2
* hostapd / EAP-TTLS (draft-ietf-pppext-eap-ttls-05.txt)
3
* Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License version 2 as
7
* published by the Free Software Foundation.
9
* Alternatively, this software may be distributed under the terms of BSD
12
* See README and COPYING for more details.
18
#include "eap_server/eap_i.h"
19
#include "eap_server/eap_tls_common.h"
25
#include "eap_common/eap_ttls.h"
28
/* Maximum supported TTLS version
29
* 0 = draft-ietf-pppext-eap-ttls-03.txt / draft-funk-eap-ttls-v0-00.txt
30
* 1 = draft-funk-eap-ttls-v1-00.txt
32
#ifndef EAP_TTLS_VERSION
33
#define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
34
#endif /* EAP_TTLS_VERSION */
37
#define MSCHAPV2_KEY_LEN 16
40
static void eap_ttls_reset(struct eap_sm *sm, void *priv);
43
struct eap_ttls_data {
44
struct eap_ssl_data ssl;
46
START, PHASE1, PHASE2_START, PHASE2_METHOD,
47
PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE
52
const struct eap_method *phase2_method;
55
u8 mschapv2_auth_response[20];
57
int tls_ia_configured;
61
static const char * eap_ttls_state_txt(int state)
69
return "PHASE2_START";
71
return "PHASE2_METHOD";
72
case PHASE2_MSCHAPV2_RESP:
73
return "PHASE2_MSCHAPV2_RESP";
75
return "PHASE_FINISHED";
86
static void eap_ttls_state(struct eap_ttls_data *data, int state)
88
wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
89
eap_ttls_state_txt(data->state),
90
eap_ttls_state_txt(state));
95
static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
96
int mandatory, size_t len)
98
struct ttls_avp_vendor *avp;
102
avp = (struct ttls_avp_vendor *) avphdr;
103
flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
105
flags |= AVP_FLAGS_VENDOR;
106
hdrlen = sizeof(*avp);
107
avp->vendor_id = host_to_be32(vendor_id);
109
hdrlen = sizeof(struct ttls_avp);
112
avp->avp_code = host_to_be32(avp_code);
113
avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
115
return avphdr + hdrlen;
119
static int eap_ttls_avp_encapsulate(u8 **resp, size_t *resp_len, u32 avp_code,
124
avp = malloc(sizeof(struct ttls_avp) + *resp_len + 4);
131
pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, *resp_len);
132
memcpy(pos, *resp, *resp_len);
137
*resp_len = pos - avp;
142
struct eap_ttls_avp {
143
/* Note: eap is allocated memory; caller is responsible for freeing
144
* it. All the other pointers are pointing to the packet data, i.e.,
145
* they must not be freed separately. */
149
size_t user_name_len;
151
size_t user_password_len;
153
size_t chap_challenge_len;
155
size_t chap_password_len;
156
u8 *mschap_challenge;
157
size_t mschap_challenge_len;
159
size_t mschap_response_len;
160
u8 *mschap2_response;
161
size_t mschap2_response_len;
165
static int eap_ttls_avp_parse(u8 *buf, size_t len, struct eap_ttls_avp *parse)
167
struct ttls_avp *avp;
173
memset(parse, 0, sizeof(*parse));
176
u32 avp_code, avp_length, vendor_id = 0;
179
avp = (struct ttls_avp *) pos;
180
avp_code = be_to_host32(avp->avp_code);
181
avp_length = be_to_host32(avp->avp_length);
182
avp_flags = (avp_length >> 24) & 0xff;
183
avp_length &= 0xffffff;
184
wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
185
"length=%d", (int) avp_code, avp_flags,
187
if ((int) avp_length > left) {
188
wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
189
"(len=%d, left=%d) - dropped",
190
(int) avp_length, left);
193
if (avp_length < sizeof(*avp)) {
194
wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
198
dpos = (u8 *) (avp + 1);
199
dlen = avp_length - sizeof(*avp);
200
if (avp_flags & AVP_FLAGS_VENDOR) {
202
wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
206
vendor_id = be_to_host32(* (be32 *) dpos);
207
wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
213
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
215
if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
216
wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
217
if (parse->eap == NULL) {
218
parse->eap = malloc(dlen);
219
if (parse->eap == NULL) {
220
wpa_printf(MSG_WARNING, "EAP-TTLS: "
221
"failed to allocate memory "
222
"for Phase 2 EAP data");
225
memcpy(parse->eap, dpos, dlen);
226
parse->eap_len = dlen;
228
u8 *neweap = realloc(parse->eap,
229
parse->eap_len + dlen);
230
if (neweap == NULL) {
231
wpa_printf(MSG_WARNING, "EAP-TTLS: "
232
"failed to allocate memory "
233
"for Phase 2 EAP data");
236
memcpy(neweap + parse->eap_len, dpos, dlen);
238
parse->eap_len += dlen;
240
} else if (vendor_id == 0 &&
241
avp_code == RADIUS_ATTR_USER_NAME) {
242
wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
244
parse->user_name = dpos;
245
parse->user_name_len = dlen;
246
} else if (vendor_id == 0 &&
247
avp_code == RADIUS_ATTR_USER_PASSWORD) {
249
size_t password_len = dlen;
250
while (password_len > 0 &&
251
password[password_len - 1] == '\0') {
254
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
255
"User-Password (PAP)",
256
password, password_len);
257
parse->user_password = password;
258
parse->user_password_len = password_len;
259
} else if (vendor_id == 0 &&
260
avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
261
wpa_hexdump(MSG_DEBUG,
262
"EAP-TTLS: CHAP-Challenge (CHAP)",
264
parse->chap_challenge = dpos;
265
parse->chap_challenge_len = dlen;
266
} else if (vendor_id == 0 &&
267
avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
268
wpa_hexdump(MSG_DEBUG,
269
"EAP-TTLS: CHAP-Password (CHAP)",
271
parse->chap_password = dpos;
272
parse->chap_password_len = dlen;
273
} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
274
avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
275
wpa_hexdump(MSG_DEBUG,
276
"EAP-TTLS: MS-CHAP-Challenge",
278
parse->mschap_challenge = dpos;
279
parse->mschap_challenge_len = dlen;
280
} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
281
avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
282
wpa_hexdump(MSG_DEBUG,
283
"EAP-TTLS: MS-CHAP-Response (MSCHAP)",
285
parse->mschap_response = dpos;
286
parse->mschap_response_len = dlen;
287
} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
288
avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
289
wpa_hexdump(MSG_DEBUG,
290
"EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
292
parse->mschap2_response = dpos;
293
parse->mschap2_response_len = dlen;
294
} else if (avp_flags & AVP_FLAGS_MANDATORY) {
295
wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
296
"mandatory AVP code %d vendor_id %d - "
297
"dropped", (int) avp_code, (int) vendor_id);
300
wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
301
"AVP code %d vendor_id %d",
302
(int) avp_code, (int) vendor_id);
305
pad = (4 - (avp_length & 3)) & 3;
306
pos += avp_length + pad;
307
left -= avp_length + pad;
319
static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
320
struct eap_ttls_data *data, size_t len)
322
struct tls_keys keys;
325
if (data->ttls_version == 0) {
326
return eap_server_tls_derive_key(sm, &data->ssl,
327
"ttls challenge", len);
330
memset(&keys, 0, sizeof(keys));
331
if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
332
keys.client_random == NULL || keys.server_random == NULL ||
333
keys.inner_secret == NULL) {
334
wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
335
"client random, or server random to derive "
336
"implicit challenge");
340
rnd = malloc(keys.client_random_len + keys.server_random_len);
341
challenge = malloc(len);
342
if (rnd == NULL || challenge == NULL) {
343
wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
344
"challenge derivation");
349
memcpy(rnd, keys.server_random, keys.server_random_len);
350
memcpy(rnd + keys.server_random_len, keys.client_random,
351
keys.client_random_len);
353
if (tls_prf(keys.inner_secret, keys.inner_secret_len,
354
"inner application challenge", rnd,
355
keys.client_random_len + keys.server_random_len,
357
wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
366
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
373
static void * eap_ttls_init(struct eap_sm *sm)
375
struct eap_ttls_data *data;
377
data = os_zalloc(sizeof(*data));
380
data->ttls_version = EAP_TTLS_VERSION;
381
data->force_version = -1;
382
if (sm->user && sm->user->force_version >= 0) {
383
data->force_version = sm->user->force_version;
384
wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d",
385
data->force_version);
386
data->ttls_version = data->force_version;
390
if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
391
data->ttls_version > 0) {
392
if (data->force_version > 0) {
393
wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
394
"TLS library does not support TLS/IA.",
395
data->force_version);
396
eap_ttls_reset(sm, data);
399
data->ttls_version = 0;
402
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
403
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
404
eap_ttls_reset(sm, data);
412
static void eap_ttls_reset(struct eap_sm *sm, void *priv)
414
struct eap_ttls_data *data = priv;
417
if (data->phase2_priv && data->phase2_method)
418
data->phase2_method->reset(sm, data->phase2_priv);
419
eap_server_tls_ssl_deinit(sm, &data->ssl);
424
static u8 * eap_ttls_build_start(struct eap_sm *sm, struct eap_ttls_data *data,
425
int id, size_t *reqDataLen)
430
*reqDataLen = sizeof(*req) + 2;
431
req = malloc(*reqDataLen);
433
wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
435
eap_ttls_state(data, FAILURE);
439
req->code = EAP_CODE_REQUEST;
440
req->identifier = id;
441
req->length = host_to_be16(*reqDataLen);
442
pos = (u8 *) (req + 1);
443
*pos++ = EAP_TYPE_TTLS;
444
*pos = EAP_TLS_FLAGS_START | data->ttls_version;
446
eap_ttls_state(data, PHASE1);
452
static u8 * eap_ttls_build_req(struct eap_sm *sm, struct eap_ttls_data *data,
453
int id, size_t *reqDataLen)
458
res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_TTLS,
459
data->ttls_version, id, &req,
462
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
463
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, starting "
465
eap_ttls_state(data, PHASE2_START);
469
return eap_server_tls_build_ack(reqDataLen, id, EAP_TYPE_TTLS,
475
static u8 * eap_ttls_encrypt(struct eap_sm *sm, struct eap_ttls_data *data,
476
int id, u8 *plain, size_t plain_len,
483
/* TODO: add support for fragmentation, if needed. This will need to
484
* add TLS Message Length field, if the frame is fragmented. */
485
req = malloc(sizeof(struct eap_hdr) + 2 + data->ssl.tls_out_limit);
489
req->code = EAP_CODE_REQUEST;
490
req->identifier = id;
492
pos = (u8 *) (req + 1);
493
*pos++ = EAP_TYPE_TTLS;
494
*pos++ = data->ttls_version;
496
res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
498
pos, data->ssl.tls_out_limit);
500
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 "
506
*out_len = sizeof(struct eap_hdr) + 2 + res;
507
req->length = host_to_be16(*out_len);
512
static u8 * eap_ttls_build_phase2_eap_req(struct eap_sm *sm,
513
struct eap_ttls_data *data,
514
int id, size_t *reqDataLen)
520
req = data->phase2_method->buildReq(sm, data->phase2_priv, id,
525
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/EAP: Encapsulate Phase 2 data",
528
if (eap_ttls_avp_encapsulate(&req, &req_len, RADIUS_ATTR_EAP_MESSAGE,
530
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
535
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated Phase "
536
"2 data", req, req_len);
538
encr_req = eap_ttls_encrypt(sm, data, id, req, req_len, reqDataLen);
545
static u8 * eap_ttls_build_phase2_mschapv2(struct eap_sm *sm,
546
struct eap_ttls_data *data,
547
int id, size_t *reqDataLen)
549
u8 *req, *encr_req, *pos, *end;
553
pos = req = malloc(100);
558
if (data->mschapv2_resp_ok) {
559
pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
560
RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
561
*pos++ = data->mschapv2_ident;
562
ret = snprintf((char *) pos, end - pos, "S=");
563
if (ret >= 0 && ret < end - pos)
565
pos += wpa_snprintf_hex_uppercase(
566
(char *) pos, end - pos, data->mschapv2_auth_response,
567
sizeof(data->mschapv2_auth_response));
569
pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
570
RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
571
memcpy(pos, "Failed", 6);
577
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
578
"data", req, req_len);
580
encr_req = eap_ttls_encrypt(sm, data, id, req, req_len, reqDataLen);
587
static u8 * eap_ttls_build_phase_finished(struct eap_sm *sm,
588
struct eap_ttls_data *data,
595
const int max_len = 300;
597
len = sizeof(struct eap_hdr) + 2 + max_len;
602
req->code = EAP_CODE_REQUEST;
603
req->identifier = id;
605
pos = (u8 *) (req + 1);
606
*pos++ = EAP_TYPE_TTLS;
607
*pos++ = data->ttls_version;
609
len = tls_connection_ia_send_phase_finished(sm->ssl_ctx,
611
final, pos, max_len);
617
*reqDataLen = sizeof(struct eap_hdr) + 2 + len;
618
req->length = host_to_be16(*reqDataLen);
624
static u8 * eap_ttls_buildReq(struct eap_sm *sm, void *priv, int id,
627
struct eap_ttls_data *data = priv;
629
switch (data->state) {
631
return eap_ttls_build_start(sm, data, id, reqDataLen);
633
return eap_ttls_build_req(sm, data, id, reqDataLen);
635
return eap_ttls_build_phase2_eap_req(sm, data, id, reqDataLen);
636
case PHASE2_MSCHAPV2_RESP:
637
return eap_ttls_build_phase2_mschapv2(sm, data, id,
640
return eap_ttls_build_phase_finished(sm, data, id, 1,
643
wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
644
__func__, data->state);
650
static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
651
u8 *respData, size_t respDataLen)
653
struct eap_hdr *resp;
656
resp = (struct eap_hdr *) respData;
657
pos = (u8 *) (resp + 1);
658
if (respDataLen < sizeof(*resp) + 2 || *pos != EAP_TYPE_TTLS ||
659
(be_to_host16(resp->length)) > respDataLen) {
660
wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
668
static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
669
struct eap_ttls_data *data,
670
const u8 *key, size_t key_len)
677
buf_len = 2 + key_len;
678
buf = malloc(buf_len);
681
WPA_PUT_BE16(buf, key_len);
682
memcpy(buf + 2, key, key_len);
688
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
689
"secret permutation", buf, buf_len);
690
ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
699
static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
700
struct eap_ttls_data *data,
701
const u8 *user_password,
702
size_t user_password_len)
704
/* TODO: add support for verifying that the user entry accepts
706
if (!sm->user || !sm->user->password || sm->user->password_hash) {
707
wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
708
"password configured");
709
eap_ttls_state(data, FAILURE);
713
if (sm->user->password_len != user_password_len ||
714
memcmp(sm->user->password, user_password, user_password_len) != 0)
716
wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
717
eap_ttls_state(data, FAILURE);
721
wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
722
eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
727
static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
728
struct eap_ttls_data *data,
730
size_t challenge_len,
734
u8 *chal, hash[MD5_MAC_LEN];
738
if (challenge == NULL || password == NULL ||
739
challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
740
password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
741
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
742
"(challenge len %lu password len %lu)",
743
(unsigned long) challenge_len,
744
(unsigned long) password_len);
745
eap_ttls_state(data, FAILURE);
749
/* TODO: add support for verifying that the user entry accepts
751
if (!sm->user || !sm->user->password || sm->user->password_hash) {
752
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
753
"password configured");
754
eap_ttls_state(data, FAILURE);
758
chal = eap_ttls_implicit_challenge(sm, data,
759
EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
761
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
762
"challenge from TLS data");
763
eap_ttls_state(data, FAILURE);
767
if (memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 ||
768
password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
769
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
771
eap_ttls_state(data, FAILURE);
776
/* MD5(Ident + Password + Challenge) */
779
addr[1] = sm->user->password;
780
len[1] = sm->user->password_len;
782
len[2] = challenge_len;
783
md5_vector(3, addr, len, hash);
785
if (memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
786
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
787
eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
790
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
791
eap_ttls_state(data, FAILURE);
796
static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
797
struct eap_ttls_data *data,
798
u8 *challenge, size_t challenge_len,
799
u8 *response, size_t response_len)
801
u8 *chal, nt_response[24];
803
if (challenge == NULL || response == NULL ||
804
challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
805
response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
806
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
807
"attributes (challenge len %lu response len %lu)",
808
(unsigned long) challenge_len,
809
(unsigned long) response_len);
810
eap_ttls_state(data, FAILURE);
814
/* TODO: add support for verifying that the user entry accepts
815
* EAP-TTLS/MSCHAP. */
816
if (!sm->user || !sm->user->password) {
817
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
819
eap_ttls_state(data, FAILURE);
823
chal = eap_ttls_implicit_challenge(sm, data,
824
EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
826
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
827
"challenge from TLS data");
828
eap_ttls_state(data, FAILURE);
832
if (memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 ||
833
response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
834
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
836
eap_ttls_state(data, FAILURE);
841
if (sm->user->password_hash)
842
challenge_response(challenge, sm->user->password, nt_response);
844
nt_challenge_response(challenge, sm->user->password,
845
sm->user->password_len, nt_response);
847
if (memcmp(nt_response, response + 2 + 24, 24) == 0) {
848
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
849
eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
852
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
853
wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
854
response + 2 + 24, 24);
855
wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
857
eap_ttls_state(data, FAILURE);
862
static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
863
struct eap_ttls_data *data,
865
size_t challenge_len,
866
u8 *response, size_t response_len)
868
u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
870
size_t username_len, i;
872
if (challenge == NULL || response == NULL ||
873
challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
874
response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
875
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
876
"attributes (challenge len %lu response len %lu)",
877
(unsigned long) challenge_len,
878
(unsigned long) response_len);
879
eap_ttls_state(data, FAILURE);
883
/* TODO: add support for verifying that the user entry accepts
884
* EAP-TTLS/MSCHAPV2. */
885
if (!sm->user || !sm->user->password) {
886
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
888
eap_ttls_state(data, FAILURE);
892
/* MSCHAPv2 does not include optional domain name in the
893
* challenge-response calculation, so remove domain prefix
895
username = sm->identity;
896
username_len = sm->identity_len;
897
for (i = 0; i < username_len; i++) {
898
if (username[i] == '\\') {
899
username_len -= i + 1;
905
chal = eap_ttls_implicit_challenge(
906
sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
908
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
909
"challenge from TLS data");
910
eap_ttls_state(data, FAILURE);
914
if (memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 ||
915
response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
916
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
918
eap_ttls_state(data, FAILURE);
923
auth_challenge = challenge;
924
peer_challenge = response + 2;
926
wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
927
username, username_len);
928
wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
929
auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
930
wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
931
peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
933
if (sm->user->password_hash) {
934
generate_nt_response_pwhash(auth_challenge, peer_challenge,
935
username, username_len,
939
generate_nt_response(auth_challenge, peer_challenge,
940
username, username_len,
942
sm->user->password_len,
946
rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
947
if (memcmp(nt_response, rx_resp, 24) == 0) {
948
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
950
data->mschapv2_resp_ok = 1;
951
if (data->ttls_version > 0) {
953
u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16];
954
u8 session_key[2 * MSCHAPV2_KEY_LEN];
956
if (sm->user->password_hash)
957
pw_hash = sm->user->password;
959
nt_password_hash(sm->user->password,
960
sm->user->password_len,
962
pw_hash = pw_hash_buf;
964
hash_nt_password_hash(pw_hash, pw_hash_hash);
965
get_master_key(pw_hash_hash, nt_response, master_key);
966
get_asymetric_start_key(master_key, session_key,
967
MSCHAPV2_KEY_LEN, 0, 0);
968
get_asymetric_start_key(master_key,
969
session_key + MSCHAPV2_KEY_LEN,
970
MSCHAPV2_KEY_LEN, 1, 0);
971
eap_ttls_ia_permute_inner_secret(sm, data,
973
sizeof(session_key));
976
if (sm->user->password_hash) {
977
generate_authenticator_response_pwhash(
979
peer_challenge, auth_challenge,
980
username, username_len, nt_response,
981
data->mschapv2_auth_response);
983
generate_authenticator_response(
984
sm->user->password, sm->user->password_len,
985
peer_challenge, auth_challenge,
986
username, username_len, nt_response,
987
data->mschapv2_auth_response);
990
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
992
wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
994
wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
996
data->mschapv2_resp_ok = 0;
998
eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
999
data->mschapv2_ident = response[0];
1003
static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
1004
struct eap_ttls_data *data,
1007
if (data->phase2_priv && data->phase2_method) {
1008
data->phase2_method->reset(sm, data->phase2_priv);
1009
data->phase2_method = NULL;
1010
data->phase2_priv = NULL;
1012
data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
1014
if (!data->phase2_method)
1017
sm->init_phase2 = 1;
1018
data->phase2_priv = data->phase2_method->init(sm);
1019
sm->init_phase2 = 0;
1024
static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
1025
struct eap_ttls_data *data,
1026
u8 *in_data, size_t in_len)
1028
u8 next_type = EAP_TYPE_NONE;
1029
struct eap_hdr *hdr;
1032
const struct eap_method *m = data->phase2_method;
1033
void *priv = data->phase2_priv;
1035
if (data->phase2_priv == NULL) {
1036
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
1037
"initialized?!", __func__);
1041
hdr = (struct eap_hdr *) in_data;
1042
pos = (u8 *) (hdr + 1);
1044
if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
1045
left = in_len - sizeof(*hdr);
1046
wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
1047
"allowed types", pos + 1, left - 1);
1048
eap_sm_process_nak(sm, pos + 1, left - 1);
1049
if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
1050
sm->user->methods[sm->user_eap_method_index].method !=
1052
next_type = sm->user->methods[
1053
sm->user_eap_method_index++].method;
1054
wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
1056
eap_ttls_phase2_eap_init(sm, data, next_type);
1058
eap_ttls_state(data, FAILURE);
1063
if (m->check(sm, priv, in_data, in_len)) {
1064
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
1065
"ignore the packet");
1069
m->process(sm, priv, in_data, in_len);
1071
if (!m->isDone(sm, priv))
1074
if (!m->isSuccess(sm, priv)) {
1075
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
1076
eap_ttls_state(data, FAILURE);
1080
switch (data->state) {
1082
if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1083
wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
1084
"Identity not found in the user "
1086
sm->identity, sm->identity_len);
1087
eap_ttls_state(data, FAILURE);
1091
eap_ttls_state(data, PHASE2_METHOD);
1092
next_type = sm->user->methods[0].method;
1093
sm->user_eap_method_index = 1;
1094
wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
1097
if (data->ttls_version > 0) {
1101
key = m->getKey(sm, priv, &key_len);
1102
eap_ttls_ia_permute_inner_secret(sm, data,
1105
eap_ttls_state(data, PHASE_FINISHED);
1107
eap_ttls_state(data, SUCCESS);
1112
wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
1113
__func__, data->state);
1117
eap_ttls_phase2_eap_init(sm, data, next_type);
1121
static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
1122
struct eap_ttls_data *data,
1123
const u8 *eap, size_t eap_len)
1125
struct eap_hdr *hdr;
1128
if (data->state == PHASE2_START) {
1129
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
1130
if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
1132
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
1133
"initialize EAP-Identity");
1138
if (eap_len < sizeof(*hdr)) {
1139
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
1140
"packet (len=%lu)", (unsigned long) eap_len);
1144
hdr = (struct eap_hdr *) eap;
1145
len = be_to_host16(hdr->length);
1146
wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
1147
"identifier=%d length=%lu", hdr->code, hdr->identifier,
1148
(unsigned long) len);
1149
if (len > eap_len) {
1150
wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
1151
" EAP frame (hdr len=%lu, data len in AVP=%lu)",
1152
(unsigned long) len, (unsigned long) eap_len);
1156
switch (hdr->code) {
1157
case EAP_CODE_RESPONSE:
1158
eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
1162
wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
1163
"Phase 2 EAP header", hdr->code);
1169
static void eap_ttls_process_phase2(struct eap_sm *sm,
1170
struct eap_ttls_data *data,
1171
struct eap_hdr *resp,
1172
u8 *in_data, size_t in_len)
1175
int len_decrypted, res;
1176
struct eap_ttls_avp parse;
1179
wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1180
" Phase 2", (unsigned long) in_len);
1182
res = eap_server_tls_data_reassemble(sm, &data->ssl, &in_data,
1184
if (res < 0 || res == 1)
1188
if (data->ssl.tls_in_total > buf_len)
1189
buf_len = data->ssl.tls_in_total;
1190
in_decrypted = malloc(buf_len);
1191
if (in_decrypted == NULL) {
1192
free(data->ssl.tls_in);
1193
data->ssl.tls_in = NULL;
1194
data->ssl.tls_in_len = 0;
1195
wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
1200
len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1202
in_decrypted, buf_len);
1203
free(data->ssl.tls_in);
1204
data->ssl.tls_in = NULL;
1205
data->ssl.tls_in_len = 0;
1206
if (len_decrypted < 0) {
1207
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1210
eap_ttls_state(data, FAILURE);
1214
if (data->state == PHASE_FINISHED) {
1215
if (len_decrypted == 0 &&
1216
tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1218
wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished "
1220
eap_ttls_state(data, SUCCESS);
1222
wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid "
1223
"FinalPhaseFinished");
1224
eap_ttls_state(data, FAILURE);
1231
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1232
in_decrypted, len_decrypted);
1234
if (eap_ttls_avp_parse(in_decrypted, len_decrypted, &parse) < 0) {
1235
wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1237
eap_ttls_state(data, FAILURE);
1241
if (parse.user_name) {
1243
sm->identity = malloc(parse.user_name_len);
1245
memcpy(sm->identity, parse.user_name,
1246
parse.user_name_len);
1247
sm->identity_len = parse.user_name_len;
1249
if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1251
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1252
"found in the user database");
1253
eap_ttls_state(data, FAILURE);
1259
eap_ttls_process_phase2_eap(sm, data, parse.eap,
1261
} else if (parse.user_password) {
1262
eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1263
parse.user_password_len);
1264
} else if (parse.chap_password) {
1265
eap_ttls_process_phase2_chap(sm, data,
1266
parse.chap_challenge,
1267
parse.chap_challenge_len,
1268
parse.chap_password,
1269
parse.chap_password_len);
1270
} else if (parse.mschap_response) {
1271
eap_ttls_process_phase2_mschap(sm, data,
1272
parse.mschap_challenge,
1273
parse.mschap_challenge_len,
1274
parse.mschap_response,
1275
parse.mschap_response_len);
1276
} else if (parse.mschap2_response) {
1277
eap_ttls_process_phase2_mschapv2(sm, data,
1278
parse.mschap_challenge,
1279
parse.mschap_challenge_len,
1280
parse.mschap2_response,
1281
parse.mschap2_response_len);
1290
static void eap_ttls_process(struct eap_sm *sm, void *priv,
1291
u8 *respData, size_t respDataLen)
1293
struct eap_ttls_data *data = priv;
1294
struct eap_hdr *resp;
1297
unsigned int tls_msg_len;
1300
resp = (struct eap_hdr *) respData;
1301
pos = (u8 *) (resp + 1);
1304
left = be_to_host16(resp->length) - sizeof(struct eap_hdr) - 2;
1305
wpa_printf(MSG_DEBUG, "EAP-TTLS: Received packet(len=%lu) - "
1306
"Flags 0x%02x", (unsigned long) respDataLen, flags);
1307
peer_version = flags & EAP_PEAP_VERSION_MASK;
1308
if (peer_version < data->ttls_version) {
1309
wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1311
peer_version, data->ttls_version, peer_version);
1312
data->ttls_version = peer_version;
1315
if (data->ttls_version > 0 && !data->tls_ia_configured) {
1316
if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) {
1317
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable "
1319
eap_ttls_state(data, FAILURE);
1322
data->tls_ia_configured = 1;
1325
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
1327
wpa_printf(MSG_INFO, "EAP-TTLS: Short frame with TLS "
1329
eap_ttls_state(data, FAILURE);
1332
tls_msg_len = WPA_GET_BE32(pos);
1333
wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS Message Length: %d",
1335
if (data->ssl.tls_in_left == 0) {
1336
data->ssl.tls_in_total = tls_msg_len;
1337
data->ssl.tls_in_left = tls_msg_len;
1338
free(data->ssl.tls_in);
1339
data->ssl.tls_in = NULL;
1340
data->ssl.tls_in_len = 0;
1346
switch (data->state) {
1348
if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
1350
wpa_printf(MSG_INFO, "EAP-TTLS: TLS processing "
1352
eap_ttls_state(data, FAILURE);
1357
case PHASE_FINISHED:
1358
eap_ttls_process_phase2(sm, data, resp, pos, left);
1360
case PHASE2_MSCHAPV2_RESP:
1361
if (data->mschapv2_resp_ok && left == 0) {
1362
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1363
"acknowledged response");
1364
eap_ttls_state(data, data->ttls_version > 0 ?
1365
PHASE_FINISHED : SUCCESS);
1366
} else if (!data->mschapv2_resp_ok) {
1367
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1368
"acknowledged error");
1369
eap_ttls_state(data, FAILURE);
1371
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1372
"frame from peer (payload len %d, expected "
1373
"empty frame)", left);
1374
eap_ttls_state(data, FAILURE);
1378
wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1379
data->state, __func__);
1383
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
1384
wpa_printf(MSG_INFO, "EAP-TTLS: Locally detected fatal error "
1385
"in TLS processing");
1386
eap_ttls_state(data, FAILURE);
1391
static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1393
struct eap_ttls_data *data = priv;
1394
return data->state == SUCCESS || data->state == FAILURE;
1398
static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm,
1399
struct eap_ttls_data *data)
1401
struct tls_keys keys;
1404
memset(&keys, 0, sizeof(keys));
1405
if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
1406
keys.client_random == NULL || keys.server_random == NULL ||
1407
keys.inner_secret == NULL) {
1408
wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
1409
"client random, or server random to derive keying "
1414
rnd = malloc(keys.client_random_len + keys.server_random_len);
1415
key = malloc(EAP_TLS_KEY_LEN);
1416
if (rnd == NULL || key == NULL) {
1417
wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
1422
memcpy(rnd, keys.client_random, keys.client_random_len);
1423
memcpy(rnd + keys.client_random_len, keys.server_random,
1424
keys.server_random_len);
1426
if (tls_prf(keys.inner_secret, keys.inner_secret_len,
1427
"ttls v1 keying material", rnd, keys.client_random_len +
1428
keys.server_random_len, key, EAP_TLS_KEY_LEN)) {
1429
wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1435
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
1436
rnd, keys.client_random_len + keys.server_random_len);
1437
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
1438
keys.inner_secret, keys.inner_secret_len);
1446
static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1448
struct eap_ttls_data *data = priv;
1451
if (data->state != SUCCESS)
1454
if (data->ttls_version == 0) {
1455
eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1456
"ttls keying material",
1459
eapKeyData = eap_ttls_v1_derive_key(sm, data);
1463
*len = EAP_TLS_KEY_LEN;
1464
wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1465
eapKeyData, EAP_TLS_KEY_LEN);
1467
wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1474
static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1476
struct eap_ttls_data *data = priv;
1477
return data->state == SUCCESS;
1481
int eap_server_ttls_register(void)
1483
struct eap_method *eap;
1486
eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1487
EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1491
eap->init = eap_ttls_init;
1492
eap->reset = eap_ttls_reset;
1493
eap->buildReq = eap_ttls_buildReq;
1494
eap->check = eap_ttls_check;
1495
eap->process = eap_ttls_process;
1496
eap->isDone = eap_ttls_isDone;
1497
eap->getKey = eap_ttls_getKey;
1498
eap->isSuccess = eap_ttls_isSuccess;
1500
ret = eap_server_method_register(eap);
1502
eap_server_method_free(eap);