS version %d",
1520 data->force_ttls_version);
1521 ret->methodState = METHOD_DONE;
1522 ret->decision = DECISION_FAIL;
1523 ret->allowNotifications = FALSE;
1526 wpa_printf(MSG_DEBUG, "EAP-TTLS: Using TTLS version %d",
1527 data->ttls_version);
1529 if (data->ttls_version > 0)
1530 data->ssl.tls_ia = 1;
1531 if (!data->ssl_initialized &&
1532 eap_tls_ssl_init(sm, &data->ssl, config)) {
1533 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize "
1537 data->ssl_initialized = 1;
1539 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start");
1540 /* draft-ietf-pppext-eap-ttls-03.txt, Ch. 8.1:
1541 * EAP-TTLS Start packet may, in a future specification, be
1542 * allowed to contain data. Client based on this draft version
1543 * must ignore such data but must not reject the Start packet.
1546 } else if (!data->ssl_initialized) {
1547 wpa_printf(MSG_DEBUG, "EAP-TTLS: First message did not "
1548 "include Start flag");
1549 ret->methodState = METHOD_DONE;
1550 ret->decision = DECISION_FAIL;
1551 ret->allowNotifications = FALSE;
1556 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1558 res = eap_ttls_decrypt(sm, data, ret, req, pos, left,
1559 &resp, respDataLen);
1561 res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1562 data->ttls_version, id, pos, left,
1563 &resp, respDataLen);
1565 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1566 wpa_printf(MSG_DEBUG,
1567 "EAP-TTLS: TLS done, proceed to Phase 2");
1568 if (data->resuming) {
1569 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth -"
1570 " may skip Phase 2");
1571 ret->decision = DECISION_COND_SUCC;
1572 ret->methodState = METHOD_MAY_CONT;
1574 data->phase2_start = 1;
1575 if (data->ttls_version == 0)
1576 eap_ttls_v0_derive_key(sm, data);
1578 if (*respDataLen == 0) {
1579 if (eap_ttls_decrypt(sm, data, ret, req, NULL,
1580 0, &resp, respDataLen)) {
1581 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1582 "failed to process early "
1583 "start for Phase 2");
1592 * Application data included in the handshake message.
1594 os_free(data->pending_phase2_req);
1595 data->pending_phase2_req = resp;
1596 data->pending_phase2_req_len = *respDataLen;
1599 res = eap_ttls_decrypt(sm, data, ret, req, pos, left,
1600 &resp, respDataLen);
1604 if (data->ttls_version == 0 && ret->methodState == METHOD_DONE) {
1605 ret->allowNotifications = FALSE;
1606 if (ret->decision == DECISION_UNCOND_SUCC ||
1607 ret->decision == DECISION_COND_SUCC) {
1608 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1609 "completed successfully");
1610 data->phase2_success = 1;
1612 } else if (data->ttls_version == 0 && sm->workaround &&
1613 ret->methodState == METHOD_MAY_CONT &&
1614 (ret->decision == DECISION_UNCOND_SUCC ||
1615 ret->decision == DECISION_COND_SUCC)) {
1616 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1617 "completed successfully (EAP workaround)");
1618 data->phase2_success = 1;
1622 return eap_tls_build_ack(&data->ssl, respDataLen, id,
1623 EAP_TYPE_TTLS, data->ttls_version);
1629 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1631 struct eap_ttls_data *data = priv;
1632 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1633 data->phase2_success;
1637 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1639 struct eap_ttls_data *data = priv;
1640 os_free(data->pending_phase2_req);
1641 data->pending_phase2_req = NULL;
1645 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1647 struct eap_ttls_data *data = priv;
1648 os_free(data->key_data);
1649 data->key_data = NULL;
1650 if (eap_tls_reauth_init(sm, &data->ssl)) {
1654 if (data->phase2_priv && data->phase2_method &&
1655 data->phase2_method->init_for_reauth)
1656 data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1657 data->phase2_start = 0;
1658 data->phase2_success = 0;
1665 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1666 size_t buflen, int verbose)
1668 struct eap_ttls_data *data = priv;
1671 len = eap_tls_status(sm, &data->ssl, buf, buflen, verbose);
1672 ret = os_snprintf(buf + len, buflen - len,
1673 "EAP-TTLSv%d Phase2 method=",
1674 data->ttls_version);
1675 if (ret < 0 || (size_t) ret >= buflen - len)
1678 switch (data->phase2_type) {
1679 case EAP_TTLS_PHASE2_EAP:
1680 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1681 data->phase2_method ?
1682 data->phase2_method->name : "?");
1684 case EAP_TTLS_PHASE2_MSCHAPV2:
1685 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1687 case EAP_TTLS_PHASE2_MSCHAP:
1688 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1690 case EAP_TTLS_PHASE2_PAP:
1691 ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1693 case EAP_TTLS_PHASE2_CHAP:
1694 ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1700 if (ret < 0 || (size_t) ret >= buflen - len)
1708 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1710 struct eap_ttls_data *data = priv;
1711 return data->key_data != NULL && data->phase2_success;
1715 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1717 struct eap_ttls_data *data = priv;
1720 if (data->key_data == NULL || !data->phase2_success)
1723 key = os_malloc(EAP_TLS_KEY_LEN);
1727 *len = EAP_TLS_KEY_LEN;
1728 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1734 int eap_peer_ttls_register(void)
1736 struct eap_method *eap;
1739 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1740 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1744 eap->init = eap_ttls_init;
1745 eap->deinit = eap_ttls_deinit;
1746 eap->process = eap_ttls_process;
1747 eap->isKeyAvailable = eap_ttls_isKeyAvailable;
1748 eap->getKey = eap_ttls_getKey;
1749 eap->get_status = eap_ttls_get_status;
1750 eap->has_reauth_data = eap_ttls_has_reauth_data;
1751 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
1752 eap->init_for_reauth = eap_ttls_init_for_reauth;
1754 ret = eap_peer_method_register(eap);
1756 eap_peer_method_free(eap);