2 * EAP peer method: EAP-TTLS (RFC 5281)
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "radius/radius.h"
13 #include "crypto/ms_funcs.h"
14 #include "crypto/sha1.h"
15 #include "crypto/tls.h"
16 #include "eap_common/chap.h"
17 #include "eap_common/eap_ttls.h"
20 #include "eap_tls_common.h"
21 #include "eap_config.h"
24 #define EAP_TTLS_VERSION 0
27 static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
30 struct eap_ttls_data {
31 struct eap_ssl_data ssl;
35 const struct eap_method *phase2_method;
39 EapDecision decision_succ;
43 EAP_TTLS_PHASE2_MSCHAPV2,
44 EAP_TTLS_PHASE2_MSCHAP,
48 struct eap_method_type phase2_eap_type;
49 struct eap_method_type *phase2_eap_types;
50 size_t num_phase2_eap_types;
52 u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN];
53 int auth_response_valid;
54 u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */
56 int resuming; /* starting a resumed session */
57 int reauth; /* reauthentication */
62 struct wpabuf *pending_phase2_req;
63 struct wpabuf *pending_resp;
64 int chbind_req_sent; /* channel binding request was sent */
65 int done_butfor_cb; /*we turned METHOD_DONE into METHOD_MAY_CONT to receive cb*/
66 EapDecision cbDecision;
74 /* draft-ietf-emu-chbind-13 section 5.3 */
91 static void * eap_ttls_init(struct eap_sm *sm)
93 struct eap_ttls_data *data;
94 struct eap_peer_config *config = eap_get_config(sm);
98 data = os_zalloc(sizeof(*data));
101 data->ttls_version = EAP_TTLS_VERSION;
103 selected_non_eap = 0;
104 data->phase2_type = EAP_TTLS_PHASE2_EAP;
107 * Either one auth= type or one or more autheap= methods can be
110 if (config && config->phase2) {
111 const char *token, *last = NULL;
113 while ((token = cstr_token(config->phase2, " \t", &last))) {
114 if (os_strncmp(token, "auth=", 5) != 0)
118 if (last - token == 8 &&
119 os_strncmp(token, "MSCHAPV2", 8) == 0) {
120 selected = "MSCHAPV2";
121 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
122 } else if (last - token == 6 &&
123 os_strncmp(token, "MSCHAP", 6) == 0) {
125 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
126 } else if (last - token == 3 &&
127 os_strncmp(token, "PAP", 3) == 0) {
129 data->phase2_type = EAP_TTLS_PHASE2_PAP;
130 } else if (last - token == 4 &&
131 os_strncmp(token, "CHAP", 4) == 0) {
133 data->phase2_type = EAP_TTLS_PHASE2_CHAP;
135 wpa_printf(MSG_ERROR,
136 "EAP-TTLS: Unsupported Phase2 type '%s'",
138 eap_ttls_deinit(sm, data);
142 if (selected_non_eap) {
143 wpa_printf(MSG_ERROR,
144 "EAP-TTLS: Only one Phase2 type can be specified");
145 eap_ttls_deinit(sm, data);
149 selected_non_eap = 1;
152 if (os_strstr(config->phase2, "autheap=")) {
153 if (selected_non_eap) {
154 wpa_printf(MSG_ERROR,
155 "EAP-TTLS: Both auth= and autheap= params cannot be specified");
156 eap_ttls_deinit(sm, data);
160 data->phase2_type = EAP_TTLS_PHASE2_EAP;
164 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
166 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
167 if (eap_peer_select_phase2_methods(config, "autheap=",
168 &data->phase2_eap_types,
169 &data->num_phase2_eap_types)
171 eap_ttls_deinit(sm, data);
175 data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
176 data->phase2_eap_type.method = EAP_TYPE_NONE;
179 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) {
180 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
181 eap_ttls_deinit(sm, data);
189 static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm,
190 struct eap_ttls_data *data)
192 if (data->phase2_priv && data->phase2_method) {
193 data->phase2_method->deinit(sm, data->phase2_priv);
194 data->phase2_method = NULL;
195 data->phase2_priv = NULL;
200 static void eap_ttls_free_key(struct eap_ttls_data *data)
202 if (data->key_data) {
203 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
204 data->key_data = NULL;
209 static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
211 struct eap_ttls_data *data = priv;
214 eap_ttls_phase2_eap_deinit(sm, data);
215 os_free(data->phase2_eap_types);
216 eap_peer_tls_ssl_deinit(sm, &data->ssl);
217 eap_ttls_free_key(data);
218 os_free(data->session_id);
219 wpabuf_free(data->pending_phase2_req);
220 wpabuf_free(data->pending_resp);
225 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
226 int mandatory, size_t len)
228 struct ttls_avp_vendor *avp;
232 avp = (struct ttls_avp_vendor *) avphdr;
233 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
235 flags |= AVP_FLAGS_VENDOR;
236 hdrlen = sizeof(*avp);
237 avp->vendor_id = host_to_be32(vendor_id);
239 hdrlen = sizeof(struct ttls_avp);
242 avp->avp_code = host_to_be32(avp_code);
243 avp->avp_length = host_to_be32(((u32) flags << 24) |
244 (u32) (hdrlen + len));
246 return avphdr + hdrlen;
250 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
251 u32 vendor_id, int mandatory,
252 const u8 *data, size_t len)
255 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
256 os_memcpy(pos, data, len);
263 static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code,
269 msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4);
276 avp = wpabuf_mhead(msg);
277 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp));
278 os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp));
279 pos += wpabuf_len(*resp);
282 wpabuf_put(msg, pos - avp);
287 /* chop up resp into multiple vsa's as necessary*/
288 static int eap_ttls_avp_radius_vsa_encapsulate(struct wpabuf **resp, u32 vendor,
289 u8 attr, int mandatory)
292 u8 *avp, *pos, *src, *final;
293 size_t size = wpabuf_len(*resp);
294 size_t num_msgs = 1 + (size / 248);
295 size_t msg_wrapper_size = sizeof(struct ttls_avp_vendor) + 6;
296 size_t allocated_total = num_msgs * (4 + msg_wrapper_size) + size;
298 msg = wpabuf_alloc(allocated_total);
304 src = wpabuf_mhead(*resp);
305 avp = wpabuf_mhead(msg);
307 int avp_size = size > 248 ? 248 : size;
309 pos = eap_ttls_avp_hdr(avp, RADIUS_ATTR_VENDOR_SPECIFIC, 0, mandatory,
311 wpabuf_put(msg, pos-avp);
312 wpabuf_put_be32(msg, vendor);
313 wpabuf_put_u8(msg, (u8) attr);
314 wpabuf_put_u8(msg, (u8) avp_size+2);
315 wpabuf_put_data(msg, src, avp_size);
317 pos = wpabuf_mhead_u8(msg) + wpabuf_len(msg);
318 final = pos; /*keep pos so we know how much padding is added*/
319 AVP_PAD(avp, final); /*final modified*/
321 wpabuf_put(msg, final-pos);
324 /* check avp-wpabuf_mhead(msg) < allocated_total */
330 static int eap_ttls_v0_derive_key(struct eap_sm *sm,
331 struct eap_ttls_data *data)
333 eap_ttls_free_key(data);
334 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
335 "ttls keying material",
338 if (!data->key_data) {
339 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
343 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
344 data->key_data, EAP_TLS_KEY_LEN);
345 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
346 data->key_data + EAP_TLS_KEY_LEN,
349 os_free(data->session_id);
350 data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
353 if (data->session_id) {
354 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id",
355 data->session_id, data->id_len);
357 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id");
365 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
366 struct eap_ttls_data *data, size_t len)
368 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
370 #endif /* CONFIG_FIPS */
373 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
377 for (i = 0; i < data->num_phase2_eap_types; i++) {
378 if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF ||
379 data->phase2_eap_types[i].method != method)
382 data->phase2_eap_type.vendor =
383 data->phase2_eap_types[i].vendor;
384 data->phase2_eap_type.method =
385 data->phase2_eap_types[i].method;
386 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
387 "Phase 2 EAP vendor %d method %d",
388 data->phase2_eap_type.vendor,
389 data->phase2_eap_type.method);
395 static int eap_ttls_phase2_eap_process(struct eap_sm *sm,
396 struct eap_ttls_data *data,
397 struct eap_method_ret *ret,
398 struct eap_hdr *hdr, size_t len,
399 struct wpabuf **resp)
402 struct eap_method_ret iret;
404 os_memset(&iret, 0, sizeof(iret));
405 wpabuf_set(&msg, hdr, len);
406 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret,
408 if ((iret.methodState == METHOD_DONE ||
409 iret.methodState == METHOD_MAY_CONT) &&
410 (iret.decision == DECISION_UNCOND_SUCC ||
411 iret.decision == DECISION_COND_SUCC ||
412 iret.decision == DECISION_FAIL)) {
413 ret->methodState = iret.methodState;
414 ret->decision = iret.decision;
421 static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm,
422 struct eap_ttls_data *data,
423 struct eap_method_ret *ret,
424 struct eap_hdr *hdr, size_t len,
425 u8 method, struct wpabuf **resp)
428 if (data->tnc_started && data->phase2_method &&
429 data->phase2_priv && method == EAP_TYPE_TNC &&
430 data->phase2_eap_type.method == EAP_TYPE_TNC)
431 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len,
434 if (data->ready_for_tnc && !data->tnc_started &&
435 method == EAP_TYPE_TNC) {
436 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
438 data->tnc_started = 1;
441 if (data->tnc_started) {
442 if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF ||
443 data->phase2_eap_type.method == EAP_TYPE_TNC) {
444 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP "
445 "type %d for TNC", method);
449 data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
450 data->phase2_eap_type.method = method;
451 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
452 "Phase 2 EAP vendor %d method %d (TNC)",
453 data->phase2_eap_type.vendor,
454 data->phase2_eap_type.method);
456 if (data->phase2_type == EAP_TTLS_PHASE2_EAP)
457 eap_ttls_phase2_eap_deinit(sm, data);
461 if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
462 data->phase2_eap_type.method == EAP_TYPE_NONE)
463 eap_ttls_phase2_select_eap_method(data, method);
465 if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE)
467 if (eap_peer_tls_phase2_nak(data->phase2_eap_types,
468 data->num_phase2_eap_types,
474 if (data->phase2_priv == NULL) {
475 data->phase2_method = eap_peer_get_eap_method(
476 EAP_VENDOR_IETF, method);
477 if (data->phase2_method) {
479 data->phase2_priv = data->phase2_method->init(sm);
483 if (data->phase2_priv == NULL || data->phase2_method == NULL) {
484 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize "
485 "Phase 2 EAP method %d", method);
489 return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp);
493 static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
494 struct eap_ttls_data *data,
495 struct eap_method_ret *ret,
497 struct wpabuf **resp)
499 size_t len = be_to_host16(hdr->length);
501 struct eap_peer_config *config = eap_get_config(sm);
503 if (len <= sizeof(struct eap_hdr)) {
504 wpa_printf(MSG_INFO, "EAP-TTLS: too short "
505 "Phase 2 request (len=%lu)", (unsigned long) len);
508 pos = (u8 *) (hdr + 1);
509 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
511 case EAP_TYPE_IDENTITY:
512 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
515 if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
522 (config->pending_req_identity || config->pending_req_password ||
523 config->pending_req_otp)) {
530 wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
532 return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1);
536 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
537 struct eap_ttls_data *data,
538 struct eap_method_ret *ret,
539 struct wpabuf **resp)
542 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPV2 not supported in FIPS build");
544 #else /* CONFIG_FIPS */
547 u8 *buf, *pos, *challenge, *peer_challenge;
548 const u8 *identity, *password;
549 size_t identity_len, password_len;
552 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
554 identity = eap_get_config_identity(sm, &identity_len);
555 password = eap_get_config_password2(sm, &password_len, &pwhash);
556 if (identity == NULL || password == NULL)
559 msg = wpabuf_alloc(identity_len + 1000);
561 wpa_printf(MSG_ERROR,
562 "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
565 pos = buf = wpabuf_mhead(msg);
568 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
569 identity, identity_len);
571 /* MS-CHAP-Challenge */
572 challenge = eap_ttls_implicit_challenge(
573 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
574 if (challenge == NULL) {
576 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
577 "implicit challenge");
581 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
582 RADIUS_VENDOR_ID_MICROSOFT, 1,
583 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
585 /* MS-CHAP2-Response */
586 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
587 RADIUS_VENDOR_ID_MICROSOFT, 1,
588 EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
589 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
590 *pos++ = data->ident;
591 *pos++ = 0; /* Flags */
592 if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) {
595 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get "
596 "random data for peer challenge");
599 peer_challenge = pos;
600 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
601 os_memset(pos, 0, 8); /* Reserved, must be zero */
603 if (mschapv2_derive_response(identity, identity_len, password,
604 password_len, pwhash, challenge,
605 peer_challenge, pos, data->auth_response,
609 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
613 data->auth_response_valid = 1;
619 wpabuf_put(msg, pos - buf);
623 #else /* EAP_MSCHAPv2 */
624 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
626 #endif /* EAP_MSCHAPv2 */
627 #endif /* CONFIG_FIPS */
631 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
632 struct eap_ttls_data *data,
633 struct eap_method_ret *ret,
634 struct wpabuf **resp)
637 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAP not supported in FIPS build");
639 #else /* CONFIG_FIPS */
641 u8 *buf, *pos, *challenge;
642 const u8 *identity, *password;
643 size_t identity_len, password_len;
646 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
648 identity = eap_get_config_identity(sm, &identity_len);
649 password = eap_get_config_password2(sm, &password_len, &pwhash);
650 if (identity == NULL || password == NULL)
653 msg = wpabuf_alloc(identity_len + 1000);
655 wpa_printf(MSG_ERROR,
656 "EAP-TTLS/MSCHAP: Failed to allocate memory");
659 pos = buf = wpabuf_mhead(msg);
662 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
663 identity, identity_len);
665 /* MS-CHAP-Challenge */
666 challenge = eap_ttls_implicit_challenge(
667 sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
668 if (challenge == NULL) {
670 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
671 "implicit challenge");
675 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
676 RADIUS_VENDOR_ID_MICROSOFT, 1,
677 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
679 /* MS-CHAP-Response */
680 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
681 RADIUS_VENDOR_ID_MICROSOFT, 1,
682 EAP_TTLS_MSCHAP_RESPONSE_LEN);
683 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
684 *pos++ = data->ident;
685 *pos++ = 1; /* Flags: Use NT style passwords */
686 os_memset(pos, 0, 24); /* LM-Response */
689 challenge_response(challenge, password, pos); /* NT-Response */
690 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash",
693 nt_challenge_response(challenge, password, password_len,
694 pos); /* NT-Response */
695 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
696 password, password_len);
698 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
699 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
700 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
705 wpabuf_put(msg, pos - buf);
708 /* EAP-TTLS/MSCHAP does not provide tunneled success
709 * notification, so assume that Phase2 succeeds. */
710 ret->methodState = METHOD_DONE;
711 ret->decision = DECISION_COND_SUCC;
714 #endif /* CONFIG_FIPS */
718 static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
719 struct eap_ttls_data *data,
720 struct eap_method_ret *ret,
721 struct wpabuf **resp)
726 const u8 *identity, *password;
727 size_t identity_len, password_len;
729 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
731 identity = eap_get_config_identity(sm, &identity_len);
732 password = eap_get_config_password(sm, &password_len);
733 if (identity == NULL || password == NULL)
736 msg = wpabuf_alloc(identity_len + password_len + 100);
738 wpa_printf(MSG_ERROR,
739 "EAP-TTLS/PAP: Failed to allocate memory");
742 pos = buf = wpabuf_mhead(msg);
745 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
746 identity, identity_len);
748 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
749 * the data, so no separate encryption is used in the AVP itself.
750 * However, the password is padded to obfuscate its length. */
751 pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15;
752 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
754 os_memcpy(pos, password, password_len);
756 os_memset(pos, 0, pad);
760 wpabuf_put(msg, pos - buf);
763 /* EAP-TTLS/PAP does not provide tunneled success notification,
764 * so assume that Phase2 succeeds. */
765 ret->methodState = METHOD_DONE;
766 ret->decision = DECISION_COND_SUCC;
772 static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
773 struct eap_ttls_data *data,
774 struct eap_method_ret *ret,
775 struct wpabuf **resp)
778 wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build");
780 #else /* CONFIG_FIPS */
782 u8 *buf, *pos, *challenge;
783 const u8 *identity, *password;
784 size_t identity_len, password_len;
786 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
788 identity = eap_get_config_identity(sm, &identity_len);
789 password = eap_get_config_password(sm, &password_len);
790 if (identity == NULL || password == NULL)
793 msg = wpabuf_alloc(identity_len + 1000);
795 wpa_printf(MSG_ERROR,
796 "EAP-TTLS/CHAP: Failed to allocate memory");
799 pos = buf = wpabuf_mhead(msg);
802 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
803 identity, identity_len);
806 challenge = eap_ttls_implicit_challenge(
807 sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
808 if (challenge == NULL) {
810 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
811 "implicit challenge");
815 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
816 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
819 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
820 1 + EAP_TTLS_CHAP_PASSWORD_LEN);
821 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
822 *pos++ = data->ident;
824 /* MD5(Ident + Password + Challenge) */
825 chap_md5(data->ident, password, password_len, challenge,
826 EAP_TTLS_CHAP_CHALLENGE_LEN, pos);
828 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
829 identity, identity_len);
830 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
831 password, password_len);
832 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
833 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
834 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
835 pos, EAP_TTLS_CHAP_PASSWORD_LEN);
836 pos += EAP_TTLS_CHAP_PASSWORD_LEN;
840 wpabuf_put(msg, pos - buf);
843 /* EAP-TTLS/CHAP does not provide tunneled success
844 * notification, so assume that Phase2 succeeds. */
845 ret->methodState = METHOD_DONE;
846 ret->decision = DECISION_COND_SUCC;
849 #endif /* CONFIG_FIPS */
853 static int eap_ttls_phase2_request(struct eap_sm *sm,
854 struct eap_ttls_data *data,
855 struct eap_method_ret *ret,
857 struct wpabuf **resp)
861 enum phase2_types phase2_type = data->phase2_type;
864 if (data->tnc_started) {
865 wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC");
866 phase2_type = EAP_TTLS_PHASE2_EAP;
870 if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
871 phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
872 phase2_type == EAP_TTLS_PHASE2_PAP ||
873 phase2_type == EAP_TTLS_PHASE2_CHAP) {
874 if (eap_get_config_identity(sm, &len) == NULL) {
876 "EAP-TTLS: Identity not configured");
877 eap_sm_request_identity(sm);
878 if (eap_get_config_password(sm, &len) == NULL)
879 eap_sm_request_password(sm);
883 if (eap_get_config_password(sm, &len) == NULL) {
885 "EAP-TTLS: Password not configured");
886 eap_sm_request_password(sm);
891 switch (phase2_type) {
892 case EAP_TTLS_PHASE2_EAP:
893 res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp);
895 case EAP_TTLS_PHASE2_MSCHAPV2:
896 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp);
898 case EAP_TTLS_PHASE2_MSCHAP:
899 res = eap_ttls_phase2_request_mschap(sm, data, ret, resp);
901 case EAP_TTLS_PHASE2_PAP:
902 res = eap_ttls_phase2_request_pap(sm, data, ret, resp);
904 case EAP_TTLS_PHASE2_CHAP:
905 res = eap_ttls_phase2_request_chap(sm, data, ret, resp);
908 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
914 ret->methodState = METHOD_DONE;
915 ret->decision = DECISION_FAIL;
922 struct ttls_parse_avp {
932 static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen,
933 struct ttls_parse_avp *parse)
935 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
936 if (parse->eapdata == NULL) {
937 parse->eapdata = os_malloc(dlen);
938 if (parse->eapdata == NULL) {
939 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
940 "memory for Phase 2 EAP data");
943 os_memcpy(parse->eapdata, dpos, dlen);
944 parse->eap_len = dlen;
946 u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen);
947 if (neweap == NULL) {
948 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
949 "memory for Phase 2 EAP data");
952 os_memcpy(neweap + parse->eap_len, dpos, dlen);
953 parse->eapdata = neweap;
954 parse->eap_len += dlen;
961 static int eap_ttls_parse_attr_chbind(const u8 *dpos, size_t dlen,
962 struct ttls_parse_avp *parse)
964 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - Channel Binding Message");
966 if (parse->chbind_data == NULL) {
967 parse->chbind_data = os_malloc(dlen);
968 if (parse->chbind_data == NULL) {
969 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
970 "memory for Phase 2 channel binding data");
973 os_memcpy(parse->chbind_data, dpos, dlen);
974 parse->chbind_len = dlen;
976 /* TODO: can this really happen? maybe just make this an error? */
977 u8 *newchbind = os_realloc(parse->chbind_data,
978 parse->chbind_len + dlen);
979 if (newchbind == NULL) {
980 wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
981 "memory for Phase 2 channel binding data");
984 os_memcpy(newchbind + parse->chbind_len, dpos, dlen);
985 parse->chbind_data = newchbind;
986 parse->chbind_len += dlen;
993 static int eap_ttls_parse_avp(u8 *pos, size_t left,
994 struct ttls_parse_avp *parse)
996 struct ttls_avp *avp;
997 u32 avp_code, avp_length, vendor_id = 0;
1001 avp = (struct ttls_avp *) pos;
1002 avp_code = be_to_host32(avp->avp_code);
1003 avp_length = be_to_host32(avp->avp_length);
1004 avp_flags = (avp_length >> 24) & 0xff;
1005 avp_length &= 0xffffff;
1006 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
1007 "length=%d", (int) avp_code, avp_flags,
1010 if (avp_length > left) {
1011 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
1012 "(len=%d, left=%lu) - dropped",
1013 (int) avp_length, (unsigned long) left);
1017 if (avp_length < sizeof(*avp)) {
1018 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d",
1023 dpos = (u8 *) (avp + 1);
1024 dlen = avp_length - sizeof(*avp);
1025 if (avp_flags & AVP_FLAGS_VENDOR) {
1027 wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP "
1031 vendor_id = WPA_GET_BE32(dpos);
1032 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
1038 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
1040 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
1041 if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0)
1043 } else if (vendor_id == RADIUS_VENDOR_ID_UKERNA &&
1044 avp_code == RADIUS_ATTR_UKERNA_CHBIND) {
1045 /* message containing channel binding data */
1046 if (eap_ttls_parse_attr_chbind(dpos, dlen, parse) < 0)
1048 } else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
1049 /* This is an optional message that can be displayed to
1051 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message",
1053 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1054 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
1055 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success",
1058 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
1059 "MS-CHAP2-Success length "
1060 "(len=%lu, expected 43)",
1061 (unsigned long) dlen);
1064 parse->mschapv2 = dpos;
1065 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1066 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
1067 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error",
1069 parse->mschapv2_error = 1;
1070 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
1071 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP "
1072 "code %d vendor_id %d - dropped",
1073 (int) avp_code, (int) vendor_id);
1076 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP "
1077 "code %d vendor_id %d",
1078 (int) avp_code, (int) vendor_id);
1085 static int eap_ttls_parse_avps(struct wpabuf *in_decrypted,
1086 struct ttls_parse_avp *parse)
1092 pos = wpabuf_mhead(in_decrypted);
1093 left = wpabuf_len(in_decrypted);
1094 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left);
1095 if (left < sizeof(struct ttls_avp)) {
1096 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
1097 " len=%lu expected %lu or more - dropped",
1098 (unsigned long) left,
1099 (unsigned long) sizeof(struct ttls_avp));
1104 os_memset(parse, 0, sizeof(*parse));
1107 avp_length = eap_ttls_parse_avp(pos, left, parse);
1111 pad = (4 - (avp_length & 3)) & 3;
1112 pos += avp_length + pad;
1113 if (left < avp_length + pad)
1116 left -= avp_length + pad;
1123 static u8 * eap_ttls_fake_identity_request(void)
1125 struct eap_hdr *hdr;
1128 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
1129 "Phase 2 - use fake EAP-Request Identity");
1130 buf = os_malloc(sizeof(*hdr) + 1);
1132 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
1133 "memory for fake EAP-Identity Request");
1137 hdr = (struct eap_hdr *) buf;
1138 hdr->code = EAP_CODE_REQUEST;
1139 hdr->identifier = 0;
1140 hdr->length = host_to_be16(sizeof(*hdr) + 1);
1141 buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
1147 static int eap_ttls_encrypt_response(struct eap_sm *sm,
1148 struct eap_ttls_data *data,
1149 struct wpabuf *resp, u8 identifier,
1150 struct wpabuf **out_data)
1155 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
1157 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1158 data->ttls_version, identifier,
1160 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 "
1170 static int eap_ttls_add_chbind_request(struct eap_sm *sm,
1171 struct eap_ttls_data *data,
1172 struct wpabuf **resp)
1174 struct wpabuf *chbind_req;
1176 struct eap_peer_config *config = eap_get_config(sm);
1178 if (!config->chbind_config || config->chbind_config_len <= 0)
1181 for (i=0; i<config->chbind_config_len; i++) {
1182 length += 3 + config->chbind_config[i].req_data_len;
1185 chbind_req = wpabuf_alloc(length);
1189 wpabuf_put_u8(chbind_req, CHBIND_CODE_REQUEST);
1190 for (i=0; i<config->chbind_config_len; i++) {
1191 struct eap_peer_chbind_config *chbind_config =
1192 &config->chbind_config[i];
1193 wpabuf_put_be16(chbind_req, chbind_config->req_data_len);
1194 wpabuf_put_u8(chbind_req, chbind_config->nsid);
1195 wpabuf_put_data(chbind_req, chbind_config->req_data,
1196 chbind_config->req_data_len);
1198 if (eap_ttls_avp_radius_vsa_encapsulate(&chbind_req,
1199 RADIUS_VENDOR_ID_UKERNA,
1200 RADIUS_ATTR_UKERNA_CHBIND, 0) < 0)
1203 /* bleh. This will free *resp regardless of whether combined buffer
1204 alloc succeeds, which is not consistent with the other error
1205 condition behavior in this function */
1206 *resp = wpabuf_concat(chbind_req, *resp);
1208 return (*resp) ? 0 : -1;
1212 static int eap_ttls_process_chbind(struct eap_sm *sm,
1213 struct eap_ttls_data *data,
1214 struct eap_method_ret *ret,
1215 struct ttls_parse_avp *parse,
1216 struct wpabuf **resp)
1221 struct chbind_hdr *hdr;
1222 struct eap_peer_config *config = eap_get_config(sm);
1226 if (parse->chbind_data == NULL) {
1227 wpa_printf(MSG_WARNING, "EAP-TTLS: No channel binding message "
1228 "in the packet - dropped");
1231 if (parse->chbind_len < 1 ) {
1232 wpa_printf(MSG_WARNING, "EAP-TTLS: bad channel binding response "
1233 "frame (len=%lu, expected %lu or more) - dropped",
1234 (unsigned long) parse->chbind_len,
1238 code = parse->chbind_data[pos++];
1239 for (i=0; i<config->chbind_config_len; i++) {
1240 struct eap_peer_chbind_config *chbind_config =
1241 &config->chbind_config[i];
1244 while (pos+sizeof(*hdr) < parse->chbind_len) {
1245 hdr = (struct chbind_hdr *)(&parse->chbind_data[pos]);
1246 pos += sizeof(*hdr);
1247 len = be_to_host16(hdr->len);
1248 if (pos + len <= parse->chbind_len) {
1249 if (chbind_config->nsid == hdr->nsid)
1250 chbind_config->response_cb(
1253 &parse->chbind_data[pos], len);
1258 if (pos != parse->chbind_len) {
1259 wpa_printf(MSG_WARNING, "EAP-TTLS: bad channel binding response "
1260 "frame (parsed len=%lu, expected %lu) - dropped",
1261 (unsigned long) pos,
1262 (unsigned long) parse->chbind_len);
1266 chbind_config->response_cb(
1268 code, chbind_config->nsid,
1276 static int eap_ttls_process_phase2_eap(struct eap_sm *sm,
1277 struct eap_ttls_data *data,
1278 struct eap_method_ret *ret,
1279 struct ttls_parse_avp *parse,
1280 struct wpabuf **resp)
1282 struct eap_hdr *hdr;
1285 if (parse->eapdata == NULL) {
1286 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the "
1287 "packet - dropped");
1291 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1292 parse->eapdata, parse->eap_len);
1293 hdr = (struct eap_hdr *) parse->eapdata;
1295 if (parse->eap_len < sizeof(*hdr)) {
1296 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP "
1297 "frame (len=%lu, expected %lu or more) - dropped",
1298 (unsigned long) parse->eap_len,
1299 (unsigned long) sizeof(*hdr));
1302 len = be_to_host16(hdr->length);
1303 if (len > parse->eap_len) {
1304 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 "
1305 "EAP frame (EAP hdr len=%lu, EAP data len in "
1307 (unsigned long) len,
1308 (unsigned long) parse->eap_len);
1311 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1312 "identifier=%d length=%lu",
1313 hdr->code, hdr->identifier, (unsigned long) len);
1314 switch (hdr->code) {
1315 case EAP_CODE_REQUEST:
1316 if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) {
1317 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1318 "processing failed");
1323 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1324 "Phase 2 EAP header", hdr->code);
1332 static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
1333 struct eap_ttls_data *data,
1334 struct eap_method_ret *ret,
1335 struct ttls_parse_avp *parse)
1338 if (parse->mschapv2_error) {
1339 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1340 "MS-CHAP-Error - failed");
1341 ret->methodState = METHOD_DONE;
1342 ret->decision = DECISION_FAIL;
1343 /* Reply with empty data to ACK error */
1347 if (parse->mschapv2 == NULL) {
1349 if (data->phase2_success && parse->eapdata) {
1351 * Allow EAP-TNC to be started after successfully
1352 * completed MSCHAPV2.
1356 #endif /* EAP_TNC */
1357 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP "
1358 "received for Phase2 MSCHAPV2");
1361 if (parse->mschapv2[0] != data->ident) {
1362 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 "
1363 "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)",
1364 parse->mschapv2[0], data->ident);
1367 if (!data->auth_response_valid ||
1368 mschapv2_verify_auth_response(data->auth_response,
1369 parse->mschapv2 + 1, 42)) {
1370 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator "
1371 "response in Phase 2 MSCHAPV2 success request");
1375 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1376 "authentication succeeded");
1377 ret->methodState = METHOD_DONE;
1378 ret->decision = DECISION_UNCOND_SUCC;
1379 data->phase2_success = 1;
1382 * Reply with empty data; authentication server will reply
1383 * with EAP-Success after this.
1386 #else /* EAP_MSCHAPv2 */
1387 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
1389 #endif /* EAP_MSCHAPv2 */
1394 static int eap_ttls_process_tnc_start(struct eap_sm *sm,
1395 struct eap_ttls_data *data,
1396 struct eap_method_ret *ret,
1397 struct ttls_parse_avp *parse,
1398 struct wpabuf **resp)
1400 /* TNC uses inner EAP method after non-EAP TTLS phase 2. */
1401 if (parse->eapdata == NULL) {
1402 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1403 "unexpected tunneled data (no EAP)");
1407 if (!data->ready_for_tnc) {
1408 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1409 "EAP after non-EAP, but not ready for TNC");
1413 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
1415 data->tnc_started = 1;
1417 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0)
1422 #endif /* EAP_TNC */
1425 static int eap_ttls_process_decrypted(struct eap_sm *sm,
1426 struct eap_ttls_data *data,
1427 struct eap_method_ret *ret,
1429 struct ttls_parse_avp *parse,
1430 struct wpabuf *in_decrypted,
1431 struct wpabuf **out_data)
1433 struct wpabuf *resp = NULL;
1434 struct eap_peer_config *config = eap_get_config(sm);
1436 enum phase2_types phase2_type = data->phase2_type;
1439 if (data->tnc_started)
1440 phase2_type = EAP_TTLS_PHASE2_EAP;
1441 #endif /* EAP_TNC */
1443 /* handle channel binding response here */
1444 if (parse->chbind_data) {
1445 /* received channel binding repsonse */
1446 if (eap_ttls_process_chbind(sm, data, ret, parse, &resp) < 0)
1448 if (data->done_butfor_cb) {
1449 ret->methodState = METHOD_DONE;
1450 ret->decision = data->cbDecision;
1451 data->phase2_success = 1;
1452 return 1; /*request ack*/
1456 switch (phase2_type) {
1457 case EAP_TTLS_PHASE2_EAP:
1458 if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) <
1462 case EAP_TTLS_PHASE2_MSCHAPV2:
1463 res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse);
1465 if (res == 1 && parse->eapdata && data->phase2_success) {
1467 * TNC may be required as the next
1468 * authentication method within the tunnel.
1470 ret->methodState = METHOD_MAY_CONT;
1471 data->ready_for_tnc = 1;
1472 if (eap_ttls_process_tnc_start(sm, data, ret, parse,
1476 #endif /* EAP_TNC */
1478 case EAP_TTLS_PHASE2_MSCHAP:
1479 case EAP_TTLS_PHASE2_PAP:
1480 case EAP_TTLS_PHASE2_CHAP:
1482 if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) <
1487 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1488 * requests to the supplicant */
1489 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1492 #endif /* EAP_TNC */
1495 if (!resp && (config->pending_req_identity ||
1496 config->pending_req_password ||
1497 config->pending_req_otp ||
1498 config->pending_req_new_password)) {
1499 wpabuf_free(data->pending_phase2_req);
1500 data->pending_phase2_req = wpabuf_dup(in_decrypted);
1504 /* issue channel binding request when appropriate */
1505 if (config->chbind_config && config->chbind_config_len > 0 &&
1506 !data->chbind_req_sent) {
1507 if (eap_ttls_add_chbind_request(sm, data, &resp) < 0)
1509 data->chbind_req_sent = 1;
1510 if (ret->methodState == METHOD_DONE) {
1511 data->done_butfor_cb = 1;
1512 data->cbDecision = ret->decision;
1513 ret->methodState = METHOD_MAY_CONT;
1518 if (eap_ttls_encrypt_response(sm, data, resp, identifier,
1527 static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
1528 struct eap_ttls_data *data,
1529 struct eap_method_ret *ret,
1531 struct wpabuf **out_data)
1534 struct eap_hdr *hdr;
1535 struct wpabuf *resp;
1537 hdr = (struct eap_hdr *) eap_ttls_fake_identity_request();
1539 ret->methodState = METHOD_DONE;
1540 ret->decision = DECISION_FAIL;
1545 if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) {
1546 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1547 "processing failed");
1550 struct eap_peer_config *config = eap_get_config(sm);
1552 (config->pending_req_identity ||
1553 config->pending_req_password ||
1554 config->pending_req_otp ||
1555 config->pending_req_new_password)) {
1557 * Use empty buffer to force implicit request
1558 * processing when EAP request is re-processed after
1561 wpabuf_free(data->pending_phase2_req);
1562 data->pending_phase2_req = wpabuf_alloc(0);
1565 retval = eap_ttls_encrypt_response(sm, data, resp, identifier,
1572 ret->methodState = METHOD_DONE;
1573 ret->decision = DECISION_FAIL;
1580 static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data,
1581 struct eap_method_ret *ret, u8 identifier,
1582 struct wpabuf **out_data)
1584 data->phase2_start = 0;
1587 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only
1588 * if TLS part was indeed resuming a previous session. Most
1589 * Authentication Servers terminate EAP-TTLS before reaching this
1590 * point, but some do not. Make wpa_supplicant stop phase 2 here, if
1594 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1595 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1597 *out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS,
1598 data->ttls_version);
1599 ret->methodState = METHOD_DONE;
1600 ret->decision = DECISION_UNCOND_SUCC;
1601 data->phase2_success = 1;
1605 return eap_ttls_implicit_identity_request(sm, data, ret, identifier,
1610 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1611 struct eap_method_ret *ret, u8 identifier,
1612 const struct wpabuf *in_data,
1613 struct wpabuf **out_data)
1615 struct wpabuf *in_decrypted = NULL;
1617 struct ttls_parse_avp parse;
1619 os_memset(&parse, 0, sizeof(parse));
1621 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1623 in_data ? (unsigned long) wpabuf_len(in_data) : 0);
1625 if (data->pending_phase2_req) {
1626 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1627 "skip decryption and use old data");
1628 /* Clear TLS reassembly state. */
1629 eap_peer_tls_reset_input(&data->ssl);
1631 in_decrypted = data->pending_phase2_req;
1632 data->pending_phase2_req = NULL;
1633 if (wpabuf_len(in_decrypted) == 0) {
1634 wpabuf_free(in_decrypted);
1635 return eap_ttls_implicit_identity_request(
1636 sm, data, ret, identifier, out_data);
1641 if ((in_data == NULL || wpabuf_len(in_data) == 0) &&
1642 data->phase2_start) {
1643 return eap_ttls_phase2_start(sm, data, ret, identifier,
1647 if (in_data == NULL || wpabuf_len(in_data) == 0) {
1648 /* Received TLS ACK - requesting more fragments */
1649 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1651 identifier, NULL, out_data);
1654 retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
1659 data->phase2_start = 0;
1661 if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) {
1666 retval = eap_ttls_process_decrypted(sm, data, ret, identifier,
1667 &parse, in_decrypted, out_data);
1670 wpabuf_free(in_decrypted);
1671 os_free(parse.eapdata);
1674 ret->methodState = METHOD_DONE;
1675 ret->decision = DECISION_FAIL;
1682 static int eap_ttls_process_handshake(struct eap_sm *sm,
1683 struct eap_ttls_data *data,
1684 struct eap_method_ret *ret,
1686 const struct wpabuf *in_data,
1687 struct wpabuf **out_data)
1691 if (sm->waiting_ext_cert_check && data->pending_resp) {
1692 struct eap_peer_config *config = eap_get_config(sm);
1694 if (config->pending_ext_cert_check == EXT_CERT_CHECK_GOOD) {
1695 wpa_printf(MSG_DEBUG,
1696 "EAP-TTLS: External certificate check succeeded - continue handshake");
1697 *out_data = data->pending_resp;
1698 data->pending_resp = NULL;
1699 sm->waiting_ext_cert_check = 0;
1703 if (config->pending_ext_cert_check == EXT_CERT_CHECK_BAD) {
1704 wpa_printf(MSG_DEBUG,
1705 "EAP-TTLS: External certificate check failed - force authentication failure");
1706 ret->methodState = METHOD_DONE;
1707 ret->decision = DECISION_FAIL;
1708 sm->waiting_ext_cert_check = 0;
1712 wpa_printf(MSG_DEBUG,
1713 "EAP-TTLS: Continuing to wait external server certificate validation");
1717 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1718 data->ttls_version, identifier,
1721 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS processing failed");
1722 ret->methodState = METHOD_DONE;
1723 ret->decision = DECISION_FAIL;
1727 if (sm->waiting_ext_cert_check) {
1728 wpa_printf(MSG_DEBUG,
1729 "EAP-TTLS: Waiting external server certificate validation");
1730 wpabuf_free(data->pending_resp);
1731 data->pending_resp = *out_data;
1736 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1737 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
1739 if (data->resuming) {
1740 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may "
1742 ret->decision = DECISION_COND_SUCC;
1743 ret->methodState = METHOD_MAY_CONT;
1745 data->phase2_start = 1;
1746 eap_ttls_v0_derive_key(sm, data);
1748 if (*out_data == NULL || wpabuf_len(*out_data) == 0) {
1749 if (eap_ttls_decrypt(sm, data, ret, identifier,
1751 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1752 "failed to process early "
1753 "start for Phase 2");
1762 * Application data included in the handshake message.
1764 wpabuf_free(data->pending_phase2_req);
1765 data->pending_phase2_req = *out_data;
1767 res = eap_ttls_decrypt(sm, data, ret, identifier, in_data,
1775 static void eap_ttls_check_auth_status(struct eap_sm *sm,
1776 struct eap_ttls_data *data,
1777 struct eap_method_ret *ret)
1779 if (ret->methodState == METHOD_DONE) {
1780 ret->allowNotifications = FALSE;
1781 if (ret->decision == DECISION_UNCOND_SUCC ||
1782 ret->decision == DECISION_COND_SUCC) {
1783 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1784 "completed successfully");
1785 data->phase2_success = 1;
1786 data->decision_succ = ret->decision;
1788 if (!data->ready_for_tnc && !data->tnc_started) {
1790 * TNC may be required as the next
1791 * authentication method within the tunnel.
1793 ret->methodState = METHOD_MAY_CONT;
1794 data->ready_for_tnc = 1;
1796 #endif /* EAP_TNC */
1798 } else if (ret->methodState == METHOD_MAY_CONT &&
1799 (ret->decision == DECISION_UNCOND_SUCC ||
1800 ret->decision == DECISION_COND_SUCC)) {
1801 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1802 "completed successfully (MAY_CONT)");
1803 data->phase2_success = 1;
1804 data->decision_succ = ret->decision;
1805 } else if (data->decision_succ != DECISION_FAIL &&
1806 data->phase2_success &&
1807 !data->ssl.tls_out) {
1809 * This is needed to cover the case where the final Phase 2
1810 * message gets fragmented since fragmentation clears
1811 * decision back to FAIL.
1813 wpa_printf(MSG_DEBUG,
1814 "EAP-TTLS: Restore success decision after fragmented frame sent completely");
1815 ret->decision = data->decision_succ;
1820 static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv,
1821 struct eap_method_ret *ret,
1822 const struct wpabuf *reqData)
1827 struct wpabuf *resp;
1829 struct eap_ttls_data *data = priv;
1832 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1833 reqData, &left, &flags);
1836 id = eap_get_id(reqData);
1838 if (flags & EAP_TLS_FLAGS_START) {
1839 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1840 "ver=%d)", flags & EAP_TLS_VERSION_MASK,
1841 data->ttls_version);
1843 /* RFC 5281, Ch. 9.2:
1844 * "This packet MAY contain additional information in the form
1845 * of AVPs, which may provide useful hints to the client"
1846 * For now, ignore any potential extra data.
1851 wpabuf_set(&msg, pos, left);
1854 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1856 res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp);
1858 res = eap_ttls_process_handshake(sm, data, ret, id,
1862 eap_ttls_check_auth_status(sm, data, ret);
1864 /* FIX: what about res == -1? Could just move all error processing into
1865 * the other functions and get rid of this res==1 case here. */
1868 return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS,
1869 data->ttls_version);
1875 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1877 struct eap_ttls_data *data = priv;
1878 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1879 data->phase2_success;
1883 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1885 struct eap_ttls_data *data = priv;
1886 wpabuf_free(data->pending_phase2_req);
1887 data->pending_phase2_req = NULL;
1888 wpabuf_free(data->pending_resp);
1889 data->pending_resp = NULL;
1890 data->decision_succ = DECISION_FAIL;
1892 data->ready_for_tnc = 0;
1893 data->tnc_started = 0;
1894 #endif /* EAP_TNC */
1898 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1900 struct eap_ttls_data *data = priv;
1901 eap_ttls_free_key(data);
1902 os_free(data->session_id);
1903 data->session_id = NULL;
1904 if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
1908 if (data->phase2_priv && data->phase2_method &&
1909 data->phase2_method->init_for_reauth)
1910 data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1911 data->phase2_start = 0;
1912 data->phase2_success = 0;
1919 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1920 size_t buflen, int verbose)
1922 struct eap_ttls_data *data = priv;
1925 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
1926 ret = os_snprintf(buf + len, buflen - len,
1927 "EAP-TTLSv%d Phase2 method=",
1928 data->ttls_version);
1929 if (os_snprintf_error(buflen - len, ret))
1932 switch (data->phase2_type) {
1933 case EAP_TTLS_PHASE2_EAP:
1934 ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1935 data->phase2_method ?
1936 data->phase2_method->name : "?");
1938 case EAP_TTLS_PHASE2_MSCHAPV2:
1939 ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1941 case EAP_TTLS_PHASE2_MSCHAP:
1942 ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1944 case EAP_TTLS_PHASE2_PAP:
1945 ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1947 case EAP_TTLS_PHASE2_CHAP:
1948 ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1954 if (os_snprintf_error(buflen - len, ret))
1962 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1964 struct eap_ttls_data *data = priv;
1965 return data->key_data != NULL && data->phase2_success;
1969 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1971 struct eap_ttls_data *data = priv;
1974 if (data->key_data == NULL || !data->phase2_success)
1977 key = os_malloc(EAP_TLS_KEY_LEN);
1981 *len = EAP_TLS_KEY_LEN;
1982 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1988 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1990 struct eap_ttls_data *data = priv;
1993 if (data->session_id == NULL || !data->phase2_success)
1996 id = os_malloc(data->id_len);
2000 *len = data->id_len;
2001 os_memcpy(id, data->session_id, data->id_len);
2007 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
2009 struct eap_ttls_data *data = priv;
2012 if (data->key_data == NULL)
2015 key = os_malloc(EAP_EMSK_LEN);
2019 *len = EAP_EMSK_LEN;
2020 os_memcpy(key, data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);
2026 int eap_peer_ttls_register(void)
2028 struct eap_method *eap;
2030 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
2031 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
2035 eap->init = eap_ttls_init;
2036 eap->deinit = eap_ttls_deinit;
2037 eap->process = eap_ttls_process;
2038 eap->isKeyAvailable = eap_ttls_isKeyAvailable;
2039 eap->getKey = eap_ttls_getKey;
2040 eap->getSessionId = eap_ttls_get_session_id;
2041 eap->get_status = eap_ttls_get_status;
2042 eap->has_reauth_data = eap_ttls_has_reauth_data;
2043 eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
2044 eap->init_for_reauth = eap_ttls_init_for_reauth;
2045 eap->get_emsk = eap_ttls_get_emsk;
2047 return eap_peer_method_register(eap);