#include "includes.h"
#include "common.h"
+#include "sha1.h"
#include "eap_i.h"
#include "eap_tls_common.h"
#include "eap_common/eap_tlv_common.h"
#include "tls.h"
+#include "tncs.h"
/* Maximum supported PEAP version
struct eap_ssl_data ssl;
enum {
START, PHASE1, PHASE1_ID2, PHASE2_START, PHASE2_ID,
- PHASE2_METHOD,
+ PHASE2_METHOD, PHASE2_SOH,
PHASE2_TLV, SUCCESS_REQ, FAILURE_REQ, SUCCESS, FAILURE
} state;
int peap_version;
+ int recv_version;
const struct eap_method *phase2_method;
void *phase2_priv;
int force_version;
struct wpabuf *pending_phase2_resp;
enum { TLV_REQ_NONE, TLV_REQ_SUCCESS, TLV_REQ_FAILURE } tlv_request;
+ int crypto_binding_sent;
+ int crypto_binding_used;
+ enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
+ u8 binding_nonce[32];
+ u8 ipmk[40];
+ u8 cmk[20];
+ u8 *phase2_key;
+ size_t phase2_key_len;
+ struct wpabuf *soh_response;
};
return "PHASE2_ID";
case PHASE2_METHOD:
return "PHASE2_METHOD";
+ case PHASE2_SOH:
+ return "PHASE2_SOH";
case PHASE2_TLV:
return "PHASE2_TLV";
case SUCCESS_REQ:
data->peap_version = data->force_version;
}
data->state = START;
+ data->crypto_binding = OPTIONAL_BINDING;
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
data->phase2_method->reset(sm, data->phase2_priv);
eap_server_tls_ssl_deinit(sm, &data->ssl);
wpabuf_free(data->pending_phase2_resp);
+ os_free(data->phase2_key);
+ wpabuf_free(data->soh_response);
os_free(data);
}
}
-static struct wpabuf * eap_peap_build_req(struct eap_sm *sm,
- struct eap_peap_data *data, u8 id)
+static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
+ struct eap_peap_data *data,
+ u8 id)
{
- int res;
- struct wpabuf *req;
-
- res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_PEAP,
- data->peap_version, id, &req);
+ struct wpabuf *buf, *encr_req;
+ const u8 *req;
+ size_t req_len;
- if (data->peap_version < 2 &&
- tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, starting "
- "Phase2");
- eap_peap_state(data, PHASE2_START);
+ if (data->phase2_method == NULL || data->phase2_priv == NULL) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 method not ready");
+ return NULL;
}
-
- if (res == 1)
- return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
- data->peap_version);
- return req;
-}
-
-
-static struct wpabuf * eap_peap_encrypt(struct eap_sm *sm,
- struct eap_peap_data *data,
- u8 id, const u8 *plain,
- size_t plain_len)
-{
- int res;
- struct wpabuf *buf;
-
- /* TODO: add support for fragmentation, if needed. This will need to
- * add TLS Message Length field, if the frame is fragmented. */
- buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP,
- 1 + data->ssl.tls_out_limit,
- EAP_CODE_REQUEST, id);
+ buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
+ if (data->peap_version >= 2 && buf)
+ buf = eap_peapv2_tlv_eap_payload(buf);
if (buf == NULL)
return NULL;
- wpabuf_put_u8(buf, data->peap_version);
+ req = wpabuf_head(buf);
+ req_len = wpabuf_len(buf);
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
+ req, req_len);
- res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
- plain, plain_len, wpabuf_put(buf, 0),
- data->ssl.tls_out_limit);
- if (res < 0) {
- wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt Phase 2 "
- "data");
- wpabuf_free(buf);
- return NULL;
+ if (data->peap_version == 0 &&
+ data->phase2_method->method != EAP_TYPE_TLV) {
+ req += sizeof(struct eap_hdr);
+ req_len -= sizeof(struct eap_hdr);
}
- wpabuf_put(buf, res);
- eap_update_len(buf);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
+ wpabuf_free(buf);
- return buf;
+ return encr_req;
}
-static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
+#ifdef EAP_TNC
+static struct wpabuf * eap_peap_build_phase2_soh(struct eap_sm *sm,
struct eap_peap_data *data,
u8 id)
{
- struct wpabuf *buf, *encr_req;
+ struct wpabuf *buf1, *buf, *encr_req;
const u8 *req;
size_t req_len;
- buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
- if (data->peap_version >= 2 && buf)
- buf = eap_peapv2_tlv_eap_payload(buf);
- if (buf == NULL)
+ buf1 = tncs_build_soh_request();
+ if (buf1 == NULL)
return NULL;
+ buf = eap_msg_alloc(EAP_VENDOR_MICROSOFT, 0x21, wpabuf_len(buf1),
+ EAP_CODE_REQUEST, id);
+ if (buf == NULL) {
+ wpabuf_free(buf1);
+ return NULL;
+ }
+ wpabuf_put_buf(buf, buf1);
+ wpabuf_free(buf1);
+
req = wpabuf_head(buf);
req_len = wpabuf_len(buf);
- wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
+
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 SOH data",
req, req_len);
- if (data->peap_version == 0 &&
- data->phase2_method->method != EAP_TYPE_TLV) {
- req += sizeof(struct eap_hdr);
- req_len -= sizeof(struct eap_hdr);
- }
+ req += sizeof(struct eap_hdr);
+ req_len -= sizeof(struct eap_hdr);
- encr_req = eap_peap_encrypt(sm, data, id, req, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
wpabuf_free(buf);
return encr_req;
}
+#endif /* EAP_TNC */
+
+
+static void eap_peap_get_isk(struct eap_peap_data *data,
+ u8 *isk, size_t isk_len)
+{
+ size_t key_len;
+
+ os_memset(isk, 0, isk_len);
+ if (data->phase2_key == NULL)
+ return;
+
+ key_len = data->phase2_key_len;
+ if (key_len > isk_len)
+ key_len = isk_len;
+ os_memcpy(isk, data->phase2_key, key_len);
+}
+
+
+void peap_prfplus(int version, const u8 *key, size_t key_len,
+ const char *label, const u8 *seed, size_t seed_len,
+ u8 *buf, size_t buf_len)
+{
+ unsigned char counter = 0;
+ size_t pos, plen;
+ u8 hash[SHA1_MAC_LEN];
+ size_t label_len = os_strlen(label);
+ u8 extra[2];
+ const unsigned char *addr[5];
+ size_t len[5];
+
+ addr[0] = hash;
+ len[0] = 0;
+ addr[1] = (unsigned char *) label;
+ len[1] = label_len;
+ addr[2] = seed;
+ len[2] = seed_len;
+
+ if (version == 0) {
+ /*
+ * PRF+(K, S, LEN) = T1 | T2 | ... | Tn
+ * T1 = HMAC-SHA1(K, S | 0x01 | 0x00 | 0x00)
+ * T2 = HMAC-SHA1(K, T1 | S | 0x02 | 0x00 | 0x00)
+ * ...
+ * Tn = HMAC-SHA1(K, Tn-1 | S | n | 0x00 | 0x00)
+ */
+
+ extra[0] = 0;
+ extra[1] = 0;
+
+ addr[3] = &counter;
+ len[3] = 1;
+ addr[4] = extra;
+ len[4] = 2;
+ } else {
+ /*
+ * PRF (K,S,LEN) = T1 | T2 | T3 | T4 | ... where:
+ * T1 = HMAC-SHA1(K, S | LEN | 0x01)
+ * T2 = HMAC-SHA1 (K, T1 | S | LEN | 0x02)
+ * T3 = HMAC-SHA1 (K, T2 | S | LEN | 0x03)
+ * T4 = HMAC-SHA1 (K, T3 | S | LEN | 0x04)
+ * ...
+ */
+
+ extra[0] = buf_len & 0xff;
+
+ addr[3] = extra;
+ len[3] = 1;
+ addr[4] = &counter;
+ len[4] = 1;
+ }
+
+ pos = 0;
+ while (pos < buf_len) {
+ counter++;
+ plen = buf_len - pos;
+ hmac_sha1_vector(key, key_len, 5, addr, len, hash);
+ if (plen >= SHA1_MAC_LEN) {
+ os_memcpy(&buf[pos], hash, SHA1_MAC_LEN);
+ pos += SHA1_MAC_LEN;
+ } else {
+ os_memcpy(&buf[pos], hash, plen);
+ break;
+ }
+ len[0] = SHA1_MAC_LEN;
+ }
+}
+
+
+static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
+{
+ u8 *tk;
+ u8 isk[32], imck[60];
+
+ /*
+ * Tunnel key (TK) is the first 60 octets of the key generated by
+ * phase 1 of PEAP (based on TLS).
+ */
+ tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption",
+ EAP_TLS_KEY_LEN);
+ if (tk == NULL)
+ return -1;
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
+
+ eap_peap_get_isk(data, isk, sizeof(isk));
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
+
+ /*
+ * IPMK Seed = "Inner Methods Compound Keys" | ISK
+ * TempKey = First 40 octets of TK
+ * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
+ * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
+ * in the end of the label just before ISK; is that just a typo?)
+ */
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
+ peap_prfplus(data->peap_version, tk, 40, "Inner Methods Compound Keys",
+ isk, sizeof(isk), imck, sizeof(imck));
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
+ imck, sizeof(imck));
+
+ os_free(tk);
+
+ /* TODO: fast-connect: IPMK|CMK = TK */
+ os_memcpy(data->ipmk, imck, 40);
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
+ os_memcpy(data->cmk, imck + 40, 20);
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
+
+ return 0;
+}
static struct wpabuf * eap_peap_build_phase2_tlv(struct eap_sm *sm,
u8 id)
{
struct wpabuf *buf, *encr_req;
+ size_t len;
+
+ len = 6; /* Result TLV */
+ if (data->crypto_binding != NO_BINDING)
+ len += 60; /* Cryptobinding TLV */
+#ifdef EAP_TNC
+ if (data->soh_response)
+ len += wpabuf_len(data->soh_response);
+#endif /* EAP_TNC */
- buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 6,
+ buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len,
EAP_CODE_REQUEST, id);
if (buf == NULL)
return NULL;
wpabuf_put_be16(buf, data->tlv_request == TLV_REQ_SUCCESS ?
EAP_TLV_RESULT_SUCCESS : EAP_TLV_RESULT_FAILURE);
+ if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
+ data->crypto_binding != NO_BINDING) {
+ u8 *mac;
+ u8 eap_type = EAP_TYPE_PEAP;
+ const u8 *addr[2];
+ size_t len[2];
+ u16 tlv_type;
+
+#ifdef EAP_TNC
+ if (data->soh_response) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Adding MS-SOH "
+ "Response TLV");
+ wpabuf_put_buf(buf, data->soh_response);
+ wpabuf_free(data->soh_response);
+ data->soh_response = NULL;
+ }
+#endif /* EAP_TNC */
+
+ if (eap_peap_derive_cmk(sm, data) < 0 ||
+ os_get_random(data->binding_nonce, 32)) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+
+ /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
+ addr[0] = wpabuf_put(buf, 0);
+ len[0] = 60;
+ addr[1] = &eap_type;
+ len[1] = 1;
+
+ tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
+ if (data->peap_version >= 2)
+ tlv_type |= EAP_TLV_TYPE_MANDATORY;
+ wpabuf_put_be16(buf, tlv_type);
+ wpabuf_put_be16(buf, 56);
+
+ wpabuf_put_u8(buf, 0); /* Reserved */
+ wpabuf_put_u8(buf, data->peap_version); /* Version */
+ wpabuf_put_u8(buf, data->recv_version); /* RecvVersion */
+ wpabuf_put_u8(buf, 0); /* SubType: 0 = Request, 1 = Response */
+ wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
+ mac = wpabuf_put(buf, 20); /* Compound_MAC */
+ wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK",
+ data->cmk, 20);
+ wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
+ addr[0], len[0]);
+ wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
+ addr[1], len[1]);
+ hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac);
+ wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC",
+ mac, SHA1_MAC_LEN);
+ data->crypto_binding_sent = 1;
+ }
+
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
buf);
- encr_req = eap_peap_encrypt(sm, data, id, wpabuf_head(buf),
- wpabuf_len(buf));
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, wpabuf_head(buf),
+ wpabuf_len(buf));
wpabuf_free(buf);
return encr_req;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
(u8 *) hdr, req_len);
- encr_req = eap_peap_encrypt(sm, data, id, (u8 *) hdr, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, (u8 *) hdr, req_len);
os_free(hdr);
return encr_req;
{
struct eap_peap_data *data = priv;
+ if (data->ssl.state == FRAG_ACK) {
+ return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
+ data->peap_version);
+ }
+
+ if (data->ssl.state == WAIT_FRAG_ACK) {
+ return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
+ data->peap_version, id);
+ }
+
switch (data->state) {
case START:
return eap_peap_build_start(sm, data, id);
case PHASE1:
case PHASE1_ID2:
- return eap_peap_build_req(sm, data, id);
+ if (data->peap_version < 2 &&
+ tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
+ "starting Phase2");
+ eap_peap_state(data, PHASE2_START);
+ }
+ break;
case PHASE2_ID:
case PHASE2_METHOD:
- return eap_peap_build_phase2_req(sm, data, id);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_req(sm, data, id);
+ break;
+#ifdef EAP_TNC
+ case PHASE2_SOH:
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_soh(sm, data, id);
+ break;
+#endif /* EAP_TNC */
case PHASE2_TLV:
- return eap_peap_build_phase2_tlv(sm, data, id);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_tlv(sm, data, id);
+ break;
case SUCCESS_REQ:
- return eap_peap_build_phase2_term(sm, data, id, 1);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
+ 1);
+ break;
case FAILURE_REQ:
- return eap_peap_build_phase2_term(sm, data, id, 0);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
+ 0);
+ break;
default:
wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
__func__, data->state);
return NULL;
}
+
+ return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
+ data->peap_version, id);
}
}
+static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ struct eap_peap_data *data,
+ const u8 *crypto_tlv,
+ size_t crypto_tlv_len)
+{
+ u8 buf[61], mac[SHA1_MAC_LEN];
+ const u8 *pos;
+
+ if (crypto_tlv_len != 4 + 56) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
+ "length %d", (int) crypto_tlv_len);
+ return -1;
+ }
+
+ pos = crypto_tlv;
+ pos += 4; /* TLV header */
+ if (pos[1] != data->peap_version) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
+ "mismatch (was %d; expected %d)",
+ pos[1], data->peap_version);
+ return -1;
+ }
+
+ if (pos[3] != 1) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
+ "SubType %d", pos[3]);
+ return -1;
+ }
+ pos += 4;
+ pos += 32; /* Nonce */
+
+ /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
+ os_memcpy(buf, crypto_tlv, 60);
+ os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
+ buf[60] = EAP_TYPE_PEAP;
+ hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
+
+ if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
+ "cryptobinding TLV");
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK", data->cmk, 20);
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding seed data",
+ buf, 61);
+ return -1;
+ }
+
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
+
+ return 0;
+}
+
+
static void eap_peap_process_phase2_tlv(struct eap_sm *sm,
struct eap_peap_data *data,
struct wpabuf *in_data)
{
const u8 *pos;
size_t left;
- const u8 *result_tlv = NULL;
- size_t result_tlv_len = 0;
+ const u8 *result_tlv = NULL, *crypto_tlv = NULL;
+ size_t result_tlv_len = 0, crypto_tlv_len = 0;
int tlv_type, mandatory, tlv_len;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, in_data, &left);
}
/* Parse TLVs */
- wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left);
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs", pos, left);
while (left >= 4) {
mandatory = !!(pos[0] & 0x80);
tlv_type = pos[0] & 0x3f;
pos += 4;
left -= 4;
if ((size_t) tlv_len > left) {
- wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun "
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
"(tlv_len=%d left=%lu)", tlv_len,
(unsigned long) left);
eap_peap_state(data, FAILURE);
result_tlv = pos;
result_tlv_len = tlv_len;
break;
+ case EAP_TLV_CRYPTO_BINDING_TLV:
+ crypto_tlv = pos;
+ crypto_tlv_len = tlv_len;
+ break;
default:
- wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type "
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
"%d%s", tlv_type,
mandatory ? " (mandatory)" : "");
if (mandatory) {
left -= tlv_len;
}
if (left) {
- wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in "
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
"Request (left=%lu)", (unsigned long) left);
eap_peap_state(data, FAILURE);
return;
}
/* Process supported TLVs */
+ if (crypto_tlv && data->crypto_binding_sent) {
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
+ crypto_tlv, crypto_tlv_len);
+ if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
+ crypto_tlv_len + 4) < 0) {
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+ data->crypto_binding_used = 1;
+ } else if (!crypto_tlv && data->crypto_binding_sent &&
+ data->crypto_binding == REQUIRE_BINDING) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+
if (result_tlv) {
int status;
const char *requested;
- wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV",
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Result TLV",
result_tlv, result_tlv_len);
if (result_tlv_len < 2) {
- wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV "
+ wpa_printf(MSG_INFO, "EAP-PEAP: Too short Result TLV "
"(len=%lu)",
(unsigned long) result_tlv_len);
eap_peap_state(data, FAILURE);
"Failure";
status = WPA_GET_BE16(result_tlv);
if (status == EAP_TLV_RESULT_SUCCESS) {
- wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success "
+ wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Success "
"- requested %s", requested);
if (data->tlv_request == TLV_REQ_SUCCESS)
eap_peap_state(data, SUCCESS);
eap_peap_state(data, FAILURE);
} else if (status == EAP_TLV_RESULT_FAILURE) {
- wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure - "
- "requested %s", requested);
+ wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Failure "
+ "- requested %s", requested);
eap_peap_state(data, FAILURE);
} else {
- wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result "
+ wpa_printf(MSG_INFO, "EAP-PEAP: Unknown TLV Result "
"Status %d", status);
eap_peap_state(data, FAILURE);
}
}
+#ifdef EAP_TNC
+static void eap_peap_process_phase2_soh(struct eap_sm *sm,
+ struct eap_peap_data *data,
+ struct wpabuf *in_data)
+{
+ const u8 *pos, *vpos;
+ size_t left;
+ const u8 *soh_tlv = NULL;
+ size_t soh_tlv_len = 0;
+ int tlv_type, mandatory, tlv_len, vtlv_len;
+ u8 next_type;
+ u32 vendor_id;
+
+ pos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, in_data, &left);
+ if (pos == NULL) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Not a valid SoH EAP "
+ "Extensions Method header - skip TNC");
+ goto auth_method;
+ }
+
+ /* Parse TLVs */
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs (SoH)", pos, left);
+ while (left >= 4) {
+ mandatory = !!(pos[0] & 0x80);
+ tlv_type = pos[0] & 0x3f;
+ tlv_type = (tlv_type << 8) | pos[1];
+ tlv_len = ((int) pos[2] << 8) | pos[3];
+ pos += 4;
+ left -= 4;
+ if ((size_t) tlv_len > left) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
+ "(tlv_len=%d left=%lu)", tlv_len,
+ (unsigned long) left);
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+ switch (tlv_type) {
+ case EAP_TLV_VENDOR_SPECIFIC_TLV:
+ if (tlv_len < 4) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Too short "
+ "vendor specific TLV (len=%d)",
+ (int) tlv_len);
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+
+ vendor_id = WPA_GET_BE32(pos);
+ if (vendor_id != EAP_VENDOR_MICROSOFT) {
+ if (mandatory) {
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+ break;
+ }
+
+ vpos = pos + 4;
+ mandatory = !!(vpos[0] & 0x80);
+ tlv_type = vpos[0] & 0x3f;
+ tlv_type = (tlv_type << 8) | vpos[1];
+ vtlv_len = ((int) vpos[2] << 8) | vpos[3];
+ vpos += 4;
+ if (vpos + vtlv_len > pos + left) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Vendor TLV "
+ "underrun");
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+
+ if (tlv_type == 1) {
+ soh_tlv = vpos;
+ soh_tlv_len = vtlv_len;
+ break;
+ }
+
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported MS-TLV "
+ "Type %d%s", tlv_type,
+ mandatory ? " (mandatory)" : "");
+ if (mandatory) {
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+ /* Ignore this TLV, but process other TLVs */
+ break;
+ default:
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
+ "%d%s", tlv_type,
+ mandatory ? " (mandatory)" : "");
+ if (mandatory) {
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+ /* Ignore this TLV, but process other TLVs */
+ break;
+ }
+
+ pos += tlv_len;
+ left -= tlv_len;
+ }
+ if (left) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
+ "Request (left=%lu)", (unsigned long) left);
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+
+ /* Process supported TLVs */
+ if (soh_tlv) {
+ int failure = 0;
+ wpabuf_free(data->soh_response);
+ data->soh_response = tncs_process_soh(soh_tlv, soh_tlv_len,
+ &failure);
+ if (failure) {
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+ } else {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: No SoH TLV received");
+ eap_peap_state(data, FAILURE);
+ return;
+ }
+
+auth_method:
+ eap_peap_state(data, PHASE2_METHOD);
+ next_type = sm->user->methods[0].method;
+ sm->user_eap_method_index = 1;
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
+ eap_peap_phase2_init(sm, data, next_type);
+}
+#endif /* EAP_TNC */
+
+
static void eap_peap_process_phase2_response(struct eap_sm *sm,
struct eap_peap_data *data,
struct wpabuf *in_data)
return;
}
+#ifdef EAP_TNC
+ if (data->state == PHASE2_SOH) {
+ eap_peap_process_phase2_soh(sm, data, in_data);
+ return;
+ }
+#endif /* EAP_TNC */
+
if (data->phase2_priv == NULL) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - Phase2 not "
"initialized?!", __func__);
return;
}
+ os_free(data->phase2_key);
+ if (data->phase2_method->getKey) {
+ data->phase2_key = data->phase2_method->getKey(
+ sm, data->phase2_priv, &data->phase2_key_len);
+ if (data->phase2_key == NULL) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 getKey "
+ "failed");
+ eap_peap_req_failure(sm, data);
+ eap_peap_phase2_init(sm, data, EAP_TYPE_NONE);
+ return;
+ }
+
+ if (data->phase2_key_len == 32 &&
+ data->phase2_method->vendor == EAP_VENDOR_IETF &&
+ data->phase2_method->method == EAP_TYPE_MSCHAPV2) {
+ /*
+ * Microsoft uses reverse order for MS-MPPE keys in
+ * EAP-PEAP when compared to EAP-FAST derivation of
+ * ISK. Swap the keys here to get the correct ISK for
+ * EAP-PEAPv0 cryptobinding.
+ */
+ u8 tmp[16];
+ os_memcpy(tmp, data->phase2_key, 16);
+ os_memcpy(data->phase2_key, data->phase2_key + 16, 16);
+ os_memcpy(data->phase2_key + 16, tmp, 16);
+ }
+ }
+
switch (data->state) {
case PHASE1_ID2:
case PHASE2_ID:
+ case PHASE2_SOH:
if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
wpa_hexdump_ascii(MSG_DEBUG, "EAP_PEAP: Phase2 "
"Identity not found in the user "
break;
}
+#ifdef EAP_TNC
+ if (data->state != PHASE2_SOH && sm->tnc &&
+ data->peap_version == 0) {
+ eap_peap_state(data, PHASE2_SOH);
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
+ "TNC (NAP SOH)");
+ next_type = EAP_TYPE_NONE;
+ break;
+ }
+#endif /* EAP_TNC */
+
eap_peap_state(data, PHASE2_METHOD);
next_type = sm->user->methods[0].method;
sm->user_eap_method_index = 1;
const u8 *in_data, size_t in_len)
{
struct wpabuf *in_decrypted;
- int len_decrypted, res;
+ int len_decrypted;
const struct eap_hdr *hdr;
size_t buf_len, len;
return;
}
- /* FIX: get rid of const -> non-const typecast */
- res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
- &in_len);
- if (res < 0 || res == 1)
- return;
-
buf_len = in_len;
- if (data->ssl.tls_in_total > buf_len)
- buf_len = data->ssl.tls_in_total;
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ buf_len += 500;
+ buf_len *= 3;
in_decrypted = wpabuf_alloc(buf_len);
if (in_decrypted == NULL) {
- os_free(data->ssl.tls_in);
- data->ssl.tls_in = NULL;
- data->ssl.tls_in_len = 0;
wpa_printf(MSG_WARNING, "EAP-PEAP: failed to allocate memory "
"for decryption");
return;
in_data, in_len,
wpabuf_mhead(in_decrypted),
buf_len);
- os_free(data->ssl.tls_in);
- data->ssl.tls_in = NULL;
- data->ssl.tls_in_len = 0;
if (len_decrypted < 0) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
"data");
{
struct wpabuf *buf, *buf2;
int res;
- u8 *tls_out;
wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Phase1 done, include first Phase2 "
"payload in the same message");
buf);
/* Append TLS data into the pending buffer after the Server Finished */
- tls_out = os_realloc(data->ssl.tls_out,
- data->ssl.tls_out_len + wpabuf_len(buf));
- if (tls_out == NULL) {
+ if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(buf)) < 0) {
wpabuf_free(buf);
return -1;
}
-
- os_memcpy(tls_out + data->ssl.tls_out_len, wpabuf_head(buf),
- wpabuf_len(buf));
- data->ssl.tls_out = tls_out;
- data->ssl.tls_out_len += wpabuf_len(buf);
-
+ wpabuf_put_buf(data->ssl.out_buf, buf);
wpabuf_free(buf);
return 0;
const u8 *pos;
u8 flags;
size_t left;
- unsigned int tls_msg_len;
int peer_version;
+ int ret;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData,
&left);
wpa_printf(MSG_DEBUG, "EAP-PEAP: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) wpabuf_len(respData),
flags);
- peer_version = flags & EAP_PEAP_VERSION_MASK;
+ data->recv_version = peer_version = flags & EAP_TLS_VERSION_MASK;
if (data->force_version >= 0 && peer_version != data->force_version) {
wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
" version (forced=%d peer=%d) - reject",
peer_version, data->peap_version, peer_version);
data->peap_version = peer_version;
}
- if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
- if (left < 4) {
- wpa_printf(MSG_INFO, "EAP-PEAP: Short frame with TLS "
- "length");
- eap_peap_state(data, FAILURE);
- return;
- }
- tls_msg_len = WPA_GET_BE32(pos);
- wpa_printf(MSG_DEBUG, "EAP-PEAP: TLS Message Length: %d",
- tls_msg_len);
- if (data->ssl.tls_in_left == 0) {
- data->ssl.tls_in_total = tls_msg_len;
- data->ssl.tls_in_left = tls_msg_len;
- os_free(data->ssl.tls_in);
- data->ssl.tls_in = NULL;
- data->ssl.tls_in_len = 0;
- }
- pos += 4;
- left -= 4;
- }
+
+ ret = eap_server_tls_reassemble(&data->ssl, flags, &pos, &left);
+ if (ret < 0) {
+ eap_peap_state(data, FAILURE);
+ return;
+ } else if (ret == 1)
+ return;
switch (data->state) {
case PHASE1:
- if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
- 0) {
- wpa_printf(MSG_INFO, "EAP-PEAP: TLS processing "
- "failed");
+ if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
eap_peap_state(data, FAILURE);
break;
}
case PHASE1_ID2:
case PHASE2_ID:
case PHASE2_METHOD:
+ case PHASE2_SOH:
case PHASE2_TLV:
eap_peap_process_phase2(sm, data, respData, pos, left);
break;
"in TLS processing");
eap_peap_state(data, FAILURE);
}
+
+ eap_server_tls_free_in_buf(&data->ssl);
}
if (data->state != SUCCESS)
return NULL;
+ if (data->crypto_binding_used) {
+ u8 csk[128];
+ /*
+ * Note: It looks like Microsoft implementation requires null
+ * termination for this label while the one used for deriving
+ * IPMK|CMK did not use null termination.
+ */
+ peap_prfplus(data->peap_version, data->ipmk, 40,
+ "Session Key Generating Function",
+ (u8 *) "\00", 1, csk, sizeof(csk));
+ wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
+ eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
+ if (eapKeyData) {
+ os_memcpy(eapKeyData, csk, EAP_TLS_KEY_LEN);
+ *len = EAP_TLS_KEY_LEN;
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
+ eapKeyData, EAP_TLS_KEY_LEN);
+ } else {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive "
+ "key");
+ }
+
+ return eapKeyData;
+ }
+
/* TODO: PEAPv1 - different label in some cases */
eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
"client EAP encryption",