2 * hostapd / EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
20 #include "eap_tls_common.h"
21 #include "eap_common/eap_tlv_common.h"
26 /* Maximum supported PEAP version
27 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
28 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
29 * 2 = draft-josefsson-ppext-eap-tls-eap-10.txt
31 #define EAP_PEAP_VERSION 1
34 static void eap_peap_reset(struct eap_sm *sm, void *priv);
37 struct eap_peap_data {
38 struct eap_ssl_data ssl;
40 START, PHASE1, PHASE1_ID2, PHASE2_START, PHASE2_ID,
41 PHASE2_METHOD, PHASE2_SOH,
42 PHASE2_TLV, SUCCESS_REQ, FAILURE_REQ, SUCCESS, FAILURE
47 const struct eap_method *phase2_method;
50 struct wpabuf *pending_phase2_resp;
51 enum { TLV_REQ_NONE, TLV_REQ_SUCCESS, TLV_REQ_FAILURE } tlv_request;
52 int crypto_binding_sent;
53 int crypto_binding_used;
54 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
59 size_t phase2_key_len;
60 struct wpabuf *soh_response;
64 static const char * eap_peap_state_txt(int state)
74 return "PHASE2_START";
78 return "PHASE2_METHOD";
97 static void eap_peap_state(struct eap_peap_data *data, int state)
99 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s -> %s",
100 eap_peap_state_txt(data->state),
101 eap_peap_state_txt(state));
106 static struct wpabuf * eap_peapv2_tlv_eap_payload(struct wpabuf *buf)
109 struct eap_tlv_hdr *tlv;
114 /* Encapsulate EAP packet in EAP-Payload TLV */
115 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Add EAP-Payload TLV");
116 e = wpabuf_alloc(sizeof(*tlv) + wpabuf_len(buf));
118 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Failed to allocate memory "
119 "for TLV encapsulation");
123 tlv = wpabuf_put(e, sizeof(*tlv));
124 tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
125 EAP_TLV_EAP_PAYLOAD_TLV);
126 tlv->length = host_to_be16(wpabuf_len(buf));
127 wpabuf_put_buf(e, buf);
133 static void eap_peap_req_success(struct eap_sm *sm,
134 struct eap_peap_data *data)
136 if (data->state == FAILURE || data->state == FAILURE_REQ) {
137 eap_peap_state(data, FAILURE);
141 if (data->peap_version == 0) {
142 data->tlv_request = TLV_REQ_SUCCESS;
143 eap_peap_state(data, PHASE2_TLV);
145 eap_peap_state(data, SUCCESS_REQ);
150 static void eap_peap_req_failure(struct eap_sm *sm,
151 struct eap_peap_data *data)
153 if (data->state == FAILURE || data->state == FAILURE_REQ ||
154 data->state == SUCCESS_REQ || data->tlv_request != TLV_REQ_NONE) {
155 eap_peap_state(data, FAILURE);
159 if (data->peap_version == 0) {
160 data->tlv_request = TLV_REQ_FAILURE;
161 eap_peap_state(data, PHASE2_TLV);
163 eap_peap_state(data, FAILURE_REQ);
168 static void * eap_peap_init(struct eap_sm *sm)
170 struct eap_peap_data *data;
172 data = os_zalloc(sizeof(*data));
175 data->peap_version = EAP_PEAP_VERSION;
176 data->force_version = -1;
177 if (sm->user && sm->user->force_version >= 0) {
178 data->force_version = sm->user->force_version;
179 wpa_printf(MSG_DEBUG, "EAP-PEAP: forcing version %d",
180 data->force_version);
181 data->peap_version = data->force_version;
184 data->crypto_binding = OPTIONAL_BINDING;
186 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
187 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
188 eap_peap_reset(sm, data);
196 static void eap_peap_reset(struct eap_sm *sm, void *priv)
198 struct eap_peap_data *data = priv;
201 if (data->phase2_priv && data->phase2_method)
202 data->phase2_method->reset(sm, data->phase2_priv);
203 eap_server_tls_ssl_deinit(sm, &data->ssl);
204 wpabuf_free(data->pending_phase2_resp);
205 os_free(data->phase2_key);
206 wpabuf_free(data->soh_response);
211 static struct wpabuf * eap_peap_build_start(struct eap_sm *sm,
212 struct eap_peap_data *data, u8 id)
216 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP, 1,
217 EAP_CODE_REQUEST, id);
219 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to allocate memory for"
221 eap_peap_state(data, FAILURE);
225 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->peap_version);
227 eap_peap_state(data, PHASE1);
233 static struct wpabuf * eap_peap_build_req(struct eap_sm *sm,
234 struct eap_peap_data *data, u8 id)
239 res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_PEAP,
240 data->peap_version, id, &req);
242 if (data->peap_version < 2 &&
243 tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
244 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, starting "
246 eap_peap_state(data, PHASE2_START);
250 return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
256 static struct wpabuf * eap_peap_encrypt(struct eap_sm *sm,
257 struct eap_peap_data *data,
258 u8 id, const u8 *plain,
264 /* TODO: add support for fragmentation, if needed. This will need to
265 * add TLS Message Length field, if the frame is fragmented. */
266 buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP,
267 1 + data->ssl.tls_out_limit,
268 EAP_CODE_REQUEST, id);
272 wpabuf_put_u8(buf, data->peap_version);
274 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
275 plain, plain_len, wpabuf_put(buf, 0),
276 data->ssl.tls_out_limit);
278 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt Phase 2 "
284 wpabuf_put(buf, res);
291 static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
292 struct eap_peap_data *data,
295 struct wpabuf *buf, *encr_req;
299 if (data->phase2_method == NULL || data->phase2_priv == NULL) {
300 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 method not ready");
303 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
304 if (data->peap_version >= 2 && buf)
305 buf = eap_peapv2_tlv_eap_payload(buf);
309 req = wpabuf_head(buf);
310 req_len = wpabuf_len(buf);
311 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
314 if (data->peap_version == 0 &&
315 data->phase2_method->method != EAP_TYPE_TLV) {
316 req += sizeof(struct eap_hdr);
317 req_len -= sizeof(struct eap_hdr);
320 encr_req = eap_peap_encrypt(sm, data, id, req, req_len);
328 static struct wpabuf * eap_peap_build_phase2_soh(struct eap_sm *sm,
329 struct eap_peap_data *data,
332 struct wpabuf *buf1, *buf, *encr_req;
336 buf1 = tncs_build_soh_request();
340 buf = eap_msg_alloc(EAP_VENDOR_MICROSOFT, 0x21, wpabuf_len(buf1),
341 EAP_CODE_REQUEST, id);
346 wpabuf_put_buf(buf, buf1);
349 req = wpabuf_head(buf);
350 req_len = wpabuf_len(buf);
352 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 SOH data",
355 req += sizeof(struct eap_hdr);
356 req_len -= sizeof(struct eap_hdr);
358 encr_req = eap_peap_encrypt(sm, data, id, req, req_len);
366 static void eap_peap_get_isk(struct eap_peap_data *data,
367 u8 *isk, size_t isk_len)
371 os_memset(isk, 0, isk_len);
372 if (data->phase2_key == NULL)
375 key_len = data->phase2_key_len;
376 if (key_len > isk_len)
378 os_memcpy(isk, data->phase2_key, key_len);
382 void peap_prfplus(int version, const u8 *key, size_t key_len,
383 const char *label, const u8 *seed, size_t seed_len,
384 u8 *buf, size_t buf_len)
386 unsigned char counter = 0;
388 u8 hash[SHA1_MAC_LEN];
389 size_t label_len = os_strlen(label);
391 const unsigned char *addr[5];
396 addr[1] = (unsigned char *) label;
403 * PRF+(K, S, LEN) = T1 | T2 | ... | Tn
404 * T1 = HMAC-SHA1(K, S | 0x01 | 0x00 | 0x00)
405 * T2 = HMAC-SHA1(K, T1 | S | 0x02 | 0x00 | 0x00)
407 * Tn = HMAC-SHA1(K, Tn-1 | S | n | 0x00 | 0x00)
419 * PRF (K,S,LEN) = T1 | T2 | T3 | T4 | ... where:
420 * T1 = HMAC-SHA1(K, S | LEN | 0x01)
421 * T2 = HMAC-SHA1 (K, T1 | S | LEN | 0x02)
422 * T3 = HMAC-SHA1 (K, T2 | S | LEN | 0x03)
423 * T4 = HMAC-SHA1 (K, T3 | S | LEN | 0x04)
427 extra[0] = buf_len & 0xff;
436 while (pos < buf_len) {
438 plen = buf_len - pos;
439 hmac_sha1_vector(key, key_len, 5, addr, len, hash);
440 if (plen >= SHA1_MAC_LEN) {
441 os_memcpy(&buf[pos], hash, SHA1_MAC_LEN);
444 os_memcpy(&buf[pos], hash, plen);
447 len[0] = SHA1_MAC_LEN;
452 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
455 u8 isk[32], imck[60];
458 * Tunnel key (TK) is the first 60 octets of the key generated by
459 * phase 1 of PEAP (based on TLS).
461 tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption",
465 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
467 eap_peap_get_isk(data, isk, sizeof(isk));
468 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
471 * IPMK Seed = "Inner Methods Compound Keys" | ISK
472 * TempKey = First 40 octets of TK
473 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
474 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
475 * in the end of the label just before ISK; is that just a typo?)
477 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
478 peap_prfplus(data->peap_version, tk, 40, "Inner Methods Compound Keys",
479 isk, sizeof(isk), imck, sizeof(imck));
480 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
485 /* TODO: fast-connect: IPMK|CMK = TK */
486 os_memcpy(data->ipmk, imck, 40);
487 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
488 os_memcpy(data->cmk, imck + 40, 20);
489 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
495 static struct wpabuf * eap_peap_build_phase2_tlv(struct eap_sm *sm,
496 struct eap_peap_data *data,
499 struct wpabuf *buf, *encr_req;
502 len = 6; /* Result TLV */
503 if (data->crypto_binding != NO_BINDING)
504 len += 60; /* Cryptobinding TLV */
506 if (data->soh_response)
507 len += wpabuf_len(data->soh_response);
510 buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len,
511 EAP_CODE_REQUEST, id);
515 wpabuf_put_u8(buf, 0x80); /* Mandatory */
516 wpabuf_put_u8(buf, EAP_TLV_RESULT_TLV);
518 wpabuf_put_be16(buf, 2);
520 wpabuf_put_be16(buf, data->tlv_request == TLV_REQ_SUCCESS ?
521 EAP_TLV_RESULT_SUCCESS : EAP_TLV_RESULT_FAILURE);
523 if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
524 data->crypto_binding != NO_BINDING) {
526 u8 eap_type = EAP_TYPE_PEAP;
532 if (data->soh_response) {
533 wpa_printf(MSG_DEBUG, "EAP-PEAP: Adding MS-SOH "
535 wpabuf_put_buf(buf, data->soh_response);
536 wpabuf_free(data->soh_response);
537 data->soh_response = NULL;
541 if (eap_peap_derive_cmk(sm, data) < 0 ||
542 os_get_random(data->binding_nonce, 32)) {
547 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
548 addr[0] = wpabuf_put(buf, 0);
553 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
554 if (data->peap_version >= 2)
555 tlv_type |= EAP_TLV_TYPE_MANDATORY;
556 wpabuf_put_be16(buf, tlv_type);
557 wpabuf_put_be16(buf, 56);
559 wpabuf_put_u8(buf, 0); /* Reserved */
560 wpabuf_put_u8(buf, data->peap_version); /* Version */
561 wpabuf_put_u8(buf, data->recv_version); /* RecvVersion */
562 wpabuf_put_u8(buf, 0); /* SubType: 0 = Request, 1 = Response */
563 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
564 mac = wpabuf_put(buf, 20); /* Compound_MAC */
565 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK",
567 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
569 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
571 hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac);
572 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC",
574 data->crypto_binding_sent = 1;
577 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
580 encr_req = eap_peap_encrypt(sm, data, id, wpabuf_head(buf),
588 static struct wpabuf * eap_peap_build_phase2_term(struct eap_sm *sm,
589 struct eap_peap_data *data,
592 struct wpabuf *encr_req;
596 req_len = sizeof(*hdr);
597 hdr = os_zalloc(req_len);
601 hdr->code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
602 hdr->identifier = id;
603 hdr->length = host_to_be16(req_len);
605 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
606 (u8 *) hdr, req_len);
608 encr_req = eap_peap_encrypt(sm, data, id, (u8 *) hdr, req_len);
615 static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
617 struct eap_peap_data *data = priv;
619 switch (data->state) {
621 return eap_peap_build_start(sm, data, id);
624 return eap_peap_build_req(sm, data, id);
627 return eap_peap_build_phase2_req(sm, data, id);
630 return eap_peap_build_phase2_soh(sm, data, id);
633 return eap_peap_build_phase2_tlv(sm, data, id);
635 return eap_peap_build_phase2_term(sm, data, id, 1);
637 return eap_peap_build_phase2_term(sm, data, id, 0);
639 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
640 __func__, data->state);
646 static Boolean eap_peap_check(struct eap_sm *sm, void *priv,
647 struct wpabuf *respData)
652 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData, &len);
653 if (pos == NULL || len < 1) {
654 wpa_printf(MSG_INFO, "EAP-PEAP: Invalid frame");
662 static int eap_peap_phase2_init(struct eap_sm *sm, struct eap_peap_data *data,
665 if (data->phase2_priv && data->phase2_method) {
666 data->phase2_method->reset(sm, data->phase2_priv);
667 data->phase2_method = NULL;
668 data->phase2_priv = NULL;
670 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
672 if (!data->phase2_method)
676 data->phase2_priv = data->phase2_method->init(sm);
682 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
683 struct eap_peap_data *data,
684 const u8 *crypto_tlv,
685 size_t crypto_tlv_len)
687 u8 buf[61], mac[SHA1_MAC_LEN];
690 if (crypto_tlv_len != 4 + 56) {
691 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
692 "length %d", (int) crypto_tlv_len);
697 pos += 4; /* TLV header */
698 if (pos[1] != data->peap_version) {
699 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
700 "mismatch (was %d; expected %d)",
701 pos[1], data->peap_version);
706 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
707 "SubType %d", pos[3]);
711 pos += 32; /* Nonce */
713 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
714 os_memcpy(buf, crypto_tlv, 60);
715 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
716 buf[60] = EAP_TYPE_PEAP;
717 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
719 if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) {
720 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
721 "cryptobinding TLV");
722 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK", data->cmk, 20);
723 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding seed data",
728 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
734 static void eap_peap_process_phase2_tlv(struct eap_sm *sm,
735 struct eap_peap_data *data,
736 struct wpabuf *in_data)
740 const u8 *result_tlv = NULL, *crypto_tlv = NULL;
741 size_t result_tlv_len = 0, crypto_tlv_len = 0;
742 int tlv_type, mandatory, tlv_len;
744 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, in_data, &left);
746 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid EAP-TLV header");
751 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs", pos, left);
753 mandatory = !!(pos[0] & 0x80);
754 tlv_type = pos[0] & 0x3f;
755 tlv_type = (tlv_type << 8) | pos[1];
756 tlv_len = ((int) pos[2] << 8) | pos[3];
759 if ((size_t) tlv_len > left) {
760 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
761 "(tlv_len=%d left=%lu)", tlv_len,
762 (unsigned long) left);
763 eap_peap_state(data, FAILURE);
767 case EAP_TLV_RESULT_TLV:
769 result_tlv_len = tlv_len;
771 case EAP_TLV_CRYPTO_BINDING_TLV:
773 crypto_tlv_len = tlv_len;
776 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
778 mandatory ? " (mandatory)" : "");
780 eap_peap_state(data, FAILURE);
783 /* Ignore this TLV, but process other TLVs */
791 wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
792 "Request (left=%lu)", (unsigned long) left);
793 eap_peap_state(data, FAILURE);
797 /* Process supported TLVs */
798 if (crypto_tlv && data->crypto_binding_sent) {
799 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
800 crypto_tlv, crypto_tlv_len);
801 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
802 crypto_tlv_len + 4) < 0) {
803 eap_peap_state(data, FAILURE);
806 data->crypto_binding_used = 1;
807 } else if (!crypto_tlv && data->crypto_binding_sent &&
808 data->crypto_binding == REQUIRE_BINDING) {
809 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
810 eap_peap_state(data, FAILURE);
816 const char *requested;
818 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Result TLV",
819 result_tlv, result_tlv_len);
820 if (result_tlv_len < 2) {
821 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Result TLV "
823 (unsigned long) result_tlv_len);
824 eap_peap_state(data, FAILURE);
827 requested = data->tlv_request == TLV_REQ_SUCCESS ? "Success" :
829 status = WPA_GET_BE16(result_tlv);
830 if (status == EAP_TLV_RESULT_SUCCESS) {
831 wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Success "
832 "- requested %s", requested);
833 if (data->tlv_request == TLV_REQ_SUCCESS)
834 eap_peap_state(data, SUCCESS);
836 eap_peap_state(data, FAILURE);
838 } else if (status == EAP_TLV_RESULT_FAILURE) {
839 wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Failure "
840 "- requested %s", requested);
841 eap_peap_state(data, FAILURE);
843 wpa_printf(MSG_INFO, "EAP-PEAP: Unknown TLV Result "
844 "Status %d", status);
845 eap_peap_state(data, FAILURE);
852 static void eap_peap_process_phase2_soh(struct eap_sm *sm,
853 struct eap_peap_data *data,
854 struct wpabuf *in_data)
856 const u8 *pos, *vpos;
858 const u8 *soh_tlv = NULL;
859 size_t soh_tlv_len = 0;
860 int tlv_type, mandatory, tlv_len, vtlv_len;
864 pos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, in_data, &left);
866 wpa_printf(MSG_DEBUG, "EAP-PEAP: Not a valid SoH EAP "
867 "Extensions Method header - skip TNC");
872 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs (SoH)", pos, left);
874 mandatory = !!(pos[0] & 0x80);
875 tlv_type = pos[0] & 0x3f;
876 tlv_type = (tlv_type << 8) | pos[1];
877 tlv_len = ((int) pos[2] << 8) | pos[3];
880 if ((size_t) tlv_len > left) {
881 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
882 "(tlv_len=%d left=%lu)", tlv_len,
883 (unsigned long) left);
884 eap_peap_state(data, FAILURE);
888 case EAP_TLV_VENDOR_SPECIFIC_TLV:
890 wpa_printf(MSG_DEBUG, "EAP-PEAP: Too short "
891 "vendor specific TLV (len=%d)",
893 eap_peap_state(data, FAILURE);
897 vendor_id = WPA_GET_BE32(pos);
898 if (vendor_id != EAP_VENDOR_MICROSOFT) {
900 eap_peap_state(data, FAILURE);
907 mandatory = !!(vpos[0] & 0x80);
908 tlv_type = vpos[0] & 0x3f;
909 tlv_type = (tlv_type << 8) | vpos[1];
910 vtlv_len = ((int) vpos[2] << 8) | vpos[3];
912 if (vpos + vtlv_len > pos + left) {
913 wpa_printf(MSG_DEBUG, "EAP-PEAP: Vendor TLV "
915 eap_peap_state(data, FAILURE);
921 soh_tlv_len = vtlv_len;
925 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported MS-TLV "
926 "Type %d%s", tlv_type,
927 mandatory ? " (mandatory)" : "");
929 eap_peap_state(data, FAILURE);
932 /* Ignore this TLV, but process other TLVs */
935 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
937 mandatory ? " (mandatory)" : "");
939 eap_peap_state(data, FAILURE);
942 /* Ignore this TLV, but process other TLVs */
950 wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
951 "Request (left=%lu)", (unsigned long) left);
952 eap_peap_state(data, FAILURE);
956 /* Process supported TLVs */
959 wpabuf_free(data->soh_response);
960 data->soh_response = tncs_process_soh(soh_tlv, soh_tlv_len,
963 eap_peap_state(data, FAILURE);
967 wpa_printf(MSG_DEBUG, "EAP-PEAP: No SoH TLV received");
968 eap_peap_state(data, FAILURE);
973 eap_peap_state(data, PHASE2_METHOD);
974 next_type = sm->user->methods[0].method;
975 sm->user_eap_method_index = 1;
976 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
977 eap_peap_phase2_init(sm, data, next_type);
982 static void eap_peap_process_phase2_response(struct eap_sm *sm,
983 struct eap_peap_data *data,
984 struct wpabuf *in_data)
986 u8 next_type = EAP_TYPE_NONE;
987 const struct eap_hdr *hdr;
991 if (data->state == PHASE2_TLV) {
992 eap_peap_process_phase2_tlv(sm, data, in_data);
997 if (data->state == PHASE2_SOH) {
998 eap_peap_process_phase2_soh(sm, data, in_data);
1001 #endif /* EAP_TNC */
1003 if (data->phase2_priv == NULL) {
1004 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - Phase2 not "
1005 "initialized?!", __func__);
1009 hdr = wpabuf_head(in_data);
1010 pos = (const u8 *) (hdr + 1);
1012 if (wpabuf_len(in_data) > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
1013 left = wpabuf_len(in_data) - sizeof(*hdr);
1014 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Phase2 type Nak'ed; "
1015 "allowed types", pos + 1, left - 1);
1016 eap_sm_process_nak(sm, pos + 1, left - 1);
1017 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
1018 sm->user->methods[sm->user_eap_method_index].method !=
1020 next_type = sm->user->methods[
1021 sm->user_eap_method_index++].method;
1022 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d",
1025 eap_peap_req_failure(sm, data);
1026 next_type = EAP_TYPE_NONE;
1028 eap_peap_phase2_init(sm, data, next_type);
1032 if (data->phase2_method->check(sm, data->phase2_priv, in_data)) {
1033 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 check() asked to "
1034 "ignore the packet");
1038 data->phase2_method->process(sm, data->phase2_priv, in_data);
1040 if (sm->method_pending == METHOD_PENDING_WAIT) {
1041 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method is in "
1042 "pending wait state - save decrypted response");
1043 wpabuf_free(data->pending_phase2_resp);
1044 data->pending_phase2_resp = wpabuf_dup(in_data);
1047 if (!data->phase2_method->isDone(sm, data->phase2_priv))
1050 if (!data->phase2_method->isSuccess(sm, data->phase2_priv)) {
1051 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method failed");
1052 eap_peap_req_failure(sm, data);
1053 next_type = EAP_TYPE_NONE;
1054 eap_peap_phase2_init(sm, data, next_type);
1058 os_free(data->phase2_key);
1059 if (data->phase2_method->getKey) {
1060 data->phase2_key = data->phase2_method->getKey(
1061 sm, data->phase2_priv, &data->phase2_key_len);
1062 if (data->phase2_key == NULL) {
1063 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 getKey "
1065 eap_peap_req_failure(sm, data);
1066 eap_peap_phase2_init(sm, data, EAP_TYPE_NONE);
1070 if (data->phase2_key_len == 32 &&
1071 data->phase2_method->vendor == EAP_VENDOR_IETF &&
1072 data->phase2_method->method == EAP_TYPE_MSCHAPV2) {
1074 * Microsoft uses reverse order for MS-MPPE keys in
1075 * EAP-PEAP when compared to EAP-FAST derivation of
1076 * ISK. Swap the keys here to get the correct ISK for
1077 * EAP-PEAPv0 cryptobinding.
1080 os_memcpy(tmp, data->phase2_key, 16);
1081 os_memcpy(data->phase2_key, data->phase2_key + 16, 16);
1082 os_memcpy(data->phase2_key + 16, tmp, 16);
1086 switch (data->state) {
1090 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1091 wpa_hexdump_ascii(MSG_DEBUG, "EAP_PEAP: Phase2 "
1092 "Identity not found in the user "
1094 sm->identity, sm->identity_len);
1095 eap_peap_req_failure(sm, data);
1096 next_type = EAP_TYPE_NONE;
1101 if (data->state != PHASE2_SOH && sm->tnc &&
1102 data->peap_version == 0) {
1103 eap_peap_state(data, PHASE2_SOH);
1104 wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
1106 next_type = EAP_TYPE_NONE;
1109 #endif /* EAP_TNC */
1111 eap_peap_state(data, PHASE2_METHOD);
1112 next_type = sm->user->methods[0].method;
1113 sm->user_eap_method_index = 1;
1114 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
1117 eap_peap_req_success(sm, data);
1118 next_type = EAP_TYPE_NONE;
1123 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
1124 __func__, data->state);
1128 eap_peap_phase2_init(sm, data, next_type);
1132 static void eap_peap_process_phase2(struct eap_sm *sm,
1133 struct eap_peap_data *data,
1134 const struct wpabuf *respData,
1135 const u8 *in_data, size_t in_len)
1137 struct wpabuf *in_decrypted;
1138 int len_decrypted, res;
1139 const struct eap_hdr *hdr;
1140 size_t buf_len, len;
1142 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
1143 " Phase 2", (unsigned long) in_len);
1145 if (data->pending_phase2_resp) {
1146 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
1147 "skip decryption and use old data");
1148 eap_peap_process_phase2_response(sm, data,
1149 data->pending_phase2_resp);
1150 wpabuf_free(data->pending_phase2_resp);
1151 data->pending_phase2_resp = NULL;
1155 /* FIX: get rid of const -> non-const typecast */
1156 res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
1158 if (res < 0 || res == 1)
1162 if (data->ssl.tls_in_total > buf_len)
1163 buf_len = data->ssl.tls_in_total;
1165 * Even though we try to disable TLS compression, it is possible that
1166 * this cannot be done with all TLS libraries. Add extra buffer space
1167 * to handle the possibility of the decrypted data being longer than
1172 in_decrypted = wpabuf_alloc(buf_len);
1173 if (in_decrypted == NULL) {
1174 os_free(data->ssl.tls_in);
1175 data->ssl.tls_in = NULL;
1176 data->ssl.tls_in_len = 0;
1177 wpa_printf(MSG_WARNING, "EAP-PEAP: failed to allocate memory "
1182 len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1184 wpabuf_mhead(in_decrypted),
1186 os_free(data->ssl.tls_in);
1187 data->ssl.tls_in = NULL;
1188 data->ssl.tls_in_len = 0;
1189 if (len_decrypted < 0) {
1190 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
1192 wpabuf_free(in_decrypted);
1193 eap_peap_state(data, FAILURE);
1196 wpabuf_put(in_decrypted, len_decrypted);
1198 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
1201 hdr = wpabuf_head(in_decrypted);
1203 if (data->peap_version == 0 && data->state != PHASE2_TLV) {
1204 const struct eap_hdr *resp;
1205 struct eap_hdr *nhdr;
1206 struct wpabuf *nbuf =
1207 wpabuf_alloc(sizeof(struct eap_hdr) +
1208 wpabuf_len(in_decrypted));
1210 wpabuf_free(in_decrypted);
1214 resp = wpabuf_head(respData);
1215 nhdr = wpabuf_put(nbuf, sizeof(*nhdr));
1216 nhdr->code = resp->code;
1217 nhdr->identifier = resp->identifier;
1218 nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
1219 wpabuf_len(in_decrypted));
1220 wpabuf_put_buf(nbuf, in_decrypted);
1221 wpabuf_free(in_decrypted);
1223 in_decrypted = nbuf;
1224 } else if (data->peap_version >= 2) {
1225 struct eap_tlv_hdr *tlv;
1226 struct wpabuf *nmsg;
1228 if (wpabuf_len(in_decrypted) < sizeof(*tlv) + sizeof(*hdr)) {
1229 wpa_printf(MSG_INFO, "EAP-PEAPv2: Too short Phase 2 "
1231 wpabuf_free(in_decrypted);
1234 tlv = wpabuf_mhead(in_decrypted);
1235 if ((be_to_host16(tlv->tlv_type) & EAP_TLV_TYPE_MASK) !=
1236 EAP_TLV_EAP_PAYLOAD_TLV) {
1237 wpa_printf(MSG_INFO, "EAP-PEAPv2: Not an EAP TLV");
1238 wpabuf_free(in_decrypted);
1241 if (sizeof(*tlv) + be_to_host16(tlv->length) >
1242 wpabuf_len(in_decrypted)) {
1243 wpa_printf(MSG_INFO, "EAP-PEAPv2: Invalid EAP TLV "
1245 wpabuf_free(in_decrypted);
1248 hdr = (struct eap_hdr *) (tlv + 1);
1249 if (be_to_host16(hdr->length) > be_to_host16(tlv->length)) {
1250 wpa_printf(MSG_INFO, "EAP-PEAPv2: No room for full "
1251 "EAP packet in EAP TLV");
1252 wpabuf_free(in_decrypted);
1256 nmsg = wpabuf_alloc(be_to_host16(hdr->length));
1258 wpabuf_free(in_decrypted);
1262 wpabuf_put_data(nmsg, hdr, be_to_host16(hdr->length));
1263 wpabuf_free(in_decrypted);
1264 in_decrypted = nmsg;
1267 hdr = wpabuf_head(in_decrypted);
1268 if (wpabuf_len(in_decrypted) < (int) sizeof(*hdr)) {
1269 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
1270 "EAP frame (len=%lu)",
1271 (unsigned long) wpabuf_len(in_decrypted));
1272 wpabuf_free(in_decrypted);
1273 eap_peap_req_failure(sm, data);
1276 len = be_to_host16(hdr->length);
1277 if (len > wpabuf_len(in_decrypted)) {
1278 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
1279 "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1280 (unsigned long) wpabuf_len(in_decrypted),
1281 (unsigned long) len);
1282 wpabuf_free(in_decrypted);
1283 eap_peap_req_failure(sm, data);
1286 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
1287 "identifier=%d length=%lu", hdr->code, hdr->identifier,
1288 (unsigned long) len);
1289 switch (hdr->code) {
1290 case EAP_CODE_RESPONSE:
1291 eap_peap_process_phase2_response(sm, data, in_decrypted);
1293 case EAP_CODE_SUCCESS:
1294 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
1295 if (data->state == SUCCESS_REQ) {
1296 eap_peap_state(data, SUCCESS);
1299 case EAP_CODE_FAILURE:
1300 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
1301 eap_peap_state(data, FAILURE);
1304 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
1305 "Phase 2 EAP header", hdr->code);
1309 os_free(in_decrypted);
1313 static int eap_peapv2_start_phase2(struct eap_sm *sm,
1314 struct eap_peap_data *data)
1316 struct wpabuf *buf, *buf2;
1320 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Phase1 done, include first Phase2 "
1321 "payload in the same message");
1322 eap_peap_state(data, PHASE1_ID2);
1323 if (eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY))
1326 /* TODO: which Id to use here? */
1327 buf = data->phase2_method->buildReq(sm, data->phase2_priv, 6);
1331 buf2 = eap_peapv2_tlv_eap_payload(buf);
1335 wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAPv2: Identity Request", buf2);
1337 buf = wpabuf_alloc(data->ssl.tls_out_limit);
1343 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
1344 wpabuf_head(buf2), wpabuf_len(buf2),
1346 data->ssl.tls_out_limit);
1350 wpa_printf(MSG_INFO, "EAP-PEAPv2: Failed to encrypt Phase 2 "
1356 wpabuf_put(buf, res);
1357 wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAPv2: Encrypted Identity Request",
1360 /* Append TLS data into the pending buffer after the Server Finished */
1361 tls_out = os_realloc(data->ssl.tls_out,
1362 data->ssl.tls_out_len + wpabuf_len(buf));
1363 if (tls_out == NULL) {
1368 os_memcpy(tls_out + data->ssl.tls_out_len, wpabuf_head(buf),
1370 data->ssl.tls_out = tls_out;
1371 data->ssl.tls_out_len += wpabuf_len(buf);
1379 static void eap_peap_process(struct eap_sm *sm, void *priv,
1380 struct wpabuf *respData)
1382 struct eap_peap_data *data = priv;
1386 unsigned int tls_msg_len;
1389 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData,
1391 if (pos == NULL || left < 1)
1395 wpa_printf(MSG_DEBUG, "EAP-PEAP: Received packet(len=%lu) - "
1396 "Flags 0x%02x", (unsigned long) wpabuf_len(respData),
1398 data->recv_version = peer_version = flags & EAP_PEAP_VERSION_MASK;
1399 if (data->force_version >= 0 && peer_version != data->force_version) {
1400 wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
1401 " version (forced=%d peer=%d) - reject",
1402 data->force_version, peer_version);
1403 eap_peap_state(data, FAILURE);
1406 if (peer_version < data->peap_version) {
1407 wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
1409 peer_version, data->peap_version, peer_version);
1410 data->peap_version = peer_version;
1412 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
1414 wpa_printf(MSG_INFO, "EAP-PEAP: Short frame with TLS "
1416 eap_peap_state(data, FAILURE);
1419 tls_msg_len = WPA_GET_BE32(pos);
1420 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLS Message Length: %d",
1422 if (data->ssl.tls_in_left == 0) {
1423 data->ssl.tls_in_total = tls_msg_len;
1424 data->ssl.tls_in_left = tls_msg_len;
1425 os_free(data->ssl.tls_in);
1426 data->ssl.tls_in = NULL;
1427 data->ssl.tls_in_len = 0;
1433 switch (data->state) {
1435 if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
1437 wpa_printf(MSG_INFO, "EAP-PEAP: TLS processing "
1439 eap_peap_state(data, FAILURE);
1443 if (data->peap_version >= 2 &&
1444 tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1445 if (eap_peapv2_start_phase2(sm, data)) {
1446 eap_peap_state(data, FAILURE);
1452 eap_peap_state(data, PHASE2_ID);
1453 eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY);
1460 eap_peap_process_phase2(sm, data, respData, pos, left);
1463 eap_peap_state(data, SUCCESS);
1466 eap_peap_state(data, FAILURE);
1469 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
1470 data->state, __func__);
1474 if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
1475 wpa_printf(MSG_INFO, "EAP-PEAP: Locally detected fatal error "
1476 "in TLS processing");
1477 eap_peap_state(data, FAILURE);
1482 static Boolean eap_peap_isDone(struct eap_sm *sm, void *priv)
1484 struct eap_peap_data *data = priv;
1485 return data->state == SUCCESS || data->state == FAILURE;
1489 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
1491 struct eap_peap_data *data = priv;
1494 if (data->state != SUCCESS)
1497 if (data->crypto_binding_used) {
1500 * Note: It looks like Microsoft implementation requires null
1501 * termination for this label while the one used for deriving
1502 * IPMK|CMK did not use null termination.
1504 peap_prfplus(data->peap_version, data->ipmk, 40,
1505 "Session Key Generating Function",
1506 (u8 *) "\00", 1, csk, sizeof(csk));
1507 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
1508 eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
1510 os_memcpy(eapKeyData, csk, EAP_TLS_KEY_LEN);
1511 *len = EAP_TLS_KEY_LEN;
1512 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1513 eapKeyData, EAP_TLS_KEY_LEN);
1515 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive "
1522 /* TODO: PEAPv1 - different label in some cases */
1523 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1524 "client EAP encryption",
1527 *len = EAP_TLS_KEY_LEN;
1528 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1529 eapKeyData, EAP_TLS_KEY_LEN);
1531 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive key");
1538 static Boolean eap_peap_isSuccess(struct eap_sm *sm, void *priv)
1540 struct eap_peap_data *data = priv;
1541 return data->state == SUCCESS;
1545 int eap_server_peap_register(void)
1547 struct eap_method *eap;
1550 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1551 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
1555 eap->init = eap_peap_init;
1556 eap->reset = eap_peap_reset;
1557 eap->buildReq = eap_peap_buildReq;
1558 eap->check = eap_peap_check;
1559 eap->process = eap_peap_process;
1560 eap->isDone = eap_peap_isDone;
1561 eap->getKey = eap_peap_getKey;
1562 eap->isSuccess = eap_peap_isSuccess;
1564 ret = eap_server_method_register(eap);
1566 eap_server_method_free(eap);