www.project-moonshot.org Git - mech_eap.orig/blob - libeap/src/eap_server/eap_server_ttls.c

   1 /*
   2  * hostapd / EAP-TTLS (RFC 5281)
   3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "crypto/ms_funcs.h"
  19 #include "crypto/sha1.h"
  20 #include "crypto/tls.h"
  21 #include "eap_server/eap_i.h"
  22 #include "eap_server/eap_tls_common.h"
  23 #include "eap_common/chap.h"
  24 #include "eap_common/eap_ttls.h"
  25
  26
  27 /* Maximum supported TTLS version
  28  * 0 = RFC 5281
  29  * 1 = draft-funk-eap-ttls-v1-00.txt
  30  */
  31 #ifndef EAP_TTLS_VERSION
  32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
  33 #endif /* EAP_TTLS_VERSION */
  34
  35
  36 #define MSCHAPV2_KEY_LEN 16
  37
  38
  39 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
  40
  41
  42 struct eap_ttls_data {
  43         struct eap_ssl_data ssl;
  44         enum {
  45                 START, PHASE1, PHASE2_START, PHASE2_METHOD,
  46                 PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE
  47         } state;
  48
  49         int ttls_version;
  50         int force_version;
  51         const struct eap_method *phase2_method;
  52         void *phase2_priv;
  53         int mschapv2_resp_ok;
  54         u8 mschapv2_auth_response[20];
  55         u8 mschapv2_ident;
  56         int tls_ia_configured;
  57         struct wpabuf *pending_phase2_eap_resp;
  58         int tnc_started;
  59 };
  60
  61
  62 static const char * eap_ttls_state_txt(int state)
  63 {
  64         switch (state) {
  65         case START:
  66                 return "START";
  67         case PHASE1:
  68                 return "PHASE1";
  69         case PHASE2_START:
  70                 return "PHASE2_START";
  71         case PHASE2_METHOD:
  72                 return "PHASE2_METHOD";
  73         case PHASE2_MSCHAPV2_RESP:
  74                 return "PHASE2_MSCHAPV2_RESP";
  75         case PHASE_FINISHED:
  76                 return "PHASE_FINISHED";
  77         case SUCCESS:
  78                 return "SUCCESS";
  79         case FAILURE:
  80                 return "FAILURE";
  81         default:
  82                 return "Unknown?!";
  83         }
  84 }
  85
  86
  87 static void eap_ttls_state(struct eap_ttls_data *data, int state)
  88 {
  89         wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
  90                    eap_ttls_state_txt(data->state),
  91                    eap_ttls_state_txt(state));
  92         data->state = state;
  93 }
  94
  95
  96 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
  97                              int mandatory, size_t len)
  98 {
  99         struct ttls_avp_vendor *avp;
 100         u8 flags;
 101         size_t hdrlen;
 102
 103         avp = (struct ttls_avp_vendor *) avphdr;
 104         flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
 105         if (vendor_id) {
 106                 flags |= AVP_FLAGS_VENDOR;
 107                 hdrlen = sizeof(*avp);
 108                 avp->vendor_id = host_to_be32(vendor_id);
 109         } else {
 110                 hdrlen = sizeof(struct ttls_avp);
 111         }
 112
 113         avp->avp_code = host_to_be32(avp_code);
 114         avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
 115
 116         return avphdr + hdrlen;
 117 }
 118
 119
 120 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
 121                                                 u32 avp_code, int mandatory)
 122 {
 123         struct wpabuf *avp;
 124         u8 *pos;
 125
 126         avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
 127         if (avp == NULL) {
 128                 wpabuf_free(resp);
 129                 return NULL;
 130         }
 131
 132         pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
 133                                wpabuf_len(resp));
 134         os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
 135         pos += wpabuf_len(resp);
 136         AVP_PAD((const u8 *) wpabuf_head(avp), pos);
 137         wpabuf_free(resp);
 138         wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
 139         return avp;
 140 }
 141
 142
 143 struct eap_ttls_avp {
 144          /* Note: eap is allocated memory; caller is responsible for freeing
 145           * it. All the other pointers are pointing to the packet data, i.e.,
 146           * they must not be freed separately. */
 147         u8 *eap;
 148         size_t eap_len;
 149         u8 *user_name;
 150         size_t user_name_len;
 151         u8 *user_password;
 152         size_t user_password_len;
 153         u8 *chap_challenge;
 154         size_t chap_challenge_len;
 155         u8 *chap_password;
 156         size_t chap_password_len;
 157         u8 *mschap_challenge;
 158         size_t mschap_challenge_len;
 159         u8 *mschap_response;
 160         size_t mschap_response_len;
 161         u8 *mschap2_response;
 162         size_t mschap2_response_len;
 163 };
 164
 165
 166 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
 167 {
 168         struct ttls_avp *avp;
 169         u8 *pos;
 170         int left;
 171
 172         pos = wpabuf_mhead(buf);
 173         left = wpabuf_len(buf);
 174         os_memset(parse, 0, sizeof(*parse));
 175
 176         while (left > 0) {
 177                 u32 avp_code, avp_length, vendor_id = 0;
 178                 u8 avp_flags, *dpos;
 179                 size_t pad, dlen;
 180                 avp = (struct ttls_avp *) pos;
 181                 avp_code = be_to_host32(avp->avp_code);
 182                 avp_length = be_to_host32(avp->avp_length);
 183                 avp_flags = (avp_length >> 24) & 0xff;
 184                 avp_length &= 0xffffff;
 185                 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
 186                            "length=%d", (int) avp_code, avp_flags,
 187                            (int) avp_length);
 188                 if ((int) avp_length > left) {
 189                         wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
 190                                    "(len=%d, left=%d) - dropped",
 191                                    (int) avp_length, left);
 192                         goto fail;
 193                 }
 194                 if (avp_length < sizeof(*avp)) {
 195                         wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
 196                                    "%d", avp_length);
 197                         goto fail;
 198                 }
 199                 dpos = (u8 *) (avp + 1);
 200                 dlen = avp_length - sizeof(*avp);
 201                 if (avp_flags & AVP_FLAGS_VENDOR) {
 202                         if (dlen < 4) {
 203                                 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
 204                                            "underflow");
 205                                 goto fail;
 206                         }
 207                         vendor_id = be_to_host32(* (be32 *) dpos);
 208                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
 209                                    (int) vendor_id);
 210                         dpos += 4;
 211                         dlen -= 4;
 212                 }
 213
 214                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
 215
 216                 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
 217                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
 218                         if (parse->eap == NULL) {
 219                                 parse->eap = os_malloc(dlen);
 220                                 if (parse->eap == NULL) {
 221                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
 222                                                    "failed to allocate memory "
 223                                                    "for Phase 2 EAP data");
 224                                         goto fail;
 225                                 }
 226                                 os_memcpy(parse->eap, dpos, dlen);
 227                                 parse->eap_len = dlen;
 228                         } else {
 229                                 u8 *neweap = os_realloc(parse->eap,
 230                                                         parse->eap_len + dlen);
 231                                 if (neweap == NULL) {
 232                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
 233                                                    "failed to allocate memory "
 234                                                    "for Phase 2 EAP data");
 235                                         goto fail;
 236                                 }
 237                                 os_memcpy(neweap + parse->eap_len, dpos, dlen);
 238                                 parse->eap = neweap;
 239                                 parse->eap_len += dlen;
 240                         }
 241                 } else if (vendor_id == 0 &&
 242                            avp_code == RADIUS_ATTR_USER_NAME) {
 243                         wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
 244                                           dpos, dlen);
 245                         parse->user_name = dpos;
 246                         parse->user_name_len = dlen;
 247                 } else if (vendor_id == 0 &&
 248                            avp_code == RADIUS_ATTR_USER_PASSWORD) {
 249                         u8 *password = dpos;
 250                         size_t password_len = dlen;
 251                         while (password_len > 0 &&
 252                                password[password_len - 1] == '\0') {
 253                                 password_len--;
 254                         }
 255                         wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
 256                                               "User-Password (PAP)",
 257                                               password, password_len);
 258                         parse->user_password = password;
 259                         parse->user_password_len = password_len;
 260                 } else if (vendor_id == 0 &&
 261                            avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
 262                         wpa_hexdump(MSG_DEBUG,
 263                                     "EAP-TTLS: CHAP-Challenge (CHAP)",
 264                                     dpos, dlen);
 265                         parse->chap_challenge = dpos;
 266                         parse->chap_challenge_len = dlen;
 267                 } else if (vendor_id == 0 &&
 268                            avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
 269                         wpa_hexdump(MSG_DEBUG,
 270                                     "EAP-TTLS: CHAP-Password (CHAP)",
 271                                     dpos, dlen);
 272                         parse->chap_password = dpos;
 273                         parse->chap_password_len = dlen;
 274                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
 275                            avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
 276                         wpa_hexdump(MSG_DEBUG,
 277                                     "EAP-TTLS: MS-CHAP-Challenge",
 278                                     dpos, dlen);
 279                         parse->mschap_challenge = dpos;
 280                         parse->mschap_challenge_len = dlen;
 281                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
 282                            avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
 283                         wpa_hexdump(MSG_DEBUG,
 284                                     "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
 285                                     dpos, dlen);
 286                         parse->mschap_response = dpos;
 287                         parse->mschap_response_len = dlen;
 288                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
 289                            avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
 290                         wpa_hexdump(MSG_DEBUG,
 291                                     "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
 292                                     dpos, dlen);
 293                         parse->mschap2_response = dpos;
 294                         parse->mschap2_response_len = dlen;
 295                 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
 296                         wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
 297                                    "mandatory AVP code %d vendor_id %d - "
 298                                    "dropped", (int) avp_code, (int) vendor_id);
 299                         goto fail;
 300                 } else {
 301                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
 302                                    "AVP code %d vendor_id %d",
 303                                    (int) avp_code, (int) vendor_id);
 304                 }
 305
 306                 pad = (4 - (avp_length & 3)) & 3;
 307                 pos += avp_length + pad;
 308                 left -= avp_length + pad;
 309         }
 310
 311         return 0;
 312
 313 fail:
 314         os_free(parse->eap);
 315         parse->eap = NULL;
 316         return -1;
 317 }
 318
 319
 320 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
 321                                         struct eap_ttls_data *data, size_t len)
 322 {
 323         struct tls_keys keys;
 324         u8 *challenge, *rnd;
 325
 326         if (data->ttls_version == 0) {
 327                 return eap_server_tls_derive_key(sm, &data->ssl,
 328                                                  "ttls challenge", len);
 329         }
 330
 331         os_memset(&keys, 0, sizeof(keys));
 332         if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
 333             keys.client_random == NULL || keys.server_random == NULL ||
 334             keys.inner_secret == NULL) {
 335                 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
 336                            "client random, or server random to derive "
 337                            "implicit challenge");
 338                 return NULL;
 339         }
 340
 341         rnd = os_malloc(keys.client_random_len + keys.server_random_len);
 342         challenge = os_malloc(len);
 343         if (rnd == NULL || challenge == NULL) {
 344                 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
 345                            "challenge derivation");
 346                 os_free(rnd);
 347                 os_free(challenge);
 348                 return NULL;
 349         }
 350         os_memcpy(rnd, keys.server_random, keys.server_random_len);
 351         os_memcpy(rnd + keys.server_random_len, keys.client_random,
 352                   keys.client_random_len);
 353
 354         if (tls_prf(keys.inner_secret, keys.inner_secret_len,
 355                     "inner application challenge", rnd,
 356                     keys.client_random_len + keys.server_random_len,
 357                     challenge, len)) {
 358                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
 359                            "challenge");
 360                 os_free(rnd);
 361                 os_free(challenge);
 362                 return NULL;
 363         }
 364
 365         os_free(rnd);
 366
 367         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
 368                         challenge, len);
 369
 370         return challenge;
 371 }
 372
 373
 374 static void * eap_ttls_init(struct eap_sm *sm)
 375 {
 376         struct eap_ttls_data *data;
 377
 378         data = os_zalloc(sizeof(*data));
 379         if (data == NULL)
 380                 return NULL;
 381         data->ttls_version = EAP_TTLS_VERSION;
 382         data->force_version = -1;
 383         if (sm->user && sm->user->force_version >= 0) {
 384                 data->force_version = sm->user->force_version;
 385                 wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d",
 386                            data->force_version);
 387                 data->ttls_version = data->force_version;
 388         }
 389         data->state = START;
 390
 391         if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
 392             data->ttls_version > 0) {
 393                 if (data->force_version > 0) {
 394                         wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
 395                                    "TLS library does not support TLS/IA.",
 396                                    data->force_version);
 397                         eap_ttls_reset(sm, data);
 398                         return NULL;
 399                 }
 400                 data->ttls_version = 0;
 401         }
 402
 403         if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
 404                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
 405                 eap_ttls_reset(sm, data);
 406                 return NULL;
 407         }
 408
 409         return data;
 410 }
 411
 412
 413 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
 414 {
 415         struct eap_ttls_data *data = priv;
 416         if (data == NULL)
 417                 return;
 418         if (data->phase2_priv && data->phase2_method)
 419                 data->phase2_method->reset(sm, data->phase2_priv);
 420         eap_server_tls_ssl_deinit(sm, &data->ssl);
 421         wpabuf_free(data->pending_phase2_eap_resp);
 422         os_free(data);
 423 }
 424
 425
 426 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
 427                                             struct eap_ttls_data *data, u8 id)
 428 {
 429         struct wpabuf *req;
 430
 431         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
 432                             EAP_CODE_REQUEST, id);
 433         if (req == NULL) {
 434                 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
 435                            " request");
 436                 eap_ttls_state(data, FAILURE);
 437                 return NULL;
 438         }
 439
 440         wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
 441
 442         eap_ttls_state(data, PHASE1);
 443
 444         return req;
 445 }
 446
 447
 448 static struct wpabuf * eap_ttls_build_phase2_eap_req(
 449         struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
 450 {
 451         struct wpabuf *buf, *encr_req;
 452
 453
 454         buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
 455         if (buf == NULL)
 456                 return NULL;
 457
 458         wpa_hexdump_buf_key(MSG_DEBUG,
 459                             "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
 460
 461         buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
 462         if (buf == NULL) {
 463                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
 464                            "packet");
 465                 return NULL;
 466         }
 467
 468         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
 469                             "Phase 2 data", buf);
 470
 471         encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
 472         wpabuf_free(buf);
 473
 474         return encr_req;
 475 }
 476
 477
 478 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
 479         struct eap_sm *sm, struct eap_ttls_data *data)
 480 {
 481         struct wpabuf *encr_req, msgbuf;
 482         u8 *req, *pos, *end;
 483         int ret;
 484
 485         pos = req = os_malloc(100);
 486         if (req == NULL)
 487                 return NULL;
 488         end = req + 100;
 489
 490         if (data->mschapv2_resp_ok) {
 491                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
 492                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
 493                 *pos++ = data->mschapv2_ident;
 494                 ret = os_snprintf((char *) pos, end - pos, "S=");
 495                 if (ret >= 0 && ret < end - pos)
 496                         pos += ret;
 497                 pos += wpa_snprintf_hex_uppercase(
 498                         (char *) pos, end - pos, data->mschapv2_auth_response,
 499                         sizeof(data->mschapv2_auth_response));
 500         } else {
 501                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
 502                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
 503                 os_memcpy(pos, "Failed", 6);
 504                 pos += 6;
 505                 AVP_PAD(req, pos);
 506         }
 507
 508         wpabuf_set(&msgbuf, req, pos - req);
 509         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
 510                             "data", &msgbuf);
 511
 512         encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
 513         os_free(req);
 514
 515         return encr_req;
 516 }
 517
 518
 519 static struct wpabuf * eap_ttls_build_phase_finished(
 520         struct eap_sm *sm, struct eap_ttls_data *data, int final)
 521 {
 522         return tls_connection_ia_send_phase_finished(sm->ssl_ctx,
 523                                                      data->ssl.conn, final);
 524 }
 525
 526
 527 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 528 {
 529         struct eap_ttls_data *data = priv;
 530
 531         if (data->ssl.state == FRAG_ACK) {
 532                 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
 533                                                 data->ttls_version);
 534         }
 535
 536         if (data->ssl.state == WAIT_FRAG_ACK) {
 537                 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
 538                                                 data->ttls_version, id);
 539         }
 540
 541         switch (data->state) {
 542         case START:
 543                 return eap_ttls_build_start(sm, data, id);
 544         case PHASE1:
 545                 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
 546                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
 547                                    "starting Phase2");
 548                         eap_ttls_state(data, PHASE2_START);
 549                 }
 550                 break;
 551         case PHASE2_METHOD:
 552                 wpabuf_free(data->ssl.tls_out);
 553                 data->ssl.tls_out_pos = 0;
 554                 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
 555                                                                   id);
 556                 break;
 557         case PHASE2_MSCHAPV2_RESP:
 558                 wpabuf_free(data->ssl.tls_out);
 559                 data->ssl.tls_out_pos = 0;
 560                 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
 561                 break;
 562         case PHASE_FINISHED:
 563                 wpabuf_free(data->ssl.tls_out);
 564                 data->ssl.tls_out_pos = 0;
 565                 data->ssl.tls_out = eap_ttls_build_phase_finished(sm, data, 1);
 566                 break;
 567         default:
 568                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
 569                            __func__, data->state);
 570                 return NULL;
 571         }
 572
 573         return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
 574                                         data->ttls_version, id);
 575 }
 576
 577
 578 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
 579                               struct wpabuf *respData)
 580 {
 581         const u8 *pos;
 582         size_t len;
 583
 584         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
 585         if (pos == NULL || len < 1) {
 586                 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
 587                 return TRUE;
 588         }
 589
 590         return FALSE;
 591 }
 592
 593
 594 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
 595                                             struct eap_ttls_data *data,
 596                                             const u8 *key, size_t key_len)
 597 {
 598         u8 *buf;
 599         size_t buf_len;
 600         int ret;
 601
 602         if (key) {
 603                 buf_len = 2 + key_len;
 604                 buf = os_malloc(buf_len);
 605                 if (buf == NULL)
 606                         return -1;
 607                 WPA_PUT_BE16(buf, key_len);
 608                 os_memcpy(buf + 2, key, key_len);
 609         } else {
 610                 buf = NULL;
 611                 buf_len = 0;
 612         }
 613
 614         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
 615                         "secret permutation", buf, buf_len);
 616         ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
 617                                                      data->ssl.conn,
 618                                                      buf, buf_len);
 619         os_free(buf);
 620
 621         return ret;
 622 }
 623
 624
 625 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
 626                                         struct eap_ttls_data *data,
 627                                         const u8 *user_password,
 628                                         size_t user_password_len)
 629 {
 630         if (!sm->user || !sm->user->password || sm->user->password_hash ||
 631             !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
 632                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
 633                            "password configured");
 634                 eap_ttls_state(data, FAILURE);
 635                 return;
 636         }
 637
 638         if (sm->user->password_len != user_password_len ||
 639             os_memcmp(sm->user->password, user_password, user_password_len) !=
 640             0) {
 641                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
 642                 eap_ttls_state(data, FAILURE);
 643                 return;
 644         }
 645
 646         wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
 647         eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
 648                        SUCCESS);
 649 }
 650
 651
 652 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
 653                                          struct eap_ttls_data *data,
 654                                          const u8 *challenge,
 655                                          size_t challenge_len,
 656                                          const u8 *password,
 657                                          size_t password_len)
 658 {
 659         u8 *chal, hash[CHAP_MD5_LEN];
 660
 661         if (challenge == NULL || password == NULL ||
 662             challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
 663             password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
 664                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
 665                            "(challenge len %lu password len %lu)",
 666                            (unsigned long) challenge_len,
 667                            (unsigned long) password_len);
 668                 eap_ttls_state(data, FAILURE);
 669                 return;
 670         }
 671
 672         if (!sm->user || !sm->user->password || sm->user->password_hash ||
 673             !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
 674                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
 675                            "password configured");
 676                 eap_ttls_state(data, FAILURE);
 677                 return;
 678         }
 679
 680         chal = eap_ttls_implicit_challenge(sm, data,
 681                                            EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
 682         if (chal == NULL) {
 683                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
 684                            "challenge from TLS data");
 685                 eap_ttls_state(data, FAILURE);
 686                 return;
 687         }
 688
 689         if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 ||
 690             password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
 691                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
 692                 os_free(chal);
 693                 eap_ttls_state(data, FAILURE);
 694                 return;
 695         }
 696         os_free(chal);
 697
 698         /* MD5(Ident + Password + Challenge) */
 699         chap_md5(password[0], sm->user->password, sm->user->password_len,
 700                  challenge, challenge_len, hash);
 701
 702         if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
 703                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
 704                 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
 705                                SUCCESS);
 706         } else {
 707                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
 708                 eap_ttls_state(data, FAILURE);
 709         }
 710 }
 711
 712
 713 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
 714                                            struct eap_ttls_data *data,
 715                                            u8 *challenge, size_t challenge_len,
 716                                            u8 *response, size_t response_len)
 717 {
 718         u8 *chal, nt_response[24];
 719
 720         if (challenge == NULL || response == NULL ||
 721             challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
 722             response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
 723                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
 724                            "attributes (challenge len %lu response len %lu)",
 725                            (unsigned long) challenge_len,
 726                            (unsigned long) response_len);
 727                 eap_ttls_state(data, FAILURE);
 728                 return;
 729         }
 730
 731         if (!sm->user || !sm->user->password ||
 732             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
 733                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
 734                            "configured");
 735                 eap_ttls_state(data, FAILURE);
 736                 return;
 737         }
 738
 739         chal = eap_ttls_implicit_challenge(sm, data,
 740                                            EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
 741         if (chal == NULL) {
 742                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
 743                            "challenge from TLS data");
 744                 eap_ttls_state(data, FAILURE);
 745                 return;
 746         }
 747
 748         if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 ||
 749             response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
 750                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
 751                 os_free(chal);
 752                 eap_ttls_state(data, FAILURE);
 753                 return;
 754         }
 755         os_free(chal);
 756
 757         if (sm->user->password_hash)
 758                 challenge_response(challenge, sm->user->password, nt_response);
 759         else
 760                 nt_challenge_response(challenge, sm->user->password,
 761                                       sm->user->password_len, nt_response);
 762
 763         if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) {
 764                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
 765                 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
 766                                SUCCESS);
 767         } else {
 768                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
 769                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
 770                             response + 2 + 24, 24);
 771                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
 772                             nt_response, 24);
 773                 eap_ttls_state(data, FAILURE);
 774         }
 775 }
 776
 777
 778 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
 779                                              struct eap_ttls_data *data,
 780                                              u8 *challenge,
 781                                              size_t challenge_len,
 782                                              u8 *response, size_t response_len)
 783 {
 784         u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
 785                 *auth_challenge;
 786         size_t username_len, i;
 787
 788         if (challenge == NULL || response == NULL ||
 789             challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
 790             response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
 791                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
 792                            "attributes (challenge len %lu response len %lu)",
 793                            (unsigned long) challenge_len,
 794                            (unsigned long) response_len);
 795                 eap_ttls_state(data, FAILURE);
 796                 return;
 797         }
 798
 799         if (!sm->user || !sm->user->password ||
 800             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
 801                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
 802                            "configured");
 803                 eap_ttls_state(data, FAILURE);
 804                 return;
 805         }
 806
 807         /* MSCHAPv2 does not include optional domain name in the
 808          * challenge-response calculation, so remove domain prefix
 809          * (if present). */
 810         username = sm->identity;
 811         username_len = sm->identity_len;
 812         for (i = 0; i < username_len; i++) {
 813                 if (username[i] == '\\') {
 814                         username_len -= i + 1;
 815                         username += i + 1;
 816                         break;
 817                 }
 818         }
 819
 820         chal = eap_ttls_implicit_challenge(
 821                 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
 822         if (chal == NULL) {
 823                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
 824                            "challenge from TLS data");
 825                 eap_ttls_state(data, FAILURE);
 826                 return;
 827         }
 828
 829         if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 ||
 830             response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
 831                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
 832                 os_free(chal);
 833                 eap_ttls_state(data, FAILURE);
 834                 return;
 835         }
 836         os_free(chal);
 837
 838         auth_challenge = challenge;
 839         peer_challenge = response + 2;
 840
 841         wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
 842                           username, username_len);
 843         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
 844                     auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
 845         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
 846                     peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
 847
 848         if (sm->user->password_hash) {
 849                 generate_nt_response_pwhash(auth_challenge, peer_challenge,
 850                                             username, username_len,
 851                                             sm->user->password,
 852                                             nt_response);
 853         } else {
 854                 generate_nt_response(auth_challenge, peer_challenge,
 855                                      username, username_len,
 856                                      sm->user->password,
 857                                      sm->user->password_len,
 858                                      nt_response);
 859         }
 860
 861         rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
 862         if (os_memcmp(nt_response, rx_resp, 24) == 0) {
 863                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
 864                            "NT-Response");
 865                 data->mschapv2_resp_ok = 1;
 866                 if (data->ttls_version > 0) {
 867                         const u8 *pw_hash;
 868                         u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16];
 869                         u8 session_key[2 * MSCHAPV2_KEY_LEN];
 870
 871                         if (sm->user->password_hash)
 872                                 pw_hash = sm->user->password;
 873                         else {
 874                                 nt_password_hash(sm->user->password,
 875                                                  sm->user->password_len,
 876                                                  pw_hash_buf);
 877                                 pw_hash = pw_hash_buf;
 878                         }
 879                         hash_nt_password_hash(pw_hash, pw_hash_hash);
 880                         get_master_key(pw_hash_hash, nt_response, master_key);
 881                         get_asymetric_start_key(master_key, session_key,
 882                                                 MSCHAPV2_KEY_LEN, 0, 0);
 883                         get_asymetric_start_key(master_key,
 884                                                 session_key + MSCHAPV2_KEY_LEN,
 885                                                 MSCHAPV2_KEY_LEN, 1, 0);
 886                         eap_ttls_ia_permute_inner_secret(sm, data,
 887                                                          session_key,
 888                                                          sizeof(session_key));
 889                 }
 890
 891                 if (sm->user->password_hash) {
 892                         generate_authenticator_response_pwhash(
 893                                 sm->user->password,
 894                                 peer_challenge, auth_challenge,
 895                                 username, username_len, nt_response,
 896                                 data->mschapv2_auth_response);
 897                 } else {
 898                         generate_authenticator_response(
 899                                 sm->user->password, sm->user->password_len,
 900                                 peer_challenge, auth_challenge,
 901                                 username, username_len, nt_response,
 902                                 data->mschapv2_auth_response);
 903                 }
 904         } else {
 905                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
 906                            "NT-Response");
 907                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
 908                             rx_resp, 24);
 909                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
 910                             nt_response, 24);
 911                 data->mschapv2_resp_ok = 0;
 912         }
 913         eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
 914         data->mschapv2_ident = response[0];
 915 }
 916
 917
 918 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
 919                                     struct eap_ttls_data *data,
 920                                     EapType eap_type)
 921 {
 922         if (data->phase2_priv && data->phase2_method) {
 923                 data->phase2_method->reset(sm, data->phase2_priv);
 924                 data->phase2_method = NULL;
 925                 data->phase2_priv = NULL;
 926         }
 927         data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
 928                                                         eap_type);
 929         if (!data->phase2_method)
 930                 return -1;
 931
 932         sm->init_phase2 = 1;
 933         data->phase2_priv = data->phase2_method->init(sm);
 934         sm->init_phase2 = 0;
 935         return data->phase2_priv == NULL ? -1 : 0;
 936 }
 937
 938
 939 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
 940                                                  struct eap_ttls_data *data,
 941                                                  u8 *in_data, size_t in_len)
 942 {
 943         u8 next_type = EAP_TYPE_NONE;
 944         struct eap_hdr *hdr;
 945         u8 *pos;
 946         size_t left;
 947         struct wpabuf buf;
 948         const struct eap_method *m = data->phase2_method;
 949         void *priv = data->phase2_priv;
 950
 951         if (priv == NULL) {
 952                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
 953                            "initialized?!", __func__);
 954                 return;
 955         }
 956
 957         hdr = (struct eap_hdr *) in_data;
 958         pos = (u8 *) (hdr + 1);
 959
 960         if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
 961                 left = in_len - sizeof(*hdr);
 962                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
 963                             "allowed types", pos + 1, left - 1);
 964                 eap_sm_process_nak(sm, pos + 1, left - 1);
 965                 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
 966                     sm->user->methods[sm->user_eap_method_index].method !=
 967                     EAP_TYPE_NONE) {
 968                         next_type = sm->user->methods[
 969                                 sm->user_eap_method_index++].method;
 970                         wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
 971                                    next_type);
 972                         if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
 973                                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
 974                                            "initialize EAP type %d",
 975                                            next_type);
 976                                 eap_ttls_state(data, FAILURE);
 977                                 return;
 978                         }
 979                 } else {
 980                         eap_ttls_state(data, FAILURE);
 981                 }
 982                 return;
 983         }
 984
 985         wpabuf_set(&buf, in_data, in_len);
 986
 987         if (m->check(sm, priv, &buf)) {
 988                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
 989                            "ignore the packet");
 990                 return;
 991         }
 992
 993         m->process(sm, priv, &buf);
 994
 995         if (sm->method_pending == METHOD_PENDING_WAIT) {
 996                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
 997                            "pending wait state - save decrypted response");
 998                 wpabuf_free(data->pending_phase2_eap_resp);
 999                 data->pending_phase2_eap_resp = wpabuf_dup(&buf);
1000         }
1001
1002         if (!m->isDone(sm, priv))
1003                 return;
1004
1005         if (!m->isSuccess(sm, priv)) {
1006                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
1007                 eap_ttls_state(data, FAILURE);
1008                 return;
1009         }
1010
1011         switch (data->state) {
1012         case PHASE2_START:
1013                 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1014                         wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
1015                                           "Identity not found in the user "
1016                                           "database",
1017                                           sm->identity, sm->identity_len);
1018                         eap_ttls_state(data, FAILURE);
1019                         break;
1020                 }
1021
1022                 eap_ttls_state(data, PHASE2_METHOD);
1023                 next_type = sm->user->methods[0].method;
1024                 sm->user_eap_method_index = 1;
1025                 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
1026                 if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
1027                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
1028                                    "EAP type %d", next_type);
1029                         eap_ttls_state(data, FAILURE);
1030                 }
1031                 break;
1032         case PHASE2_METHOD:
1033                 if (data->ttls_version > 0) {
1034                         if (m->getKey) {
1035                                 u8 *key;
1036                                 size_t key_len;
1037                                 key = m->getKey(sm, priv, &key_len);
1038                                 eap_ttls_ia_permute_inner_secret(sm, data,
1039                                                                  key, key_len);
1040                         }
1041                         eap_ttls_state(data, PHASE_FINISHED);
1042                 } else
1043                         eap_ttls_state(data, SUCCESS);
1044                 break;
1045         case FAILURE:
1046                 break;
1047         default:
1048                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
1049                            __func__, data->state);
1050                 break;
1051         }
1052 }
1053
1054
1055 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
1056                                         struct eap_ttls_data *data,
1057                                         const u8 *eap, size_t eap_len)
1058 {
1059         struct eap_hdr *hdr;
1060         size_t len;
1061
1062         if (data->state == PHASE2_START) {
1063                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
1064                 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
1065                 {
1066                         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
1067                                    "initialize EAP-Identity");
1068                         return;
1069                 }
1070         }
1071
1072         if (eap_len < sizeof(*hdr)) {
1073                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
1074                            "packet (len=%lu)", (unsigned long) eap_len);
1075                 return;
1076         }
1077
1078         hdr = (struct eap_hdr *) eap;
1079         len = be_to_host16(hdr->length);
1080         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
1081                    "identifier=%d length=%lu", hdr->code, hdr->identifier,
1082                    (unsigned long) len);
1083         if (len > eap_len) {
1084                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
1085                            " EAP frame (hdr len=%lu, data len in AVP=%lu)",
1086                            (unsigned long) len, (unsigned long) eap_len);
1087                 return;
1088         }
1089
1090         switch (hdr->code) {
1091         case EAP_CODE_RESPONSE:
1092                 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
1093                                                      len);
1094                 break;
1095         default:
1096                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
1097                            "Phase 2 EAP header", hdr->code);
1098                 break;
1099         }
1100 }
1101
1102
1103 static void eap_ttls_process_phase2(struct eap_sm *sm,
1104                                     struct eap_ttls_data *data,
1105                                     struct wpabuf *in_buf)
1106 {
1107         struct wpabuf *in_decrypted;
1108         struct eap_ttls_avp parse;
1109
1110         wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1111                    " Phase 2", (unsigned long) wpabuf_len(in_buf));
1112
1113         if (data->pending_phase2_eap_resp) {
1114                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1115                            "- skip decryption and use old data");
1116                 eap_ttls_process_phase2_eap(
1117                         sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1118                         wpabuf_len(data->pending_phase2_eap_resp));
1119                 wpabuf_free(data->pending_phase2_eap_resp);
1120                 data->pending_phase2_eap_resp = NULL;
1121                 return;
1122         }
1123
1124         in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1125                                               in_buf);
1126         if (in_decrypted == NULL) {
1127                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1128                            "data");
1129                 eap_ttls_state(data, FAILURE);
1130                 return;
1131         }
1132
1133         if (data->state == PHASE_FINISHED) {
1134                 if (wpabuf_len(in_decrypted) == 0 &&
1135                     tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1136                                                            data->ssl.conn)) {
1137                         wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished "
1138                                    "received");
1139                         eap_ttls_state(data, SUCCESS);
1140                 } else {
1141                         wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid "
1142                                    "FinalPhaseFinished");
1143                         eap_ttls_state(data, FAILURE);
1144                 }
1145
1146                 wpabuf_free(in_decrypted);
1147                 return;
1148         }
1149
1150         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1151                             in_decrypted);
1152
1153         if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
1154                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1155                 wpabuf_free(in_decrypted);
1156                 eap_ttls_state(data, FAILURE);
1157                 return;
1158         }
1159
1160         if (parse.user_name) {
1161                 os_free(sm->identity);
1162                 sm->identity = os_malloc(parse.user_name_len);
1163                 if (sm->identity) {
1164                         os_memcpy(sm->identity, parse.user_name,
1165                                   parse.user_name_len);
1166                         sm->identity_len = parse.user_name_len;
1167                 }
1168                 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1169                     != 0) {
1170                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1171                                    "found in the user database");
1172                         eap_ttls_state(data, FAILURE);
1173                         goto done;
1174                 }
1175         }
1176
1177 #ifdef EAP_SERVER_TNC
1178         if (data->tnc_started && parse.eap == NULL) {
1179                 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1180                            "response from peer");
1181                 eap_ttls_state(data, FAILURE);
1182                 goto done;
1183         }
1184 #endif /* EAP_SERVER_TNC */
1185
1186         if (parse.eap) {
1187                 eap_ttls_process_phase2_eap(sm, data, parse.eap,
1188                                             parse.eap_len);
1189         } else if (parse.user_password) {
1190                 eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1191                                             parse.user_password_len);
1192         } else if (parse.chap_password) {
1193                 eap_ttls_process_phase2_chap(sm, data,
1194                                              parse.chap_challenge,
1195                                              parse.chap_challenge_len,
1196                                              parse.chap_password,
1197                                              parse.chap_password_len);
1198         } else if (parse.mschap_response) {
1199                 eap_ttls_process_phase2_mschap(sm, data,
1200                                                parse.mschap_challenge,
1201                                                parse.mschap_challenge_len,
1202                                                parse.mschap_response,
1203                                                parse.mschap_response_len);
1204         } else if (parse.mschap2_response) {
1205                 eap_ttls_process_phase2_mschapv2(sm, data,
1206                                                  parse.mschap_challenge,
1207                                                  parse.mschap_challenge_len,
1208                                                  parse.mschap2_response,
1209                                                  parse.mschap2_response_len);
1210         }
1211
1212 done:
1213         wpabuf_free(in_decrypted);
1214         os_free(parse.eap);
1215 }
1216
1217
1218 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1219 {
1220 #ifdef EAP_SERVER_TNC
1221         if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1222                 return;
1223
1224         wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1225         if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1226                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1227                 eap_ttls_state(data, FAILURE);
1228                 return;
1229         }
1230
1231         data->tnc_started = 1;
1232         eap_ttls_state(data, PHASE2_METHOD);
1233 #endif /* EAP_SERVER_TNC */
1234 }
1235
1236
1237 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1238                                     int peer_version)
1239 {
1240         struct eap_ttls_data *data = priv;
1241         if (peer_version < data->ttls_version) {
1242                 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1243                            "use version %d",
1244                            peer_version, data->ttls_version, peer_version);
1245                 data->ttls_version = peer_version;
1246         }
1247
1248         if (data->ttls_version > 0 && !data->tls_ia_configured) {
1249                 if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) {
1250                         wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable "
1251                                    "TLS/IA");
1252                         return -1;
1253                 }
1254                 data->tls_ia_configured = 1;
1255         }
1256
1257         return 0;
1258 }
1259
1260
1261 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1262                                  const struct wpabuf *respData)
1263 {
1264         struct eap_ttls_data *data = priv;
1265
1266         switch (data->state) {
1267         case PHASE1:
1268                 if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1269                         eap_ttls_state(data, FAILURE);
1270                 break;
1271         case PHASE2_START:
1272         case PHASE2_METHOD:
1273         case PHASE_FINISHED:
1274                 eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1275                 eap_ttls_start_tnc(sm, data);
1276                 break;
1277         case PHASE2_MSCHAPV2_RESP:
1278                 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1279                     0) {
1280                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1281                                    "acknowledged response");
1282                         eap_ttls_state(data, data->ttls_version > 0 ?
1283                                        PHASE_FINISHED : SUCCESS);
1284                 } else if (!data->mschapv2_resp_ok) {
1285                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1286                                    "acknowledged error");
1287                         eap_ttls_state(data, FAILURE);
1288                 } else {
1289                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1290                                    "frame from peer (payload len %lu, "
1291                                    "expected empty frame)",
1292                                    (unsigned long)
1293                                    wpabuf_len(data->ssl.tls_in));
1294                         eap_ttls_state(data, FAILURE);
1295                 }
1296                 eap_ttls_start_tnc(sm, data);
1297                 break;
1298         default:
1299                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1300                            data->state, __func__);
1301                 break;
1302         }
1303 }
1304
1305
1306 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1307                              struct wpabuf *respData)
1308 {
1309         struct eap_ttls_data *data = priv;
1310         if (eap_server_tls_process(sm, &data->ssl, respData, data,
1311                                    EAP_TYPE_TTLS, eap_ttls_process_version,
1312                                    eap_ttls_process_msg) < 0)
1313                 eap_ttls_state(data, FAILURE);
1314 }
1315
1316
1317 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1318 {
1319         struct eap_ttls_data *data = priv;
1320         return data->state == SUCCESS || data->state == FAILURE;
1321 }
1322
1323
1324 static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm,
1325                                    struct eap_ttls_data *data)
1326 {
1327         struct tls_keys keys;
1328         u8 *rnd, *key;
1329
1330         os_memset(&keys, 0, sizeof(keys));
1331         if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
1332             keys.client_random == NULL || keys.server_random == NULL ||
1333             keys.inner_secret == NULL) {
1334                 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
1335                            "client random, or server random to derive keying "
1336                            "material");
1337                 return NULL;
1338         }
1339
1340         rnd = os_malloc(keys.client_random_len + keys.server_random_len);
1341         key = os_malloc(EAP_TLS_KEY_LEN);
1342         if (rnd == NULL || key == NULL) {
1343                 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
1344                 os_free(rnd);
1345                 os_free(key);
1346                 return NULL;
1347         }
1348         os_memcpy(rnd, keys.client_random, keys.client_random_len);
1349         os_memcpy(rnd + keys.client_random_len, keys.server_random,
1350                   keys.server_random_len);
1351
1352         if (tls_prf(keys.inner_secret, keys.inner_secret_len,
1353                     "ttls v1 keying material", rnd, keys.client_random_len +
1354                     keys.server_random_len, key, EAP_TLS_KEY_LEN)) {
1355                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1356                 os_free(rnd);
1357                 os_free(key);
1358                 return NULL;
1359         }
1360
1361         wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
1362                     rnd, keys.client_random_len + keys.server_random_len);
1363         wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
1364                         keys.inner_secret, keys.inner_secret_len);
1365
1366         os_free(rnd);
1367
1368         return key;
1369 }
1370
1371
1372 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1373 {
1374         struct eap_ttls_data *data = priv;
1375         u8 *eapKeyData;
1376
1377         if (data->state != SUCCESS)
1378                 return NULL;
1379
1380         if (data->ttls_version == 0) {
1381                 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1382                                                        "ttls keying material",
1383                                                        EAP_TLS_KEY_LEN);
1384         } else {
1385                 eapKeyData = eap_ttls_v1_derive_key(sm, data);
1386         }
1387
1388         if (eapKeyData) {
1389                 *len = EAP_TLS_KEY_LEN;
1390                 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1391                                 eapKeyData, EAP_TLS_KEY_LEN);
1392         } else {
1393                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1394         }
1395
1396         return eapKeyData;
1397 }
1398
1399
1400 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1401 {
1402         struct eap_ttls_data *data = priv;
1403         return data->state == SUCCESS;
1404 }
1405
1406
1407 int eap_server_ttls_register(void)
1408 {
1409         struct eap_method *eap;
1410         int ret;
1411
1412         eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1413                                       EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1414         if (eap == NULL)
1415                 return -1;
1416
1417         eap->init = eap_ttls_init;
1418         eap->reset = eap_ttls_reset;
1419         eap->buildReq = eap_ttls_buildReq;
1420         eap->check = eap_ttls_check;
1421         eap->process = eap_ttls_process;
1422         eap->isDone = eap_ttls_isDone;
1423         eap->getKey = eap_ttls_getKey;
1424         eap->isSuccess = eap_ttls_isSuccess;
1425
1426         ret = eap_server_method_register(eap);
1427         if (ret)
1428                 eap_server_method_free(eap);
1429         return ret;
1430 }