projects / libeap.git / blob
? search:


545958dfae0a2e3396d19f366165386a79429d1d
[libeap.git] / src / eap_server / eap_ttls.c
1 /*
2  * hostapd / EAP-TTLS (draft-ietf-pppext-eap-ttls-05.txt)
3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "eap_server/eap_i.h"
19 #include "eap_server/eap_tls_common.h"
20 #include "ms_funcs.h"
21 #include "sha1.h"
22 #include "eap_common/chap.h"
23 #include "tls.h"
24 #include "eap_common/eap_ttls.h"
25
26
27 /* Maximum supported TTLS version
28  * 0 = draft-ietf-pppext-eap-ttls-03.txt / draft-funk-eap-ttls-v0-00.txt
29  * 1 = draft-funk-eap-ttls-v1-00.txt
30  */
31 #ifndef EAP_TTLS_VERSION
32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
33 #endif /* EAP_TTLS_VERSION */
34
35
36 #define MSCHAPV2_KEY_LEN 16
37
38
39 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
40
41
42 struct eap_ttls_data {
43         struct eap_ssl_data ssl;
44         enum {
45                 START, PHASE1, PHASE2_START, PHASE2_METHOD,
46                 PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE
47         } state;
48
49         int ttls_version;
50         int force_version;
51         const struct eap_method *phase2_method;
52         void *phase2_priv;
53         int mschapv2_resp_ok;
54         u8 mschapv2_auth_response[20];
55         u8 mschapv2_ident;
56         int tls_ia_configured;
57         struct wpabuf *pending_phase2_eap_resp;
58         int tnc_started;
59 };
60
61
62 static const char * eap_ttls_state_txt(int state)
63 {
64         switch (state) {
65         case START:
66                 return "START";
67         case PHASE1:
68                 return "PHASE1";
69         case PHASE2_START:
70                 return "PHASE2_START";
71         case PHASE2_METHOD:
72                 return "PHASE2_METHOD";
73         case PHASE2_MSCHAPV2_RESP:
74                 return "PHASE2_MSCHAPV2_RESP";
75         case PHASE_FINISHED:
76                 return "PHASE_FINISHED";
77         case SUCCESS:
78                 return "SUCCESS";
79         case FAILURE:
80                 return "FAILURE";
81         default:
82                 return "Unknown?!";
83         }
84 }
85
86
87 static void eap_ttls_state(struct eap_ttls_data *data, int state)
88 {
89         wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
90                    eap_ttls_state_txt(data->state),
91                    eap_ttls_state_txt(state));
92         data->state = state;
93 }
94
95
96 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
97                              int mandatory, size_t len)
98 {
99         struct ttls_avp_vendor *avp;
100         u8 flags;
101         size_t hdrlen;
102
103         avp = (struct ttls_avp_vendor *) avphdr;
104         flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
105         if (vendor_id) {
106                 flags |= AVP_FLAGS_VENDOR;
107                 hdrlen = sizeof(*avp);
108                 avp->vendor_id = host_to_be32(vendor_id);
109         } else {
110                 hdrlen = sizeof(struct ttls_avp);
111         }
112
113         avp->avp_code = host_to_be32(avp_code);
114         avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
115
116         return avphdr + hdrlen;
117 }
118
119
120 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
121                                                 u32 avp_code, int mandatory)
122 {
123         struct wpabuf *avp;
124         u8 *pos;
125
126         avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
127         if (avp == NULL) {
128                 wpabuf_free(resp);
129                 return NULL;
130         }
131
132         pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
133                                wpabuf_len(resp));
134         os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
135         pos += wpabuf_len(resp);
136         AVP_PAD((const u8 *) wpabuf_head(avp), pos);
137         wpabuf_free(resp);
138         wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
139         return avp;
140 }
141
142
143 struct eap_ttls_avp {
144          /* Note: eap is allocated memory; caller is responsible for freeing
145           * it. All the other pointers are pointing to the packet data, i.e.,
146           * they must not be freed separately. */
147         u8 *eap;
148         size_t eap_len;
149         u8 *user_name;
150         size_t user_name_len;
151         u8 *user_password;
152         size_t user_password_len;
153         u8 *chap_challenge;
154         size_t chap_challenge_len;
155         u8 *chap_password;
156         size_t chap_password_len;
157         u8 *mschap_challenge;
158         size_t mschap_challenge_len;
159         u8 *mschap_response;
160         size_t mschap_response_len;
161         u8 *mschap2_response;
162         size_t mschap2_response_len;
163 };
164
165
166 static int eap_ttls_avp_parse(u8 *buf, size_t len, struct eap_ttls_avp *parse)
167 {
168         struct ttls_avp *avp;
169         u8 *pos;
170         int left;
171
172         pos = buf;
173         left = len;
174         os_memset(parse, 0, sizeof(*parse));
175
176         while (left > 0) {
177                 u32 avp_code, avp_length, vendor_id = 0;
178                 u8 avp_flags, *dpos;
179                 size_t pad, dlen;
180                 avp = (struct ttls_avp *) pos;
181                 avp_code = be_to_host32(avp->avp_code);
182                 avp_length = be_to_host32(avp->avp_length);
183                 avp_flags = (avp_length >> 24) & 0xff;
184                 avp_length &= 0xffffff;
185                 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
186                            "length=%d", (int) avp_code, avp_flags,
187                            (int) avp_length);
188                 if ((int) avp_length > left) {
189                         wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
190                                    "(len=%d, left=%d) - dropped",
191                                    (int) avp_length, left);
192                         goto fail;
193                 }
194                 if (avp_length < sizeof(*avp)) {
195                         wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
196                                    "%d", avp_length);
197                         goto fail;
198                 }
199                 dpos = (u8 *) (avp + 1);
200                 dlen = avp_length - sizeof(*avp);
201                 if (avp_flags & AVP_FLAGS_VENDOR) {
202                         if (dlen < 4) {
203                                 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
204                                            "underflow");
205                                 goto fail;
206                         }
207                         vendor_id = be_to_host32(* (be32 *) dpos);
208                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
209                                    (int) vendor_id);
210                         dpos += 4;
211                         dlen -= 4;
212                 }
213
214                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
215
216                 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
217                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
218                         if (parse->eap == NULL) {
219                                 parse->eap = os_malloc(dlen);
220                                 if (parse->eap == NULL) {
221                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
222                                                    "failed to allocate memory "
223                                                    "for Phase 2 EAP data");
224                                         goto fail;
225                                 }
226                                 os_memcpy(parse->eap, dpos, dlen);
227                                 parse->eap_len = dlen;
228                         } else {
229                                 u8 *neweap = os_realloc(parse->eap,
230                                                         parse->eap_len + dlen);
231                                 if (neweap == NULL) {
232                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
233                                                    "failed to allocate memory "
234                                                    "for Phase 2 EAP data");
235                                         goto fail;
236                                 }
237                                 os_memcpy(neweap + parse->eap_len, dpos, dlen);
238                                 parse->eap = neweap;
239                                 parse->eap_len += dlen;
240                         }
241                 } else if (vendor_id == 0 &&
242                            avp_code == RADIUS_ATTR_USER_NAME) {
243                         wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
244                                           dpos, dlen);
245                         parse->user_name = dpos;
246                         parse->user_name_len = dlen;
247                 } else if (vendor_id == 0 &&
248                            avp_code == RADIUS_ATTR_USER_PASSWORD) {
249                         u8 *password = dpos;
250                         size_t password_len = dlen;
251                         while (password_len > 0 &&
252                                password[password_len - 1] == '\0') {
253                                 password_len--;
254                         }
255                         wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
256                                               "User-Password (PAP)",
257                                               password, password_len);
258                         parse->user_password = password;
259                         parse->user_password_len = password_len;
260                 } else if (vendor_id == 0 &&
261                            avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
262                         wpa_hexdump(MSG_DEBUG,
263                                     "EAP-TTLS: CHAP-Challenge (CHAP)",
264                                     dpos, dlen);
265                         parse->chap_challenge = dpos;
266                         parse->chap_challenge_len = dlen;
267                 } else if (vendor_id == 0 &&
268                            avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
269                         wpa_hexdump(MSG_DEBUG,
270                                     "EAP-TTLS: CHAP-Password (CHAP)",
271                                     dpos, dlen);
272                         parse->chap_password = dpos;
273                         parse->chap_password_len = dlen;
274                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
275                            avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
276                         wpa_hexdump(MSG_DEBUG,
277                                     "EAP-TTLS: MS-CHAP-Challenge",
278                                     dpos, dlen);
279                         parse->mschap_challenge = dpos;
280                         parse->mschap_challenge_len = dlen;
281                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
282                            avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
283                         wpa_hexdump(MSG_DEBUG,
284                                     "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
285                                     dpos, dlen);
286                         parse->mschap_response = dpos;
287                         parse->mschap_response_len = dlen;
288                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
289                            avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
290                         wpa_hexdump(MSG_DEBUG,
291                                     "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
292                                     dpos, dlen);
293                         parse->mschap2_response = dpos;
294                         parse->mschap2_response_len = dlen;
295                 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
296                         wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
297                                    "mandatory AVP code %d vendor_id %d - "
298                                    "dropped", (int) avp_code, (int) vendor_id);
299                         goto fail;
300                 } else {
301                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
302                                    "AVP code %d vendor_id %d",
303                                    (int) avp_code, (int) vendor_id);
304                 }
305
306                 pad = (4 - (avp_length & 3)) & 3;
307                 pos += avp_length + pad;
308                 left -= avp_length + pad;
309         }
310
311         return 0;
312
313 fail:
314         os_free(parse->eap);
315         parse->eap = NULL;
316         return -1;
317 }
318
319
320 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
321                                         struct eap_ttls_data *data, size_t len)
322 {
323         struct tls_keys keys;
324         u8 *challenge, *rnd;
325
326         if (data->ttls_version == 0) {
327                 return eap_server_tls_derive_key(sm, &data->ssl,
328                                                  "ttls challenge", len);
329         }
330
331         os_memset(&keys, 0, sizeof(keys));
332         if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
333             keys.client_random == NULL || keys.server_random == NULL ||
334             keys.inner_secret == NULL) {
335                 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
336                            "client random, or server random to derive "
337                            "implicit challenge");
338                 return NULL;
339         }
340
341         rnd = os_malloc(keys.client_random_len + keys.server_random_len);
342         challenge = os_malloc(len);
343         if (rnd == NULL || challenge == NULL) {
344                 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
345                            "challenge derivation");
346                 os_free(rnd);
347                 os_free(challenge);
348                 return NULL;
349         }
350         os_memcpy(rnd, keys.server_random, keys.server_random_len);
351         os_memcpy(rnd + keys.server_random_len, keys.client_random,
352                   keys.client_random_len);
353
354         if (tls_prf(keys.inner_secret, keys.inner_secret_len,
355                     "inner application challenge", rnd,
356                     keys.client_random_len + keys.server_random_len,
357                     challenge, len)) {
358                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
359                            "challenge");
360                 os_free(rnd);
361                 os_free(challenge);
362                 return NULL;
363         }
364
365         os_free(rnd);
366
367         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
368                         challenge, len);
369
370         return challenge;
371 }
372
373
374 static void * eap_ttls_init(struct eap_sm *sm)
375 {
376         struct eap_ttls_data *data;
377
378         data = os_zalloc(sizeof(*data));
379         if (data == NULL)
380                 return NULL;
381         data->ttls_version = EAP_TTLS_VERSION;
382         data->force_version = -1;
383         if (sm->user && sm->user->force_version >= 0) {
384                 data->force_version = sm->user->force_version;
385                 wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d",
386                            data->force_version);
387                 data->ttls_version = data->force_version;
388         }
389         data->state = START;
390
391         if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
392             data->ttls_version > 0) {
393                 if (data->force_version > 0) {
394                         wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
395                                    "TLS library does not support TLS/IA.",
396                                    data->force_version);
397                         eap_ttls_reset(sm, data);
398                         return NULL;
399                 }
400                 data->ttls_version = 0;
401         }
402
403         if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
404                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
405                 eap_ttls_reset(sm, data);
406                 return NULL;
407         }
408
409         return data;
410 }
411
412
413 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
414 {
415         struct eap_ttls_data *data = priv;
416         if (data == NULL)
417                 return;
418         if (data->phase2_priv && data->phase2_method)
419                 data->phase2_method->reset(sm, data->phase2_priv);
420         eap_server_tls_ssl_deinit(sm, &data->ssl);
421         wpabuf_free(data->pending_phase2_eap_resp);
422         os_free(data);
423 }
424
425
426 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
427                                             struct eap_ttls_data *data, u8 id)
428 {       
429         struct wpabuf *req;
430
431         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
432                             EAP_CODE_REQUEST, id);
433         if (req == NULL) {
434                 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
435                            " request");
436                 eap_ttls_state(data, FAILURE);
437                 return NULL;
438         }
439
440         wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
441
442         eap_ttls_state(data, PHASE1);
443
444         return req;
445 }
446
447
448 static struct wpabuf * eap_ttls_build_req(struct eap_sm *sm,
449                                           struct eap_ttls_data *data, u8 id)
450 {
451         int res;
452         struct wpabuf *req;
453
454         res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_TTLS,
455                                              data->ttls_version, id, &req);
456
457         if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
458                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, starting "
459                            "Phase2");
460                 eap_ttls_state(data, PHASE2_START);
461         }
462
463         if (res == 1)
464                 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
465                                                 data->ttls_version);
466         return req;
467 }
468
469
470 static struct wpabuf * eap_ttls_encrypt(struct eap_sm *sm,
471                                         struct eap_ttls_data *data,
472                                         u8 id, u8 *plain, size_t plain_len)
473 {
474         int res;
475         struct wpabuf *buf;
476
477         /* TODO: add support for fragmentation, if needed. This will need to
478          * add TLS Message Length field, if the frame is fragmented. */
479         buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS,
480                             1 + data->ssl.tls_out_limit,
481                             EAP_CODE_REQUEST, id);
482         if (buf == NULL)
483                 return NULL;
484
485         wpabuf_put_u8(buf, data->ttls_version);
486
487         res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
488                                      plain, plain_len, wpabuf_put(buf, 0),
489                                      data->ssl.tls_out_limit);
490         if (res < 0) {
491                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 "
492                            "data");
493                 wpabuf_free(buf);
494                 return NULL;
495         }
496
497         wpabuf_put(buf, res);
498         eap_update_len(buf);
499
500         return buf;
501 }
502
503
504 static struct wpabuf * eap_ttls_build_phase2_eap_req(
505         struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
506 {
507         struct wpabuf *buf, *encr_req;
508         u8 *req;
509         size_t req_len;
510
511
512         buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
513         if (buf == NULL)
514                 return NULL;
515
516         wpa_hexdump_buf_key(MSG_DEBUG,
517                             "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
518
519         buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
520         if (buf == NULL) {
521                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
522                            "packet");
523                 return NULL;
524         }
525
526         req = wpabuf_mhead(buf);
527         req_len = wpabuf_len(buf);
528         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated Phase "
529                         "2 data", req, req_len);
530
531         encr_req = eap_ttls_encrypt(sm, data, id, req, req_len);
532         wpabuf_free(buf);
533
534         return encr_req;
535 }
536
537
538 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
539         struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
540 {
541         struct wpabuf *encr_req;
542         u8 *req, *pos, *end;
543         int ret;
544         size_t req_len;
545
546         pos = req = os_malloc(100);
547         if (req == NULL)
548                 return NULL;
549         end = req + 100;
550
551         if (data->mschapv2_resp_ok) {
552                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
553                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
554                 *pos++ = data->mschapv2_ident;
555                 ret = os_snprintf((char *) pos, end - pos, "S=");
556                 if (ret >= 0 && ret < end - pos)
557                         pos += ret;
558                 pos += wpa_snprintf_hex_uppercase(
559                         (char *) pos, end - pos, data->mschapv2_auth_response,
560                         sizeof(data->mschapv2_auth_response));
561         } else {
562                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
563                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
564                 os_memcpy(pos, "Failed", 6);
565                 pos += 6;
566                 AVP_PAD(req, pos);
567         }
568
569         req_len = pos - req;
570         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
571                         "data", req, req_len);
572
573         encr_req = eap_ttls_encrypt(sm, data, id, req, req_len);
574         os_free(req);
575
576         return encr_req;
577 }
578
579
580 static struct wpabuf * eap_ttls_build_phase_finished(
581         struct eap_sm *sm, struct eap_ttls_data *data, u8 id, int final)
582 {
583         int len;
584         struct wpabuf *req;
585         const int max_len = 300;
586
587         len = 1 + max_len;
588         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, len,
589                             EAP_CODE_REQUEST, id);
590         if (req == NULL)
591                 return NULL;
592
593         wpabuf_put_u8(req, data->ttls_version);
594
595         len = tls_connection_ia_send_phase_finished(sm->ssl_ctx,
596                                                     data->ssl.conn, final,
597                                                     wpabuf_mhead(req),
598                                                     max_len);
599         if (len < 0) {
600                 wpabuf_free(req);
601                 return NULL;
602         }
603         wpabuf_put(req, len);
604         eap_update_len(req);
605
606         return req;
607 }
608
609
610 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
611 {
612         struct eap_ttls_data *data = priv;
613
614         switch (data->state) {
615         case START:
616                 return eap_ttls_build_start(sm, data, id);
617         case PHASE1:
618                 return eap_ttls_build_req(sm, data, id);
619         case PHASE2_METHOD:
620                 return eap_ttls_build_phase2_eap_req(sm, data, id);
621         case PHASE2_MSCHAPV2_RESP:
622                 return eap_ttls_build_phase2_mschapv2(sm, data, id);
623         case PHASE_FINISHED:
624                 return eap_ttls_build_phase_finished(sm, data, id, 1);
625         default:
626                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
627                            __func__, data->state);
628                 return NULL;
629         }
630 }
631
632
633 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
634                               struct wpabuf *respData)
635 {
636         const u8 *pos;
637         size_t len;
638
639         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
640         if (pos == NULL || len < 1) {
641                 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
642                 return TRUE;
643         }
644
645         return FALSE;
646 }
647
648
649 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
650                                             struct eap_ttls_data *data,
651                                             const u8 *key, size_t key_len)
652 {
653         u8 *buf;
654         size_t buf_len;
655         int ret;
656
657         if (key) {
658                 buf_len = 2 + key_len;
659                 buf = os_malloc(buf_len);
660                 if (buf == NULL)
661                         return -1;
662                 WPA_PUT_BE16(buf, key_len);
663                 os_memcpy(buf + 2, key, key_len);
664         } else {
665                 buf = NULL;
666                 buf_len = 0;
667         }
668
669         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
670                         "secret permutation", buf, buf_len);
671         ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
672                                                      data->ssl.conn,
673                                                      buf, buf_len);
674         os_free(buf);
675
676         return ret;
677 }
678
679
680 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
681                                         struct eap_ttls_data *data,
682                                         const u8 *user_password,
683                                         size_t user_password_len)
684 {
685         if (!sm->user || !sm->user->password || sm->user->password_hash ||
686             !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
687                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
688                            "password configured");
689                 eap_ttls_state(data, FAILURE);
690                 return;
691         }
692
693         if (sm->user->password_len != user_password_len ||
694             os_memcmp(sm->user->password, user_password, user_password_len) !=
695             0) {
696                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
697                 eap_ttls_state(data, FAILURE);
698                 return;
699         }
700
701         wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
702         eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
703                        SUCCESS);
704 }
705
706
707 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
708                                          struct eap_ttls_data *data,
709                                          const u8 *challenge,
710                                          size_t challenge_len,
711                                          const u8 *password,
712                                          size_t password_len)
713 {
714         u8 *chal, hash[CHAP_MD5_LEN];
715
716         if (challenge == NULL || password == NULL ||
717             challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
718             password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
719                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
720                            "(challenge len %lu password len %lu)",
721                            (unsigned long) challenge_len,
722                            (unsigned long) password_len);
723                 eap_ttls_state(data, FAILURE);
724                 return;
725         }
726
727         if (!sm->user || !sm->user->password || sm->user->password_hash ||
728             !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
729                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
730                            "password configured");
731                 eap_ttls_state(data, FAILURE);
732                 return;
733         }
734
735         chal = eap_ttls_implicit_challenge(sm, data,
736                                            EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
737         if (chal == NULL) {
738                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
739                            "challenge from TLS data");
740                 eap_ttls_state(data, FAILURE);
741                 return;
742         }
743
744         if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 ||
745             password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
746                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
747                 os_free(chal);
748                 eap_ttls_state(data, FAILURE);
749                 return;
750         }
751         os_free(chal);
752
753         /* MD5(Ident + Password + Challenge) */
754         chap_md5(password[0], sm->user->password, sm->user->password_len,
755                  challenge, challenge_len, hash);
756
757         if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
758                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
759                 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
760                                SUCCESS);
761         } else {
762                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
763                 eap_ttls_state(data, FAILURE);
764         }
765 }
766
767
768 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
769                                            struct eap_ttls_data *data,
770                                            u8 *challenge, size_t challenge_len,
771                                            u8 *response, size_t response_len)
772 {
773         u8 *chal, nt_response[24];
774
775         if (challenge == NULL || response == NULL ||
776             challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
777             response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
778                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
779                            "attributes (challenge len %lu response len %lu)",
780                            (unsigned long) challenge_len,
781                            (unsigned long) response_len);
782                 eap_ttls_state(data, FAILURE);
783                 return;
784         }
785
786         if (!sm->user || !sm->user->password ||
787             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
788                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
789                            "configured");
790                 eap_ttls_state(data, FAILURE);
791                 return;
792         }
793
794         chal = eap_ttls_implicit_challenge(sm, data,
795                                            EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
796         if (chal == NULL) {
797                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
798                            "challenge from TLS data");
799                 eap_ttls_state(data, FAILURE);
800                 return;
801         }
802
803         if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 ||
804             response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
805                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
806                 os_free(chal);
807                 eap_ttls_state(data, FAILURE);
808                 return;
809         }
810         os_free(chal);
811
812         if (sm->user->password_hash)
813                 challenge_response(challenge, sm->user->password, nt_response);
814         else
815                 nt_challenge_response(challenge, sm->user->password,
816                                       sm->user->password_len, nt_response);
817
818         if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) {
819                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
820                 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
821                                SUCCESS);
822         } else {
823                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
824                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
825                             response + 2 + 24, 24);
826                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
827                             nt_response, 24);
828                 eap_ttls_state(data, FAILURE);
829         }
830 }
831
832
833 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
834                                              struct eap_ttls_data *data,
835                                              u8 *challenge,
836                                              size_t challenge_len,
837                                              u8 *response, size_t response_len)
838 {
839         u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
840                 *auth_challenge;
841         size_t username_len, i;
842
843         if (challenge == NULL || response == NULL ||
844             challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
845             response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
846                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
847                            "attributes (challenge len %lu response len %lu)",
848                            (unsigned long) challenge_len,
849                            (unsigned long) response_len);
850                 eap_ttls_state(data, FAILURE);
851                 return;
852         }
853
854         if (!sm->user || !sm->user->password ||
855             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
856                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
857                            "configured");
858                 eap_ttls_state(data, FAILURE);
859                 return;
860         }
861
862         /* MSCHAPv2 does not include optional domain name in the
863          * challenge-response calculation, so remove domain prefix
864          * (if present). */
865         username = sm->identity;
866         username_len = sm->identity_len;
867         for (i = 0; i < username_len; i++) {
868                 if (username[i] == '\\') {
869                         username_len -= i + 1;
870                         username += i + 1;
871                         break;
872                 }
873         }
874
875         chal = eap_ttls_implicit_challenge(
876                 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
877         if (chal == NULL) {
878                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
879                            "challenge from TLS data");
880                 eap_ttls_state(data, FAILURE);
881                 return;
882         }
883
884         if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 ||
885             response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
886                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
887                 os_free(chal);
888                 eap_ttls_state(data, FAILURE);
889                 return;
890         }
891         os_free(chal);
892
893         auth_challenge = challenge;
894         peer_challenge = response + 2;
895
896         wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
897                           username, username_len);
898         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
899                     auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
900         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
901                     peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
902
903         if (sm->user->password_hash) {
904                 generate_nt_response_pwhash(auth_challenge, peer_challenge,
905                                             username, username_len,
906                                             sm->user->password,
907                                             nt_response);
908         } else {
909                 generate_nt_response(auth_challenge, peer_challenge,
910                                      username, username_len,
911                                      sm->user->password,
912                                      sm->user->password_len,
913                                      nt_response);
914         }
915
916         rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
917         if (os_memcmp(nt_response, rx_resp, 24) == 0) {
918                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
919                            "NT-Response");
920                 data->mschapv2_resp_ok = 1;
921                 if (data->ttls_version > 0) {
922                         const u8 *pw_hash;
923                         u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16];
924                         u8 session_key[2 * MSCHAPV2_KEY_LEN];
925
926                         if (sm->user->password_hash)
927                                 pw_hash = sm->user->password;
928                         else {
929                                 nt_password_hash(sm->user->password,
930                                                  sm->user->password_len,
931                                                  pw_hash_buf);
932                                 pw_hash = pw_hash_buf;
933                         }
934                         hash_nt_password_hash(pw_hash, pw_hash_hash);
935                         get_master_key(pw_hash_hash, nt_response, master_key);
936                         get_asymetric_start_key(master_key, session_key,
937                                                 MSCHAPV2_KEY_LEN, 0, 0);
938                         get_asymetric_start_key(master_key,
939                                                 session_key + MSCHAPV2_KEY_LEN,
940                                                 MSCHAPV2_KEY_LEN, 1, 0);
941                         eap_ttls_ia_permute_inner_secret(sm, data,
942                                                          session_key,
943                                                          sizeof(session_key));
944                 }
945
946                 if (sm->user->password_hash) {
947                         generate_authenticator_response_pwhash(
948                                 sm->user->password,
949                                 peer_challenge, auth_challenge,
950                                 username, username_len, nt_response,
951                                 data->mschapv2_auth_response);
952                 } else {
953                         generate_authenticator_response(
954                                 sm->user->password, sm->user->password_len,
955                                 peer_challenge, auth_challenge,
956                                 username, username_len, nt_response,
957                                 data->mschapv2_auth_response);
958                 }
959         } else {
960                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
961                            "NT-Response");
962                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
963                             rx_resp, 24);
964                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
965                             nt_response, 24);
966                 data->mschapv2_resp_ok = 0;
967         }
968         eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
969         data->mschapv2_ident = response[0];
970 }
971
972
973 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
974                                     struct eap_ttls_data *data,
975                                     EapType eap_type)
976 {
977         if (data->phase2_priv && data->phase2_method) {
978                 data->phase2_method->reset(sm, data->phase2_priv);
979                 data->phase2_method = NULL;
980                 data->phase2_priv = NULL;
981         }
982         data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
983                                                         eap_type);
984         if (!data->phase2_method)
985                 return -1;
986
987         sm->init_phase2 = 1;
988         data->phase2_priv = data->phase2_method->init(sm);
989         sm->init_phase2 = 0;
990         return 0;
991 }
992
993
994 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
995                                                  struct eap_ttls_data *data,
996                                                  u8 *in_data, size_t in_len)
997 {
998         u8 next_type = EAP_TYPE_NONE;
999         struct eap_hdr *hdr;
1000         u8 *pos;
1001         size_t left;
1002         struct wpabuf buf;
1003         const struct eap_method *m = data->phase2_method;
1004         void *priv = data->phase2_priv;
1005
1006         if (priv == NULL) {
1007                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
1008                            "initialized?!", __func__);
1009                 return;
1010         }
1011
1012         hdr = (struct eap_hdr *) in_data;
1013         pos = (u8 *) (hdr + 1);
1014
1015         if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
1016                 left = in_len - sizeof(*hdr);
1017                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
1018                             "allowed types", pos + 1, left - 1);
1019                 eap_sm_process_nak(sm, pos + 1, left - 1);
1020                 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
1021                     sm->user->methods[sm->user_eap_method_index].method !=
1022                     EAP_TYPE_NONE) {
1023                         next_type = sm->user->methods[
1024                                 sm->user_eap_method_index++].method;
1025                         wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
1026                                    next_type);
1027                         eap_ttls_phase2_eap_init(sm, data, next_type);
1028                 } else {
1029                         eap_ttls_state(data, FAILURE);
1030                 }
1031                 return;
1032         }
1033
1034         wpabuf_set(&buf, in_data, in_len);
1035
1036         if (m->check(sm, priv, &buf)) {
1037                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
1038                            "ignore the packet");
1039                 return;
1040         }
1041
1042         m->process(sm, priv, &buf);
1043
1044         if (sm->method_pending == METHOD_PENDING_WAIT) {
1045                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
1046                            "pending wait state - save decrypted response");
1047                 wpabuf_free(data->pending_phase2_eap_resp);
1048                 data->pending_phase2_eap_resp = wpabuf_dup(&buf);
1049         }
1050
1051         if (!m->isDone(sm, priv))
1052                 return;
1053
1054         if (!m->isSuccess(sm, priv)) {
1055                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
1056                 eap_ttls_state(data, FAILURE);
1057                 return;
1058         }
1059
1060         switch (data->state) {
1061         case PHASE2_START:
1062                 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1063                         wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
1064                                           "Identity not found in the user "
1065                                           "database",
1066                                           sm->identity, sm->identity_len);
1067                         eap_ttls_state(data, FAILURE);
1068                         break;
1069                 }
1070
1071                 eap_ttls_state(data, PHASE2_METHOD);
1072                 next_type = sm->user->methods[0].method;
1073                 sm->user_eap_method_index = 1;
1074                 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
1075                 break;
1076         case PHASE2_METHOD:
1077                 if (data->ttls_version > 0) {
1078                         if (m->getKey) {
1079                                 u8 *key;
1080                                 size_t key_len;
1081                                 key = m->getKey(sm, priv, &key_len);
1082                                 eap_ttls_ia_permute_inner_secret(sm, data,
1083                                                                  key, key_len);
1084                         }
1085                         eap_ttls_state(data, PHASE_FINISHED);
1086                 } else
1087                         eap_ttls_state(data, SUCCESS);
1088                 break;
1089         case FAILURE:
1090                 break;
1091         default:
1092                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
1093                            __func__, data->state);
1094                 break;
1095         }
1096
1097         eap_ttls_phase2_eap_init(sm, data, next_type);
1098 }
1099
1100
1101 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
1102                                         struct eap_ttls_data *data,
1103                                         const u8 *eap, size_t eap_len)
1104 {
1105         struct eap_hdr *hdr;
1106         size_t len;
1107
1108         if (data->state == PHASE2_START) {
1109                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
1110                 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
1111                 {
1112                         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
1113                                    "initialize EAP-Identity");
1114                         return;
1115                 }
1116         }
1117
1118         if (eap_len < sizeof(*hdr)) {
1119                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
1120                            "packet (len=%lu)", (unsigned long) eap_len);
1121                 return;
1122         }
1123
1124         hdr = (struct eap_hdr *) eap;
1125         len = be_to_host16(hdr->length);
1126         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
1127                    "identifier=%d length=%lu", hdr->code, hdr->identifier,
1128                    (unsigned long) len);
1129         if (len > eap_len) {
1130                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
1131                            " EAP frame (hdr len=%lu, data len in AVP=%lu)",
1132                            (unsigned long) len, (unsigned long) eap_len);
1133                 return;
1134         }
1135
1136         switch (hdr->code) {
1137         case EAP_CODE_RESPONSE:
1138                 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
1139                                                      len);
1140                 break;
1141         default:
1142                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
1143                            "Phase 2 EAP header", hdr->code);
1144                 break;
1145         }
1146 }
1147
1148
1149 static void eap_ttls_process_phase2(struct eap_sm *sm,
1150                                     struct eap_ttls_data *data,
1151                                     u8 *in_data, size_t in_len)
1152 {
1153         u8 *in_decrypted;
1154         int len_decrypted, res;
1155         struct eap_ttls_avp parse;
1156         size_t buf_len;
1157
1158         wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1159                    " Phase 2", (unsigned long) in_len);
1160
1161         if (data->pending_phase2_eap_resp) {
1162                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1163                            "- skip decryption and use old data");
1164                 eap_ttls_process_phase2_eap(
1165                         sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1166                         wpabuf_len(data->pending_phase2_eap_resp));
1167                 wpabuf_free(data->pending_phase2_eap_resp);
1168                 data->pending_phase2_eap_resp = NULL;
1169                 return;
1170         }
1171
1172         res = eap_server_tls_data_reassemble(sm, &data->ssl, &in_data,
1173                                              &in_len);
1174         if (res < 0 || res == 1)
1175                 return;
1176
1177         buf_len = in_len;
1178         if (data->ssl.tls_in_total > buf_len)
1179                 buf_len = data->ssl.tls_in_total;
1180         in_decrypted = os_malloc(buf_len);
1181         if (in_decrypted == NULL) {
1182                 os_free(data->ssl.tls_in);
1183                 data->ssl.tls_in = NULL;
1184                 data->ssl.tls_in_len = 0;
1185                 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
1186                            "for decryption");
1187                 return;
1188         }
1189
1190         len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1191                                                in_data, in_len,
1192                                                in_decrypted, buf_len);
1193         os_free(data->ssl.tls_in);
1194         data->ssl.tls_in = NULL;
1195         data->ssl.tls_in_len = 0;
1196         if (len_decrypted < 0) {
1197                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1198                            "data");
1199                 os_free(in_decrypted);
1200                 eap_ttls_state(data, FAILURE);
1201                 return;
1202         }
1203
1204         if (data->state == PHASE_FINISHED) {
1205                 if (len_decrypted == 0 &&
1206                     tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1207                                                            data->ssl.conn)) {
1208                         wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished "
1209                                    "received");
1210                         eap_ttls_state(data, SUCCESS);
1211                 } else {
1212                         wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid "
1213                                    "FinalPhaseFinished");
1214                         eap_ttls_state(data, FAILURE);
1215                 }
1216
1217                 os_free(in_decrypted);
1218                 return;
1219         }
1220
1221         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1222                         in_decrypted, len_decrypted);
1223
1224         if (eap_ttls_avp_parse(in_decrypted, len_decrypted, &parse) < 0) {
1225                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1226                 os_free(in_decrypted);
1227                 eap_ttls_state(data, FAILURE);
1228                 return;
1229         }
1230
1231         if (parse.user_name) {
1232                 os_free(sm->identity);
1233                 sm->identity = os_malloc(parse.user_name_len);
1234                 if (sm->identity) {
1235                         os_memcpy(sm->identity, parse.user_name,
1236                                   parse.user_name_len);
1237                         sm->identity_len = parse.user_name_len;
1238                 }
1239                 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1240                     != 0) {
1241                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1242                                    "found in the user database");
1243                         eap_ttls_state(data, FAILURE);
1244                         goto done;
1245                 }
1246         }
1247
1248 #ifdef EAP_TNC
1249         if (data->tnc_started && parse.eap == NULL) {
1250                 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1251                            "response from peer");
1252                 eap_ttls_state(data, FAILURE);
1253                 goto done;
1254         }
1255 #endif /* EAP_TNC */
1256
1257         if (parse.eap) {
1258                 eap_ttls_process_phase2_eap(sm, data, parse.eap,
1259                                             parse.eap_len);
1260         } else if (parse.user_password) {
1261                 eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1262                                             parse.user_password_len);
1263         } else if (parse.chap_password) {
1264                 eap_ttls_process_phase2_chap(sm, data,
1265                                              parse.chap_challenge,
1266                                              parse.chap_challenge_len,
1267                                              parse.chap_password,
1268                                              parse.chap_password_len);
1269         } else if (parse.mschap_response) {
1270                 eap_ttls_process_phase2_mschap(sm, data,
1271                                                parse.mschap_challenge,
1272                                                parse.mschap_challenge_len,
1273                                                parse.mschap_response,
1274                                                parse.mschap_response_len);
1275         } else if (parse.mschap2_response) {
1276                 eap_ttls_process_phase2_mschapv2(sm, data,
1277                                                  parse.mschap_challenge,
1278                                                  parse.mschap_challenge_len,
1279                                                  parse.mschap2_response,
1280                                                  parse.mschap2_response_len);
1281         }
1282
1283 done:
1284         os_free(in_decrypted);
1285         os_free(parse.eap);
1286 }
1287
1288
1289 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1290 {
1291 #ifdef EAP_TNC
1292         if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1293                 return;
1294
1295         wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1296         if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1297                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1298                 eap_ttls_state(data, FAILURE);
1299                 return;
1300         }
1301
1302         data->tnc_started = 1;
1303         eap_ttls_state(data, PHASE2_METHOD);
1304 #endif /* EAP_TNC */
1305 }
1306
1307
1308 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1309                              struct wpabuf *respData)
1310 {
1311         struct eap_ttls_data *data = priv;
1312         const u8 *pos;
1313         u8 flags;
1314         size_t left;
1315         unsigned int tls_msg_len;
1316         int peer_version;
1317
1318         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData,
1319                                &left);
1320         if (pos == NULL || left < 1)
1321                 return;
1322         flags = *pos++;
1323         left--;
1324         wpa_printf(MSG_DEBUG, "EAP-TTLS: Received packet(len=%lu) - "
1325                    "Flags 0x%02x", (unsigned long) wpabuf_len(respData),
1326                    flags);
1327         peer_version = flags & EAP_PEAP_VERSION_MASK;
1328         if (peer_version < data->ttls_version) {
1329                 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1330                            "use version %d",
1331                            peer_version, data->ttls_version, peer_version);
1332                 data->ttls_version = peer_version;
1333         }
1334
1335         if (data->ttls_version > 0 && !data->tls_ia_configured) {
1336                 if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) {
1337                         wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable "
1338                                    "TLS/IA");
1339                         eap_ttls_state(data, FAILURE);
1340                         return;
1341                 }
1342                 data->tls_ia_configured = 1;
1343         }
1344
1345         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
1346                 if (left < 4) {
1347                         wpa_printf(MSG_INFO, "EAP-TTLS: Short frame with TLS "
1348                                    "length");
1349                         eap_ttls_state(data, FAILURE);
1350                         return;
1351                 }
1352                 tls_msg_len = WPA_GET_BE32(pos);
1353                 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS Message Length: %d",
1354                            tls_msg_len);
1355                 if (data->ssl.tls_in_left == 0) {
1356                         data->ssl.tls_in_total = tls_msg_len;
1357                         data->ssl.tls_in_left = tls_msg_len;
1358                         os_free(data->ssl.tls_in);
1359                         data->ssl.tls_in = NULL;
1360                         data->ssl.tls_in_len = 0;
1361                 }
1362                 pos += 4;
1363                 left -= 4;
1364         }
1365
1366         switch (data->state) {
1367         case PHASE1:
1368                 if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
1369                     0) {
1370                         wpa_printf(MSG_INFO, "EAP-TTLS: TLS processing "
1371                                    "failed");
1372                         eap_ttls_state(data, FAILURE);
1373                 }
1374                 break;
1375         case PHASE2_START:
1376         case PHASE2_METHOD:
1377         case PHASE_FINISHED:
1378                 /* FIX: get rid of const->non-const typecast */
1379                 eap_ttls_process_phase2(sm, data, (u8 *) pos, left);
1380                 eap_ttls_start_tnc(sm, data);
1381                 break;
1382         case PHASE2_MSCHAPV2_RESP:
1383                 if (data->mschapv2_resp_ok && left == 0) {
1384                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1385                                    "acknowledged response");
1386                         eap_ttls_state(data, data->ttls_version > 0 ?
1387                                        PHASE_FINISHED : SUCCESS);
1388                 } else if (!data->mschapv2_resp_ok) {
1389                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1390                                    "acknowledged error");
1391                         eap_ttls_state(data, FAILURE);
1392                 } else {
1393                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1394                                    "frame from peer (payload len %lu, "
1395                                    "expected empty frame)",
1396                                    (unsigned long) left);
1397                         eap_ttls_state(data, FAILURE);
1398                 }
1399                 eap_ttls_start_tnc(sm, data);
1400                 break;
1401         default:
1402                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1403                            data->state, __func__);
1404                 break;
1405         }
1406
1407         if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
1408                 wpa_printf(MSG_INFO, "EAP-TTLS: Locally detected fatal error "
1409                            "in TLS processing");
1410                 eap_ttls_state(data, FAILURE);
1411         }
1412 }
1413
1414
1415 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1416 {
1417         struct eap_ttls_data *data = priv;
1418         return data->state == SUCCESS || data->state == FAILURE;
1419 }
1420
1421
1422 static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm,
1423                                    struct eap_ttls_data *data)
1424 {
1425         struct tls_keys keys;
1426         u8 *rnd, *key;
1427
1428         os_memset(&keys, 0, sizeof(keys));
1429         if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
1430             keys.client_random == NULL || keys.server_random == NULL ||
1431             keys.inner_secret == NULL) {
1432                 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
1433                            "client random, or server random to derive keying "
1434                            "material");
1435                 return NULL;
1436         }
1437
1438         rnd = os_malloc(keys.client_random_len + keys.server_random_len);
1439         key = os_malloc(EAP_TLS_KEY_LEN);
1440         if (rnd == NULL || key == NULL) {
1441                 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
1442                 os_free(rnd);
1443                 os_free(key);
1444                 return NULL;
1445         }
1446         os_memcpy(rnd, keys.client_random, keys.client_random_len);
1447         os_memcpy(rnd + keys.client_random_len, keys.server_random,
1448                   keys.server_random_len);
1449
1450         if (tls_prf(keys.inner_secret, keys.inner_secret_len,
1451                     "ttls v1 keying material", rnd, keys.client_random_len +
1452                     keys.server_random_len, key, EAP_TLS_KEY_LEN)) {
1453                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1454                 os_free(rnd);
1455                 os_free(key);
1456                 return NULL;
1457         }
1458
1459         wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
1460                     rnd, keys.client_random_len + keys.server_random_len);
1461         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
1462                         keys.inner_secret, keys.inner_secret_len);
1463
1464         os_free(rnd);
1465
1466         return key;
1467 }
1468
1469
1470 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1471 {
1472         struct eap_ttls_data *data = priv;
1473         u8 *eapKeyData;
1474
1475         if (data->state != SUCCESS)
1476                 return NULL;
1477
1478         if (data->ttls_version == 0) {
1479                 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1480                                                        "ttls keying material",
1481                                                        EAP_TLS_KEY_LEN);
1482         } else {
1483                 eapKeyData = eap_ttls_v1_derive_key(sm, data);
1484         }
1485
1486         if (eapKeyData) {
1487                 *len = EAP_TLS_KEY_LEN;
1488                 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1489                                 eapKeyData, EAP_TLS_KEY_LEN);
1490         } else {
1491                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1492         }
1493
1494         return eapKeyData;
1495 }
1496
1497
1498 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1499 {
1500         struct eap_ttls_data *data = priv;
1501         return data->state == SUCCESS;
1502 }
1503
1504
1505 int eap_server_ttls_register(void)
1506 {
1507         struct eap_method *eap;
1508         int ret;
1509
1510         eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1511                                       EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1512         if (eap == NULL)
1513                 return -1;
1514
1515         eap->init = eap_ttls_init;
1516         eap->reset = eap_ttls_reset;
1517         eap->buildReq = eap_ttls_buildReq;
1518         eap->check = eap_ttls_check;
1519         eap->process = eap_ttls_process;
1520         eap->isDone = eap_ttls_isDone;
1521         eap->getKey = eap_ttls_getKey;
1522         eap->isSuccess = eap_ttls_isSuccess;
1523
1524         ret = eap_server_method_register(eap);
1525         if (ret)
1526                 eap_server_method_free(eap);
1527         return ret;
1528 }
EAP library